Patch "Bluetooth: hci_event: Fix using memcmp when comparing keys" has been added to the 4.14-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    Bluetooth: hci_event: Fix using memcmp when comparing keys

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-hci_event-fix-using-memcmp-when-comparing-keys.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From b541260615f601ae1b5d6d0cc54e790de706303b Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Date: Thu, 5 Oct 2023 13:59:59 -0700
Subject: Bluetooth: hci_event: Fix using memcmp when comparing keys

From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>

commit b541260615f601ae1b5d6d0cc54e790de706303b upstream.

memcmp is not consider safe to use with cryptographic secrets:

 'Do  not  use memcmp() to compare security critical data, such as
 cryptographic secrets, because the required CPU time depends on the
 number of equal bytes.'

While usage of memcmp for ZERO_KEY may not be considered a security
critical data, it can lead to more usage of memcmp with pairing keys
which could introduce more security problems.

Fixes: 455c2ff0a558 ("Bluetooth: Fix BR/EDR out-of-band pairing with only initiator data")
Fixes: 33155c4aae52 ("Bluetooth: hci_event: Ignore NULL link key")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/bluetooth/hci_event.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -25,6 +25,8 @@
 /* Bluetooth HCI event handling. */
 
 #include <asm/unaligned.h>
+#include <linux/crypto.h>
+#include <crypto/algapi.h>
 
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
@@ -3505,7 +3507,7 @@ static void hci_link_key_notify_evt(stru
 		goto unlock;
 
 	/* Ignore NULL link key against CVE-2020-26555 */
-	if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
+	if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
 		bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
 			   &ev->bdaddr);
 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
@@ -3991,8 +3993,8 @@ static u8 bredr_oob_data_present(struct
 		 * available, then do not declare that OOB data is
 		 * present.
 		 */
-		if (!memcmp(data->rand256, ZERO_KEY, 16) ||
-		    !memcmp(data->hash256, ZERO_KEY, 16))
+		if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
+		    !crypto_memneq(data->hash256, ZERO_KEY, 16))
 			return 0x00;
 
 		return 0x02;
@@ -4002,8 +4004,8 @@ static u8 bredr_oob_data_present(struct
 	 * not supported by the hardware, then check that if
 	 * P-192 data values are present.
 	 */
-	if (!memcmp(data->rand192, ZERO_KEY, 16) ||
-	    !memcmp(data->hash192, ZERO_KEY, 16))
+	if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
+	    !crypto_memneq(data->hash192, ZERO_KEY, 16))
 		return 0x00;
 
 	return 0x01;


Patches currently in stable-queue which might be from luiz.von.dentz@xxxxxxxxx are

queue-4.14/bluetooth-hci_event-ignore-null-link-key.patch
queue-4.14/bluetooth-hci_sock-correctly-bounds-check-and-pad-hci_mon_new_index-name.patch
queue-4.14/bluetooth-avoid-memcmp-out-of-bounds-warning.patch
queue-4.14/bluetooth-avoid-redundant-authentication.patch
queue-4.14/bluetooth-fix-a-refcnt-underflow-problem-for-hci_conn.patch
queue-4.14/bluetooth-hci_event-fix-using-memcmp-when-comparing-keys.patch
queue-4.14/bluetooth-reject-connection-with-the-device-which-has-same-bd_addr.patch
queue-4.14/bluetooth-hci_core-fix-build-warnings.patch
queue-4.14/bluetooth-vhci-fix-race-when-opening-vhci-device.patch
queue-4.14/bluetooth-hci_event-fix-coding-style.patch
queue-4.14/bluetooth-hci_sock-fix-slab-oob-read-in-create_monitor_event.patch



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux