
Commit 1ffc6f8

joeyli authored and Vudentz committed
Bluetooth: Reject connection with the device which has same BD_ADDR
This change is used to relieve CVE-2020-26555. The description of the CVE:

Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN. [1]

The detail of this attack is in the IEEE paper: BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols [2]

It's a reflection attack. The paper mentioned that the attacker can induce the attacked target to generate a null link key (zero key) without a PIN code. In BR/EDR, the key generation is actually handled in the controller, which is below HCI. A condition of this attack is that the attacker should change the BR_ADDR of his hacking device (Host B) to be equal to the BR_ADDR of the target device being attacked (Host A). Thus, we reject the connection with a device which has the same BD_ADDR, both on HCI_Create_Connection and HCI_Connection_Request, to prevent the attack.

A similar implementation also appears in the btstack project. [3][4]

Cc: [email protected]
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [3]
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [4]
Signed-off-by: Lee, Chun-Yi <[email protected]>
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
1 parent 33155c4 commit 1ffc6f8

2 files changed: 20 additions and 0 deletions

net/bluetooth/hci_conn.c

Lines changed: 9 additions & 0 deletions
@@ -1627,6 +1627,15 @@ struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
16271627
return ERR_PTR(-EOPNOTSUPP);
16281628
}
16291629

1630+
/* Reject outgoing connection to device with same BD ADDR against
1631+
* CVE-2020-26555
1632+
*/
1633+
if (!bacmp(&hdev->bdaddr, dst)) {
1634+
bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
1635+
dst);
1636+
return ERR_PTR(-ECONNREFUSED);
1637+
}
1638+
16301639
acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
16311640
if (!acl) {
16321641
acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
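Review bot: the bt_dev_dbg format string added at 1634 ends with "\n", which the existing bt_dev_dbg call in hci_conn_request_evt at 3269 ("bdaddr %pMR type 0x%x") omits; bt_dev_dbg is built on BT_DBG, which appends its own newline, so the trailing "\n" yields an empty extra line in the log. Suggest `bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR", dst);`. The placement of the check is otherwise right: it sits before hci_conn_hash_lookup_ba and hci_conn_add, so a refused destination never gets an hci_conn object, and returning ERR_PTR(-ECONNREFUSED) surfaces the rejection to the caller instead of failing silently.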

net/bluetooth/hci_event.c

Lines changed: 11 additions & 0 deletions
@@ -3268,6 +3268,17 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
32683268

32693269
bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
32703270

3271+
/* Reject incoming connection from device with same BD ADDR against
3272+
* CVE-2020-26555
3273+
*/
3274+
if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
3275+
{
3276+
bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3277+
&ev->bdaddr);
3278+
hci_reject_conn(hdev, &ev->bdaddr);
3279+
return;
3280+
}
3281+
32713282
mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
32723283
&flags);
32733284
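Review bot: the opening brace at 3275 sits on its own line after the `if`, which breaks kernel coding style and is inconsistent with the matching check in hci_connect_acl in this same commit, where the brace is on the `if` line; fold it into `if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {`. The trailing "\n" in the bt_dev_dbg format string at 3276 is the same issue as in the other hunk (compare line 3269 just above, which has none). The early return is in the right place: the request is refused with hci_reject_conn before hci_proto_connect_ind is consulted and before any hci_conn is looked up or added, so no state is created for the rejected peer; the check matches only an incoming address equal to the local controller address, which is exactly the reflection condition the commit message describes.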
