[SRU][F/J][PATCH v2 0/1] CVE-2023-24023
Yuxuan Luo
yuxuan.luo at canonical.com
Wed Mar 20 18:56:09 UTC 2024
v1 patch deferences rp before it is initialized, this v2 fixes this
issue.
[Impact]
BLUFFS attack compromises the forward and future secrecy of a Bluetooth
connection through machine-in-the-middle attack and thus hijacks an
entire session due to weak protection mechanism caused by insufficient
check on encryption key size. This vulnerability possesses high threat
to Bluetooth's confidentiality.
[Backport]
The conflict occurs around a variable called `status`, which is moved
from parameter to local variable in 278d933e12f1 ("Bluetooth: Normalize
HCI_OP_READ_ENC_KEY_SIZE cmdcmplt"). Missing this commit requires the
status variable to be renamed to avoid naming conflict; in this patch,
it is renamed to `rp_status`.
Two patches share the same backporting idea, but since `git am`
complains about Jammy's patch on Focal tree due to context difference
(probably because of missing 32b50729d91f ("Bluetooth: don't assume key
size is 16 when the command fails")), generating two patches for
applying's convinience.
[Test]
Compile and boot tested.
[Where things could go wrong]
The change is taking place in the setting up connection part.
Alex Lu (1):
Bluetooth: Add more enc key size check
net/bluetooth/hci_event.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--
2.34.1
More information about the kernel-team
mailing list