APPLIED: [SRU][F/J][PATCH v2 0/1] CVE-2023-24023

[Roxana Nicolescu]

On 20/03/2024 19:56, Yuxuan Luo wrote:
> v1 patch deferences rp before it is initialized, this v2 fixes this
> issue.
>
> [Impact]
> BLUFFS attack compromises the forward and future secrecy of a Bluetooth
> connection through machine-in-the-middle attack and thus hijacks an
> entire session due to weak protection mechanism caused by insufficient
> check on encryption key size. This vulnerability possesses high threat
> to Bluetooth's confidentiality.
>
> [Backport]
> The conflict occurs around a variable called `status`, which is moved
> from parameter to local variable in 278d933e12f1 ("Bluetooth: Normalize
> HCI_OP_READ_ENC_KEY_SIZE cmdcmplt"). Missing this commit requires the
> status variable to be renamed to avoid naming conflict; in this patch,
> it is renamed to `rp_status`.
>
> Two patches share the same backporting idea, but since `git am`
> complains about Jammy's patch on Focal tree due to context difference
> (probably because of missing 32b50729d91f ("Bluetooth: don't assume key
> size is 16 when the command fails")), generating two patches for
> applying's convinience.
>
> [Test]
> Compile and boot tested.
>
> [Where things could go wrong]
> The change is taking place in the setting up connection part.
>
> Alex Lu (1):
>    Bluetooth: Add more enc key size check
>
>   net/bluetooth/hci_event.c | 18 +++++++++++++++++-
>   1 file changed, 17 insertions(+), 1 deletion(-)
>
Applied to jammy, focal master-next branches. Thanks!