[Bug 1791405] Re: bluetooth always in discoverable mode (security issue)

Bug Watch Updater 1791405 at bugs.launchpad.net
Wed Nov 7 18:30:02 UTC 2018


Launchpad has imported 9 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=1602985.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2018-07-19T00:34:47+00:00 Benjamin wrote:

Description of problem:

Bluetooth is always discoverable; when pairing a new device on my phone,
I noticed my laptop, but I did not have the GNOME Bluetooth settings
open at the time.

Version-Release number of selected component (if applicable):

3.28.0-1.fc28

How reproducible:

Always

Steps to Reproduce:
1. Boot up, log in
2. Scan for bluetooth devices with a separate computer

Actual results:

Machine name is displayed on phone

Expected results:

Machine name should not be displayed (should not be discoverable)

Additional info:

I can turn off discoverability from a term using bluetoothctl.

It seems that opening the Bluetooth settings will make the device
discoverable again, but does not make the device undiscoverable after
the settings are closed (this is not intended behavior; devices should
only be discoverable when the bluetooth settings UI is open).

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-bluetooth/+bug/1791405/comments/0

------------------------------------------------------------------------
On 2018-07-19T10:29:26+00:00 Bastien wrote:

(In reply to Benjamin Kreuter from comment #0)
> It seems that opening the Bluetooth settings will make the device
> discoverable again, but does not make the device undiscoverable after the
> settings are closed (this is not intended behavior; devices should only be
> discoverable when the bluetooth settings UI is open).

It does turn it off. Except that bluetoothd and/or the kernel will fail
to make it undiscoverable.

Sender ":1.13387" is the Bluetooth settings. See how it requests for
"Discoverable" to be switched off, receives a response to the call
saying that Discoverable is now off, but receives a signal that
Discoverable changed back to "on" after a short time.

This is a dbus-monitor capture on exit:
method call time=1531995892.499232 sender=:1.13387 -> destination=:1.4 serial=94 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=Set
   string "org.bluez.Adapter1"
   string "Discoverable"
   variant       boolean false
method call time=1531995892.499459 sender=:1.13387 -> destination=:1.4 serial=95 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=Set
   string "org.bluez.Adapter1"
   string "DiscoverableTimeout"
   variant       uint32 0
method call time=1531995892.499485 sender=:1.13387 -> destination=org.freedesktop.DBus serial=96 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=RemoveMatch
   string "type='signal',sender=':1.4'"
method call time=1531995892.499556 sender=:1.13387 -> destination=org.freedesktop.DBus serial=97 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=RemoveMatch
   string "type='signal',sender='org.freedesktop.DBus',interface='org.freedesktop.DBus',member='NameOwnerChanged',path='/org/freedesktop/DBus',arg0='org.bluez'"
method return time=1531995892.499563 sender=org.freedesktop.DBus -> destination=:1.13387 serial=69 reply_serial=97
method call time=1531995892.499610 sender=:1.13387 -> destination=org.freedesktop.DBus serial=98 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=RemoveMatch
   string "type='signal',sender='org.bluez',interface='org.freedesktop.DBus.ObjectManager',path='/'"
method return time=1531995892.499616 sender=org.freedesktop.DBus -> destination=:1.13387 serial=70 reply_serial=98
method return time=1531995892.499665 sender=:1.4 -> destination=:1.13387 serial=379 reply_serial=95
signal time=1531995892.523461 sender=:1.4 -> destination=(null destination) serial=380 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=PropertiesChanged
   string "org.bluez.Adapter1"
   array [
      dict entry(
         string "DiscoverableTimeout"
         variant             uint32 0
      )    
   ]
   array [
   ]
method return time=1531995892.523489 sender=:1.4 -> destination=:1.13387 serial=381 reply_serial=94
signal time=1531995892.533281 sender=:1.4 -> destination=(null destination) serial=382 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=PropertiesChanged
   string "org.bluez.Adapter1"
   array [
      dict entry(
         string "Discoverable"
         variant             boolean false
      )    
   ]
   array [
   ]
signal time=1531995892.551915 sender=:1.4 -> destination=(null destination) serial=383 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=PropertiesChanged
   string "org.bluez.Adapter1"
   array [
      dict entry(
         string "Discoverable"
         variant             boolean true 
      )    
   ]
   array [
   ]

This corresponds with this warning in my journal:
Jul 19 12:28:20 classic kernel: Bluetooth: hci0: last event is not cmd complete (0x0f)

Let's start reassigning this to bluez to start with, as that's where
we'll need to dig.

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-bluetooth/+bug/1791405/comments/1
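The pattern Bastien points out in the capture (a Set of Discoverable=false answered, a PropertiesChanged reporting false, then another PropertiesChanged reporting true) can be checked mechanically. The following C program is an added example, not code from the bug thread, bluez or gnome-bluetooth: it walks dbus-monitor style lines and counts how often bluez reported Discoverable back to true after a client had asked for it to be off. The sample lines are constructed, condensed from the capture above, and the function names (count_discoverable_regressions, check_buggy_capture, check_healthy_prefix) are invented for this example.

```c
/* Added example: detect "Discoverable flipped back on" in dbus-monitor output.
 * Not part of bluez or gnome-bluetooth; sample capture lines are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns how many PropertiesChanged signals reported Discoverable=true
 * after a client had requested Discoverable=false via Properties.Set. */
int count_discoverable_regressions(const char *const *lines, size_t n)
{
    enum { CTX_NONE, CTX_SET, CTX_SIGNAL } ctx = CTX_NONE;
    bool prop_is_discoverable = false; /* the last "string" argument named Discoverable */
    bool off_requested = false;        /* a Set(Discoverable=false) has been seen */
    int regressions = 0;

    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        while (*l == ' ' || *l == '\t')
            l++;                                    /* dbus-monitor indents arguments */

        if (strstr(l, "member=Set")) {
            ctx = CTX_SET;
            prop_is_discoverable = false;
        } else if (strstr(l, "member=PropertiesChanged")) {
            ctx = CTX_SIGNAL;
            prop_is_discoverable = false;
        } else if (strcmp(l, "string \"Discoverable\"") == 0) {
            prop_is_discoverable = true;            /* exact match, so not DiscoverableTimeout */
        } else if (strncmp(l, "string \"", 8) == 0) {
            prop_is_discoverable = false;           /* interface name or another property */
        } else if (prop_is_discoverable && strstr(l, "boolean ")) {
            bool value = strstr(l, "boolean true") != NULL;
            if (ctx == CTX_SET)
                off_requested = !value;             /* client asked for off (or on) */
            else if (ctx == CTX_SIGNAL && value && off_requested)
                regressions++;                      /* daemon reports on after off was requested */
            prop_is_discoverable = false;
        }
    }
    return regressions;
}

/* Constructed sample: the buggy sequence, condensed from the capture in comment #1. */
static const char *const buggy_capture[] = {
    "method call sender=:1.13387 -> destination=:1.4 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=Set",
    "   string \"org.bluez.Adapter1\"",
    "   string \"Discoverable\"",
    "   variant       boolean false",
    "method call sender=:1.13387 -> destination=:1.4 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=Set",
    "   string \"org.bluez.Adapter1\"",
    "   string \"DiscoverableTimeout\"",
    "   variant       uint32 0",
    "signal sender=:1.4 -> destination=(null destination) path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=PropertiesChanged",
    "   string \"org.bluez.Adapter1\"",
    "   array [",
    "      dict entry(",
    "         string \"Discoverable\"",
    "         variant             boolean false",
    "      )",
    "   ]",
    "signal sender=:1.4 -> destination=(null destination) path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=PropertiesChanged",
    "   string \"org.bluez.Adapter1\"",
    "   array [",
    "      dict entry(",
    "         string \"Discoverable\"",
    "         variant             boolean true ",
    "      )",
    "   ]",
};

/* Full buggy capture: one regression expected. */
int check_buggy_capture(void)
{
    return count_discoverable_regressions(buggy_capture,
                                          sizeof buggy_capture / sizeof buggy_capture[0]);
}

/* Only the first 16 lines (through the PropertiesChanged false): healthy, none expected. */
int check_healthy_prefix(void)
{
    return count_discoverable_regressions(buggy_capture, 16);
}

int main(void)
{
    printf("buggy capture: %d regression(s)\n", check_buggy_capture());
    printf("healthy prefix: %d regression(s)\n", check_healthy_prefix());
    return 0;
}
```

To use it on a real capture, feed the lines of `dbus-monitor --system` (run while the Bluetooth settings panel is closed) to count_discoverable_regressions; any non-zero result means the adapter came back discoverable after the client asked for it to be off, which is exactly the state the reporter observed from his phone.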

------------------------------------------------------------------------
On 2018-07-19T11:07:43+00:00 Bastien wrote:

Making this call, without waiting for the reply, always fails:
dbus-send  --system --dest=org.bluez /org/bluez/hci0 org.freedesktop.DBus.Properties.Set string:org.bluez.Adapter1 string:Discoverable variant:boolean:false ; dbus-send  --system --dest=org.bluez /org/bluez/hci0 org.freedesktop.DBus.Properties.Set string:org.bluez.Adapter1 string:DiscoverableTimeout variant:uint32:0

The same call with the --print-reply argument to dbus-send will however
work. I think bluez might be ignoring the calls if the caller is going
to disappear.

I monitored the state of "Discoverable" and "DiscoverableTimeout" using
bluetoothctl, after setting Discoverable to on.

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-bluetooth/+bug/1791405/comments/2

------------------------------------------------------------------------
On 2018-07-19T11:34:46+00:00 Bastien wrote:

The D-Bus end-points for those 2 properties are:
property_set_discoverable and property_set_discoverable_timeout
in src/adapter.c

bluetoothd, to change those properties, calls out asynchronously to the kernel:
property_set_mode -> async stuff -> property_set_mode_complete -> new_settings_callback() sets adapter->current_settings

And to those used to async programming, the problem should be obvious. In 
property_set_discoverable_timeout():
        if (adapter->current_settings & MGMT_SETTING_DISCOVERABLE)
                set_discoverable(adapter, 0x01, adapter->discoverable_timeout);

So if a discoverable setting is pending, adapter->current_settings isn't
set to the new value, and discoverable is *reset* to on.

This is a definite bug in bluez, though work-aroundable in gnome-
bluetooth.

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-bluetooth/+bug/1791405/comments/3
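The race Bastien describes is easy to reproduce in a model: the daemon answers the first Set immediately but only updates adapter->current_settings when the kernel completion callback runs, so a second Set that consults current_settings sees stale state. The C program below is an added example, not bluez code: it queues mode changes and applies them on a simulated completion, as new_settings_callback() does, then replays the two back-to-back Sets from the capture against a timeout setter that mirrors the check quoted above and against one that also considers the still-pending request. The model's own names (pending_queue, complete_all, discoverable_effective, replay_settings_close) are assumptions, and the MGMT_SETTING_DISCOVERABLE bit value is the one used in bluez's mgmt.h (any distinct bit would do for the model).

```c
/* Added example, not bluez code: a minimal model of the asynchronous
 * settings race in property_set_discoverable_timeout(). Mode changes are
 * queued; current_settings changes only when the simulated kernel
 * completion applies them, like new_settings_callback() in bluez. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MGMT_SETTING_DISCOVERABLE 0x00000008u /* bit value as in bluez mgmt.h */
#define MAX_PENDING 8

struct adapter {
    uint32_t current_settings;           /* last state reported by the kernel */
    uint32_t discoverable_timeout;
    uint8_t  pending_queue[MAX_PENDING]; /* requested modes, oldest first (model) */
    int      pending_count;
};

/* Models property_set_mode(): the request is queued; current_settings is untouched. */
static void set_discoverable(struct adapter *a, uint8_t mode, uint32_t timeout)
{
    (void)timeout;
    if (a->pending_count < MAX_PENDING)
        a->pending_queue[a->pending_count++] = mode;
}

/* Models the kernel completions / new_settings_callback(): apply requests in order. */
static void complete_all(struct adapter *a)
{
    for (int i = 0; i < a->pending_count; i++) {
        if (a->pending_queue[i])
            a->current_settings |= MGMT_SETTING_DISCOVERABLE;
        else
            a->current_settings &= ~MGMT_SETTING_DISCOVERABLE;
    }
    a->pending_count = 0;
}

/* Effective discoverable state: the newest pending request if any, else the kernel's. */
static bool discoverable_effective(const struct adapter *a)
{
    if (a->pending_count > 0)
        return a->pending_queue[a->pending_count - 1] != 0;
    return (a->current_settings & MGMT_SETTING_DISCOVERABLE) != 0;
}

/* Buggy: consults current_settings only, the check quoted in comment #3. */
static void set_discoverable_timeout_buggy(struct adapter *a, uint32_t timeout)
{
    a->discoverable_timeout = timeout;
    if (a->current_settings & MGMT_SETTING_DISCOVERABLE)
        set_discoverable(a, 0x01, a->discoverable_timeout);
}

/* Fixed: consults the effective state, so a pending "off" is not overridden. */
static void set_discoverable_timeout_fixed(struct adapter *a, uint32_t timeout)
{
    a->discoverable_timeout = timeout;
    if (discoverable_effective(a))
        set_discoverable(a, 0x01, a->discoverable_timeout);
}

/* Replays the capture on an adapter that is currently discoverable:
 * Set Discoverable=false, then Set DiscoverableTimeout=0 before the first
 * completes, then let the kernel callbacks run. Returns the final state. */
bool replay_settings_close(bool use_fixed_setter)
{
    struct adapter a = { .current_settings = MGMT_SETTING_DISCOVERABLE,
                         .discoverable_timeout = 180 };
    set_discoverable(&a, 0x00, 0);
    if (use_fixed_setter)
        set_discoverable_timeout_fixed(&a, 0);
    else
        set_discoverable_timeout_buggy(&a, 0);
    complete_all(&a);
    return (a.current_settings & MGMT_SETTING_DISCOVERABLE) != 0;
}

int main(void)
{
    printf("buggy setter: Discoverable ends %s\n", replay_settings_close(false) ? "on" : "off");
    printf("fixed setter: Discoverable ends %s\n", replay_settings_close(true) ? "on" : "off");
    return 0;
}
```

With the buggy setter the queue ends up as [off, on] and the adapter is discoverable once both completions have run, which is the "Discoverable changed back to true" signal in the capture; with the fixed setter no re-enable is queued and the adapter stays off. The same reasoning explains the observations in comment #2: waiting for the reply (--print-reply) lets the first change complete before the second Set is issued, so the stale check never fires.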

------------------------------------------------------------------------
On 2018-07-19T12:26:27+00:00 Bastien wrote:

Worked-around in gnome-bluetooth 3.28:
https://gitlab.gnome.org/GNOME/gnome-bluetooth/commit/6b5086d42ea64d46277f3c93b43984f331d12f89

The problem would not occur in 3.26 as D-Bus calls were synchronous, and we would DiscoverableTimeout if Discoverable was set:
https://gitlab.gnome.org/GNOME/gnome-bluetooth/blob/gnome-3-26/lib/bluetooth-client.c#L1118

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-bluetooth/+bug/1791405/comments/4

------------------------------------------------------------------------
On 2018-07-19T12:45:33+00:00 Bastien wrote:

(In reply to Bastien Nocera from comment #4)
> The problem would not occur in 3.26 as D-Bus calls were synchronous, and we
> would DiscoverableTimeout if Discoverable was set:

we would "not set" DiscoverableTimeout if...

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-bluetooth/+bug/1791405/comments/5

------------------------------------------------------------------------
On 2018-07-25T11:08:21+00:00 Bastien wrote:

Upstream patches to avoid the race mentioned earlier:
https://marc.info/?l=linux-bluetooth&m=153251404332012&w=2
https://marc.info/?l=linux-bluetooth&m=153251404332014&w=2
https://marc.info/?l=linux-bluetooth&m=153251404332015&w=2
https://marc.info/?l=linux-bluetooth&m=153251404532016&w=2

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-bluetooth/+bug/1791405/comments/6

------------------------------------------------------------------------
On 2018-07-27T12:23:09+00:00 Bastien wrote:

And this set:
https://marc.info/?l=linux-bluetooth&m=153261464929156&w=2
https://marc.info/?l=linux-bluetooth&m=153261465129157&w=2
https://marc.info/?l=linux-bluetooth&m=153261465229159&w=2
https://marc.info/?l=linux-bluetooth&m=153261465329160&w=2
https://marc.info/?l=linux-bluetooth&m=153261465529161&w=2
when used, should completely avoid the Discoverable state being on when the Settings are closed.

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-bluetooth/+bug/1791405/comments/7

------------------------------------------------------------------------
On 2018-07-27T14:18:54+00:00 Bastien wrote:

(In reply to Bastien Nocera from comment #7)
> And this set:
> https://marc.info/?l=linux-bluetooth&m=153261464929156&w=2
> https://marc.info/?l=linux-bluetooth&m=153261465129157&w=2
> https://marc.info/?l=linux-bluetooth&m=153261465229159&w=2
> https://marc.info/?l=linux-bluetooth&m=153261465329160&w=2
> https://marc.info/?l=linux-bluetooth&m=153261465529161&w=2
> when used, should completely avoid the Discoverable state being on when the
> Settings are closed.

The gnome-bluetooth patches to use this new functionality, when available:
https://gitlab.gnome.org/GNOME/gnome-bluetooth/merge_requests/1

Reply at: https://bugs.launchpad.net/ubuntu/+source/gnome-bluetooth/+bug/1791405/comments/8


** Changed in: gnome-bluetooth (Fedora)
       Status: Unknown => Confirmed

** Changed in: gnome-bluetooth (Fedora)
   Importance: Unknown => Undecided

-- 
You received this bug notification because you are a member of
Bluetooth, which is subscribed to gnome-bluetooth in Ubuntu.
https://bugs.launchpad.net/bugs/1791405

Title:
  bluetooth always in discoverable mode (security issue)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-bluetooth/+bug/1791405/+subscriptions
