[SRU Focal][PATCH 0/5] Address bluetooth security issues


Stefan Bader-2
Intel released an advisory on the bluetooth stack[1] that has a
collection of issues and recommendations. This set is a collection of
all those into Focal. Some will have to go into Bionic and Xenial but I
expect some changes will be needed. So I am submitting this just for
Focal to be a template for the backports.

-Stefan

[1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html

Luiz Augusto von Dentz (4):
  Bluetooth: A2MP: Fix not initializing all members
    - note this appears to be present since v3.6
  Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
    - note this appears to be present since v4.8
  Bluetooth: Disable High Speed by default
  Bluetooth: MGMT: Fix not checking if BT_HS is enabled

Stefan Bader (1):
  UBUNTU: [Config] Disable BlueZ highspeed support
    - note this turns off High Speed support in the driver. The related
      Intel patch claims this would only prevent use of higher speeds as
      feature. And that this would not be supported by hardware very
      often anyway. We might want to reconsider this later.

 debian.master/config/annotations          |  3 ++-
 debian.master/config/config.common.ubuntu |  2 +-
 include/net/bluetooth/l2cap.h             |  2 ++
 net/bluetooth/Kconfig                     |  1 -
 net/bluetooth/a2mp.c                      | 22 +++++++++++++++++++++-
 net/bluetooth/l2cap_core.c                |  7 ++++---
 net/bluetooth/l2cap_sock.c                | 14 ++++++++++++++
 net/bluetooth/mgmt.c                      |  7 ++++++-
 8 files changed, 50 insertions(+), 8 deletions(-)

--
2.25.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU Focal][PATCH 1/5] Bluetooth: A2MP: Fix not initializing all members

Stefan Bader-2
From: Luiz Augusto von Dentz <[hidden email]>

This fixes various places where a stack variable is used uninitialized.

Signed-off-by: Luiz Augusto von Dentz <[hidden email]>
Signed-off-by: Marcel Holtmann <[hidden email]>

CVE-2020-12352
(cherry picked from commit eddb7732119d53400f48a02536a84c509692faa8 linux-next)
Signed-off-by: Stefan Bader <[hidden email]>
---
 net/bluetooth/a2mp.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c
index 26526be579c7..da7fd7c8c2dc 100644
--- a/net/bluetooth/a2mp.c
+++ b/net/bluetooth/a2mp.c
@@ -226,6 +226,9 @@ static int a2mp_discover_rsp(struct amp_mgr *mgr, struct sk_buff *skb,
  struct a2mp_info_req req;
 
  found = true;
+
+ memset(&req, 0, sizeof(req));
+
  req.id = cl->id;
  a2mp_send(mgr, A2MP_GETINFO_REQ, __next_ident(mgr),
   sizeof(req), &req);
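
Review bot: The commit message should say why the uninitialized members matter, and this hunk in a2mp_discover_rsp() shows it: the struct is handed to a2mp_send() whole, as `sizeof(req), &req`, so any member or padding byte not assigned beforehand goes out with whatever was on the stack. Saying that next to the CVE-2020-12352 tag would tell backporters that every stack struct passed to a2mp_send() needs the same memset, not only the sites touched here.
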
@@ -305,6 +308,8 @@ static int a2mp_getinfo_req(struct amp_mgr *mgr, struct sk_buff *skb,
  if (!hdev || hdev->dev_type != HCI_AMP) {
  struct a2mp_info_rsp rsp;
 
+ memset(&rsp, 0, sizeof(rsp));
+
  rsp.id = req->id;
  rsp.status = A2MP_STATUS_INVALID_CTRL_ID;
 
@@ -348,6 +353,8 @@ static int a2mp_getinfo_rsp(struct amp_mgr *mgr, struct sk_buff *skb,
  if (!ctrl)
  return -ENOMEM;
 
+ memset(&req, 0, sizeof(req));
+
  req.id = rsp->id;
  a2mp_send(mgr, A2MP_GETAMPASSOC_REQ, __next_ident(mgr), sizeof(req),
   &req);
@@ -376,6 +383,8 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb,
  struct a2mp_amp_assoc_rsp rsp;
  rsp.id = req->id;
 
+ memset(&rsp, 0, sizeof(rsp));
+
  if (tmp) {
  rsp.status = A2MP_STATUS_COLLISION_OCCURED;
  amp_mgr_put(tmp);
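
Review bot: In a2mp_getampassoc_req() the new `memset(&rsp, 0, sizeof(rsp));` lands after the existing `rsp.id = req->id;`, so the id copied from the request is cleared to 0 again before the response is used. Move the assignment below the memset, which is the order every other hunk in this patch uses.
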
@@ -464,7 +473,6 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
    struct a2mp_cmd *hdr)
 {
  struct a2mp_physlink_req *req = (void *) skb->data;
-
  struct a2mp_physlink_rsp rsp;
  struct hci_dev *hdev;
  struct hci_conn *hcon;
@@ -475,6 +483,8 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
 
  BT_DBG("local_id %d, remote_id %d", req->local_id, req->remote_id);
 
+ memset(&rsp, 0, sizeof(rsp));
+
  rsp.local_id = req->remote_id;
  rsp.remote_id = req->local_id;
 
@@ -553,6 +563,8 @@ static int a2mp_discphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
 
  BT_DBG("local_id %d remote_id %d", req->local_id, req->remote_id);
 
+ memset(&rsp, 0, sizeof(rsp));
+
  rsp.local_id = req->remote_id;
  rsp.remote_id = req->local_id;
  rsp.status = A2MP_STATUS_SUCCESS;
@@ -675,6 +687,8 @@ static int a2mp_chan_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
  if (err) {
  struct a2mp_cmd_rej rej;
 
+ memset(&rej, 0, sizeof(rej));
+
  rej.reason = cpu_to_le16(0);
  hdr = (void *) skb->data;
 
@@ -898,6 +912,8 @@ void a2mp_send_getinfo_rsp(struct hci_dev *hdev)
 
  BT_DBG("%s mgr %p", hdev->name, mgr);
 
+ memset(&rsp, 0, sizeof(rsp));
+
  rsp.id = hdev->id;
  rsp.status = A2MP_STATUS_INVALID_CTRL_ID;
 
@@ -995,6 +1011,8 @@ void a2mp_send_create_phy_link_rsp(struct hci_dev *hdev, u8 status)
  if (!mgr)
  return;
 
+ memset(&rsp, 0, sizeof(rsp));
+
  hs_hcon = hci_conn_hash_lookup_state(hdev, AMP_LINK, BT_CONNECT);
  if (!hs_hcon) {
  rsp.status = A2MP_STATUS_UNABLE_START_LINK_CREATION;
@@ -1027,6 +1045,8 @@ void a2mp_discover_amp(struct l2cap_chan *chan)
 
  mgr->bredr_chan = chan;
 
+ memset(&req, 0, sizeof(req));
+
  req.mtu = cpu_to_le16(L2CAP_A2MP_DEFAULT_MTU);
  req.ext_feat = 0;
  a2mp_send(mgr, A2MP_DISCOVER_REQ, 1, sizeof(req), &req);
--
2.25.1



[SRU Focal][PATCH 2/5] Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel

Stefan Bader-2
In reply to this post by Stefan Bader-2
From: Luiz Augusto von Dentz <[hidden email]>

Only sockets will have the chan->data set to an actual sk; channels
like A2MP would have their own data, which would likely cause a crash when
calling sk_filter. In order to fix this, a new callback has been
introduced so channels can implement their own filtering if necessary.

Signed-off-by: Luiz Augusto von Dentz <[hidden email]>
Signed-off-by: Marcel Holtmann <[hidden email]>

CVE-2020-12351
(backported from commit f19425641cb2572a33cb074d5e30283720bd4d22 linux-next)
[smb: adjust context in last hunk(l2cap_chan_ops)]
Signed-off-by: Stefan Bader <[hidden email]>
---
 include/net/bluetooth/l2cap.h |  2 ++
 net/bluetooth/l2cap_core.c    |  7 ++++---
 net/bluetooth/l2cap_sock.c    | 14 ++++++++++++++
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 093aedebdf0c..8efc2419a815 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -623,6 +623,8 @@ struct l2cap_ops {
  struct sk_buff *(*alloc_skb) (struct l2cap_chan *chan,
        unsigned long hdr_len,
        unsigned long len, int nb);
+ int (*filter) (struct l2cap_chan * chan,
+   struct sk_buff *skb);
 };
 
 struct l2cap_conn {
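
Review bot: The new `filter` member of struct l2cap_ops is declared with `struct l2cap_chan * chan`, while `alloc_skb` directly above it uses `struct l2cap_chan *chan`; drop the space after the asterisk. A one-line comment saying that the callback is optional and that a non-zero return means the skb is dropped would also help, since l2cap_data_rcv() depends on both.
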
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a845786258a0..9afde48ee998 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6696,9 +6696,10 @@ static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
  goto drop;
  }
 
- if ((chan->mode == L2CAP_MODE_ERTM ||
-     chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
- goto drop;
+ if (chan->ops->filter) {
+ if (chan->ops->filter(chan, skb))
+ goto drop;
+ }
 
  if (!control->sframe) {
  int err;
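
Review bot: The ERTM/streaming mode test is removed from l2cap_data_rcv() and now lives only inside the callback, so any l2cap_ops user that leaves `.filter` unset gets no filtering at all. That is the intent for A2MP, but it is worth confirming that every ops table whose chan->data is a struct sock sets `.filter`, because this patch wires it up only in l2cap_chan_ops. The nested test can also be folded into `if (chan->ops->filter && chan->ops->filter(chan, skb))`.
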
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index a7be8b59b3c2..ec27a0c45c52 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1467,6 +1467,19 @@ static void l2cap_sock_suspend_cb(struct l2cap_chan *chan)
  sk->sk_state_change(sk);
 }
 
+static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
+{
+ struct sock *sk = chan->data;
+
+ switch (chan->mode) {
+ case L2CAP_MODE_ERTM:
+ case L2CAP_MODE_STREAMING:
+ return sk_filter(sk, skb);
+ }
+
+ return 0;
+}
+
 static const struct l2cap_ops l2cap_chan_ops = {
  .name = "L2CAP Socket Interface",
  .new_connection = l2cap_sock_new_connection_cb,
@@ -1481,6 +1494,7 @@ static const struct l2cap_ops l2cap_chan_ops = {
  .set_shutdown = l2cap_sock_set_shutdown_cb,
  .get_sndtimeo = l2cap_sock_get_sndtimeo_cb,
  .alloc_skb = l2cap_sock_alloc_skb_cb,
+ .filter = l2cap_sock_filter,
 };
 
 static void l2cap_sock_destruct(struct sock *sk)
--
2.25.1



[SRU Focal][PATCH 3/5] Bluetooth: Disable High Speed by default

Stefan Bader-2
In reply to this post by Stefan Bader-2
From: Luiz Augusto von Dentz <[hidden email]>

Bluetooth High Speed requires hardware support which is very uncommon
nowadays since HS has not picked up interest from the industry.

Signed-off-by: Luiz Augusto von Dentz <[hidden email]>
Signed-off-by: Marcel Holtmann <[hidden email]>

CVE-2020-24490
CVE-2020-12351
CVE-2020-12352
(cherry picked from commit b176dd0ef6afcb3bca24f41d78b0d0b731ec2d08 linux-next)
Signed-off-by: Stefan Bader <[hidden email]>
---
 net/bluetooth/Kconfig | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/bluetooth/Kconfig b/net/bluetooth/Kconfig
index 3803135c88ff..340f169f6d54 100644
--- a/net/bluetooth/Kconfig
+++ b/net/bluetooth/Kconfig
@@ -64,7 +64,6 @@ source "net/bluetooth/hidp/Kconfig"
 config BT_HS
  bool "Bluetooth High Speed (HS) features"
  depends on BT_BREDR
- default y
  help
   Bluetooth High Speed includes support for off-loading
   Bluetooth connections via 802.11 (wifi) physical layer
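
Review bot: Dropping `default y` from BT_HS only changes what a fresh configuration picks; a configuration that already carries CONFIG_BT_HS=y keeps High Speed enabled, so this hunk alone does not turn the feature off for an existing distro config. The help text is also left unchanged; a sentence there saying that HS is off by default and needs hardware support would match the commit message.
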
--
2.25.1



[SRU Focal][PATCH 4/5] Bluetooth: MGMT: Fix not checking if BT_HS is enabled

Stefan Bader-2
In reply to this post by Stefan Bader-2
From: Luiz Augusto von Dentz <[hidden email]>

This checks if BT_HS is enabled, reflecting it on MGMT_SETTING_HS instead
of always reporting it as supported.

Signed-off-by: Luiz Augusto von Dentz <[hidden email]>
Signed-off-by: Marcel Holtmann <[hidden email]>

CVE-2020-24490
CVE-2020-12351
CVE-2020-12352
(backported from commit b560a208cda0297fef6ff85bbfd58a8f0a52a543 linux-next)
[smb: adjust context in second hunk (debug function rename)]
Signed-off-by: Stefan Bader <[hidden email]>
---
 net/bluetooth/mgmt.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index acb7c6d5643f..5fce559a61bf 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -756,7 +756,8 @@ static u32 get_supported_settings(struct hci_dev *hdev)
 
  if (lmp_ssp_capable(hdev)) {
  settings |= MGMT_SETTING_SSP;
- settings |= MGMT_SETTING_HS;
+ if (IS_ENABLED(CONFIG_BT_HS))
+ settings |= MGMT_SETTING_HS;
  }
 
  if (lmp_sc_capable(hdev))
@@ -1771,6 +1772,10 @@ static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
 
  BT_DBG("request for %s", hdev->name);
 
+ if (!IS_ENABLED(CONFIG_BT_HS))
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
+       MGMT_STATUS_NOT_SUPPORTED);
+
  status = mgmt_bredr_support(hdev);
  if (status)
  return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);
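
Review bot: The commit message covers only the MGMT_SETTING_HS reporting change in get_supported_settings(); the early return added to set_hs(), which answers MGMT_OP_SET_HS with MGMT_STATUS_NOT_SUPPORTED when CONFIG_BT_HS is off, is a behaviour change visible to management clients and should be mentioned there as well.
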
--
2.25.1



[SRU Focal][PATCH 5/5] UBUNTU: [Config] Disable BlueZ highspeed support

Stefan Bader-2
In reply to this post by Stefan Bader-2
The Intel BlueZ project recommends in [1] to disable highspeed support
as part of the fixes for the security issues. This does the required
changes.

[1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html

CVE-2020-24490
CVE-2020-12351
CVE-2020-12352
Signed-off-by: Stefan Bader <[hidden email]>
---
 debian.master/config/annotations          | 3 ++-
 debian.master/config/config.common.ubuntu | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 6b851ba69fd3..9e28dcf9110e 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -11099,7 +11099,8 @@ CONFIG_BT_BNEP_MC_FILTER                        policy<{'amd64': 'y', 'arm64': '
 CONFIG_BT_BNEP_PROTO_FILTER                     policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', }>
 CONFIG_BT_CMTP                                  policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm', }>
 CONFIG_BT_HIDP                                  policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm', }>
-CONFIG_BT_HS                                    policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', }>
+CONFIG_BT_HS                                    policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', }>
+CONFIG_BT_HS mark<ENFORCED> note<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html>
 
 # Menu: Networking support >> Bluetooth subsystem support >> Bluetooth device drivers
 CONFIG_BT_HCIBTSDIO                             policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm', }>
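
Review bot: The added `CONFIG_BT_HS mark<ENFORCED> note<...>` line separates the option name from the flags with a single space, while every neighbouring entry pads the name to a fixed column; align it the same way. The note<> carries only the advisory URL, so adding the three CVE ids from the commit message would make the reason for the ENFORCED mark searchable in the file itself.
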
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 51bceb76493c..5abd7a1b659e 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -1269,7 +1269,7 @@ CONFIG_BT_HCIUART_RTL=y
 CONFIG_BT_HCIUART_SERDEV=y
 CONFIG_BT_HCIVHCI=m
 CONFIG_BT_HIDP=m
-CONFIG_BT_HS=y
+# CONFIG_BT_HS is not set
 CONFIG_BT_INTEL=m
 CONFIG_BT_LE=y
 CONFIG_BT_LEDS=y
--
2.25.1



ACK: [SRU Focal][PATCH 0/5] Address bluetooth security issues

Colin Ian King-2
In reply to this post by Stefan Bader-2


On 15/10/2020 10:32, Stefan Bader wrote:

> Intel released an advisory on the bluetooth stack[1] that has a
> collection of issues and recommendations. This set is a collection of
> all those into Focal. Some will have to go into Bionic and Xenial but I
> expect some changes will be needed. So I am submitting this just for
> Focal to be a template for the backports.
>
> -Stefan
>
> [1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
>
> Luiz Augusto von Dentz (4):
>   Bluetooth: A2MP: Fix not initializing all members
>     - note this appears to be present since v3.6
>   Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
>     - note this appears to be present since v4.8
>   Bluetooth: Disable High Speed by default
>   Bluetooth: MGMT: Fix not checking if BT_HS is enabled
>
> Stefan Bader (1):
>   UBUNTU: [Config] Disable BlueZ highspeed support
>     - note this turns off High Speed support in the driver. The related
>       Intel patch claims this would only prevent use of higher speeds as
>       feature. And that this would not be supported by hardware very
>       often anyway. We might want to reconsider this later.
>
>  debian.master/config/annotations          |  3 ++-
>  debian.master/config/config.common.ubuntu |  2 +-
>  include/net/bluetooth/l2cap.h             |  2 ++
>  net/bluetooth/Kconfig                     |  1 -
>  net/bluetooth/a2mp.c                      | 22 +++++++++++++++++++++-
>  net/bluetooth/l2cap_core.c                |  7 ++++---
>  net/bluetooth/l2cap_sock.c                | 14 ++++++++++++++
>  net/bluetooth/mgmt.c                      |  7 ++++++-
>  8 files changed, 50 insertions(+), 8 deletions(-)
>

Looks good to me. Thanks Stefan.

Acked-by: Colin Ian King <[hidden email]>


ACK: [SRU Focal][PATCH 0/5] Address bluetooth security issues

Andrea Righi
In reply to this post by Stefan Bader-2
On Thu, Oct 15, 2020 at 11:32:39AM +0200, Stefan Bader wrote:

> Intel released an advisory on the bluetooth stack[1] that has a
> collection of issues and recommendations. This set is a collection of
> all those into Focal. Some will have to go into Bionic and Xenial but I
> expect some changes will be needed. So I am submitting this just for
> Focal to be a template for the backports.
>
> -Stefan
>
> [1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
>
> Luiz Augusto von Dentz (4):
>   Bluetooth: A2MP: Fix not initializing all members
>     - note this appears to be present since v3.6
>   Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
>     - note this appears to be present since v4.8
>   Bluetooth: Disable High Speed by default
>   Bluetooth: MGMT: Fix not checking if BT_HS is enabled
>
> Stefan Bader (1):
>   UBUNTU: [Config] Disable BlueZ highspeed support
>     - note this turns off High Speed support in the driver. The related
>       Intel patch claims this would only prevent use of higher speeds as
>       feature. And that this would not be supported by hardware very
>       often anyway. We might want to reconsider this later.
>
>  debian.master/config/annotations          |  3 ++-
>  debian.master/config/config.common.ubuntu |  2 +-
>  include/net/bluetooth/l2cap.h             |  2 ++
>  net/bluetooth/Kconfig                     |  1 -
>  net/bluetooth/a2mp.c                      | 22 +++++++++++++++++++++-
>  net/bluetooth/l2cap_core.c                |  7 ++++---
>  net/bluetooth/l2cap_sock.c                | 14 ++++++++++++++
>  net/bluetooth/mgmt.c                      |  7 ++++++-
>  8 files changed, 50 insertions(+), 8 deletions(-)

Looks good. Thanks.

Acked-by: Andrea Righi <[hidden email]>


APPLIED: [SRU Focal][PATCH 0/5] Address bluetooth security issues

Stefan Bader-2
In reply to this post by Stefan Bader-2
On 15.10.20 11:32, Stefan Bader wrote:

> Intel released an advisory on the bluetooth stack[1] that has a
> collection of issues and recommendations. This set is a collection of
> all those into Focal. Some will have to go into Bionic and Xenial but I
> expect some changes will be needed. So I am submitting this just for
> Focal to be a template for the backports.
>
> -Stefan
>
> [1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
>
> Luiz Augusto von Dentz (4):
>   Bluetooth: A2MP: Fix not initializing all members
>     - note this appears to be present since v3.6
>   Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
>     - note this appears to be present since v4.8
>   Bluetooth: Disable High Speed by default
>   Bluetooth: MGMT: Fix not checking if BT_HS is enabled
>
> Stefan Bader (1):
>   UBUNTU: [Config] Disable BlueZ highspeed support
>     - note this turns off High Speed support in the driver. The related
>       Intel patch claims this would only prevent use of higher speeds as
>       feature. And that this would not be supported by hardware very
>       often anyway. We might want to reconsider this later.
>
>  debian.master/config/annotations          |  3 ++-
>  debian.master/config/config.common.ubuntu |  2 +-
>  include/net/bluetooth/l2cap.h             |  2 ++
>  net/bluetooth/Kconfig                     |  1 -
>  net/bluetooth/a2mp.c                      | 22 +++++++++++++++++++++-
>  net/bluetooth/l2cap_core.c                |  7 ++++---
>  net/bluetooth/l2cap_sock.c                | 14 ++++++++++++++
>  net/bluetooth/mgmt.c                      |  7 ++++++-
>  8 files changed, 50 insertions(+), 8 deletions(-)
>
Applied to focal/respin+master. I will push out a rebased master-next as soon as
it is ready. Thanks.

-Stefan



APPLIED G: [SRU Focal][PATCH 0/5] Address bluetooth security issues

Andrea Righi
In reply to this post by Stefan Bader-2
On Thu, Oct 15, 2020 at 11:32:39AM +0200, Stefan Bader wrote:

> Intel released an advisory on the bluetooth stack[1] that has a
> collection of issues and recommendations. This set is a collection of
> all those into Focal. Some will have to go into Bionic and Xenial but I
> expect some changes will be needed. So I am submitting this just for
> Focal to be a template for the backports.
>
> -Stefan
>
> [1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
>
> Luiz Augusto von Dentz (4):
>   Bluetooth: A2MP: Fix not initializing all members
>     - note this appears to be present since v3.6
>   Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
>     - note this appears to be present since v4.8
>   Bluetooth: Disable High Speed by default
>   Bluetooth: MGMT: Fix not checking if BT_HS is enabled
>
> Stefan Bader (1):
>   UBUNTU: [Config] Disable BlueZ highspeed support
>     - note this turns off High Speed support in the driver. The related
>       Intel patch claims this would only prevent use of higher speeds as
>       feature. And that this would not be supported by hardware very
>       often anyway. We might want to reconsider this later.
>
>  debian.master/config/annotations          |  3 ++-
>  debian.master/config/config.common.ubuntu |  2 +-
>  include/net/bluetooth/l2cap.h             |  2 ++
>  net/bluetooth/Kconfig                     |  1 -
>  net/bluetooth/a2mp.c                      | 22 +++++++++++++++++++++-
>  net/bluetooth/l2cap_core.c                |  7 ++++---
>  net/bluetooth/l2cap_sock.c                | 14 ++++++++++++++
>  net/bluetooth/mgmt.c                      |  7 ++++++-
>  8 files changed, 50 insertions(+), 8 deletions(-)
>
> --
> 2.25.1
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team


APPLIED[B]: [SRU Focal][PATCH 0/5] Address bluetooth security issues

Kleber Souza
In reply to this post by Stefan Bader-2
On 15.10.20 11:32, Stefan Bader wrote:

> Intel released an advisory on the bluetooth stack[1] that has a
> collection of issues and recommendations. This set is a collection of
> all those into Focal. Some will have to go into Bionic and Xenial but I
> expect some changes will be needed. So I am submitting this just for
> Focal to be a template for the backports.
>
> -Stefan
>
> [1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
>
> Luiz Augusto von Dentz (4):
>   Bluetooth: A2MP: Fix not initializing all members
>     - note this appears to be present since v3.6
>   Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
>     - note this appears to be present since v4.8
>   Bluetooth: Disable High Speed by default
>   Bluetooth: MGMT: Fix not checking if BT_HS is enabled
>
> Stefan Bader (1):
>   UBUNTU: [Config] Disable BlueZ highspeed support
>     - note this turns off High Speed support in the driver. The related
>       Intel patch claims this would only prevent use of higher speeds as
>       feature. And that this would not be supported by hardware very
>       often anyway. We might want to reconsider this later.
>
>  debian.master/config/annotations          |  3 ++-
>  debian.master/config/config.common.ubuntu |  2 +-
>  include/net/bluetooth/l2cap.h             |  2 ++
>  net/bluetooth/Kconfig                     |  1 -
>  net/bluetooth/a2mp.c                      | 22 +++++++++++++++++++++-
>  net/bluetooth/l2cap_core.c                |  7 ++++---
>  net/bluetooth/l2cap_sock.c                | 14 ++++++++++++++
>  net/bluetooth/mgmt.c                      |  7 ++++++-
>  8 files changed, 50 insertions(+), 8 deletions(-)
>

Applied also to bionic/linux.

Thanks,
Kleber
