From: Luiz Augusto von Dentz
stable inclusion
from linux-4.19.192
commit 30126d4ba73119565f1748b116b9869ac6bbda6b
category: bugfix
issue: #I421FG
CVE: CVE-2021-0129
--------------------------------
commit 6d19628f539fccf899298ff02ee4c73e4bf6df3f upstream.
This fails the pairing procedure when both remote and local non-debug
public keys are identical.
Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Marcel Holtmann
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Yang Yingliang
Signed-off-by: Yu Changchun
---
net/bluetooth/smp.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index cc2f7ca91..719ae1dff 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2703,6 +2703,15 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
if (skb->len < sizeof(*key))
return SMP_INVALID_PARAMS;
+ /* Check if remote and local public keys are the same and debug key is
+ * not in use.
+ */
+ if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
+ !crypto_memneq(key, smp->local_pk, 64)) {
+ bt_dev_err(hdev, "Remote and local public keys are identical");
+ return SMP_UNSPECIFIED;
+ }
+
memcpy(smp->remote_pk, key, 64);
if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
--
2.25.1
