github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-12 16:18:45 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
20756fec2f
linux/net/bluetooth
History
Oleh Konko 20756fec2f Bluetooth: SMP: derive legacy responder STK authentication from MITM state 
The legacy responder path in smp_random() currently labels the stored
STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.
That reflects what the local service requested, not what the pairing
flow actually achieved.

For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear
and the resulting STK should remain unauthenticated even if the local
side requested HIGH security. Use the established MITM state when
storing the responder STK so the key metadata matches the pairing result.

This also keeps the legacy path aligned with the Secure Connections code,
which already treats JUST_WORKS/JUST_CFM as unauthenticated.

Fixes: fff3490f47 ("Bluetooth: Fix setting correct authentication information for SMP STK")
Cc: stable@vger.kernel.org
Signed-off-by: Oleh Konko <security@1seal.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-04-01 16:48:06 -04:00
..
bnep Bluetooth: bnep: fix wild-memory-access in proto_unregister 2024-10-16 16:10:03 -04:00
cmtp Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
hidp Bluetooth: HIDP: Fix possible UAF 2026-03-12 15:27:46 -04:00
rfcomm Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
6lowpan.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
af_bluetooth.c Bluetooth: ISO: add socket option to report packet seqnum via CMSG 2025-07-23 10:31:19 -04:00
aosp.c Bluetooth: aosp: Fix typo in comment 2025-07-23 10:30:18 -04:00
aosp.h
coredump.c Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv 2025-07-23 10:33:57 -04:00
ecdh_helper.c
ecdh_helper.h
eir.c Bluetooth: eir: Fix possible crashes on eir_create_adv_data 2025-06-11 16:29:22 -04:00
eir.h Bluetooth: eir: Fix possible crashes on eir_create_adv_data 2025-06-11 16:29:22 -04:00
hci_codec.c
hci_codec.h
hci_conn.c Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync 2026-04-01 16:46:33 -04:00
hci_core.c Bluetooth: hci_sync: annotate data-races around hdev->req_status 2026-03-19 14:43:20 -04:00
hci_debugfs.c Bluetooth: hci_dev: replace 'quirks' integer by 'quirk_flags' bitmap 2025-07-16 15:37:53 -04:00
hci_debugfs.h
hci_drv.c Bluetooth: Introduce HCI Driver protocol 2025-05-21 10:28:07 -04:00
hci_event.c Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt 2026-04-01 16:46:55 -04:00
hci_sock.c Bluetooth: purge error queues in socket destructors 2026-02-23 15:30:16 -05:00
hci_sync.c Bluetooth: hci_sync: Fix UAF in le_read_features_complete 2026-04-01 16:45:24 -04:00
hci_sysfs.c Bluetooth: Allow reset via sysfs 2025-01-15 10:37:07 -05:00
iso.c Including fixes from IPsec, Bluetooth and netfilter 2026-02-26 08:00:13 -08:00
Kconfig Bluetooth: Remove BT_HS 2024-03-06 17:22:39 -05:00
l2cap_core.c Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop 2026-03-25 15:32:32 -04:00
l2cap_sock.c Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb 2026-03-19 14:44:04 -04:00
leds.c Bluetooth: Use led_set_brightness() in LED trigger activate() callback 2024-09-10 13:06:11 -04:00
leds.h
lib.c Bluetooth: Fix typos in comments 2025-07-23 10:30:48 -04:00
Makefile Bluetooth: Introduce HCI Driver protocol 2025-05-21 10:28:07 -04:00
mgmt_config.c Bluetooth: mgmt: Add idle_timeout to configurable system parameters 2026-01-29 13:24:22 -05:00
mgmt_config.h
mgmt_util.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
mgmt_util.h Bluetooth: MGMT: Fix possible UAFs 2025-09-22 10:30:00 -04:00
mgmt.c Bluetooth: MGMT: validate mesh send advertising payload length 2026-04-01 16:47:19 -04:00
msft.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
msft.h Bluetooth: msft: fix slab-use-after-free in msft_do_close() 2024-05-03 13:05:28 -04:00
sco.c Bluetooth: SCO: fix race conditions in sco_sock_connect() 2026-04-01 16:43:53 -04:00
selftest.c
selftest.h
smp.c Bluetooth: SMP: derive legacy responder STK authentication from MITM state 2026-04-01 16:48:06 -04:00
smp.h Bluetooth: SMP: If an unallowed command is received consider it a failure 2025-07-16 15:33:30 -04:00