DivestOS/Patches/LineageOS-14.1/android_system_bt/396612.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Mon, 22 Apr 2024 21:14:56 +0000
Subject: [PATCH] Fix an authentication bypass bug in SMP

When pairing with BLE legacy pairing initiated
from remote, authentication can be bypassed.
This change fixes it.

Bug: 251514170
Test: m com.android.btservices
Test: manual run against PoC
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a3dbadc71428a30b172a74343be08498c656747)
Merged-In: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
Change-Id: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
---
 stack/smp/smp_act.c | 11 +++++++++++
 stack/smp/smp_int.h |  1 +
 2 files changed, 12 insertions(+)

diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c
index 7491d0972..925bcd832 100644
--- a/stack/smp/smp_act.c
+++ b/stack/smp/smp_act.c
@@ -331,6 +331,7 @@ void smp_send_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
 {
     SMP_TRACE_DEBUG("%s", __func__);
     smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
+    p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
 }
 
 /*******************************************************************************
@@ -720,6 +721,16 @@ void smp_proc_init(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
         return;
     }
 
+   if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
+         (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
+       !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT))
+   {
+     // in legacy pairing, the peer should send its rand after
+     // we send our confirm
+     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+     return;
+   }
+
     /* save the SRand for comparison */
     STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
 }
diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h
index bfac772b9..ab7676861 100644
--- a/stack/smp/smp_int.h
+++ b/stack/smp/smp_int.h
@@ -251,6 +251,7 @@ typedef union
 #define SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY  (1 << 6) /* used on slave to resolve race condition */
 #define SMP_PAIR_FLAG_HAVE_PEER_COMM      (1 << 7) /* used to resolve race condition */
 #define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY (1 << 8) /* used on slave to resolve race condition */
+#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT   (1 << 9)
 
 /* check if authentication requirement need MITM protection */
 #define SMP_NO_MITM_REQUIRED(x)  (((x) & SMP_AUTH_YN_BIT) == 0)
Fixup + Churn Signed-off-by: Tavi <tavi@divested.dev> 2024-07-13 18:51:09 +00:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
14.1: July ASB picks Signed-off-by: Tavi <tavi@divested.dev> 2024-07-04 13:17:52 +00:00			`From: Brian Delwiche <delwiche@google.com>`
			`Date: Mon, 22 Apr 2024 21:14:56 +0000`
Fixup + Churn Signed-off-by: Tavi <tavi@divested.dev> 2024-07-13 18:51:09 +00:00			`Subject: [PATCH] Fix an authentication bypass bug in SMP`
14.1: July ASB picks Signed-off-by: Tavi <tavi@divested.dev> 2024-07-04 13:17:52 +00:00
			`When pairing with BLE legacy pairing initiated`
			`from remote, authentication can be bypassed.`
			`This change fixes it.`

			`Bug: 251514170`
			`Test: m com.android.btservices`
			`Test: manual run against PoC`
			`Ignore-AOSP-First: security`
			`(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a3dbadc71428a30b172a74343be08498c656747)`
			`Merged-In: I66b1f9a80060f48a604001829db8ea7c96c7b7f8`
			`Change-Id: I66b1f9a80060f48a604001829db8ea7c96c7b7f8`
			`---`
			`stack/smp/smp_act.c \| 11 +++++++++++`
			`stack/smp/smp_int.h \| 1 +`
			`2 files changed, 12 insertions(+)`

			`diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c`
Fixup + Churn Signed-off-by: Tavi <tavi@divested.dev> 2024-07-13 18:51:09 +00:00			`index 7491d0972..925bcd832 100644`
14.1: July ASB picks Signed-off-by: Tavi <tavi@divested.dev> 2024-07-04 13:17:52 +00:00			`--- a/stack/smp/smp_act.c`
			`+++ b/stack/smp/smp_act.c`
			`@@ -331,6 +331,7 @@ void smp_send_confirm(tSMP_CB p_cb, tSMP_INT_DATA p_data)`
			`{`
			`SMP_TRACE_DEBUG("%s", __func__);`
			`smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);`
			`+ p_cb->flags \|= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;`
			`}`

			`/*******************************************************************************`
Fixup + Churn Signed-off-by: Tavi <tavi@divested.dev> 2024-07-13 18:51:09 +00:00			`@@ -720,6 +721,16 @@ void smp_proc_init(tSMP_CB p_cb, tSMP_INT_DATA p_data)`
14.1: July ASB picks Signed-off-by: Tavi <tavi@divested.dev> 2024-07-04 13:17:52 +00:00			`return;`
			`}`

			`+ if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&`
			`+ (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&`
			`+ !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT))`
			`+ {`
			`+ // in legacy pairing, the peer should send its rand after`
			`+ // we send our confirm`
			`+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);`
			`+ return;`
			`+ }`
			`+`
			`/* save the SRand for comparison */`
			`STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);`
			`}`
			`diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h`
Fixup + Churn Signed-off-by: Tavi <tavi@divested.dev> 2024-07-13 18:51:09 +00:00			`index bfac772b9..ab7676861 100644`
14.1: July ASB picks Signed-off-by: Tavi <tavi@divested.dev> 2024-07-04 13:17:52 +00:00			`--- a/stack/smp/smp_int.h`
			`+++ b/stack/smp/smp_int.h`
			`@@ -251,6 +251,7 @@ typedef union`
			`#define SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY (1 << 6) /* used on slave to resolve race condition */`
			`#define SMP_PAIR_FLAG_HAVE_PEER_COMM (1 << 7) /* used to resolve race condition */`
			`#define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY (1 << 8) /* used on slave to resolve race condition */`
			`+#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9)`

			`/* check if authentication requirement need MITM protection */`
			`#define SMP_NO_MITM_REQUIRED(x) (((x) & SMP_AUTH_YN_BIT) == 0)`