From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Hui Peng Date: Sat, 2 Sep 2023 04:20:10 +0000 Subject: [PATCH] Reject access to secure service authenticated from a temp bonding [1] Rejecct access to services running on l2cap Backport of Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 Bug: 294854926 Test: m com.android.btservices Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d) Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 --- stack/btm/btm_sec.c | 41 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c index f8884b917..44d510d3b 100644 --- a/stack/btm/btm_sec.c +++ b/stack/btm/btm_sec.c @@ -106,7 +106,7 @@ static BOOLEAN btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_ UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id, UINT32 mx_chan_id); -static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec); +static BOOLEAN btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec); static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec); static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec); static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec); @@ -145,7 +145,7 @@ static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = ** Returns BOOLEAN TRUE or FALSE ** *******************************************************************************/ -static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec) +static BOOLEAN btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec) { if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) { @@ -229,6 +229,26 @@ static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC * return(FALSE); } +/******************************************************************************* +** +** Function access_secure_service_from_temp_bond +** +** Description a utility function to test whether an access to +** secure service from temp bonding is happening +** +** Returns true if the aforementioned condition holds, +** false otherwise +** +*******************************************************************************/ +static BOOLEAN access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec, + bool locally_initiated, + uint16_t security_req) +{ + return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) && + btm_dev_authenticated(p_dev_rec) && + p_dev_rec->bond_type == BOND_TYPE_TEMPORARY; +} + /******************************************************************************* ** ** Function BTM_SecRegister @@ -2215,10 +2235,15 @@ tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle if (rc == BTM_SUCCESS) { + if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required)) + { + LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting"); + rc = BTM_FAILED_ON_SECURITY; + } if (p_callback) - (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS); + (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc); - return(BTM_SUCCESS); + return (rc); } } else @@ -5569,6 +5594,14 @@ extern tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec) } } + if (access_secure_service_from_temp_bond(p_dev_rec, + p_dev_rec->is_originator, + p_dev_rec->security_required)) + { + LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting"); + return (BTM_FAILED_ON_SECURITY); + } + /* All required security procedures already established */ p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |