Bluetooth: hci_event: Fix using memcmp when comparing keys

[ Upstream commit b541260615f601ae1b5d6d0cc54e790de706303b ]

memcmp is not consider safe to use with cryptographic secrets:

 'Do  not  use memcmp() to compare security critical data, such as
 cryptographic secrets, because the required CPU time depends on the
 number of equal bytes.'

While usage of memcmp for ZERO_KEY may not be considered a security
critical data, it can lead to more usage of memcmp with pairing keys
which could introduce more security problems.

Fixes: 455c2ff0a558 ("Bluetooth: Fix BR/EDR out-of-band pairing with only initiator data")
Fixes: 33155c4aae52 ("Bluetooth: hci_event: Ignore NULL link key")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 843502783b268d07eb0be1fbeb1be0ca852d7ead..8b59f7808628a2871d6d951ba167993119cf0c28 100644 (file)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -25,6 +25,8 @@
 /* Bluetooth HCI event handling. */
 
 #include <asm/unaligned.h>
+#include <linux/crypto.h>
+#include <crypto/algapi.h>
 
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
@@ -3827,7 +3829,7 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
                goto unlock;
 
        /* Ignore NULL link key against CVE-2020-26555 */
-       if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
+       if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
                bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
                           &ev->bdaddr);
                hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
@@ -4313,8 +4315,8 @@ static u8 bredr_oob_data_present(struct hci_conn *conn)
                 * available, then do not declare that OOB data is
                 * present.
                 */
-               if (!memcmp(data->rand256, ZERO_KEY, 16) ||
-                   !memcmp(data->hash256, ZERO_KEY, 16))
+               if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
+                   !crypto_memneq(data->hash256, ZERO_KEY, 16))
                        return 0x00;
 
                return 0x02;
@@ -4324,8 +4326,8 @@ static u8 bredr_oob_data_present(struct hci_conn *conn)
         * not supported by the hardware, then check that if
         * P-192 data values are present.
         */
-       if (!memcmp(data->rand192, ZERO_KEY, 16) ||
-           !memcmp(data->hash192, ZERO_KEY, 16))
+       if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
+           !crypto_memneq(data->hash192, ZERO_KEY, 16))
                return 0x00;
 
        return 0x01;