[PW_SID:1075166] Bluetooth: SMP: honor local MITM requirements for legacy pairing by BluezTestBot · Pull Request #3433 · BluezTestBot/bluetooth-next

BluezTestBot · 2026-03-31T13:05:44Z

smp_cmd_pairing_req() currently builds the pairing response from the
initiator auth_req before enforcing the local BT_SECURITY_HIGH
requirement. If the initiator omits SMP_AUTH_MITM, the response can
also omit it even though the local side still requires MITM.

tk_request() then sees an auth value without SMP_AUTH_MITM and may
select JUST_CFM, making method selection inconsistent with the pairing
policy the responder already enforces.

When the local side requires HIGH security, first verify that MITM can
be achieved from the IO capabilities and then force SMP_AUTH_MITM in the
response before build_pairing_cmd(). This keeps the responder auth bits
and later method selection aligned.

Fixes: `2b64d15` ("Bluetooth: Add MITM mechanism to LE-SMP")
Cc: stable@vger.kernel.org
Suggested-by: Luiz Augusto von Dentz luiz.dentz@gmail.com
Signed-off-by: Oleh Konko security@1seal.org

net/bluetooth/smp.c | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)

--
2.50.0

This patch adds workflow files for ci: [sync.yml] - The workflow file for scheduled work - Sync the repo with upstream repo and rebase the workflow branch - Review the patches in the patchwork and creates the PR if needed [ci.yml] - The workflow file for CI tasks - Run CI tests when PR is created Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>

… pairing response smp_cmd_pairing_req() currently builds the pairing response from the initiator auth_req before enforcing the local BT_SECURITY_HIGH requirement. If the initiator omits SMP_AUTH_MITM, the response can also omit it even though the local side still requires MITM. tk_request() then sees an auth value without SMP_AUTH_MITM and may select JUST_CFM, making method selection inconsistent with the pairing policy the responder already enforces. When the local side requires HIGH security, first verify that MITM can be achieved from the IO capabilities and then force SMP_AUTH_MITM in the response before build_pairing_cmd(). This keeps the responder auth bits and later method selection aligned. Fixes: 2b64d15 ("Bluetooth: Add MITM mechanism to LE-SMP") Cc: stable@vger.kernel.org Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com> Signed-off-by: Oleh Konko <security@1seal.org>

…state The legacy responder path in smp_random() currently labels the stored STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH. That reflects what the local service requested, not what the pairing flow actually achieved. For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear and the resulting STK should remain unauthenticated even if the local side requested HIGH security. Use the established MITM state when storing the responder STK so the key metadata matches the pairing result. This also keeps the legacy path aligned with the Secure Connections code, which already treats JUST_WORKS/JUST_CFM as unauthenticated. Fixes: fff3490 ("Bluetooth: Fix setting correct authentication information for SMP STK") Cc: stable@vger.kernel.org Signed-off-by: Oleh Konko <security@1seal.org>

github-actions · 2026-03-31T13:09:16Z

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.60 seconds
Result: PENDING

github-actions · 2026-03-31T13:09:17Z

GitLint
Desc: Run gitlint
Duration: 0.36 seconds
Result: PENDING

github-actions · 2026-03-31T13:09:19Z

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.14 seconds
Result: PASS

github-actions · 2026-03-31T13:09:51Z

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 26.52 seconds
Result: PASS

github-actions · 2026-03-31T13:10:25Z

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 29.17 seconds
Result: PASS

github-actions · 2026-03-31T13:11:02Z

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 31.85 seconds
Result: PASS

github-actions · 2026-03-31T13:11:32Z

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 25.71 seconds
Result: PASS

github-actions · 2026-03-31T13:21:03Z

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 568.97 seconds
Result: PASS

github-actions · 2026-03-31T13:21:33Z

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 28.52 seconds
Result: PASS

github-actions · 2026-03-31T13:22:15Z

TestRunner_iso-tester
Desc: Run iso-tester with test-runner
Duration: 40.23 seconds
Result: PASS

github-actions · 2026-03-31T13:22:22Z

TestRunner_bnep-tester
Desc: Run bnep-tester with test-runner
Duration: 6.34 seconds
Result: PASS

github-actions · 2026-03-31T13:24:20Z

TestRunner_mgmt-tester
Desc: Run mgmt-tester with test-runner
Duration: 116.93 seconds
Result: FAIL
Output:

Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.121 seconds

github-actions · 2026-03-31T13:24:31Z

TestRunner_rfcomm-tester
Desc: Run rfcomm-tester with test-runner
Duration: 9.51 seconds
Result: PASS

github-actions · 2026-03-31T13:24:46Z

TestRunner_sco-tester
Desc: Run sco-tester with test-runner
Duration: 14.39 seconds
Result: FAIL
Output:

WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0

github-actions · 2026-03-31T13:24:57Z

TestRunner_ioctl-tester
Desc: Run ioctl-tester with test-runner
Duration: 10.16 seconds
Result: PASS

github-actions · 2026-03-31T13:25:09Z

TestRunner_mesh-tester
Desc: Run mesh-tester with test-runner
Duration: 11.52 seconds
Result: FAIL
Output:

Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.784 seconds
Mesh - Send cancel - 2                               Timed out    1.996 seconds

github-actions · 2026-03-31T13:25:19Z

TestRunner_smp-tester
Desc: Run smp-tester with test-runner
Duration: 8.58 seconds
Result: PASS

github-actions · 2026-03-31T13:25:27Z

TestRunner_userchan-tester
Desc: Run userchan-tester with test-runner
Duration: 6.67 seconds
Result: PASS

github-actions · 2026-03-31T13:25:28Z

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 0.96 seconds
Result: PENDING

tedd-an and others added 3 commits March 30, 2026 20:53

github-actions bot force-pushed the workflow branch 5 times, most recently from 0e0806d to f465113 Compare April 2, 2026 20:42

Conversation

BluezTestBot commented Mar 31, 2026

Fixes: 2b64d15 ("Bluetooth: Add MITM mechanism to LE-SMP") Cc: stable@vger.kernel.org Suggested-by: Luiz Augusto von Dentz luiz.dentz@gmail.com Signed-off-by: Oleh Konko security@1seal.org

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

github-actions bot commented Mar 31, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Fixes: `2b64d15` ("Bluetooth: Add MITM mechanism to LE-SMP")
Cc: stable@vger.kernel.org
Suggested-by: Luiz Augusto von Dentz luiz.dentz@gmail.com
Signed-off-by: Oleh Konko security@1seal.org