Bug 1126720: Support random postfix for Bluetooth daemon socket name (under bluetooth2/), r=btian

This patch adds support for a random postfix for bluetoothd's socket name. The postfix is re-generated for every instance of the daemon. This prevents name collisions between mutliple sessions and malicious programs from taking over the connection easily. This patch is based on bug 1119746, patch [05].
2024-09-13 09:24:08 -07:00 · 2015-02-12 10:12:07 +01:00 · 2015-02-12 10:12:07 +01:00 · 7e3ef88592
commit 7e3ef88592
parent 4e8313a1a9
2 changed files with 75 additions and 11 deletions
--- a/dom/bluetooth2/bluedroid/BluetoothDaemonInterface.cpp
+++ b/dom/bluetooth2/bluedroid/BluetoothDaemonInterface.cpp
@ -7,6 +7,7 @@
 #include "BluetoothDaemonInterface.h"
 #include <cutils/properties.h>
 #include <fcntl.h>
+#include <stdlib.h>
 #include "BluetoothDaemonA2dpInterface.h"
 #include "BluetoothDaemonAvrcpInterface.h"
 #include "BluetoothDaemonHandsfreeInterface.h"
@ -17,6 +18,7 @@
 #include "mozilla/ipc/ListenSocket.h"
 #include "mozilla/ipc/UnixSocketConnector.h"
 #include "mozilla/unused.h"
+#include "prrng.h"

 using namespace mozilla::ipc;

@ -1904,10 +1906,13 @@ BluetoothDaemonInterface::OnConnectSuccess(enum Channel aChannel)
  MOZ_ASSERT(!mResultHandlerQ.IsEmpty());

  switch (aChannel) {
-    case LISTEN_SOCKET:
-      // Init, step 2: Start Bluetooth daemon */
-      if (NS_WARN_IF(property_set("ctl.start", "bluetoothd") < 0)) {
-        OnConnectError(CMD_CHANNEL);
+    case LISTEN_SOCKET: {
+        // Init, step 2: Start Bluetooth daemon */
+        nsCString value("bluetoothd:-a ");
+        value.Append(mListenSocketName);
+        if (NS_WARN_IF(property_set("ctl.start", value.get()) < 0)) {
+          OnConnectError(CMD_CHANNEL);
+        }
      }
      break;
    case CMD_CHANNEL:
@ -2067,6 +2072,46 @@ private:
  nsCString mSocketName;
 };

+nsresult
+BluetoothDaemonInterface::CreateRandomAddressString(
+  const nsACString& aPrefix, unsigned long aPostfixLength,
+  nsACString& aAddress)
+{
+  static const char sHexChar[16] = {
+    [0x0] = '0', [0x1] = '1', [0x2] = '2', [0x3] = '3',
+    [0x4] = '4', [0x5] = '5', [0x6] = '6', [0x7] = '7',
+    [0x8] = '8', [0x9] = '9', [0xa] = 'a', [0xb] = 'b',
+    [0xc] = 'c', [0xd] = 'd', [0xe] = 'e', [0xf] = 'f'
+  };
+
+  unsigned short seed[3];
+
+  if (NS_WARN_IF(!PR_GetRandomNoise(seed, sizeof(seed)))) {
+    return NS_ERROR_NOT_IMPLEMENTED;
+  }
+
+  aAddress = aPrefix;
+  aAddress.Append('-');
+
+  while (aPostfixLength) {
+
+    // Android doesn't provide rand_r, so we use nrand48 here,
+    // even though it's deprecated.
+    long value = nrand48(seed);
+
+    size_t bits = sizeof(value) * CHAR_BIT;
+
+    while ((bits > 4) && aPostfixLength) {
+      aAddress.Append(sHexChar[value&0xf]);
+      bits -= 4;
+      value >>= 4;
+      --aPostfixLength;
+    }
+  }
+
+  return NS_OK;
+}
+
 /*
 * The init procedure consists of several steps.
 *
@ -2103,9 +2148,11 @@ BluetoothDaemonInterface::Init(
  BluetoothResultHandler* aRes)
 {
  static const char BASE_SOCKET_NAME[] = "bluetoothd";
+  static unsigned long POSTFIX_LENGTH = 16;

-  // If we could not cleanup before and an old instance of the
-  // daemon is still running, we kill it here.
+  // If we could not cleanup properly before and an old
+  // instance of the daemon is still running, we kill it
+  // here.
  unused << NS_WARN_IF(property_set("ctl.stop", "bluetoothd"));

  sNotificationHandler = aNotificationHandler;
@ -2130,9 +2177,21 @@ BluetoothDaemonInterface::Init(
    mCmdChannel->CloseSocket();
  }

+  // The listen socket's name is generated with a random postfix. This
+  // avoids naming collisions if we still have a listen socket from a
+  // previously failed cleanup. It also makes it hard for malicious
+  // external programs to capture the socket name or connect before
+  // the daemon can do so. If no random postfix can be generated, we
+  // simply use the base name as-is.
+  nsresult rv = CreateRandomAddressString(NS_LITERAL_CSTRING(BASE_SOCKET_NAME),
+                                          POSTFIX_LENGTH,
+                                          mListenSocketName);
+  if (NS_FAILED(rv)) {
+    mListenSocketName = BASE_SOCKET_NAME;
+  }
+
  bool success = mListenSocket->Listen(
-    new BluetoothDaemonSocketConnector(NS_LITERAL_CSTRING(BASE_SOCKET_NAME)),
-    mCmdChannel);
+    new BluetoothDaemonSocketConnector(mListenSocketName), mCmdChannel);
  if (!success) {
    OnConnectError(CMD_CHANNEL);
    return;
--- a/dom/bluetooth2/bluedroid/BluetoothDaemonInterface.h
+++ b/dom/bluetooth2/bluedroid/BluetoothDaemonInterface.h
@ -108,22 +108,27 @@ public:

 protected:
  enum Channel {
+    LISTEN_SOCKET,
    CMD_CHANNEL,
    NTF_CHANNEL
  };

-  BluetoothDaemonInterface(BluetoothDaemonChannel* aCmdChannel,
-                           BluetoothDaemonChannel* aNtfChannel,
-                           BluetoothDaemonProtocol* aProtocol);
+  BluetoothDaemonInterface();
  ~BluetoothDaemonInterface();

  void OnConnectSuccess(enum Channel aChannel);
  void OnConnectError(enum Channel aChannel);
  void OnDisconnect(enum Channel aChannel);

+  nsresult CreateRandomAddressString(const nsACString& aPrefix,
+                                     unsigned long aPostfixLength,
+                                     nsACString& aAddress);
+
 private:
  void DispatchError(BluetoothResultHandler* aRes, BluetoothStatus aStatus);

+  nsCString mListenSocketName;
+  nsRefPtr<BluetoothDaemonListenSocket> mListenSocket;
  nsRefPtr<BluetoothDaemonChannel> mCmdChannel;
  nsRefPtr<BluetoothDaemonChannel> mNtfChannel;
  nsAutoPtr<BluetoothDaemonProtocol> mProtocol;