bluetooth always in discoverable mode (security issue)

Description of problem:

Bluetooth is always discoverable; when pairing a new device on my phone, I noticed my laptop, but I did not have the GNOME Bluetooth settings open at the time.

Version-Release number of selected component (if applicable):

3.28.0-1.fc28

How reproducible:

Always

Steps to Reproduce:
1. Boot up, log in
2. Scan for bluetooth devices with a separate computer

Actual results:

Machine name is displayed on phone

Expected results:

Machine name should not be displayed (should not be discoverable)

Additional info:

I can turn off discoverability from a term using bluetoothctl.

It seems that opening the Bluetooth settings will make the device discoverable again, but does not make the device undiscoverable after the settings are closed (this is not intended behavior; devices should only be discoverable when the bluetooth settings UI is open).

(In reply to Benjamin Kreuter from comment #0)
> It seems that opening the Bluetooth settings will make the device
> discoverable again, but does not make the device undiscoverable after the
> settings are closed (this is not intended behavior; devices should only be
> discoverable when the bluetooth settings UI is open).

It does turn it off. Except that bluetoothd and/or the kernel will fail to make it undiscoverable.

Sender ":1.13387" is the Bluetooth settings. See how it requests for "Discoverable" to be switched off, receives a response to the call saying that Discoverable is now off, but receives a signal that Discoverable changed back to "on" after a short time.

This is a dbus-monitor capture on exit:
method call time=1531995892.499232 sender=:1.13387 -> destination=:1.4 serial=94 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=Set
   string "org.bluez.Adapter1"
   string "Discoverable"
   variant boolean false
method call time=1531995892.499459 sender=:1.13387 -> destination=:1.4 serial=95 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=Set
   string "org.bluez.Adapter1"
   string "DiscoverableTimeout"
   variant uint32 0
method call time=1531995892.499485 sender=:1.13387 -> destination=org.freedesktop.DBus serial=96 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=RemoveMatch
   string "type='signal',sender=':1.4'"
method call time=1531995892.499556 sender=:1.13387 -> destination=org.freedesktop.DBus serial=97 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=RemoveMatch
   string "type='signal',sender='org.freedesktop.DBus',interface='org.freedesktop.DBus',member='NameOwnerChanged',path='/org/freedesktop/DBus',arg0='org.bluez'"
method return time=1531995892.499563 sender=org.freedesktop.DBus -> destination=:1.13387 serial=69 reply_serial=97
method call time=1531995892.499610 sender=:1.13387 -> destination=org.freedesktop.DBus serial=98 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=RemoveMatch
   string "type='signal',sender='org.bluez',interface='org.freedesktop.DBus.ObjectManager',path='/'"
method return time=1531995892.499616 sender=org.freedesktop.DBus -> destination=:1.13387 serial=70 reply_serial=98
method return time=1531995892.499665 sender=:1.4 -> destination=:1.13387 serial=379 reply_serial=95
signal time=1531995892.523461 sender=:1.4 -> destination=(null destination) serial=380 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=PropertiesChanged
   string "org.bluez.Adapter1"
   array [
      dict entry(
         string "DiscoverableTimeout"
         variant uint32 0
      )
   ]
   array [
   ]
method return time=1531995892.523489 sender=:1.4 -> destination=:1.13387 serial=381 reply_serial=94
signal time=1531995892.533281 sender=:1.4 -> destination=(null destination) serial=382 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=PropertiesChanged
   string "org.bluez.Adapter1"
   array [
      dict entry(
         string "Discoverable"
         variant boolean false
      )
   ]
   array [
   ]
signal time=1531995892.551915 sender=:1....

Making this call, without waiting for the reply, always fails:
dbus-send --system --dest=org.bluez /org/bluez/hci0 org.freedesktop.DBus.Properties.Set string:org.bluez.Adapter1 string:Discoverable variant:boolean:false ; dbus-send --system --dest=org.bluez /org/bluez/hci0 org.freedesktop.DBus.Properties.Set string:org.bluez.Adapter1 string:DiscoverableTimeout variant:uint32:0

The same call with the --print-reply argument to dbus-send will however work. I think bluez might be ignoring the calls if the caller is going to disappear.

I monitored the state of "Discoverable" and "DiscoverableTimeout" using bluetoothctl, after setting Discoverable to on.

The D-Bus end-points for those 2 properties are:
property_set_discoverable and property_set_discoverable_timeout
in src/adapter.c

bluetoothd, to change those properties, calls out asynchronously to the kernel:
property_set_mode -> async stuff -> property_set_mode_complete -> new_settings_callback() sets adapter->current_settings

And to those used to async programming, the problem should be obvious. In
property_set_discoverable_timeout():
        if (adapter->current_settings & MGMT_SETTING_DISCOVERABLE)
                set_discoverable(adapter, 0x01, adapter->discoverable_timeout);

So if a discoverable setting is pending, adapter->current_settings isn't set to the new value, and discoverable is *reset* to on.

This is a definite bug in bluez, though work-aroundable in gnome-bluetooth.

Worked-around in gnome-bluetooth 3.28:
https://gitlab.gnome.org/GNOME/gnome-bluetooth/commit/6b5086d42ea64d46277f3c93b43984f331d12f89

The problem would not occur in 3.26 as D-Bus calls were synchronous, and we would DiscoverableTimeout if Discoverable was set:
https://gitlab.gnome.org/GNOME/gnome-bluetooth/blob/gnome-3-26/lib/bluetooth-client.c#L1118

(In reply to Bastien Nocera from comment #4)
> The problem would not occur in 3.26 as D-Bus calls were synchronous, and we
> would DiscoverableTimeout if Discoverable was set:

we would "not set" DiscoverableTimeout if...

Upstream patches to avoid the race mentioned earlier:
https://marc.info/?l=linux-bluetooth&m=153251404332012&w=2
https://marc.info/?l=linux-bluetooth&m=153251404332014&w=2
https://marc.info/?l=linux-bluetooth&m=153251404332015&w=2
https://marc.info/?l=linux-bluetooth&m=153251404532016&w=2

And this set:
https://marc.info/?l=linux-bluetooth&m=153261464929156&w=2
https://marc.info/?l=linux-bluetooth&m=153261465129157&w=2
https://marc.info/?l=linux-bluetooth&m=153261465229159&w=2
https://marc.info/?l=linux-bluetooth&m=153261465329160&w=2
https://marc.info/?l=linux-bluetooth&m=153261465529161&w=2
when used, should completely avoid the Discoverable state being on when the Settings are closed.

(In reply to Bastien Nocera from comment #7)
> And this set:
> https://marc.info/?l=linux-bluetooth&m=153261464929156&w=2
> https://marc.info/?l=linux-bluetooth&m=153261465129157&w=2
> https://marc.info/?l=linux-bluetooth&m=153261465229159&w=2
> https://marc.info/?l=linux-bluetooth&m=153261465329160&w=2
> https://marc.info/?l=linux-bluetooth&m=153261465529161&w=2
> when used, should completely avoid the Discoverable state being on when the
> Settings are closed.

The gnome-bluetooth patches to use this new functionality, when available:
https://gitlab.gnome.org/GNOME/gnome-bluetooth/merge_requests/1

This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 28 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.