As a guard against the BLUFFS attack, check security parameters of
incoming connections against cached values and disallow connection if
these parameters are downgraded or changed from their cached values.

This CL adds the connection-time check for session key length.

To test, please validate that bonding can be established and
reestablished against devices with session key lengths of 7 and 16 bits,
that session key lengths of less than 7 bits are refused, and that basic
LE bonding functionality still works.  If it is possible to configure a
remote device to establish a bond with a session key length of 16 bits
and then reduce that key length to <16 bits before reconnection, this
should fail.

Bug: 314331379
Test: m libbluetooth
Test: manual

Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6e9fdf182afb57cecac6c56603aa20d758090a4)
Merged-In: I27be1f93598820a0f2a7154ba83f5b041878c21f
Change-Id: I27be1f93598820a0f2a7154ba83f5b041878c21f

As a guard against the BLUFFS attack, check security parameters of
incoming connections against cached values and disallow connection if
these parameters are downgraded or changed from their cached values.

This CL adds the connection-time check for Secure Connections mode.

Bug: 314331379
Test: m libbluetooth
Test: manual

To test this CL, please ensure that BR/EDR initial connections and reconnections  (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types.  Basic validation of LE bonding functionality should be done as well.

Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20fdd9b3225a6084f6b666172817fe0a89f0679)
Merged-In: I9130476600d31b59608e0e419b5136d255174265
Change-Id: I9130476600d31b59608e0e419b5136d255174265

Merge cherrypicks of ['googleplex-android-review.googlesource.com/27235141', 'googleplex-android-review.googlesource.com/27051267'] into security-aosp-udc-release.

Change-Id: I6ef70460b77304d0ab73c5f31a3404e18ee07c14

Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with
an out of bounds comparison.  Although the bug claims this is due to a
comparison of a uuid with a smaller data field thana the discovery
attribute, my research suggests that this instead stems from a
comparison of a 128 bit UUID with a discovery attribute of some other,
invalid size.

Add checks for discovery attribute size.

Bug: 287184435
Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bbdb139bf91dca86c72c33a74c0e3407938c487)
Merged-In: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
Change-Id: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43

Researcher reports that some BT calls across Binder are validating only
BT's own permissions and not the calling app's permissions.  On
investigation this seems to be due to a missing null check in several BT
permissions checks, which allows a malicious app to pass in a null
AttributionSource and therefore produce a stub AttributionSource chain
which does not properly check for the caller's permissions.

Add null checks, and correct tests which assumed a null was a valid
input.

Bug: 242996380
Test: atest UtilsTest
Test: researcher POC
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fe72f931db2898eb51a44e3b1b424c6370e8ad8)
Merged-In: I9bf6fac218dccc092debe0904e08eb23cc4583c0
Change-Id: I9bf6fac218dccc092debe0904e08eb23cc4583c0

Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059478'] into security-aosp-udc-release.

Change-Id: I50e49019ee1d81ffd6ae65779041ff31dca091fa

When pairing with BLE legacy pairing initiated
from remote, authentication can be bypassed.
This change fixes it.

Bug: 251514170
Test: m com.android.btservices
Test: manual run against PoC
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:25a3fcd487c799d5d9029b8646159a0b10143d97)
Merged-In: I369a8fdd675eca731a7a488ed6a2be645058b795
Change-Id: I369a8fdd675eca731a7a488ed6a2be645058b795

Merge cherrypicks of ['googleplex-android-review.googlesource.com/25492676', 'googleplex-android-review.googlesource.com/25494184', 'googleplex-android-review.googlesource.com/25558746', 'googleplex-android-review.googlesource.com/25676552', 'googleplex-android-review.googlesource.com/25842635'] into security-aosp-udc-release.

Change-Id: I3c7290634fa0bc694439587c63426ad43356e689

Bug: 318374503
Test: m com.android.btservices | manual test against PoC | QA
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62944f39f502b28687a5142ec2d77585525591bc)
Merged-In: I48df2c2d77810077e97d4131540277273d441998
Change-Id: I48df2c2d77810077e97d4131540277273d441998

Bug: 295887535
Bug: 315127634
Test: m com.android.btservices
Test: atest net_test_stack_gatt
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ae5e736813bf2928bfc8c71e3dacf3b78394046)
Merged-In: I291fd665a68d90813b8c21c80d23cc438f84f285
Change-Id: I291fd665a68d90813b8c21c80d23cc438f84f285

This reverts commit a0d4425c.

Reason for revert: LE Device name is incorrect after the change. See b/315127634
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6dbe94fe556ef67f3bbb7d7bb2da3320d68619df)
Merged-In: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
Change-Id: I93906e7ab768b4015fe3491e171fdb0ec8cf3077

Bug: 295887535
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b927f3fb660dafaf97b2fa0398353a8c39125efc)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a0d4425c3964f99f589d449deed2f1bbe520218c)
Merged-In: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
Change-Id: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48

Bug: 300903400
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20a759c149b739f8dfc3790287ad1b954115c18)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a4704e7519d0a02c1caf8b4d8ed874bc201a4b91)
Merged-In: I400cfa3523c6d8b25c233205748c2db5dc803d1d
Change-Id: I400cfa3523c6d8b25c233205748c2db5dc803d1d

Merge cherrypicks of ['googleplex-android-review.googlesource.com/25558746'] into security-aosp-udc-release.

Change-Id: Ib14b601ff6de57765d2ee683c50df91d2a58b74b

This reverts commit a0d4425c.

Reason for revert: LE Device name is incorrect after the change. See b/315127634
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6dbe94fe556ef67f3bbb7d7bb2da3320d68619df)
Merged-In: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
Change-Id: I93906e7ab768b4015fe3491e171fdb0ec8cf3077

Merge cherrypicks of ['googleplex-android-review.googlesource.com/22948134', 'googleplex-android-review.googlesource.com/25503067', 'googleplex-android-review.googlesource.com/25494184'] into security-aosp-udc-release.

Change-Id: I896d7ddea13a7a81007ed89495021c61be809d18

Bug: 295887535
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b927f3fb660dafaf97b2fa0398353a8c39125efc)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a0d4425c3964f99f589d449deed2f1bbe520218c)
Merged-In: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
Change-Id: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48

Bug: 297524203
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140c41e3553bc59fe97e3f5ee96c64e2251971e2)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e9b40c3dfd81c3fa99b3f115135de7e2c356ece9)
Merged-In: I2a95bbcce9a16ac84dd714eb4561428711a9872e
Change-Id: I2a95bbcce9a16ac84dd714eb4561428711a9872e

1. The size of `p_src->attr_value.value` is dependent on
   `p_src->attr_value.len`. While copying `p_src->attr_value.value`,
   to `p_dest->attr_value.value`, it always copies GATT_MAX_ATTR_LEN
   bytes, it may result in OOB read in `p_src->attr_value.value`;

2. As the `p_dest->attr_value.len` does not map the length of
   `p_dest->attr_value.value`, it may result in OOB read in
   attp_build_value_cmd;

Bug: 276898739
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59c9e84bd31d4935a875d588bf4d2cc5bfb07d59)
Merged-In: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
Change-Id: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368

Merge cherrypicks of ['googleplex-android-review.googlesource.com/23398897'] into security-aosp-udc-release.

Change-Id: Ib6e9ccf6442e64b3b341fb22bc61b192c25755ba

Some HCI BLE events are missing bounds checks, leading to possible OOB
access.  Add the appropriate bounds checks on the packets.

Bug: 279169188
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:66e2be0585514de92e8a31df09ab31528fd67e20)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d1a3febede9f835797cf5feff978a9f007f2593)
Merged-In: If7752f6edd749d6d5a4bb957b4824c22b5602737
Change-Id: If7752f6edd749d6d5a4bb957b4824c22b5602737

Merge cherrypicks of ['googleplex-android-review.googlesource.com/22932491', 'googleplex-android-review.googlesource.com/22919959', 'googleplex-android-review.googlesource.com/24737769', 'googleplex-android-review.googlesource.com/24737770', 'googleplex-android-review.googlesource.com/24668801', 'googleplex-android-review.googlesource.com/24704938', 'googleplex-android-review.googlesource.com/24706103', 'googleplex-android-review.googlesource.com/23353294', 'googleplex-android-review.googlesource.com/24234506', 'googleplex-android-review.googlesource.com/24994487', 'googleplex-android-review.googlesource.com/25011463', 'googleplex-android-review.googlesource.com/25012272', 'googleplex-android-review.googlesource.com/25020212'] into security-aosp-udc-release.

Change-Id: I49f857cdecf0f62cbf39b33d81de00d631d4b70f

BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
to be deduced through a side-channel attack.

Change to CRYPTO_memcmp, which is hardened against this attack, to
eliminate this attack.

Bug: 274478807
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 7a960ac1)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d011f54d04e7ff732d4dc467079574b4e1c7b72d)
Merged-In: Iddeff055d9064f51a1e0cfb851d8b74135a714c2
Change-Id: Iddeff055d9064f51a1e0cfb851d8b74135a714c2

Bug: 277590580
bug: 275553827
Test: atest net_test_main_shim
Ignore-AOSP-First: security
Tag: #security
(cherry picked from commit 0d7e3d8f)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:462fc9465fafce4a055d0dadb451b3d71bf05289)
Merged-In: I7fcb7c46f668f48560a72399a3c5087c6da3827f
Change-Id: I7fcb7c46f668f48560a72399a3c5087c6da3827f

This change is intended to be used to factor out
dup code for parsing GapData in StartAdvertisingSet
and make it easier to be tested.

Backport of Ia39886c415218353b6f9d59d7d3f6d1160477d6c

Bug: 296291440
Test: atest net_test_main_shim
(cherry picked from commit 08690d66)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cfc86f8d13d6e5585f2b535bf5225000c6ceaf8e)
Merged-In: Ia39886c415218353b6f9d59d7d3f6d1160477d6c
Change-Id: Ia39886c415218353b6f9d59d7d3f6d1160477d6c

[conflict] Merge "Add bounds checks in btif_avrcp_audio_track.cc" into tm-dev am: 0b68bd68 am: 52d169b1

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/23356997



Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3d7c7f4c2c514b6a62f827615cb75ba61319b115)
Merged-In: I0389f56ae210b4976821e0ceeb21a7a0c2965a62
Change-Id: I0389f56ae210b4976821e0ceeb21a7a0c2965a62

com_android_bluetooth_btservice_AdapterService does not null its local
JNI environment variable after detaching the thread (which frees the
environment context), allowing UAF under certain conditions.

Null the variable in this case.

Testing here was done through a custom unit test; see patchsets 4-6 for
contents.  However, unit testing of the JNI layer is problematic in
production, so that part of the patch is omitted for final merge.

Bug: 291500341
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7a5c71c32d382c0e14083f0d093ae4f5420968ff)
Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030
Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030

a2dp_vendor_opus_decoder_decode_packet calls opus_decode() to decode
frames.  If initial decoding fails, it retries with a different set of
parameters; however, no further checks are included after the retry, and
the return value is then used to generate frame size.  If the retry
fails, the return value will be negative, which when converted to
unsigned to scale the frame buffer will lead to an enormous size which
easily overflows the frame buffer.

Add a check for this case.

Bug: 275626001
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7b6e560eda0e43dcac6ca8298fe01ee0762f508)
Merged-In: Ie8ec891bf5e2537eeee9272f550ae23f8797a878
Change-Id: Ie8ec891bf5e2537eeee9272f550ae23f8797a878

Original bug
Bug: 294854926

regressions:
Bug: 299570702
Bug: 299561281

Test: m com.android.btservices
Test: QA validation
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7db69a79091ec0199ddbac2a7b8cf1e0b57631d9)
Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa
Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa

Original bug
Bug: 294854926

regressions:
Bug: 299570702

Test: Test: m com.android.btservices
Test: QA validation
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:916b6d3899908ed09f81be131e48933637e4c9ef)
Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4

Allow access to rfcomm PSM by default

Original bug
Bug: 294854926

Nearby regressions:
Bug: 298539299

Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c11c2a2bead295edf18cecf682255a498e84133a)
Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66

Reject access to service running on rfcomm

this is a backport of
I10fcc2dcd78fc22ffbe3c425669fc9889b94a166

Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:47e6e149f1d4dc557e10033ac9b147d24b37bea9)
Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166

Rejecct access to services running on l2cap

Backport of
Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3

Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1f08f638c91169df84a43b6cd4e04d1aa3a5d554)
Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3

Bug: 275057843
Bug: 275057678
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3bb913ee8c7da4602798db754045c0fac57afecf)
Merged-In: I4c8ec50c15e2727839a49da0e582164557bcd38a
Change-Id: I4c8ec50c15e2727839a49da0e582164557bcd38a

Bug: 275340684
Bug: 282234870
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f9059acdfed500ea5ff4b159795280d5fa2ecbf)
Merged-In: Ia8e9c3a3e534f419b6bd6c902a35d2caf4c7727b
Change-Id: Ia8e9c3a3e534f419b6bd6c902a35d2caf4c7727b

Change-Id: Ia92ddd808beafff9d375d6b7e400ed46ef204113

sdpu_build_uuid_seq accepts a UUID sequence of arbitrary length
but does not validate against the boundaries of the buffer it's
filling.  This can lead to an OOB write.

Add validation.

Bug: 239414876
Test: atest: bluetooth, validated against POC
Tag: #security
Ignore-AOSP-First: Security

(cherry picked from commit 367ed057)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7a62a311d1a0c229ba75529dbedcb47a7af18142)
Merged-In: Ibce32cc09ad2991789569f35ef2f71f90537fdce
Change-Id: Ibce32cc09ad2991789569f35ef2f71f90537fdce

Change-Id: I59465d02e61e1207eb4dc985fb96dbce1921311f

When p_buf->len is mtu - 1 and p_cmd->multi_req.variable_len
evaluates to true, integer underflow is triggered
in the following line, resulting OOB access.

```
 len = p_rsp->attr_value.len - (total_len - mtu);
```

Bug: 273874525
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f4d53c7bf90b806639a3a302f0007ffb3b9f23)
Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4

Change-Id: Ifbaf06c256fdf2147c4c829cf90e39bf4599516c