  1. Jul 10, 2024
    •
      Disallow connect with key length downgrade · 024980ba
      Brian Delwiche authored
      As a guard against the BLUFFS attack, check security parameters of
      incoming connections against cached values and disallow connection if
      these parameters are downgraded or changed from their cached values.
      
      This CL adds the connection-time check for session key length.
      
      To test, please validate that bonding can be established and
      reestablished against devices with session key lengths of 7 and 16 bits,
      that session key lengths of less than 7 bits are refused, and that basic
      LE bonding functionality still works.  If it is possible to configure a
      remote device to establish a bond with a session key length of 16 bits
      and then reduce that key length to <16 bits before reconnection, this
      should fail.
      
      Bug: 314331379
      Test: m libbluetooth
      Test: manual
      
      Tag: #security
      Ignore-AOSP-First: Security
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6e9fdf182afb57cecac6c56603aa20d758090a4)
      Merged-In: I27be1f93598820a0f2a7154ba83f5b041878c21f
      Change-Id: I27be1f93598820a0f2a7154ba83f5b041878c21f
    •
      Disallow connect with Secure Connections downgrade · b5155f05
      Brian Delwiche authored
      As a guard against the BLUFFS attack, check security parameters of
      incoming connections against cached values and disallow connection if
      these parameters are downgraded or changed from their cached values.
      
      This CL adds the connection-time check for Secure Connections mode.
      
      Bug: 314331379
      Test: m libbluetooth
      Test: manual
      
      To test this CL, please ensure that BR/EDR initial connections and reconnections (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types.  Basic validation of LE bonding functionality should be done as well.
      
      Tag: #security
      Ignore-AOSP-First: Security
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20fdd9b3225a6084f6b666172817fe0a89f0679)
      Merged-In: I9130476600d31b59608e0e419b5136d255174265
      Change-Id: I9130476600d31b59608e0e419b5136d255174265
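The two commits above describe the same defensive pattern: cache the security parameters seen when a bond is established and refuse a later connection that weakens them. The following is an added illustration in Python, not code from libbluetooth or from these CLs; the `DowngradeGuard` class, the address-keyed cache and the treatment of the minimum of 7 as a plain integer floor are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical floor for the negotiated encryption key size. The commit
# message states a minimum of 7; anything below it is refused outright.
MIN_KEY_LENGTH = 7


@dataclass(frozen=True)
class LinkSecurity:
    """Security parameters negotiated for one BR/EDR link (constructed model)."""
    key_length: int            # negotiated encryption key size
    secure_connections: bool   # whether the link used Secure Connections mode


class DowngradeGuard:
    """Hypothetical model of the guard: remember the parameters seen when a
    bond was established and refuse later connections that weaken them."""

    def __init__(self) -> None:
        self._cache: Dict[str, LinkSecurity] = {}

    def record_bond(self, addr: str, params: LinkSecurity) -> None:
        """Called once bonding succeeds; caches the parameters for addr."""
        self._cache[addr] = params

    def check_connection(self, addr: str, incoming: LinkSecurity) -> Tuple[bool, str]:
        """Connection-time check. Returns (allowed, reason)."""
        if incoming.key_length < MIN_KEY_LENGTH:
            return False, "key length below minimum"
        cached: Optional[LinkSecurity] = self._cache.get(addr)
        if cached is None:
            # No bond on record for this peer: nothing to compare against yet.
            return True, "no cached parameters"
        if incoming.key_length < cached.key_length:
            return False, "key length downgraded from cached value"
        if incoming.secure_connections != cached.secure_connections:
            return False, "Secure Connections mode changed from cached value"
        return True, "parameters match cached values"
```

A refusal here is the detection point: logging the peer address and the reason string gives the operator a record of the attempted downgrade.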
  2. Jun 06, 2024
    •
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/27235141',... · eb0fb004
      Android Build Coastguard Worker authored
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/27235141', 'googleplex-android-review.googlesource.com/27051267'] into security-aosp-udc-release.
      
      Change-Id: I6ef70460b77304d0ab73c5f31a3404e18ee07c14
    •
      Fix heap-buffer overflow in sdp_utils.cc · 6afad4b3
      Brian Delwiche authored
      Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with
      an out of bounds comparison.  Although the bug claims this is due to a
      comparison of a uuid with a smaller data field than the discovery
      attribute, my research suggests that this instead stems from a
      comparison of a 128 bit UUID with a discovery attribute of some other,
      invalid size.
      
      Add checks for discovery attribute size.
      
      Bug: 287184435
      Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
      Tag: #security
      Ignore-AOSP-First: Security
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bbdb139bf91dca86c72c33a74c0e3407938c487)
      Merged-In: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
      Change-Id: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
    •
      Fix permission bypasses to multiple methods · b0e43755
      Brian Delwiche authored
      Researcher reports that some BT calls across Binder are validating only
      BT's own permissions and not the calling app's permissions.  On
      investigation this seems to be due to a missing null check in several BT
      permissions checks, which allows a malicious app to pass in a null
      AttributionSource and therefore produce a stub AttributionSource chain
      which does not properly check for the caller's permissions.
      
      Add null checks, and correct tests which assumed a null was a valid
      input.
      
      Bug: 242996380
      Test: atest UtilsTest
      Test: researcher POC
      Tag: #security
      Ignore-AOSP-First: Security
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fe72f931db2898eb51a44e3b1b424c6370e8ad8)
      Merged-In: I9bf6fac218dccc092debe0904e08eb23cc4583c0
      Change-Id: I9bf6fac218dccc092debe0904e08eb23cc4583c0
  3. May 08, 2024