- May 18, 2023
Brian Delwiche authored
- May 16, 2023
Hui Peng authored
Bug: 280633699
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
Brian Delwiche authored
Local variables tracking structure size in build_read_multi_rsp are of uint16 type but accept a full uint16 range from function arguments while appending a fixed-length offset. This can lead to an integer overflow and unexpected behavior. Change the locals to size_t, and add a check during reassignment.

Bug: 273966636
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I3a74bdb0d003cb6bf4f282615be8c68836676715
(cherry picked from commit 70a4d628)
- May 15, 2023
Hui Peng authored
- May 12, 2023
Hui Peng authored
The tx mtu in EATT can be controlled by the remote device. With malicious mtu values, it is possible to trigger an integer overflow and OOB write at multiple places (see the bug below). This fix enforces a max tx mtu in EATT.

Bug: 271335899
Test: manual
Ignore-AOSP-First: security
Tag: #security
Merged-In: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31
Change-Id: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31
- May 10, 2023
Hui Peng authored
Bug: 278279023
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: I6727c9a071170baadb2292daa52f71190972ecca
- May 09, 2023
Treehugger Robot authored
- May 06, 2023
Hui Peng authored
- May 03, 2023
Hui Peng authored
Bug: 260726311
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: I199fdd0651ebc29f130ebb5f5fa07e13f22a7d37
- Apr 30, 2023
Hui Peng authored
tBTA_AV_CI_SETCONFIG is treated as tBTA_AV_STR_MSG in bta_av_setconfig_rej, resulting in OOB access.

Bug: 260230151
Test: manual
Ignore-AOSP-First: security
Tag: #security
Merged-In: I78a1ee50dea0113381e51f8521711d758dc759cf
Change-Id: I78a1ee50dea0113381e51f8521711d758dc759cf
- Apr 29, 2023
Hui Peng authored
Bug: 266433017
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: I4a8959ac6e5980a6c6d20edcf103482b9916656a
- Apr 25, 2023
Hui Peng authored
Merge "Fix a potential OOB in BleAdvertiserVscHciInterfaceImpl::VendorSpecificEventCback" into tm-dev
Hui Peng authored
Hui Peng authored
Hui Peng authored
Treehugger Robot authored
- Apr 18, 2023
Hui Peng authored
Plus move macros used in struct bt_oob_data_s to bluetooth.h

Bug: 274722185
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Ie12feb4090a1eb88f5c9e097546f55a076839fb0
Hui Peng authored
Bug: 276975913
Test: manual
Ignore-AOSP-First: security
Tag: security
Change-Id: I38353a573168e18f06b2b311e532a937044fd92f
Hui Peng authored
Bug: 274722163
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Ie4b30bbc19ba0bd191839af35880a4831d8005b1
- Apr 14, 2023
William Escande authored
Hui Peng authored
This CL fixes the following 3 bugs:
1. Integer underflow triggered by malicious MTU from peer device
2. Integer overflow caused by maliciously long item names
3. Bug caused by typo: item_len_left -> attribute_len_left

Bug: 242994452
Tag: #security
Ignore-AOSP-First: security
Test: manual
Change-Id: I0d2af48b7eb3469d9d1923910e4facc8f2cdbc95
- Apr 13, 2023
- Apr 04, 2023
Timothy Yiu authored
- Apr 03, 2023
Brian Delwiche authored
Brian Delwiche authored
- Mar 31, 2023
Brian Delwiche authored
- Mar 29, 2023
Brian Delwiche authored
btm_ble_periodic_av_sync_lost internally calls the function btm_ble_get_psync_index_from_handle, which polls the internal periodic sync buffer and returns a matching index if one exists. If no matching handle is found, it returns MAX_SYNC_TRANSACTION. However, here the calling function lacks the check for this case present in similar functions. If no handle is matched, it will attempt to index the buffer with MAX_SYNC_TRANSACTION, which will overrun it by a single width and lead to OOB access. Add handling for this case.

Bug: 273502002
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm, validated against researcher POC
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I2e1e95b277f81b2668f721a7693df50841968ec5
- Mar 28, 2023
tyiu authored
Added boundary check for gatt_end_operation to prevent writing out of boundary. Since response of the GATT server is handled in gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum length that can be passed into the handlers is bounded by GATT_MAX_MTU_SIZE, which is set to 517, which is greater than GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec that guarantees MTU response to be less than or equal to 512 bytes can cause a buffer overflow when performing memcpy without length check.

Bug: 261068592
Test: No test since not affecting behavior
Tag: #security
Ignore-AOSP-First: security
Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
- Mar 24, 2023
Hui Peng authored
Fix to the regression reported in b/264708304 and b/266585826 added: The root cause of the regression, the sensor HAL layer expects the HID feature reports to contain 40 bytes, even fewer bytes are contained in the data field. This updated fix restores the length of data fields with the len arg.

Bug: 259675705
Test: manual verification with a Pixel 6 and LinkBuds
Ignore-AOSP-First: security
Tag: security
Change-Id: I02f16c360965b049fc6c8fdfa0132b7aa54bc1d3
- Mar 21, 2023
Brian Delwiche authored
This reverts commit e6cf2700.

Reason for revert: Reinstate original change for QPR

Change-Id: I3e039f1b8f8ffbcc4875b663d417462451fb76a0
- Mar 13, 2023
Brian Delwiche authored
- Mar 11, 2023
Brian Delwiche authored
This reverts commit 367ed057.

Reason for revert: Reverting from May QPR, will reinstate unchanged for a later release

Change-Id: I36ae57ec7e81ac0357fa1c6fb98dff219ee6dade
- Mar 06, 2023
Brian Delwiche authored
- Feb 16, 2023
Brian Delwiche authored
Structure length is checked in pan_api.cc after the structure may be freed, leading to a potential use after free. Save the buffer length to a local instead. Note that BNEP_WriteBuf may alter the length being written internally; this does not appear to be an issue in this use case because the octet count being tracked is used only for logging purposes within PAN.

Bug: 259939435
Test: atest bluetooth_test_gd_unit, validate against researcher POC
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I613b3dd3684182bdc725f9e1512061484448d367
- Feb 15, 2023
Brian Delwiche authored
sdpu_build_uuid_seq accepts a UUID sequence of arbitrary length but does not validate against the boundaries of the buffer it's filling. This can lead to an OOB write. Add validation.

Bug: 239414876
Test: atest: bluetooth, validated against POC
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I6c0b91428bd37d73ae707b8a1843338998fb9562
- Feb 09, 2023
Hui Peng authored
- Feb 07, 2023
Hui Peng authored
Hui Peng authored
Brian Delwiche authored
For NCIS certification, we need to drop the connection or reestablish encryption after receiving a command to disable link layer encryption on an encrypted link. However, dropping the connection for all devices breaks compatibility during role switch with devices running Bluetooth 2.1 or earlier, a category including many cars still in the field. Add a check forcing connections to drop in this case, conditioned on Common Criteria mode.

Bug: 251436534
Test: atest: bluetooth, lab validation forthcoming
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I94654ebeb16774643107ee41473725cfae3764ab
Hui Peng authored