Commits · 124d2f9f623184eef831c1de5028b327eba9c0ec · LMODroid / platform_packages_modules_Bluetooth

Mar 31, 2023

Merge "Fix OOB read in btm_ble_periodic_av_sync_lost" into tm-dev am: · 124d2f9f

Brian Delwiche authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22343125

Change-Id: Ib71e4715f6bf6c5f2c7954d06b1fd5e175df33b9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

124d2f9f

Merge "Fix OOB read in btm_ble_periodic_av_sync_lost" into tm-dev · fd1d5e71
Brian Delwiche authored 2 years ago

fd1d5e71

Mar 29, 2023

Fix OOB read in btm_ble_periodic_av_sync_lost · c077ffbe

Brian Delwiche authored 2 years ago

btm_ble_periodic_av_sync_lost internally calls the function
btm_ble_get_psync_index_from_handle, which polls the internal periodic
sync buffer and returns a matching index if one exists.  If no matching
handle is found, it returns MAX_SYNC_TRANSACTION.

However, here the calling function lacks the check for this case present
in similar functions.  If no handle is matched, it will attempt to index
the buffer with MAX_SYNC_TRANSACTION, which will overrun it by a single
width and lead to OOB access.

Add handling for this case.

Bug: 273502002
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm, validated
against researcher POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I2e1e95b277f81b2668f721a7693df50841968ec5

c077ffbe

Mar 24, 2023

Fix a OOB bug in bta_hh_co_get_rpt_rsp am: · 3c15759b

Hui Peng authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/21090924

Change-Id: Idfe58b567a3484ddcf8be45e1515b6349ed290f3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

3c15759b

Fix a OOB bug in bta_hh_co_get_rpt_rsp · f173fcb4

Hui Peng authored 2 years ago

Fix to the regression reported in b/264708304 and b/266585826 added:
The root cause of the regression, the sensor HAL layer expects the HID feature
reports to contain 40 bytes, even less bytes are contained in the data
field.

This updated fix restores the length of data fields with the len arg.

Bug: 259675705
Test: manual verification with a Pixel 6 and LinkBuds
Ignore-AOSP-First: security
Tag: security
Change-Id: I02f16c360965b049fc6c8fdfa0132b7aa54bc1d3

f173fcb4

Mar 13, 2023

Merge "Revert "Validate buffer length in sdpu_build_uuid_seq"" into tm-dev am: · 8c11dc05

Brian Delwiche authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/21967012

Change-Id: Id55eb2d40d023aa7d56c947cef8c94d6b754ce21
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

8c11dc05

Merge "Revert "Validate buffer length in sdpu_build_uuid_seq"" into tm-dev · b4a26774
Brian Delwiche authored 2 years ago

b4a26774

Mar 11, 2023

Revert "Validate buffer length in sdpu_build_uuid_seq" · e6cf2700

Brian Delwiche authored 2 years ago

This reverts commit 367ed057.

Reason for revert: Reverting from May QPR, will reinstate unchanged for a later release

Change-Id: I36ae57ec7e81ac0357fa1c6fb98dff219ee6dade

e6cf2700

Mar 06, 2023

Merge "Validate buffer length in sdpu_build_uuid_seq" into tm-dev am: · 5e12448d

Brian Delwiche authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/20729913

Change-Id: Ia86f50d44f1cb5ddac7b04220142e760fb73bf39
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

5e12448d

Merge "Validate buffer length in sdpu_build_uuid_seq" into tm-dev · d7786669
Brian Delwiche authored 2 years ago

d7786669

Feb 15, 2023

Validate buffer length in sdpu_build_uuid_seq · 367ed057

Brian Delwiche authored 2 years ago

sdpu_build_uuid_seq accepts a UUID sequence of arbitrary length
but does not validate against the boundaries of the buffer it's
filling.  This can lead to an OOB write.

Add validation.

Bug: 239414876
Test: atest: bluetooth, validated against POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I6c0b91428bd37d73ae707b8a1843338998fb9562

367ed057

Feb 09, 2023

Merge "Fix an OOB bug in gatt_dbg_op_name" into tm-dev am: · 35d290a9

Hui Peng authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/21047826

Change-Id: I2a66863b23eea5660bb6f561bb4c3271d6b57df5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

35d290a9

Merge "Fix an OOB bug in gatt_dbg_op_name" into tm-dev · c87c558f
Hui Peng authored 2 years ago

c87c558f

Feb 07, 2023

Merge "Fix a few bugs in btm_ble_batchscan_filter_track_adv_vse_cback" into tm-dev am: · 9a0637dc

Hui Peng authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/20846745

Change-Id: I7c632b3e3a8ca16594871c269aa07598a25f38da
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

9a0637dc

Merge "Fix an OOB bug in btm_acl_process_sca_cmpl_pkt" into tm-dev am: · fa2b7003

Hui Peng authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/21047823

Change-Id: I9081190a672336f2ea2fba94681d477682fb8850
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

fa2b7003

Merge "Fix a few bugs in btm_ble_batchscan_filter_track_adv_vse_cback" into tm-dev · aa366309
Hui Peng authored 2 years ago

aa366309
Merge "Fix an OOB bug in btm_acl_process_sca_cmpl_pkt" into tm-dev · 8b062828
Hui Peng authored 2 years ago

8b062828

Reject encryption drop in Common Criteria mode am: · 5f41286a

Brian Delwiche authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/20933644

Change-Id: I0576317ac705926573ad15ec0f9730d41f9b32f2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

5f41286a

Reject encryption drop in Common Criteria mode · 1ee290b8

Brian Delwiche authored 2 years ago

For NCIS certification, we need to drop the connection or
reestablish encryption after receiving a command to disable link
layer encryption on an encrypted link.  However, dropping the
connection for all devices breaks compatibility during role switch
with devices running Bluetooth 2.1 or earlier, a category including
many cars still in the field.

Add a check forcing connections to drop in this case, conditioned on
Common Criteria mode..

Bug: 251436534
Test: atest: bluetooth, lab validation forthcoming
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I94654ebeb16774643107ee41473725cfae3764ab

1ee290b8

Merge "Fix an OOB bug in btm_ble_ltk_request" into tm-dev am: · 70331592

Hui Peng authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/21047829

Change-Id: I937c885bd669dbb5644d793dc50f49b0ec87c206
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

70331592

Merge "Fix an OOB bug in remove_sdp_record" into tm-dev am: · ae197828

Hui Peng authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/20992904

Change-Id: Ife06cd167ad2dd23a33ed456c4a03e6240a5d917
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

ae197828

Merge "Fix an OOB bug in btm_ble_ltk_request" into tm-dev · 9e1c9629
Hui Peng authored 2 years ago

9e1c9629
Merge "Fix an OOB bug in remove_sdp_record" into tm-dev · 65930cfb
Hui Peng authored 2 years ago

65930cfb

Merge "Fix an OOB bug in btm_ble_periodic_adv_sync_tx_rcvd" into tm-dev am: · 884eaa5a

Hui Peng authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/21047825

Change-Id: Ib7c87f6349bbb0c7f7353eb438a3467394f26a97
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

884eaa5a

Merge "Fix an OOB bug in btm_ble_periodic_adv_sync_tx_rcvd" into tm-dev · 5d3fdb27
Hui Peng authored 2 years ago

5d3fdb27

Merge "Fix an OOB bug in on_remove_iso_data_path" into tm-dev am: · 7c4bb1a3

Hui Peng authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/21148481

Change-Id: I468d55cdbc419d0b5ddde62d5b8750bacf90f3b2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

7c4bb1a3

Fix a few bugs in btm_ble_batchscan_filter_track_adv_vse_cback · c5e898d3

Hui Peng authored 2 years ago

Bug: 261857395
Test: manual
Tag: #security
Ignore-AOSP-First: security
Change-Id: I1ba4d1f1e62b1d77ac635cfb6b16cf175bfbf254

c5e898d3

Merge "Fix an OOB bug in on_remove_iso_data_path" into tm-dev · b8354c4e
Hui Peng authored 2 years ago

b8354c4e

Fix an OOB bug in btm_ble_ltk_request · 47cd3886

Hui Peng authored 2 years ago

Bug: 254445961
Test: manual
Ignore-AOSP-First: security
Change-Id: I1d3c208a5281b88ed25c0028f1a0000d6957637c

47cd3886

Feb 06, 2023

Merge "Fix a nullptr-deref in on_create_record_event" into tm-dev am: · cd4ea903

Hui Peng authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/20965587

Change-Id: Iffd6df75d9257e09f9ed44035950cefc82f3fa81
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

cd4ea903

Merge "Fix a nullptr-deref in on_create_record_event" into tm-dev · 334a5b3d
Hui Peng authored 2 years ago

334a5b3d

Merge "Fix an OOB bug in register_notification_rsp" into tm-dev am: · 80f137fa

Hui Peng authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/20995769

Change-Id: I3d1aae4eba2a0e08733ed5671d1413dab0cf997f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

80f137fa

Merge "Fix an OOB bug in register_notification_rsp" into tm-dev · e2418045
Hui Peng authored 2 years ago

e2418045

Fix an OOB bug in remove_sdp_record · b9a94d52

Hui Peng authored 2 years ago

Bug: 245517503
Test: manual
Ignore-AOSP-First: security
Change-Id: If768b0b2e11bbc4444835fda28e246e285a7e8ab

b9a94d52

Fix an OOB bug in btm_acl_process_sca_cmpl_pkt · 4b008a2a

Hui Peng authored 2 years ago

Bug: 251427561
Test: manual
Ignore-AOSP-First: security

Change-Id: I2db2339631d521515cb34536e358ae72ebeaaa8b

4b008a2a

Fix an OOB bug in btm_ble_periodic_adv_sync_tx_rcvd · a24402da

Hui Peng authored 2 years ago

Bug: 233879420
Test: manual
Ignore-AOSP-First: security
Change-Id: Ic740e5ff3ceabf3df1e78431f7d31adf356479f0

a24402da

Jan 31, 2023

Fix an OOB bug in on_remove_iso_data_path · 1a8a5ece

Hui Peng authored 2 years ago

Bug: 236688764
Test: manul
Ignore-AOSP-First: security
Tag: #security
Change-Id: I0ef4855e715be8fa9a69916e35d3a6c97498a9cc

1a8a5ece

Jan 26, 2023

Merge "Revert "Fix an OOB bug in bta_hh_co_get_rpt_rsp"" into tm-dev am: · 6be4b6ad

David Duarte authored 2 years ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/21101261

Change-Id: Ie2c9dd674202a7f2d9fd73b3fc7487815735ebaf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

6be4b6ad

Jan 25, 2023
- Merge "Revert "Fix an OOB bug in bta_hh_co_get_rpt_rsp"" into tm-dev · f9f1695e
  David Duarte authored 2 years ago
  
  f9f1695e
- Revert "Fix an OOB bug in bta_hh_co_get_rpt_rsp" · 2506a98f
  Hui Peng authored 2 years ago
  
  This reverts commit d2e67f50. Reason for revert: regression caused in 266585826 Change-Id: I86a5bb0b96332880a2a173ad57b96fb007e3ea83
  2506a98f