According to the PBAP specification,
The PSE user shall have to confirm at least the first Phone Book Access
Profile connection from each new PCE.

According to the MAP specification,
The MCE and MSE shall be bonded before setting up a Message Access Profile
connection.

Let's remove the permissions when the device is unbonded.

This is a backport of change ag/30386015 but requires minor changes to
logic.

Flag: EXEMPT, security fix
Bug: 289375038
Bug: 289811388
Test: atest BluetoothInstrumentationTests
Ignore-AOSP-First: security fix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:968d2a53399e7fba43b6f51b632fafddc7b99e09)
Merged-In: I8b9b29310db2d14e5dfaddc81a682366fbef42d3
Change-Id: I8b9b29310db2d14e5dfaddc81a682366fbef42d3

Bug: 296915500
Flag: EXEMPT trivial fix with complete testing coverage
Test: atest GoogleBluetoothInstrumentationTests:BluetoothOppSendFileInfoTest
Ignore-AOSP-First: fix for undisclosed vulnerability
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2c5add83a18d87ea4a46bc8ab7f675e32c8d6a56)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0de38e22f1771fde73340d7b209342751616fa0b)
Merged-In: I0b6423025c95c13eeea3cbf584212913b5fbf307
Change-Id: I0b6423025c95c13eeea3cbf584212913b5fbf307

Merge cherrypicks of ['googleplex-android-review.googlesource.com/29861874'] into security-aosp-udc-release.

Change-Id: Icbe27f40de59c90a5c5ba60371980a0ec043f31c

Fix for b/25992313 was landed correctly on main, but in older branches
SMP contains identical functions smp_proc_init and smp_proc_rand, both
of which exhibit the problem, and only the former of which was patched.
This allows the problem to still appear on branches from sc-dev to
udc-dev.

Add the logic to smp_proc_rand.

Bug: 251514170
Test: m com.android.btservices
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:16a745956dbaff2d37d0e7afdf662314ea379f29)
Merged-In: I51e99c18a322a29632a6cac09ddb2b07bea482fc
Change-Id: I51e99c18a322a29632a6cac09ddb2b07bea482fc

Merge cherrypicks of ['googleplex-android-review.googlesource.com/29693391'] into security-aosp-udc-release.

Change-Id: Ie8cbd82a476d027f634378fb3d9b15cd4991b5ca

At various points in gatt_sr.cc, the output of the
gatt_tcb_get_payload_size function is used without checking for a
positive length.  However, in exceptional cases it is possible for the
channel to be closed at the time the function is called, which will lead
to a zero length and cause an OOB write in subsequent processing.

Fix all of these.

Bug: 364026473
Bug: 364027038
Bug: 364027949
Bug: 364025411
Test: m libbluetooth
Test: researcher POC
Flag: EXEMPT trivial validity checks
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 7de5617f7d5266fe57c990c428621b5d4e92728a)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:130861eadc3d9eda593df949666e561dd1f020fc)
Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404

Merge cherrypicks of ['googleplex-android-review.googlesource.com/28504378', 'googleplex-android-review.googlesource.com/28904341', 'googleplex-android-review.googlesource.com/29360799'] into security-aosp-udc-release.

Change-Id: I05f33bd267e383619d7b8b337293357470041a1a

LE link must be encrypted immediately on connection if device are
already bonded.

This is a backport of ag/29056565, but the code needs to go in a
different location because that patch relies on recent feature work.

Ignore-AOSP-First: security
Test: mmm packages/modules/Bluetooth
Bug: 288144143
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0064c0b351fc0902ebbf7bff2e84ce888abb396e)
Merged-In: I7147c837ecab6c67943fc6fd78a9949f3381df62
Change-Id: I7147c837ecab6c67943fc6fd78a9949f3381df62

0 length value is perfectly fine, and should result in just length
added into the packet.
Currently, for 0 length value we just break out of loop, and don't add
any value.
This means, that if first characetristic in response had 0 length, we
would return empty packet.

Ignore-AOSP-First: security fix
Test: mma -j32;
Bug: 352696105
Bug: 356886209
Flag: exempt, obvious logic fix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ba907afffe1fdc00570f935ce3563d28ea45f5cd)
Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608

build_read_multi_rsp is missing a bounds check, which can lead to an
OOB write when the mtu parameter is set to zero.

Add that bounds check.

Bug: 323850943
Test: atest GattSrTest
Test: researcher POC
Tag: #security
Flag: EXEMPT trivial validity checks
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cad927034a371b82a4a07a16ec442eb261f6153f)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d5c170681e728ec3b72f6f0799207b2f7e5ea1d)
Merged-In: I18e4325dbc9d6814220332288c85b114d0415c2f
Change-Id: I18e4325dbc9d6814220332288c85b114d0415c2f

Merge cherrypicks of ['googleplex-android-review.googlesource.com/28501767'] into security-aosp-udc-release.

Change-Id: I48ecfe1977f7ac23447ceeab8be64437c6503aa2

HID profile accepted any new incoming HID connection. Even when the
connection policy disabled HID connection, remote devices could initiate
HID connection.
This change ensures that incoming HID connection are accepted only if
application was interested in that HID connection.
This vulnerarbility no longer exists on the main because of feature
request b/324093729.

Test: mmm packages/modules/Bluetooth
Test: Manual | Pair and connect a HID device, disable HID connection
from Bluetooth device setting, attempt to connect from the HID device.
Bug: 308429049
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bdd92020a9c14c3f541b39624c5b1e0af599acc5)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:358b66af175f423523c5d90bb8aea4b3eb084172)
Merged-In: Iba2ac3502bf1e6e4ac1f60ed64b1b074facd880b
Change-Id: Iba2ac3502bf1e6e4ac1f60ed64b1b074facd880b

Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059673', 'googleplex-android-review.googlesource.com/27059674', 'googleplex-android-review.googlesource.com/27695267'] into security-aosp-udc-release.

Change-Id: Ib319ba41488207f4afcb5365b129ebe44e3a8e4d

As a guard against the BLUFFS attack, we will need to check the security
parameters of incoming connections against cached values and disallow
connection if these parameters are downgraded or changed from their
cached values.

Future CLs will add checks during connection.  This CL adds the
functions that will be needed to perform those checks and the necessary
mocks.
Currently supported checks are : IO capabilities (must be an exact match),
Secure Connections capability (must not be a downgrade), and session key
length (must not be a downgrade).  Maximum session key length, which was
previously not cached, has been added to the device security manager
cache.

To QA: This CL is a logical no-op by itself.  Tests should be performed as described in ag/25815924 and ag/25815925/

Bug: 314331379
Test: m libbluetooth
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 3cf3d9d9)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c17811e6a2357eb34368a1a0a6ed5dec19d980ed)
Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f
Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f

As a guard against the BLUFFS attack, check security parameters of
incoming connections against cached values and disallow connection if
these parameters are downgraded or changed from their cached values.

This CL adds the connection-time check for session key length.

To test, please validate that bonding can be established and
reestablished against devices with session key lengths of 7 and 16 bits,
that session key lengths of less than 7 bits are refused, and that basic
LE bonding functionality still works.  If it is possible to configure a
remote device to establish a bond with a session key length of 16 bits
and then reduce that key length to <16 bits before reconnection, this
should fail.

Bug: 314331379
Test: m libbluetooth
Test: manual

Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6e9fdf182afb57cecac6c56603aa20d758090a4)
Merged-In: I27be1f93598820a0f2a7154ba83f5b041878c21f
Change-Id: I27be1f93598820a0f2a7154ba83f5b041878c21f

As a guard against the BLUFFS attack, check security parameters of
incoming connections against cached values and disallow connection if
these parameters are downgraded or changed from their cached values.

This CL adds the connection-time check for Secure Connections mode.

Bug: 314331379
Test: m libbluetooth
Test: manual

To test this CL, please ensure that BR/EDR initial connections and reconnections  (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types.  Basic validation of LE bonding functionality should be done as well.

Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20fdd9b3225a6084f6b666172817fe0a89f0679)
Merged-In: I9130476600d31b59608e0e419b5136d255174265
Change-Id: I9130476600d31b59608e0e419b5136d255174265

Merge cherrypicks of ['googleplex-android-review.googlesource.com/27235141', 'googleplex-android-review.googlesource.com/27051267'] into security-aosp-udc-release.

Change-Id: I6ef70460b77304d0ab73c5f31a3404e18ee07c14

Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with
an out of bounds comparison.  Although the bug claims this is due to a
comparison of a uuid with a smaller data field thana the discovery
attribute, my research suggests that this instead stems from a
comparison of a 128 bit UUID with a discovery attribute of some other,
invalid size.

Add checks for discovery attribute size.

Bug: 287184435
Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bbdb139bf91dca86c72c33a74c0e3407938c487)
Merged-In: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
Change-Id: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43

Researcher reports that some BT calls across Binder are validating only
BT's own permissions and not the calling app's permissions.  On
investigation this seems to be due to a missing null check in several BT
permissions checks, which allows a malicious app to pass in a null
AttributionSource and therefore produce a stub AttributionSource chain
which does not properly check for the caller's permissions.

Add null checks, and correct tests which assumed a null was a valid
input.

Bug: 242996380
Test: atest UtilsTest
Test: researcher POC
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fe72f931db2898eb51a44e3b1b424c6370e8ad8)
Merged-In: I9bf6fac218dccc092debe0904e08eb23cc4583c0
Change-Id: I9bf6fac218dccc092debe0904e08eb23cc4583c0

Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059478'] into security-aosp-udc-release.

Change-Id: I50e49019ee1d81ffd6ae65779041ff31dca091fa

When pairing with BLE legacy pairing initiated
from remote, authentication can be bypassed.
This change fixes it.

Bug: 251514170
Test: m com.android.btservices
Test: manual run against PoC
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:25a3fcd487c799d5d9029b8646159a0b10143d97)
Merged-In: I369a8fdd675eca731a7a488ed6a2be645058b795
Change-Id: I369a8fdd675eca731a7a488ed6a2be645058b795

Merge cherrypicks of ['googleplex-android-review.googlesource.com/25492676', 'googleplex-android-review.googlesource.com/25494184', 'googleplex-android-review.googlesource.com/25558746', 'googleplex-android-review.googlesource.com/25676552', 'googleplex-android-review.googlesource.com/25842635'] into security-aosp-udc-release.

Change-Id: I3c7290634fa0bc694439587c63426ad43356e689

Bug: 318374503
Test: m com.android.btservices | manual test against PoC | QA
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62944f39f502b28687a5142ec2d77585525591bc)
Merged-In: I48df2c2d77810077e97d4131540277273d441998
Change-Id: I48df2c2d77810077e97d4131540277273d441998

Bug: 295887535
Bug: 315127634
Test: m com.android.btservices
Test: atest net_test_stack_gatt
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ae5e736813bf2928bfc8c71e3dacf3b78394046)
Merged-In: I291fd665a68d90813b8c21c80d23cc438f84f285
Change-Id: I291fd665a68d90813b8c21c80d23cc438f84f285

This reverts commit a0d4425c.

Reason for revert: LE Device name is incorrect after the change. See b/315127634
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6dbe94fe556ef67f3bbb7d7bb2da3320d68619df)
Merged-In: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
Change-Id: I93906e7ab768b4015fe3491e171fdb0ec8cf3077

Bug: 295887535
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b927f3fb660dafaf97b2fa0398353a8c39125efc)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a0d4425c3964f99f589d449deed2f1bbe520218c)
Merged-In: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
Change-Id: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48

Bug: 300903400
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20a759c149b739f8dfc3790287ad1b954115c18)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a4704e7519d0a02c1caf8b4d8ed874bc201a4b91)
Merged-In: I400cfa3523c6d8b25c233205748c2db5dc803d1d
Change-Id: I400cfa3523c6d8b25c233205748c2db5dc803d1d

Merge cherrypicks of ['googleplex-android-review.googlesource.com/25558746'] into security-aosp-udc-release.

Change-Id: Ib14b601ff6de57765d2ee683c50df91d2a58b74b

This reverts commit a0d4425c.

Reason for revert: LE Device name is incorrect after the change. See b/315127634
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6dbe94fe556ef67f3bbb7d7bb2da3320d68619df)
Merged-In: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
Change-Id: I93906e7ab768b4015fe3491e171fdb0ec8cf3077

Merge cherrypicks of ['googleplex-android-review.googlesource.com/22948134', 'googleplex-android-review.googlesource.com/25503067', 'googleplex-android-review.googlesource.com/25494184'] into security-aosp-udc-release.

Change-Id: I896d7ddea13a7a81007ed89495021c61be809d18

Bug: 295887535
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b927f3fb660dafaf97b2fa0398353a8c39125efc)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a0d4425c3964f99f589d449deed2f1bbe520218c)
Merged-In: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
Change-Id: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48

Bug: 297524203
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140c41e3553bc59fe97e3f5ee96c64e2251971e2)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e9b40c3dfd81c3fa99b3f115135de7e2c356ece9)
Merged-In: I2a95bbcce9a16ac84dd714eb4561428711a9872e
Change-Id: I2a95bbcce9a16ac84dd714eb4561428711a9872e

1. The size of `p_src->attr_value.value` is dependent on
   `p_src->attr_value.len`. While copying `p_src->attr_value.value`,
   to `p_dest->attr_value.value`, it always copies GATT_MAX_ATTR_LEN
   bytes, it may result in OOB read in `p_src->attr_value.value`;

2. As the `p_dest->attr_value.len` does not map the length of
   `p_dest->attr_value.value`, it may result in OOB read in
   attp_build_value_cmd;

Bug: 276898739
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59c9e84bd31d4935a875d588bf4d2cc5bfb07d59)
Merged-In: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
Change-Id: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368

Merge cherrypicks of ['googleplex-android-review.googlesource.com/23398897'] into security-aosp-udc-release.

Change-Id: Ib6e9ccf6442e64b3b341fb22bc61b192c25755ba

Some HCI BLE events are missing bounds checks, leading to possible OOB
access.  Add the appropriate bounds checks on the packets.

Bug: 279169188
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:66e2be0585514de92e8a31df09ab31528fd67e20)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d1a3febede9f835797cf5feff978a9f007f2593)
Merged-In: If7752f6edd749d6d5a4bb957b4824c22b5602737
Change-Id: If7752f6edd749d6d5a4bb957b4824c22b5602737

Merge cherrypicks of ['googleplex-android-review.googlesource.com/22932491', 'googleplex-android-review.googlesource.com/22919959', 'googleplex-android-review.googlesource.com/24737769', 'googleplex-android-review.googlesource.com/24737770', 'googleplex-android-review.googlesource.com/24668801', 'googleplex-android-review.googlesource.com/24704938', 'googleplex-android-review.googlesource.com/24706103', 'googleplex-android-review.googlesource.com/23353294', 'googleplex-android-review.googlesource.com/24234506', 'googleplex-android-review.googlesource.com/24994487', 'googleplex-android-review.googlesource.com/25011463', 'googleplex-android-review.googlesource.com/25012272', 'googleplex-android-review.googlesource.com/25020212'] into security-aosp-udc-release.

Change-Id: I49f857cdecf0f62cbf39b33d81de00d631d4b70f

BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
to be deduced through a side-channel attack.

Change to CRYPTO_memcmp, which is hardened against this attack, to
eliminate this attack.

Bug: 274478807
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 7a960ac1)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d011f54d04e7ff732d4dc467079574b4e1c7b72d)
Merged-In: Iddeff055d9064f51a1e0cfb851d8b74135a714c2
Change-Id: Iddeff055d9064f51a1e0cfb851d8b74135a714c2

Bug: 277590580
bug: 275553827
Test: atest net_test_main_shim
Ignore-AOSP-First: security
Tag: #security
(cherry picked from commit 0d7e3d8f)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:462fc9465fafce4a055d0dadb451b3d71bf05289)
Merged-In: I7fcb7c46f668f48560a72399a3c5087c6da3827f
Change-Id: I7fcb7c46f668f48560a72399a3c5087c6da3827f

This change is intended to be used to factor out
dup code for parsing GapData in StartAdvertisingSet
and make it easier to be tested.

Backport of Ia39886c415218353b6f9d59d7d3f6d1160477d6c

Bug: 296291440
Test: atest net_test_main_shim
(cherry picked from commit 08690d66)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cfc86f8d13d6e5585f2b535bf5225000c6ceaf8e)
Merged-In: Ia39886c415218353b6f9d59d7d3f6d1160477d6c
Change-Id: Ia39886c415218353b6f9d59d7d3f6d1160477d6c

[conflict] Merge "Add bounds checks in btif_avrcp_audio_track.cc" into tm-dev am: 0b68bd68 am: 52d169b1

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/23356997



Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3d7c7f4c2c514b6a62f827615cb75ba61319b115)
Merged-In: I0389f56ae210b4976821e0ceeb21a7a0c2965a62
Change-Id: I0389f56ae210b4976821e0ceeb21a7a0c2965a62