Commits · 261b9b8d3ff55cf3c6bc9ae8c9cab42b4638e9e8 · LMODroid / platform_packages_modules_Bluetooth

Apr 14, 2023
- Merge "Revert "Fix a OOB bug in bta_hh_co_get_rpt_rsp"" into tm-dev · 261b9b8d
  William Escande authored 1 year ago
  
  261b9b8d
Apr 13, 2023

Revert "Fix a OOB bug in bta_hh_co_get_rpt_rsp" · a7ae837b

Hui Peng authored 1 year ago

This reverts commit f173fcb4.

Reason for revert: Head tracking broken as reported in b/277995800

Change-Id: I0c9c95afed6f73712d0a1a5024651cba960eb9d0

a7ae837b

Apr 04, 2023
- Merge "Fix gatt_end_operation buffer overflow" into tm-dev · e8779817
  Timothy Yiu authored 1 year ago
  
  e8779817
Apr 03, 2023
- Merge "Fix potential use after free in pan_api.cc" into tm-dev · 003c3d27
  Brian Delwiche authored 1 year ago
  
  003c3d27
- Merge "Revert "Revert "Validate buffer length in sdpu_build_uuid_seq""" into tm-dev · bdcc9b8a
  Brian Delwiche authored 1 year ago
  
  bdcc9b8a
Mar 31, 2023
- Merge "Fix OOB read in btm_ble_periodic_av_sync_lost" into tm-dev · fd1d5e71
  Brian Delwiche authored 1 year ago
  
  fd1d5e71
Mar 29, 2023

Fix OOB read in btm_ble_periodic_av_sync_lost · c077ffbe

Brian Delwiche authored 1 year ago

btm_ble_periodic_av_sync_lost internally calls the function
btm_ble_get_psync_index_from_handle, which polls the internal periodic
sync buffer and returns a matching index if one exists.  If no matching
handle is found, it returns MAX_SYNC_TRANSACTION.

However, here the calling function lacks the check for this case present
in similar functions.  If no handle is matched, it will attempt to index
the buffer with MAX_SYNC_TRANSACTION, which will overrun it by a single
width and lead to OOB access.

Add handling for this case.

Bug: 273502002
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm, validated
against researcher POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I2e1e95b277f81b2668f721a7693df50841968ec5

c077ffbe

Mar 28, 2023

Fix gatt_end_operation buffer overflow · 7236e449

tyiu authored 1 year ago

Added boundary check for gatt_end_operation to prevent writing out of
boundary.

Since response of the GATT server is handled in
gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum
lenth that can be passed into the handlers is bounded by
GATT_MAX_MTU_SIZE, which is set to 517, which is greater than
GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec
that gaurentees MTU response to be less than or equal to 512 bytes can
cause a buffer overflow when performing memcpy without length check.

Bug: 261068592
Test: No test since not affecting behavior
Tag: #security
Ignore-AOSP-First: security

Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873

7236e449

Mar 24, 2023

Fix a OOB bug in bta_hh_co_get_rpt_rsp · f173fcb4

Hui Peng authored 2 years ago

Fix to the regression reported in b/264708304 and b/266585826 added:
The root cause of the regression, the sensor HAL layer expects the HID feature
reports to contain 40 bytes, even less bytes are contained in the data
field.

This updated fix restores the length of data fields with the len arg.

Bug: 259675705
Test: manual verification with a Pixel 6 and LinkBuds
Ignore-AOSP-First: security
Tag: security
Change-Id: I02f16c360965b049fc6c8fdfa0132b7aa54bc1d3

f173fcb4

Mar 21, 2023

Revert "Revert "Validate buffer length in sdpu_build_uuid_seq"" · 4a33fbcf

Brian Delwiche authored 1 year ago

This reverts commit e6cf2700.

Reason for revert: Reinstate original change for QPR

Change-Id: I3e039f1b8f8ffbcc4875b663d417462451fb76a0

4a33fbcf

Mar 13, 2023
- Merge "Revert "Validate buffer length in sdpu_build_uuid_seq"" into tm-dev · b4a26774
  Brian Delwiche authored 2 years ago
  
  b4a26774
Mar 11, 2023

Revert "Validate buffer length in sdpu_build_uuid_seq" · e6cf2700

Brian Delwiche authored 2 years ago

This reverts commit 367ed057.

Reason for revert: Reverting from May QPR, will reinstate unchanged for a later release

Change-Id: I36ae57ec7e81ac0357fa1c6fb98dff219ee6dade

e6cf2700

Mar 06, 2023
- Merge "Validate buffer length in sdpu_build_uuid_seq" into tm-dev · d7786669
  Brian Delwiche authored 2 years ago
  
  d7786669
Feb 16, 2023

Fix potential use after free in pan_api.cc · f4bd0731

Brian Delwiche authored 2 years ago

Structure length is checked in pan_api.cc after the structure may
be freed, leading to a potential use after free.

Save the buffer length to a local instead.  Note that BNEP_WriteBuf
may alter the length being written internally; this does not appear
to be an issue in this use case because the octet count being tracked
is used only for logging purposes within PAN.

Bug: 259939435
Test: atest bluetooth_test_gd_unit, validate against researcher POC
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I613b3dd3684182bdc725f9e1512061484448d367

f4bd0731

Feb 15, 2023

Validate buffer length in sdpu_build_uuid_seq · 367ed057

Brian Delwiche authored 2 years ago

sdpu_build_uuid_seq accepts a UUID sequence of arbitrary length
but does not validate against the boundaries of the buffer it's
filling.  This can lead to an OOB write.

Add validation.

Bug: 239414876
Test: atest: bluetooth, validated against POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I6c0b91428bd37d73ae707b8a1843338998fb9562

367ed057

Feb 09, 2023
- Merge "Fix an OOB bug in gatt_dbg_op_name" into tm-dev · c87c558f
  Hui Peng authored 2 years ago
  
  c87c558f
Feb 07, 2023
- Merge "Fix a few bugs in btm_ble_batchscan_filter_track_adv_vse_cback" into tm-dev · aa366309
  Hui Peng authored 2 years ago
  
  aa366309
- Merge "Fix an OOB bug in btm_acl_process_sca_cmpl_pkt" into tm-dev · 8b062828
  Hui Peng authored 2 years ago
  
  8b062828
- Reject encryption drop in Common Criteria mode · 1ee290b8
  Brian Delwiche authored 2 years ago
  
  For NCIS certification, we need to drop the connection or reestablish encryption after receiving a command to disable link layer encryption on an encrypted link. However, dropping the connection for all devices breaks compatibility during role switch with devices running Bluetooth 2.1 or earlier, a category including many cars still in the field. Add a check forcing connections to drop in this case, conditioned on Common Criteria mode.. Bug: 251436534 Test: atest: bluetooth, lab validation forthcoming Tag: #security Ignore-AOSP-First: Security Change-Id: I94654ebeb16774643107ee41473725cfae3764ab
  1ee290b8
- Merge "Fix an OOB bug in btm_ble_ltk_request" into tm-dev · 9e1c9629
  Hui Peng authored 2 years ago
  
  9e1c9629
- Merge "Fix an OOB bug in remove_sdp_record" into tm-dev · 65930cfb
  Hui Peng authored 2 years ago
  
  65930cfb
- Merge "Fix an OOB bug in btm_ble_periodic_adv_sync_tx_rcvd" into tm-dev · 5d3fdb27
  Hui Peng authored 2 years ago
  
  5d3fdb27
- Fix a few bugs in btm_ble_batchscan_filter_track_adv_vse_cback · c5e898d3
  Hui Peng authored 2 years ago
  
  Bug: 261857395 Test: manual Tag: #security Ignore-AOSP-First: security Change-Id: I1ba4d1f1e62b1d77ac635cfb6b16cf175bfbf254
  c5e898d3
- Merge "Fix an OOB bug in on_remove_iso_data_path" into tm-dev · b8354c4e
  Hui Peng authored 2 years ago
  
  b8354c4e
- Fix an OOB bug in btm_ble_ltk_request · 47cd3886
  Hui Peng authored 2 years ago
  
  Bug: 254445961 Test: manual Ignore-AOSP-First: security Change-Id: I1d3c208a5281b88ed25c0028f1a0000d6957637c
  47cd3886
Feb 06, 2023
- Merge "Fix a nullptr-deref in on_create_record_event" into tm-dev · 334a5b3d
  Hui Peng authored 2 years ago
  
  334a5b3d
- Merge "Fix an OOB bug in register_notification_rsp" into tm-dev · e2418045
  Hui Peng authored 2 years ago
  
  e2418045
- Fix an OOB bug in remove_sdp_record · b9a94d52
  Hui Peng authored 2 years ago
  
  Bug: 245517503 Test: manual Ignore-AOSP-First: security Change-Id: If768b0b2e11bbc4444835fda28e246e285a7e8ab
  b9a94d52
- Fix an OOB bug in btm_acl_process_sca_cmpl_pkt · 4b008a2a
  Hui Peng authored 2 years ago
  
  Bug: 251427561 Test: manual Ignore-AOSP-First: security Change-Id: I2db2339631d521515cb34536e358ae72ebeaaa8b
  4b008a2a
- Fix an OOB bug in btm_ble_periodic_adv_sync_tx_rcvd · a24402da
  Hui Peng authored 2 years ago
  
  Bug: 233879420 Test: manual Ignore-AOSP-First: security Change-Id: Ic740e5ff3ceabf3df1e78431f7d31adf356479f0
  a24402da
Jan 31, 2023

Fix an OOB bug in on_remove_iso_data_path · 1a8a5ece

Hui Peng authored 2 years ago

Bug: 236688764
Test: manul
Ignore-AOSP-First: security
Tag: #security
Change-Id: I0ef4855e715be8fa9a69916e35d3a6c97498a9cc

1a8a5ece

Jan 25, 2023
- Merge "Revert "Fix an OOB bug in bta_hh_co_get_rpt_rsp"" into tm-dev · f9f1695e
  David Duarte authored 2 years ago
  
  f9f1695e
- Revert "Fix an OOB bug in bta_hh_co_get_rpt_rsp" · 2506a98f
  Hui Peng authored 2 years ago
  
  This reverts commit d2e67f50. Reason for revert: regression caused in 266585826 Change-Id: I86a5bb0b96332880a2a173ad57b96fb007e3ea83
  2506a98f
Jan 19, 2023

Fix an OOB bug in gatt_dbg_op_name · 8f013f79

Hui Peng authored 2 years ago

Bug: 260079141
Test: manual
Ignore-AOSP-First: security
Change-Id: If8be70e134fdf1f6edb43d0360c524fffed6045b

8f013f79

Jan 14, 2023

Fix an OOB bug in register_notification_rsp · daa3efc5

Hui Peng authored 2 years ago

Bug: 245916076
Test: manual
Ignore-AOSP-First: security
Change-Id: I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f

daa3efc5

Jan 12, 2023
- Fix a nullptr-deref in on_create_record_event · b45b8479
  Hui Peng authored 2 years ago
  
  Bug: 263545186 Test: manual Ignore-AOSP-First: security Change-Id: I0abbb67842850cc2f1298b43dc49a89445b40a43
  b45b8479
- Merge "Harden array bounds validation" into tm-dev · d0fc4262
  Brian Delwiche authored 2 years ago
  
  d0fc4262
Jan 11, 2023
- Merge "Fix an OOB access bug in btm_vendor_specific_evt" into tm-dev · cbea7ae0
  Hui Peng authored 2 years ago
  
  cbea7ae0
- Merge "Fix a potential OOB read resulted from integer underflow" into tm-dev · 0e1b29ee
  Hui Peng authored 2 years ago
  
  0e1b29ee
- Fix an OOB bug in btm_read_rssi_complete · 047a68b1
  Hui Peng authored 2 years ago
  
  Bug: 260569232 Test: manual, to add regression Tag: #security Ignore-AOSP-First: security Merged-In: I3d56c64f205c3675ba3856c1e553878b945ec261 Change-Id: I3d56c64f205c3675ba3856c1e553878b945ec261
  047a68b1