  1. Jun 04, 2024
    • Add support for checking security downgrade · 3cf3d9d9
      Brian Delwiche authored
      As a guard against the BLUFFS attack, we will need to check the security
      parameters of incoming connections against cached values and disallow
      connection if these parameters are downgraded or changed from their
      cached values.
      
      Future CLs will add checks during connection.  This CL adds the
      functions that will be needed to perform those checks and the necessary
      mocks.
      Currently supported checks are: IO capabilities (must be an exact match),
      Secure Connections capability (must not be a downgrade), and session key
      length (must not be a downgrade).  Maximum session key length, which was
      previously not cached, has been added to the device security manager
      cache.
      
      To QA: This CL is a logical no-op by itself.  Tests should be performed as described in ag/25815924 and ag/25815925/
      
      Bug: 314331379
      Test: m libbluetooth
      Tag: #security
      Ignore-AOSP-First: Security
      Merged-In: I3cd1db300be68d15cb09bdabea711199fcf748da
      Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f
      Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f
  2. Oct 09, 2023
  3. Oct 08, 2023
  4. Oct 06, 2023
    • Merge changes I7fcb7c46,Ia39886c4 into tm-dev · 70614401
      Hui Peng authored
      * changes:
        Fix an OOB bug in parse_gap_data
        Factor out duplicate code for parsing gap data
    • Fix timing attack in BTM_BleVerifySignature · 7a960ac1
      Brian Delwiche authored
      BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
      to be deduced through a side-channel attack.
      
      Change to CRYPTO_memcmp, which is hardened against this attack, to
      eliminate this attack.
      
      Bug: 274478807
      Test: atest bluetooth_test_gd_unit
      Tag: #security
      Ignore-AOSP-First: Security
      Merged-In: I7f5646b683209bc6a6fbce8d4702ec311adc9cfc
      Change-Id: Iddeff055d9064f51a1e0cfb851d8b74135a714c2
    • Add bounds checks in btif_avrcp_audio_track.cc · 46803ae9
      Brian Delwiche authored
      Fuzz testing reveals that the transcodeQ*ToFloat family of functions are
      not bounds checked, causing a potential OOB write.
      
      Check these functions against bounds of the destination array.
      
      Bug: 275895309
      Test: atest bluetooth_test_gd_unit, net_test_stack_btm
      Tag: #security
      Ignore-AOSP-First: Security
      Merged-In: I7a13261429797769cf5b913912a30e249668ac93
      Change-Id: I7a13261429797769cf5b913912a30e249668ac93
    • Relax the validation on sdp attr size · 8ecede4b
      Hui Peng authored
      Changing from exact size match to greater than or equal
      to make the fix less prone to regression.
      
      Bug: 263958603
      Test: atest net_test_stack_a2dp_native
      Ignore-AOSP-First: security
      Tag: #security
      
      Merged-In: I03522897e93af59508efa2f536dd217d48f78110
      Change-Id: I03522897e93af59508efa2f536dd217d48f78110
      (cherry picked from commit b608afa0)
    • Add validation on attr type and size in a2dp_api.cc · c5bc4c49
      Hui Peng authored
      Bug: 263958603
      Test: atest net_test_stack_a2dp_native
      Ignore-AOSP-First: security
      Tag: #security
      
      Merged-In: I938467ca4f4b130cd8b4c544096127e679391c06
      Change-Id: I938467ca4f4b130cd8b4c544096127e679391c06
      (cherry picked from commit 4832e302)
    • Add tests for the following change · bd32fb5c
      Hui Peng authored
      CL: I59b208d403d6f16a8515b351f4c296f9affdf37b
      
      Bug: 263958603
      Test: atest net_test_bta
      Ignore-AOSP-First: security
      Tag: #security
      Merged-In: Ia587191901112d9e3ab15faefb1ca0f914e127ef
      Change-Id: Ia587191901112d9e3ab15faefb1ca0f914e127ef
      (cherry picked from commit a6b4a43d)
  5. Oct 05, 2023
  6. Oct 04, 2023
    • Add validation on sdp attributes in bta_av_act.cc · d4c50d11
      Hui Peng authored
      Bug: 263958603
      Test: atest bt_host_test_bta
      Ignore-AOSP-First: security
      Tag: #security
      Merged-In: I5286fabf49f14cba5ef65a79d6e1eadb40bbb514
      Change-Id: I5286fabf49f14cba5ef65a79d6e1eadb40bbb514
      (cherry picked from commit 590aa47f)
    • Reland ag/24529645 · 31323451
      Hui Peng authored
      This is a regression introduced in ag/24529645
      (one of the fixes of b/263958603)
      and detected and reported in bugs below by WearOS team.
      
      Original bug
      Bug: 263958603
      
      Regressions:
      Bug: 297438857
      Bug: 297458852
      Bug: 297461435
      Bug: 297831980
      
      Test: atest net_test_stack_sdp
      Ignore-AOSP-First: security
      Merged-In: Ie7210673d65656ef9dbb2a4759a3636025b67b44
      Change-Id: Ie7210673d65656ef9dbb2a4759a3636025b67b44
      (cherry picked from commit d7d87efa)
  7. Sep 13, 2023
    • Enforce authentication if encryption is required · 0a8c39cd
      Hui Peng authored
      Original bug
      Bug: 294854926
      
      regressions:
      Bug: 299570702
      Bug: 299561281
      
      Test: m com.android.btservices
      Test: QA validation
      Ignore-AOSP-First: security
      
      Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa
      Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa
  8. Sep 12, 2023
    • Reorganize the code for checking auth requirement · 6bacbe90
      Hui Peng authored
      Original bug
      Bug: 294854926
      
      regressions:
      Bug: 299570702
      
      Test: Test: m com.android.btservices
      Test: QA validation
      Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
      Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
    • Reject access to secure service authenticated from a temp bonding [3] · 9e4cef21
      Hui Peng authored
      Allow access to rfcomm PSM by default
      
      Original bug
      Bug: 294854926
      
      Nearby regressions:
      Bug: 298539299
      
      Test: m com.android.btservices
      Ignore-AOSP-First: security
      Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
      Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
    • Reject access to secure services authenticated from temp bonding [2] · 9878a84e
      Hui Peng authored
      Reject access to service running on rfcomm
      
      this is a backport of
      I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
      
      Bug: 294854926
      Test: m com.android.btservices
      Ignore-AOSP-First: security
      Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
      Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
    • Reject access to secure service authenticated from a temp bonding [1] · 232f4f81
      Hui Peng authored
      Reject access to services running on l2cap
      
      Backport of
      Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
      
      Bug: 294854926
      Test: m com.android.btservices
      Ignore-AOSP-First: security
      
      Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
      Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
  9. Sep 03, 2023
  10. Sep 01, 2023
    • Add validation on service attrs in bta_sdp_act.cc · e2821752
      Hui Peng authored
      Bug: 263958603
      Test: atest net_test_bta
      Ignore-AOSP-First: security
      Tag: #security
      
      Merged-In: I59b208d403d6f16a8515b351f4c296f9affdf37b
      Change-Id: I59b208d403d6f16a8515b351f4c296f9affdf37b
      (cherry picked from commit 66ce4a04)
    • Add validation on sdp attributes in bta_ag_sdp.cc · 33334f0d
      Hui Peng authored
      Bug: 263958603
      Test: atest bt_host_test_bta
      Ignore-AOSP-First: security
      Tag: #security
      Change-Id: I51c0215125808102b6cff880357d19012ffc37b9
      Merged-In: I51c0215125808102b6cff880357d19012ffc37b9
      (cherry picked from commit 509feb84)
    • Add type validation in bta_hf_client_sdp.cc · a2ccb20f
      Hui Peng authored
      Bug: 263958603
      Test: atest net_test_bta
      Ignore-AOSP-First: security
      Tag: #security
      
      Merged-In: I70a15be0409d9368e1d5984b1719f9a917c8cb7e
      Change-Id: I70a15be0409d9368e1d5984b1719f9a917c8cb7e
      (cherry picked from commit 3bd9e5b1)
    • Add type and len field in sdp attr in SetUpSdp · aa2066f9
      Hui Peng authored
      Bug: 263958603
      Test: atest net_test_avrcp
      Ignore-AOSP-First: security
      Tag: #security
      Change-Id: Ic807df3bce25fdcd83061d24ac185ba3c4bab328
      (cherry picked from commit 2d5672a6)
    • Fix an OOB bug in parse_gap_data · 0d7e3d8f
      Hui Peng authored
      Bug: 277590580
      bug: 275553827
      Test: atest net_test_main_shim
      Ignore-AOSP-First: security
      Tag: #security
      Merged-In: I7fcb7c46f668f48560a72399a3c5087c6da3827f
      Change-Id: I7fcb7c46f668f48560a72399a3c5087c6da3827f
    • Factor out duplicate code for parsing gap data · 08690d66
      Hui Peng authored
      This change is intended to be used to factor out
      dup code for parsing GapData in StartAdvertisingSet
      and make it easier to be tested.
      
      Backport of Ia39886c415218353b6f9d59d7d3f6d1160477d6c
      
      Bug: 296291440
      Test: atest net_test_main_shim
      Merged-In: Ia39886c415218353b6f9d59d7d3f6d1160477d6c
      Change-Id: Ia39886c415218353b6f9d59d7d3f6d1160477d6c
  11. Aug 31, 2023
  12. Aug 24, 2023
  13. Aug 08, 2023
    • Fix UAF in ~CallbackEnv · 7a5c71c3
      Brian Delwiche authored
      com_android_bluetooth_btservice_AdapterService does not null its local
      JNI environment variable after detaching the thread (which frees the
      environment context), allowing UAF under certain conditions.
      
      Null the variable in this case.
      
      Testing here was done through a custom unit test; see patchsets 4-6 for
      contents.  However, unit testing of the JNI layer is problematic in
      production, so that part of the patch is omitted for final merge.
      
      Bug: 291500341
      Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
      Tag: #security
      Ignore-AOSP-First: Security
      Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
  14. Aug 07, 2023
  15. Aug 05, 2023
  16. Aug 04, 2023
  17. Jun 27, 2023
    • Fix multiple OOB bugs in btm_ble_gap.cc · 3bb913ee
      Hui Peng authored
      Bug: 275057843
      Bug: 275057678
      Test: manual
      Tag: #security
      Ignore-AOSP-First: security
      Merged-In: I4c8ec50c15e2727839a49da0e582164557bcd38a
      Change-Id: I4c8ec50c15e2727839a49da0e582164557bcd38a