- Jun 04, 2024
-
-
Brian Delwiche authored
As a guard against the BLUFFS attack, we will need to check the security parameters of incoming connections against cached values and disallow connection if these parameters are downgraded or changed from their cached values. Future CLs will add checks during connection. This CL adds the functions that will be needed to perform those checks and the necessary mocks. Currently supported checks are: IO capabilities (must be an exact match), Secure Connections capability (must not be a downgrade), and session key length (must not be a downgrade). Maximum session key length, which was previously not cached, has been added to the device security manager cache. To QA: This CL is a logical no-op by itself. Tests should be performed as described in ag/25815924 and ag/25815925/ Bug: 314331379 Test: m libbluetooth Tag: #security Ignore-AOSP-First: Security Merged-In: I3cd1db300be68d15cb09bdabea711199fcf748da Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f
-
- Oct 09, 2023
-
-
Brian Delwiche authored
-
Brian Delwiche authored
-
Brian Delwiche authored
-
Hui Peng authored
* changes:
  Relax the validation on sdp attr size
  Add validation on attr type and size in a2dp_api.cc
  Add tests for the following change
-
- Oct 08, 2023
- Oct 06, 2023
-
-
Hui Peng authored
* changes:
  Fix an OOB bug in parse_gap_data
  Factor out duplicate code for parsing gap data
-
Brian Delwiche authored
BTM_BleVerifySignature uses a stock memcmp, allowing signature contents to be deduced through a side-channel attack. Change to CRYPTO_memcmp, which is hardened against this attack, to eliminate this attack. Bug: 274478807 Test: atest bluetooth_test_gd_unit Tag: #security Ignore-AOSP-First: Security Merged-In: I7f5646b683209bc6a6fbce8d4702ec311adc9cfc Change-Id: Iddeff055d9064f51a1e0cfb851d8b74135a714c2
-
Brian Delwiche authored
Fuzz testing reveals that the transcodeQ*ToFloat family of functions are not bounds checked, causing a potential OOB write. Check these functions against bounds of the destination array. Bug: 275895309 Test: atest bluetooth_test_gd_unit, net_test_stack_btm Tag: #security Ignore-AOSP-First: Security Merged-In: I7a13261429797769cf5b913912a30e249668ac93 Change-Id: I7a13261429797769cf5b913912a30e249668ac93
-
Hui Peng authored
Changing from exact size match to greater than or equal to make the fix less prone to regression. Bug: 263958603 Test: atest net_test_stack_a2dp_native Ignore-AOSP-First: security Tag: #security Merged-In: I03522897e93af59508efa2f536dd217d48f78110 Change-Id: I03522897e93af59508efa2f536dd217d48f78110 (cherry picked from commit b608afa0)
-
- Oct 05, 2023
-
- Oct 04, 2023
-
-
Hui Peng authored
This is a regression introduced in ag/24529645 (one of the fixes of b/263958603) and detected and reported in bugs below by WearOS team. Original bug Bug: 263958603 Regressions: Bug: 297438857 Bug: 297458852 Bug: 297461435 Bug: 297831980 Test: atest net_test_stack_sdp Ignore-AOSP-First: security Merged-In: Ie7210673d65656ef9dbb2a4759a3636025b67b44 Change-Id: Ie7210673d65656ef9dbb2a4759a3636025b67b44 (cherry picked from commit d7d87efa)
- Sep 13, 2023
-
-
Hui Peng authored
Original bug Bug: 294854926 regressions: Bug: 299570702 Bug: 299561281 Test: m com.android.btservices Test: QA validation Ignore-AOSP-First: security Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa
-
- Sep 12, 2023
-
-
Hui Peng authored
Original bug Bug: 294854926 regressions: Bug: 299570702 Test: Test: m com.android.btservices Test: QA validation Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4 Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
-
Hui Peng authored
Allow access to rfcomm PSM by default Original bug Bug: 294854926 Nearby regressions: Bug: 298539299 Test: m com.android.btservices Ignore-AOSP-First: security Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66 Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
-
Hui Peng authored
Reject access to service running on rfcomm this is a backport of I10fcc2dcd78fc22ffbe3c425669fc9889b94a166 Bug: 294854926 Test: m com.android.btservices Ignore-AOSP-First: security Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166 Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
-
Hui Peng authored
Reject access to services running on l2cap Backport of Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 Bug: 294854926 Test: m com.android.btservices Ignore-AOSP-First: security Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
-
- Sep 03, 2023
-
- Sep 01, 2023
-
-
Hui Peng authored
Bug: 277590580 bug: 275553827 Test: atest net_test_main_shim Ignore-AOSP-First: security Tag: #security Merged-In: I7fcb7c46f668f48560a72399a3c5087c6da3827f Change-Id: I7fcb7c46f668f48560a72399a3c5087c6da3827f
-
Hui Peng authored
This change is intended to be used to factor out dup code for parsing GapData in StartAdvertisingSet and make it easier to be tested. Backport of Ia39886c415218353b6f9d59d7d3f6d1160477d6c Bug: 296291440 Test: atest net_test_main_shim Merged-In: Ia39886c415218353b6f9d59d7d3f6d1160477d6c Change-Id: Ia39886c415218353b6f9d59d7d3f6d1160477d6c
- Aug 31, 2023
-
-
Hui Peng authored
-
- Aug 24, 2023
-
-
Hui Peng authored
-
- Aug 08, 2023
-
-
Brian Delwiche authored
com_android_bluetooth_btservice_AdapterService does not null its local JNI environment variable after detaching the thread (which frees the environment context), allowing UAF under certain conditions. Null the variable in this case. Testing here was done through a custom unit test; see patchsets 4-6 for contents. However, unit testing of the JNI layer is problematic in production, so that part of the patch is omitted for final merge. Bug: 291500341 Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm Tag: #security Ignore-AOSP-First: Security Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
-
- Aug 07, 2023
-
-
Hui Peng authored
-
- Aug 05, 2023
-
-
Hui Peng authored
-
- Aug 04, 2023
-
- Jun 27, 2023
-
-
Hui Peng authored
Bug: 275057843 Bug: 275057678 Test: manual Tag: #security Ignore-AOSP-First: security Merged-In: I4c8ec50c15e2727839a49da0e582164557bcd38a Change-Id: I4c8ec50c15e2727839a49da0e582164557bcd38a
-