Android Security 14.0.0 Release 15 (12496787)

* tag 'android-security-14.0.0_r15' of https://android.googlesource.com/platform/packages/modules/Bluetooth:
  Fix OOB writes in gatt_sr.cc
  Encrypt LE link immediately on reconnection
  Fix "GATT Read Multiple Variable Response" builder
  Fix OOB write in build_read_multi_rsp of gatt_sr.cc

 Conflicts:
	system/stack/gatt/gatt_sr.cc

Change-Id: Icbefa56d427d00dc5114fb67c3060d69c8f856f2

Merge cherrypicks of ['googleplex-android-review.googlesource.com/29693391'] into security-aosp-udc-release.

Change-Id: Ie8cbd82a476d027f634378fb3d9b15cd4991b5ca

At various points in gatt_sr.cc, the output of the
gatt_tcb_get_payload_size function is used without checking for a
positive length.  However, in exceptional cases it is possible for the
channel to be closed at the time the function is called, which will lead
to a zero length and cause an OOB write in subsequent processing.

Fix all of these.

Bug: 364026473
Bug: 364027038
Bug: 364027949
Bug: 364025411
Test: m libbluetooth
Test: researcher POC
Flag: EXEMPT trivial validity checks
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 7de5617f7d5266fe57c990c428621b5d4e92728a)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:130861eadc3d9eda593df949666e561dd1f020fc)
Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404

Merge tag 'android-security-14.0.0_r13' of https://android.googlesource.com/platform/packages/modules/Bluetooth into HEAD

Android Security 14.0.0 Release 13 (12199513)

* tag 'android-security-14.0.0_r13' of https://android.googlesource.com/platform/packages/modules/Bluetooth:
  RESTRICT AUTOMERGE Disallow unexpected incoming HID connections

 Conflicts:
	android/app/jni/com_android_bluetooth_hid_host.cpp
	android/app/src/com/android/bluetooth/hid/HidHostService.java
	system/btif/include/btif_hh.h
	system/btif/src/btif_hh.cc
	system/btif/src/btif_profile_storage.cc

Change-Id: I5a93035ba9ef47c8dd63877d9467b840f61c897c

Merge tag 'android-security-14.0.0_r12' of https://android.googlesource.com/platform/packages/modules/Bluetooth into HEAD

Android security 14.0.0 release 12

* tag 'android-security-14.0.0_r12' of https://android.googlesource.com/platform/packages/modules/Bluetooth:
  Add support for checking security downgrade
  Disallow connect with key length downgrade
  Disallow connect with Secure Connections downgrade
  Fix heap-buffer overflow in sdp_utils.cc
  Fix permission bypasses to multiple methods
  Fix an authentication bypass bug in SMP
  Fix a security bypass issue in access_secure_service_from_temp_bond
  Reland: Fix an OOB write bug in attp_build_value_cmd
  Revert "Fix an OOB write bug in attp_build_value_cmd"
  Fix an OOB write bug in attp_build_value_cmd
  Fix an OOB bug in smp_proc_sec_req
  Revert "Fix an OOB write bug in attp_build_value_cmd"
  Fix an OOB write bug in attp_build_value_cmd
  Fix an OOB write bug in attp_build_read_by_type_value_cmd
  Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
  Fix some OOB errors in BTM parsing
  Fix timing attack in BTM_BleVerifySignature
  Fix an OOB bug in parse_gap_data
  Factor out duplicate code for parsing gap data
  [conflict] Merge "Add bounds checks in btif_avrcp_audio_track.cc" into tm-dev am: 0b68bd68 am: 52d169b1
  Fix UAF in ~CallbackEnv
  Fix OOB in a2dp_vendor_opus_decoder_decode_packet
  Enforce authentication if encryption is required
  Reorganize the code for checking auth requirement
  Reject access to  secure service authenticated from a temp bonding [3]
  Reject access to secure services authenticated from temp bonding [2]
  Reject access to secure service authenticated from a temp bonding [1]
  Fix multiple OOB bugs in btm_ble_gap.cc
  Fix 2 OOB bugs in CreateAudioBroadcast

 Conflicts:
	system/bta/le_audio/broadcaster/broadcaster.cc
	system/btif/src/btif_storage.cc
	system/include/hardware/bluetooth.h
	system/main/shim/Android.bp
	system/main/shim/le_advertising_manager.cc
	system/main/shim/utils.cc
	system/stack/a2dp/a2dp_vendor_opus_decoder.cc
	system/stack/btm/btm_ble.cc
	system/stack/btm/btm_ble_gap.cc
	system/stack/btm/btm_sec.cc
	system/stack/btm/btm_sec.h
	system/stack/btu/btu_hcif.cc
	system/stack/include/sec_hci_link_interface.h
	system/stack/sdp/sdp_utils.cc
	system/stack/smp/smp_act.cc
	system/test/headless/bt_property.cc
	system/test/mock/mock_stack_btm_sec.cc

Change-Id: Ibe2d623dc8664059ef9e87f14a4ddfbe5e3cb2d2

Merge cherrypicks of ['googleplex-android-review.googlesource.com/28504378', 'googleplex-android-review.googlesource.com/28904341', 'googleplex-android-review.googlesource.com/29360799'] into security-aosp-udc-release.

Change-Id: I05f33bd267e383619d7b8b337293357470041a1a

LE link must be encrypted immediately on connection if device are
already bonded.

This is a backport of ag/29056565, but the code needs to go in a
different location because that patch relies on recent feature work.

Ignore-AOSP-First: security
Test: mmm packages/modules/Bluetooth
Bug: 288144143
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0064c0b351fc0902ebbf7bff2e84ce888abb396e)
Merged-In: I7147c837ecab6c67943fc6fd78a9949f3381df62
Change-Id: I7147c837ecab6c67943fc6fd78a9949f3381df62

0 length value is perfectly fine, and should result in just length
added into the packet.
Currently, for 0 length value we just break out of loop, and don't add
any value.
This means, that if first characetristic in response had 0 length, we
would return empty packet.

Ignore-AOSP-First: security fix
Test: mma -j32;
Bug: 352696105
Bug: 356886209
Flag: exempt, obvious logic fix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ba907afffe1fdc00570f935ce3563d28ea45f5cd)
Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608

build_read_multi_rsp is missing a bounds check, which can lead to an
OOB write when the mtu parameter is set to zero.

Add that bounds check.

Bug: 323850943
Test: atest GattSrTest
Test: researcher POC
Tag: #security
Flag: EXEMPT trivial validity checks
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cad927034a371b82a4a07a16ec442eb261f6153f)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d5c170681e728ec3b72f6f0799207b2f7e5ea1d)
Merged-In: I18e4325dbc9d6814220332288c85b114d0415c2f
Change-Id: I18e4325dbc9d6814220332288c85b114d0415c2f

Android 14.0.0 Release 55 (AP2A.240805.005)

* tag 'android-14.0.0_r55' of https://android.googlesource.com/platform/packages/modules/Bluetooth:
  Fix permission bypasses to multiple methods

Change-Id: If5ba7ce8970e53c80c4b11751131e0fd675c1ed7

Merge cherrypicks of ['googleplex-android-review.googlesource.com/28501767'] into security-aosp-udc-release.

Change-Id: I48ecfe1977f7ac23447ceeab8be64437c6503aa2

HID profile accepted any new incoming HID connection. Even when the
connection policy disabled HID connection, remote devices could initiate
HID connection.
This change ensures that incoming HID connection are accepted only if
application was interested in that HID connection.
This vulnerarbility no longer exists on the main because of feature
request b/324093729.

Test: mmm packages/modules/Bluetooth
Test: Manual | Pair and connect a HID device, disable HID connection
from Bluetooth device setting, attempt to connect from the HID device.
Bug: 308429049
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bdd92020a9c14c3f541b39624c5b1e0af599acc5)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:358b66af175f423523c5d90bb8aea4b3eb084172)
Merged-In: Iba2ac3502bf1e6e4ac1f60ed64b1b074facd880b
Change-Id: Iba2ac3502bf1e6e4ac1f60ed64b1b074facd880b

Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059673', 'googleplex-android-review.googlesource.com/27059674', 'googleplex-android-review.googlesource.com/27695267'] into security-aosp-udc-release.

Change-Id: Ib319ba41488207f4afcb5365b129ebe44e3a8e4d

As a guard against the BLUFFS attack, we will need to check the security
parameters of incoming connections against cached values and disallow
connection if these parameters are downgraded or changed from their
cached values.

Future CLs will add checks during connection.  This CL adds the
functions that will be needed to perform those checks and the necessary
mocks.
Currently supported checks are : IO capabilities (must be an exact match),
Secure Connections capability (must not be a downgrade), and session key
length (must not be a downgrade).  Maximum session key length, which was
previously not cached, has been added to the device security manager
cache.

To QA: This CL is a logical no-op by itself.  Tests should be performed as described in ag/25815924 and ag/25815925/

Bug: 314331379
Test: m libbluetooth
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 3cf3d9d9)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c17811e6a2357eb34368a1a0a6ed5dec19d980ed)
Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f
Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f

As a guard against the BLUFFS attack, check security parameters of
incoming connections against cached values and disallow connection if
these parameters are downgraded or changed from their cached values.

This CL adds the connection-time check for session key length.

To test, please validate that bonding can be established and
reestablished against devices with session key lengths of 7 and 16 bits,
that session key lengths of less than 7 bits are refused, and that basic
LE bonding functionality still works.  If it is possible to configure a
remote device to establish a bond with a session key length of 16 bits
and then reduce that key length to <16 bits before reconnection, this
should fail.

Bug: 314331379
Test: m libbluetooth
Test: manual

Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6e9fdf182afb57cecac6c56603aa20d758090a4)
Merged-In: I27be1f93598820a0f2a7154ba83f5b041878c21f
Change-Id: I27be1f93598820a0f2a7154ba83f5b041878c21f

As a guard against the BLUFFS attack, check security parameters of
incoming connections against cached values and disallow connection if
these parameters are downgraded or changed from their cached values.

This CL adds the connection-time check for Secure Connections mode.

Bug: 314331379
Test: m libbluetooth
Test: manual

To test this CL, please ensure that BR/EDR initial connections and reconnections  (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types.  Basic validation of LE bonding functionality should be done as well.

Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20fdd9b3225a6084f6b666172817fe0a89f0679)
Merged-In: I9130476600d31b59608e0e419b5136d255174265
Change-Id: I9130476600d31b59608e0e419b5136d255174265

Android 14.0.0 Release 50 (AP2A.240605.024)

Change-Id: I2ef189ec6f5a8fcdd58070da3aa2f42b010943a2

Change-Id: Id479e9adf8ec0a30faaf4fe6d19d58e66ddbdcb5

Researcher reports that some BT calls across Binder are validating only
BT's own permissions and not the calling app's permissions.  On
investigation this seems to be due to a missing null check in several BT
permissions checks, which allows a malicious app to pass in a null
AttributionSource and therefore produce a stub AttributionSource chain
which does not properly check for the caller's permissions.

Add null checks, and correct tests which assumed a null was a valid
input.

Bug: 242996380
Test: atest UtilsTest
Test: researcher POC
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8098771bca75166d06f9591d0d2110ed089ee6a7)
Merged-In: I76f49fee440726a7c0714385564ddf0e3e8522b5
Change-Id: I76f49fee440726a7c0714385564ddf0e3e8522b5

Merge cherrypicks of ['googleplex-android-review.googlesource.com/27235141', 'googleplex-android-review.googlesource.com/27051267'] into security-aosp-udc-release.

Change-Id: I6ef70460b77304d0ab73c5f31a3404e18ee07c14

Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with
an out of bounds comparison.  Although the bug claims this is due to a
comparison of a uuid with a smaller data field thana the discovery
attribute, my research suggests that this instead stems from a
comparison of a 128 bit UUID with a discovery attribute of some other,
invalid size.

Add checks for discovery attribute size.

Bug: 287184435
Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bbdb139bf91dca86c72c33a74c0e3407938c487)
Merged-In: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
Change-Id: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43

Researcher reports that some BT calls across Binder are validating only
BT's own permissions and not the calling app's permissions.  On
investigation this seems to be due to a missing null check in several BT
permissions checks, which allows a malicious app to pass in a null
AttributionSource and therefore produce a stub AttributionSource chain
which does not properly check for the caller's permissions.

Add null checks, and correct tests which assumed a null was a valid
input.

Bug: 242996380
Test: atest UtilsTest
Test: researcher POC
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fe72f931db2898eb51a44e3b1b424c6370e8ad8)
Merged-In: I9bf6fac218dccc092debe0904e08eb23cc4583c0
Change-Id: I9bf6fac218dccc092debe0904e08eb23cc4583c0

Hui Peng authored 1 year ago and Dhina17 committed 10 months ago

While aosp/2863686 was rebased on internal security
fixes, aosp/2865187 was dropped, re-apply it.

Bug: 316244428
Test: m com.android.btservices
Flag: EXEMPT, tested/verfied on internal branches
Change-Id: I319dcfbc9bb9603c515ac0c2c647155211f95e26

William Escande authored 1 year ago and Dhina17 committed 10 months ago

Bug: 314889276
Fix: 314889276
Test: Manual testing cf b/314889276#comment23
Flag: Exempt, unflag regression fix
Change-Id: I554c9c7b056bb096d3a9609dafe2d96d134f307c

Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059478'] into security-aosp-udc-release.

Change-Id: I50e49019ee1d81ffd6ae65779041ff31dca091fa

When pairing with BLE legacy pairing initiated
from remote, authentication can be bypassed.
This change fixes it.

Bug: 251514170
Test: m com.android.btservices
Test: manual run against PoC
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:25a3fcd487c799d5d9029b8646159a0b10143d97)
Merged-In: I369a8fdd675eca731a7a488ed6a2be645058b795
Change-Id: I369a8fdd675eca731a7a488ed6a2be645058b795

Android 14.0.0 release 35

* tag 'android-14.0.0_r35' of https://android.googlesource.com/platform/packages/modules/Bluetooth:
  leaudio: Fix crash on metadata update

Change-Id: I9e42543fb89cb66d8d3b15871782b7695d677e50

Change-Id: I971792158f583f17c653c9bf2e17e0c703d3e150

This reverts commit bac3e50f.

Reason for revert: b/331855635
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:34ee990ee72693cd534d7d696f3a52c9c5a5bfd8)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e214741ee05dd6bad9bf1d7a62c1448c7eee4332)
Merged-In: I471269cb5ecd4aef32c6648ad575baea44b562d1
Change-Id: I471269cb5ecd4aef32c6648ad575baea44b562d1

weifan.zhang authored 1 year ago and Mohammad Hasan Keramat J committed 11 months ago

[Description]
Add VSC cmd for low latency mode

CR-Id: ALPS08619561

Bug: 309700239
Test: m .
Flag: EXEMPT VSC command

Change-Id: I789b6bddfc6b5661430b399943d1288a7c52e988

Change-Id: Ibda0c1ebf514223bdc1f60b5542307ebd0cd4166

Auto-generated-cl: translation import

Bug: 328603775
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:377f331adca25c74ea51630071f06f4aa19c2ffb)
Merged-In: I6ad3ce64bf7c9c67bd414a2e4a373ccbe7eb572f
Change-Id: I6ad3ce64bf7c9c67bd414a2e4a373ccbe7eb572f

Merge cherrypicks of ['android-review.googlesource.com/3002654', 'googleplex-android-review.googlesource.com/26539688'] into 24Q2-release.

Change-Id: I13dfe3b6183ef0a9507c034b6190bda544e2b80a

When moving metadata to Bluetooth mainthread, make sure that Bluetooth
gets metadata and not just a pointer to memory on the stack.

`sink_metadata_v7` contained a pointer to array of either (record|playback)_track_metadata_v7,
so we can't rely on simple struct copy constructor. Pass the array content as vector instead.

Bug: 329067188
Test: mmm packages/modules/Bluetooth
Test: manual LeAudio streaming with different contexs (including call)
Test: atest bluetooth_le_audio_client_test
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c8a5763f89b84a4614bfe21a9de75e07589c6322)
Merged-In: I9c01c81c0094df87efc1b3885ad69d82b0970404
Change-Id: I9c01c81c0094df87efc1b3885ad69d82b0970404

Bug: 295010253
Bug: 319471537
Test: atest net_test_btif_stack
Flag: api_get_connection_state_using_identity_address
(cherry picked from https://android-review.googlesource.com/q/commit:c27997fab1a48b66ff7a23b3ed81a92401e89458)
Merged-In: I53d288f9170eb0914a0add74f7bf1e321f9c4ee8
Change-Id: I53d288f9170eb0914a0add74f7bf1e321f9c4ee8

Android 14.0.0 release 29

 Conflicts:
	service/tests/Android.bp
	system/hci/include/hci_layer.h

Change-Id: I403094ca26ec9c144b010d4291755584e089cad9

Change-Id: I30811d46c0f35bcf8649e534ab5485f657c97bd4

When moving metadata to Bluetooth mainthread, make sure that Bluetooth
gets metadata and not just a pointer to memory on the stack.

`sink_metadata_v7` contained a pointer to array of either (record|playback)_track_metadata_v7,
so we can't rely on simple struct copy constructor. Pass the array content as vector instead.

Bug: 329067188
Test: mmm packages/modules/Bluetooth
Test: manual LeAudio streaming with different contexs (including call)
Test: atest bluetooth_le_audio_client_test
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c8a5763f89b84a4614bfe21a9de75e07589c6322)
Merged-In: I9c01c81c0094df87efc1b3885ad69d82b0970404
Change-Id: I9c01c81c0094df87efc1b3885ad69d82b0970404

Aaron Kling authored 1 year ago and Dhina17 committed 1 year ago

When pairing two of the Nvidia Shield accessories, a popup would show up
stating that the accessory was an incoming pairing request and needs to
be accepted. The official Nvidia firmware has a whitelist of remotes
that skip this confirmation if pairing request is marked as originating
from the Android device. This change takes a similar approach, but in a
more flexible manner. The main intent is to allow these accessories to
be paired via the pairing intent, which needs to complete with no user
interaction. Previously, the popup would prevent this from succeeding.

Change-Id: Ib5a0226858f5745a20e4cd166500aecdcf1f3354

Change-Id: I9d3bfbb9a63b57570f5bf105b066cbcf99dcd6a8