- Dec 07, 2024
-
-
Dhina17 authored
Android Security 14.0.0 Release 15 (12496787) * tag 'android-security-14.0.0_r15' of https://android.googlesource.com/platform/packages/modules/Bluetooth: Fix OOB writes in gatt_sr.cc Encrypt LE link immediately on reconnection Fix "GATT Read Multiple Variable Response" builder Fix OOB write in build_read_multi_rsp of gatt_sr.cc Conflicts: system/stack/gatt/gatt_sr.cc Change-Id: Icbefa56d427d00dc5114fb67c3060d69c8f856f2
-
- Oct 14, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/29693391'] into security-aosp-udc-release. Change-Id: Ie8cbd82a476d027f634378fb3d9b15cd4991b5ca
-
Brian Delwiche authored
At various points in gatt_sr.cc, the output of the gatt_tcb_get_payload_size function is used without checking for a positive length. However, in exceptional cases it is possible for the channel to be closed at the time the function is called, which will lead to a zero length and cause an OOB write in subsequent processing. Fix all of these. Bug: 364026473 Bug: 364027038 Bug: 364027949 Bug: 364025411 Test: m libbluetooth Test: researcher POC Flag: EXEMPT trivial validity checks Tag: #security Ignore-AOSP-First: Security (cherry picked from commit 7de5617f7d5266fe57c990c428621b5d4e92728a) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:130861eadc3d9eda593df949666e561dd1f020fc) Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404 Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
-
Dhina17 authored
Merge tag 'android-security-14.0.0_r13' of https://android.googlesource.com/platform/packages/modules/Bluetooth into HEAD Android Security 14.0.0 Release 13 (12199513) * tag 'android-security-14.0.0_r13' of https://android.googlesource.com/platform/packages/modules/Bluetooth: RESTRICT AUTOMERGE Disallow unexpected incoming HID connections Conflicts: android/app/jni/com_android_bluetooth_hid_host.cpp android/app/src/com/android/bluetooth/hid/HidHostService.java system/btif/include/btif_hh.h system/btif/src/btif_hh.cc system/btif/src/btif_profile_storage.cc Change-Id: I5a93035ba9ef47c8dd63877d9467b840f61c897c
-
Dhina17 authored
Merge tag 'android-security-14.0.0_r12' of https://android.googlesource.com/platform/packages/modules/Bluetooth into HEAD Android security 14.0.0 release 12 * tag 'android-security-14.0.0_r12' of https://android.googlesource.com/platform/packages/modules/Bluetooth: Add support for checking security downgrade Disallow connect with key length downgrade Disallow connect with Secure Connections downgrade Fix heap-buffer overflow in sdp_utils.cc Fix permission bypasses to multiple methods Fix an authentication bypass bug in SMP Fix a security bypass issue in access_secure_service_from_temp_bond Reland: Fix an OOB write bug in attp_build_value_cmd Revert "Fix an OOB write bug in attp_build_value_cmd" Fix an OOB write bug in attp_build_value_cmd Fix an OOB bug in smp_proc_sec_req Revert "Fix an OOB write bug in attp_build_value_cmd" Fix an OOB write bug in attp_build_value_cmd Fix an OOB write bug in attp_build_read_by_type_value_cmd Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd Fix some OOB errors in BTM parsing Fix timing attack in BTM_BleVerifySignature Fix an OOB bug in parse_gap_data Factor out duplicate code for parsing gap data [conflict] Merge "Add bounds checks in btif_avrcp_audio_track.cc" into tm-dev am: 0b68bd68 am: 52d169b1 Fix UAF in ~CallbackEnv Fix OOB in a2dp_vendor_opus_decoder_decode_packet Enforce authentication if encryption is required Reorganize the code for checking auth requirement Reject access to secure service authenticated from a temp bonding [3] Reject access to secure services authenticated from temp bonding [2] Reject access to secure service authenticated from a temp bonding [1] Fix multiple OOB bugs in btm_ble_gap.cc Fix 2 OOB bugs in CreateAudioBroadcast Conflicts: system/bta/le_audio/broadcaster/broadcaster.cc system/btif/src/btif_storage.cc system/include/hardware/bluetooth.h system/main/shim/Android.bp system/main/shim/le_advertising_manager.cc system/main/shim/utils.cc system/stack/a2dp/a2dp_vendor_opus_decoder.cc system/stack/btm/btm_ble.cc system/stack/btm/btm_ble_gap.cc system/stack/btm/btm_sec.cc system/stack/btm/btm_sec.h system/stack/btu/btu_hcif.cc system/stack/include/sec_hci_link_interface.h system/stack/sdp/sdp_utils.cc system/stack/smp/smp_act.cc system/test/headless/bt_property.cc system/test/mock/mock_stack_btm_sec.cc Change-Id: Ibe2d623dc8664059ef9e87f14a4ddfbe5e3cb2d2
-
- Oct 09, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/28504378', 'googleplex-android-review.googlesource.com/28904341', 'googleplex-android-review.googlesource.com/29360799'] into security-aosp-udc-release. Change-Id: I05f33bd267e383619d7b8b337293357470041a1a
-
Brian Delwiche authored
LE link must be encrypted immediately on connection if device are already bonded. This is a backport of ag/29056565, but the code needs to go in a different location because that patch relies on recent feature work. Ignore-AOSP-First: security Test: mmm packages/modules/Bluetooth Bug: 288144143 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0064c0b351fc0902ebbf7bff2e84ce888abb396e) Merged-In: I7147c837ecab6c67943fc6fd78a9949f3381df62 Change-Id: I7147c837ecab6c67943fc6fd78a9949f3381df62
-
Jakub Pawlowski authored
0 length value is perfectly fine, and should result in just length added into the packet. Currently, for 0 length value we just break out of loop, and don't add any value. This means, that if first characetristic in response had 0 length, we would return empty packet. Ignore-AOSP-First: security fix Test: mma -j32; Bug: 352696105 Bug: 356886209 Flag: exempt, obvious logic fix (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ba907afffe1fdc00570f935ce3563d28ea45f5cd) Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608 Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
-
Brian Delwiche authored
build_read_multi_rsp is missing a bounds check, which can lead to an OOB write when the mtu parameter is set to zero. Add that bounds check. Bug: 323850943 Test: atest GattSrTest Test: researcher POC Tag: #security Flag: EXEMPT trivial validity checks Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cad927034a371b82a4a07a16ec442eb261f6153f) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d5c170681e728ec3b72f6f0799207b2f7e5ea1d) Merged-In: I18e4325dbc9d6814220332288c85b114d0415c2f Change-Id: I18e4325dbc9d6814220332288c85b114d0415c2f
-
- Aug 08, 2024
-
-
Dhina17 authored
Android 14.0.0 Release 55 (AP2A.240805.005) * tag 'android-14.0.0_r55' of https://android.googlesource.com/platform/packages/modules/Bluetooth: Fix permission bypasses to multiple methods Change-Id: If5ba7ce8970e53c80c4b11751131e0fd675c1ed7
-
- Aug 07, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/28501767'] into security-aosp-udc-release. Change-Id: I48ecfe1977f7ac23447ceeab8be64437c6503aa2
-
Himanshu Rawat authored
HID profile accepted any new incoming HID connection. Even when the connection policy disabled HID connection, remote devices could initiate HID connection. This change ensures that incoming HID connection are accepted only if application was interested in that HID connection. This vulnerarbility no longer exists on the main because of feature request b/324093729. Test: mmm packages/modules/Bluetooth Test: Manual | Pair and connect a HID device, disable HID connection from Bluetooth device setting, attempt to connect from the HID device. Bug: 308429049 Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bdd92020a9c14c3f541b39624c5b1e0af599acc5) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:358b66af175f423523c5d90bb8aea4b3eb084172) Merged-In: Iba2ac3502bf1e6e4ac1f60ed64b1b074facd880b Change-Id: Iba2ac3502bf1e6e4ac1f60ed64b1b074facd880b
-
- Jul 10, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059673', 'googleplex-android-review.googlesource.com/27059674', 'googleplex-android-review.googlesource.com/27695267'] into security-aosp-udc-release. Change-Id: Ib319ba41488207f4afcb5365b129ebe44e3a8e4d
-
Brian Delwiche authored
As a guard against the BLUFFS attack, we will need to check the security parameters of incoming connections against cached values and disallow connection if these parameters are downgraded or changed from their cached values. Future CLs will add checks during connection. This CL adds the functions that will be needed to perform those checks and the necessary mocks. Currently supported checks are : IO capabilities (must be an exact match), Secure Connections capability (must not be a downgrade), and session key length (must not be a downgrade). Maximum session key length, which was previously not cached, has been added to the device security manager cache. To QA: This CL is a logical no-op by itself. Tests should be performed as described in ag/25815924 and ag/25815925/ Bug: 314331379 Test: m libbluetooth Tag: #security Ignore-AOSP-First: Security (cherry picked from commit 3cf3d9d9) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c17811e6a2357eb34368a1a0a6ed5dec19d980ed) Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f
-
Brian Delwiche authored
As a guard against the BLUFFS attack, check security parameters of incoming connections against cached values and disallow connection if these parameters are downgraded or changed from their cached values. This CL adds the connection-time check for session key length. To test, please validate that bonding can be established and reestablished against devices with session key lengths of 7 and 16 bits, that session key lengths of less than 7 bits are refused, and that basic LE bonding functionality still works. If it is possible to configure a remote device to establish a bond with a session key length of 16 bits and then reduce that key length to <16 bits before reconnection, this should fail. Bug: 314331379 Test: m libbluetooth Test: manual Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6e9fdf182afb57cecac6c56603aa20d758090a4) Merged-In: I27be1f93598820a0f2a7154ba83f5b041878c21f Change-Id: I27be1f93598820a0f2a7154ba83f5b041878c21f
-
Brian Delwiche authored
As a guard against the BLUFFS attack, check security parameters of incoming connections against cached values and disallow connection if these parameters are downgraded or changed from their cached values. This CL adds the connection-time check for Secure Connections mode. Bug: 314331379 Test: m libbluetooth Test: manual To test this CL, please ensure that BR/EDR initial connections and reconnections (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types. Basic validation of LE bonding functionality should be done as well. Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20fdd9b3225a6084f6b666172817fe0a89f0679) Merged-In: I9130476600d31b59608e0e419b5136d255174265 Change-Id: I9130476600d31b59608e0e419b5136d255174265
-
- Jun 17, 2024
-
-
Mohammad Hasan Keramat J authored
Android 14.0.0 Release 50 (AP2A.240605.024) Change-Id: I2ef189ec6f5a8fcdd58070da3aa2f42b010943a2
-
- Jun 13, 2024
-
-
Android Build Coastguard Worker authored
Change-Id: Id479e9adf8ec0a30faaf4fe6d19d58e66ddbdcb5
-
Brian Delwiche authored
Researcher reports that some BT calls across Binder are validating only BT's own permissions and not the calling app's permissions. On investigation this seems to be due to a missing null check in several BT permissions checks, which allows a malicious app to pass in a null AttributionSource and therefore produce a stub AttributionSource chain which does not properly check for the caller's permissions. Add null checks, and correct tests which assumed a null was a valid input. Bug: 242996380 Test: atest UtilsTest Test: researcher POC Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8098771bca75166d06f9591d0d2110ed089ee6a7) Merged-In: I76f49fee440726a7c0714385564ddf0e3e8522b5 Change-Id: I76f49fee440726a7c0714385564ddf0e3e8522b5
-
- Jun 06, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/27235141', 'googleplex-android-review.googlesource.com/27051267'] into security-aosp-udc-release. Change-Id: I6ef70460b77304d0ab73c5f31a3404e18ee07c14
-
Brian Delwiche authored
Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with an out of bounds comparison. Although the bug claims this is due to a comparison of a uuid with a smaller data field thana the discovery attribute, my research suggests that this instead stems from a comparison of a 128 bit UUID with a discovery attribute of some other, invalid size. Add checks for discovery attribute size. Bug: 287184435 Test: atest bluetooth_test_gd_unit, net_test_stack_sdp Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bbdb139bf91dca86c72c33a74c0e3407938c487) Merged-In: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43 Change-Id: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
-
Brian Delwiche authored
Researcher reports that some BT calls across Binder are validating only BT's own permissions and not the calling app's permissions. On investigation this seems to be due to a missing null check in several BT permissions checks, which allows a malicious app to pass in a null AttributionSource and therefore produce a stub AttributionSource chain which does not properly check for the caller's permissions. Add null checks, and correct tests which assumed a null was a valid input. Bug: 242996380 Test: atest UtilsTest Test: researcher POC Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fe72f931db2898eb51a44e3b1b424c6370e8ad8) Merged-In: I9bf6fac218dccc092debe0904e08eb23cc4583c0 Change-Id: I9bf6fac218dccc092debe0904e08eb23cc4583c0
-
- May 11, 2024
-
-
Bug: 314889276 Fix: 314889276 Test: Manual testing cf b/314889276#comment23 Flag: Exempt, unflag regression fix Change-Id: I554c9c7b056bb096d3a9609dafe2d96d134f307c
- May 08, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059478'] into security-aosp-udc-release. Change-Id: I50e49019ee1d81ffd6ae65779041ff31dca091fa
-
Brian Delwiche authored
When pairing with BLE legacy pairing initiated from remote, authentication can be bypassed. This change fixes it. Bug: 251514170 Test: m com.android.btservices Test: manual run against PoC Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:25a3fcd487c799d5d9029b8646159a0b10143d97) Merged-In: I369a8fdd675eca731a7a488ed6a2be645058b795 Change-Id: I369a8fdd675eca731a7a488ed6a2be645058b795
-
Dhina17 authored
Android 14.0.0 release 35 * tag 'android-14.0.0_r35' of https://android.googlesource.com/platform/packages/modules/Bluetooth: leaudio: Fix crash on metadata update Change-Id: I9e42543fb89cb66d8d3b15871782b7695d677e50
-
- Apr 09, 2024
-
-
Android Build Coastguard Worker authored
Change-Id: I971792158f583f17c653c9bf2e17e0c703d3e150
-
Thomas Girardier authored
This reverts commit bac3e50f. Reason for revert: b/331855635 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:34ee990ee72693cd534d7d696f3a52c9c5a5bfd8) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e214741ee05dd6bad9bf1d7a62c1448c7eee4332) Merged-In: I471269cb5ecd4aef32c6648ad575baea44b562d1 Change-Id: I471269cb5ecd4aef32c6648ad575baea44b562d1
-
- Apr 01, 2024
-
-
[Description] Add VSC cmd for low latency mode CR-Id: ALPS08619561 Bug: 309700239 Test: m . Flag: EXEMPT VSC command Change-Id: I789b6bddfc6b5661430b399943d1288a7c52e988
-
- Mar 29, 2024
-
-
Android Build Coastguard Worker authored
Change-Id: Ibda0c1ebf514223bdc1f60b5542307ebd0cd4166
-
Bill Yi authored
Auto-generated-cl: translation import Bug: 328603775 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:377f331adca25c74ea51630071f06f4aa19c2ffb) Merged-In: I6ad3ce64bf7c9c67bd414a2e4a373ccbe7eb572f Change-Id: I6ad3ce64bf7c9c67bd414a2e4a373ccbe7eb572f
-
- Mar 28, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['android-review.googlesource.com/3002654', 'googleplex-android-review.googlesource.com/26539688'] into 24Q2-release. Change-Id: I13dfe3b6183ef0a9507c034b6190bda544e2b80a
-
Łukasz Rymanowski authored
When moving metadata to Bluetooth mainthread, make sure that Bluetooth gets metadata and not just a pointer to memory on the stack. `sink_metadata_v7` contained a pointer to array of either (record|playback)_track_metadata_v7, so we can't rely on simple struct copy constructor. Pass the array content as vector instead. Bug: 329067188 Test: mmm packages/modules/Bluetooth Test: manual LeAudio streaming with different contexs (including call) Test: atest bluetooth_le_audio_client_test Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c8a5763f89b84a4614bfe21a9de75e07589c6322) Merged-In: I9c01c81c0094df87efc1b3885ad69d82b0970404 Change-Id: I9c01c81c0094df87efc1b3885ad69d82b0970404
-
Chienyuan Huang authored
Bug: 295010253 Bug: 319471537 Test: atest net_test_btif_stack Flag: api_get_connection_state_using_identity_address (cherry picked from https://android-review.googlesource.com/q/commit:c27997fab1a48b66ff7a23b3ed81a92401e89458) Merged-In: I53d288f9170eb0914a0add74f7bf1e321f9c4ee8 Change-Id: I53d288f9170eb0914a0add74f7bf1e321f9c4ee8
-
- Mar 19, 2024
-
-
Dhina17 authored
Android 14.0.0 release 29 Conflicts: service/tests/Android.bp system/hci/include/hci_layer.h Change-Id: I403094ca26ec9c144b010d4291755584e089cad9
-
- Mar 15, 2024
-
-
Android Build Coastguard Worker authored
Change-Id: I30811d46c0f35bcf8649e534ab5485f657c97bd4
-
Łukasz Rymanowski authored
When moving metadata to Bluetooth mainthread, make sure that Bluetooth gets metadata and not just a pointer to memory on the stack. `sink_metadata_v7` contained a pointer to array of either (record|playback)_track_metadata_v7, so we can't rely on simple struct copy constructor. Pass the array content as vector instead. Bug: 329067188 Test: mmm packages/modules/Bluetooth Test: manual LeAudio streaming with different contexs (including call) Test: atest bluetooth_le_audio_client_test Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c8a5763f89b84a4614bfe21a9de75e07589c6322) Merged-In: I9c01c81c0094df87efc1b3885ad69d82b0970404 Change-Id: I9c01c81c0094df87efc1b3885ad69d82b0970404
-
- Mar 13, 2024
-
-
When pairing two of the Nvidia Shield accessories, a popup would show up stating that the accessory was an incoming pairing request and needs to be accepted. The official Nvidia firmware has a whitelist of remotes that skip this confirmation if pairing request is marked as originating from the Android device. This change takes a similar approach, but in a more flexible manner. The main intent is to allow these accessories to be paired via the pairing intent, which needs to complete with no user interaction. Previously, the popup would prevent this from succeeding. Change-Id: Ib5a0226858f5745a20e4cd166500aecdcf1f3354
-
- Mar 05, 2024
-
-
Android Build Coastguard Worker authored
Change-Id: I9d3bfbb9a63b57570f5bf105b066cbcf99dcd6a8
-