- Oct 14, 2024
Dhina17 authored
Merge tag 'android-security-14.0.0_r12' of https://android.googlesource.com/platform/packages/modules/Bluetooth into HEAD
Android security 14.0.0 release 12
* tag 'android-security-14.0.0_r12' of https://android.googlesource.com/platform/packages/modules/Bluetooth:
  Add support for checking security downgrade
  Disallow connect with key length downgrade
  Disallow connect with Secure Connections downgrade
  Fix heap-buffer overflow in sdp_utils.cc
  Fix permission bypasses to multiple methods
  Fix an authentication bypass bug in SMP
  Fix a security bypass issue in access_secure_service_from_temp_bond
  Reland: Fix an OOB write bug in attp_build_value_cmd
  Revert "Fix an OOB write bug in attp_build_value_cmd"
  Fix an OOB write bug in attp_build_value_cmd
  Fix an OOB bug in smp_proc_sec_req
  Revert "Fix an OOB write bug in attp_build_value_cmd"
  Fix an OOB write bug in attp_build_value_cmd
  Fix an OOB write bug in attp_build_read_by_type_value_cmd
  Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
  Fix some OOB errors in BTM parsing
  Fix timing attack in BTM_BleVerifySignature
  Fix an OOB bug in parse_gap_data
  Factor out duplicate code for parsing gap data
  [conflict] Merge "Add bounds checks in btif_avrcp_audio_track.cc" into tm-dev am: 0b68bd68 am: 52d169b1
  Fix UAF in ~CallbackEnv
  Fix OOB in a2dp_vendor_opus_decoder_decode_packet
  Enforce authentication if encryption is required
  Reorganize the code for checking auth requirement
  Reject access to secure service authenticated from a temp bonding [3]
  Reject access to secure services authenticated from temp bonding [2]
  Reject access to secure service authenticated from a temp bonding [1]
  Fix multiple OOB bugs in btm_ble_gap.cc
  Fix 2 OOB bugs in CreateAudioBroadcast
Conflicts:
  system/bta/le_audio/broadcaster/broadcaster.cc
  system/btif/src/btif_storage.cc
  system/include/hardware/bluetooth.h
  system/main/shim/Android.bp
  system/main/shim/le_advertising_manager.cc
  system/main/shim/utils.cc
  system/stack/a2dp/a2dp_vendor_opus_decoder.cc
  system/stack/btm/btm_ble.cc
  system/stack/btm/btm_ble_gap.cc
  system/stack/btm/btm_sec.cc
  system/stack/btm/btm_sec.h
  system/stack/btu/btu_hcif.cc
  system/stack/include/sec_hci_link_interface.h
  system/stack/sdp/sdp_utils.cc
  system/stack/smp/smp_act.cc
  system/test/headless/bt_property.cc
  system/test/mock/mock_stack_btm_sec.cc
Change-Id: Ibe2d623dc8664059ef9e87f14a4ddfbe5e3cb2d2
-
- Aug 08, 2024
Dhina17 authored
Android 14.0.0 Release 55 (AP2A.240805.005) * tag 'android-14.0.0_r55' of https://android.googlesource.com/platform/packages/modules/Bluetooth: Fix permission bypasses to multiple methods Change-Id: If5ba7ce8970e53c80c4b11751131e0fd675c1ed7
-
- Jul 10, 2024
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059673', 'googleplex-android-review.googlesource.com/27059674', 'googleplex-android-review.googlesource.com/27695267'] into security-aosp-udc-release. Change-Id: Ib319ba41488207f4afcb5365b129ebe44e3a8e4d
-
Brian Delwiche authored
As a guard against the BLUFFS attack, we will need to check the security parameters of incoming connections against cached values and disallow connection if these parameters are downgraded or changed from their cached values. Future CLs will add checks during connection. This CL adds the functions that will be needed to perform those checks and the necessary mocks. Currently supported checks are: IO capabilities (must be an exact match), Secure Connections capability (must not be a downgrade), and session key length (must not be a downgrade). Maximum session key length, which was previously not cached, has been added to the device security manager cache. To QA: This CL is a logical no-op by itself. Tests should be performed as described in ag/25815924 and ag/25815925/ Bug: 314331379 Test: m libbluetooth Tag: #security Ignore-AOSP-First: Security (cherry picked from commit 3cf3d9d9) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c17811e6a2357eb34368a1a0a6ed5dec19d980ed) Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f
-
Brian Delwiche authored
As a guard against the BLUFFS attack, check security parameters of incoming connections against cached values and disallow connection if these parameters are downgraded or changed from their cached values. This CL adds the connection-time check for session key length. To test, please validate that bonding can be established and reestablished against devices with session key lengths of 7 and 16 bits, that session key lengths of less than 7 bits are refused, and that basic LE bonding functionality still works. If it is possible to configure a remote device to establish a bond with a session key length of 16 bits and then reduce that key length to <16 bits before reconnection, this should fail. Bug: 314331379 Test: m libbluetooth Test: manual Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6e9fdf182afb57cecac6c56603aa20d758090a4) Merged-In: I27be1f93598820a0f2a7154ba83f5b041878c21f Change-Id: I27be1f93598820a0f2a7154ba83f5b041878c21f
-
Brian Delwiche authored
As a guard against the BLUFFS attack, check security parameters of incoming connections against cached values and disallow connection if these parameters are downgraded or changed from their cached values. This CL adds the connection-time check for Secure Connections mode. Bug: 314331379 Test: m libbluetooth Test: manual To test this CL, please ensure that BR/EDR initial connections and reconnections (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types. Basic validation of LE bonding functionality should be done as well. Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20fdd9b3225a6084f6b666172817fe0a89f0679) Merged-In: I9130476600d31b59608e0e419b5136d255174265 Change-Id: I9130476600d31b59608e0e419b5136d255174265
-
- Jun 17, 2024
Mohammad Hasan Keramat J authored
Android 14.0.0 Release 50 (AP2A.240605.024) Change-Id: I2ef189ec6f5a8fcdd58070da3aa2f42b010943a2
-
- Jun 13, 2024
Android Build Coastguard Worker authored
Change-Id: Id479e9adf8ec0a30faaf4fe6d19d58e66ddbdcb5
-
Brian Delwiche authored
Researcher reports that some BT calls across Binder are validating only BT's own permissions and not the calling app's permissions. On investigation this seems to be due to a missing null check in several BT permissions checks, which allows a malicious app to pass in a null AttributionSource and therefore produce a stub AttributionSource chain which does not properly check for the caller's permissions. Add null checks, and correct tests which assumed a null was a valid input. Bug: 242996380 Test: atest UtilsTest Test: researcher POC Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8098771bca75166d06f9591d0d2110ed089ee6a7) Merged-In: I76f49fee440726a7c0714385564ddf0e3e8522b5 Change-Id: I76f49fee440726a7c0714385564ddf0e3e8522b5
-
- Jun 06, 2024
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/27235141', 'googleplex-android-review.googlesource.com/27051267'] into security-aosp-udc-release. Change-Id: I6ef70460b77304d0ab73c5f31a3404e18ee07c14
-
Brian Delwiche authored
Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with an out of bounds comparison. Although the bug claims this is due to a comparison of a uuid with a smaller data field than the discovery attribute, my research suggests that this instead stems from a comparison of a 128 bit UUID with a discovery attribute of some other, invalid size. Add checks for discovery attribute size. Bug: 287184435 Test: atest bluetooth_test_gd_unit, net_test_stack_sdp Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bbdb139bf91dca86c72c33a74c0e3407938c487) Merged-In: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43 Change-Id: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
-
Brian Delwiche authored
Researcher reports that some BT calls across Binder are validating only BT's own permissions and not the calling app's permissions. On investigation this seems to be due to a missing null check in several BT permissions checks, which allows a malicious app to pass in a null AttributionSource and therefore produce a stub AttributionSource chain which does not properly check for the caller's permissions. Add null checks, and correct tests which assumed a null was a valid input. Bug: 242996380 Test: atest UtilsTest Test: researcher POC Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fe72f931db2898eb51a44e3b1b424c6370e8ad8) Merged-In: I9bf6fac218dccc092debe0904e08eb23cc4583c0 Change-Id: I9bf6fac218dccc092debe0904e08eb23cc4583c0
-
- May 11, 2024
Bug: 314889276 Fix: 314889276 Test: Manual testing cf b/314889276#comment23 Flag: Exempt, unflag regression fix Change-Id: I554c9c7b056bb096d3a9609dafe2d96d134f307c
- May 08, 2024
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059478'] into security-aosp-udc-release. Change-Id: I50e49019ee1d81ffd6ae65779041ff31dca091fa
-
Brian Delwiche authored
When pairing with BLE legacy pairing initiated from remote, authentication can be bypassed. This change fixes it. Bug: 251514170 Test: m com.android.btservices Test: manual run against PoC Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:25a3fcd487c799d5d9029b8646159a0b10143d97) Merged-In: I369a8fdd675eca731a7a488ed6a2be645058b795 Change-Id: I369a8fdd675eca731a7a488ed6a2be645058b795
-
Dhina17 authored
Android 14.0.0 release 35 * tag 'android-14.0.0_r35' of https://android.googlesource.com/platform/packages/modules/Bluetooth: leaudio: Fix crash on metadata update Change-Id: I9e42543fb89cb66d8d3b15871782b7695d677e50
-
- Apr 09, 2024
Android Build Coastguard Worker authored
Change-Id: I971792158f583f17c653c9bf2e17e0c703d3e150
-
Thomas Girardier authored
This reverts commit bac3e50f. Reason for revert: b/331855635 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:34ee990ee72693cd534d7d696f3a52c9c5a5bfd8) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e214741ee05dd6bad9bf1d7a62c1448c7eee4332) Merged-In: I471269cb5ecd4aef32c6648ad575baea44b562d1 Change-Id: I471269cb5ecd4aef32c6648ad575baea44b562d1
-
- Apr 01, 2024
[Description] Add VSC cmd for low latency mode CR-Id: ALPS08619561 Bug: 309700239 Test: m . Flag: EXEMPT VSC command Change-Id: I789b6bddfc6b5661430b399943d1288a7c52e988
-
- Mar 29, 2024
Android Build Coastguard Worker authored
Change-Id: Ibda0c1ebf514223bdc1f60b5542307ebd0cd4166
-
Bill Yi authored
Auto-generated-cl: translation import Bug: 328603775 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:377f331adca25c74ea51630071f06f4aa19c2ffb) Merged-In: I6ad3ce64bf7c9c67bd414a2e4a373ccbe7eb572f Change-Id: I6ad3ce64bf7c9c67bd414a2e4a373ccbe7eb572f
-
- Mar 28, 2024
Android Build Coastguard Worker authored
Merge cherrypicks of ['android-review.googlesource.com/3002654', 'googleplex-android-review.googlesource.com/26539688'] into 24Q2-release. Change-Id: I13dfe3b6183ef0a9507c034b6190bda544e2b80a
-
Łukasz Rymanowski authored
When moving metadata to Bluetooth mainthread, make sure that Bluetooth gets metadata and not just a pointer to memory on the stack. `sink_metadata_v7` contained a pointer to array of either (record|playback)_track_metadata_v7, so we can't rely on simple struct copy constructor. Pass the array content as vector instead. Bug: 329067188 Test: mmm packages/modules/Bluetooth Test: manual LeAudio streaming with different contexts (including call) Test: atest bluetooth_le_audio_client_test Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c8a5763f89b84a4614bfe21a9de75e07589c6322) Merged-In: I9c01c81c0094df87efc1b3885ad69d82b0970404 Change-Id: I9c01c81c0094df87efc1b3885ad69d82b0970404
-
Chienyuan Huang authored
Bug: 295010253 Bug: 319471537 Test: atest net_test_btif_stack Flag: api_get_connection_state_using_identity_address (cherry picked from https://android-review.googlesource.com/q/commit:c27997fab1a48b66ff7a23b3ed81a92401e89458) Merged-In: I53d288f9170eb0914a0add74f7bf1e321f9c4ee8 Change-Id: I53d288f9170eb0914a0add74f7bf1e321f9c4ee8
-
- Mar 19, 2024
Dhina17 authored
Android 14.0.0 release 29 Conflicts: service/tests/Android.bp system/hci/include/hci_layer.h Change-Id: I403094ca26ec9c144b010d4291755584e089cad9
-
- Mar 15, 2024
Android Build Coastguard Worker authored
Change-Id: I30811d46c0f35bcf8649e534ab5485f657c97bd4
-
Łukasz Rymanowski authored
When moving metadata to Bluetooth mainthread, make sure that Bluetooth gets metadata and not just a pointer to memory on the stack. `sink_metadata_v7` contained a pointer to array of either (record|playback)_track_metadata_v7, so we can't rely on simple struct copy constructor. Pass the array content as vector instead. Bug: 329067188 Test: mmm packages/modules/Bluetooth Test: manual LeAudio streaming with different contexts (including call) Test: atest bluetooth_le_audio_client_test Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c8a5763f89b84a4614bfe21a9de75e07589c6322) Merged-In: I9c01c81c0094df87efc1b3885ad69d82b0970404 Change-Id: I9c01c81c0094df87efc1b3885ad69d82b0970404
-
- Mar 13, 2024
When pairing two of the Nvidia Shield accessories, a popup would show up stating that the accessory was an incoming pairing request and needs to be accepted. The official Nvidia firmware has a whitelist of remotes that skip this confirmation if pairing request is marked as originating from the Android device. This change takes a similar approach, but in a more flexible manner. The main intent is to allow these accessories to be paired via the pairing intent, which needs to complete with no user interaction. Previously, the popup would prevent this from succeeding. Change-Id: Ib5a0226858f5745a20e4cd166500aecdcf1f3354
-
- Mar 05, 2024
Android Build Coastguard Worker authored
Change-Id: I9d3bfbb9a63b57570f5bf105b066cbcf99dcd6a8
-
- Mar 04, 2024
Myles Watson authored
Original change: https://android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/2927779 Change-Id: I27bb19fe7a4007067fddfde962c0aa44d8e0e80c Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-
Henri Chataing authored
Original change: https://android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/2979621 Change-Id: I213fed7cf58cdc558990834a97d15fb88450297c Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-
Henri Chataing authored
Original change: https://android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/2978757 Change-Id: I180dd9e5885575e99fdc8ec0058e854b40697a69 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-
Myles Watson authored
Original change: https://android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/2927779 Change-Id: I51c1271969e5ebfe9c3467fb2219a92d86cbad24 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-
Henri Chataing authored
Original change: https://android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/2979621 Change-Id: I61941a8bf32bf8c0a6cf371af533c5896a6bd43a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-
Henri Chataing authored
Original change: https://android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/2978757 Change-Id: I191148ee316bb50c9cba263c242bf1cd15678652 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-
Myles Watson authored
-
Henri Chataing authored
-
Henri Chataing authored
-
- Mar 02, 2024
Android Build Coastguard Worker authored
Change-Id: I25528eb186c68c4d6f20d66285e1d1b60105365a
-