Commits · 9d48efead0e87fd2b9232d20a36053309fb34ddf · LMODroid / platform_packages_modules_Bluetooth

May 24, 2023

Merge "Fix potential abort in btu_av_act.cc" into tm-dev am: · 9d48efea

Brian Delwiche authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/21609715

Change-Id: I8706187fb778ea1ca35291b08773fb52181dc335
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

9d48efea

Merge "Fix potential abort in btu_av_act.cc" into tm-dev · 9607396b
Brian Delwiche authored 1 year ago

9607396b

May 19, 2023

Merge "Fix integer overflow in build_read_multi_rsp" into tm-dev am: · 95966322

Brian Delwiche authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22726306

Change-Id: I5dc67f531b235302c6bf8904609af1d7e0d869b9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

95966322

May 18, 2023
- Merge "Fix integer overflow in build_read_multi_rsp" into tm-dev · 0db5f1b1
  Brian Delwiche authored 1 year ago
  
  0db5f1b1
May 17, 2023

Fix an integer overflow bug in avdt_msg_asmbl am: · df75554b

Hui Peng authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/23152778

Change-Id: I0d6c9381f451aba707f54c1da27319b5ee097a0d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

df75554b

May 16, 2023

Fix an integer overflow bug in avdt_msg_asmbl · bf9449a7

Hui Peng authored 1 year ago

Bug: 280633699
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2

bf9449a7

Fix integer overflow in build_read_multi_rsp · badb8ffc

Brian Delwiche authored 1 year ago

Local variables tracking structure size in build_read_multi_rsp are of
uint16 type but accept a full uint16 range from function arguments while
appending a fixed-length offset.  This can lead to an integer overflow
and unexpected behavior.

Change the locals to size_t, and add a check during reasssignment.

Bug: 273966636
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I3a74bdb0d003cb6bf4f282615be8c68836676715
(cherry picked from commit 70a4d628)

badb8ffc

Merge "Fix a NPD in sdpu_find_profile_version" into tm-dev am: · 5b789300

Hui Peng authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/23139401

Change-Id: I7c10e2ad52871e80aedb37b65500498fe494908f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

5b789300

May 15, 2023
- Merge "Fix a NPD in sdpu_find_profile_version" into tm-dev · 648f7433
  Hui Peng authored 1 year ago
  
  648f7433
May 13, 2023

[resolved conflict] Fix multiple OOB bugs resulted from tx mtu in EATT am: · 3b942b84

Hui Peng authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/23152794



Bug: 271335899
Test: manual
Ignore-AOSP-First: security
Tag: #security
Merged-In: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31
Change-Id: I02f1aec42e0c12c8f53fe03090b0c40c6e8e51c5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

3b942b84

May 12, 2023

Fix multiple OOB bugs resulted from tx mtu in EATT · ea76b7d9

Hui Peng authored 1 year ago

The tx mtu in EATT can be controlled by remote device. With malicious
mtu values, it is possible to trigger integer overflow and
OOB write at multiple places (see the bug below).

This fix enforces a max tx mtu in EATT.

Bug: 271335899
Test: manual
Ignore-AOSP-First: security
Tag: #security
Merged-In: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31
Change-Id: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31

ea76b7d9

May 10, 2023

Fix a NPD in sdpu_find_profile_version · 2de20485

Hui Peng authored 1 year ago

Bug: 278279023
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: I6727c9a071170baadb2292daa52f71190972ecca

2de20485

Merge "Fix an OOB bug in bta_av_proc_meta_cmd" into tm-dev am: · 4a1a9611

Treehugger Robot authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22940765

Change-Id: Ib3381da1f681834da0be152053e92a5944269f65
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

4a1a9611

May 09, 2023
- Merge "Fix an OOB bug in bta_av_proc_meta_cmd" into tm-dev · 77089c95
  Treehugger Robot authored 1 year ago
  
  77089c95
May 06, 2023

Merge "Fix an OOB bug in parameters_response_parser" into tm-dev am: · 922ca83e

Hui Peng authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22948054

Change-Id: I06c0347f1edc9a229ed7b926a6b8aa1d7151eee6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

922ca83e

Merge "Fix an OOB bug in parameters_response_parser" into tm-dev · d2e98455
Hui Peng authored 1 year ago

d2e98455

May 04, 2023

Fix a type confusion bug in bta_av_setconfig_rej am: · 1c2593d8

Hui Peng authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22900658

Change-Id: I4d8458d008c180a0144496e358bcd5c7ca0a9058
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

1c2593d8

May 03, 2023

Fix an OOB bug in bta_av_proc_meta_cmd · aaf3fead

Hui Peng authored 1 year ago

Bug: 260726311
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: I199fdd0651ebc29f130ebb5f5fa07e13f22a7d37

aaf3fead

Apr 30, 2023

Fix a type confusion bug in bta_av_setconfig_rej · bbd88e88

Hui Peng authored 1 year ago

tBTA_AV_CI_SETCONFIG is treated as tBTA_AV_STR_MSG
in bta_av_setconfig_rej, resulting OOB access.

Bug: 260230151
Test: manual
Ignore-AOSP-First: security
Tag: #security
Merged-In: I78a1ee50dea0113381e51f8521711d758dc759cf
Change-Id: I78a1ee50dea0113381e51f8521711d758dc759cf

bbd88e88

Apr 29, 2023

Fix an OOB bug in parameters_response_parser · b209c3df

Hui Peng authored 1 year ago

Bug: 266433017
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: I4a8959ac6e5980a6c6d20edcf103482b9916656a

b209c3df

Apr 26, 2023

Merge "Fix a potential OOB in... · d9c7e9ac

Hui Peng authored 1 year ago

Merge "Fix a potential OOB in BleAdvertiserVscHciInterfaceImpl::VendorSpecificEventCback" into tm-dev am: c2166e96

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/20918444

Change-Id: I5b1c3e5df0292e188cab8c710abfae3c212fe788
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

d9c7e9ac

Merge "Fix an OOB write bug in gatt_process_notification" into tm-dev am: · dc2eea31

Hui Peng authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22697261

Change-Id: I659be20b850ae5ae04a88750098e9b2e467873a3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

dc2eea31

Merge "Fix an OOB bug in set_data" into tm-dev am: · de28d04d

Hui Peng authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22696389

Change-Id: Ia34bf0a351597361ba3663a0b54c8efeade47c86
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

de28d04d

Merge "Fix an OOB bug in set_data" into tm-dev am: · 9435f9b0

Hui Peng authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22696394

Change-Id: If13ec5c92cdbb18fc5adca6697de1fbd05b18e7f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

9435f9b0

Apr 25, 2023
- Merge "Fix a potential OOB in... · c2166e96
  Hui Peng authored 1 year ago
  
  Merge "Fix a potential OOB in BleAdvertiserVscHciInterfaceImpl::VendorSpecificEventCback" into tm-dev
  c2166e96
- Merge "Fix an OOB write bug in gatt_process_notification" into tm-dev · 68569357
  Hui Peng authored 1 year ago
  
  68569357
- Merge "Fix an OOB bug in set_data" into tm-dev · 125cf1ea
  Hui Peng authored 1 year ago
  
  125cf1ea
- Merge "Fix an OOB bug in set_data" into tm-dev · 8473c8c6
  Hui Peng authored 1 year ago
  
  8473c8c6
- Merge "Fix a few OOB bugs in avrc_bld_get_folder_items_rsp" into tm-dev am: 35b7a201 · 579abb6a
  Treehugger Robot authored 1 year ago
  
  Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22605431 Change-Id: I697456facafd7b447f50ab0a5b56cf4b823cf10a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
  579abb6a
- Merge "Fix a few OOB bugs in avrc_bld_get_folder_items_rsp" into tm-dev · 35b7a201
  Treehugger Robot authored 1 year ago
  
  35b7a201
Apr 18, 2023

Fix an OOB bug in set_data · 58802164

Hui Peng authored 1 year ago

Plus move macros used in struct bt_oob_data_s
to bluetooth.h

Bug: 274722185
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Ie12feb4090a1eb88f5c9e097546f55a076839fb0

58802164

Fix an OOB write bug in gatt_process_notification · fdaaa82d

Hui Peng authored 1 year ago

Bug: 276975913
Test: manual
Ignore-AOSP-First: security
Tag: security
Change-Id: I38353a573168e18f06b2b311e532a937044fd92f

fdaaa82d

Fix an OOB bug in set_data · 0592ed17

Hui Peng authored 1 year ago

Bug: 274722163
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Ie4b30bbc19ba0bd191839af35880a4831d8005b1

0592ed17

Apr 14, 2023

Merge "Revert "Fix a OOB bug in bta_hh_co_get_rpt_rsp"" into tm-dev am: · dd201368

William Escande authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22625319

Change-Id: I0c20a4b17a0b6d0fdedf9887b70de0b8b0324b5b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

dd201368

Merge "Revert "Fix a OOB bug in bta_hh_co_get_rpt_rsp"" into tm-dev · 261b9b8d
William Escande authored 1 year ago

261b9b8d

Fix a few OOB bugs in avrc_bld_get_folder_items_rsp · a714943f

Hui Peng authored 1 year ago

This CL fixes the following 3 bugs:
1. Integer underflow triggered by malicious MTU from peer device
2. Integer overflow caused by maliciously long item names
3. Bug caused by typo: item_len_left -> attribute_len_left

Bug: 242994452
Tag: #security
Ignore-AOSP-First: security
Test: manual
Change-Id: I0d2af48b7eb3469d9d1923910e4facc8f2cdbc95

a714943f

Apr 13, 2023

Revert "Fix a OOB bug in bta_hh_co_get_rpt_rsp" · a7ae837b

Hui Peng authored 1 year ago

This reverts commit f173fcb4.

Reason for revert: Head tracking broken as reported in b/277995800

Change-Id: I0c9c95afed6f73712d0a1a5024651cba960eb9d0

a7ae837b