Skip to content
Snippets Groups Projects
Select Git revision
  • fifteen-qpr0
  • fourteen-qpr1
  • fourteen default
  • fifteen-qpr1
  • fifteen-qpr2
  • thirteen
  • staging/fourteen
7 results
Search by author
  • Any Author
  • Adithya R Adithya R adithya2306
  • Ali Ali ali-nasiri-80
  • Dhina17 Dhina17 Dhina17
  • electimon electimon electimon
  • Erfan Abdi Erfan Abdi erfanoabdi
  • Farzin Kazemzadeh Farzin Kazemzadeh itisFarzin
  • LMO BuildBot LMO BuildBot lmo-buildbot
  • LMO GerritBot LMO GerritBot lmo-gerritbot
  • Mohammad Hasan Keramat J Mohammad Hasan Keramat J ikeramat
  • Nick Nick nift4
10 authors
  1. Apr 03, 2023
  3. Mar 31, 2023
  5. Mar 29, 2023
    • Brian Delwiche's avatar
      Fix OOB read in btm_ble_periodic_av_sync_lost · c077ffbe
      Brian Delwiche authored 
      btm_ble_periodic_av_sync_lost internally calls the function
btm_ble_get_psync_index_from_handle, which polls the internal periodic
sync buffer and returns a matching index if one exists.  If no matching
handle is found, it returns MAX_SYNC_TRANSACTION.

However, here the calling function lacks the check for this case present
in similar functions.  If no handle is matched, it will attempt to index
the buffer with MAX_SYNC_TRANSACTION, which will overrun it by a single
width and lead to OOB access.

Add handling for this case.

Bug: 273502002
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm, validated
against researcher POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I2e1e95b277f81b2668f721a7693df50841968ec5
      c077ffbe
  7. Mar 24, 2023
    • Hui Peng's avatar
      Fix a OOB bug in bta_hh_co_get_rpt_rsp · f173fcb4
      Hui Peng authored 
      Fix to the regression reported in b/264708304 and b/266585826 added:
The root cause of the regression, the sensor HAL layer expects the HID feature
reports to contain 40 bytes, even less bytes are contained in the data
field.

This updated fix restores the length of data fields with the len arg.

Bug: 259675705
Test: manual verification with a Pixel 6 and LinkBuds
Ignore-AOSP-First: security
Tag: security
Change-Id: I02f16c360965b049fc6c8fdfa0132b7aa54bc1d3
      f173fcb4
  9. Mar 21, 2023
  11. Mar 13, 2023
  13. Mar 11, 2023
  15. Mar 06, 2023
  17. Feb 15, 2023
    • Brian Delwiche's avatar
      Validate buffer length in sdpu_build_uuid_seq · 367ed057
      Brian Delwiche authored 
      sdpu_build_uuid_seq accepts a UUID sequence of arbitrary length
but does not validate against the boundaries of the buffer it's
filling.  This can lead to an OOB write.

Add validation.

Bug: 239414876
Test: atest: bluetooth, validated against POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I6c0b91428bd37d73ae707b8a1843338998fb9562
      367ed057
  19. Feb 09, 2023
  21. Feb 07, 2023
  23. Feb 06, 2023
  25. Jan 31, 2023
  27. Jan 25, 2023
  29. Jan 19, 2023
  31. Jan 14, 2023
  33. Jan 12, 2023
  35. Jan 11, 2023
  37. Jan 10, 2023