Commits · c077ffbe609c33adc212b73cd3018b174f0c8f89 · LMODroid / platform_packages_modules_Bluetooth

Mar 29, 2023

Fix OOB read in btm_ble_periodic_av_sync_lost · c077ffbe

Brian Delwiche authored 1 year ago

btm_ble_periodic_av_sync_lost internally calls the function
btm_ble_get_psync_index_from_handle, which polls the internal periodic
sync buffer and returns a matching index if one exists.  If no matching
handle is found, it returns MAX_SYNC_TRANSACTION.

However, here the calling function lacks the check for this case present
in similar functions.  If no handle is matched, it will attempt to index
the buffer with MAX_SYNC_TRANSACTION, which will overrun it by a single
width and lead to OOB access.

Add handling for this case.

Bug: 273502002
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm, validated
against researcher POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I2e1e95b277f81b2668f721a7693df50841968ec5

c077ffbe

Jan 10, 2023

Merge "Fix an OOB bug in btm_delete_stored_link_key_complete" into tm-dev · e6d1eec3
Hui Peng authored 2 years ago

e6d1eec3
Merge "Fix an OOB bug in btm_ble_rand_enc_complete" into tm-dev · 56bb00a1
Hui Peng authored 2 years ago

56bb00a1
Merge "Fix an OOB bug in btm_read_tx_power_complete" into tm-dev · ba4fd4c7
Hui Peng authored 2 years ago

ba4fd4c7
Merge "Fix an OOB bug in btu_ble_rc_param_req_evt" into tm-dev · 90569993
Hui Peng authored 2 years ago

90569993
Merge "Fix an OOB bug in btm_ble_read_remote_features_complete" into tm-dev · 398f10c5
Hui Peng authored 2 years ago

398f10c5
Merge "Fix an OOB bug in btu_ble_ll_conn_param_upd_evt" into tm-dev · 78e6c132
Hui Peng authored 2 years ago

78e6c132
Merge "Fix an OOB write in BTA_GATTS_HandleValueIndication" into tm-dev · 45027bbe
Hui Peng authored 2 years ago

45027bbe
Merge "Fix an OOB bug in btm_create_conn_cancel_complete" into tm-dev · 0a903879
Hui Peng authored 2 years ago

0a903879
Merge "Fix an OOB bug in btm_ble_write_adv_enable_complete" into tm-dev · 96c12159
Hui Peng authored 2 years ago

96c12159
Merge "Fix an OOB bug in btm_read_local_oob_complete" into tm-dev · 993b0731
Hui Peng authored 2 years ago

993b0731
Merge "Fix an OOB access bug in BtaAvCo::GetNextSourceDataPacket" into tm-dev · bfdef9b8
TreeHugger Robot authored 2 years ago

bfdef9b8
Merge "Fix an OOB bug in btm_read_link_quality_complete" into tm-dev · 8855f6c4
Hui Peng authored 2 years ago

8855f6c4
Merge "Fix an OOB bug in btm_ble_process_periodic_adv_sync_lost_evt" into tm-dev · 6494326a
Hui Peng authored 2 years ago

6494326a

Fix an OOB access bug in BtaAvCo::GetNextSourceDataPacket · d1047690

Hui Peng authored 2 years ago

If the length of the packet is less than 4 or the offset is 0
OOB access is triggered.

Bug: 259939364
Test: manual
Ignore-AOSP-First: security
Merged-In: I11a3ebf20c45e9e69a4008a7d7271470e6235fe1
Change-Id: I11a3ebf20c45e9e69a4008a7d7271470e6235fe1

d1047690

Fix an OOB bug in on_iso_link_quality_read · f7679c19

Hui Peng authored 2 years ago

Bug: 260568750
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I58b259541a507d65271c4e8b61fcd878a3f90ec0
Change-Id: I58b259541a507d65271c4e8b61fcd878a3f90ec0

f7679c19

Fix an OOB bug in btm_delete_stored_link_key_complete · 0ab9b925

Hui Peng authored 2 years ago

Bug: 260568359
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: Icb13312b79a59117c9524ddad4163135b364baba
Change-Id: Icb13312b79a59117c9524ddad4163135b364baba

0ab9b925

Fix an OOB bug in btm_ble_read_remote_features_complete · 6aedab38

Hui Peng authored 2 years ago

Bug: 254445952
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I25f928cc9fa4b3338b1885412e5f894b4155da71
Change-Id: I25f928cc9fa4b3338b1885412e5f894b4155da71

6aedab38

Fix an OOB bug in btm_read_local_oob_complete · 14eaa92e

Hui Peng authored 2 years ago

Bug: 260568354
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I739a42519df656b28d6043f179d02316bf5a71f2
Change-Id: I739a42519df656b28d6043f179d02316bf5a71f2

14eaa92e

Fix an OOB bug in btm_read_tx_power_complete · 606824af

Hui Peng authored 2 years ago

Bug: 260568083
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I47f4806743b5837f4d7de774eafc95824b0abdd6
Change-Id: I47f4806743b5837f4d7de774eafc95824b0abdd6

606824af

Fix an OOB bug in btu_ble_rc_param_req_evt · 5bdefb74

Hui Peng authored 2 years ago

Bug: 256165737
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I0a626bbc1a72c8bc9740d139b54726b188b6f1df
Change-Id: I0a626bbc1a72c8bc9740d139b54726b188b6f1df

5bdefb74

Fix an OOB write in BTA_GATTS_HandleValueIndication · a3c7e637

Hui Peng authored 2 years ago

Bug: 245915315
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I4b08db42bed52bb250098a7744b689a5d0c105b2
Change-Id: I4b08db42bed52bb250098a7744b689a5d0c105b2

a3c7e637

Merge "Fix an OOB write in SDP_AddAttribute" into tm-dev · 45e8d2dc
Hui Peng authored 2 years ago

45e8d2dc

Fix an OOB bug in btm_ble_write_adv_enable_complete · e38dbb29

Hui Peng authored 2 years ago

Bug: 260568367
Test: manual
Ignore-AOSP-First: security
Merged-In: I0f35513b9655acaa6fe07d2ba2063c1f11d6465b
Change-Id: I0f35513b9655acaa6fe07d2ba2063c1f11d6465b

e38dbb29

Fix an OOB bug in btm_read_link_quality_complete · b2c6806c

Hui Peng authored 2 years ago

Bug: 260569414
Test: manual
Ignore-AOSP-First: security
Merged-In: I7b6e6db6598d82a0191f64cab713a6482b69954b
Change-Id: I7b6e6db6598d82a0191f64cab713a6482b69954b

b2c6806c

Fix an OOB bug in btu_ble_ll_conn_param_upd_evt · 0450562b

Hui Peng authored 2 years ago

Bug: 260230274
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: Id733a472236c005e30ff5c2b56b51d6e10fc9061
Change-Id: Id733a472236c005e30ff5c2b56b51d6e10fc9061

0450562b

Fix an OOB bug in btm_create_conn_cancel_complete · adf06fb6

Hui Peng authored 2 years ago

Bug: 260568245
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I6cddf5189dbc34ce8346167ec04cb50c936898cf
Change-Id: I6cddf5189dbc34ce8346167ec04cb50c936898cf

adf06fb6

Fix an OOB bug in btm_ble_rand_enc_complete · 8d52336f

Hui Peng authored 2 years ago

Bug: 260569449
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I096fb985f025908f9d68d2735b9f98515b04cfb9
Change-Id: I096fb985f025908f9d68d2735b9f98515b04cfb9

8d52336f

Add regression test for b/255304475 · 362a9148

Hui Peng authored 2 years ago

Bug: 255304475
Test: atest net_test_stack_btm
Ignore-AOSP-First: security
Tag: #security
Merged-In: I3d1523b6dbadf75f682663504a0c932624c33d08
Change-Id: I3d1523b6dbadf75f682663504a0c932624c33d08

362a9148

Fix an OOB bug in btm_ble_clear_resolving_list_complete · 12576284

Hui Peng authored 2 years ago

Regression test: I3d1523b6dbadf75f682663504a0c932624c33d08

Bug: 255304475
Test: atest net_test_stack_btm
Tag: #security
Ignore-AOSP-First: security
Merged-In: I3a8158a5db7e59acdaaa47e2327f6bdf492e47e7
Change-Id: I3a8158a5db7e59acdaaa47e2327f6bdf492e47e7

12576284

Add regression test for b/260078907 · 27200cfe

Hui Peng authored 2 years ago

Bug: 260078907
Test: atest net_test_stack_btm
Ignore-AOSP-First: security
Tag: #security
Merged-In: Ie8c6cb188cf7cde94d2f7dc0db04b3de51e08678
Change-Id: Ie8c6cb188cf7cde94d2f7dc0db04b3de51e08678

27200cfe

Fix an OOB bug in btm_ble_add_resolving_list_entry_complete · 73827ac5

Hui Peng authored 2 years ago

Regression test: Ie8c6cb188cf7cde94d2f7dc0db04b3de51e08678

Bug: 260078907
Test: atest net_test_stack_btm
Tag: #security
Ignore-AOSP-First: security
Merged-In: I4aec266e09e33e8a19a9e33715fdb7ed7f4d4f58
Change-Id: I4aec266e09e33e8a19a9e33715fdb7ed7f4d4f58

73827ac5

Fix an OOB bug in BqrVseSubEvt::ParseBqrLinkQualityEvt · ecd5a3e8

Hui Peng authored 2 years ago

The size of the packet is not checked when
`vendor_cap_supported_version >= kBqrIsoVersion` holds.
This patch adds a check on the size in this code path.

Bug: 242993878
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I3191701c54b342ef3cf2296de075666b13e3096e
Change-Id: I3191701c54b342ef3cf2296de075666b13e3096e

ecd5a3e8

Fix an OOB bug in bta_hh_co_get_rpt_rsp · d2e67f50

Hui Peng authored 2 years ago

Bug: 259675705
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I13be3103903631de4a0fa2080151bc89884c65c9
Change-Id: I13be3103903631de4a0fa2080151bc89884c65c9

d2e67f50

Fix a use-after-free bug in AttributionProcessor::OnWakelockReleased · 15fbebc8

Hui Peng authored 2 years ago

There is a use-after-free bug in AttributionProcessor::OnWakelockReleased
resulted from a well-known misuse of using iterators to delete
items in containers (the deleted items are used for calculating the next iterator
in the next round). This patch fix it with correct usage.

see the regression test is in I1709af943b6fa238dd4df41a62e6add36984c9ec

Bug: 254774758
Ignore-AOSP-First: security
Test: atest bluetooth_test_gd_unit
Merged-In: If9f14d5fe2fbf2150f2ab0d1f90ce0f263399227
Change-Id: If9f14d5fe2fbf2150f2ab0d1f90ce0f263399227

15fbebc8

Fix an OOB write in SDP_AddAttribute · 0846b5b7

Hui Peng authored 2 years ago

When the `attr_pad` becomes full, it is possible
that un index of `-1` is computed write
a zero byte to `p_val`, rusulting OOB write.

```
  p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\0';
```

Bug: 261867748
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I937d22a2df26fca1d7f06b10182c4e713ddfed1b
Change-Id: I937d22a2df26fca1d7f06b10182c4e713ddfed1b

0846b5b7

Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc · b0d7d4e8

Hui Peng authored 2 years ago

In  A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the
`-=` operation on it may result in integer underflow and
OOB write with the computed pointer passed to
A2DP_BuildMediaPayloadHeaderSbc.

The regression test is I2e026025ce49a02280dfcacd08f4bfc1b5d12264

Bug: 186803518
Test: atest net_test_stack_a2dp_codecs_native
Ignore-AOSP-First: security
Merged-In: I45320085b1e458d3b0e0d86162a35aaaae7b34cb
Change-Id: I45320085b1e458d3b0e0d86162a35aaaae7b34cb

b0d7d4e8

Merge "Fix an OOB Write bug in gatt_check_write_long_terminate" into tm-dev · 0494f1ab
Hui Peng authored 2 years ago

0494f1ab

Jan 09, 2023

Fix an OOB Write bug in gatt_check_write_long_terminate · d4e34d86

Hui Peng authored 2 years ago

Bug: 258652631
Test: manual
Ignore-AOSP-First: security
Merged-In: Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084
Change-Id: Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084

d4e34d86

Jan 07, 2023

Fix an OOB bug in btm_ble_process_periodic_adv_sync_lost_evt · 85188d00

Hui Peng authored 2 years ago

Bug: 255305114
Test: manual
Tag: #security
Ignore-AOSP-First: security
Change-Id: I7b7f071017a6c04f6bee901f7151e4f5df0a0c64
(cherry picked from commit 6d0884df)
Merged-In: I7b7f071017a6c04f6bee901f7151e4f5df0a0c64

85188d00