It is possible with modifications to a client to open two connections
against the same SDP discovery database.  If this happens, it becomes
possible to reference a freed instance of the discovery database in the
second connection once the first one is closed.

To guard against this, check during discovery if a database has already
been allocated, and abort iff it has.

Also, add a null check to process_service_search_attr_rsp to guard
against unchecked calls to the SDP discovery database.

Bug: 291281168
Bug: 356201480
Flag: com.android.bluetooth.flags.btsec_check_valid_discovery_database
Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7bc0115a7cbad342628c8428af1b8181ee1ae94)
Merged-In: I754bf8292e1e0d8e90e78fa87889284e26aa5818
Change-Id: I754bf8292e1e0d8e90e78fa87889284e26aa5818

This is a backport of the AOSP changes for b/345258562.

Test: mmm packages/modules/Bluetooth
Bug: 345258562
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7ff46bc6dc9d5afd601fb05ae1907286d03babe)
Merged-In: I4ef23f9dec4aaae6a526c11a7c2489159bd7fdf8
Change-Id: I4ef23f9dec4aaae6a526c11a7c2489159bd7fdf8

Fix for b/25992313 was landed correctly on main, but in older branches
SMP contains identical functions smp_proc_init and smp_proc_rand, both
of which exhibit the problem, and only the former of which was patched.
This allows the problem to still appear on branches from sc-dev to
udc-dev.

Add the logic to smp_proc_rand.

Bug: 251514170
Test: m com.android.btservices
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:16a745956dbaff2d37d0e7afdf662314ea379f29)
Merged-In: I51e99c18a322a29632a6cac09ddb2b07bea482fc
Change-Id: I51e99c18a322a29632a6cac09ddb2b07bea482fc

At various points in gatt_sr.cc, the output of the
gatt_tcb_get_payload_size function is used without checking for a
positive length.  However, in exceptional cases it is possible for the
channel to be closed at the time the function is called, which will lead
to a zero length and cause an OOB write in subsequent processing.

Fix all of these.

Bug: 364026473
Bug: 364027038
Bug: 364027949
Bug: 364025411
Test: m libbluetooth
Test: researcher POC
Flag: EXEMPT trivial validity checks
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 7de5617f)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:130861eadc3d9eda593df949666e561dd1f020fc)
Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404

LE link must be encrypted immediately on connection if device are
already bonded.

This is a backport of ag/29056565, but the code needs to go in a
different location because that patch relies on recent feature work.

Ignore-AOSP-First: security
Test: mmm packages/modules/Bluetooth
Bug: 288144143
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0064c0b351fc0902ebbf7bff2e84ce888abb396e)
Merged-In: I7147c837ecab6c67943fc6fd78a9949f3381df62
Change-Id: I7147c837ecab6c67943fc6fd78a9949f3381df62

0 length value is perfectly fine, and should result in just length
added into the packet.
Currently, for 0 length value we just break out of loop, and don't add
any value.
This means, that if first characetristic in response had 0 length, we
would return empty packet.

Ignore-AOSP-First: security fix
Test: mma -j32;
Bug: 352696105
Bug: 356886209
Flag: exempt, obvious logic fix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ba907afffe1fdc00570f935ce3563d28ea45f5cd)
Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608

build_read_multi_rsp is missing a bounds check, which can lead to an
OOB write when the mtu parameter is set to zero.

Add that bounds check.

Bug: 323850943
Test: atest GattSrTest
Test: researcher POC
Tag: #security
Flag: EXEMPT trivial validity checks
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cad927034a371b82a4a07a16ec442eb261f6153f)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d5c170681e728ec3b72f6f0799207b2f7e5ea1d)
Merged-In: I18e4325dbc9d6814220332288c85b114d0415c2f
Change-Id: I18e4325dbc9d6814220332288c85b114d0415c2f

HID profile accepted any new incoming HID connection. Even when the
connection policy disabled HID connection, remote devices could initiate
HID connection.
This change ensures that incoming HID connection are accepted only if
application was interested in that HID connection.
This vulnerarbility no longer exists on the main because of feature
request b/324093729.

Test: mmm packages/modules/Bluetooth
Test: Manual | Pair and connect a HID device, disable HID connection
from Bluetooth device setting, attempt to connect from the HID device.
Bug: 308429049
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bdd92020a9c14c3f541b39624c5b1e0af599acc5)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:358b66af175f423523c5d90bb8aea4b3eb084172)
Merged-In: Iba2ac3502bf1e6e4ac1f60ed64b1b074facd880b
Change-Id: Iba2ac3502bf1e6e4ac1f60ed64b1b074facd880b

As a guard against the BLUFFS attack, we will need to check the security
parameters of incoming connections against cached values and disallow
connection if these parameters are downgraded or changed from their
cached values.

Future CLs will add checks during connection.  This CL adds the
functions that will be needed to perform those checks and the necessary
mocks.
Currently supported checks are : IO capabilities (must be an exact match),
Secure Connections capability (must not be a downgrade), and session key
length (must not be a downgrade).  Maximum session key length, which was
previously not cached, has been added to the device security manager
cache.

To QA: This CL is a logical no-op by itself.  Tests should be performed as described in ag/25815924 and ag/25815925/

Bug: 314331379
Test: m libbluetooth
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 3cf3d9d9)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c17811e6a2357eb34368a1a0a6ed5dec19d980ed)
Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f
Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f

As a guard against the BLUFFS attack, check security parameters of
incoming connections against cached values and disallow connection if
these parameters are downgraded or changed from their cached values.

This CL adds the connection-time check for session key length.

To test, please validate that bonding can be established and
reestablished against devices with session key lengths of 7 and 16 bits,
that session key lengths of less than 7 bits are refused, and that basic
LE bonding functionality still works.  If it is possible to configure a
remote device to establish a bond with a session key length of 16 bits
and then reduce that key length to <16 bits before reconnection, this
should fail.

Bug: 314331379
Test: m libbluetooth
Test: manual

Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6e9fdf182afb57cecac6c56603aa20d758090a4)
Merged-In: I27be1f93598820a0f2a7154ba83f5b041878c21f
Change-Id: I27be1f93598820a0f2a7154ba83f5b041878c21f

As a guard against the BLUFFS attack, check security parameters of
incoming connections against cached values and disallow connection if
these parameters are downgraded or changed from their cached values.

This CL adds the connection-time check for Secure Connections mode.

Bug: 314331379
Test: m libbluetooth
Test: manual

To test this CL, please ensure that BR/EDR initial connections and reconnections  (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types.  Basic validation of LE bonding functionality should be done as well.

Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20fdd9b3225a6084f6b666172817fe0a89f0679)
Merged-In: I9130476600d31b59608e0e419b5136d255174265
Change-Id: I9130476600d31b59608e0e419b5136d255174265

Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with
an out of bounds comparison.  Although the bug claims this is due to a
comparison of a uuid with a smaller data field thana the discovery
attribute, my research suggests that this instead stems from a
comparison of a 128 bit UUID with a discovery attribute of some other,
invalid size.

Add checks for discovery attribute size.

Bug: 287184435
Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bbdb139bf91dca86c72c33a74c0e3407938c487)
Merged-In: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
Change-Id: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43

When pairing with BLE legacy pairing initiated
from remote, authentication can be bypassed.
This change fixes it.

Bug: 251514170
Test: m com.android.btservices
Test: manual run against PoC
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:25a3fcd487c799d5d9029b8646159a0b10143d97)
Merged-In: I369a8fdd675eca731a7a488ed6a2be645058b795
Change-Id: I369a8fdd675eca731a7a488ed6a2be645058b795

Bug: 318374503
Test: m com.android.btservices | manual test against PoC | QA
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62944f39f502b28687a5142ec2d77585525591bc)
Merged-In: I48df2c2d77810077e97d4131540277273d441998
Change-Id: I48df2c2d77810077e97d4131540277273d441998

Bug: 295887535
Bug: 315127634
Test: m com.android.btservices
Test: atest net_test_stack_gatt
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ae5e736813bf2928bfc8c71e3dacf3b78394046)
Merged-In: I291fd665a68d90813b8c21c80d23cc438f84f285
Change-Id: I291fd665a68d90813b8c21c80d23cc438f84f285

This reverts commit a0d4425c.

Reason for revert: LE Device name is incorrect after the change. See b/315127634
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6dbe94fe556ef67f3bbb7d7bb2da3320d68619df)
Merged-In: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
Change-Id: I93906e7ab768b4015fe3491e171fdb0ec8cf3077

Bug: 295887535
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b927f3fb660dafaf97b2fa0398353a8c39125efc)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a0d4425c3964f99f589d449deed2f1bbe520218c)
Merged-In: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
Change-Id: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48

Bug: 300903400
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20a759c149b739f8dfc3790287ad1b954115c18)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a4704e7519d0a02c1caf8b4d8ed874bc201a4b91)
Merged-In: I400cfa3523c6d8b25c233205748c2db5dc803d1d
Change-Id: I400cfa3523c6d8b25c233205748c2db5dc803d1d

This reverts commit a0d4425c.

Reason for revert: LE Device name is incorrect after the change. See b/315127634
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6dbe94fe556ef67f3bbb7d7bb2da3320d68619df)
Merged-In: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
Change-Id: I93906e7ab768b4015fe3491e171fdb0ec8cf3077

Bug: 295887535
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b927f3fb660dafaf97b2fa0398353a8c39125efc)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a0d4425c3964f99f589d449deed2f1bbe520218c)
Merged-In: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
Change-Id: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48

Bug: 297524203
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140c41e3553bc59fe97e3f5ee96c64e2251971e2)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e9b40c3dfd81c3fa99b3f115135de7e2c356ece9)
Merged-In: I2a95bbcce9a16ac84dd714eb4561428711a9872e
Change-Id: I2a95bbcce9a16ac84dd714eb4561428711a9872e

1. The size of `p_src->attr_value.value` is dependent on
   `p_src->attr_value.len`. While copying `p_src->attr_value.value`,
   to `p_dest->attr_value.value`, it always copies GATT_MAX_ATTR_LEN
   bytes, it may result in OOB read in `p_src->attr_value.value`;

2. As the `p_dest->attr_value.len` does not map the length of
   `p_dest->attr_value.value`, it may result in OOB read in
   attp_build_value_cmd;

Bug: 276898739
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59c9e84bd31d4935a875d588bf4d2cc5bfb07d59)
Merged-In: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
Change-Id: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368

Some HCI BLE events are missing bounds checks, leading to possible OOB
access.  Add the appropriate bounds checks on the packets.

Bug: 279169188
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:66e2be0585514de92e8a31df09ab31528fd67e20)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d1a3febede9f835797cf5feff978a9f007f2593)
Merged-In: If7752f6edd749d6d5a4bb957b4824c22b5602737
Change-Id: If7752f6edd749d6d5a4bb957b4824c22b5602737

BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
to be deduced through a side-channel attack.

Change to CRYPTO_memcmp, which is hardened against this attack, to
eliminate this attack.

Bug: 274478807
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 7a960ac1)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d011f54d04e7ff732d4dc467079574b4e1c7b72d)
Merged-In: Iddeff055d9064f51a1e0cfb851d8b74135a714c2
Change-Id: Iddeff055d9064f51a1e0cfb851d8b74135a714c2

Bug: 277590580
bug: 275553827
Test: atest net_test_main_shim
Ignore-AOSP-First: security
Tag: #security
(cherry picked from commit 0d7e3d8f)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:462fc9465fafce4a055d0dadb451b3d71bf05289)
Merged-In: I7fcb7c46f668f48560a72399a3c5087c6da3827f
Change-Id: I7fcb7c46f668f48560a72399a3c5087c6da3827f

This change is intended to be used to factor out
dup code for parsing GapData in StartAdvertisingSet
and make it easier to be tested.

Backport of Ia39886c415218353b6f9d59d7d3f6d1160477d6c

Bug: 296291440
Test: atest net_test_main_shim
(cherry picked from commit 08690d66)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cfc86f8d13d6e5585f2b535bf5225000c6ceaf8e)
Merged-In: Ia39886c415218353b6f9d59d7d3f6d1160477d6c
Change-Id: Ia39886c415218353b6f9d59d7d3f6d1160477d6c

[conflict] Merge "Add bounds checks in btif_avrcp_audio_track.cc" into tm-dev am: 0b68bd68 am: 52d169b1

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/23356997



Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3d7c7f4c2c514b6a62f827615cb75ba61319b115)
Merged-In: I0389f56ae210b4976821e0ceeb21a7a0c2965a62
Change-Id: I0389f56ae210b4976821e0ceeb21a7a0c2965a62

a2dp_vendor_opus_decoder_decode_packet calls opus_decode() to decode
frames.  If initial decoding fails, it retries with a different set of
parameters; however, no further checks are included after the retry, and
the return value is then used to generate frame size.  If the retry
fails, the return value will be negative, which when converted to
unsigned to scale the frame buffer will lead to an enormous size which
easily overflows the frame buffer.

Add a check for this case.

Bug: 275626001
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7b6e560eda0e43dcac6ca8298fe01ee0762f508)
Merged-In: Ie8ec891bf5e2537eeee9272f550ae23f8797a878
Change-Id: Ie8ec891bf5e2537eeee9272f550ae23f8797a878

Original bug
Bug: 294854926

regressions:
Bug: 299570702
Bug: 299561281

Test: m com.android.btservices
Test: QA validation
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7db69a79091ec0199ddbac2a7b8cf1e0b57631d9)
Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa
Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa

Original bug
Bug: 294854926

regressions:
Bug: 299570702

Test: Test: m com.android.btservices
Test: QA validation
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:916b6d3899908ed09f81be131e48933637e4c9ef)
Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4

Allow access to rfcomm PSM by default

Original bug
Bug: 294854926

Nearby regressions:
Bug: 298539299

Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c11c2a2bead295edf18cecf682255a498e84133a)
Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66

Reject access to service running on rfcomm

this is a backport of
I10fcc2dcd78fc22ffbe3c425669fc9889b94a166

Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:47e6e149f1d4dc557e10033ac9b147d24b37bea9)
Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166

Rejecct access to services running on l2cap

Backport of
Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3

Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1f08f638c91169df84a43b6cd4e04d1aa3a5d554)
Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3

Bug: 275057843
Bug: 275057678
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3bb913ee8c7da4602798db754045c0fac57afecf)
Merged-In: I4c8ec50c15e2727839a49da0e582164557bcd38a
Change-Id: I4c8ec50c15e2727839a49da0e582164557bcd38a

Bug: 275340684
Bug: 282234870
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f9059acdfed500ea5ff4b159795280d5fa2ecbf)
Merged-In: Ia8e9c3a3e534f419b6bd6c902a35d2caf4c7727b
Change-Id: Ia8e9c3a3e534f419b6bd6c902a35d2caf4c7727b

sdpu_build_uuid_seq accepts a UUID sequence of arbitrary length
but does not validate against the boundaries of the buffer it's
filling.  This can lead to an OOB write.

Add validation.

Bug: 239414876
Test: atest: bluetooth, validated against POC
Tag: #security
Ignore-AOSP-First: Security

(cherry picked from commit 367ed057)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7a62a311d1a0c229ba75529dbedcb47a7af18142)
Merged-In: Ibce32cc09ad2991789569f35ef2f71f90537fdce
Change-Id: Ibce32cc09ad2991789569f35ef2f71f90537fdce

When p_buf->len is mtu - 1 and p_cmd->multi_req.variable_len
evaluates to true, integer underflow is triggered
in the following line, resulting OOB access.

```
 len = p_rsp->attr_value.len - (total_len - mtu);
```

Bug: 273874525
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f4d53c7bf90b806639a3a302f0007ffb3b9f23)
Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4

This reverts commit d5ec5273.

Reason for revert: b/281788858
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:97c9c472f6b63b86bdf9cfd054490051e881c013)
Merged-In: If6fb57064b5b2da40842e2c1cf95aadc6f0351b6
Change-Id: If6fb57064b5b2da40842e2c1cf95aadc6f0351b6

APCF Feature Selection for AD Type check is bit 8(0x100)

Bug: 281790117
Test: manual
(cherry picked from https://android-review.googlesource.com/q/commit:ea54fff1792c08169ff911467ad666c5a8add796)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:35042736eaeb4b41093bd058a42950656b587440)
Merged-In: I64f301137797a44c69e06e744a653bda72c85b18
Change-Id: I64f301137797a44c69e06e744a653bda72c85b18

1. HID host treats pthread_t as a signed value. Some platform may define
it as unsigned type.
2. HID host uses -1 as invalid pthread ID. pthread does not define
invalid thread ID.


Bug: 285750089
Test: Floss test "Two BLE connections"
(cherry picked from https://android-review.googlesource.com/q/commit:791d9aa87fa0a1503077a81fa80c51e4c6b620ee)
Merged-In: I77eb1596910ee1a6c9c2244beff7ff382ca57ba0
Change-Id: I77eb1596910ee1a6c9c2244beff7ff382ca57ba0