Commits · c9f6e21bde29db9515132c6d89be966f1c35de81 · LMODroid / platform_packages_modules_Bluetooth

Apr 03, 2023

Merge "Revert "Revert "Validate buffer length in sdpu_build_uuid_seq""" into... · c9f6e21b

Brian Delwiche authored 1 year ago

Merge "Revert "Revert "Validate buffer length in sdpu_build_uuid_seq""" into tm-dev am: bdcc9b8a am: 9d6e514e

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22188831

Change-Id: If564b2839a739ba0c08e8efc6f9c91406831c64c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

c9f6e21b

Merge "Revert "Revert "Validate buffer length in sdpu_build_uuid_seq""" into tm-dev am: · 9d6e514e

Brian Delwiche authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22188831

Change-Id: I3896da1ac7eca27d1fae53c2c63159513ecaa909
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

9d6e514e

Merge "Revert "Revert "Validate buffer length in sdpu_build_uuid_seq""" into tm-dev · bdcc9b8a
Brian Delwiche authored 1 year ago

bdcc9b8a

Apr 02, 2023
- Merge "Import translations. DO NOT MERGE ANYWHERE" into tm-qpr-dev · 89e28b8d
  Bill Yi authored 1 year ago
  
  89e28b8d
Apr 01, 2023
- Merge "RESTRICT AUTOMERGE: Move BMW Carkit(9c:df:03) into IOP table to only... · 2f61784f
  Jamin Liu authored 1 year ago
  
  Merge "RESTRICT AUTOMERGE: Move BMW Carkit(9c:df:03) into IOP table to only use AVRCP 1.3 from 1.4 to resolve interop issues." into tm-qpr-dev
  2f61784f
- Merge "BluetoothMetrics: Upload readable sha256, instead of bytes" into tm-qpr-dev · 69bf6d7e
  Thomas Girardier authored 1 year ago
  
  69bf6d7e
Mar 31, 2023

Import translations. DO NOT MERGE ANYWHERE · 0604c882

Bill Yi authored 1 year ago

Auto-generated-cl: translation import
Change-Id: I8b62d67e327fc7ac6e98c481c161a21fccb44fc2

0604c882

RESTRICT AUTOMERGE: Move BMW Carkit(9c:df:03) into IOP table to only use AVRCP... · a4815c16

Jamin Liu authored 1 year ago

RESTRICT AUTOMERGE: Move BMW Carkit(9c:df:03) into IOP table to only use AVRCP 1.3 from 1.4 to resolve interop issues.

Bug: 272518730
Bug: 234548635
Tag: #compatibility
Test: Manual. Refer: go/bmw-x5-car-kit-audio
Ignore-AOSP-First: This change is the tm version of aosp/2514656
Merged-In: Ia3216810f2814b10218981e9ecbe962bfc5e6754
Change-Id: Ibc4ebe01f3d408c72a4d8b9c36118cf0acc7d655

a4815c16

Merge "Fix OOB read in btm_ble_periodic_av_sync_lost" into tm-dev am: am: · 01e05e53

Brian Delwiche authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22343125

Change-Id: I4a333da79dedbfe03b0c6b8253cdf1839f7bd57a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

01e05e53

Merge "Fix OOB read in btm_ble_periodic_av_sync_lost" into tm-dev am: · 124d2f9f

Brian Delwiche authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22343125

Change-Id: Ib71e4715f6bf6c5f2c7954d06b1fd5e175df33b9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

124d2f9f

Merge "Fix OOB read in btm_ble_periodic_av_sync_lost" into tm-dev · fd1d5e71
Brian Delwiche authored 1 year ago

fd1d5e71

Mar 29, 2023

Fix OOB read in btm_ble_periodic_av_sync_lost · c077ffbe

Brian Delwiche authored 1 year ago

btm_ble_periodic_av_sync_lost internally calls the function
btm_ble_get_psync_index_from_handle, which polls the internal periodic
sync buffer and returns a matching index if one exists.  If no matching
handle is found, it returns MAX_SYNC_TRANSACTION.

However, here the calling function lacks the check for this case present
in similar functions.  If no handle is matched, it will attempt to index
the buffer with MAX_SYNC_TRANSACTION, which will overrun it by a single
width and lead to OOB access.

Add handling for this case.

Bug: 273502002
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm, validated
against researcher POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I2e1e95b277f81b2668f721a7693df50841968ec5

c077ffbe

Mar 25, 2023
- Merge "[BluetoothMetrics] Adding dependent changes for direct LE-ACL L2CAP... · b9a19014
  David Duarte authored 1 year ago
  
  Merge "[BluetoothMetrics] Adding dependent changes for direct LE-ACL L2CAP fixed channel" into tm-qpr-dev
  b9a19014
Mar 24, 2023

Fix a OOB bug in bta_hh_co_get_rpt_rsp am: am: · 5773c861

Hui Peng authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/21090924

Change-Id: I72949a74e23dbbb0fd2dbee7bd7eee0b2f0c316a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

5773c861

Fix a OOB bug in bta_hh_co_get_rpt_rsp am: · 3c15759b

Hui Peng authored 1 year ago

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/21090924

Change-Id: Idfe58b567a3484ddcf8be45e1515b6349ed290f3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

3c15759b

Fix a OOB bug in bta_hh_co_get_rpt_rsp · f173fcb4

Hui Peng authored 2 years ago

Fix to the regression reported in b/264708304 and b/266585826 added:
The root cause of the regression, the sensor HAL layer expects the HID feature
reports to contain 40 bytes, even less bytes are contained in the data
field.

This updated fix restores the length of data fields with the len arg.

Bug: 259675705
Test: manual verification with a Pixel 6 and LinkBuds
Ignore-AOSP-First: security
Tag: security
Change-Id: I02f16c360965b049fc6c8fdfa0132b7aa54bc1d3

f173fcb4

[BluetoothMetrics] Adding dependent changes for · 01bcd532

Palash Ahuja authored 2 years ago

direct LE-ACL L2CAP fixed channel

Bug: 268252025
Change-Id: Ie40ce994abe8bb6023cf039fc3716ac0f35b11c1
Merged-In: Ie40ce994abe8bb6023cf039fc3716ac0f35b11c1

01bcd532

Merge "BluetoothMetrics: Add fallback solution for device names" into tm-qpr-dev · 867b494f
Chen Chen authored 1 year ago

867b494f

Mar 23, 2023

Merge "[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq" into tm-qpr-dev · 78393ce2
Brian Delwiche authored 1 year ago

78393ce2

BluetoothMetrics: Upload readable sha256, instead of bytes · c34a20b5

Chen Chen authored 1 year ago

Bug: 264937355
Test: atest BluetoothInstrumentationTests
(cherry picked from https://android-review.googlesource.com/q/commit:c5a164cfbf2771d49ccfa2a501fd8e6fcc490745)
Merged-In: Ica31ffcc22d5a75aa82b9e2f91b9239d63506a40
Change-Id: Ica31ffcc22d5a75aa82b9e2f91b9239d63506a40

c34a20b5

BluetoothMetrics: Add fallback solution for device names · 039971fa

Chen Chen authored 1 year ago

Bug: 264937355
Test: atest BluetoothInstrumentationTests
(cherry picked from https://android-review.googlesource.com/q/commit:41d98ac1632528f4a4aa240748773780e5236085)
Merged-In: If7d8aa463decc99cf95437d7a608ed2612323560
Change-Id: If7d8aa463decc99cf95437d7a608ed2612323560

039971fa

Merge "LE Audio: close GATT server properly" into tm-qpr-dev · ceb25ac1
Jack He authored 1 year ago

ceb25ac1
Merge "[RESTRICT AUTOMERGE] Fix potential use after free in pan_api.cc" into tm-qpr-dev · 73517ade
Brian Delwiche authored 1 year ago

73517ade

[BluetoothMetrics] This covers the case for Direct LE-ACL Connection · 585d258c

Palash Ahuja authored 2 years ago

Success Rate as per go/bluetooth-le-connection-metrics.

Unit Tests:
- Successful
- Failure
- Timeout
- Cancellation

Test: atest bluetooth_test_gd_unit:LEConnectionMetricsRemoteDeviceTest --host
Bug: b/268252025
Change-Id: Iddef3b0c873c9999e165078912339b97caf6b265
Merged-In: I7b8618c30d5f1e4dc5b9665e056934c2db888271

585d258c

Mar 21, 2023

[RESTRICT AUTOMERGE] Fix potential use after free in pan_api.cc · c7b0b8ac

Brian Delwiche authored 2 years ago

Structure length is checked in pan_api.cc after the structure may
be freed, leading to a potential use after free.

Save the buffer length to a local instead.  Note that BNEP_WriteBuf
may alter the length being written internally; this does not appear
to be an issue in this use case because the octet count being tracked
is used only for logging purposes within PAN.

Bug: 259939435
Test: atest bluetooth_test_gd_unit, validate against researcher POC
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I613b3dd3684182bdc725f9e1512061484448d367

c7b0b8ac

[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq · 95ff9958

Brian Delwiche authored 2 years ago

sdpu_build_uuid_seq accepts a UUID sequence of arbitrary length
but does not validate against the boundaries of the buffer it's
filling.  This can lead to an OOB write.

Add validation.

Bug: 239414876
Test: atest: bluetooth, validated against POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I6c0b91428bd37d73ae707b8a1843338998fb9562
(cherry picked from commit 367ed057)

95ff9958

Revert "Revert "Validate buffer length in sdpu_build_uuid_seq"" · 4a33fbcf

Brian Delwiche authored 2 years ago

This reverts commit e6cf2700.

Reason for revert: Reinstate original change for QPR

Change-Id: I3e039f1b8f8ffbcc4875b663d417462451fb76a0

4a33fbcf

Merge "Only initiate Codec Negotation if locally supported." into tm-qpr-dev · b4dd1a0d
William Escande authored 2 years ago

b4dd1a0d
Merge "Fix null pointer access in handle_rc_ctrl_features" into tm-qpr-dev · ebcc2327
TreeHugger Robot authored 2 years ago

ebcc2327
Merge "Fix that hearing aid paring dialog pops up twice" into tm-qpr-dev · 50800f68
Sungsoo Lim authored 2 years ago

50800f68
Merge "Add missing lock on getSupportedProfile" into tm-qpr-dev · bae181fa
TreeHugger Robot authored 2 years ago

bae181fa
Merge "Only add br_edr to power mode db" into tm-qpr-dev · 0742a03c
TreeHugger Robot authored 2 years ago

0742a03c

LE Audio: close GATT server properly · 364b10bc

Jakub Pawlowski authored 2 years ago

Currently we are leaking GMCS instance every time BT is restarted.

Bug: 273361967
Test: manual, restart bluetooth, observe output of:
adb shell dumpsys bluetooth_manager | grep -A 10 "Server\:"
(cherry picked from https://android-review.googlesource.com/q/commit:db6561f3d907c74055fe74f8e8a5b979da5cd1aa)
Merged-In: I3fabbe267a380a1eae482bb54be5551db9f0029e
Change-Id: I3fabbe267a380a1eae482bb54be5551db9f0029e

364b10bc

Only initiate Codec Negotation if locally supported. · ff5f9d03

Calvin On authored 2 years ago

Currently, because of aosp/683369 the device will initiate
Codec Negotiation even if the remote device does not send the
required AT+BAC command during Service Level Connection setup.

This enables in the following out-of-spec sequence:
1. Device sends Codec Negotiation NOT supported to a Headset which does.
2. Headset respects the feature not supported, and does not send AT+BAC.
3. Device initiates Codec Negotiation with the Headset anyway.

This check ensures that Device will not attempt to initiate
Codec Negotiation at all if the local feature is not enabled.

Bug: 267171863
Test: make
(cherry picked from https://android-review.googlesource.com/q/commit:4be3e5d58237cfdfa89a7c5324c26c986ef52239)
Merged-In: I446e071e3b66875a2bacde228841ca703acd5739
Change-Id: I446e071e3b66875a2bacde228841ca703acd5739
Bug: 263323082

ff5f9d03

Merge "BluetoothMetrics: Send peripheral device hash through metrics API" into tm-qpr-dev · dcfd8ab2
Thomas Girardier authored 2 years ago

dcfd8ab2

Fix null pointer access in handle_rc_ctrl_features · f6d2de2f

Ugo Yu authored 2 years ago

There is a chance the callback gets invoked right after a AVRC
disconnection and bt_rc_ctrl_callbacks has been cleared.

Tag: stability
Bug: 242208896
Test: presubmit, Bluetooth calling test items
(cherry picked from https://android-review.googlesource.com/q/commit:722854df05ddad0567f5c30db2491afc90d15228)
Merged-In: I649ac336022a20894d2311313d7ed68687bc70a3
Change-Id: I649ac336022a20894d2311313d7ed68687bc70a3
Bug: 263323082

f6d2de2f

Only add br_edr to power mode db · d005e6ce

Chris Manton authored 2 years ago

Power modes only work with classic/br_edr

Bug: 262479565
Tag: #refactor
Test: gd/cert/run
(cherry picked from https://android-review.googlesource.com/q/commit:272684810473fe72988475eb307f49305b45904a)
Merged-In: I2b28968159df873aabb2c12f7855beae89c6d653
Change-Id: I2b28968159df873aabb2c12f7855beae89c6d653
Bug: 263323082

d005e6ce

Merge "Set CE length to 0 in LE_Create_Connection" into tm-qpr-dev · faacd2db
TreeHugger Robot authored 2 years ago

faacd2db

Mar 20, 2023

Add missing lock on getSupportedProfile · cc6451dd

William Escande authored 2 years ago

Bug: 274037299
Test: presubmit tests
(cherry picked from https://android-review.googlesource.com/q/commit:6e179238dc3b3eaa5f8e26c9eff0d891decae5ea)
Merged-In: I993505cd6656d67362eeefd6bd3abd411e8f59ff
Change-Id: I993505cd6656d67362eeefd6bd3abd411e8f59ff

cc6451dd

Mar 18, 2023

Always send BTA_DM_GATT_OVER_LE_RES_EVT · 24d5d774

Rahul Arya authored 2 years ago

If doing gatt discovery, we should always send this event to the upper
layer on its conclusion. Otherwise we get the pairing_cb stuck.

Bug: 263050668
Test: manual
(cherry picked from https://android-review.googlesource.com/q/commit:3380f3ddf0dedc8d0cb3ca7256711bff5c2aee98)
Merged-In: I65aa5cddc3fe5a9f5c8b9e2d43d676bf3d9082b7
Change-Id: I07621dd098ad887c82927a3af9f41ac2b31c15b0

24d5d774