Skip to content
Snippets Groups Projects
Select Git revision
  • fifteen-qpr0
  • fourteen-qpr1
  • fourteen default
  • fifteen-qpr1
  • fifteen-qpr2
  • thirteen
  • staging/fourteen
7 results
Search by author
  • Any Author
  • Adithya R Adithya R adithya2306
  • Ali Ali ali-nasiri-80
  • Dhina17 Dhina17 Dhina17
  • electimon electimon electimon
  • Erfan Abdi Erfan Abdi erfanoabdi
  • Farzin Kazemzadeh Farzin Kazemzadeh itisFarzin
  • LMO BuildBot LMO BuildBot lmo-buildbot
  • LMO GerritBot LMO GerritBot lmo-gerritbot
  • Mohammad Hasan Keramat J Mohammad Hasan Keramat J ikeramat
  • Nick Nick nift4
10 authors
  1. Mar 06, 2025
  3. Feb 26, 2025
    • Dhina17's avatar
      Merge tag 'android-security-14.0.0_r17' into fourteen · c06923aa
      Dhina17 authored 
      Android Security 14.0.0 Release 17 (12787469)

* tag 'android-security-14.0.0_r17' of https://android.googlesource.com/platform/packages/modules/Bluetooth:
  Reset permissions for not bonded device
  RESTRICT AUTOMERGE backport "opp: validate that content uri belongs to current user"
  Resolve incomplete fix for SMP authentication bypass

 Conflicts:
	android/app/src/com/android/bluetooth/btservice/BondStateMachine.java
	android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java
	system/stack/smp/smp_act.cc

Change-Id: I504b54da1bb173098da08c815c18dbe3f491d90d
      c06923aa
  5. Jan 09, 2025
  7. Dec 12, 2024
  9. Dec 07, 2024
  11. Nov 06, 2024
  13. Oct 14, 2024
    • Android Build Coastguard Worker's avatar
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/29693391']... · 043d5b99
      Android Build Coastguard Worker authored 
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/29693391'] into security-aosp-udc-release.

Change-Id: Ie8cbd82a476d027f634378fb3d9b15cd4991b5ca
      043d5b99
    • Brian Delwiche's avatar
      Fix OOB writes in gatt_sr.cc · c7468e64
      Brian Delwiche authored 
      At various points in gatt_sr.cc, the output of the
gatt_tcb_get_payload_size function is used without checking for a
positive length.  However, in exceptional cases it is possible for the
channel to be closed at the time the function is called, which will lead
to a zero length and cause an OOB write in subsequent processing.

Fix all of these.

Bug: 364026473
Bug: 364027038
Bug: 364027949
Bug: 364025411
Test: m libbluetooth
Test: researcher POC
Flag: EXEMPT trivial validity checks
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 7de5617f)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:130861eadc3d9eda593df949666e561dd1f020fc)
Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
      c7468e64
    • Dhina17's avatar
      Merge tag 'android-security-14.0.0_r13' of... · 41da7df8
      Dhina17 authored 
      Merge tag 'android-security-14.0.0_r13' of https://android.googlesource.com/platform/packages/modules/Bluetooth into HEAD

Android Security 14.0.0 Release 13 (12199513)

* tag 'android-security-14.0.0_r13' of https://android.googlesource.com/platform/packages/modules/Bluetooth:
  RESTRICT AUTOMERGE Disallow unexpected incoming HID connections

 Conflicts:
	android/app/jni/com_android_bluetooth_hid_host.cpp
	android/app/src/com/android/bluetooth/hid/HidHostService.java
	system/btif/include/btif_hh.h
	system/btif/src/btif_hh.cc
	system/btif/src/btif_profile_storage.cc

Change-Id: I5a93035ba9ef47c8dd63877d9467b840f61c897c
      41da7df8
    • Dhina17's avatar
      Merge tag 'android-security-14.0.0_r12' of... · 7cf6e7e8
      Dhina17 authored 
      Merge tag 'android-security-14.0.0_r12' of https://android.googlesource.com/platform/packages/modules/Bluetooth into HEAD

Android security 14.0.0 release 12

* tag 'android-security-14.0.0_r12' of https://android.googlesource.com/platform/packages/modules/Bluetooth:
  Add support for checking security downgrade
  Disallow connect with key length downgrade
  Disallow connect with Secure Connections downgrade
  Fix heap-buffer overflow in sdp_utils.cc
  Fix permission bypasses to multiple methods
  Fix an authentication bypass bug in SMP
  Fix a security bypass issue in access_secure_service_from_temp_bond
  Reland: Fix an OOB write bug in attp_build_value_cmd
  Revert "Fix an OOB write bug in attp_build_value_cmd"
  Fix an OOB write bug in attp_build_value_cmd
  Fix an OOB bug in smp_proc_sec_req
  Revert "Fix an OOB write bug in attp_build_value_cmd"
  Fix an OOB write bug in attp_build_value_cmd
  Fix an OOB write bug in attp_build_read_by_type_value_cmd
  Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
  Fix some OOB errors in BTM parsing
  Fix timing attack in BTM_BleVerifySignature
  Fix an OOB bug in parse_gap_data
  Factor out duplicate code for parsing gap data
  [conflict] Merge "Add bounds checks in btif_avrcp_audio_track.cc" into tm-dev am: 0b68bd68 am: 52d169b1
  Fix UAF in ~CallbackEnv
  Fix OOB in a2dp_vendor_opus_decoder_decode_packet
  Enforce authentication if encryption is required
  Reorganize the code for checking auth requirement
  Reject access to  secure service authenticated from a temp bonding [3]
  Reject access to secure services authenticated from temp bonding [2]
  Reject access to secure service authenticated from a temp bonding [1]
  Fix multiple OOB bugs in btm_ble_gap.cc
  Fix 2 OOB bugs in CreateAudioBroadcast

 Conflicts:
	system/bta/le_audio/broadcaster/broadcaster.cc
	system/btif/src/btif_storage.cc
	system/include/hardware/bluetooth.h
	system/main/shim/Android.bp
	system/main/shim/le_advertising_manager.cc
	system/main/shim/utils.cc
	system/stack/a2dp/a2dp_vendor_opus_decoder.cc
	system/stack/btm/btm_ble.cc
	system/stack/btm/btm_ble_gap.cc
	system/stack/btm/btm_sec.cc
	system/stack/btm/btm_sec.h
	system/stack/btu/btu_hcif.cc
	system/stack/include/sec_hci_link_interface.h
	system/stack/sdp/sdp_utils.cc
	system/stack/smp/smp_act.cc
	system/test/headless/bt_property.cc
	system/test/mock/mock_stack_btm_sec.cc

Change-Id: Ibe2d623dc8664059ef9e87f14a4ddfbe5e3cb2d2
      7cf6e7e8
  15. Oct 09, 2024
  17. Aug 08, 2024
  19. Aug 07, 2024
  21. Jul 10, 2024
    • Android Build Coastguard Worker's avatar
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059673',... · a1097edc
      Android Build Coastguard Worker authored 
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059673', 'googleplex-android-review.googlesource.com/27059674', 'googleplex-android-review.googlesource.com/27695267'] into security-aosp-udc-release.

Change-Id: Ib319ba41488207f4afcb5365b129ebe44e3a8e4d
      a1097edc
    • Brian Delwiche's avatar
      Add support for checking security downgrade · fbdaf02a
      Brian Delwiche authored 
      As a guard against the BLUFFS attack, we will need to check the security
parameters of incoming connections against cached values and disallow
connection if these parameters are downgraded or changed from their
cached values.

Future CLs will add checks during connection.  This CL adds the
functions that will be needed to perform those checks and the necessary
mocks.
Currently supported checks are : IO capabilities (must be an exact match),
Secure Connections capability (must not be a downgrade), and session key
length (must not be a downgrade).  Maximum session key length, which was
previously not cached, has been added to the device security manager
cache.

To QA: This CL is a logical no-op by itself.  Tests should be performed as described in ag/25815924 and ag/25815925/

Bug: 314331379
Test: m libbluetooth
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 3cf3d9d9)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c17811e6a2357eb34368a1a0a6ed5dec19d980ed)
Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f
Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f
      fbdaf02a
    • Brian Delwiche's avatar
      Disallow connect with key length downgrade · 024980ba
      Brian Delwiche authored 
      As a guard against the BLUFFS attack, check security parameters of
incoming connections against cached values and disallow connection if
these parameters are downgraded or changed from their cached values.

This CL adds the connection-time check for session key length.

To test, please validate that bonding can be established and
reestablished against devices with session key lengths of 7 and 16 bits,
that session key lengths of less than 7 bits are refused, and that basic
LE bonding functionality still works.  If it is possible to configure a
remote device to establish a bond with a session key length of 16 bits
and then reduce that key length to <16 bits before reconnection, this
should fail.

Bug: 314331379
Test: m libbluetooth
Test: manual

Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6e9fdf182afb57cecac6c56603aa20d758090a4)
Merged-In: I27be1f93598820a0f2a7154ba83f5b041878c21f
Change-Id: I27be1f93598820a0f2a7154ba83f5b041878c21f
      024980ba
    • Brian Delwiche's avatar
      Disallow connect with Secure Connections downgrade · b5155f05
      Brian Delwiche authored 
      As a guard against the BLUFFS attack, check security parameters of
incoming connections against cached values and disallow connection if
these parameters are downgraded or changed from their cached values.

This CL adds the connection-time check for Secure Connections mode.

Bug: 314331379
Test: m libbluetooth
Test: manual

To test this CL, please ensure that BR/EDR initial connections and reconnections  (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types.  Basic validation of LE bonding functionality should be done as well.

Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20fdd9b3225a6084f6b666172817fe0a89f0679)
Merged-In: I9130476600d31b59608e0e419b5136d255174265
Change-Id: I9130476600d31b59608e0e419b5136d255174265
      b5155f05
  23. Jun 17, 2024
  25. Jun 13, 2024
  27. Jun 06, 2024
    • Android Build Coastguard Worker's avatar
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/27235141',... · eb0fb004
      Android Build Coastguard Worker authored 
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/27235141', 'googleplex-android-review.googlesource.com/27051267'] into security-aosp-udc-release.

Change-Id: I6ef70460b77304d0ab73c5f31a3404e18ee07c14
      eb0fb004
    • Brian Delwiche's avatar
      Fix heap-buffer overflow in sdp_utils.cc · 6afad4b3
      Brian Delwiche authored 
      Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with
an out of bounds comparison.  Although the bug claims this is due to a
comparison of a uuid with a smaller data field thana the discovery
attribute, my research suggests that this instead stems from a
comparison of a 128 bit UUID with a discovery attribute of some other,
invalid size.

Add checks for discovery attribute size.

Bug: 287184435
Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bbdb139bf91dca86c72c33a74c0e3407938c487)
Merged-In: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
Change-Id: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
      6afad4b3
    • Brian Delwiche's avatar
      Fix permission bypasses to multiple methods · b0e43755
      Brian Delwiche authored 
      Researcher reports that some BT calls across Binder are validating only
BT's own permissions and not the calling app's permissions.  On
investigation this seems to be due to a missing null check in several BT
permissions checks, which allows a malicious app to pass in a null
AttributionSource and therefore produce a stub AttributionSource chain
which does not properly check for the caller's permissions.

Add null checks, and correct tests which assumed a null was a valid
input.

Bug: 242996380
Test: atest UtilsTest
Test: researcher POC
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fe72f931db2898eb51a44e3b1b424c6370e8ad8)
Merged-In: I9bf6fac218dccc092debe0904e08eb23cc4583c0
Change-Id: I9bf6fac218dccc092debe0904e08eb23cc4583c0
      b0e43755
  29. May 11, 2024
    • Hui Peng's avatar
      Reland "Enforce authentication if encryption is required" · 5a48f1d2
      Hui Peng authored and Dhina17's avatar Dhina17 committed 
      While aosp/2863686 was rebased on internal security
fixes, aosp/2865187 was dropped, re-apply it.

Bug: 316244428
Test: m com.android.btservices
Flag: EXEMPT, tested/verfied on internal branches
Change-Id: I319dcfbc9bb9603c515ac0c2c647155211f95e26
      5a48f1d2
    • William Escande's avatar
      btm_sec: Class of device regression fix · c0a5763b
      William Escande authored and Dhina17's avatar Dhina17 committed 
      Bug: 314889276
Fix: 314889276
Test: Manual testing cf b/314889276#comment23
Flag: Exempt, unflag regression fix
Change-Id: I554c9c7b056bb096d3a9609dafe2d96d134f307c
      c0a5763b
  31. May 08, 2024
  33. Apr 09, 2024
  35. Apr 01, 2024