- Mar 06, 2025
-
-
Dhina17 authored
Android Security 14.0.0 Release 18 (12895206) * tag 'android-security-14.0.0_r18' of https://android.googlesource.com/platform/packages/modules/Bluetooth: Fix UAF in sdp_discovery.cc Use encrypted link for avdtp and avctp channels Conflicts: system/stack/avct/avct_api.cc Change-Id: If803d7e69214b512d5ed59fcd7becc7fa47191f5
-
- Feb 26, 2025
-
-
Dhina17 authored
Android Security 14.0.0 Release 17 (12787469) * tag 'android-security-14.0.0_r17' of https://android.googlesource.com/platform/packages/modules/Bluetooth: Reset permissions for not bonded device RESTRICT AUTOMERGE backport "opp: validate that content uri belongs to current user" Resolve incomplete fix for SMP authentication bypass Conflicts: android/app/src/com/android/bluetooth/btservice/BondStateMachine.java android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java system/stack/smp/smp_act.cc Change-Id: I504b54da1bb173098da08c815c18dbe3f491d90d
-
- Jan 09, 2025
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/29553782', 'googleplex-android-review.googlesource.com/29779766'] into security-aosp-udc-release. Change-Id: I965d1aa33f67105414b4d4c1060db28f2d1fab6b
-
Brian Delwiche authored
It is possible with modifications to a client to open two connections against the same SDP discovery database. If this happens, it becomes possible to reference a freed instance of the discovery database in the second connection once the first one is closed. To guard against this, check during discovery if a database has already been allocated, and abort iff it has. Also, add a null check to process_service_search_attr_rsp to guard against unchecked calls to the SDP discovery database. Bug: 291281168 Bug: 356201480 Flag: com.android.bluetooth.flags.btsec_check_valid_discovery_database Test: atest bluetooth_test_gd_unit, net_test_stack_sdp Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7bc0115a7cbad342628c8428af1b8181ee1ae94) Merged-In: I754bf8292e1e0d8e90e78fa87889284e26aa5818 Change-Id: I754bf8292e1e0d8e90e78fa87889284e26aa5818
-
Brian Delwiche authored
This is a backport of the AOSP changes for b/345258562. Test: mmm packages/modules/Bluetooth Bug: 345258562 Ignore-AOSP-First: security Tag: #security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7ff46bc6dc9d5afd601fb05ae1907286d03babe) Merged-In: I4ef23f9dec4aaae6a526c11a7c2489159bd7fdf8 Change-Id: I4ef23f9dec4aaae6a526c11a7c2489159bd7fdf8
-
- Dec 12, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/29693205', 'googleplex-android-review.googlesource.com/30387611'] into security-aosp-udc-release. Change-Id: I3ab827be10a18d55753724720471561679d93996
-
Brian Delwiche authored
According to the PBAP specification, The PSE user shall have to confirm at least the first Phone Book Access Profile connection from each new PCE. According to the MAP specification, The MCE and MSE shall be bonded before setting up a Message Access Profile connection. Let's remove the permissions when the device is unbonded. This is a backport of change ag/30386015 but requires minor changes to logic. Flag: EXEMPT, security fix Bug: 289375038 Bug: 289811388 Test: atest BluetoothInstrumentationTests Ignore-AOSP-First: security fix (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:968d2a53399e7fba43b6f51b632fafddc7b99e09) Merged-In: I8b9b29310db2d14e5dfaddc81a682366fbef42d3 Change-Id: I8b9b29310db2d14e5dfaddc81a682366fbef42d3
-
Billy Huang authored
Bug: 296915500 Flag: EXEMPT trivial fix with complete testing coverage Test: atest GoogleBluetoothInstrumentationTests:BluetoothOppSendFileInfoTest Ignore-AOSP-First: fix for undisclosed vulnerability (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2c5add83a18d87ea4a46bc8ab7f675e32c8d6a56) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0de38e22f1771fde73340d7b209342751616fa0b) Merged-In: I0b6423025c95c13eeea3cbf584212913b5fbf307 Change-Id: I0b6423025c95c13eeea3cbf584212913b5fbf307
-
- Dec 07, 2024
-
-
Dhina17 authored
Android Security 14.0.0 Release 15 (12496787) * tag 'android-security-14.0.0_r15' of https://android.googlesource.com/platform/packages/modules/Bluetooth: Fix OOB writes in gatt_sr.cc Encrypt LE link immediately on reconnection Fix "GATT Read Multiple Variable Response" builder Fix OOB write in build_read_multi_rsp of gatt_sr.cc Conflicts: system/stack/gatt/gatt_sr.cc Change-Id: Icbefa56d427d00dc5114fb67c3060d69c8f856f2
-
- Nov 06, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/29861874'] into security-aosp-udc-release. Change-Id: Icbe27f40de59c90a5c5ba60371980a0ec043f31c
-
Brian Delwiche authored
Fix for b/25992313 was landed correctly on main, but in older branches SMP contains identical functions smp_proc_init and smp_proc_rand, both of which exhibit the problem, and only the former of which was patched. This allows the problem to still appear on branches from sc-dev to udc-dev. Add the logic to smp_proc_rand. Bug: 251514170 Test: m com.android.btservices Tag: #security Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:16a745956dbaff2d37d0e7afdf662314ea379f29) Merged-In: I51e99c18a322a29632a6cac09ddb2b07bea482fc Change-Id: I51e99c18a322a29632a6cac09ddb2b07bea482fc
-
- Oct 14, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/29693391'] into security-aosp-udc-release. Change-Id: Ie8cbd82a476d027f634378fb3d9b15cd4991b5ca
-
Brian Delwiche authored
At various points in gatt_sr.cc, the output of the gatt_tcb_get_payload_size function is used without checking for a positive length. However, in exceptional cases it is possible for the channel to be closed at the time the function is called, which will lead to a zero length and cause an OOB write in subsequent processing. Fix all of these. Bug: 364026473 Bug: 364027038 Bug: 364027949 Bug: 364025411 Test: m libbluetooth Test: researcher POC Flag: EXEMPT trivial validity checks Tag: #security Ignore-AOSP-First: Security (cherry picked from commit 7de5617f7d5266fe57c990c428621b5d4e92728a) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:130861eadc3d9eda593df949666e561dd1f020fc) Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404 Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
-
Dhina17 authored
Merge tag 'android-security-14.0.0_r13' of https://android.googlesource.com/platform/packages/modules/Bluetooth into HEAD Android Security 14.0.0 Release 13 (12199513) * tag 'android-security-14.0.0_r13' of https://android.googlesource.com/platform/packages/modules/Bluetooth: RESTRICT AUTOMERGE Disallow unexpected incoming HID connections Conflicts: android/app/jni/com_android_bluetooth_hid_host.cpp android/app/src/com/android/bluetooth/hid/HidHostService.java system/btif/include/btif_hh.h system/btif/src/btif_hh.cc system/btif/src/btif_profile_storage.cc Change-Id: I5a93035ba9ef47c8dd63877d9467b840f61c897c
-
Dhina17 authored
Merge tag 'android-security-14.0.0_r12' of https://android.googlesource.com/platform/packages/modules/Bluetooth into HEAD Android security 14.0.0 release 12 * tag 'android-security-14.0.0_r12' of https://android.googlesource.com/platform/packages/modules/Bluetooth: Add support for checking security downgrade Disallow connect with key length downgrade Disallow connect with Secure Connections downgrade Fix heap-buffer overflow in sdp_utils.cc Fix permission bypasses to multiple methods Fix an authentication bypass bug in SMP Fix a security bypass issue in access_secure_service_from_temp_bond Reland: Fix an OOB write bug in attp_build_value_cmd Revert "Fix an OOB write bug in attp_build_value_cmd" Fix an OOB write bug in attp_build_value_cmd Fix an OOB bug in smp_proc_sec_req Revert "Fix an OOB write bug in attp_build_value_cmd" Fix an OOB write bug in attp_build_value_cmd Fix an OOB write bug in attp_build_read_by_type_value_cmd Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd Fix some OOB errors in BTM parsing Fix timing attack in BTM_BleVerifySignature Fix an OOB bug in parse_gap_data Factor out duplicate code for parsing gap data [conflict] Merge "Add bounds checks in btif_avrcp_audio_track.cc" into tm-dev am: 0b68bd68 am: 52d169b1 Fix UAF in ~CallbackEnv Fix OOB in a2dp_vendor_opus_decoder_decode_packet Enforce authentication if encryption is required Reorganize the code for checking auth requirement Reject access to secure service authenticated from a temp bonding [3] Reject access to secure services authenticated from temp bonding [2] Reject access to secure service authenticated from a temp bonding [1] Fix multiple OOB bugs in btm_ble_gap.cc Fix 2 OOB bugs in CreateAudioBroadcast Conflicts: system/bta/le_audio/broadcaster/broadcaster.cc system/btif/src/btif_storage.cc system/include/hardware/bluetooth.h system/main/shim/Android.bp system/main/shim/le_advertising_manager.cc system/main/shim/utils.cc system/stack/a2dp/a2dp_vendor_opus_decoder.cc system/stack/btm/btm_ble.cc system/stack/btm/btm_ble_gap.cc system/stack/btm/btm_sec.cc system/stack/btm/btm_sec.h system/stack/btu/btu_hcif.cc system/stack/include/sec_hci_link_interface.h system/stack/sdp/sdp_utils.cc system/stack/smp/smp_act.cc system/test/headless/bt_property.cc system/test/mock/mock_stack_btm_sec.cc Change-Id: Ibe2d623dc8664059ef9e87f14a4ddfbe5e3cb2d2
-
- Oct 09, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/28504378', 'googleplex-android-review.googlesource.com/28904341', 'googleplex-android-review.googlesource.com/29360799'] into security-aosp-udc-release. Change-Id: I05f33bd267e383619d7b8b337293357470041a1a
-
Brian Delwiche authored
LE link must be encrypted immediately on connection if device are already bonded. This is a backport of ag/29056565, but the code needs to go in a different location because that patch relies on recent feature work. Ignore-AOSP-First: security Test: mmm packages/modules/Bluetooth Bug: 288144143 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0064c0b351fc0902ebbf7bff2e84ce888abb396e) Merged-In: I7147c837ecab6c67943fc6fd78a9949f3381df62 Change-Id: I7147c837ecab6c67943fc6fd78a9949f3381df62
-
Jakub Pawlowski authored
0 length value is perfectly fine, and should result in just length added into the packet. Currently, for 0 length value we just break out of loop, and don't add any value. This means, that if first characetristic in response had 0 length, we would return empty packet. Ignore-AOSP-First: security fix Test: mma -j32; Bug: 352696105 Bug: 356886209 Flag: exempt, obvious logic fix (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ba907afffe1fdc00570f935ce3563d28ea45f5cd) Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608 Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
-
Brian Delwiche authored
build_read_multi_rsp is missing a bounds check, which can lead to an OOB write when the mtu parameter is set to zero. Add that bounds check. Bug: 323850943 Test: atest GattSrTest Test: researcher POC Tag: #security Flag: EXEMPT trivial validity checks Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cad927034a371b82a4a07a16ec442eb261f6153f) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d5c170681e728ec3b72f6f0799207b2f7e5ea1d) Merged-In: I18e4325dbc9d6814220332288c85b114d0415c2f Change-Id: I18e4325dbc9d6814220332288c85b114d0415c2f
-
- Aug 08, 2024
-
-
Dhina17 authored
Android 14.0.0 Release 55 (AP2A.240805.005) * tag 'android-14.0.0_r55' of https://android.googlesource.com/platform/packages/modules/Bluetooth: Fix permission bypasses to multiple methods Change-Id: If5ba7ce8970e53c80c4b11751131e0fd675c1ed7
-
- Aug 07, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/28501767'] into security-aosp-udc-release. Change-Id: I48ecfe1977f7ac23447ceeab8be64437c6503aa2
-
Himanshu Rawat authored
HID profile accepted any new incoming HID connection. Even when the connection policy disabled HID connection, remote devices could initiate HID connection. This change ensures that incoming HID connection are accepted only if application was interested in that HID connection. This vulnerarbility no longer exists on the main because of feature request b/324093729. Test: mmm packages/modules/Bluetooth Test: Manual | Pair and connect a HID device, disable HID connection from Bluetooth device setting, attempt to connect from the HID device. Bug: 308429049 Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bdd92020a9c14c3f541b39624c5b1e0af599acc5) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:358b66af175f423523c5d90bb8aea4b3eb084172) Merged-In: Iba2ac3502bf1e6e4ac1f60ed64b1b074facd880b Change-Id: Iba2ac3502bf1e6e4ac1f60ed64b1b074facd880b
-
- Jul 10, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059673', 'googleplex-android-review.googlesource.com/27059674', 'googleplex-android-review.googlesource.com/27695267'] into security-aosp-udc-release. Change-Id: Ib319ba41488207f4afcb5365b129ebe44e3a8e4d
-
Brian Delwiche authored
As a guard against the BLUFFS attack, we will need to check the security parameters of incoming connections against cached values and disallow connection if these parameters are downgraded or changed from their cached values. Future CLs will add checks during connection. This CL adds the functions that will be needed to perform those checks and the necessary mocks. Currently supported checks are : IO capabilities (must be an exact match), Secure Connections capability (must not be a downgrade), and session key length (must not be a downgrade). Maximum session key length, which was previously not cached, has been added to the device security manager cache. To QA: This CL is a logical no-op by itself. Tests should be performed as described in ag/25815924 and ag/25815925/ Bug: 314331379 Test: m libbluetooth Tag: #security Ignore-AOSP-First: Security (cherry picked from commit 3cf3d9d9) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c17811e6a2357eb34368a1a0a6ed5dec19d980ed) Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f
-
Brian Delwiche authored
As a guard against the BLUFFS attack, check security parameters of incoming connections against cached values and disallow connection if these parameters are downgraded or changed from their cached values. This CL adds the connection-time check for session key length. To test, please validate that bonding can be established and reestablished against devices with session key lengths of 7 and 16 bits, that session key lengths of less than 7 bits are refused, and that basic LE bonding functionality still works. If it is possible to configure a remote device to establish a bond with a session key length of 16 bits and then reduce that key length to <16 bits before reconnection, this should fail. Bug: 314331379 Test: m libbluetooth Test: manual Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6e9fdf182afb57cecac6c56603aa20d758090a4) Merged-In: I27be1f93598820a0f2a7154ba83f5b041878c21f Change-Id: I27be1f93598820a0f2a7154ba83f5b041878c21f
-
Brian Delwiche authored
As a guard against the BLUFFS attack, check security parameters of incoming connections against cached values and disallow connection if these parameters are downgraded or changed from their cached values. This CL adds the connection-time check for Secure Connections mode. Bug: 314331379 Test: m libbluetooth Test: manual To test this CL, please ensure that BR/EDR initial connections and reconnections (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types. Basic validation of LE bonding functionality should be done as well. Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20fdd9b3225a6084f6b666172817fe0a89f0679) Merged-In: I9130476600d31b59608e0e419b5136d255174265 Change-Id: I9130476600d31b59608e0e419b5136d255174265
-
- Jun 17, 2024
-
-
Mohammad Hasan Keramat J authored
Android 14.0.0 Release 50 (AP2A.240605.024) Change-Id: I2ef189ec6f5a8fcdd58070da3aa2f42b010943a2
-
- Jun 13, 2024
-
-
Android Build Coastguard Worker authored
Change-Id: Id479e9adf8ec0a30faaf4fe6d19d58e66ddbdcb5
-
Brian Delwiche authored
Researcher reports that some BT calls across Binder are validating only BT's own permissions and not the calling app's permissions. On investigation this seems to be due to a missing null check in several BT permissions checks, which allows a malicious app to pass in a null AttributionSource and therefore produce a stub AttributionSource chain which does not properly check for the caller's permissions. Add null checks, and correct tests which assumed a null was a valid input. Bug: 242996380 Test: atest UtilsTest Test: researcher POC Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8098771bca75166d06f9591d0d2110ed089ee6a7) Merged-In: I76f49fee440726a7c0714385564ddf0e3e8522b5 Change-Id: I76f49fee440726a7c0714385564ddf0e3e8522b5
-
- Jun 06, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/27235141', 'googleplex-android-review.googlesource.com/27051267'] into security-aosp-udc-release. Change-Id: I6ef70460b77304d0ab73c5f31a3404e18ee07c14
-
Brian Delwiche authored
Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with an out of bounds comparison. Although the bug claims this is due to a comparison of a uuid with a smaller data field thana the discovery attribute, my research suggests that this instead stems from a comparison of a 128 bit UUID with a discovery attribute of some other, invalid size. Add checks for discovery attribute size. Bug: 287184435 Test: atest bluetooth_test_gd_unit, net_test_stack_sdp Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bbdb139bf91dca86c72c33a74c0e3407938c487) Merged-In: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43 Change-Id: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
-
Brian Delwiche authored
Researcher reports that some BT calls across Binder are validating only BT's own permissions and not the calling app's permissions. On investigation this seems to be due to a missing null check in several BT permissions checks, which allows a malicious app to pass in a null AttributionSource and therefore produce a stub AttributionSource chain which does not properly check for the caller's permissions. Add null checks, and correct tests which assumed a null was a valid input. Bug: 242996380 Test: atest UtilsTest Test: researcher POC Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fe72f931db2898eb51a44e3b1b424c6370e8ad8) Merged-In: I9bf6fac218dccc092debe0904e08eb23cc4583c0 Change-Id: I9bf6fac218dccc092debe0904e08eb23cc4583c0
-
- May 11, 2024
-
-
Bug: 314889276 Fix: 314889276 Test: Manual testing cf b/314889276#comment23 Flag: Exempt, unflag regression fix Change-Id: I554c9c7b056bb096d3a9609dafe2d96d134f307c
- May 08, 2024
-
-
Android Build Coastguard Worker authored
Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059478'] into security-aosp-udc-release. Change-Id: I50e49019ee1d81ffd6ae65779041ff31dca091fa
-
Brian Delwiche authored
When pairing with BLE legacy pairing initiated from remote, authentication can be bypassed. This change fixes it. Bug: 251514170 Test: m com.android.btservices Test: manual run against PoC Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:25a3fcd487c799d5d9029b8646159a0b10143d97) Merged-In: I369a8fdd675eca731a7a488ed6a2be645058b795 Change-Id: I369a8fdd675eca731a7a488ed6a2be645058b795
-
Dhina17 authored
Android 14.0.0 release 35 * tag 'android-14.0.0_r35' of https://android.googlesource.com/platform/packages/modules/Bluetooth: leaudio: Fix crash on metadata update Change-Id: I9e42543fb89cb66d8d3b15871782b7695d677e50
-
- Apr 09, 2024
-
-
Android Build Coastguard Worker authored
Change-Id: I971792158f583f17c653c9bf2e17e0c703d3e150
-
Thomas Girardier authored
This reverts commit bac3e50f. Reason for revert: b/331855635 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:34ee990ee72693cd534d7d696f3a52c9c5a5bfd8) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e214741ee05dd6bad9bf1d7a62c1448c7eee4332) Merged-In: I471269cb5ecd4aef32c6648ad575baea44b562d1 Change-Id: I471269cb5ecd4aef32c6648ad575baea44b562d1
-
- Apr 01, 2024
-
-
[Description] Add VSC cmd for low latency mode CR-Id: ALPS08619561 Bug: 309700239 Test: m . Flag: EXEMPT VSC command Change-Id: I789b6bddfc6b5661430b399943d1288a7c52e988
-