  1. Mar 06, 2025
  2. Feb 26, 2025
      Merge tag 'android-security-14.0.0_r17' into fourteen · c06923aa
      Dhina17 authored
      Android Security 14.0.0 Release 17 (12787469)
      
      * tag 'android-security-14.0.0_r17' of https://android.googlesource.com/platform/packages/modules/Bluetooth:
        Reset permissions for not bonded device
        RESTRICT AUTOMERGE backport "opp: validate that content uri belongs to current user"
        Resolve incomplete fix for SMP authentication bypass
      
       Conflicts:
      	android/app/src/com/android/bluetooth/btservice/BondStateMachine.java
      	android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java
      	system/stack/smp/smp_act.cc
      
      Change-Id: I504b54da1bb173098da08c815c18dbe3f491d90d
  3. Jan 09, 2025
  4. Dec 12, 2024
  5. Dec 07, 2024
  6. Nov 06, 2024
  7. Oct 14, 2024
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/29693391']... · 043d5b99
      Android Build Coastguard Worker authored
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/29693391'] into security-aosp-udc-release.
      
      Change-Id: Ie8cbd82a476d027f634378fb3d9b15cd4991b5ca
      Fix OOB writes in gatt_sr.cc · c7468e64
      Brian Delwiche authored
      At various points in gatt_sr.cc, the output of the
      gatt_tcb_get_payload_size function is used without checking for a
      positive length.  However, in exceptional cases it is possible for the
      channel to be closed at the time the function is called, which will lead
      to a zero length and cause an OOB write in subsequent processing.
      
      Fix all of these.
      
      Bug: 364026473
      Bug: 364027038
      Bug: 364027949
      Bug: 364025411
      Test: m libbluetooth
      Test: researcher POC
      Flag: EXEMPT trivial validity checks
      Tag: #security
      Ignore-AOSP-First: Security
      (cherry picked from commit 7de5617f7d5266fe57c990c428621b5d4e92728a)
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:130861eadc3d9eda593df949666e561dd1f020fc)
      Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
      Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
      Merge tag 'android-security-14.0.0_r13' of... · 41da7df8
      Dhina17 authored
      Merge tag 'android-security-14.0.0_r13' of https://android.googlesource.com/platform/packages/modules/Bluetooth into HEAD
      
      Android Security 14.0.0 Release 13 (12199513)
      
      * tag 'android-security-14.0.0_r13' of https://android.googlesource.com/platform/packages/modules/Bluetooth:
        RESTRICT AUTOMERGE Disallow unexpected incoming HID connections
      
       Conflicts:
      	android/app/jni/com_android_bluetooth_hid_host.cpp
      	android/app/src/com/android/bluetooth/hid/HidHostService.java
      	system/btif/include/btif_hh.h
      	system/btif/src/btif_hh.cc
      	system/btif/src/btif_profile_storage.cc
      
      Change-Id: I5a93035ba9ef47c8dd63877d9467b840f61c897c
      Merge tag 'android-security-14.0.0_r12' of... · 7cf6e7e8
      Dhina17 authored
      Merge tag 'android-security-14.0.0_r12' of https://android.googlesource.com/platform/packages/modules/Bluetooth into HEAD
      
      Android security 14.0.0 release 12
      
      * tag 'android-security-14.0.0_r12' of https://android.googlesource.com/platform/packages/modules/Bluetooth:
        Add support for checking security downgrade
        Disallow connect with key length downgrade
        Disallow connect with Secure Connections downgrade
        Fix heap-buffer overflow in sdp_utils.cc
        Fix permission bypasses to multiple methods
        Fix an authentication bypass bug in SMP
        Fix a security bypass issue in access_secure_service_from_temp_bond
        Reland: Fix an OOB write bug in attp_build_value_cmd
        Revert "Fix an OOB write bug in attp_build_value_cmd"
        Fix an OOB write bug in attp_build_value_cmd
        Fix an OOB bug in smp_proc_sec_req
        Revert "Fix an OOB write bug in attp_build_value_cmd"
        Fix an OOB write bug in attp_build_value_cmd
        Fix an OOB write bug in attp_build_read_by_type_value_cmd
        Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
        Fix some OOB errors in BTM parsing
        Fix timing attack in BTM_BleVerifySignature
        Fix an OOB bug in parse_gap_data
        Factor out duplicate code for parsing gap data
        [conflict] Merge "Add bounds checks in btif_avrcp_audio_track.cc" into tm-dev am: 0b68bd68 am: 52d169b1
        Fix UAF in ~CallbackEnv
        Fix OOB in a2dp_vendor_opus_decoder_decode_packet
        Enforce authentication if encryption is required
        Reorganize the code for checking auth requirement
        Reject access to secure service authenticated from a temp bonding [3]
        Reject access to secure services authenticated from temp bonding [2]
        Reject access to secure service authenticated from a temp bonding [1]
        Fix multiple OOB bugs in btm_ble_gap.cc
        Fix 2 OOB bugs in CreateAudioBroadcast
      
       Conflicts:
      	system/bta/le_audio/broadcaster/broadcaster.cc
      	system/btif/src/btif_storage.cc
      	system/include/hardware/bluetooth.h
      	system/main/shim/Android.bp
      	system/main/shim/le_advertising_manager.cc
      	system/main/shim/utils.cc
      	system/stack/a2dp/a2dp_vendor_opus_decoder.cc
      	system/stack/btm/btm_ble.cc
      	system/stack/btm/btm_ble_gap.cc
      	system/stack/btm/btm_sec.cc
      	system/stack/btm/btm_sec.h
      	system/stack/btu/btu_hcif.cc
      	system/stack/include/sec_hci_link_interface.h
      	system/stack/sdp/sdp_utils.cc
      	system/stack/smp/smp_act.cc
      	system/test/headless/bt_property.cc
      	system/test/mock/mock_stack_btm_sec.cc
      
      Change-Id: Ibe2d623dc8664059ef9e87f14a4ddfbe5e3cb2d2
  8. Oct 09, 2024
  9. Aug 08, 2024
  10. Aug 07, 2024
  11. Jul 10, 2024
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059673',... · a1097edc
      Android Build Coastguard Worker authored
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/27059673', 'googleplex-android-review.googlesource.com/27059674', 'googleplex-android-review.googlesource.com/27695267'] into security-aosp-udc-release.
      
      Change-Id: Ib319ba41488207f4afcb5365b129ebe44e3a8e4d
      Add support for checking security downgrade · fbdaf02a
      Brian Delwiche authored
      As a guard against the BLUFFS attack, we will need to check the security
      parameters of incoming connections against cached values and disallow
      connection if these parameters are downgraded or changed from their
      cached values.
      
      Future CLs will add checks during connection.  This CL adds the
      functions that will be needed to perform those checks and the necessary
      mocks.
      Currently supported checks are: IO capabilities (must be an exact match),
      Secure Connections capability (must not be a downgrade), and session key
      length (must not be a downgrade).  Maximum session key length, which was
      previously not cached, has been added to the device security manager
      cache.
      
      To QA: This CL is a logical no-op by itself.  Tests should be performed as described in ag/25815924 and ag/25815925/
      
      Bug: 314331379
      Test: m libbluetooth
      Tag: #security
      Ignore-AOSP-First: Security
      (cherry picked from commit 3cf3d9d9)
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c17811e6a2357eb34368a1a0a6ed5dec19d980ed)
      Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f
      Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f
      Disallow connect with key length downgrade · 024980ba
      Brian Delwiche authored
      As a guard against the BLUFFS attack, check security parameters of
      incoming connections against cached values and disallow connection if
      these parameters are downgraded or changed from their cached values.
      
      This CL adds the connection-time check for session key length.
      
      To test, please validate that bonding can be established and
      reestablished against devices with session key lengths of 7 and 16 bits,
      that session key lengths of less than 7 bits are refused, and that basic
      LE bonding functionality still works.  If it is possible to configure a
      remote device to establish a bond with a session key length of 16 bits
      and then reduce that key length to <16 bits before reconnection, this
      should fail.
      
      Bug: 314331379
      Test: m libbluetooth
      Test: manual
      
      Tag: #security
      Ignore-AOSP-First: Security
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6e9fdf182afb57cecac6c56603aa20d758090a4)
      Merged-In: I27be1f93598820a0f2a7154ba83f5b041878c21f
      Change-Id: I27be1f93598820a0f2a7154ba83f5b041878c21f
      Disallow connect with Secure Connections downgrade · b5155f05
      Brian Delwiche authored
      As a guard against the BLUFFS attack, check security parameters of
      incoming connections against cached values and disallow connection if
      these parameters are downgraded or changed from their cached values.
      
      This CL adds the connection-time check for Secure Connections mode.
      
      Bug: 314331379
      Test: m libbluetooth
      Test: manual
      
      To test this CL, please ensure that BR/EDR initial connections and reconnections (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types.  Basic validation of LE bonding functionality should be done as well.
      
      Tag: #security
      Ignore-AOSP-First: Security
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20fdd9b3225a6084f6b666172817fe0a89f0679)
      Merged-In: I9130476600d31b59608e0e419b5136d255174265
      Change-Id: I9130476600d31b59608e0e419b5136d255174265
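The three BLUFFS-related commits above describe one policy: compare an incoming connection's security parameters with the values cached at pairing, require an exact IO-capability match, and refuse any Secure Connections or key-length downgrade. The following is an added illustration of that policy, not the Bluetooth stack's own code; the `SecParams` struct, `Verdict` enum and `CheckSecurityDowngrade` function are assumptions, and key length is treated in whatever units the stack reports (the messages accept 7 to 16 and refuse below 7).

```cpp
#include <cstdint>
#include <optional>

// Security parameters as recorded at pairing (cached) or offered by an
// incoming connection. Constructed struct for this example, not the stack's.
struct SecParams {
  uint8_t io_cap;           // IO capability exchanged during pairing
  bool secure_connections;  // peer advertised Secure Connections support
  uint8_t key_len;          // negotiated encryption key length
};

enum class Verdict {
  kAllow,
  kKeyLenInvalid,   // outside the accepted 7..16 range
  kIoCapMismatch,   // IO capability differs from the cached value
  kScDowngrade,     // cached peer used Secure Connections, incoming does not
  kKeyLenDowngrade  // incoming key length shorter than cached
};

// Bounds the commit messages describe: 7 to 16 accepted, below 7 refused.
constexpr uint8_t kMinKeyLen = 7;
constexpr uint8_t kMaxKeyLen = 16;

// With no cached record (first pairing) only the range check applies;
// otherwise IO capability must match exactly and neither Secure Connections
// nor key length may be lower than what was cached. Upgrades are allowed.
Verdict CheckSecurityDowngrade(const std::optional<SecParams>& cached,
                               const SecParams& incoming) {
  if (incoming.key_len < kMinKeyLen || incoming.key_len > kMaxKeyLen) {
    return Verdict::kKeyLenInvalid;
  }
  if (!cached.has_value()) {
    return Verdict::kAllow;
  }
  if (incoming.io_cap != cached->io_cap) {
    return Verdict::kIoCapMismatch;
  }
  if (cached->secure_connections && !incoming.secure_connections) {
    return Verdict::kScDowngrade;
  }
  if (incoming.key_len < cached->key_len) {
    return Verdict::kKeyLenDowngrade;
  }
  return Verdict::kAllow;
}
```

Any verdict other than `kAllow` is the point at which the connection attempt would be refused rather than continued with weaker parameters.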
  12. Jun 17, 2024
  13. Jun 13, 2024
  14. Jun 06, 2024
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/27235141',... · eb0fb004
      Android Build Coastguard Worker authored
      Merge cherrypicks of ['googleplex-android-review.googlesource.com/27235141', 'googleplex-android-review.googlesource.com/27051267'] into security-aosp-udc-release.
      
      Change-Id: I6ef70460b77304d0ab73c5f31a3404e18ee07c14
      Fix heap-buffer overflow in sdp_utils.cc · 6afad4b3
      Brian Delwiche authored
      Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with
      an out of bounds comparison.  Although the bug claims this is due to a
      comparison of a uuid with a smaller data field than a the discovery
      attribute, my research suggests that this instead stems from a
      comparison of a 128 bit UUID with a discovery attribute of some other,
      invalid size.
      
      Add checks for discovery attribute size.
      
      Bug: 287184435
      Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
      Tag: #security
      Ignore-AOSP-First: Security
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bbdb139bf91dca86c72c33a74c0e3407938c487)
      Merged-In: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
      Change-Id: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
      Fix permission bypasses to multiple methods · b0e43755
      Brian Delwiche authored
      Researcher reports that some BT calls across Binder are validating only
      BT's own permissions and not the calling app's permissions.  On
      investigation this seems to be due to a missing null check in several BT
      permissions checks, which allows a malicious app to pass in a null
      AttributionSource and therefore produce a stub AttributionSource chain
      which does not properly check for the caller's permissions.
      
      Add null checks, and correct tests which assumed a null was a valid
      input.
      
      Bug: 242996380
      Test: atest UtilsTest
      Test: researcher POC
      Tag: #security
      Ignore-AOSP-First: Security
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fe72f931db2898eb51a44e3b1b424c6370e8ad8)
      Merged-In: I9bf6fac218dccc092debe0904e08eb23cc4583c0
      Change-Id: I9bf6fac218dccc092debe0904e08eb23cc4583c0
  15. May 11, 2024
      Reland "Enforce authentication if encryption is required" · 5a48f1d2
      Hui Peng authored and Dhina17 committed
      While aosp/2863686 was rebased on internal security
      fixes, aosp/2865187 was dropped, re-apply it.
      
      Bug: 316244428
      Test: m com.android.btservices
      Flag: EXEMPT, tested/verified on internal branches
      Change-Id: I319dcfbc9bb9603c515ac0c2c647155211f95e26
      btm_sec: Class of device regression fix · c0a5763b
      William Escande authored and Dhina17 committed
      Bug: 314889276
      Fix: 314889276
      Test: Manual testing cf b/314889276#comment23
      Flag: Exempt, unflag regression fix
      Change-Id: I554c9c7b056bb096d3a9609dafe2d96d134f307c
  16. May 08, 2024
  17. Apr 09, 2024
  18. Apr 01, 2024