Commits · f4bd0731fcaa851f6fb7ea49389313e9398501a9 · LMODroid / platform_packages_modules_Bluetooth

Feb 16, 2023

Fix potential use after free in pan_api.cc · f4bd0731

Brian Delwiche authored 2 years ago

Structure length is checked in pan_api.cc after the structure may
be freed, leading to a potential use after free.

Save the buffer length to a local instead.  Note that BNEP_WriteBuf
may alter the length being written internally; this does not appear
to be an issue in this use case because the octet count being tracked
is used only for logging purposes within PAN.

Bug: 259939435
Test: atest bluetooth_test_gd_unit, validate against researcher POC
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I613b3dd3684182bdc725f9e1512061484448d367

f4bd0731

Feb 09, 2023
- Merge "Fix an OOB bug in gatt_dbg_op_name" into tm-dev · c87c558f
  Hui Peng authored 2 years ago
  
  c87c558f
Feb 07, 2023
- Merge "Fix a few bugs in btm_ble_batchscan_filter_track_adv_vse_cback" into tm-dev · aa366309
  Hui Peng authored 2 years ago
  
  aa366309
- Merge "Fix an OOB bug in btm_acl_process_sca_cmpl_pkt" into tm-dev · 8b062828
  Hui Peng authored 2 years ago
  
  8b062828
- Reject encryption drop in Common Criteria mode · 1ee290b8
  Brian Delwiche authored 2 years ago
  
  For NCIS certification, we need to drop the connection or reestablish encryption after receiving a command to disable link layer encryption on an encrypted link. However, dropping the connection for all devices breaks compatibility during role switch with devices running Bluetooth 2.1 or earlier, a category including many cars still in the field. Add a check forcing connections to drop in this case, conditioned on Common Criteria mode.. Bug: 251436534 Test: atest: bluetooth, lab validation forthcoming Tag: #security Ignore-AOSP-First: Security Change-Id: I94654ebeb16774643107ee41473725cfae3764ab
  1ee290b8
- Merge "Fix an OOB bug in btm_ble_ltk_request" into tm-dev · 9e1c9629
  Hui Peng authored 2 years ago
  
  9e1c9629
- Merge "Fix an OOB bug in remove_sdp_record" into tm-dev · 65930cfb
  Hui Peng authored 2 years ago
  
  65930cfb
- Merge "Fix an OOB bug in btm_ble_periodic_adv_sync_tx_rcvd" into tm-dev · 5d3fdb27
  Hui Peng authored 2 years ago
  
  5d3fdb27
- Fix a few bugs in btm_ble_batchscan_filter_track_adv_vse_cback · c5e898d3
  Hui Peng authored 2 years ago
  
  Bug: 261857395 Test: manual Tag: #security Ignore-AOSP-First: security Change-Id: I1ba4d1f1e62b1d77ac635cfb6b16cf175bfbf254
  c5e898d3
- Merge "Fix an OOB bug in on_remove_iso_data_path" into tm-dev · b8354c4e
  Hui Peng authored 2 years ago
  
  b8354c4e
- Fix an OOB bug in btm_ble_ltk_request · 47cd3886
  Hui Peng authored 2 years ago
  
  Bug: 254445961 Test: manual Ignore-AOSP-First: security Change-Id: I1d3c208a5281b88ed25c0028f1a0000d6957637c
  47cd3886
Feb 06, 2023
- Merge "Fix a nullptr-deref in on_create_record_event" into tm-dev · 334a5b3d
  Hui Peng authored 2 years ago
  
  334a5b3d
- Merge "Fix an OOB bug in register_notification_rsp" into tm-dev · e2418045
  Hui Peng authored 2 years ago
  
  e2418045
- Fix an OOB bug in remove_sdp_record · b9a94d52
  Hui Peng authored 2 years ago
  
  Bug: 245517503 Test: manual Ignore-AOSP-First: security Change-Id: If768b0b2e11bbc4444835fda28e246e285a7e8ab
  b9a94d52
- Fix an OOB bug in btm_acl_process_sca_cmpl_pkt · 4b008a2a
  Hui Peng authored 2 years ago
  
  Bug: 251427561 Test: manual Ignore-AOSP-First: security Change-Id: I2db2339631d521515cb34536e358ae72ebeaaa8b
  4b008a2a
- Fix an OOB bug in btm_ble_periodic_adv_sync_tx_rcvd · a24402da
  Hui Peng authored 2 years ago
  
  Bug: 233879420 Test: manual Ignore-AOSP-First: security Change-Id: Ic740e5ff3ceabf3df1e78431f7d31adf356479f0
  a24402da
Jan 31, 2023

Fix an OOB bug in on_remove_iso_data_path · 1a8a5ece

Hui Peng authored 2 years ago

Bug: 236688764
Test: manul
Ignore-AOSP-First: security
Tag: #security
Change-Id: I0ef4855e715be8fa9a69916e35d3a6c97498a9cc

1a8a5ece

Jan 25, 2023
- Merge "Revert "Fix an OOB bug in bta_hh_co_get_rpt_rsp"" into tm-dev · f9f1695e
  David Duarte authored 2 years ago
  
  f9f1695e
- Revert "Fix an OOB bug in bta_hh_co_get_rpt_rsp" · 2506a98f
  Hui Peng authored 2 years ago
  
  This reverts commit d2e67f50. Reason for revert: regression caused in 266585826 Change-Id: I86a5bb0b96332880a2a173ad57b96fb007e3ea83
  2506a98f
Jan 19, 2023

Fix an OOB bug in gatt_dbg_op_name · 8f013f79

Hui Peng authored 2 years ago

Bug: 260079141
Test: manual
Ignore-AOSP-First: security
Change-Id: If8be70e134fdf1f6edb43d0360c524fffed6045b

8f013f79

Jan 14, 2023

Fix an OOB bug in register_notification_rsp · daa3efc5

Hui Peng authored 2 years ago

Bug: 245916076
Test: manual
Ignore-AOSP-First: security
Change-Id: I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f

daa3efc5

Jan 12, 2023
- Fix a nullptr-deref in on_create_record_event · b45b8479
  Hui Peng authored 2 years ago
  
  Bug: 263545186 Test: manual Ignore-AOSP-First: security Change-Id: I0abbb67842850cc2f1298b43dc49a89445b40a43
  b45b8479
- Merge "Harden array bounds validation" into tm-dev · d0fc4262
  Brian Delwiche authored 2 years ago
  
  d0fc4262
Jan 11, 2023

Merge "Fix an OOB access bug in btm_vendor_specific_evt" into tm-dev · cbea7ae0
Hui Peng authored 2 years ago

cbea7ae0
Merge "Fix a potential OOB read resulted from integer underflow" into tm-dev · 0e1b29ee
Hui Peng authored 2 years ago

0e1b29ee

Fix an OOB bug in btm_read_rssi_complete · 047a68b1

Hui Peng authored 2 years ago

Bug: 260569232
Test: manual, to add regression
Tag: #security
Ignore-AOSP-First: security
Merged-In: I3d56c64f205c3675ba3856c1e553878b945ec261
Change-Id: I3d56c64f205c3675ba3856c1e553878b945ec261

047a68b1

Merge "Add regression test for b/254774758" into tm-dev · 976361c4
Hui Peng authored 2 years ago

976361c4

Add regression test for b/254774758 · be2a1570

Hui Peng authored 2 years ago

Bug: 254774758
Ignore-AOSP-First: security
Test: atest bluetooth_test_gd_unit
Merged-In: I1709af943b6fa238dd4df41a62e6add36984c9ec
Change-Id: I1709af943b6fa238dd4df41a62e6add36984c9ec

be2a1570

Merge "Add mocking support for now function in AttributionProcessor" into tm-dev · a3141b5d
Hui Peng authored 2 years ago

a3141b5d

Harden array bounds validation · 5409196d

Brian Delwiche authored 2 years ago

Several bounds checks in btif_rc.cc are not validated against
AVRC_MAX_APP_ATTR_SIZE, leading to a potential buffer overflow when
processing AVRCP responses exceeding that length.

This is a patch from Qualcomm which has been adapted to T.

Bug: 261468700
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
Change-Id: Ia71c9f22fa3eb0d2c2b50bf751a873a78919c38f

5409196d

Jan 10, 2023
- Fix an OOB access bug in btm_vendor_specific_evt · 9c12298c
  Hui Peng authored 2 years ago
  
  This CL also fix one of vendor specific event callbacks: BleAdvertiserVscHciInterfaceImpl::VendorSpecificEventCback. Other issues in the callbacks of this function are: - b/261857395, fix in I1ba4d1f1e62b1d77ac635cfb6b16cf175bfbf254. - b/264921486, fix in Ifed6a81c2a980394efbd5666305d10227d5ec186, Bug: 255304665 Test: manual Ignore-AOSP-First: security Tag: #security Change-Id: Ic9c43064db88a36aecb2a88f024db85f6cfc05f1
  9c12298c
- Merge "Fix an OOB bug in btm_delete_stored_link_key_complete" into tm-dev · e6d1eec3
  Hui Peng authored 2 years ago
  
  e6d1eec3
- Merge "Fix an OOB bug in btm_ble_rand_enc_complete" into tm-dev · 56bb00a1
  Hui Peng authored 2 years ago
  
  56bb00a1
- Merge "Fix an OOB bug in btm_read_tx_power_complete" into tm-dev · ba4fd4c7
  Hui Peng authored 2 years ago
  
  ba4fd4c7
- Merge "Fix an OOB bug in btu_ble_rc_param_req_evt" into tm-dev · 90569993
  Hui Peng authored 2 years ago
  
  90569993
- Merge "Fix an OOB bug in btm_ble_read_remote_features_complete" into tm-dev · 398f10c5
  Hui Peng authored 2 years ago
  
  398f10c5
- Merge "Fix an OOB bug in btu_ble_ll_conn_param_upd_evt" into tm-dev · 78e6c132
  Hui Peng authored 2 years ago
  
  78e6c132
- Merge "Fix an OOB write in BTA_GATTS_HandleValueIndication" into tm-dev · 45027bbe
  Hui Peng authored 2 years ago
  
  45027bbe
- Merge "Fix an OOB bug in btm_create_conn_cancel_complete" into tm-dev · 0a903879
  Hui Peng authored 2 years ago
  
  0a903879
- Merge "Fix an OOB bug in btm_ble_write_adv_enable_complete" into tm-dev · 96c12159
  Hui Peng authored 2 years ago
  
  96c12159