Commit log (commit message, author, date, files changed, lines -/+)
* Fix an OOB Write bug in avrc_vendor_msg (HEAD, t13.0)
  Author: Hui Peng  Date: 2025-10-07  Files: 1  Lines: -2/+13

  Plus some cleanup

  Bug: 271962784
  Test: manual
  Ignore-AOSP-First: security
  Tag: #security
  (cherry picked from commit d5de235b461ec83e43a7db513e286d3204c4cedf)
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7f685c51b0bc63369107efe59b12162bbb145a4d)
  Merged-In: Ice5ad780ac0b177c73d84ed37960b4540df1ec86
  Change-Id: Ice5ad780ac0b177c73d84ed37960b4540df1ec86
* Fix OOB read in add_attr
  Author: Brian Delwiche  Date: 2025-07-09  Files: 1  Lines: -0/+5

  It is possible in exceptional cases for add_attr to be passed a p pointer one byte short of its p_end pointer, which leads to an OOB read as it attempts to read the type of the next attribute. Add a check for this.

  Bug: 367274727
  Test: m libbluetooth
  Ignore-AOSP-First: security
  Tag: security
  Flag: EXEMPT trivial validity check
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:319bb08af014e30654548c679f5e1cb2721c0c60)
  Merged-In: Ic3079c4c2d6933355cf4e8444e8f25ebedeafefe
  Change-Id: Ic3079c4c2d6933355cf4e8444e8f25ebedeafefe
* Fix OOB read in bta_av_setconfig_rej
  Author: Brian Delwiche  Date: 2025-07-09  Files: 1  Lines: -1/+1

  The bta_av_config_ind function in bta_av_aact.cc makes a call in some user journeys to bta_av_setconfig_rej, constructing its p_data argument (a union datatype) as a tBTA_AV_CI_SETCONFIG. This is a valid member of the union, but bta_av_setconfig_rej makes the assumption that the variable being passed has been set up as a tBTA_AV_STR_MSG, which is not true in this case. This causes OOB access.

  Draw the required data instead from the stream control block, which should not be subject to this confusion.

  Bug: 260230151
  Test: m libbluetooth
  Test: manual
  Ignore-AOSP-First: security
  Tag: #security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1816d40959e366f5feaa50a8db673141022634e9)
  Merged-In: If7fee75ff454ab925b9661c78980b7c093c29f0b
  Change-Id: If7fee75ff454ab925b9661c78980b7c093c29f0b
* Fix authentication bypass bug in SMP
  Author: Brian Delwiche  Date: 2025-07-09  Files: 1  Lines: -0/+10

  It is possible for a malicious peer to bypass SMP authentication by claiming to have OOB data and proceeding with pairing, exploiting the fact that the Android stack sets the OOB randomizer to zero if no local OOB data is available. Drop the connection if a peer claims it has OOB data but no local OOB data has been stored.

  Bug: 251514171
  Test: m com.android.btservices
  Ignore-AOSP-First: security
  Tag: #security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:83e55e8a316e319c82f727763ab791bfc24404dd)
  Merged-In: Ib87574bd455bcc673a7e58283fd22342cf924cfd
  Change-Id: Ib87574bd455bcc673a7e58283fd22342cf924cfd
* Fix type confusion in avdt_msg.cc
  Author: Brian Delwiche  Date: 2025-07-08  Files: 1  Lines: -0/+8

  It is possible for a malicious user to reply to a pending AVDT message with the wrong type, leading to type confusion and an eventual OOB access. Add message type validation.

  Bug: 273995284
  Test: m libbluetooth
  Ignore-AOSP-First: security
  Tag: #security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:12d26748f31d855ac18de9df1832f60a4bd73265)
  Merged-In: I87a0df92710658d6c27d9b63ee7813a0d45a301a
  Change-Id: I87a0df92710658d6c27d9b63ee7813a0d45a301a
* Backport regression fixes for 288144143
  Author: Brian Delwiche  Date: 2025-07-08  Files: 2  Lines: -1/+37

  These are backports for the following AOSP changes:
    aosp/3424923
    aosp/3420039
    aosp/3394039
  which address regressions in the initial fix for above bug.

  Bug: 288144143
  Test: m libbluetooth
  Ignore-AOSP-First: security
  Tag: #security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1b613f3748de40cde15bb4d5b99dc2894c8d184b)
  Merged-In: I78a249561fd8ccab38e32fe2e14d90e3b4420dcb
  Change-Id: I78a249561fd8ccab38e32fe2e14d90e3b4420dcb
* Fix UAF in sdp_discovery.cc
  Author: Brian Delwiche  Date: 2025-07-08  Files: 2  Lines: -0/+22

  It is possible with modifications to a client to open two connections against the same SDP discovery database. If this happens, it becomes possible to reference a freed instance of the discovery database in the second connection once the first one is closed.

  To guard against this, check during discovery if a database has already been allocated, and abort iff it has. Also, add a null check to process_service_search_attr_rsp to guard against unchecked calls to the SDP discovery database.

  Bug: 291281168
  Bug: 356201480
  Flag: com.android.bluetooth.flags.btsec_check_valid_discovery_database
  Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
  Tag: #security
  Ignore-AOSP-First: Security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2c3b80e41630d9a252e63a3e30cc2997488fc3e4)
  Merged-In: I754bf8292e1e0d8e90e78fa87889284e26aa5818
  Change-Id: I754bf8292e1e0d8e90e78fa87889284e26aa5818
* Use encrypted link for avdtp and avctp channels
  Author: Brian Delwiche  Date: 2025-07-08  Files: 5  Lines: -7/+13

  This is a backport of the AOSP changes for b/345258562.

  Test: mmm packages/modules/Bluetooth
  Bug: 345258562
  Ignore-AOSP-First: security
  Tag: #security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d26e79ab057057cbfcafc5eaeaaf1581afebd007)
  Merged-In: I4ef23f9dec4aaae6a526c11a7c2489159bd7fdf8
  Change-Id: I4ef23f9dec4aaae6a526c11a7c2489159bd7fdf8
* Reset permissions for not bonded device
  Author: Brian Delwiche  Date: 2025-02-21  Files: 1  Lines: -0/+7

  According to the PBAP specification, The PSE user shall have to confirm at least the first Phone Book Access Profile connection from each new PCE.

  According to the MAP specification, The MCE and MSE shall be bonded before setting up a Message Access Profile connection.

  Let's remove the permissions when the device is unbonded.

  This is a backport of change ag/30386015 but requires minor changes to logic.

  Flag: EXEMPT, security fix
  Bug: 289375038
  Bug: 289811388
  Test: atest BluetoothInstrumentationTests
  Ignore-AOSP-First: security fix
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8507ce69bb6e4e508a82cfc41dce56be1450a62e)
  Merged-In: I8b9b29310db2d14e5dfaddc81a682366fbef42d3
  Change-Id: I8b9b29310db2d14e5dfaddc81a682366fbef42d3
* RESTRICT AUTOMERGE backport "opp: validate that content uri belongs to current user"
  Author: Billy Huang  Date: 2025-02-21  Files: 1  Lines: -0/+15

  Bug: 296915500
  Flag: EXEMPT trivial fix with complete testing coverage
  Test: atest GoogleBluetoothInstrumentationTests:BluetoothOppSendFileInfoTest
  Ignore-AOSP-First: fix for undisclosed vulnerability
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5bcfd347823f1d3893d843db2286f2013923fad8)
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d2e609af40232d899621465e5cd7eeb670476240)
  Merged-In: Ibff36089bfde4b5bb28d797aeae1423b668943a2
  Change-Id: Ibff36089bfde4b5bb28d797aeae1423b668943a2
  Change-Id: Ia60fee2666c45180a97e1a17e6f73f3c67f12856
* Resolve incomplete fix for SMP authentication bypass
  Author: Brian Delwiche  Date: 2025-01-13  Files: 1  Lines: -0/+11

  Fix for b/251514170 was landed correctly on main, but in older branches SMP contains identical functions smp_proc_init and smp_proc_rand, both of which exhibit the problem, and only the former of which was patched. This allows the problem to still appear on branches from sc-dev to udc-dev.

  Add the logic to smp_proc_rand.

  Bug: 251514170
  Test: m com.android.btservices
  Tag: #security
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9b6737a08f5718b6400ffe78b494cb5f0779e56e)
  Merged-In: I51e99c18a322a29632a6cac09ddb2b07bea482fc
  Change-Id: I51e99c18a322a29632a6cac09ddb2b07bea482fc
* Fix OOB writes in gatt_sr.cc
  Author: Brian Delwiche  Date: 2024-12-30  Files: 1  Lines: -0/+21

  At various points in gatt_sr.cc, the output of the gatt_tcb_get_payload_size function is used without checking for a positive length. However, in exceptional cases it is possible for the channel to be closed at the time the function is called, which will lead to a zero length and cause an OOB write in subsequent processing.

  Fix all of these.

  Bug: 364026473
  Bug: 364027038
  Bug: 364027949
  Bug: 364025411
  Test: m libbluetooth
  Test: researcher POC
  Flag: EXEMPT trivial validity checks
  Tag: #security
  Ignore-AOSP-First: Security
  (cherry picked from commit 7de5617f7d5266fe57c990c428621b5d4e92728a)
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:61f6c95083aa98c597f1fdf7c871dd826e810f2b)
  Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
  Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
* Encrypt LE link immediately on reconnection
  Author: Brian Delwiche  Date: 2024-12-30  Files: 1  Lines: -0/+11

  LE link must be encrypted immediately on connection if devices are already bonded.

  This is a backport of ag/29056565, but the code needs to go in a different location because that patch relies on recent feature work.

  Ignore-AOSP-First: security
  Test: mmm packages/modules/Bluetooth
  Bug: 288144143
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9d3b7ecfb920c07474e8a5684a00600e6ce6fcbe)
  Merged-In: I7147c837ecab6c67943fc6fd78a9949f3381df62
  Change-Id: I7147c837ecab6c67943fc6fd78a9949f3381df62
* Fix "GATT Read Multiple Variable Response" builder
  Author: Jakub Pawlowski  Date: 2024-12-30  Files: 1  Lines: -1/+1

  0 length value is perfectly fine, and should result in just length added into the packet. Currently, for 0 length value we just break out of loop, and don't add any value. This means, that if first characteristic in response had 0 length, we would return empty packet.

  Ignore-AOSP-First: security fix
  Test: mma -j32;
  Bug: 352696105
  Bug: 356886209
  Flag: exempt, obvious logic fix
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:676d4d0b0bc423fae086f8edf6b9e482780d07d1)
  Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
  Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
* Fix OOB write in build_read_multi_rsp of gatt_sr.cc
  Author: Brian Delwiche  Date: 2024-12-30  Files: 2  Lines: -0/+8

  build_read_multi_rsp is missing a bounds check, which can lead to an OOB write when the mtu parameter is set to zero. Add that bounds check.

  Bug: 323850943
  Test: atest GattSrTest
  Test: researcher POC
  Tag: #security
  Flag: EXEMPT trivial validity checks
  Ignore-AOSP-First: Security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cad927034a371b82a4a07a16ec442eb261f6153f)
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48)
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:269a60348a373fa5bb20098c45125223726f13ff)
  Merged-In: I18e4325dbc9d6814220332288c85b114d0415c2f
  Change-Id: I18e4325dbc9d6814220332288c85b114d0415c2f
* Fix OOB of L2CAP_CMD_CREDIT_BASED_CONN_RES
  Author: Chienyuan  Date: 2024-11-18  Files: 1  Lines: -1/+1

  TAG: #security
  Bug: 213519176
  Test: atest manual
  Ignore-AOSP-First: security fix
  (cherry picked from commit c9bf9d2d797bd56ecef848e95e183f84037d6c90)
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:386ba28fa3a573fc09b1618cb4263cc919f3c4a2)
  Merged-In: Ieb6ebc88a40d044a0bbb3311fe2f5b7d5b571b9e
  Change-Id: Ieb6ebc88a40d044a0bbb3311fe2f5b7d5b571b9e
* RESTRICT AUTOMERGE Disallow unexpected incoming HID connections
  Author: Himanshu Rawat  Date: 2024-11-15  Files: 9  Lines: -15/+170

  HID profile accepted any new incoming HID connection. Even when the connection policy disabled HID connection, remote devices could initiate HID connection. This change ensures that incoming HID connections are accepted only if application was interested in that HID connection.

  This vulnerability no longer exists on the main because of feature request b/324093729.

  Test: mmm packages/modules/Bluetooth
  Test: Manual | Pair and connect a HID device, disable HID connection from Bluetooth device setting, attempt to connect from the HID device.
  Bug: 308429049
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:03dca3305311096f157da3ab9cfed5cc30f2c135)
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:431ef0346302dec8fa8c7d89c4696931e2bbac9a)
  Merged-In: I013d0528fb18ee87195fb3c8aab553c6a8da5ae4
  Change-Id: I013d0528fb18ee87195fb3c8aab553c6a8da5ae4
* Disallow connect with key length downgrade
  Author: Brian Delwiche  Date: 2024-09-17  Files: 1  Lines: -0/+14

  As a guard against the BLUFFS attack, check security parameters of incoming connections against cached values and disallow connection if these parameters are downgraded or changed from their cached values.

  This CL adds the connection-time check for session key length.

  To test, please validate that bonding can be established and reestablished against devices with session key lengths of 7 and 16 bits, that session key lengths of less than 7 bits are refused, and that basic LE bonding functionality still works. If it is possible to configure a remote device to establish a bond with a session key length of 16 bits and then reduce that key length to <16 bits before reconnection, this should fail.

  Bug: 314331379
  Test: m libbluetooth
  Test: manual
  Tag: #security
  Ignore-AOSP-First: Security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6e9fdf182afb57cecac6c56603aa20d758090a4)
  Merged-In: I27be1f93598820a0f2a7154ba83f5b041878c21f
  Change-Id: I27be1f93598820a0f2a7154ba83f5b041878c21f
* Disallow connect with Secure Connections downgrade
  Author: Brian Delwiche  Date: 2024-09-17  Files: 1  Lines: -0/+17

  As a guard against the BLUFFS attack, check security parameters of incoming connections against cached values and disallow connection if these parameters are downgraded or changed from their cached values.

  This CL adds the connection-time check for Secure Connections mode.

  Bug: 314331379
  Test: m libbluetooth
  Test: manual

  To test this CL, please ensure that BR/EDR initial connections and reconnections (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types. Basic validation of LE bonding functionality should be done as well.

  Tag: #security
  Ignore-AOSP-First: Security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20fdd9b3225a6084f6b666172817fe0a89f0679)
  Merged-In: I9130476600d31b59608e0e419b5136d255174265
  Change-Id: I9130476600d31b59608e0e419b5136d255174265
* Add support for checking security downgrade
  Author: Brian Delwiche  Date: 2024-09-17  Files: 7  Lines: -0/+184

  As a guard against the BLUFFS attack, we will need to check the security parameters of incoming connections against cached values and disallow connection if these parameters are downgraded or changed from their cached values. Future CLs will add checks during connection. This CL adds the functions that will be needed to perform those checks and the necessary mocks.

  Currently supported checks are : IO capabilities (must be an exact match), Secure Connections capability (must not be a downgrade), and session key length (must not be a downgrade). Maximum session key length, which was previously not cached, has been added to the device security manager cache.

  To QA: This CL is a logical no-op by itself. Tests should be performed as described in ag/25815924 and ag/25815925/

  Bug: 314331379
  Test: m libbluetooth
  Tag: #security
  Ignore-AOSP-First: Security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3cf3d9d98909787748e6135733b42be0c67e9333)
  Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f
  Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f
* Fix heap-buffer overflow in sdp_utils.cc
  Author: Brian Delwiche  Date: 2024-08-27  Files: 1  Lines: -2/+22

  Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with an out of bounds comparison. Although the bug claims this is due to a comparison of a uuid with a smaller data field than the discovery attribute, my research suggests that this instead stems from a comparison of a 128 bit UUID with a discovery attribute of some other, invalid size.

  Add checks for discovery attribute size.

  Bug: 287184435
  Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
  Tag: #security
  Ignore-AOSP-First: Security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bbdb139bf91dca86c72c33a74c0e3407938c487)
  Merged-In: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
  Change-Id: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
* Fix permission bypasses to multiple methods
  Author: Brian Delwiche  Date: 2024-08-27  Files: 1  Lines: -16/+16

  Researcher reports that some BT calls across Binder are validating only BT's own permissions and not the calling app's permissions. On investigation this seems to be due to a missing null check in several BT permissions checks, which allows a malicious app to pass in a null AttributionSource and therefore produce a stub AttributionSource chain which does not properly check for the caller's permissions.

  Add null checks.

  Bug: 242996380
  Test: atest UtilsTest
  Test: researcher POC
  Tag: #security
  Ignore-AOSP-First: Security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ed63d97fd6537f539fdde1413bff86a30f80a7b5)
  Merged-In: I7a11e11257b85dc0752396490abfc79b1c383204
  Change-Id: I7a11e11257b85dc0752396490abfc79b1c383204
* Fix an authentication bypass bug in SMP
  Author: Brian Delwiche  Date: 2024-08-26  Files: 2  Lines: -0/+13

  When pairing with BLE legacy pairing initiated from remote, authentication can be bypassed. This change fixes it.

  Bug: 251514170
  Test: m com.android.btservices
  Test: manual run against PoC
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:25a3fcd487c799d5d9029b8646159a0b10143d97)
  Merged-In: I369a8fdd675eca731a7a488ed6a2be645058b795
  Change-Id: I369a8fdd675eca731a7a488ed6a2be645058b795
* Fix jni crash when get field of adType
  Author: weidengke  Date: 2024-03-12  Files: 1  Lines: -1/+1

  The type of field 'ad_type' in com.android.bluetooth.gatt.ScanFilterQueue.Entry is int.

  Test: Use eng version to verify.
  Change-Id: Ieee0496d790ab14d86439fdadc330540bedd3ebc
  Signed-off-by: weidengke <weidengke@xiaomi.com>
* Fix a security bypass issue in access_secure_service_from_temp_bond
  Author: Hui Peng  Date: 2024-03-09  Files: 1  Lines: -2/+1

  Bug: 318374503
  Test: m com.android.btservices | manual test against PoC | QA
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62944f39f502b28687a5142ec2d77585525591bc)
  Merged-In: I48df2c2d77810077e97d4131540277273d441998
  Change-Id: I48df2c2d77810077e97d4131540277273d441998
* Reland: Fix an OOB write bug in attp_build_value_cmd
  Author: Hui Peng  Date: 2024-03-09  Files: 1  Lines: -11/+45

  Bug: 295887535
  Bug: 315127634
  Test: m com.android.btservices
  Test: atest net_test_stack_gatt
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ae5e736813bf2928bfc8c71e3dacf3b78394046)
  Merged-In: I291fd665a68d90813b8c21c80d23cc438f84f285
  Change-Id: I291fd665a68d90813b8c21c80d23cc438f84f285
* Fix an OOB bug in smp_proc_sec_req
  Author: Hui Peng  Date: 2024-03-09  Files: 1  Lines: -0/+7

  Bug: 300903400
  Test: m com.android.btservices
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20a759c149b739f8dfc3790287ad1b954115c18)
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a4704e7519d0a02c1caf8b4d8ed874bc201a4b91)
  Merged-In: I400cfa3523c6d8b25c233205748c2db5dc803d1d
  Change-Id: I400cfa3523c6d8b25c233205748c2db5dc803d1d
* Revert "Fix an OOB write bug in attp_build_value_cmd"
  Author: Mehmet Murat Sevim  Date: 2024-02-15  Files: 1  Lines: -44/+11

  This reverts commit a0d4425c3964f99f589d449deed2f1bbe520218c.

  Reason for revert: LE Device name is incorrect after the change. See b/315127634

  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6dbe94fe556ef67f3bbb7d7bb2da3320d68619df)
  Merged-In: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
  Change-Id: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
* Fix an OOB write bug in attp_build_value_cmd
  Author: Hui Peng  Date: 2024-02-15  Files: 1  Lines: -11/+44

  Bug: 295887535
  Test: m com.android.btservices
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b927f3fb660dafaf97b2fa0398353a8c39125efc)
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a0d4425c3964f99f589d449deed2f1bbe520218c)
  Merged-In: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
  Change-Id: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
* Fix an OOB write bug in attp_build_read_by_type_value_cmd
  Author: Hui Peng  Date: 2024-02-15  Files: 1  Lines: -1/+7

  Bug: 297524203
  Test: m com.android.btservices
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140c41e3553bc59fe97e3f5ee96c64e2251971e2)
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e9b40c3dfd81c3fa99b3f115135de7e2c356ece9)
  Merged-In: I2a95bbcce9a16ac84dd714eb4561428711a9872e
  Change-Id: I2a95bbcce9a16ac84dd714eb4561428711a9872e
* Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
  Author: Hui Peng  Date: 2024-02-15  Files: 1  Lines: -2/+4

  1. The size of `p_src->attr_value.value` is dependent on `p_src->attr_value.len`. While copying `p_src->attr_value.value`, to `p_dest->attr_value.value`, it always copies GATT_MAX_ATTR_LEN bytes, it may result in OOB read in `p_src->attr_value.value`;
  2. As the `p_dest->attr_value.len` does not map the length of `p_dest->attr_value.value`, it may result in OOB read in attp_build_value_cmd;

  Bug: 276898739
  Test: manual
  Tag: #security
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59c9e84bd31d4935a875d588bf4d2cc5bfb07d59)
  Merged-In: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
  Change-Id: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
* Fix some OOB errors in BTM parsing
  Author: Brian Delwiche  Date: 2024-01-09  Files: 2  Lines: -14/+54

  Some HCI BLE events are missing bounds checks, leading to possible OOB access. Add the appropriate bounds checks on the packets.

  Bug: 279169188
  Test: atest bluetooth_test_gd_unit, net_test_stack_btm
  Tag: #security
  Ignore-AOSP-First: Security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:66e2be0585514de92e8a31df09ab31528fd67e20)
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d1a3febede9f835797cf5feff978a9f007f2593)
  Merged-In: If7752f6edd749d6d5a4bb957b4824c22b5602737
  Change-Id: If7752f6edd749d6d5a4bb957b4824c22b5602737
* Fix timing attack in BTM_BleVerifySignature
  Author: Brian Delwiche  Date: 2023-12-06  Files: 1  Lines: -3/+4

  BTM_BleVerifySignature uses a stock memcmp, allowing signature contents to be deduced through a side-channel attack. Change to CRYPTO_memcmp, which is hardened against this attack, to eliminate this attack.

  Bug: 274478807
  Test: atest bluetooth_test_gd_unit
  Tag: #security
  Ignore-AOSP-First: Security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7a960ac1c0cbc6d3949b6eaa7a86302a0b20c04f)
  Merged-In: Iddeff055d9064f51a1e0cfb851d8b74135a714c2
  Change-Id: Iddeff055d9064f51a1e0cfb851d8b74135a714c2
* Fix UAF in ~CallbackEnv
  Author: Brian Delwiche  Date: 2023-12-06  Files: 1  Lines: -0/+1

  com_android_bluetooth_btservice_AdapterService does not null its local JNI environment variable after detaching the thread (which frees the environment context), allowing UAF under certain conditions. Null the variable in this case.

  Testing here was done through a custom unit test; see patchsets 4-6 for contents. However, unit testing of the JNI layer is problematic in production, so that part of the patch is omitted for final merge.

  Bug: 291500341
  Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
  Tag: #security
  Ignore-AOSP-First: Security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7a5c71c32d382c0e14083f0d093ae4f5420968ff)
  Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030
  Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
* Add bounds checks in btif_avrcp_audio_track.cc
  Author: Brian Delwiche  Date: 2023-12-06  Files: 1  Lines: -3/+5

  Fuzz testing reveals that the transcodeQ*ToFloat family of functions are not bounds checked, causing a potential OOB write. Check these functions against bounds of the destination array.

  Bug: 275895309
  Test: atest bluetooth_test_gd_unit, net_test_stack_btm
  Tag: #security
  Ignore-AOSP-First: Security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:46803ae95d63ee133eae83d885e7c051964dc8ed)
  Merged-In: I7a13261429797769cf5b913912a30e249668ac93
  Change-Id: I7a13261429797769cf5b913912a30e249668ac93
* Fix an OOB bug in parse_gap_data
  Author: Hui Peng  Date: 2023-12-06  Files: 1  Lines: -0/+4

  Bug: 277590580
  bug: 275553827
  Test: atest net_test_main_shim
  Ignore-AOSP-First: security
  Tag: #security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0d7e3d8fd96389f1435b76f37064c69ae61df6e7)
  Merged-In: I7fcb7c46f668f48560a72399a3c5087c6da3827f
  Change-Id: I7fcb7c46f668f48560a72399a3c5087c6da3827f
* Factor out duplicate code for parsing gap data
  Author: Hui Peng  Date: 2023-12-06  Files: 6  Lines: -101/+85

  This change is intended to be used to factor out dup code for parsing GapData in StartAdvertisingSet and make it easier to be tested.

  Backport of Ia39886c415218353b6f9d59d7d3f6d1160477d6c

  Bug: 296291440
  Test: atest net_test_main_shim
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:08690d66322386d506818b298ad067622d4d5686)
  Merged-In: Ia39886c415218353b6f9d59d7d3f6d1160477d6c
  Change-Id: Ia39886c415218353b6f9d59d7d3f6d1160477d6c
* Enforce authentication if encryption is required
  Author: Hui Peng  Date: 2023-12-06  Files: 1  Lines: -4/+6

  Original bug
  Bug: 294854926

  regressions:
  Bug: 299570702
  Bug: 299561281

  Test: m com.android.btservices
  Test: QA validation
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0a8c39cda12639f0b08f5ca79bff6b5515ab20d9)
  Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa
  Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa
* Reorganize the code for checking auth requirement
  Author: Hui Peng  Date: 2023-12-06  Files: 1  Lines: -39/+56

  Original bug
  Bug: 294854926

  regressions:
  Bug: 299570702

  Test: m com.android.btservices
  Test: QA validation
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6bacbe908e8ba71422badc6ebff47d3f021e8824)
  Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
  Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
* Reject access to secure service authenticated from a temp bonding [3]
  Author: Hui Peng  Date: 2023-12-06  Files: 1  Lines: -4/+4

  Allow access to rfcomm PSM by default

  Original bug
  Bug: 294854926

  Nearby regressions:
  Bug: 298539299

  Test: m com.android.btservices
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9e4cef217f1d1e11fb7b74765ec17200e618bc24)
  Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
  Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
* Reject access to secure services authenticated from temp bonding [2]
  Author: Hui Peng  Date: 2023-12-06  Files: 1  Lines: -0/+5

  Reject access to service running on rfcomm. This is a backport of I10fcc2dcd78fc22ffbe3c425669fc9889b94a166

  Bug: 294854926
  Test: m com.android.btservices
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9878a84e7eebb49ba994a9bbdd2258ecf4b3abb8)
  Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
  Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
* Reject access to secure service authenticated from a temp bonding [1]
  Author: Hui Peng  Date: 2023-12-06  Files: 1  Lines: -2/+33

  Reject access to services running on l2cap

  Backport of Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3

  Bug: 294854926
  Test: m com.android.btservices
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:232f4f81a9774196f688e956f50084514110798a)
  Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
  Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
* Fix multiple OOB bugs in btm_ble_gap.cc
  Author: Hui Peng  Date: 2023-12-06  Files: 1  Lines: -1/+27

  Bug: 275057843
  Bug: 275057678
  Test: manual
  Tag: #security
  Ignore-AOSP-First: security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3bb913ee8c7da4602798db754045c0fac57afecf)
  Merged-In: I4c8ec50c15e2727839a49da0e582164557bcd38a
  Change-Id: I4c8ec50c15e2727839a49da0e582164557bcd38a
* Fix an integer underflow in build_read_multi_rsp
  Author: Hui Peng  Date: 2023-10-07  Files: 1  Lines: -15/+17

  When p_buf->len is mtu - 1 and p_cmd->multi_req.variable_len evaluates to true, integer underflow is triggered in the following line, resulting in OOB access.

  ```
  len = p_rsp->attr_value.len - (total_len - mtu);
  ```

  Bug: 273874525
  Test: manual
  Ignore-AOSP-First: security
  Tag: #security
  (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f4d53c7bf90b806639a3a302f0007ffb3b9f23)
  Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
  Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
* Merge tag 'android-13.0.0_r75' of https://android.googlesource.com/platform/packages/modules/Bluetooth into HEAD
  Author: Julian Veit  Date: 2023-09-26  Files: 2  Lines: -3/+8

  Android 13.0.0 release 75

  Change-Id: Iadb626579aee524fd72e294bee4fb03e1c7f3b3f
  * Merge cherrypicks of ['googleplex-android-review.googlesource.com/23186010', 'googleplex-android-review.googlesource.com/23152778', 'googleplex-android-review.googlesource.com/22726306', 'googleplex-android-review.googlesource.com/21609715', 'googleplex-android-review.googlesource.com/22581496'] into tm-qpr3-release.
    Author: Android Build Coastguard Worker  Date: 2023-09-01  Files: 6  Lines: -12/+32

    Change-Id: I3f18a7e729469a5d10a4a910d67687acf27594ab
    * Fix UAF in gatt_cl.cc
      Author: Brian Delwiche  Date: 2023-09-01  Files: 1  Lines: -1/+6

      gatt_cl.cc accesses a header field after the buffer holding it may have been freed. Track the relevant state as a local variable instead.

      Bug: 274617156
      Test: atest: bluetooth, validated against fuzzer
      Tag: #security
      Ignore-AOSP-First: Security
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbaa83627b328eee8f2e26188909a5ebfb0388d5)
      Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
      Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
    * Fix potential abort in btu_av_act.cc
      Author: Brian Delwiche  Date: 2023-09-01  Files: 1  Lines: -1/+4

      Partner analysis shows that bta_av_rc_msg does not respect handling established for a null browse packet, instead dispatching the null pointer to bta_av_rc_free_browse_msg. Strictly speaking this does not cause a UAF, as osi_free_and_reset will find the null and abort, but it will lead to improper program termination. Handle the case instead.

      Bug: 269253349
      Test: atest bluetooth_test_gd_unit
      Tag: #security
      Ignore-AOSP-First: Security
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d3ee136851de30261e56c62fbb488541dc564b94)
      Merged-In: I14dc4910476c733b246bcf7ff292afe9b7c0cc3d
      Change-Id: I14dc4910476c733b246bcf7ff292afe9b7c0cc3d
    * Fix integer overflow in build_read_multi_rsp
      Author: Brian Delwiche  Date: 2023-09-01  Files: 1  Lines: -5/+12

      Local variables tracking structure size in build_read_multi_rsp are of uint16 type but accept a full uint16 range from function arguments while appending a fixed-length offset. This can lead to an integer overflow and unexpected behavior. Change the locals to size_t, and add a check during reassignment.

      Bug: 273966636
      Test: atest bluetooth_test_gd_unit, net_test_stack_btm
      Tag: #security
      Ignore-AOSP-First: Security
      (cherry picked from commit 70a4d628fa016a9487fae07f211644b95e1f0000)
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:badb8ffce06b517cbcfdbfa68cb7b7e02d22494a)
      Merged-In: I3a74bdb0d003cb6bf4f282615be8c68836676715
      Change-Id: I3a74bdb0d003cb6bf4f282615be8c68836676715
    * Fix an integer overflow bug in avdt_msg_asmbl
      Author: Hui Peng  Date: 2023-09-01  Files: 1  Lines: -2/+2

      Bug: 280633699
      Test: manual
      Ignore-AOSP-First: security
      Tag: #security
      (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bf9449a704c2983861dbe0ede9ab660e42826179)
      Merged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
      Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2