Plus some cleanup
Bug: 271962784
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from commit d5de235b461ec83e43a7db513e286d3204c4cedf)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7f685c51b0bc63369107efe59b12162bbb145a4d)
Merged-In: Ice5ad780ac0b177c73d84ed37960b4540df1ec86
Change-Id: Ice5ad780ac0b177c73d84ed37960b4540df1ec86
It is possible in exceptional cases for add_attr to be passed a p
pointer one byte short of its p_end pointer, which leads to an OOB read
as it attempts to read the type of the next attribute.
Add a check for this.
Bug: 367274727
Test: m libbluetooth
Ignore-AOSP-First: security
Tag: security
Flag: EXEMPT trivial validity check
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:319bb08af014e30654548c679f5e1cb2721c0c60)
Merged-In: Ic3079c4c2d6933355cf4e8444e8f25ebedeafefe
Change-Id: Ic3079c4c2d6933355cf4e8444e8f25ebedeafefe
It is possible for a malicious peer to bypass SMP authentication by
claiming to have OOB data and proceeding with pairing, exploiting the
fact that the Android stack sets the OOB randomizer to zero if no local
OOB data is available.
Drop the connection if a peer claims it has OOB data but no local OOB
data has been stored.
Bug: 251514171
Test: m com.android.btservices
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:83e55e8a316e319c82f727763ab791bfc24404dd)
Merged-In: Ib87574bd455bcc673a7e58283fd22342cf924cfd
Change-Id: Ib87574bd455bcc673a7e58283fd22342cf924cfd
It is possible for a malicious user to reply to a pending AVDT message
with the wrong type, leading to type confusion and an eventual OOB
access.
Add message type validation.
Bug: 273995284
Test: m libbluetooth
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:12d26748f31d855ac18de9df1832f60a4bd73265)
Merged-In: I87a0df92710658d6c27d9b63ee7813a0d45a301a
Change-Id: I87a0df92710658d6c27d9b63ee7813a0d45a301a
These are backports for the following AOSP changes:
aosp/3424923
aosp/3420039
aosp/3394039
which address regressions in the initial fix for above bug.
Bug: 288144143
Test: m libbluetooth
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1b613f3748de40cde15bb4d5b99dc2894c8d184b)
Merged-In: I78a249561fd8ccab38e32fe2e14d90e3b4420dcb
Change-Id: I78a249561fd8ccab38e32fe2e14d90e3b4420dcb
It is possible with modifications to a client to open two connections
against the same SDP discovery database. If this happens, it becomes
possible to reference a freed instance of the discovery database in the
second connection once the first one is closed.
To guard against this, check during discovery if a database has already
been allocated, and abort iff it has.
Also, add a null check to process_service_search_attr_rsp to guard
against unchecked calls to the SDP discovery database.
Bug: 291281168
Bug: 356201480
Flag: com.android.bluetooth.flags.btsec_check_valid_discovery_database
Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2c3b80e41630d9a252e63a3e30cc2997488fc3e4)
Merged-In: I754bf8292e1e0d8e90e78fa87889284e26aa5818
Change-Id: I754bf8292e1e0d8e90e78fa87889284e26aa5818
This is a backport of the AOSP changes for b/345258562.
Test: mmm packages/modules/Bluetooth
Bug: 345258562
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d26e79ab057057cbfcafc5eaeaaf1581afebd007)
Merged-In: I4ef23f9dec4aaae6a526c11a7c2489159bd7fdf8
Change-Id: I4ef23f9dec4aaae6a526c11a7c2489159bd7fdf8
Fix for b/251514170 was landed correctly on main, but in older branches
SMP contains identical functions smp_proc_init and smp_proc_rand, both
of which exhibit the problem, and only the former of which was patched.
This allows the problem to still appear on branches from sc-dev to
udc-dev.
Add the logic to smp_proc_rand.
Bug: 251514170
Test: m com.android.btservices
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9b6737a08f5718b6400ffe78b494cb5f0779e56e)
Merged-In: I51e99c18a322a29632a6cac09ddb2b07bea482fc
Change-Id: I51e99c18a322a29632a6cac09ddb2b07bea482fc
At various points in gatt_sr.cc, the output of the
gatt_tcb_get_payload_size function is used without checking for a
positive length. However, in exceptional cases it is possible for the
channel to be closed at the time the function is called, which will lead
to a zero length and cause an OOB write in subsequent processing.
Fix all of these.
Bug: 364026473
Bug: 364027038
Bug: 364027949
Bug: 364025411
Test: m libbluetooth
Test: researcher POC
Flag: EXEMPT trivial validity checks
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 7de5617f7d5266fe57c990c428621b5d4e92728a)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:61f6c95083aa98c597f1fdf7c871dd826e810f2b)
Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
LE link must be encrypted immediately on connection if devices are
already bonded.
This is a backport of ag/29056565, but the code needs to go in a
different location because that patch relies on recent feature work.
Ignore-AOSP-First: security
Test: mmm packages/modules/Bluetooth
Bug: 288144143
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9d3b7ecfb920c07474e8a5684a00600e6ce6fcbe)
Merged-In: I7147c837ecab6c67943fc6fd78a9949f3381df62
Change-Id: I7147c837ecab6c67943fc6fd78a9949f3381df62
A 0 length value is perfectly fine, and should result in just the length
being added into the packet.
Currently, for a 0 length value we just break out of the loop, and don't add
any value.
This means that if the first characteristic in the response had 0 length, we
would return an empty packet.
Ignore-AOSP-First: security fix
Test: mma -j32;
Bug: 352696105
Bug: 356886209
Flag: exempt, obvious logic fix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:676d4d0b0bc423fae086f8edf6b9e482780d07d1)
Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
build_read_multi_rsp is missing a bounds check, which can lead to an
OOB write when the mtu parameter is set to zero.
Add that bounds check.
Bug: 323850943
Test: atest GattSrTest
Test: researcher POC
Tag: #security
Flag: EXEMPT trivial validity checks
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cad927034a371b82a4a07a16ec442eb261f6153f)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:269a60348a373fa5bb20098c45125223726f13ff)
Merged-In: I18e4325dbc9d6814220332288c85b114d0415c2f
Change-Id: I18e4325dbc9d6814220332288c85b114d0415c2f
TAG: #security
Bug: 213519176
Test: atest manual
Ignore-AOSP-First: security fix
(cherry picked from commit c9bf9d2d797bd56ecef848e95e183f84037d6c90)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:386ba28fa3a573fc09b1618cb4263cc919f3c4a2)
Merged-In: Ieb6ebc88a40d044a0bbb3311fe2f5b7d5b571b9e
Change-Id: Ieb6ebc88a40d044a0bbb3311fe2f5b7d5b571b9e
As a guard against the BLUFFS attack, check security parameters of
incoming connections against cached values and disallow connection if
these parameters are downgraded or changed from their cached values.
This CL adds the connection-time check for session key length.
To test, please validate that bonding can be established and
reestablished against devices with session key lengths of 7 and 16 bits,
that session key lengths of less than 7 bits are refused, and that basic
LE bonding functionality still works. If it is possible to configure a
remote device to establish a bond with a session key length of 16 bits
and then reduce that key length to <16 bits before reconnection, this
should fail.
Bug: 314331379
Test: m libbluetooth
Test: manual
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6e9fdf182afb57cecac6c56603aa20d758090a4)
Merged-In: I27be1f93598820a0f2a7154ba83f5b041878c21f
Change-Id: I27be1f93598820a0f2a7154ba83f5b041878c21f
As a guard against the BLUFFS attack, check security parameters of
incoming connections against cached values and disallow connection if
these parameters are downgraded or changed from their cached values.
This CL adds the connection-time check for Secure Connections mode.
Bug: 314331379
Test: m libbluetooth
Test: manual
To test this CL, please ensure that BR/EDR initial connections and reconnections (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types. Basic validation of LE bonding functionality should be done as well.
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20fdd9b3225a6084f6b666172817fe0a89f0679)
Merged-In: I9130476600d31b59608e0e419b5136d255174265
Change-Id: I9130476600d31b59608e0e419b5136d255174265
As a guard against the BLUFFS attack, we will need to check the security
parameters of incoming connections against cached values and disallow
connection if these parameters are downgraded or changed from their
cached values.
Future CLs will add checks during connection. This CL adds the
functions that will be needed to perform those checks and the necessary
mocks.
Currently supported checks are : IO capabilities (must be an exact match),
Secure Connections capability (must not be a downgrade), and session key
length (must not be a downgrade). Maximum session key length, which was
previously not cached, has been added to the device security manager
cache.
To QA: This CL is a logical no-op by itself. Tests should be performed as described in ag/25815924 and ag/25815925/
Bug: 314331379
Test: m libbluetooth
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3cf3d9d98909787748e6135733b42be0c67e9333)
Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f
Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f
Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with
an out of bounds comparison. Although the bug claims this is due to a
comparison of a uuid with a smaller data field than the discovery
attribute, my research suggests that this instead stems from a
comparison of a 128 bit UUID with a discovery attribute of some other,
invalid size.
Add checks for discovery attribute size.
Bug: 287184435
Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bbdb139bf91dca86c72c33a74c0e3407938c487)
Merged-In: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
Change-Id: I8e16ae525815bcdd47a2379ee8e5a6de47a3ac43
When pairing with BLE legacy pairing initiated
from remote, authentication can be bypassed.
This change fixes it.
Bug: 251514170
Test: m com.android.btservices
Test: manual run against PoC
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:25a3fcd487c799d5d9029b8646159a0b10143d97)
Merged-In: I369a8fdd675eca731a7a488ed6a2be645058b795
Change-Id: I369a8fdd675eca731a7a488ed6a2be645058b795
Bug: 318374503
Test: m com.android.btservices | manual test against PoC | QA
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62944f39f502b28687a5142ec2d77585525591bc)
Merged-In: I48df2c2d77810077e97d4131540277273d441998
Change-Id: I48df2c2d77810077e97d4131540277273d441998
Bug: 295887535
Bug: 315127634
Test: m com.android.btservices
Test: atest net_test_stack_gatt
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ae5e736813bf2928bfc8c71e3dacf3b78394046)
Merged-In: I291fd665a68d90813b8c21c80d23cc438f84f285
Change-Id: I291fd665a68d90813b8c21c80d23cc438f84f285
Bug: 300903400
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20a759c149b739f8dfc3790287ad1b954115c18)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a4704e7519d0a02c1caf8b4d8ed874bc201a4b91)
Merged-In: I400cfa3523c6d8b25c233205748c2db5dc803d1d
Change-Id: I400cfa3523c6d8b25c233205748c2db5dc803d1d
This reverts commit a0d4425c3964f99f589d449deed2f1bbe520218c.
Reason for revert: LE Device name is incorrect after the change. See b/315127634
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6dbe94fe556ef67f3bbb7d7bb2da3320d68619df)
Merged-In: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
Change-Id: I93906e7ab768b4015fe3491e171fdb0ec8cf3077
Bug: 295887535
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b927f3fb660dafaf97b2fa0398353a8c39125efc)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a0d4425c3964f99f589d449deed2f1bbe520218c)
Merged-In: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
Change-Id: Ie16251c3a2b7c0f807ecb53bbf125d1e8c276e48
Bug: 297524203
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140c41e3553bc59fe97e3f5ee96c64e2251971e2)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e9b40c3dfd81c3fa99b3f115135de7e2c356ece9)
Merged-In: I2a95bbcce9a16ac84dd714eb4561428711a9872e
Change-Id: I2a95bbcce9a16ac84dd714eb4561428711a9872e
Some HCI BLE events are missing bounds checks, leading to possible OOB
access. Add the appropriate bounds checks on the packets.
Bug: 279169188
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:66e2be0585514de92e8a31df09ab31528fd67e20)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d1a3febede9f835797cf5feff978a9f007f2593)
Merged-In: If7752f6edd749d6d5a4bb957b4824c22b5602737
Change-Id: If7752f6edd749d6d5a4bb957b4824c22b5602737
BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
to be deduced through a side-channel attack.
Change to CRYPTO_memcmp, which is hardened against this attack, to
eliminate this attack.
Bug: 274478807
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7a960ac1c0cbc6d3949b6eaa7a86302a0b20c04f)
Merged-In: Iddeff055d9064f51a1e0cfb851d8b74135a714c2
Change-Id: Iddeff055d9064f51a1e0cfb851d8b74135a714c2
Original bug
Bug: 294854926
regressions:
Bug: 299570702
Bug: 299561281
Test: m com.android.btservices
Test: QA validation
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0a8c39cda12639f0b08f5ca79bff6b5515ab20d9)
Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa
Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa
Original bug
Bug: 294854926
regressions:
Bug: 299570702
Test: m com.android.btservices
Test: QA validation
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6bacbe908e8ba71422badc6ebff47d3f021e8824)
Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
Allow access to rfcomm PSM by default
Original bug
Bug: 294854926
Nearby regressions:
Bug: 298539299
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9e4cef217f1d1e11fb7b74765ec17200e618bc24)
Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
Reject access to service running on rfcomm
this is a backport of
I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9878a84e7eebb49ba994a9bbdd2258ecf4b3abb8)
Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
Reject access to services running on l2cap
Backport of
Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:232f4f81a9774196f688e956f50084514110798a)
Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Bug: 275057843
Bug: 275057678
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3bb913ee8c7da4602798db754045c0fac57afecf)
Merged-In: I4c8ec50c15e2727839a49da0e582164557bcd38a
Change-Id: I4c8ec50c15e2727839a49da0e582164557bcd38a
When p_buf->len is mtu - 1 and p_cmd->multi_req.variable_len
evaluates to true, an integer underflow is triggered
in the following line, resulting in OOB access.
```
len = p_rsp->attr_value.len - (total_len - mtu);
```
Bug: 273874525
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f4d53c7bf90b806639a3a302f0007ffb3b9f23)
Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
https://android.googlesource.com/platform/packages/modules/Bluetooth into HEAD
Android 13.0.0 release 75
Change-Id: Iadb626579aee524fd72e294bee4fb03e1c7f3b3f
gatt_cl.cc accesses a header field after the buffer holding it may have
been freed.
Track the relevant state as a local variable instead.
Bug: 274617156
Test: atest: bluetooth, validated against fuzzer
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbaa83627b328eee8f2e26188909a5ebfb0388d5)
Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
Local variables tracking structure size in build_read_multi_rsp are of
uint16 type but accept a full uint16 range from function arguments while
appending a fixed-length offset. This can lead to an integer overflow
and unexpected behavior.
Change the locals to size_t, and add a check during reassignment.
Bug: 273966636
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 70a4d628fa016a9487fae07f211644b95e1f0000)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:badb8ffce06b517cbcfdbfa68cb7b7e02d22494a)
Merged-In: I3a74bdb0d003cb6bf4f282615be8c68836676715
Change-Id: I3a74bdb0d003cb6bf4f282615be8c68836676715
Bug: 280633699
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bf9449a704c2983861dbe0ede9ab660e42826179)
Merged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
The tx mtu in EATT can be controlled by remote device. With malicious
mtu values, it is possible to trigger integer overflow and
OOB write at multiple places (see the bug below).
This fix enforces a max tx mtu in EATT.
Bug: 271335899
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:282d4a182ea6a7d2e6e0f6901d2bc1e75b49e52f)
Merged-In: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31
Change-Id: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31
gatt_cl.cc accesses a header field after the buffer holding it may have
been freed.
Track the relevant state as a local variable instead.
Bug: 274617156
Test: atest: bluetooth, validated against fuzzer
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbaa83627b328eee8f2e26188909a5ebfb0388d5)
Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
Local variables tracking structure size in build_read_multi_rsp are of
uint16 type but accept a full uint16 range from function arguments while
appending a fixed-length offset. This can lead to an integer overflow
and unexpected behavior.
Change the locals to size_t, and add a check during reassignment.
Bug: 273966636
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 70a4d628fa016a9487fae07f211644b95e1f0000)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:badb8ffce06b517cbcfdbfa68cb7b7e02d22494a)
Merged-In: I3a74bdb0d003cb6bf4f282615be8c68836676715
Change-Id: I3a74bdb0d003cb6bf4f282615be8c68836676715
Bug: 280633699
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bf9449a704c2983861dbe0ede9ab660e42826179)
Merged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
https://android.googlesource.com/platform/packages/modules/Bluetooth into t13.0
Android 13.0.0 Release 52 (TQ3A.230605.012)
Change-Id: I379845946815b7c623f83a1d33036ae615f090fb
tm-qpr-dev
This reverts commit 0480ff3dd26cd491fc1b02a0d541d9857a69a354.
Reason for revert: b/267716052 The AOSP CL got reverted too
Bug: 267716052
Change-Id: Ifa79d22eb5266bb15d91868fe6ecd7371492d8c7
Test: manual
Ignore-AOSP-First: Already reverted on AOSP
am: 01d3e82a4f
Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22316109
Change-Id: I4853e4bd4ca025f31ca8a59c9708ae280b451a2e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22316109
Change-Id: I40d67db13aae24e9093615e1663483f97e874b08
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Added boundary check for gatt_end_operation to prevent writing out of
boundary.
Since the response of the GATT server is handled in
gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum
length that can be passed into the handlers is bounded by
GATT_MAX_MTU_SIZE, which is set to 517, which is greater than
GATT_MAX_ATTR_LEN, which is set to 512. The fact that there is no spec
that guarantees the MTU response to be less than or equal to 512 bytes can
cause a buffer overflow when performing memcpy without a length check.
Bug: 261068592
Test: No test since not affecting behavior
Tag: #security
Ignore-AOSP-First: security
Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/20697203
Change-Id: Ie634b4e628a94fd90cfe9b78ba71441217501139
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>