Conversation
Limit allocations on 32bit to 2 GB Limit allocations on 64bit to 8 Exabyte Bug: 197868577 Tag: #refactor Test: gd/cert/run Ignore-AOSP-First: Security Change-Id: I1c347084d7617b1e364a3241f1b37b398a2a6c6a (cherry picked from commit e435404)
Bug: 201083442 Tag: #security Test: gd/cert/run Ignore-AOSP-First: Security Change-Id: I69c362d1eb644a3b7fd967cd526a8a58c3b4d975 (cherry picked from commit c08175b) Merged-In:I69c362d1eb644a3b7fd967cd526a8a58c3b4d975
Bug: 204355134 Bug: 195410559 Test: Check IRK, pair devices, unpair all devices, Check IRK Tag: #security Change-Id: I8e44f010a72dcdec595d81293a05f49ccc054065 Merged-In: I8e44f010a72dcdec595d81293a05f49ccc054065 (cherry picked from commit d6d753d) Merged-In:I8e44f010a72dcdec595d81293a05f49ccc054065
Bug: 205837191 Tag: #security Test: PoC test program Ignore-AOSP-First: Security Change-Id: I7b5bcb6551a8c0c015566327e13ba719271ce374 Merged-In: I7b5bcb6551a8c0c015566327e13ba719271ce374 (cherry picked from commit 697942b) Merged-In:I7b5bcb6551a8c0c015566327e13ba719271ce374
Bug: 224536184 Test: build Tag: #security Ignore-AOSP-First: Security bug Change-Id: I9f0be0de6c4e1569095a43e92e9d8f9d73ca5fda (cherry picked from commit ea2815973590018a6df5a3e88fa582eb4c8ff04e) Merged-In: I9f0be0de6c4e1569095a43e92e9d8f9d73ca5fda
Bug: 205571133 Test: build + ag/18105403 for sts test Ignore-AOSP-First: Security vulnerability Change-Id: Ic9fa9400ab15785cfdb251af66b1867daf09570e (cherry picked from commit 003e42896493afb7a0cd7406720987725d4e9da3) Merged-In: Ic9fa9400ab15785cfdb251af66b1867daf09570e
Bug: 220732646 Test: build Tag: #security Ignore-AOSP-First: Security bug Change-Id: Ia49f26e4979f9e57c448190a52d0d01b70e342c4 (cherry picked from commit 863a0f417f6358892783860e08bf093d027764cf) Merged-In: Ia49f26e4979f9e57c448190a52d0d01b70e342c4
Bug: 231161832 Test: Test against trying to connect using the same address Change-Id: I2a23440303758faf281989abdb2a614708f05d36 Merged-In: I2a23440303758faf281989abdb2a614708f05d36 (cherry picked from commit d9a9f9aaecd5bc46827b40db5a2e5745056440fd) Merged-In: I2a23440303758faf281989abdb2a614708f05d36
Add check for str_len to prevent potential OOB read in vendor response. Bug: 205570663 Tag: #security Test: net_test_stack:StackAvrcpTest Ignore-AOSP-First: Security Change-Id: Iea2c3e17c2c8cc56468c4456822e1c4c5c15f5bc Merged-In: Iea2c3e17c2c8cc56468c4456822e1c4c5c15f5bc (cherry picked from commit 53aff7d1e018c5d5f4eb5d09eecfaad760e92ec4) Merged-In: Iea2c3e17c2c8cc56468c4456822e1c4c5c15f5bc
Bug: 225876506 Test: run supplied POC (updated to Android T) Tag: #security Ignore-AOSP-First: Security Change-Id: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca (cherry picked from commit 864460a945fe47b417def4017fb3d791e829753c) Merged-In: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca
Bug: 228602963 Test: make Tag: #security Ignore-AOSP-First: Security Change-Id: I2a2c9a106a485c319841491f7acc2d667e4d0e75 (cherry picked from commit 5f1d6ac9a6adc287b8d10bb8241fe21615913c4b) Merged-In: I2a2c9a106a485c319841491f7acc2d667e4d0e75
Bug: 232023771 Test: make Tag: #security Ignore-AOSP-First: Security Change-Id: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b (cherry picked from commit 324c3065f863b8484847bbdfd91ef4709d407c8c) Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
Bug: 230867224 Test: Manual -- paired Bluetooth headset and played audio Tags: #security Ignore-AOSP-First: Security Change-Id: I740038288143715a1c06db781efd674b269a7f3e (cherry picked from commit f67ea88c64d62e81c9a804c67ff06c52a6920d39) Merged-In: I740038288143715a1c06db781efd674b269a7f3e
Bug: 228450451 Test: manual, pair BT and play audio Tag: #security Ignore-AOSP-First: Security Change-Id: I681878508feae3d0526ed3e928af7a415e7d5c36 (cherry picked from commit 0fa54c7d8a2c061202e61d75b805661c1e89a76d) Merged-In: I681878508feae3d0526ed3e928af7a415e7d5c36
The previous fix for AVDT caused a memory leak, and the similar fix was missing for AVCT packets. Bug: 232023771 Test: make Tag: #security Ignore-AOSP-First: Security Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90 Change-Id: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90 (cherry picked from commit 240baf57ea9a112c153af0b53082c6951c636653) Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90
Convert min_len from 16 bits to 32 bits to avoid length checking overflow. Also, use calloc instead of malloc for list allocation since the caller needs to clean up string memory in the list items. Bug: 242459126 Test: fuzz_avrc Tag: #security Ignore-AOSP-First: Security Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4 Change-Id: I7250509f2b320774926a8b24fd28828c5217d8a4 (cherry picked from commit 18fd685cfcc2690a9748a29721a1c275ec18448b) Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4
A crash may occur when creating a bluetooth AVRCP connection to a device. The code fails to check a return value from an AVRCP function being used to index into an array. The return value may exceed the size of the array causing memory outside the bounds of the array to be accessed leading to memory corruption and a crash. The fix is to ensure the return value is within the bounds of the array before accessing the array contents. If the return value is not within the bounds of the array report it as a failure to the bluetooth stack. This change is relevant for android automotive because the IVI (in-vehicle infotainment system) acts as an AVRCP controller which still executes this code. Note: this is a backport of b/214569798, inducted as a non-security issue. Per b/226927612 it has been found to have security impact and should be backported to earlier branches. Bug: 226927612 Test: Manual - set return value to be out of bounds, verify no crash Tag: #security Ignore-AOSP-First: Security Change-Id: I03f89f894c759b85e555a024435b625397ef7e5c (cherry picked from commit 6a543761f2dc3db0ebf541285a0b3b2afc83a6a6) Merged-In: I03f89f894c759b85e555a024435b625397ef7e5c
Bug: 242535997 Test: BT unit tests, validated against researcher POC Tag: #security Ignore-AOSP-First: Security Change-Id: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4 (cherry picked from commit eca4a3cdb0da240496341f546a57397434ec85dd) Merged-In: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4
this is the backport of Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084 Bug: 258652631 Test: manual Tag: #security Ignore-AOSP-First: security Change-Id: Ic84122f07cbc198c676d366e39606621b7cb4e66 (cherry picked from commit 9b17660bfd6f0f41cb9400ce0236d76c83605e03) Merged-In: Ic84122f07cbc198c676d366e39606621b7cb4e66
In A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the `-=` operation on it may result in integer underflow and OOB write with the computed pointer passed to A2DP_BuildMediaPayloadHeaderSbc. This is a backport of I45320085b1e458d3b0e0d86162a35aaaae7b34cb Test: atest net_test_stack_a2dp_codecs_native Ignore-AOSP-First: security Tag:#security Bug: 186803518 Change-Id: I4ff1a1de71884b8de23008b2569fdea3650e85ec (cherry picked from commit a710300216be4a86373a65c6a685aeef8509cfa7) Merged-In: I4ff1a1de71884b8de23008b2569fdea3650e85ec
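The offset-underflow pattern the commit above describes, as an added example that is not AOSP/Fluoride code: a simplified BT_HDR-style packet (`media_pkt_t`, `data[64]`, a 1-byte payload header, the nibble written into it) is an assumption, as are the function names; only the failure mode (a `uint16_t` offset of 0 decremented to 65535) comes from the commit message. The vulnerable arithmetic is isolated in a function that returns the wrapped offset rather than writing through it, and the hardened builder refuses a packet with no headroom.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SBC_MEDIA_PAYLOAD_HDR_SIZE 1u   /* assumed: 1-byte SBC media payload header */

/* Assumed packet shape, modelled on a BT_HDR-style buffer: the payload lives at
 * data[offset .. offset+len), and a header is prepended by moving offset back. */
typedef struct {
    uint16_t len;
    uint16_t offset;
    uint8_t  data[64];
} media_pkt_t;

/* The vulnerable arithmetic on its own, so it can be observed without the
 * write: with a uint16_t offset of 0, "offset -= 1" wraps to 65535 and the
 * pointer derived from it lands far outside data[]. */
static uint32_t vulnerable_header_offset(uint16_t offset) {
    uint16_t o = offset;
    o = (uint16_t)(o - SBC_MEDIA_PAYLOAD_HDR_SIZE);
    return o;
}

/* Hardened builder: reject a packet with no headroom in front of the payload
 * (the underflow case) or whose payload already exceeds data[], then prepend. */
static bool build_codec_header_sbc(media_pkt_t *p, uint8_t frames_per_packet) {
    if (p == NULL) return false;
    if (p->offset < SBC_MEDIA_PAYLOAD_HDR_SIZE) return false;
    if ((size_t)p->offset + p->len > sizeof p->data) return false;
    p->offset = (uint16_t)(p->offset - SBC_MEDIA_PAYLOAD_HDR_SIZE);
    p->len = (uint16_t)(p->len + SBC_MEDIA_PAYLOAD_HDR_SIZE);
    p->data[p->offset] = (uint8_t)(frames_per_packet & 0x0f);   /* assumed header layout */
    return true;
}

/* Constructed packet: 8 payload bytes of 0xAA starting at the given offset. */
static void make_pkt(media_pkt_t *p, uint16_t offset) {
    memset(p, 0, sizeof *p);
    p->offset = offset;
    p->len = 8;
    memset(p->data + offset, 0xAA, 8);
}

/* A packet whose payload starts at offset 0 is refused instead of underflowing. */
static bool check_zero_offset_rejected(void) {
    media_pkt_t p;
    make_pkt(&p, 0);
    return !build_codec_header_sbc(&p, 3) && p.offset == 0 && p.len == 8;
}

/* With headroom, the header is written one byte before the payload. */
static bool check_headroom_accepted(void) {
    media_pkt_t p;
    make_pkt(&p, 4);
    return build_codec_header_sbc(&p, 3) && p.offset == 3 && p.len == 9
        && p.data[3] == 3 && p.data[4] == 0xAA;
}

int main(void) {
    return (vulnerable_header_offset(0) == 65535u
            && check_zero_offset_rejected() && check_headroom_accepted()) ? 0 : 1;
}
```

The check is on `offset` before the subtraction, not on the pointer afterwards: once the unsigned value has wrapped, comparing the resulting pointer against the buffer is already undefined behaviour.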
When the `attr_pad` becomes full, it is possible that an index of `-1` is computed, writing a zero byte to `p_val` and resulting in an OOB write.

```
p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\0';
```

This is a backport of I937d22a2df26fca1d7f06b10182c4e713ddfed1b Bug: 261867748 Test: manual Tag: #security Ignore-AOSP-First: security Change-Id: Ibdda754e628cfc9d1706c14db114919a15d8d6b1 (cherry picked from commit cc527a97f78a2999a0156a579e488afe9e3675b2) Merged-In: Ibdda754e628cfc9d1706c14db114919a15d8d6b1
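The off-by-one behind the quoted line, as an added example that is not AOSP code: the record shape (`sdp_rec_t`, a pad of `SDP_MAX_PAD_LEN` bytes with `free_pad_ptr` as the next free index), the small pad size and the `sdp_add_text_attr` function are assumptions chosen to make the arithmetic visible. `vulnerable_terminator_index` evaluates the quoted expression for a given `free_pad_ptr`; the hardened append refuses a full pad before any index is formed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SDP_MAX_PAD_LEN 16u   /* deliberately small; the real constant differs */

/* Assumed record shape: a fixed pad holding NUL-terminated attribute text,
 * with free_pad_ptr indexing the next unused byte. */
typedef struct {
    uint8_t  attr_pad[SDP_MAX_PAD_LEN];
    uint16_t free_pad_ptr;
} sdp_rec_t;

/* Index of the terminator write in the quoted line, relative to
 * p_val = &attr_pad[free_pad_ptr]. With a full pad it evaluates to -1, so the
 * '\0' lands one byte before p_val, outside the space the caller handed over. */
static int vulnerable_terminator_index(uint16_t free_pad_ptr) {
    return (int)SDP_MAX_PAD_LEN - (int)free_pad_ptr - 1;
}

/* Hardened append: refuse when no slot remains for the terminator, otherwise
 * copy as much text as fits minus one byte and terminate inside the pad.
 * Returns the stored value or NULL. */
static uint8_t *sdp_add_text_attr(sdp_rec_t *rec, const char *text, size_t text_len) {
    if (rec == NULL || text == NULL) return NULL;
    if (rec->free_pad_ptr >= SDP_MAX_PAD_LEN) return NULL;      /* pad full */
    size_t room = SDP_MAX_PAD_LEN - rec->free_pad_ptr;         /* >= 1 */
    uint8_t *p_val = &rec->attr_pad[rec->free_pad_ptr];
    size_t copy = text_len < room - 1 ? text_len : room - 1;   /* keep one byte for '\0' */
    memcpy(p_val, text, copy);
    p_val[copy] = '\0';                                        /* always inside attr_pad */
    rec->free_pad_ptr = (uint16_t)(rec->free_pad_ptr + copy + 1);
    return p_val;
}

/* Constructed sequence: fill the pad, then try once more. Returns the number
 * of successful appends (expected 2) and leaves the record in *rec. */
static int demo_fill_pad(sdp_rec_t *rec) {
    const char *first = "abc";                    /* 3 + NUL = 4 bytes */
    const char *second = "0123456789ABCDEFGHIJ";  /* 20 bytes, truncated to 11 + NUL */
    int ok = 0;
    memset(rec, 0, sizeof *rec);
    if (sdp_add_text_attr(rec, first, strlen(first)) != NULL) ok++;
    if (sdp_add_text_attr(rec, second, strlen(second)) != NULL) ok++;
    if (sdp_add_text_attr(rec, "x", 1) != NULL) ok++;   /* pad full: must fail */
    return ok;
}

int main(void) {
    sdp_rec_t rec;
    return (demo_fill_pad(&rec) == 2 && rec.free_pad_ptr == SDP_MAX_PAD_LEN
            && vulnerable_terminator_index(rec.free_pad_ptr) == -1) ? 0 : 1;
}
```

Truncating silently is one policy; returning NULL for anything that does not fit whole is the other. Either is fine as long as the full-pad case is rejected before `room - 1` is evaluated.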
This is a back port of the following 2 CLs: - Id13b1ebde8f603123c8b7a49922b2f1378ab788f - If0c7b25f2e6cb4531bbb6254e176e8ad1b5c5fb4 Regression test: I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54 Bug: 142546355 258057241 Test: atest net_test_stack_avdtp Ignore-AOSP-First: security Change-Id: Ie1707385d6452ece47915c153f4faaa1c8a287c9 (cherry picked from commit b0b968e8c6214e20a5dc3617d66567225df0884f) Merged-In: Ie1707385d6452ece47915c153f4faaa1c8a287c9
This is a backport of I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f to rvc-dev. Bug: 245916076 Test: manual Ignore-AOSP-First: security Change-Id: I37a9f45e707702b2ec52b5a2d572f177f2911765 (cherry picked from commit 901e34203c6280d414cbfa3978de04fd6515ffdf) Merged-In: I37a9f45e707702b2ec52b5a2d572f177f2911765
BTA sends the HID report pointer to BTIF and deallocates it immediately. This is now prevented by providing a deep copy callback function for HID reports when transferring context from BTA to BTIF. This is a backport of change Icef7a7ed1185b4283ee4fe4f812ca154d8f1b825, already merged on T for b/227620181. Bug: 228837201 Test: Validated against researcher POC, ran BT unit tests, played audio manually. Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:874c495c886cd8722625756dc5fd0634b16b4f42) Merged-In: Ib837f395883de2369207f1b3b974d6bff02dcb19 Change-Id: Ib837f395883de2369207f1b3b974d6bff02dcb19
…uild_uuid_seq"" This reverts commit 487a1079078f3717fdc4665c19a45eca5b3ec5e6. Reason for revert: Reinstate original change for QPR (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a681067af2ea4565543238db3025d749923f63ec) Merged-In: If0528519a29dc73ff99163098da2a05592ab15d8 Change-Id: If0528519a29dc73ff99163098da2a05592ab15d8
This reverts commit d733c86cbc06ce0ec72216b9d41e172d1939c46f.

Function btm_sec_encrypt_change() is called at most places with argument "encr_enable" treated as bool and not as per (tHCI_ENCRYPT_MODE = 0/1/2) expected by the function. The function has special handling for "encr_enable=1" to downgrade the link key type for BR/EDR case. This gets executed even when the caller/context did not mean/expect so. It appears this handling in btm_sec_encrypt_change() is not necessary and is removed by this commit to prevent accidental execution of it.

Test: Verified re-pairing with an iPhone works fine now

Issue Reproduction Steps:
1. Enable Bluetooth Hotspot on Android device (DUT).
2. Pair and connect an iPhone to DUT.
3. Forget this pairing on DUT.
4. On iPhone settings, click on old DUT's paired entry to connect.
5. iPhone notifies to click 'Forget Device' and try fresh pairing.
6. On iPhone, after doing 'Forget Device', discover DUT again.
7. Attempt pairing to DUT by clicking on discovered DUT entry. Pairing will be unsuccessful.

Issue Cause: During re-pairing, DUT is seen to downgrade BR/EDR link key unexpectedly from link key type 0x8 (BTM_LKEY_TYPE_AUTH_COMB_P_256) to 0x5 (BTM_LKEY_TYPE_AUTH_COMB).

Log snippet (re-pairing time):
btm_sec_link_key_notification set new_encr_key_256 to 1
btif_dm_auth_cmpl_evt: Storing link key. key_type=0x8, bond_type=1
btm_sec_encrypt_change new_encr_key_256 is 1
--On DUT, HCI_Encryption_Key_Refresh_Complete event noticed---
btm_sec_encrypt_change new_encr_key_256 is 0 updated link key type to 5
btif_dm_auth_cmpl_evt: Storing link key. key_type=0x5, bond_type=1

This is a backport of the following patch: aosp/1890096

Bug: 258834033 Reason for revert: Reinstate original change for QPR (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:56891eedc68c86b40977191dad28d65ebf86a94f) Merged-In: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6 Change-Id: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6
Added boundary check for gatt_end_operation to prevent writing out of boundary. Since response of the GATT server is handled in gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum length that can be passed into the handlers is bounded by GATT_MAX_MTU_SIZE, which is set to 517, which is greater than GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec that guarantees MTU response to be less than or equal to 512 bytes can cause a buffer overflow when performing memcpy without length check. Bug: 261068592 Test: No test since not affecting behavior Tag: #security Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dd7298e982e4bbf0138a490562679c9a4a755200) Merged-In: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873 Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
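The MTU-versus-attribute-length mismatch above, as an added example that is not AOSP code: the two constants (517 and 512) are the values the commit message cites, and the ATT Read Response opcode 0x0B is from the ATT protocol; the `gatt_value_t` buffer, the signatures of `gatt_end_operation` and `gatt_process_read_rsp`, and the choice to clamp and flag rather than drop the response are assumptions about the fix, which the commit message does not detail. A constructed full-MTU Read Response (516 value bytes) shows the copy being bounded at 512.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GATT_MAX_MTU_SIZE 517u   /* both limits as cited in the commit message */
#define GATT_MAX_ATTR_LEN 512u
#define ATT_RSP_READ      0x0B   /* ATT Read Response opcode */

/* Assumed shape of the client-side value buffer the response is copied into. */
typedef struct {
    uint8_t  value[GATT_MAX_ATTR_LEN];
    uint16_t len;
} gatt_value_t;

/* Hardened end-of-operation copy: the length from the peer is bounded only by
 * the MTU (517), so clamp it to the buffer (512) before memcpy. Returns the
 * number of bytes stored and reports whether the response was cut. */
static uint16_t gatt_end_operation(gatt_value_t *out, const uint8_t *rsp,
                                   size_t rsp_len, bool *truncated) {
    size_t n = rsp_len;
    *truncated = false;
    if (n > GATT_MAX_ATTR_LEN) {
        n = GATT_MAX_ATTR_LEN;
        *truncated = true;
    }
    memcpy(out->value, rsp, n);
    out->len = (uint16_t)n;
    return out->len;
}

/* Read Response handler: opcode byte followed by up to MTU-1 value bytes.
 * Returns false for a PDU this handler does not accept. */
static bool gatt_process_read_rsp(gatt_value_t *out, const uint8_t *pdu,
                                  size_t pdu_len, bool *truncated) {
    if (pdu == NULL || pdu_len < 1 || pdu_len > GATT_MAX_MTU_SIZE) return false;
    if (pdu[0] != ATT_RSP_READ) return false;
    gatt_end_operation(out, pdu + 1, pdu_len - 1, truncated);
    return true;
}

/* Constructed PDU: opcode plus value_len bytes of 0x41. Returns total length. */
static size_t make_read_rsp(uint8_t *buf, size_t cap, size_t value_len) {
    if (cap < value_len + 1) return 0;
    buf[0] = ATT_RSP_READ;
    memset(buf + 1, 0x41, value_len);
    return value_len + 1;
}

/* Feed a full-MTU response (516 value bytes) and return the stored length. */
static uint16_t demo_full_mtu(bool *truncated) {
    uint8_t pdu[GATT_MAX_MTU_SIZE];
    gatt_value_t v;
    size_t n = make_read_rsp(pdu, sizeof pdu, GATT_MAX_MTU_SIZE - 1);
    if (!gatt_process_read_rsp(&v, pdu, n, truncated)) return 0;
    return v.len;
}

int main(void) {
    bool cut = false;
    return (demo_full_mtu(&cut) == GATT_MAX_ATTR_LEN && cut) ? 0 : 1;
}
```

The point is that the bound belongs at the copy, keyed on the destination's capacity, not on whatever the transport layer already checked: an MTU negotiated above 513 is legal, so the lower layer's length check is not the one that protects `value[]`.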
This is a backport of Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2 to rvc-dev Bug: 280633699 Test: manual Ignore-AOSP-First: security Tag: #security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:26347d4bdba646bbba4d27337d2888a04de42639) Merged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2 Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
Local variables tracking structure size in build_read_multi_rsp are of uint16 type but accept a full uint16 range from function arguments while appending a fixed-length offset. This can lead to an integer overflow and unexpected behavior. Change the locals to size_t, and add a check during reassignment. Bug: 273966636 Test: atest bluetooth_test_gd_unit, net_test_stack_btm Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:53f64274cbf2268ad6db5af9c61ceead9ef64fb0) Merged-In: Iff252f0dd06aac9776e8548631e0b700b3ed85b9 Change-Id: Iff252f0dd06aac9776e8548631e0b700b3ed85b9
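The same-width length arithmetic behind this commit and the earlier min_len change (the uint16 to 32-bit conversion in the AVRCP fix above), as one added example that is not AOSP code: the 2-byte per-value length prefix, the `attr_value_t` record and the function names are assumptions; the 517-byte output capacity is the GATT_MAX_MTU_SIZE value the page cites. `total_len_uint16` keeps the running total in `uint16_t` and returns the wrapped value without writing; `build_read_multi_rsp` does the same accounting in `size_t` with a headroom check before each copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GATT_MAX_MTU_SIZE 517u   /* response buffer capacity, from the page */
#define VALUE_LEN_PREFIX  2u     /* assumed: fixed 2-byte length prefix per value */

typedef struct {
    const uint8_t *data;
    uint16_t len;
} attr_value_t;

/* Vulnerable accumulation: the running total has the same width as the
 * inputs, so len + prefix wraps modulo 65536 and a later "fits in the
 * buffer?" comparison sees a small, wrong number. Returns the wrapped total
 * and writes nothing. */
static uint16_t total_len_uint16(const attr_value_t *vals, size_t n) {
    uint16_t total = 0;
    for (size_t i = 0; i < n; i++)
        total = (uint16_t)(total + vals[i].len + VALUE_LEN_PREFIX);
    return total;
}

/* Hardened builder: size_t arithmetic and a headroom check per value against
 * the MTU-sized output buffer before any byte is written. */
static bool build_read_multi_rsp(uint8_t *out, size_t out_cap,
                                 const attr_value_t *vals, size_t n, size_t *out_len) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = (size_t)vals[i].len + VALUE_LEN_PREFIX;
        if (need > out_cap - total) return false;   /* out_cap >= total here */
        out[total]     = (uint8_t)(vals[i].len & 0xff);
        out[total + 1] = (uint8_t)(vals[i].len >> 8);
        memcpy(out + total + VALUE_LEN_PREFIX, vals[i].data, vals[i].len);
        total += need;
    }
    *out_len = total;
    return true;
}

/* Constructed inputs. The 65534-byte entry never gets copied, so it carries
 * no backing data; it exists only to drive the arithmetic. */
static const uint8_t sample_a[5] = {1, 2, 3, 4, 5};
static const uint8_t sample_b[7] = {9, 8, 7, 6, 5, 4, 3};
static const attr_value_t well_formed[2] = {{sample_a, 5}, {sample_b, 7}};
static const attr_value_t overflowing[2] = {{NULL, 65534}, {sample_b, 7}};

/* Build the well-formed case into an MTU-sized buffer; returns bytes written. */
static size_t demo_well_formed(uint8_t *first_byte) {
    uint8_t out[GATT_MAX_MTU_SIZE];
    size_t n = 0;
    if (!build_read_multi_rsp(out, sizeof out, well_formed, 2, &n)) return 0;
    *first_byte = out[0];
    return n;
}

/* The overflowing case: uint16_t arithmetic reports 9 bytes, the hardened
 * builder refuses it. Returns true when both behave as described. */
static bool demo_overflowing(void) {
    uint8_t out[GATT_MAX_MTU_SIZE];
    size_t n = 0;
    return total_len_uint16(overflowing, 2) == 9
        && !build_read_multi_rsp(out, sizeof out, overflowing, 2, &n);
}

int main(void) {
    uint8_t b = 0;
    return (demo_well_formed(&b) == 16 && b == 5 && demo_overflowing()) ? 0 : 1;
}
```

Widening the local is necessary but not sufficient: the check `need > out_cap - total` is what turns the wider arithmetic into a bound, and it is written with the subtraction on the side that cannot underflow.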
Partner analysis shows that bta_av_rc_msg does not respect handling established for a null browse packet, instead dispatching the null pointer to bta_av_rc_free_browse_msg. Strictly speaking this does not cause a UAF, as osi_free_and_reset will find the null and abort, but it will lead to improper program termination. Handle the case instead. Bug: 269253349 Test: atest bluetooth_test_gd_unit Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9) Merged-In: I4df7045798b663fbefd7434288dc9383216171a7 Change-Id: I4df7045798b663fbefd7434288dc9383216171a7
gatt_cl.cc accesses a header field after the buffer holding it may have been freed. Track the relevant state as a local variable instead. Bug: 274617156 Test: atest: bluetooth, validated against fuzzer Tag: #security Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7a7f7f3311202065de4b2c17b49994053dd1244) Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724 Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724