DivestOS/Patches/LineageOS-14.1/android_system_bt/376463.patch

104 lines
4.4 KiB
Diff
Raw Normal View History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Sat, 2 Sep 2023 04:20:10 +0000
Subject: [PATCH] Reject access to secure service authenticated from a temp
bonding [1]
Rejecct access to services running on l2cap
Backport of
Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d)
Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
---
stack/btm/btm_sec.c | 41 +++++++++++++++++++++++++++++++++++++----
1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c
index f8884b917..44d510d3b 100644
--- a/stack/btm/btm_sec.c
+++ b/stack/btm/btm_sec.c
@@ -106,7 +106,7 @@ static BOOLEAN btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_
UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
UINT32 mx_chan_id);
-static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);
+static BOOLEAN btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec);
static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);
static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);
static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec);
@@ -145,7 +145,7 @@ static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
** Returns BOOLEAN TRUE or FALSE
**
*******************************************************************************/
-static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)
+static BOOLEAN btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec)
{
if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)
{
@@ -229,6 +229,26 @@ static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *
return(FALSE);
}
+/*******************************************************************************
+**
+** Function access_secure_service_from_temp_bond
+**
+** Description a utility function to test whether an access to
+** secure service from temp bonding is happening
+**
+** Returns true if the aforementioned condition holds,
+** false otherwise
+**
+*******************************************************************************/
+static BOOLEAN access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec,
+ bool locally_initiated,
+ uint16_t security_req)
+{
+ return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
+ btm_dev_authenticated(p_dev_rec) &&
+ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
+}
+
/*******************************************************************************
**
** Function BTM_SecRegister
@@ -2215,10 +2235,15 @@ tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle
if (rc == BTM_SUCCESS)
{
+ if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required))
+ {
+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
+ rc = BTM_FAILED_ON_SECURITY;
+ }
if (p_callback)
- (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
+ (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc);
- return(BTM_SUCCESS);
+ return (rc);
}
}
else
@@ -5569,6 +5594,14 @@ extern tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
}
}
+ if (access_secure_service_from_temp_bond(p_dev_rec,
+ p_dev_rec->is_originator,
+ p_dev_rec->security_required))
+ {
+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
+ return (BTM_FAILED_ON_SECURITY);
+ }
+
/* All required security procedures already established */
p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |