DivestOS/Patches/LineageOS-16.0/android_system_bt/366135.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Thu, 1 Jun 2023 23:57:58 +0000
Subject: [PATCH] Fix UAF in gatt_cl.cc

gatt_cl.cc accesses a header field after the buffer holding it may have
been freed.

Track the relevant state as a local variable instead.

Bug: 274617156
Test: atest: bluetooth, validated against fuzzer
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7a7f7f3311202065de4b2c17b49994053dd1244)
Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
---
 stack/gatt/gatt_cl.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index 16a7171f6..5e4837020 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -586,12 +586,17 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
 
   memcpy(value.value, p, value.len);
 
+  bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);
+
   if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) {
     gatt_send_prepare_write(tcb, p_clcb);
     return;
   }
 
-  if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {
+  // We now know that we have not terminated, or else we would have returned
+  // early.  We free the buffer only if the subtype is not equal to
+  // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF.
+  if (subtype_is_write_prepare) {
     /* application should verify handle offset
        and value are matched or not */
     gatt_end_operation(p_clcb, p_clcb->status, &value);
16.0: Import and verify picks https://review.lineageos.org/q/topic:P_asb_2022-05 https://review.lineageos.org/q/topic:P_asb_2022-06 https://review.lineageos.org/q/topic:P_asb_2022-07 https://review.lineageos.org/q/topic:P_asb_2022-08 https://review.lineageos.org/q/topic:P_asb_2022-09 https://review.lineageos.org/q/topic:P_asb_2022-10 https://review.lineageos.org/q/topic:P_asb_2022-11 https://review.lineageos.org/q/topic:P_asb_2022-12 https://review.lineageos.org/q/topic:P_asb_2023-01 https://review.lineageos.org/q/topic:P_asb_2023-02 https://review.lineageos.org/q/topic:P_asb_2023-03 https://review.lineageos.org/q/topic:P_asb_2023-04 https://review.lineageos.org/q/topic:P_asb_2023-05 https://review.lineageos.org/q/topic:P_asb_2023-06 https://review.lineageos.org/q/topic:P_asb_2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250 https://review.lineageos.org/q/topic:P_asb_2023-08 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328 https://review.lineageos.org/q/topic:P_asb_2023-09 https://review.lineageos.org/q/topic:P_asb_2023-10 https://review.lineageos.org/q/topic:P_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916 https://review.lineageos.org/q/topic:P_asb_2023-12 https://review.lineageos.org/q/topic:P_asb_2024-01 https://review.lineageos.org/q/topic:P_asb_2024-02 https://review.lineageos.org/q/topic:P_asb_2024-03 https://review.lineageos.org/q/topic:P_asb_2024-04 Signed-off-by: Tavi <tavi@divested.dev> 2024-05-07 19:13:31 -04:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: Brian Delwiche <delwiche@google.com>`
			`Date: Thu, 1 Jun 2023 23:57:58 +0000`
			`Subject: [PATCH] Fix UAF in gatt_cl.cc`

			`gatt_cl.cc accesses a header field after the buffer holding it may have`
			`been freed.`

			`Track the relevant state as a local variable instead.`

			`Bug: 274617156`
			`Test: atest: bluetooth, validated against fuzzer`
			`Tag: #security`
			`Ignore-AOSP-First: Security`
			`(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7a7f7f3311202065de4b2c17b49994053dd1244)`
			`Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724`
			`Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724`
			`---`
			`stack/gatt/gatt_cl.cc \| 7 ++++++-`
			`1 file changed, 6 insertions(+), 1 deletion(-)`

			`diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc`
			`index 16a7171f6..5e4837020 100644`
			`--- a/stack/gatt/gatt_cl.cc`
			`+++ b/stack/gatt/gatt_cl.cc`
			`@@ -586,12 +586,17 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,`

			`memcpy(value.value, p, value.len);`

			`+ bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);`
			`+`
			`if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) {`
			`gatt_send_prepare_write(tcb, p_clcb);`
			`return;`
			`}`

			`- if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {`
			`+ // We now know that we have not terminated, or else we would have returned`
			`+ // early. We free the buffer only if the subtype is not equal to`
			`+ // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF.`
			`+ if (subtype_is_write_prepare) {`
			`/* application should verify handle offset`
			`and value are matched or not */`
			`gatt_end_operation(p_clcb, p_clcb->status, &value);`