DivestOS/Patches/LineageOS-14.1/android_system_bt/385236.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ugo Yu <ugoyu@google.com>
Date: Thu, 29 Nov 2018 17:55:40 +0800
Subject: [PATCH] Fix OOB caused by invalid SMP packet length

Bug: 111850706
Bug: 111213909
Bug: 111214770
Bug: 111214470
Test: PoC, Manully
Change-Id: I889d2de97b1aab706c850a950f668aba558f240f
---
 stack/smp/smp_act.c   | 34 ++++++++++++++++++++++++++++++++++
 stack/smp/smp_int.h   |  1 +
 stack/smp/smp_utils.c | 29 +++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+)

diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c
index fffee6f75..675a99600 100644
--- a/stack/smp/smp_act.c
+++ b/stack/smp/smp_act.c
@@ -579,6 +579,14 @@ void smp_proc_pair_cmd(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
 
     p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
 
+    if (smp_command_has_invalid_length(p_cb))
+    {
+        reason = SMP_INVALID_PARAMETERS;
+        android_errorWriteLog(0x534e4554, "111850706");
+        smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+        return;
+    }
+
     STREAM_TO_UINT8(p_cb->peer_io_caps, p);
     STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
     STREAM_TO_UINT8(p_cb->peer_auth_req, p);
@@ -889,6 +897,14 @@ void smp_br_process_pairing_command(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
 
     p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
 
+    if (smp_command_has_invalid_length(p_cb))
+    {
+        reason = SMP_INVALID_PARAMETERS;
+        android_errorWriteLog(0x534e4554, "111213909");
+        smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
+        return;
+    }
+
     STREAM_TO_UINT8(p_cb->peer_io_caps, p);
     STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
     STREAM_TO_UINT8(p_cb->peer_auth_req, p);
@@ -1106,9 +1122,18 @@ void smp_proc_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
 void smp_proc_id_addr(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
 {
     UINT8   *p = (UINT8 *)p_data;
+    UINT8   reason = SMP_INVALID_PARAMETERS;
     tBTM_LE_KEY_VALUE pid_key;
 
     SMP_TRACE_DEBUG("%s", __func__);
+
+    if (smp_command_has_invalid_parameters(p_cb))
+    {
+        android_errorWriteLog(0x534e4554, "111214770");
+        smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+        return;
+    }
+
     smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ID, TRUE);
 
     STREAM_TO_UINT8(pid_key.pid_key.addr_type, p);
@@ -1133,8 +1158,17 @@ void smp_proc_id_addr(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
 void smp_proc_srk_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
 {
     tBTM_LE_KEY_VALUE le_key;
+    UINT8 reason = SMP_INVALID_PARAMETERS;
 
     SMP_TRACE_DEBUG("%s", __func__);
+
+    if (smp_command_has_invalid_parameters(p_cb))
+    {
+        android_errorWriteLog(0x534e4554, "111214470");
+        smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+        return;
+    }
+
     smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_CSRK, TRUE);
 
     /* save CSRK to security record */
diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h
index aea85380e..bfac772b9 100644
--- a/stack/smp/smp_int.h
+++ b/stack/smp/smp_int.h
@@ -488,6 +488,7 @@ extern void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b);
 extern BOOLEAN smp_encrypt_data (UINT8 *key, UINT8 key_len,
                                  UINT8 *plain_text, UINT8 pt_len,
                                  tSMP_ENC *p_out);
+extern BOOLEAN smp_command_has_invalid_length(tSMP_CB *p_cb);
 extern BOOLEAN smp_command_has_invalid_parameters(tSMP_CB *p_cb);
 extern void smp_reject_unexpected_pairing_command(BD_ADDR bd_addr);
 extern tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB *p_cb);
diff --git a/stack/smp/smp_utils.c b/stack/smp/smp_utils.c
index 6ea98f4ba..ec6f0307d 100644
--- a/stack/smp/smp_utils.c
+++ b/stack/smp/smp_utils.c
@@ -962,6 +962,35 @@ void smp_proc_pairing_cmpl(tSMP_CB *p_cb)
         (*p_callback) (SMP_COMPLT_EVT, pairing_bda, &evt_data);
 }
 
+/*******************************************************************************
+ *
+ * Function         smp_command_has_invalid_length
+ *
+ * Description      Checks if the received SMP command has invalid length
+ *                  It returns true if the command has invalid length.
+ *
+ * Returns          true if the command has invalid length, false otherwise.
+ *
+ ******************************************************************************/
+BOOLEAN smp_command_has_invalid_length(tSMP_CB* p_cb)
+{
+    UINT8 cmd_code = p_cb->rcvd_cmd_code;
+
+    if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
+        (cmd_code < SMP_OPCODE_MIN))
+    {
+        SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
+                          __func__, cmd_code);
+        return TRUE;
+    }
+
+    if (!smp_command_has_valid_fixed_length(p_cb)) {
+        return TRUE;
+    }
+
+    return FALSE;
+}
+
 /*******************************************************************************
 **
 ** Function         smp_command_has_invalid_parameters
Churn Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:25:46 -05:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
14/19/20: ASB Picks Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:05:06 -05:00			`From: Ugo Yu <ugoyu@google.com>`
			`Date: Thu, 29 Nov 2018 17:55:40 +0800`
			`Subject: [PATCH] Fix OOB caused by invalid SMP packet length`

			`Bug: 111850706`
			`Bug: 111213909`
			`Bug: 111214770`
			`Bug: 111214470`
			`Test: PoC, Manully`
			`Change-Id: I889d2de97b1aab706c850a950f668aba558f240f`
			`---`
			`stack/smp/smp_act.c \| 34 ++++++++++++++++++++++++++++++++++`
			`stack/smp/smp_int.h \| 1 +`
			`stack/smp/smp_utils.c \| 29 +++++++++++++++++++++++++++++`
			`3 files changed, 64 insertions(+)`

			`diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c`
Churn Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:25:46 -05:00			`index fffee6f75..675a99600 100644`
14/19/20: ASB Picks Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:05:06 -05:00			`--- a/stack/smp/smp_act.c`
			`+++ b/stack/smp/smp_act.c`
			`@@ -579,6 +579,14 @@ void smp_proc_pair_cmd(tSMP_CB p_cb, tSMP_INT_DATA p_data)`

			`p_cb->flags \|= SMP_PAIR_FLAG_ENC_AFTER_PAIR;`

			`+ if (smp_command_has_invalid_length(p_cb))`
			`+ {`
			`+ reason = SMP_INVALID_PARAMETERS;`
			`+ android_errorWriteLog(0x534e4554, "111850706");`
			`+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);`
			`+ return;`
			`+ }`
			`+`
			`STREAM_TO_UINT8(p_cb->peer_io_caps, p);`
			`STREAM_TO_UINT8(p_cb->peer_oob_flag, p);`
			`STREAM_TO_UINT8(p_cb->peer_auth_req, p);`
Churn Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:25:46 -05:00			`@@ -889,6 +897,14 @@ void smp_br_process_pairing_command(tSMP_CB p_cb, tSMP_INT_DATA p_data)`
14/19/20: ASB Picks Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:05:06 -05:00
			`p_cb->flags \|= SMP_PAIR_FLAG_ENC_AFTER_PAIR;`

			`+ if (smp_command_has_invalid_length(p_cb))`
			`+ {`
			`+ reason = SMP_INVALID_PARAMETERS;`
			`+ android_errorWriteLog(0x534e4554, "111213909");`
			`+ smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);`
			`+ return;`
			`+ }`
			`+`
			`STREAM_TO_UINT8(p_cb->peer_io_caps, p);`
			`STREAM_TO_UINT8(p_cb->peer_oob_flag, p);`
			`STREAM_TO_UINT8(p_cb->peer_auth_req, p);`
Churn Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:25:46 -05:00			`@@ -1106,9 +1122,18 @@ void smp_proc_id_info(tSMP_CB p_cb, tSMP_INT_DATA p_data)`
14/19/20: ASB Picks Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:05:06 -05:00			`void smp_proc_id_addr(tSMP_CB p_cb, tSMP_INT_DATA p_data)`
			`{`
			`UINT8 p = (UINT8 )p_data;`
			`+ UINT8 reason = SMP_INVALID_PARAMETERS;`
			`tBTM_LE_KEY_VALUE pid_key;`

			`SMP_TRACE_DEBUG("%s", __func__);`
			`+`
			`+ if (smp_command_has_invalid_parameters(p_cb))`
			`+ {`
			`+ android_errorWriteLog(0x534e4554, "111214770");`
			`+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);`
			`+ return;`
			`+ }`
			`+`
			`smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ID, TRUE);`

			`STREAM_TO_UINT8(pid_key.pid_key.addr_type, p);`
Churn Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:25:46 -05:00			`@@ -1133,8 +1158,17 @@ void smp_proc_id_addr(tSMP_CB p_cb, tSMP_INT_DATA p_data)`
14/19/20: ASB Picks Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:05:06 -05:00			`void smp_proc_srk_info(tSMP_CB p_cb, tSMP_INT_DATA p_data)`
			`{`
			`tBTM_LE_KEY_VALUE le_key;`
			`+ UINT8 reason = SMP_INVALID_PARAMETERS;`

			`SMP_TRACE_DEBUG("%s", __func__);`
			`+`
			`+ if (smp_command_has_invalid_parameters(p_cb))`
			`+ {`
			`+ android_errorWriteLog(0x534e4554, "111214470");`
			`+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);`
			`+ return;`
			`+ }`
			`+`
			`smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_CSRK, TRUE);`

			`/* save CSRK to security record */`
			`diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h`
Churn Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:25:46 -05:00			`index aea85380e..bfac772b9 100644`
14/19/20: ASB Picks Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:05:06 -05:00			`--- a/stack/smp/smp_int.h`
			`+++ b/stack/smp/smp_int.h`
			`@@ -488,6 +488,7 @@ extern void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b);`
			`extern BOOLEAN smp_encrypt_data (UINT8 *key, UINT8 key_len,`
			`UINT8 *plain_text, UINT8 pt_len,`
			`tSMP_ENC *p_out);`
			`+extern BOOLEAN smp_command_has_invalid_length(tSMP_CB *p_cb);`
			`extern BOOLEAN smp_command_has_invalid_parameters(tSMP_CB *p_cb);`
			`extern void smp_reject_unexpected_pairing_command(BD_ADDR bd_addr);`
			`extern tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB *p_cb);`
			`diff --git a/stack/smp/smp_utils.c b/stack/smp/smp_utils.c`
Churn Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:25:46 -05:00			`index 6ea98f4ba..ec6f0307d 100644`
14/19/20: ASB Picks Signed-off-by: Tavi <tavi@divested.dev> 2024-03-09 11:05:06 -05:00			`--- a/stack/smp/smp_utils.c`
			`+++ b/stack/smp/smp_utils.c`
			`@@ -962,6 +962,35 @@ void smp_proc_pairing_cmpl(tSMP_CB *p_cb)`
			`(*p_callback) (SMP_COMPLT_EVT, pairing_bda, &evt_data);`
			`}`

			`+/*******************************************************************************`
			`+ *`
			`+ * Function smp_command_has_invalid_length`
			`+ *`
			`+ * Description Checks if the received SMP command has invalid length`
			`+ * It returns true if the command has invalid length.`
			`+ *`
			`+ * Returns true if the command has invalid length, false otherwise.`
			`+ *`
			`+ ******************************************************************************/`
			`+BOOLEAN smp_command_has_invalid_length(tSMP_CB* p_cb)`
			`+{`
			`+ UINT8 cmd_code = p_cb->rcvd_cmd_code;`
			`+`
			`+ if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) \|\|`
			`+ (cmd_code < SMP_OPCODE_MIN))`
			`+ {`
			`+ SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",`
			`+ __func__, cmd_code);`
			`+ return TRUE;`
			`+ }`
			`+`
			`+ if (!smp_command_has_valid_fixed_length(p_cb)) {`
			`+ return TRUE;`
			`+ }`
			`+`
			`+ return FALSE;`
			`+}`
			`+`
			`/*******************************************************************************`
			`**`
			`** Function smp_command_has_invalid_parameters`