DivestOS/Patches/LineageOS-14.1/android_system_bt/376463.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Sat, 2 Sep 2023 04:20:10 +0000
Subject: [PATCH] Reject access to secure service authenticated from a temp
 bonding [1]

Rejecct access to services running on l2cap

Backport of
Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3

Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d)
Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
---
 stack/btm/btm_sec.c | 41 +++++++++++++++++++++++++++++++++++++----
 1 file changed, 37 insertions(+), 4 deletions(-)

diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c
index f8884b917..44d510d3b 100644
--- a/stack/btm/btm_sec.c
+++ b/stack/btm/btm_sec.c
@@ -106,7 +106,7 @@ static BOOLEAN  btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_
                                             UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
                                             UINT32 mx_chan_id);
 
-static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);
+static BOOLEAN btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec);
 static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);
 static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);
 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec);
@@ -145,7 +145,7 @@ static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
 ** Returns          BOOLEAN TRUE or FALSE
 **
 *******************************************************************************/
-static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)
+static BOOLEAN btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec)
 {
     if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)
     {
@@ -229,6 +229,26 @@ static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *
     return(FALSE);
 }
 
+/*******************************************************************************
+**
+** Function         access_secure_service_from_temp_bond
+**
+** Description      a utility function to test whether an access to
+**                  secure service from temp bonding is happening
+**
+** Returns          true if the aforementioned condition holds,
+**                  false otherwise
+**
+*******************************************************************************/
+static BOOLEAN access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec,
+                                                    bool locally_initiated,
+                                                    uint16_t security_req)
+{
+    return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
+    btm_dev_authenticated(p_dev_rec) &&
+     p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
+}
+
 /*******************************************************************************
 **
 ** Function         BTM_SecRegister
@@ -2215,10 +2235,15 @@ tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle
 
         if (rc == BTM_SUCCESS)
         {
+            if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required))
+            {
+                LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
+                rc = BTM_FAILED_ON_SECURITY;
+            }
             if (p_callback)
-                (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
+                (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc);
 
-            return(BTM_SUCCESS);
+            return (rc);
         }
     }
     else
@@ -5569,6 +5594,14 @@ extern tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
         }
     }
 
+    if (access_secure_service_from_temp_bond(p_dev_rec,
+                                             p_dev_rec->is_originator,
+                                             p_dev_rec->security_required))
+    {
+        LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
+        return (BTM_FAILED_ON_SECURITY);
+    }
+
     /* All required  security procedures already established */
     p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
                                       BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
Churn Signed-off-by: Tad <tad@spotco.us> 2023-12-07 00:16:40 -05:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
14.1: December ASB picks Signed-off-by: Tad <tad@spotco.us> 2023-12-07 00:07:00 -05:00			`From: Hui Peng <phui@google.com>`
			`Date: Sat, 2 Sep 2023 04:20:10 +0000`
			`Subject: [PATCH] Reject access to secure service authenticated from a temp`
			`bonding [1]`

			`Rejecct access to services running on l2cap`

			`Backport of`
			`Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3`

			`Bug: 294854926`
			`Test: m com.android.btservices`
			`Ignore-AOSP-First: security`
			`(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d)`
			`Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3`
			`Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3`
			`---`
			`stack/btm/btm_sec.c \| 41 +++++++++++++++++++++++++++++++++++++----`
			`1 file changed, 37 insertions(+), 4 deletions(-)`

			`diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c`
Churn Signed-off-by: Tad <tad@spotco.us> 2023-12-07 00:16:40 -05:00			`index f8884b917..44d510d3b 100644`
14.1: December ASB picks Signed-off-by: Tad <tad@spotco.us> 2023-12-07 00:07:00 -05:00			`--- a/stack/btm/btm_sec.c`
			`+++ b/stack/btm/btm_sec.c`
			`@@ -106,7 +106,7 @@ static BOOLEAN btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_`
			`UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,`
			`UINT32 mx_chan_id);`

			`-static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);`
			`+static BOOLEAN btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec);`
			`static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);`
			`static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);`
			`static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC p_dev_rec, tBTM_SEC_SERV_REC p_serv_rec);`
			`@@ -145,7 +145,7 @@ static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =`
			`** Returns BOOLEAN TRUE or FALSE`
			`**`
			`*******************************************************************************/`
			`-static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)`
			`+static BOOLEAN btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec)`
			`{`
			`if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)`
			`{`
			`@@ -229,6 +229,26 @@ static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC p_dev_rec, tBTM_SEC_SERV_REC `
			`return(FALSE);`
			`}`

			`+/*******************************************************************************`
			`+**`
			`+** Function access_secure_service_from_temp_bond`
			`+**`
			`+** Description a utility function to test whether an access to`
			`+** secure service from temp bonding is happening`
			`+**`
			`+** Returns true if the aforementioned condition holds,`
			`+** false otherwise`
			`+**`
			`+*******************************************************************************/`
			`+static BOOLEAN access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec,`
			`+ bool locally_initiated,`
			`+ uint16_t security_req)`
			`+{`
			`+ return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&`
			`+ btm_dev_authenticated(p_dev_rec) &&`
			`+ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;`
			`+}`
			`+`
			`/*******************************************************************************`
			`**`
			`** Function BTM_SecRegister`
			`@@ -2215,10 +2235,15 @@ tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle`

			`if (rc == BTM_SUCCESS)`
			`{`
			`+ if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required))`
			`+ {`
			`+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");`
			`+ rc = BTM_FAILED_ON_SECURITY;`
			`+ }`
			`if (p_callback)`
			`- (p_callback) (bd_addr, transport, (void )p_ref_data, BTM_SUCCESS);`
			`+ (p_callback)(&bd_addr, transport, (void)p_ref_data, rc);`

			`- return(BTM_SUCCESS);`
			`+ return (rc);`
			`}`
			`}`
			`else`
Churn Signed-off-by: Tad <tad@spotco.us> 2023-12-07 00:16:40 -05:00			`@@ -5569,6 +5594,14 @@ extern tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)`
14.1: December ASB picks Signed-off-by: Tad <tad@spotco.us> 2023-12-07 00:07:00 -05:00			`}`
			`}`

			`+ if (access_secure_service_from_temp_bond(p_dev_rec,`
			`+ p_dev_rec->is_originator,`
			`+ p_dev_rec->security_required))`
			`+ {`
			`+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");`
			`+ return (BTM_FAILED_ON_SECURITY);`
			`+ }`
			`+`
			`/* All required security procedures already established */`
			`p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE \| BTM_SEC_IN_AUTHORIZE \|`
			`BTM_SEC_OUT_AUTHENTICATE \| BTM_SEC_IN_AUTHENTICATE \|`