From 0310c702c745e74070f3876a4503a0b08c7b7cdf Mon Sep 17 00:00:00 2001
From: Tad
Date: Tue, 12 Dec 2023 13:58:25 -0500
Subject: [PATCH] 15/16: two missing system/bt fixes

Signed-off-by: Tad
---
 .../android_system_bt/377030.patch | 30 ++++++++++++++++
 .../android_system_bt/377031.patch | 35 +++++++++++++++++++
 .../android_system_bt/377030-backport.patch | 30 ++++++++++++++++
 .../android_system_bt/377031.patch | 35 +++++++++++++++++++
 Scripts/LineageOS-15.1/Patch.sh | 2 ++
 Scripts/LineageOS-16.0/Patch.sh | 2 ++
 6 files changed, 134 insertions(+)
 create mode 100644 Patches/LineageOS-15.1/android_system_bt/377030.patch
 create mode 100644 Patches/LineageOS-15.1/android_system_bt/377031.patch
 create mode 100644 Patches/LineageOS-16.0/android_system_bt/377030-backport.patch
 create mode 100644 Patches/LineageOS-16.0/android_system_bt/377031.patch

diff --git a/Patches/LineageOS-15.1/android_system_bt/377030.patch b/Patches/LineageOS-15.1/android_system_bt/377030.patch
new file mode 100644
index 00000000..7d499252
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_system_bt/377030.patch
@@ -0,0 +1,30 @@
+From 2b22ff4cc93a2824e14970d212493245362c78d1 Mon Sep 17 00:00:00 2001
+From: balakrishna
+Date: Wed, 24 May 2023 13:28:21 +0530
+Subject: [PATCH] Fix OOB Write in pin_reply in bluetooth.cc
+
+Root cause:
+if the length of "pin_code" is greater than 16,
+an OOBW will be triggered due to a missing bounds check.
+
+Fix:
+Check is added to avoid Out of Bound Write.
+
+CRs-Fixed: 3507292
+Change-Id: I15a1eae59b17f633e29180a01676c260189b8353
+---
+ btif/src/bluetooth.cc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
+index b01a4aa30..609ef7a98 100644
+--- a/btif/src/bluetooth.cc
++++ b/btif/src/bluetooth.cc
+@@ -327,6 +327,7 @@ static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len,
+ bt_pin_code_t tmp_pin_code;
+ /* sanity check */
+ if (interface_ready() == false) return BT_STATUS_NOT_READY;
++ if (pin_code == nullptr || pin_len > PIN_CODE_LEN) return BT_STATUS_FAIL;
+
+ memcpy(&tmp_pin_code, pin_code, pin_len);
+ return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code);
diff --git a/Patches/LineageOS-15.1/android_system_bt/377031.patch b/Patches/LineageOS-15.1/android_system_bt/377031.patch
new file mode 100644
index 00000000..22bd1610
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_system_bt/377031.patch
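Review bot: The added guard in pin_reply bounds pin_len by the PIN_CODE_LEN constant rather than by the object the following memcpy writes into, so the check and the destination can silently drift apart if bt_pin_code_t is ever changed; tying it to the buffer, `if (pin_code == nullptr || pin_len > sizeof(tmp_pin_code)) return BT_STATUS_FAIL;`, keeps the bound self-evidently tied to the write. That assumes bt_pin_code_t is nothing more than the PIN_CODE_LEN-byte array, which this hunk does not show, so confirm before switching. The same added line appears in the LineageOS-16.0 copy of this patch (377030-backport.patch) further down and the remark applies there too. pin_reply's signature and the rest of its body lie outside the embedded hunk.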
@@ -0,0 +1,35 @@
+From 1b97ac8d26a07231e48bfa90ea653d8cd8104428 Mon Sep 17 00:00:00 2001
+From: balakrishna
+Date: Tue, 7 Mar 2023 16:53:46 +0530
+Subject: [PATCH] BT: Fixing the rfc_slot_id overflow
+
+Root cause:
+overflow causing leak in slot fds.
+As slot id 0 not valid, we are not able to release these fds later.
+
+Fix:
+Changes are made to avoid overflow while allocate rfc slots.
+
+CRs-Fixed: 3417458
+Change-Id: I5d7efa34bfb97a6dd8e9d68615d29120a0ae51f0
+---
+ btif/src/btif_sock_rfc.cc | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/btif/src/btif_sock_rfc.cc b/btif/src/btif_sock_rfc.cc
+index 0403c588a..b56fbe12b 100644
+--- a/btif/src/btif_sock_rfc.cc
++++ b/btif/src/btif_sock_rfc.cc
+@@ -215,7 +215,11 @@ static rfc_slot_t* alloc_rfc_slot(const RawAddress* addr, const char* name,
+ }
+
+ // Increment slot id and make sure we don't use id=0.
+- if (++rfc_slot_id == 0) rfc_slot_id = 1;
++ if (UINT32_MAX == rfc_slot_id) {
++ rfc_slot_id = 1;
++ } else {
++ ++rfc_slot_id;
++ }
+
+ slot->fd = fds[0];
+ slot->app_fd = fds[1];
diff --git a/Patches/LineageOS-16.0/android_system_bt/377030-backport.patch b/Patches/LineageOS-16.0/android_system_bt/377030-backport.patch
new file mode 100644
index 00000000..eb8291ce
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_bt/377030-backport.patch
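Review bot: The surviving comment `// Increment slot id and make sure we don't use id=0.` no longer explains why the one-liner was expanded into an explicit UINT32_MAX comparison, and the new form produces exactly the same id sequence as the old one for an unsigned counter, so a later reader may well fold it back. The motivation appears to be avoiding the wraparound itself (relying on `++` wrapping to 0 is well-defined for an unsigned type but is flagged if the module is built with an unsigned-integer-overflow sanitizer), and the comment should say so, e.g. `// Wrap explicitly at UINT32_MAX, skipping 0 (not a valid id), instead of relying on the counter overflowing.`. This presumes rfc_slot_id is a uint32_t, which the hunk does not show. The identical hunk is repeated in the LineageOS-16.0 copy of this patch below; alloc_rfc_slot's body continues outside the embedded hunk.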
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: balakrishna
+Date: Wed, 24 May 2023 13:28:21 +0530
+Subject: [PATCH] Fix OOB Write in pin_reply in bluetooth.cc
+
+Root cause:
+if the length of "pin_code" is greater than 16,
+an OOBW will be triggered due to a missing bounds check.
+
+Fix:
+Check is added to avoid Out of Bound Write.
+
+CRs-Fixed: 3507292
+Change-Id: I15a1eae59b17f633e29180a01676c260189b8353
+---
+ btif/src/bluetooth.cc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
+index fa695e323..e6b72d174 100644
+--- a/btif/src/bluetooth.cc
++++ b/btif/src/bluetooth.cc
+@@ -296,6 +296,7 @@ static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len,
+ bt_pin_code_t tmp_pin_code;
+ /* sanity check */
+ if (!interface_ready()) return BT_STATUS_NOT_READY;
++ if (pin_code == nullptr || pin_len > PIN_CODE_LEN) return BT_STATUS_FAIL;
+
+ memcpy(&tmp_pin_code, pin_code, pin_len);
+ return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code);
diff --git a/Patches/LineageOS-16.0/android_system_bt/377031.patch b/Patches/LineageOS-16.0/android_system_bt/377031.patch
new file mode 100644
index 00000000..22bd1610
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_bt/377031.patch
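Review bot: The file created here, Patches/LineageOS-16.0/android_system_bt/377030-backport.patch, is not the name the Scripts/LineageOS-16.0/Patch.sh hunk at the end of this commit applies (`$DOS_PATCHES/android_system_bt/377030.patch`), and the 16.0 377031.patch created in the next file section is conversely applied there as `377031-backport.patch`. As committed, the 16.0 script references two files this commit does not add, so neither bluetooth fix would land on that branch unless applyPatch silently tolerates a missing file, which cannot be seen from this page. Either rename the two new files or change the 16.0 script lines to `applyPatch "$DOS_PATCHES/android_system_bt/377030-backport.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc` and `applyPatch "$DOS_PATCHES/android_system_bt/377031.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow`. The 15.1 script and its two new files are consistent with each other.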
@@ -0,0 +1,35 @@
+From 1b97ac8d26a07231e48bfa90ea653d8cd8104428 Mon Sep 17 00:00:00 2001
+From: balakrishna
+Date: Tue, 7 Mar 2023 16:53:46 +0530
+Subject: [PATCH] BT: Fixing the rfc_slot_id overflow
+
+Root cause:
+overflow causing leak in slot fds.
+As slot id 0 not valid, we are not able to release these fds later.
+
+Fix:
+Changes are made to avoid overflow while allocate rfc slots.
+
+CRs-Fixed: 3417458
+Change-Id: I5d7efa34bfb97a6dd8e9d68615d29120a0ae51f0
+---
+ btif/src/btif_sock_rfc.cc | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/btif/src/btif_sock_rfc.cc b/btif/src/btif_sock_rfc.cc
+index 0403c588a..b56fbe12b 100644
+--- a/btif/src/btif_sock_rfc.cc
++++ b/btif/src/btif_sock_rfc.cc
+@@ -215,7 +215,11 @@ static rfc_slot_t* alloc_rfc_slot(const RawAddress* addr, const char* name,
+ }
+
+ // Increment slot id and make sure we don't use id=0.
+- if (++rfc_slot_id == 0) rfc_slot_id = 1;
++ if (UINT32_MAX == rfc_slot_id) {
++ rfc_slot_id = 1;
++ } else {
++ ++rfc_slot_id;
++ }
+
+ slot->fd = fds[0];
+ slot->app_fd = fds[1];
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh
index b8b74030..d91cfe8d 100644
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@@ -490,6 +490,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/377019.patch"; #R_asb_2023-12 Reject
 applyPatch "$DOS_PATCHES/android_system_bt/377020-backport.patch"; #R_asb_2023-12 Reorganize the code for checking auth requirement
 applyPatch "$DOS_PATCHES/android_system_bt/377021.patch"; #R_asb_2023-12 Enforce authentication if encryption is required
 applyPatch "$DOS_PATCHES/android_system_bt/377023-backport.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
+applyPatch "$DOS_PATCHES/android_system_bt/377030.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc
+applyPatch "$DOS_PATCHES/android_system_bt/377031.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow
 fi;

 if enterAndClear "system/ca-certificates"; then
diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh
index 8c32498c..939c4906 100644
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@@ -383,6 +383,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/377019.patch"; #R_asb_2023-12 Reject
 applyPatch "$DOS_PATCHES/android_system_bt/377020.patch"; #R_asb_2023-12 Reorganize the code for checking auth requirement
 applyPatch "$DOS_PATCHES/android_system_bt/377021.patch"; #R_asb_2023-12 Enforce authentication if encryption is required
 applyPatch "$DOS_PATCHES/android_system_bt/377023-backport.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
+applyPatch "$DOS_PATCHES/android_system_bt/377030.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc
+applyPatch "$DOS_PATCHES/android_system_bt/377031-backport.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow
 #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 fi;