mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
15/16: two missing system/bt fixes
Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad
parent
9926f25ada
commit
0310c702c7
30
Patches/LineageOS-15.1/android_system_bt/377030.patch
Normal file
30
Patches/LineageOS-15.1/android_system_bt/377030.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From 2b22ff4cc93a2824e14970d212493245362c78d1 Mon Sep 17 00:00:00 2001
|
||||
From: balakrishna <quic_kunthumu@quicinc.com>
|
||||
Date: Wed, 24 May 2023 13:28:21 +0530
|
||||
Subject: [PATCH] Fix OOB Write in pin_reply in bluetooth.cc
|
||||
|
||||
Root cause:
|
||||
if the length of "pin_code" is greater than 16,
|
||||
an OOBW will be triggered due to a missing bounds check.
|
||||
|
||||
Fix:
|
||||
Check is added to avoid Out of Bound Write.
|
||||
|
||||
CRs-Fixed: 3507292
|
||||
Change-Id: I15a1eae59b17f633e29180a01676c260189b8353
|
||||
---
|
||||
btif/src/bluetooth.cc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
|
||||
index b01a4aa30..609ef7a98 100644
|
||||
--- a/btif/src/bluetooth.cc
|
||||
+++ b/btif/src/bluetooth.cc
|
||||
@@ -327,6 +327,7 @@ static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len,
|
||||
bt_pin_code_t tmp_pin_code;
|
||||
/* sanity check */
|
||||
if (interface_ready() == false) return BT_STATUS_NOT_READY;
|
||||
+ if (pin_code == nullptr || pin_len > PIN_CODE_LEN) return BT_STATUS_FAIL;
|
||||
|
||||
memcpy(&tmp_pin_code, pin_code, pin_len);
|
||||
return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code);
|
||||
35
Patches/LineageOS-15.1/android_system_bt/377031.patch
Normal file
35
Patches/LineageOS-15.1/android_system_bt/377031.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 1b97ac8d26a07231e48bfa90ea653d8cd8104428 Mon Sep 17 00:00:00 2001
|
||||
From: balakrishna <quic_kunthumu@quicinc.com>
|
||||
Date: Tue, 7 Mar 2023 16:53:46 +0530
|
||||
Subject: [PATCH] BT: Fixing the rfc_slot_id overflow
|
||||
|
||||
Root cause:
|
||||
overflow causing leak in slot fds.
|
||||
As slot id 0 not valid, we are not able to release these fds later.
|
||||
|
||||
Fix:
|
||||
Changes are made to avoid overflow while allocate rfc slots.
|
||||
|
||||
CRs-Fixed: 3417458
|
||||
Change-Id: I5d7efa34bfb97a6dd8e9d68615d29120a0ae51f0
|
||||
---
|
||||
btif/src/btif_sock_rfc.cc | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/btif/src/btif_sock_rfc.cc b/btif/src/btif_sock_rfc.cc
|
||||
index 0403c588a..b56fbe12b 100644
|
||||
--- a/btif/src/btif_sock_rfc.cc
|
||||
+++ b/btif/src/btif_sock_rfc.cc
|
||||
@@ -215,7 +215,11 @@ static rfc_slot_t* alloc_rfc_slot(const RawAddress* addr, const char* name,
|
||||
}
|
||||
|
||||
// Increment slot id and make sure we don't use id=0.
|
||||
- if (++rfc_slot_id == 0) rfc_slot_id = 1;
|
||||
+ if (UINT32_MAX == rfc_slot_id) {
|
||||
+ rfc_slot_id = 1;
|
||||
+ } else {
|
||||
+ ++rfc_slot_id;
|
||||
+ }
|
||||
|
||||
slot->fd = fds[0];
|
||||
slot->app_fd = fds[1];
|
||||
@ -0,0 +1,30 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: balakrishna <quic_kunthumu@quicinc.com>
|
||||
Date: Wed, 24 May 2023 13:28:21 +0530
|
||||
Subject: [PATCH] Fix OOB Write in pin_reply in bluetooth.cc
|
||||
|
||||
Root cause:
|
||||
if the length of "pin_code" is greater than 16,
|
||||
an OOBW will be triggered due to a missing bounds check.
|
||||
|
||||
Fix:
|
||||
Check is added to avoid Out of Bound Write.
|
||||
|
||||
CRs-Fixed: 3507292
|
||||
Change-Id: I15a1eae59b17f633e29180a01676c260189b8353
|
||||
---
|
||||
btif/src/bluetooth.cc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
|
||||
index fa695e323..e6b72d174 100644
|
||||
--- a/btif/src/bluetooth.cc
|
||||
+++ b/btif/src/bluetooth.cc
|
||||
@@ -296,6 +296,7 @@ static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len,
|
||||
bt_pin_code_t tmp_pin_code;
|
||||
/* sanity check */
|
||||
if (!interface_ready()) return BT_STATUS_NOT_READY;
|
||||
+ if (pin_code == nullptr || pin_len > PIN_CODE_LEN) return BT_STATUS_FAIL;
|
||||
|
||||
memcpy(&tmp_pin_code, pin_code, pin_len);
|
||||
return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code);
|
||||
35
Patches/LineageOS-16.0/android_system_bt/377031.patch
Normal file
35
Patches/LineageOS-16.0/android_system_bt/377031.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 1b97ac8d26a07231e48bfa90ea653d8cd8104428 Mon Sep 17 00:00:00 2001
|
||||
From: balakrishna <quic_kunthumu@quicinc.com>
|
||||
Date: Tue, 7 Mar 2023 16:53:46 +0530
|
||||
Subject: [PATCH] BT: Fixing the rfc_slot_id overflow
|
||||
|
||||
Root cause:
|
||||
overflow causing leak in slot fds.
|
||||
As slot id 0 not valid, we are not able to release these fds later.
|
||||
|
||||
Fix:
|
||||
Changes are made to avoid overflow while allocate rfc slots.
|
||||
|
||||
CRs-Fixed: 3417458
|
||||
Change-Id: I5d7efa34bfb97a6dd8e9d68615d29120a0ae51f0
|
||||
---
|
||||
btif/src/btif_sock_rfc.cc | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/btif/src/btif_sock_rfc.cc b/btif/src/btif_sock_rfc.cc
|
||||
index 0403c588a..b56fbe12b 100644
|
||||
--- a/btif/src/btif_sock_rfc.cc
|
||||
+++ b/btif/src/btif_sock_rfc.cc
|
||||
@@ -215,7 +215,11 @@ static rfc_slot_t* alloc_rfc_slot(const RawAddress* addr, const char* name,
|
||||
}
|
||||
|
||||
// Increment slot id and make sure we don't use id=0.
|
||||
- if (++rfc_slot_id == 0) rfc_slot_id = 1;
|
||||
+ if (UINT32_MAX == rfc_slot_id) {
|
||||
+ rfc_slot_id = 1;
|
||||
+ } else {
|
||||
+ ++rfc_slot_id;
|
||||
+ }
|
||||
|
||||
slot->fd = fds[0];
|
||||
slot->app_fd = fds[1];
|
||||
@ -490,6 +490,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/377019.patch"; #R_asb_2023-12 Reject
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377020-backport.patch"; #R_asb_2023-12 Reorganize the code for checking auth requirement
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377021.patch"; #R_asb_2023-12 Enforce authentication if encryption is required
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377023-backport.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377030.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377031.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/ca-certificates"; then
|
||||
|
||||
@ -383,6 +383,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/377019.patch"; #R_asb_2023-12 Reject
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377020.patch"; #R_asb_2023-12 Reorganize the code for checking auth requirement
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377021.patch"; #R_asb_2023-12 Enforce authentication if encryption is required
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377023-backport.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377030.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377031-backport.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow
|
||||
#applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
|
||||
fi;
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user