Pull in old cherrypicks + 5 missing patches from syphyr

This adds 3 expat patches for n-asb-2022-09
from https://github.com/syphyr/android_external_expat/commits/cm-14.1
and also applies 2 of them to 15.1

Signed-off-by: Tad <tad@spotco.us>
Tad 2022-09-11 12:25:11 -04:00
parent df3db92d5a
commit 202033c013
GPG key ID: B286E9F57A07424B
89 changed files with 7138 additions and 15 deletions


@ -0,0 +1,50 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sumit Deshmukh <sumitd@codeaurora.org>
Date: Tue, 16 Apr 2019 12:38:32 +0530
Subject: [PATCH] BLE: [IOT] Initiate disconnection when encryption fails
during pairing
Usecase:
1. Keep remote device (IOGEAR Keyboard) in advertising mode.
2. Pair and connect remote device with DUT.
3. Disconnect remote from settings menu.
4. Keep remote back in pairing mode. (This deletes link key
at remote side.)
5. Select remote for connection from Settings menu from
paired devices.
Issue:
Device is seen stuck in "Connecting state" in settings app.
Root Cause:
When pairing is initiated again from DUT (step 5), encryption
change event is received with status "PIN or Key Missing" after
connection complete but disconnection is not initiated by DUT
thereafter.
Fix:
Trigger disconnection if encyption fails with reason like
HCI_ERR_AUTH_FAILURE, HCI_ERR_KEY_MISSING,
HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE etc
CRs-Fixed: 2427750
Change-Id: Ie93938a5dc68c6bbd4b6c375c360f09e797f9e77
---
stack/btm/btm_ble.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/stack/btm/btm_ble.c b/stack/btm/btm_ble.c
index 51fd748c0..6bb85a4ce 100644
--- a/stack/btm/btm_ble.c
+++ b/stack/btm/btm_ble.c
@@ -1643,7 +1643,9 @@ void btm_ble_link_encrypted(BD_ADDR bd_addr, UINT8 encr_enable)
{
if (encr_enable)
btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS, TRUE);
- else if (p_dev_rec->role_master)
+ else if (p_dev_rec->sec_flags & ~BTM_SEC_LE_LINK_KEY_KNOWN) {
+ btm_sec_dev_rec_cback_event(p_dev_rec, BTM_FAILED_ON_SECURITY, TRUE);
+ } else if (p_dev_rec->role_master)
btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, TRUE);
}
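Review bot: The new condition `p_dev_rec->sec_flags & ~BTM_SEC_LE_LINK_KEY_KNOWN` is true whenever any sec_flags bit other than BTM_SEC_LE_LINK_KEY_KNOWN is set, so the BTM_FAILED_ON_SECURITY branch fires for most encryption failures regardless of whether the LE link key is known; if the intent from the description (encryption failing because the key is missing) is to test that the key is absent, `!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN)` expresses that directly. If the broad match is deliberate, a comment such as `/* any security state beyond a known LE key makes this a security failure, not a processing error */` should say so, because `& ~MASK` reads like a typo to the next maintainer. The description says a disconnection is triggered, but the hunk only posts a callback event, so the disconnect presumably happens in the callback consumer outside this file. btm_ble_link_encrypted starts before the hunk.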


@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hansong Zhang <hsz@google.com>
Date: Mon, 7 Jun 2021 11:06:17 -0700
Subject: [PATCH] SMP: Reject pairing if public_key.x match
Bug: 189329824
Test: POC
Test: pair an LE device
Change-Id: If6d8a72075f0cf657cadfab033cacffeb22868cb
Tag: #security
(cherry picked from commit 9fbf77d1a81b3a1e09d4efa96070a568431e844d)
---
stack/smp/smp_act.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c
index 8702e1095..fffee6f75 100644
--- a/stack/smp/smp_act.c
+++ b/stack/smp/smp_act.c
@@ -757,8 +757,7 @@ void smp_process_pairing_public_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
memcpy(pt.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
memcpy(pt.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
- if (!memcmp(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, BT_OCTET32_LEN) &&
- !memcmp(p_cb->peer_publ_key.y, p_cb->loc_publ_key.y, BT_OCTET32_LEN))
+ if (!memcmp(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, BT_OCTET32_LEN))
{
android_errorWriteLog(0x534e4554, "174886838");
SMP_TRACE_WARNING("Remote and local public keys can't match");
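Review bot: The narrowed check drops the y-coordinate comparison without a comment explaining why a matching x alone is grounds for rejection, and a later maintainer may "restore" the two-field compare the old code had. A one-line comment above the `if`, e.g. `/* Reject any peer key whose x equals ours: a reflected key is not made distinct by its y coordinate */`, would anchor the change (adjust the wording to what the bug analysis established). The android_errorWriteLog on the next line still reports the older id 174886838 rather than the 189329824 from this patch's Bug: line; if telemetry should distinguish the two fixes, the id needs updating. smp_process_pairing_public_key continues outside the hunk.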


@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Manton <cmanton@google.com>
Date: Wed, 29 Sep 2021 17:49:25 -0700
Subject: [PATCH] osi: Prevent memory allocations with MSB set
Limit allocations on 32bit to 2 GB
Limit allocations on 64bit to 8 Exabyte
Bug: 197868577
Tag: #refactor
Test: gd/cert/run
Ignore-AOSP-First: Security
Change-Id: I1c347084d7617b1e364a3241f1b37b398a2a6c6a
(cherry picked from commit cee4d086c959e174328a0e173398d99f59ccbb1f)
---
osi/src/allocator.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/osi/src/allocator.c b/osi/src/allocator.c
index 3d821a826..a81a206a9 100644
--- a/osi/src/allocator.c
+++ b/osi/src/allocator.c
@@ -63,6 +63,7 @@ char *osi_strndup(const char *str, size_t len) {
}
void *osi_malloc(size_t size) {
+ assert((ssize_t)size >= 0);
size_t real_size = allocation_tracker_resize_for_canary(size);
void *ptr = malloc(real_size);
assert(ptr);
@@ -70,6 +71,7 @@ void *osi_malloc(size_t size) {
}
void *osi_calloc(size_t size) {
+ assert((ssize_t)size >= 0);
size_t real_size = allocation_tracker_resize_for_canary(size);
void *ptr = calloc(1, real_size);
assert(ptr);
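Review bot: The new guard relies on assert(), so it disappears in any build compiled with NDEBUG, in which case an oversized size still reaches the canary resize and malloc()/calloc(); `assert(ptr)` on the following lines has the same property, so this matches the file's existing convention, but the commit describes the check as a hard limit. If the limit must hold in release builds, an explicit check that calls abort() is needed in both osi_malloc and osi_calloc. `ssize_t` comes from <sys/types.h>; the include list is outside the hunk, so confirm it is already in scope. A comment naming the intent would also help: `/* Reject sizes with the top bit set: 2 GB on 32-bit, 8 EB on 64-bit */`.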


@ -0,0 +1,53 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Manton <cmanton@google.com>
Date: Mon, 8 Nov 2021 16:45:42 -0800
Subject: [PATCH] security: Use-After-Free in btm_sec_[dis]connected
Bug: 201083442
Tag: #security
Test: gd/cert/run
Ignore-AOSP-First: Security
Change-Id: I69c362d1eb644a3b7fd967cd526a8a58c3b4d975
(cherry picked from commit 4f3fdf141b248cacd7c7dd09c06d058931726c98)
Merged-In:I69c362d1eb644a3b7fd967cd526a8a58c3b4d975
---
stack/btm/btm_sec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c
index b27b7e071..175fefeae 100644
--- a/stack/btm/btm_sec.c
+++ b/stack/btm/btm_sec.c
@@ -4472,7 +4472,6 @@ static void btm_sec_connect_after_cc_page_tout (UNUSED_ATTR void *data)
*******************************************************************************/
void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
{
- tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
UINT8 res;
BOOLEAN is_pairing_device = FALSE;
tACL_CONN *p_acl_cb;
@@ -4480,6 +4479,7 @@ void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
btm_acl_resubmit_page();
+ tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
/* Commenting out trace due to obf/compilation problems.
*/
#if (BT_USE_TRACES == TRUE)
@@ -4836,7 +4836,6 @@ tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
*******************************************************************************/
void btm_sec_disconnected (UINT16 handle, UINT8 reason)
{
- tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
UINT8 old_pairing_flags = btm_cb.pairing_flags;
int result = HCI_ERR_AUTH_FAILURE;
tBTM_SEC_CALLBACK *p_callback = NULL;
@@ -4847,6 +4846,7 @@ void btm_sec_disconnected (UINT16 handle, UINT8 reason)
btm_acl_resubmit_page();
+ tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
if (!p_dev_rec)
return;
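Review bot: The moved lookups in btm_sec_connected and btm_sec_disconnected carry no comment saying why the device record must be fetched only after btm_acl_resubmit_page(), so a future tidy-up could hoist the declaration back to the top of the function and reintroduce the use-after-free named in the subject. A why-comment on each moved line, e.g. `/* Look up the record only after btm_acl_resubmit_page(), which can free or replace device records */`, would anchor the ordering; the hunk does not show what resubmit_page does to the records, so word it to match. In btm_sec_connected the null check on the result is not visible in the hunk, so confirm nothing between the new lookup and that check dereferences p_dev_rec. Both functions extend beyond the hunks shown.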


@ -0,0 +1,50 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Martin Brabham <optedoblivion@google.com>
Date: Fri, 29 Oct 2021 21:27:27 +0000
Subject: [PATCH] Reset the IRK after all devices are unpaired
Bug: 204355134
Bug: 195410559
Test: Check IRK, pair devices, unpair all devices, Check IRK
Tag: #security
Change-Id: I8e44f010a72dcdec595d81293a05f49ccc054065
Merged-In: I8e44f010a72dcdec595d81293a05f49ccc054065
(cherry picked from commit 6b3c0f6a368dbf6fe9d0d3ca625d47a69fe15d2f)
Merged-In:I8e44f010a72dcdec595d81293a05f49ccc054065
---
bta/dm/bta_dm_act.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/bta/dm/bta_dm_act.c b/bta/dm/bta_dm_act.c
index ff25cef00..74dc74704 100644
--- a/bta/dm/bta_dm_act.c
+++ b/bta/dm/bta_dm_act.c
@@ -35,6 +35,7 @@
#include "bta_dm_co.h"
#include "bta_dm_int.h"
#include "bta_sys.h"
+#include "btif/include/btif_storage.h"
#include "btm_api.h"
#include "btm_int.h"
#include "btu.h"
@@ -44,6 +45,7 @@
#include "osi/include/log.h"
#include "osi/include/osi.h"
#include "sdp_api.h"
+#include "stack/btm/btm_ble_int.h"
#include "utl.h"
#if (GAP_INCLUDED == TRUE)
@@ -865,6 +867,12 @@ void bta_dm_remove_device(tBTA_DM_MSG *p_data)
BD_ADDR dummy_bda = {0};
if (continue_delete_other_dev && (bdcmp(other_address, dummy_bda) != 0))
bta_dm_process_remove_device(other_address);
+
+ /* Check the length of the paired devices, and if 0 then reset IRK */
+ if (btif_storage_get_num_bonded_devices() < 1) {
+ LOG_INFO(LOG_TAG, "Last paired device removed, resetting IRK");
+ btm_ble_reset_id();
+ }
}
/*******************************************************************************
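Review bot: bta_dm_remove_device now includes btif/include/btif_storage.h and calls btif_storage_get_num_bonded_devices(), which makes the BTA layer depend on the BTIF layer above it; every other include in the hunk is a bta, btm or stack header, so this inverts the existing dependency direction. If the layering matters in this tree, the caller could pass the bonded-device count down, or the IRK reset could be decided in btif_dm once the removal completes. The comment `/* Check the length of the paired devices, and if 0 then reset IRK */` reads better as `/* No bonded devices remain: rotate the IRK */`, stating the reason rather than restating the code. bta_dm_remove_device begins before the hunk.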


@ -0,0 +1,46 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ted Wang <tedwang@google.com>
Date: Thu, 13 Jan 2022 15:00:32 +0800
Subject: [PATCH] Security fix OOB read due to invalid count in
stack/avrc/avrc_pars_ct
Bug: 205837191
Tag: #security
Test: PoC test program
Ignore-AOSP-First: Security
Change-Id: I7b5bcb6551a8c0c015566327e13ba719271ce374
Merged-In: I7b5bcb6551a8c0c015566327e13ba719271ce374
(cherry picked from commit 60a5d2f63bf95ed386a2ca6c43f1d88bb1d07003)
Merged-In:I7b5bcb6551a8c0c015566327e13ba719271ce374
---
stack/avrc/avrc_pars_ct.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/stack/avrc/avrc_pars_ct.c b/stack/avrc/avrc_pars_ct.c
index cff7bffbe..077ef1210 100644
--- a/stack/avrc/avrc_pars_ct.c
+++ b/stack/avrc/avrc_pars_ct.c
@@ -285,6 +285,11 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
__func__, p_result->get_caps.capability_id, p_result->get_caps.count);
if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID)
{
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_COMP_ID)
+ {
+ android_errorWriteLog(0x534e4554, "205837191");
+ return AVRC_STS_INTERNAL_ERR;
+ }
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_COMP_ID) * 3;
if (len < min_len) goto length_error;
for(int xx = 0; ((xx < p_result->get_caps.count) && (xx < AVRC_CAP_MAX_NUM_COMP_ID));
@@ -295,6 +300,11 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
}
else if (p_result->get_caps.capability_id == AVRC_CAP_EVENTS_SUPPORTED)
{
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_EVT_ID)
+ {
+ android_errorWriteLog(0x534e4554, "205837191");
+ return AVRC_STS_INTERNAL_ERR;
+ }
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_EVT_ID);
if (len < min_len) goto length_error;
for(int xx = 0; ((xx < p_result->get_caps.count) && (xx < AVRC_CAP_MAX_NUM_EVT_ID));
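Review bot: After the new upper-bound check, the `MIN(p_result->get_caps.count, ...)` on the following line and the `xx < AVRC_CAP_MAX_NUM_*` clause in the for loop are redundant in both hunks, since count is now known to be at most the maximum; either drop them or leave a comment that the clamp is intentional defence in depth. AVRC_STS_INTERNAL_ERR is returned for a peer-supplied count, i.e. a malformed remote response rather than a local failure; if the parser has a bad-parameter status it would classify the event more accurately for anyone reading logs. A warning trace next to the android_errorWriteLog call would also make the rejected count visible in bug reports. avrc_ctrl_pars_vendor_rsp continues beyond the hunks.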


@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chen Chen <cncn@google.com>
Date: Fri, 15 Apr 2022 14:24:48 -0700
Subject: [PATCH] Security: Fix out of bound write in HFP client
Bug: 224536184
Test: build
Tag: #security
Ignore-AOSP-First: Security bug
Change-Id: I9f0be0de6c4e1569095a43e92e9d8f9d73ca5fda
(cherry picked from commit 01136338f6d739226e027716b6e5304df379fa4c)
Merged-In: I9f0be0de6c4e1569095a43e92e9d8f9d73ca5fda
---
bta/hf_client/bta_hf_client_at.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/bta/hf_client/bta_hf_client_at.c b/bta/hf_client/bta_hf_client_at.c
index 76575f730..f790dd432 100644
--- a/bta/hf_client/bta_hf_client_at.c
+++ b/bta/hf_client/bta_hf_client_at.c
@@ -355,6 +355,10 @@ static void bta_hf_client_handle_cind_list_item(char *name, UINT32 min, UINT32 m
APPL_TRACE_DEBUG("%s %lu.%s <%lu:%lu>", __FUNCTION__, index, name, min, max);
+ if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) {
+ return;
+ }
+
/* look for a matching indicator on list of supported ones */
for(i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++)
{
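Review bot: The new bound check returns silently, so a CIND indicator with an out-of-range index from the peer is dropped with no trace, while the line above logs every item at debug level. A warning such as `APPL_TRACE_WARNING("%s index %lu out of range", __FUNCTION__, index);` before the return would make malformed peer input visible. The check sits after the debug trace, which is fine for a read of index, but confirm that nothing earlier in the function (outside the hunk) already uses index as an array subscript. bta_hf_client_handle_cind_list_item starts before the hunk.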


@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: William Escande <wescande@google.com>
Date: Mon, 2 May 2022 09:48:59 -0700
Subject: [PATCH] Check Avrcp packet vendor length before extracting length
Bug: 205571133
Test: build + ag/18105403 for sts test
Ignore-AOSP-First: Security vulnerability
Change-Id: Ic9fa9400ab15785cfdb251af66b1867daf09570e
(cherry picked from commit 003e42896493afb7a0cd7406720987725d4e9da3)
Merged-In: Ic9fa9400ab15785cfdb251af66b1867daf09570e
---
stack/avrc/avrc_pars_tg.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/stack/avrc/avrc_pars_tg.c b/stack/avrc/avrc_pars_tg.c
index 78bd18a43..d976a0d14 100644
--- a/stack/avrc/avrc_pars_tg.c
+++ b/stack/avrc/avrc_pars_tg.c
@@ -44,6 +44,13 @@ static tAVRC_STS avrc_ctrl_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAN
{
tAVRC_STS status = AVRC_STS_NO_ERROR;
+ if (p_msg->vendor_len < 4)
+ { /* 4 == pdu + reserved byte + len as uint16 */
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
+ __func__, p_msg->vendor_len);
+ android_errorWriteLog(0x534e4554, "205571133");
+ return AVRC_STS_INTERNAL_ERR;
+ }
UINT8 *p = p_msg->p_vendor_data;
p_result->pdu = *p++;
AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);
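Review bot: The new minimum-length check covers only the fixed 4-byte prefix; the 16-bit length field read from the message afterwards still has to be validated against `p_msg->vendor_len - 4` before any pdu-specific payload is parsed, and that code is outside the hunk, so confirm it exists. The `%d` format with vendor_len works through integer promotion if vendor_len is a UINT16 but is mismatched if it is wider; the type is not visible here. The inline comment `/* 4 == pdu + reserved byte + len as uint16 */` is a good anchor for the magic number, and moving it to the line above the `if` keeps the brace line clean. avrc_ctrl_pars_vendor_cmd continues beyond the hunk.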


@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Josh Wu <joshwu@google.com>
Date: Fri, 29 Apr 2022 00:02:23 -0700
Subject: [PATCH] Security: Fix out of bound read in AT_SKIP_REST
Bug: 220732646
Test: build
Tag: #security
Ignore-AOSP-First: Security bug
Change-Id: Ia49f26e4979f9e57c448190a52d0d01b70e342c4
(cherry picked from commit 4ce5a3c374fb5d24f367a202a6a3dcab4ba4dffd)
Merged-In: Ia49f26e4979f9e57c448190a52d0d01b70e342c4
---
bta/hf_client/bta_hf_client_at.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bta/hf_client/bta_hf_client_at.c b/bta/hf_client/bta_hf_client_at.c
index f790dd432..695c4fb32 100644
--- a/bta/hf_client/bta_hf_client_at.c
+++ b/bta/hf_client/bta_hf_client_at.c
@@ -622,7 +622,7 @@ static void bta_hf_client_handle_cgmm(char *manf_model)
buf += sizeof("\r\n") - 1;
/* skip rest of AT string up to <cr> */
-#define AT_SKIP_REST(buf) while(*buf != '\r') buf++;
+#define AT_SKIP_REST(buf) while(*buf != '\r' && *buf != '\0') buf++;
static char *bta_hf_client_parse_ok(char *buffer)
{
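Review bot: The widened macro still expands to an unparenthesized argument followed by a bare statement, so `AT_SKIP_REST(p + 1)` or use inside an unbraced `if` would misbehave; the conventional form is `#define AT_SKIP_REST(buf) do { while (*(buf) != '\r' && *(buf) != '\0') (buf)++; } while (0)`. Every caller that follows the macro with a step past the `'\r'` must now cope with buf resting on the terminator instead, otherwise the next read moves one byte beyond the string; those callers are outside the hunk and should be checked. A comment on the macro line, `/* stop at NUL as well: the buffer may lack a trailing <cr> */`, would record why the second test exists.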


@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Roopa Sattiraju <sattiraju@google.com>
Date: Wed, 25 May 2022 21:00:01 +0000
Subject: [PATCH] Removing bonded device when auth fails due to missing keys
Bug: 231161832
Test: Test against trying to connect using the same address
Change-Id: I2a23440303758faf281989abdb2a614708f05d36
Merged-In: I2a23440303758faf281989abdb2a614708f05d36
(cherry picked from commit 21df1076a4b9c1d1bbe3f5ecb475fe0b7c1b8c2a)
Merged-In: I2a23440303758faf281989abdb2a614708f05d36
---
btif/src/btif_dm.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c
index 3b6f2a744..8dfbae924 100644
--- a/btif/src/btif_dm.c
+++ b/btif/src/btif_dm.c
@@ -1387,7 +1387,6 @@ static void btif_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
break;
case HCI_ERR_PAIRING_NOT_ALLOWED:
- btif_storage_remove_bonded_device(&bd_addr);
status = BT_STATUS_AUTH_REJECTED;
break;
@@ -1398,7 +1397,6 @@ static void btif_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
/* map the auth failure codes, so we can retry pairing if necessary */
case HCI_ERR_AUTH_FAILURE:
case HCI_ERR_KEY_MISSING:
- btif_storage_remove_bonded_device(&bd_addr);
case HCI_ERR_HOST_REJECT_SECURITY:
case HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE:
case HCI_ERR_UNIT_KEY_USED:
@@ -1429,7 +1427,6 @@ static void btif_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
if (check_cod(&bd_addr, COD_HID_POINTING)) {
/* Remove Device as bonded in nvram as authentication failed */
BTIF_TRACE_DEBUG("%s(): removing hid pointing device from nvram", __FUNCTION__);
- btif_storage_remove_bonded_device(&bd_addr);
}
bond_state_changed(status, &bd_addr, state);
}


@ -0,0 +1,52 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chienyuan <chienyuanhuang@google.com>
Date: Wed, 30 Jan 2019 19:17:03 +0800
Subject: [PATCH] Fix OOB in BNEP_Write
Bug: 112050583
Test: PoC
Change-Id: I2ad3aceea38950b83f98819ede47538afb053ac0
(cherry picked from commit b31554e2a31534888c0eb593d915f735ce4670c7)
CRs-Fixed: 3155069
---
stack/bnep/bnep_api.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/stack/bnep/bnep_api.c b/stack/bnep/bnep_api.c
index 3e866d100..dc349299a 100644
--- a/stack/bnep/bnep_api.c
+++ b/stack/bnep/bnep_api.c
@@ -374,10 +374,16 @@ tBNEP_RESULT BNEP_WriteBuf (UINT16 handle,
/* Check MTU size */
if (p_buf->len > BNEP_MTU_SIZE)
{
- BNEP_TRACE_ERROR ("BNEP_Write() length %d exceeded MTU %d", p_buf->len, BNEP_MTU_SIZE);
+ BNEP_TRACE_ERROR ("%s length %d exceeded MTU %d", __func__, p_buf->len, BNEP_MTU_SIZE);
osi_free(p_buf);
return (BNEP_MTU_EXCEDED);
}
+ else if (p_buf->len < 2)
+ {
+ BNEP_TRACE_ERROR ("%s length %d too short, must be at least 2", __func__, p_buf->len);
+ osi_free(p_buf);
+ return BNEP_IGNORE_CMD;
+ }
/* Check if the packet should be filtered out */
p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
@@ -484,9 +490,14 @@ tBNEP_RESULT BNEP_Write (UINT16 handle,
/* Check MTU size. Consider the possibility of having extension headers */
if (len > BNEP_MTU_SIZE)
{
- BNEP_TRACE_ERROR ("BNEP_Write() length %d exceeded MTU %d", len, BNEP_MTU_SIZE);
+ BNEP_TRACE_ERROR ("%s length %d exceeded MTU %d", __func__, len, BNEP_MTU_SIZE);
return (BNEP_MTU_EXCEDED);
}
+ else if (len < 2)
+ {
+ BNEP_TRACE_ERROR ("%s length %d too short, must be at least 2", __func__, len);
+ return BNEP_IGNORE_CMD;
+ }
if ((!handle) || (handle > BNEP_MAX_CONNECTIONS))
return (BNEP_WRONG_HANDLE);
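Review bot: The two new branches reject payloads shorter than 2 bytes but neither says what those 2 bytes are, and BNEP_IGNORE_CMD is reused for what is a caller-side length error rather than an ignored peer command. A comment such as `/* need at least the 2-byte header before the filter check reads it */` (adjust if the minimum covers something else; the consuming code is outside the hunk) would explain the constant, and a single named minimum used in both functions would keep the checks in step. In BNEP_WriteBuf the short-length branch frees p_buf before returning, consistent with the MTU branch above it, while BNEP_Write takes a raw pointer and correctly frees nothing. Both functions start before the hunks.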


@ -0,0 +1,119 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chienyuan <chienyuanhuang@google.com>
Date: Tue, 12 Feb 2019 16:01:00 +0800
Subject: [PATCH] Fix OOB in bnep_is_packet_allowed
Bug: 112050983
Test: PoC
Change-Id: I5d331f46cdba86c8e61de206a2ede1d2b348d7e4
(cherry picked from commit 230f252b8a1a1073ec1a4081545b2ff62393d16d)
CRs-Fixed: 3155069
---
stack/bnep/bnep_api.c | 15 +++++++++++++--
stack/bnep/bnep_int.h | 2 +-
stack/bnep/bnep_utils.c | 13 ++++++++++++-
3 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/stack/bnep/bnep_api.c b/stack/bnep/bnep_api.c
index dc349299a..e1c9f2e3d 100644
--- a/stack/bnep/bnep_api.c
+++ b/stack/bnep/bnep_api.c
@@ -387,7 +387,8 @@ tBNEP_RESULT BNEP_WriteBuf (UINT16 handle,
/* Check if the packet should be filtered out */
p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
- if (bnep_is_packet_allowed (p_bcb, p_dest_addr, protocol, fw_ext_present, p_data) != BNEP_SUCCESS)
+ if (bnep_is_packet_allowed (p_bcb, p_dest_addr, protocol, fw_ext_present,
+ p_data, p_buf->len) != BNEP_SUCCESS)
{
/*
** If packet is filtered and ext headers are present
@@ -401,6 +402,11 @@ tBNEP_RESULT BNEP_WriteBuf (UINT16 handle,
org_len = p_buf->len;
new_len = 0;
do {
+ if ((new_len + 2) > org_len)
+ {
+ osi_free(p_buf);
+ return BNEP_IGNORE_CMD;
+ }
ext = *p_data++;
length = *p_data++;
@@ -505,7 +511,8 @@ tBNEP_RESULT BNEP_Write (UINT16 handle,
p_bcb = &(bnep_cb.bcb[handle - 1]);
/* Check if the packet should be filtered out */
- if (bnep_is_packet_allowed (p_bcb, p_dest_addr, protocol, fw_ext_present, p_data) != BNEP_SUCCESS)
+ if (bnep_is_packet_allowed (p_bcb, p_dest_addr, protocol, fw_ext_present,
+ p_data, len) != BNEP_SUCCESS)
{
/*
** If packet is filtered and ext headers are present
@@ -520,6 +527,10 @@ tBNEP_RESULT BNEP_Write (UINT16 handle,
new_len = 0;
p = p_data;
do {
+ if ((new_len + 2) > org_len)
+ {
+ return BNEP_IGNORE_CMD;
+ }
ext = *p_data++;
length = *p_data++;
diff --git a/stack/bnep/bnep_int.h b/stack/bnep/bnep_int.h
index 126be04fe..b10098122 100644
--- a/stack/bnep/bnep_int.h
+++ b/stack/bnep/bnep_int.h
@@ -236,7 +236,7 @@ extern UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UI
extern void bnep_sec_check_complete (BD_ADDR bd_addr, tBT_TRANSPORT trasnport,
void *p_ref_data, UINT8 result);
extern tBNEP_RESULT bnep_is_packet_allowed (tBNEP_CONN *p_bcb, BD_ADDR p_dest_addr, UINT16 protocol,
- BOOLEAN fw_ext_present, UINT8 *p_data);
+ BOOLEAN fw_ext_present, UINT8 *p_data, UINT16 org_len);
extern UINT32 bnep_get_uuid32 (tBT_UUID *src_uuid);
diff --git a/stack/bnep/bnep_utils.c b/stack/bnep/bnep_utils.c
index 65acd33f6..09f2d13c2 100644
--- a/stack/bnep/bnep_utils.c
+++ b/stack/bnep/bnep_utils.c
@@ -1336,7 +1336,7 @@ tBNEP_RESULT bnep_is_packet_allowed (tBNEP_CONN *p_bcb,
BD_ADDR p_dest_addr,
UINT16 protocol,
BOOLEAN fw_ext_present,
- UINT8 *p_data)
+ UINT8 *p_data, UINT16 org_len)
{
if (p_bcb->rcvd_num_filters)
{
@@ -1346,18 +1346,29 @@ tBNEP_RESULT bnep_is_packet_allowed (tBNEP_CONN *p_bcb,
proto = protocol;
if (proto == BNEP_802_1_P_PROTOCOL)
{
+ UINT16 new_len = 0;
if (fw_ext_present)
{
UINT8 len, ext;
/* parse the extension headers and findout actual protocol */
do {
+ if ((new_len + 2) > org_len)
+ {
+ return BNEP_IGNORE_CMD;
+ }
ext = *p_data++;
len = *p_data++;
p_data += len;
+ new_len += (len + 2);
+
} while (ext & 0x80);
}
+ if ((new_len + 4) > org_len)
+ {
+ return BNEP_IGNORE_CMD;
+ }
p_data += 2;
BE_STREAM_TO_UINT16 (proto, p_data);
}
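Review bot: The extension-header walk that this patch bounds is now duplicated in BNEP_WriteBuf, BNEP_Write and bnep_is_packet_allowed, each with its own `(new_len + 2) > org_len` guard, so a future change to the header format has three places to get wrong; one static helper that walks the headers against a length and returns the consumed count would let all three share a single check. In the bnep_utils.c loop, `p_data += len` advances the pointer before the bound for the next iteration is tested; new_len tracks the same offset so no read goes out of range, but a truncated packet still forms an out-of-range pointer, which `if ((new_len + 2 + len) > org_len) return BNEP_IGNORE_CMD;` placed right after reading len would avoid. The new `org_len` parameter in bnep_int.h is undocumented; a comment stating it is the number of bytes available at p_data would help callers. In the BNEP_Write hunk the assignment of org_len and the update of new_len are outside the hunk, so confirm new_len is advanced by len + 2 there as it is in bnep_utils.c.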


@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Venkata Jagadeesh Garaga <quic_vgaraga@quicinc.com>
Date: Tue, 22 Mar 2022 13:35:43 +0530
Subject: [PATCH] Fix OOB in reassemble_and_dispatch
Fix OOB while reading L2cap length in HCI pkt
Change-Id: I7f32b171e8c68b9724f95fcf2327959539e2d0d5
CRs-Fixed: 3155132
---
hci/src/packet_fragmenter.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hci/src/packet_fragmenter.c b/hci/src/packet_fragmenter.c
index f1d302238..b2ebefe0e 100644
--- a/hci/src/packet_fragmenter.c
+++ b/hci/src/packet_fragmenter.c
@@ -130,12 +130,10 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR *packet) {
if ((packet->event & MSG_EVT_MASK) == MSG_HC_TO_STACK_HCI_ACL) {
uint8_t *stream = packet->data;
uint16_t handle;
- uint16_t l2cap_length;
uint16_t acl_length;
STREAM_TO_UINT16(handle, stream);
STREAM_TO_UINT16(acl_length, stream);
- STREAM_TO_UINT16(l2cap_length, stream);
assert(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE);
@@ -166,6 +164,9 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR *packet) {
return;
}
+ uint16_t l2cap_length;
+ STREAM_TO_UINT16(l2cap_length, stream);
+
uint16_t full_length = l2cap_length + L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE;
// Check for buffer overflow and that the full packet size + BT_HDR size is less than