15.1 September ASB work

Signed-off-by: Tad <tad@spotco.us>

Patches/LineageOS-15.1/android_system_bt/365979.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Tue, 16 May 2023 21:24:07 +0000
+Subject: [PATCH] Fix an integer overflow bug in avdt_msg_asmbl
+
+This is a backport of
+Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
+to rvc-dev
+
+Bug: 280633699
+Test: manual
+Ignore-AOSP-First: security
+Tag: #security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:26347d4bdba646bbba4d27337d2888a04de42639)
+Merged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
+Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
+---
+ stack/avdt/avdt_msg.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
+index b6a952bcf..b5f512a03 100644
+--- a/stack/avdt/avdt_msg.cc
++++ b/stack/avdt/avdt_msg.cc
+@@ -1261,14 +1261,14 @@ BT_HDR* avdt_msg_asmbl(tAVDT_CCB* p_ccb, BT_HDR* p_buf) {
+        * NOTE: The buffer is allocated above at the beginning of the
+        * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE.
+        */
+-      uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
++      size_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
+ 
+       /* adjust offset and len of fragment for header byte */
+       p_buf->offset += AVDT_LEN_TYPE_CONT;
+       p_buf->len -= AVDT_LEN_TYPE_CONT;
+ 
+       /* verify length */
+-      if ((p_ccb->p_rx_msg->offset + p_buf->len) > buf_len) {
++      if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len) {
+         /* won't fit; free everything */
+         AVDT_TRACE_WARNING("%s: Fragmented message too big!", __func__);
+         osi_free_and_reset((void**)&p_ccb->p_rx_msg);

Patches/LineageOS-15.1/android_system_bt/365980.patch

@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Fri, 19 May 2023 19:17:16 +0000
+Subject: [PATCH] Fix integer overflow in build_read_multi_rsp
+
+Local variables tracking structure size in build_read_multi_rsp are of
+uint16 type but accept a full uint16 range from function arguments while
+appending a fixed-length offset.  This can lead to an integer overflow
+and unexpected behavior.
+
+Change the locals to size_t, and add a check during reasssignment.
+
+Bug: 273966636
+Test: atest bluetooth_test_gd_unit, net_test_stack_btm
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:53f64274cbf2268ad6db5af9c61ceead9ef64fb0)
+Merged-In: Iff252f0dd06aac9776e8548631e0b700b3ed85b9
+Change-Id: Iff252f0dd06aac9776e8548631e0b700b3ed85b9
+---
+ stack/gatt/gatt_sr.cc | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index f9e8f537f..1b9988739 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -111,7 +111,8 @@ void gatt_dequeue_sr_cmd(tGATT_TCB& tcb) {
+  ******************************************************************************/
+ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+                                    tGATTS_RSP* p_msg, uint16_t mtu) {
+-  uint16_t ii, total_len, len;
++  uint16_t ii;
++  size_t total_len, len;
+   uint8_t* p;
+   bool is_overflow = false;
+ 
+@@ -166,16 +167,22 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+             len = p_rsp->attr_value.len - (total_len - mtu);
+             is_overflow = true;
+             VLOG(1) << StringPrintf(
+-                "multi read overflow available len=%d val_len=%d", len,
++                "multi read overflow available len=%zu val_len=%d", len,
+                 p_rsp->attr_value.len);
+           } else {
+             len = p_rsp->attr_value.len;
+           }
+ 
+           if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
+-            memcpy(p, p_rsp->attr_value.value, len);
+-            if (!is_overflow) p += len;
+-            p_buf->len += len;
++            // check for possible integer overflow
++            if (p_buf->len + len <= UINT16_MAX) {
++              memcpy(p, p_rsp->attr_value.value, len);
++              if (!is_overflow) p += len;
++              p_buf->len += len;
++            } else {
++              p_cmd->status = GATT_NOT_FOUND;
++              break;
++            }
+           } else {
+             p_cmd->status = GATT_NOT_FOUND;
+             break;

Patches/LineageOS-15.1/android_system_bt/365981.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Thu, 27 Apr 2023 20:43:58 +0000
+Subject: [PATCH] Fix potential abort in btu_av_act.cc
+
+Partner analysis shows that bta_av_rc_msg does not respect handling
+established for a null browse packet, instead dispatching the null
+pointer to bta_av_rc_free_browse_msg.  Strictly speaking this does
+not cause a UAF, as osi_free_and_reset will find the null and abort,
+but it will lead to improper program termination.
+
+Handle the case instead.
+
+Bug: 269253349
+Test: atest bluetooth_test_gd_unit
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9)
+Merged-In: I4df7045798b663fbefd7434288dc9383216171a7
+Change-Id: I4df7045798b663fbefd7434288dc9383216171a7
+---
+ bta/av/bta_av_act.cc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
+index 541d68303..acd6f5281 100644
+--- a/bta/av/bta_av_act.cc
++++ b/bta/av/bta_av_act.cc
+@@ -1004,7 +1004,10 @@ void bta_av_rc_msg(tBTA_AV_CB* p_cb, tBTA_AV_DATA* p_data) {
+     av.remote_cmd.rc_handle = p_data->rc_msg.handle;
+     (*p_cb->p_cback)(evt, &av);
+     /* If browsing message, then free the browse message buffer */
+-    bta_av_rc_free_browse_msg(p_cb, p_data);
++    if (p_data->rc_msg.opcode == AVRC_OP_BROWSE &&
++        p_data->rc_msg.msg.browse.p_browse_pkt != NULL) {
++      bta_av_rc_free_browse_msg(p_cb, p_data);
++    }
+   }
+ }
+ 

Patches/LineageOS-15.1/android_system_bt/365982-backport.patch

@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Thu, 1 Jun 2023 23:57:58 +0000
+Subject: [PATCH] Fix UAF in gatt_cl.cc
+
+gatt_cl.cc accesses a header field after the buffer holding it may have
+been freed.
+
+Track the relevant state as a local variable instead.
+
+Bug: 274617156
+Test: atest: bluetooth, validated against fuzzer
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7a7f7f3311202065de4b2c17b49994053dd1244)
+Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
+Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
+---
+ stack/gatt/gatt_cl.cc | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
+index 014240888..305a54660 100644
+--- a/stack/gatt/gatt_cl.cc
++++ b/stack/gatt/gatt_cl.cc
+@@ -583,7 +583,12 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
+ 
+   memcpy(value.value, p, value.len);
+ 
+-  if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {
++  bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);
++
++  // We now know that we have not terminated, or else we would have returned
++  // early.  We free the buffer only if the subtype is not equal to
++  // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF.
++  if (subtype_is_write_prepare) {
+     p_clcb->status = GATT_SUCCESS;
+     /* application should verify handle offset
+        and value are matched or not */