Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2025-09-26 03:00:59 -04:00
Code Issues Projects Releases Packages Wiki Activity

17.1: August 2024 ASB work

Browse source 
Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
Tavi 2024-08-17 10:04:14 -04:00
parent c3555ebac2
commit 439af0cc9d
No known key found for this signature in database
GPG key ID: E599F62ECBAEAF2E
6 changed files with 262 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

60
Patches/LineageOS-17.1/android_system_bt/399742.patch Normal file
View file

@ -0,0 +1,60 @@
From 2c0deba7d780ae11d16fc675fc6aa9abba344fd7 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Mon, 22 Apr 2024 16:43:29 +0000
Subject: [PATCH] Fix heap-buffer overflow in sdp_utils.cc
Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with
an out of bounds comparison. Although the bug claims this is due to a
comparison of a uuid with a smaller data field thana the discovery
attribute, my research suggests that this instead stems from a
comparison of a 128 bit UUID with a discovery attribute of some other,
invalid size.
Add checks for discovery attribute size.
Bug: 287184435
Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:99210e2f251e2189c1eede15942c832e017404c2)
Merged-In: Ib536cbeac454efbf6af3d713c05c8e3e077e069b
Change-Id: Ib536cbeac454efbf6af3d713c05c8e3e077e069b
---
stack/sdp/sdp_utils.cc | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/stack/sdp/sdp_utils.cc b/stack/sdp/sdp_utils.cc
index f8cde2c34c5..9581dc72a77 100644
--- a/stack/sdp/sdp_utils.cc
+++ b/stack/sdp/sdp_utils.cc
@@ -949,8 +949,28 @@ bool sdpu_compare_uuid_arrays(uint8_t* p_uuid1, uint32_t len1, uint8_t* p_uuid2,
******************************************************************************/
bool sdpu_compare_uuid_with_attr(const Uuid& uuid, tSDP_DISC_ATTR* p_attr) {
int len = uuid.GetShortestRepresentationSize();
- if (len == 2) return uuid.As16Bit() == p_attr->attr_value.v.u16;
- if (len == 4) return uuid.As32Bit() == p_attr->attr_value.v.u32;
+ if (len == 2) {
+ if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == Uuid::kNumBytes16) {
+ return uuid.As16Bit() == p_attr->attr_value.v.u16;
+ } else {
+ LOG(ERROR) << "invalid length for discovery attribute";
+ return (false);
+ }
+ }
+ if (len == 4) {
+ if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == Uuid::kNumBytes32) {
+ return uuid.As32Bit() == p_attr->attr_value.v.u32;
+ } else {
+ LOG(ERROR) << "invalid length for discovery attribute";
+ return (false);
+ }
+ }
+
+ if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) != Uuid::kNumBytes128) {
+ LOG(ERROR) << "invalid length for discovery attribute";
+ return (false);
+ }
+
if (memcmp(uuid.To128BitBE().data(), (void*)p_attr->attr_value.v.array,
Uuid::kNumBytes128) == 0)
return (true);