17.1 March ASB work

Signed-off-by: Tad <tad@spotco.us>
2025-08-03 20:04:21 -04:00 · 2023-03-21 11:57:39 -04:00 · 2023-03-21 11:57:39 -04:00 · 44fa294eca
commit 44fa294eca
parent b4dbe27f23
23 changed files with 2023 additions and 8 deletions
--- a/Patches/LineageOS-17.1/android_system_bt/351443.patch
+++ b/Patches/LineageOS-17.1/android_system_bt/351443.patch
@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Wed, 28 Dec 2022 00:32:37 +0000
+Subject: [PATCH] Fix an OOB Write bug in gatt_check_write_long_terminate
+
+this is the backport of Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084
+
+Bug: 258652631
+Test: manual
+Tag: #security
+Ignore-AOSP-First: security
+Change-Id: Ic84122f07cbc198c676d366e39606621b7cb4e66
+(cherry picked from commit 9b17660bfd6f0f41cb9400ce0236d76c83605e03)
+Merged-In: Ic84122f07cbc198c676d366e39606621b7cb4e66
+---
+ stack/gatt/gatt_cl.cc | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
+index 3115317da..db41c5f9f 100644
+--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
+@@ -572,7 +572,8 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
+   LOG(ERROR) << StringPrintf("value resp op_code = %s len = %d",
+                              gatt_dbg_op_name(op_code), len);
+ 
+-  if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
+  if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
+      len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
+     LOG(ERROR) << "illegal prepare write response length, discard";
+     gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
+     return;
+@@ -581,7 +582,7 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
+   STREAM_TO_UINT16(value.handle, p);
+   STREAM_TO_UINT16(value.offset, p);
+ 
+-  value.len = len - 4;
+  value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
+ 
+   memcpy(value.value, p, value.len);
+ 
--- a/Patches/LineageOS-17.1/android_system_bt/351444.patch
+++ b/Patches/LineageOS-17.1/android_system_bt/351444.patch
@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Mon, 2 Jan 2023 22:05:45 +0000
+Subject: [PATCH] Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
+
+In  A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the
+`-=` operation on it may result in integer underflow and
+OOB write with the computed pointer passed to
+A2DP_BuildMediaPayloadHeaderSbc.
+
+This is a backport of I45320085b1e458d3b0e0d86162a35aaaae7b34cb
+Test: atest net_test_stack_a2dp_codecs_native
+Ignore-AOSP-First: security
+Tag:#security
+
+Bug: 186803518
+Change-Id: I4ff1a1de71884b8de23008b2569fdea3650e85ec
+(cherry picked from commit a710300216be4a86373a65c6a685aeef8509cfa7)
+Merged-In: I4ff1a1de71884b8de23008b2569fdea3650e85ec
+---
+ stack/a2dp/a2dp_sbc.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/stack/a2dp/a2dp_sbc.cc b/stack/a2dp/a2dp_sbc.cc
+index 4c48993c4..5036eec2e 100644
+--- a/stack/a2dp/a2dp_sbc.cc
+++ b/stack/a2dp/a2dp_sbc.cc
+@@ -704,6 +704,11 @@ bool A2DP_BuildCodecHeaderSbc(UNUSED_ATTR const uint8_t* p_codec_info,
+                               BT_HDR* p_buf, uint16_t frames_per_packet) {
+   uint8_t* p;
+ 
+  // there is a timestamp right following p_buf
+  if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) {
+    return false;
+  }
+
+   p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;
+   p = (uint8_t*)(p_buf + 1) + p_buf->offset;
+   p_buf->len += A2DP_SBC_MPL_HDR_LEN;
--- a/Patches/LineageOS-17.1/android_system_bt/351445.patch
+++ b/Patches/LineageOS-17.1/android_system_bt/351445.patch
@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Wed, 4 Jan 2023 22:45:13 +0000
+Subject: [PATCH] Fix an OOB write in SDP_AddAttribute
+
+When the `attr_pad` becomes full, it is possible
+that un index of `-1` is computed write
+a zero byte to `p_val`, rusulting OOB write.
+
+```
+  p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\0';
+```
+
+This is a backport of I937d22a2df26fca1d7f06b10182c4e713ddfed1b
+
+Bug: 261867748
+Test: manual
+Tag: #security
+Ignore-AOSP-First: security
+Change-Id: Ibdda754e628cfc9d1706c14db114919a15d8d6b1
+(cherry picked from commit cc527a97f78a2999a0156a579e488afe9e3675b2)
+Merged-In: Ibdda754e628cfc9d1706c14db114919a15d8d6b1
+---
+ stack/sdp/sdp_db.cc | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/stack/sdp/sdp_db.cc b/stack/sdp/sdp_db.cc
+index ea5b84d23..4130ae71a 100644
+--- a/stack/sdp/sdp_db.cc
+++ b/stack/sdp/sdp_db.cc
+@@ -362,6 +362,11 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
+   uint16_t xx, yy, zz;
+   tSDP_RECORD* p_rec = &sdp_cb.server_db.record[0];
+ 
+  if (p_val == nullptr) {
+    SDP_TRACE_WARNING("Trying to add attribute with p_val == nullptr, skipped");
+    return (false);
+  }
+
+   if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG) {
+     if ((attr_type == UINT_DESC_TYPE) ||
+         (attr_type == TWO_COMP_INT_DESC_TYPE) ||
+@@ -398,6 +403,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
+     if (p_rec->record_handle == handle) {
+       tSDP_ATTRIBUTE* p_attr = &p_rec->attribute[0];
+ 
+      // error out early, no need to look up
+      if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) {
+        SDP_TRACE_ERROR("the free pad for SDP record with handle %d is "
+                        "full, skip adding the attribute", handle);
+        return (false);
+      }
+
+       /* Found the record. Now, see if the attribute already exists */
+       for (xx = 0; xx < p_rec->num_attributes; xx++, p_attr++) {
+         /* The attribute exists. replace it */
+@@ -437,15 +449,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
+           attr_len = 0;
+       }
+ 
+-      if ((attr_len > 0) && (p_val != 0)) {
+      if (attr_len > 0) {
+         p_attr->len = attr_len;
+         memcpy(&p_rec->attr_pad[p_rec->free_pad_ptr], p_val, (size_t)attr_len);
+         p_attr->value_ptr = &p_rec->attr_pad[p_rec->free_pad_ptr];
+         p_rec->free_pad_ptr += attr_len;
+-      } else if ((attr_len == 0 &&
+-                  p_attr->len !=
+-                      0) || /* if truncate to 0 length, simply don't add */
+-                 p_val == 0) {
+      } else if (attr_len == 0 && p_attr->len != 0) {
+        /* if truncate to 0 length, simply don't add */
+         SDP_TRACE_ERROR(
+             "SDP_AddAttribute fail, length exceed maximum: ID %d: attr_len:%d ",
+             attr_id, attr_len);