14.1: January ASB Picks
Signed-off-by: Tavi <tavi@divested.dev>
parent
fac5f2568f
commit
533749cffd
BIN
Misc/pubring.kbx
@ -1296,7 +1296,7 @@
|
||||
<apn carrier="Sprint LTE internet" mcc="310" mnc="120" apn="n.ispsn" type="default,mms,supl,hipri,dun" mmsc="http://mms.sprintpcs.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" bearer="14" />
|
||||
<apn carrier="Sprint EHRPD internet" mcc="310" mnc="120" apn="n.ispsn" type="default,mms,supl,hipri" mmsc="http://mms.sprintpcs.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" bearer="13" />
|
||||
<apn carrier="Sprint internet" mcc="310" mnc="120" apn="n.ispsn" type="mms,supl,hipri" mmsc="http://mms.sprintpcs.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" />
|
||||
<apn carrier="Boost" mcc="310" mnc="120" apn="cinet.spcs" type="supl,mms,dun,fota" mmsc="http://mm.myboostmobile.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" />
|
||||
<apn carrier="Boost Mobile" mcc="310" mnc="410" apn="ereseller" mmsc="http://mmsc.mobile.att.net" mmsproxy="proxy.mobile.att.net" mmsport="80" type="default,mms,supl,fota,xcap" protocol="IPV4V6" roaming_protocol="IPV4V6" mvno_match_data="3432" mvno_type="gid" />
|
||||
<apn carrier="Credo Mobile" mcc="310" mnc="120" apn="n.w1.ispsn" type="mms" mmsc="http://mms.plspictures.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" />
|
||||
<apn carrier="Ting" mcc="310" mnc="120" apn="n.t8.ispsn" type="default,supl,mms" mmsc="http://mms.plspictures.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" />
|
||||
<apn carrier="Ringplus" mcc="310" mnc="120" apn="n.r5.ispsn" type="supl,mms" mmsc="http://mms.plspictures.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" />
|
||||
@ -1630,7 +1630,6 @@
|
||||
<apn carrier="MetroPCS IMS" mcc="311" mnc="660" apn="ims.metropcs" user="" password="" type="ims" authtype="0" mmsc="http://mms.metropcs.net:3128/mmsc" protocol="IP" roaming_protocol="IP" bearer="14" />
|
||||
<apn carrier="ATT WAP" mcc="311" mnc="680" apn="wap.cingular" proxy="wireless.cingular.com" port="80" mmsc="http://mmsc.cingular.com" mmsproxy="wireless.cingular.com" mmsport="80" type="default,mms" />
|
||||
<apn carrier="ATT Broadband" mcc="311" mnc="680" apn="Broadband" type="default,supl" />
|
||||
<apn carrier="Boost Mobile CdmaNai" mcc="311" mnc="870" apn="CdmaNai" mmsproxy="68.28.31.7" mmsport="80" mmsc="http://mm.myboostmobile.com" type="mms" carrier_enabled="false" protocol="IPV4V6" roaming_protocol="IPV4V6" bearer="6" />
|
||||
<apn carrier="ATT WAP" mcc="311" mnc="980" apn="wap.cingular" proxy="wireless.cingular.com" port="80" mmsc="http://mmsc.cingular.com" mmsproxy="wireless.cingular.com" mmsport="80" type="default,mms" />
|
||||
<apn carrier="ATT Broadband" mcc="311" mnc="980" apn="Broadband" type="default,supl" />
|
||||
<apn carrier="Sprint CdmaNai" mcc="312" mnc="530" apn="CdmaNai" mmsproxy="68.28.31.7" mmsport="80" mmsc="http://mms.sprintpcs.com" type="mms" carrier_enabled="false" protocol="IPV4V6" roaming_protocol="IPV4V6" bearer="6" />
|
||||
|
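--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_base/378954.patch
@@ -0,0 +1,94 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tetiana Meronyk <tetianameronyk@google.com>
+Date: Mon, 9 Oct 2023 20:57:11 +0000
+Subject: [PATCH] Truncate user data to a limit of 500 characters
+
+Fix vulnerability that allows creating users with no restrictions. This is done by creating an intent to create a user and putting extras that are too long to be serialized. It causes IOException and the restrictions are not written in the file.
+
+By truncating the string values when writing them to the file, we ensure that the exception does not happen and it can be recorded correctly.
+
+Bug: 293602317
+Test: install app provided in the bug, open app and click add. Check logcat to see there is no more IOException. Reboot the device by either opening User details page or running adb shell dumpsys user | grep -A12 heen and see that the restrictions are in place.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:46caac641941f2e8865a8d53400f959b3bd98d88)
+Merged-In: Ia71477601d036a3ca55e73cdc9698ae268a30f20
+Change-Id: Ia71477601d036a3ca55e73cdc9698ae268a30f20
+---
+.../android/server/pm/UserManagerService.java | 24 ++++++++++++++-----
+1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
+index cea22bbe46f4..d19a95a5e229 100644
+--- a/services/core/java/com/android/server/pm/UserManagerService.java
++++ b/services/core/java/com/android/server/pm/UserManagerService.java
+@@ -188,6 +188,8 @@ public class UserManagerService extends IUserManager.Stub {
+
+private static final int USER_VERSION = 6;
+
++ private static final int MAX_USER_STRING_LENGTH = 500;
++
+private static final long EPOCH_PLUS_30_YEARS = 30L * 365 * 24 * 60 * 60 * 1000L; // ms
+
+// Maximum number of managed profiles permitted per user is 1. This cannot be increased
+@@ -1921,15 +1923,17 @@ public class UserManagerService extends IUserManager.Stub {
+// Write seed data
+if (userData.persistSeedData) {
+if (userData.seedAccountName != null) {
+- serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME, userData.seedAccountName);
++ serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME,
++ truncateString(userData.seedAccountName));
+}
+if (userData.seedAccountType != null) {
+- serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE, userData.seedAccountType);
++ serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE,
++ truncateString(userData.seedAccountType));
+}
+}
+if (userInfo.name != null) {
+serializer.startTag(null, TAG_NAME);
+- serializer.text(userInfo.name);
++ serializer.text(truncateString(userInfo.name));
+serializer.endTag(null, TAG_NAME);
+}
+synchronized (mRestrictionsLock) {
+@@ -1961,6 +1965,13 @@ public class UserManagerService extends IUserManager.Stub {
+}
+}
+
++ private String truncateString(String original) {
++ if (original == null || original.length() <= MAX_USER_STRING_LENGTH) {
++ return original;
++ }
++ return original.substring(0, MAX_USER_STRING_LENGTH);
++ }
++
+/*
+* Writes the user list file in this format:
+*
+@@ -2219,6 +2230,7 @@ public class UserManagerService extends IUserManager.Stub {
+if (ActivityManager.isLowRamDeviceStatic()) {
+return null;
+}
++ String truncatedName = truncateString(name);
+final boolean isGuest = (flags & UserInfo.FLAG_GUEST) != 0;
+final boolean isManagedProfile = (flags & UserInfo.FLAG_MANAGED_PROFILE) != 0;
+final boolean isRestricted = (flags & UserInfo.FLAG_RESTRICTED) != 0;
+@@ -2297,7 +2309,7 @@ public class UserManagerService extends IUserManager.Stub {
+flags |= UserInfo.FLAG_EPHEMERAL;
+}
+
+- userInfo = new UserInfo(userId, name, null, flags);
++ userInfo = new UserInfo(userId, truncatedName, null, flags);
+userInfo.serialNumber = mNextSerialNumber++;
+long now = System.currentTimeMillis();
+userInfo.creationTime = (now > EPOCH_PLUS_30_YEARS) ? now : 0;
+@@ -3095,8 +3107,8 @@ public class UserManagerService extends IUserManager.Stub {
+Slog.e(LOG_TAG, "No such user for settings seed data u=" + userId);
+return;
+}
+- userData.seedAccountName = accountName;
+- userData.seedAccountType = accountType;
++ userData.seedAccountName = truncateString(accountName);
++ userData.seedAccountType = truncateString(accountType);
+userData.seedAccountOptions = accountOptions;
+userData.persistSeedData = persist;
+}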
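Review bot: `truncateString` in the `@@ -1961` hunk cuts at a fixed `char` index, so a value whose 500th and 501st chars form a surrogate pair is returned ending in a lone high surrogate; whether the serializer used on the write path accepts an unpaired surrogate is not visible here, and if it does not, the IOException this patch is meant to prevent would reappear for exactly that input. Ending one char earlier in that case avoids it: `int end = MAX_USER_STRING_LENGTH; if (Character.isHighSurrogate(original.charAt(end - 1))) end--; return original.substring(0, end);`. A one-line Javadoc on the helper stating that it bounds persisted user strings to `MAX_USER_STRING_LENGTH` chars and passes `null` through would also help. `seedAccountOptions` in the `@@ -3095` hunk is still stored untruncated; if that bundle is serialized into the same file (not shown in these hunks), it would seem to leave a remaining path to the same failure. The methods containing the `@@ -1921`, `@@ -2219` and `@@ -3095` hunks start outside those hunks.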
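--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_base/378955.patch
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Will Leshner <wleshner@google.com>
+Date: Tue, 31 Oct 2023 13:23:08 -0700
+Subject: [PATCH] Fix vulnerability that allowed attackers to start arbitary
+activities
+
+Test: Flashed device and verified dream settings works as expected
+Test: Installed APK from bug and verified the dream didn't allow
+launching the inappropriate settings activity.
+Fixes: 300090204
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14)
+Merged-In: I573040df84bf98a493b39f96c8581e4303206bac
+Change-Id: I573040df84bf98a493b39f96c8581e4303206bac
+---
+.../com/android/settingslib/dream/DreamBackend.java | 12 +++++++++++-
+1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+index e5cdc85a48d9..6dae681c92df 100644
+--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
++++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+@@ -274,7 +274,17 @@ public class DreamBackend {
+if (cn != null && cn.indexOf('/') < 0) {
+cn = resolveInfo.serviceInfo.packageName + "/" + cn;
+}
+- return cn == null ? null : ComponentName.unflattenFromString(cn);
++ // Ensure that the component is from the same package as the dream service. If not,
++ // treat the component as invalid and return null instead.
++ final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
++ if (result != null
++ && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
++ Log.w(TAG,
++ "Inconsistent package name in component: " + result.getPackageName()
++ + ", should be: " + resolveInfo.serviceInfo.packageName);
++ return null;
++ }
++ return result;
+}
+
+private static void logd(String msg, Object... args) {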
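Review bot: The same-package rule in the `@@ -274` hunk changes the method's return contract — a settings activity declared outside the dream service's package now comes back as `null` — but nothing in the hunk documents that, and the method's signature and any Javadoc begin outside the hunk. A `@return` clause along the lines of `the dream's settings activity, or {@code null} if none is declared, the value is malformed, or it is not in the dream service's package` would tell callers why a configured component can legitimately be absent. The `result != null` guard is also carrying the malformed-string case, since `ComponentName.unflattenFromString` returns `null` when it cannot parse its input; a short comment on the `final ComponentName result = ...` line saying so would save the next reader a lookup.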
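--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_base/378956.patch
@@ -0,0 +1,69 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jing Ji <jji@google.com>
+Date: Thu, 19 Oct 2023 14:22:58 -0700
+Subject: [PATCH] DO NOT MERGE: Fix ActivityManager#killBackgroundProcesses
+permissions
+
+In the pevious CL, we incorrectly added the permission check in the
+killBackgroundProcessesExcept. Now fix this issue.
+
+Bug: 239423414
+Bug: 223376078
+Test: atest CtsAppTestCases:ActivityManagerTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140fce861944419a375c669010c6c47cd7ff5b37)
+Merged-In: I9471a77188ee63ec32cd0c81569193e4ccad885b
+Change-Id: I9471a77188ee63ec32cd0c81569193e4ccad885b
+---
+.../server/am/ActivityManagerService.java | 32 +++++++++----------
+1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 406e08009cb7..2e6e7fa15d0f 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -5868,6 +5868,22 @@ public final class ActivityManagerService extends ActivityManagerNative
+throw new SecurityException(msg);
+}
+
++ final int callingUid = Binder.getCallingUid();
++ final int callingPid = Binder.getCallingPid();
++
++ ProcessRecord proc;
++ synchronized (mPidsSelfLocked) {
++ proc = mPidsSelfLocked.get(callingPid);
++ }
++ if (callingUid >= Process.FIRST_APPLICATION_UID
++ && (proc == null || !proc.info.isSystemApp())) {
++ final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
++ + callingPid + ", uid=" + callingUid + " is not allowed";
++ Slog.w(TAG, msg);
++ // Silently return to avoid existing apps from crashing.
++ return;
++ }
++
+final long callingId = Binder.clearCallingIdentity();
+try {
+synchronized (this) {
+@@ -5925,22 +5941,6 @@ public final class ActivityManagerService extends ActivityManagerNative
+throw new SecurityException(msg);
+}
+
+- final int callingUid = Binder.getCallingUid();
+- final int callingPid = Binder.getCallingPid();
+-
+- ProcessRecord proc;
+- synchronized (mPidsSelfLocked) {
+- proc = mPidsSelfLocked.get(callingPid);
+- }
+- if (callingUid >= Process.FIRST_APPLICATION_UID
+- && (proc == null || !proc.info.isSystemApp())) {
+- final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
+- + callingPid + ", uid=" + callingUid + " is not allowed";
+- Slog.w(TAG, msg);
+- // Silently return to avoid existing apps from crashing.
+- return;
+- }
+-
+final long callingId = Binder.clearCallingIdentity();
+try {
+synchronized (this) {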
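Review bot: The block added in the `@@ -5868` hunk denies with `Slog.w` plus a bare `return`, while the permission check just above it (the `throw new SecurityException(msg);` context line) rejects by throwing; the inline comment gives the reason for not throwing but not that the difference is intentional, so a later cleanup could "harmonise" the two and start crashing those callers. Making it explicit protects the decision, e.g. `// Deliberately not a SecurityException, unlike the permission check above: apps that pass that check and reach here must not crash.`. The `proc == null` arm denies a caller whose pid is not tracked in `mPidsSelfLocked`, which is the fail-closed direction; naming that in the same comment would make the intent clear rather than looking like an accidental null guard. The enclosing method begins outside the hunk, and the `@@ -5925` hunk is the pure removal of the same block from its previous location.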
@ -49,7 +49,7 @@ index 60820c2c0..89963dc30 100644
|
||||
readable = true;
|
||||
return future_new_immediate(FUTURE_SUCCESS);
|
||||
diff --git a/stack/btu/btu_hcif.c b/stack/btu/btu_hcif.c
|
||||
index eacf145bf..616d6d581 100644
|
||||
index 6a219b4c7..1d2ea45b3 100644
|
||||
--- a/stack/btu/btu_hcif.c
|
||||
+++ b/stack/btu/btu_hcif.c
|
||||
@@ -606,7 +606,7 @@ static void btu_hcif_rmt_name_request_comp_evt (UINT8 *p, UINT16 evt_len)
|
||||
@ -121,7 +121,7 @@ index eacf145bf..616d6d581 100644
|
||||
+#endif
|
||||
}
|
||||
|
||||
static void btu_ble_process_adv_pkt (UINT8 *p)
|
||||
static void btu_ble_ll_conn_complete_evt ( UINT8 *p, UINT16 evt_len)
|
||||
diff --git a/stack/hcic/hcicmds.c b/stack/hcic/hcicmds.c
|
||||
index ba1f6d4fe..233306759 100644
|
||||
--- a/stack/hcic/hcicmds.c
|
||||
|
8641
Patches/LineageOS-14.1/android_system_bt/378957.patch
Normal file
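--- /dev/null
+++ b/Patches/LineageOS-14.1/android_system_bt/378958.patch
@@ -0,0 +1,341 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakub Pawlowski <jpawlowski@google.com>
+Date: Tue, 6 Dec 2016 15:40:58 -0800
+Subject: [PATCH] Simplify btm_ble_resolve_random_addr
+
+Bug: 30622771
+Test: manual testing
+Change-Id: I604d0e909a6fe270e2b413abbdb497d622780261
+---
+stack/btm/btm_ble.c | 119 ++++++++++++---------------------------
+stack/btm/btm_ble_addr.c | 41 ++++++--------
+stack/btm/btm_ble_gap.c | 66 ++++++----------------
+stack/btm/btm_ble_int.h | 3 +-
+4 files changed, 74 insertions(+), 155 deletions(-)
+
+diff --git a/stack/btm/btm_ble.c b/stack/btm/btm_ble.c
+index c6e699d49..69a497454 100644
+--- a/stack/btm/btm_ble.c
++++ b/stack/btm/btm_ble.c
+@@ -1800,69 +1800,6 @@ UINT8 btm_ble_br_keys_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data)
+return callback_rc;
+}
+
+-#if (BLE_PRIVACY_SPT == TRUE )
+-/*******************************************************************************
+-**
+-** Function btm_ble_resolve_random_addr_on_conn_cmpl
+-**
+-** Description resolve random address complete on connection complete event.
+-**
+-** Returns void
+-**
+-*******************************************************************************/
+-static void btm_ble_resolve_random_addr_on_conn_cmpl(void * p_rec, void *p_data)
+-{
+- UINT8 *p = (UINT8 *)p_data;
+- tBTM_SEC_DEV_REC *match_rec = (tBTM_SEC_DEV_REC *) p_rec;
+- UINT8 role, bda_type;
+- UINT16 handle;
+- BD_ADDR bda;
+- UINT16 conn_interval, conn_latency, conn_timeout;
+- BOOLEAN match = FALSE;
+-
+- ++p;
+- STREAM_TO_UINT16 (handle, p);
+- STREAM_TO_UINT8 (role, p);
+- STREAM_TO_UINT8 (bda_type, p);
+- STREAM_TO_BDADDR (bda, p);
+- STREAM_TO_UINT16 (conn_interval, p);
+- STREAM_TO_UINT16 (conn_latency, p);
+- STREAM_TO_UINT16 (conn_timeout, p);
+-
+- handle = HCID_GET_HANDLE (handle);
+-
+- BTM_TRACE_EVENT ("%s", __func__);
+-
+- if (match_rec)
+- {
+- LOG_INFO(LOG_TAG, "%s matched and resolved random address", __func__);
+- match = TRUE;
+- match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
+- memcpy(match_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
+- if (!btm_ble_init_pseudo_addr (match_rec, bda))
+- {
+- /* assign the original address to be the current report address */
+- memcpy(bda, match_rec->ble.pseudo_addr, BD_ADDR_LEN);
+- }
+- else
+- {
+- memcpy(bda, match_rec->bd_addr, BD_ADDR_LEN);
+- }
+- }
+- else
+- {
+- LOG_INFO(LOG_TAG, "%s unable to match and resolve random address", __func__);
+- }
+-
+- btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
+-
+- l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
+- conn_latency, conn_timeout);
+-
+- return;
+-}
+-#endif
+-
+/*******************************************************************************
+**
+** Function btm_ble_connected
+@@ -1946,7 +1883,7 @@ void btm_ble_connected (UINT8 *bda, UINT16 handle, UINT8 enc_mode, UINT8 role,
+void btm_ble_conn_complete(UINT8 *p, UINT16 evt_len, BOOLEAN enhanced)
+{
+#if (BLE_PRIVACY_SPT == TRUE )
+- UINT8 *p_data = p, peer_addr_type;
++ UINT8 peer_addr_type;
+BD_ADDR local_rpa, peer_rpa;
+#endif
+UINT8 role, status, bda_type;
+@@ -1974,35 +1911,53 @@ void btm_ble_conn_complete(UINT8 *p, UINT16 evt_len, BOOLEAN enhanced)
+STREAM_TO_BDADDR (peer_rpa, p);
+}
+
++ STREAM_TO_UINT16(conn_interval, p);
++ STREAM_TO_UINT16(conn_latency, p);
++ STREAM_TO_UINT16(conn_timeout, p);
++ handle = HCID_GET_HANDLE(handle);
++
+/* possiblly receive connection complete with resolvable random while
+the device has been paired */
+if (!match && BTM_BLE_IS_RESOLVE_BDA(bda))
+{
+- btm_ble_resolve_random_addr(bda, btm_ble_resolve_random_addr_on_conn_cmpl, p_data);
++ tBTM_SEC_DEV_REC* match_rec = btm_ble_resolve_random_addr(bda);
++ if (match_rec)
++ {
++ LOG_INFO(LOG_TAG, "%s matched and resolved random address", __func__);
++ match = true;
++ match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
++ memcpy(match_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
++ if (!btm_ble_init_pseudo_addr(match_rec, bda))
++ {
++ /* assign the original address to be the current report address */
++ memcpy(bda, match_rec->ble.pseudo_addr, BD_ADDR_LEN);
++ }
++ else
++ {
++ memcpy(bda, match_rec->bd_addr, BD_ADDR_LEN);
++ }
++ }
++ else
++ {
++ LOG_INFO(LOG_TAG, "%s unable to match and resolve random address",
++ __func__);
++ }
+}
+- else
+#endif
+- {
+- STREAM_TO_UINT16 (conn_interval, p);
+- STREAM_TO_UINT16 (conn_latency, p);
+- STREAM_TO_UINT16 (conn_timeout, p);
+- handle = HCID_GET_HANDLE (handle);
++ btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
+
+- btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
+-
+- l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
+- conn_latency, conn_timeout);
++ l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
++ conn_latency, conn_timeout);
+
+#if (BLE_PRIVACY_SPT == TRUE)
+- if (enhanced)
+- {
+- btm_ble_refresh_local_resolvable_private_addr(bda, local_rpa);
++ if (enhanced)
++ {
++ btm_ble_refresh_local_resolvable_private_addr(bda, local_rpa);
+
+- if (peer_addr_type & BLE_ADDR_TYPE_ID_BIT)
+- btm_ble_refresh_peer_resolvable_private_addr(bda, peer_rpa, BLE_ADDR_RANDOM);
+- }
+-#endif
++ if (peer_addr_type & BLE_ADDR_TYPE_ID_BIT)
++ btm_ble_refresh_peer_resolvable_private_addr(bda, peer_rpa, BLE_ADDR_RANDOM);
+}
++#endif
+}
+else
+{
+diff --git a/stack/btm/btm_ble_addr.c b/stack/btm/btm_ble_addr.c
+index 81fff5349..b389aae5c 100644
+--- a/stack/btm/btm_ble_addr.c
++++ b/stack/btm/btm_ble_addr.c
+@@ -318,13 +318,13 @@ BOOLEAN btm_ble_addr_resolvable (BD_ADDR rpa, tBTM_SEC_DEV_REC *p_dev_rec)
+static BOOLEAN btm_ble_match_random_bda(void *data, void *context)
+{
+#if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
++ UINT8 *random_bda = (uint8_t*)context;
+/* use the 3 MSB of bd address as prand */
+
+- tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
+UINT8 rand[3];
+- rand[0] = p_mgnt_cb->random_bda[2];
+- rand[1] = p_mgnt_cb->random_bda[1];
+- rand[2] = p_mgnt_cb->random_bda[0];
++ rand[0] = random_bda[2];
++ rand[1] = random_bda[1];
++ rand[2] = random_bda[0];
+
+BTM_TRACE_EVENT("%s next iteration", __func__);
+
+@@ -356,28 +356,21 @@ static BOOLEAN btm_ble_match_random_bda(void *data, void *context)
+** address is matched to.
+**
+*******************************************************************************/
+-void btm_ble_resolve_random_addr(BD_ADDR random_bda, tBTM_BLE_RESOLVE_CBACK * p_cback, void *p)
++tBTM_SEC_DEV_REC* btm_ble_resolve_random_addr(BD_ADDR random_bda)
+{
+- tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
+-
+BTM_TRACE_EVENT("%s", __func__);
+- if ( !p_mgnt_cb->busy) {
+- p_mgnt_cb->p = p;
+- p_mgnt_cb->busy = TRUE;
+- memcpy(p_mgnt_cb->random_bda, random_bda, BD_ADDR_LEN);
+- /* start to resolve random address */
+- /* check for next security record */
+-
+- list_node_t * n = list_foreach(btm_cb.sec_dev_rec, btm_ble_match_random_bda, NULL);
+- tBTM_SEC_DEV_REC *p_dev_rec = n ? list_node(n) : NULL;
+-
+- BTM_TRACE_EVENT("%s: %sresolved", __func__, (p_dev_rec == NULL ? "not " : ""));
+- p_mgnt_cb->busy = FALSE;
+-
+- (*p_cback)(p_dev_rec, p);
+- } else {
+- (*p_cback)(NULL, p);
+- }
++
++ /* start to resolve random address */
++ /* check for next security record */
++
++ list_node_t* n =
++ list_foreach(btm_cb.sec_dev_rec, btm_ble_match_random_bda, random_bda);
++ tBTM_SEC_DEV_REC* p_dev_rec = NULL;
++ if (n != NULL) p_dev_rec = (tBTM_SEC_DEV_REC*)list_node(n);
++
++ BTM_TRACE_EVENT("%s: %sresolved", __func__,
++ (p_dev_rec == NULL ? "not " : ""));
++ return p_dev_rec;
+}
+#endif
+
+diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
+index f8c06342f..fe8ee6d27 100644
+--- a/stack/btm/btm_ble_gap.c
++++ b/stack/btm/btm_ble_gap.c
+@@ -729,51 +729,6 @@ extern UINT8 BTM_BleMaxMultiAdvInstanceCount(void)
+btm_cb.cmn_ble_vsc_cb.adv_inst_max : BTM_BLE_MULTI_ADV_MAX;
+}
+
+-#if BLE_PRIVACY_SPT == TRUE
+-/*******************************************************************************
+-**
+-** Function btm_ble_resolve_random_addr_on_adv
+-**
+-** Description resolve random address complete callback.
+-**
+-** Returns void
+-**
+-*******************************************************************************/
+-static void btm_ble_resolve_random_addr_on_adv(void * p_rec, void *p)
+-{
+- tBTM_SEC_DEV_REC *match_rec = (tBTM_SEC_DEV_REC *) p_rec;
+- UINT8 addr_type = BLE_ADDR_RANDOM;
+- BD_ADDR bda;
+- UINT8 *pp = (UINT8 *)p + 1;
+- UINT8 evt_type;
+-
+- BTM_TRACE_EVENT ("btm_ble_resolve_random_addr_on_adv ");
+-
+- STREAM_TO_UINT8 (evt_type, pp);
+- STREAM_TO_UINT8 (addr_type, pp);
+- STREAM_TO_BDADDR (bda, pp);
+-
+- if (match_rec)
+- {
+- BTM_TRACE_DEBUG("Random match");
+- match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
+- memcpy(match_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
+-
+- if (btm_ble_init_pseudo_addr(match_rec, bda))
+- {
+- memcpy(bda, match_rec->bd_addr, BD_ADDR_LEN);
+- } else {
+- // Assign the original address to be the current report address
+- memcpy(bda, match_rec->ble.pseudo_addr, BD_ADDR_LEN);
+- }
+- }
+-
+- btm_ble_process_adv_pkt_cont(bda, addr_type, evt_type, pp);
+-
+- return;
+-}
+-#endif
+-
+/*******************************************************************************
+**
+** Function BTM_BleLocalPrivacyEnabled
+@@ -2766,11 +2721,26 @@ void btm_ble_process_adv_pkt (UINT8 *p_data)
+/* always do RRA resolution on host */
+if (!match && BTM_BLE_IS_RESOLVE_BDA(bda))
+{
+- btm_ble_resolve_random_addr(bda, btm_ble_resolve_random_addr_on_adv, p_data);
++ tBTM_SEC_DEV_REC* match_rec = btm_ble_resolve_random_addr(bda);
++ if (match_rec)
++ {
++ BTM_TRACE_DEBUG("Random match");
++ match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
++ memcpy(match_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
++
++ if (btm_ble_init_pseudo_addr(match_rec, bda))
++ {
++ memcpy(bda, match_rec->bd_addr, BD_ADDR_LEN);
++ }
++ else
++ {
++ // Assign the original address to be the current report address
++ memcpy(bda, match_rec->ble.pseudo_addr, BD_ADDR_LEN);
++ }
++ }
+}
+- else
+#endif
+- btm_ble_process_adv_pkt_cont(bda, addr_type, evt_type, p);
++ btm_ble_process_adv_pkt_cont(bda, addr_type, evt_type, p);
+
+STREAM_TO_UINT8(data_len, p);
+
+diff --git a/stack/btm/btm_ble_int.h b/stack/btm/btm_ble_int.h
+index 437503e12..4bcf5a7e9 100644
+--- a/stack/btm/btm_ble_int.h
++++ b/stack/btm/btm_ble_int.h
+@@ -31,6 +31,7 @@
+#include "hcidefs.h"
+#include "btm_ble_api.h"
+#include "btm_int.h"
++#include "btm_int_types.h"
+
+#if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
+#include "smp_api.h"
+@@ -132,7 +133,7 @@ extern void btm_ble_dequeue_direct_conn_req(BD_ADDR rem_bda);
+/* BLE address management */
+extern void btm_gen_resolvable_private_addr (void *p_cmd_cplt_cback);
+extern void btm_gen_non_resolvable_private_addr (tBTM_BLE_ADDR_CBACK *p_cback, void *p);
+-extern void btm_ble_resolve_random_addr(BD_ADDR random_bda, tBTM_BLE_RESOLVE_CBACK * p_cback, void *p);
++extern tBTM_SEC_DEV_REC* btm_ble_resolve_random_addr(BD_ADDR random_bda);
+extern void btm_gen_resolve_paddr_low(tBTM_RAND_ENC *p);
+
+/* privacy function */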
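Review bot: In the rewritten resolve block of `btm_ble_conn_complete` (the `@@ -1974` hunk of btm_ble.c) the flag is set with `match = true;` although the callback this code replaces wrote `match = TRUE;` and the surrounding file uses the `BOOLEAN`/`TRUE`/`FALSE` spelling throughout; `match = TRUE;` keeps the function consistent with its own declarations (`match` itself is declared outside the hunk, presumably as `BOOLEAN` like the removed callback's). The new line `UINT8 *random_bda = (uint8_t*)context;` in `btm_ble_match_random_bda` mixes the two integer spellings in one statement; `(UINT8 *)context` matches the declaration on the left. With the `busy` gate and the stored callback pointer removed from `btm_ble_resolve_random_addr`, the `busy`, `p` and `random_bda` members of `tBTM_LE_RANDOM_CB` that the deleted lines referenced may no longer have any user; if nothing else touches them they should be dropped in a follow-up (the struct is not part of this patch). `btm_ble_conn_complete` and `btm_ble_process_adv_pkt` both begin outside their hunks.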
298
Patches/LineageOS-14.1/android_system_bt/378959.patch
Normal file
@ -0,0 +1,298 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Pawlowski <jpawlowski@google.com>
|
||||
Date: Wed, 7 Dec 2016 10:54:44 -0800
|
||||
Subject: [PATCH] Simplify LE Advertising Report Event processing
|
||||
|
||||
Bug: 30622771
|
||||
Test: compiliation test
|
||||
Change-Id: I78ac958b62462dc7aa322336c047670eec6bda0f
|
||||
---
|
||||
stack/btm/btm_ble_gap.c | 92 +++++++++++++++++++++-------------------
|
||||
stack/btm/btm_ble_int.h | 2 +-
|
||||
stack/btu/btu_hcif.c | 11 +----
|
||||
stack/include/bt_types.h | 1 +
|
||||
4 files changed, 53 insertions(+), 53 deletions(-)
|
||||
|
||||
diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
|
||||
index fe8ee6d27..d1fb6238a 100644
|
||||
--- a/stack/btm/btm_ble_gap.c
|
||||
+++ b/stack/btm/btm_ble_gap.c
|
||||
@@ -71,7 +71,8 @@ static tBTM_BLE_CTRL_FEATURES_CBACK *p_ctrl_le_feature_rd_cmpl_cback = NULL;
|
||||
** Local functions
|
||||
*******************************************************************************/
|
||||
static void btm_ble_update_adv_flag(UINT8 flag);
|
||||
-static void btm_ble_process_adv_pkt_cont(BD_ADDR bda, UINT8 addr_type, UINT8 evt_type, UINT8 *p);
|
||||
+static void btm_ble_process_adv_pkt_cont(BD_ADDR bda, UINT8 addr_type, UINT8 evt_type,
|
||||
+ UINT8 data_len, UINT8 *data, INT8 rssi);
|
||||
UINT8 *btm_ble_build_adv_data(tBTM_BLE_AD_MASK *p_data_mask, UINT8 **p_dst,
|
||||
tBTM_BLE_ADV_DATA *p_data);
|
||||
static UINT8 btm_set_conn_mode_adv_init_addr(tBTM_BLE_INQ_CB *p_cb,
|
||||
@@ -2306,15 +2307,13 @@ BOOLEAN btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p
|
||||
** Returns void
|
||||
**
|
||||
*******************************************************************************/
|
||||
-UINT8 btm_ble_is_discoverable(BD_ADDR bda, UINT8 evt_type, UINT8 *p)
|
||||
+UINT8 btm_ble_is_discoverable(BD_ADDR bda, UINT8 evt_type)
|
||||
{
|
||||
UINT8 *p_flag, flag = 0, rt = 0;
|
||||
UINT8 data_len;
|
||||
tBTM_INQ_PARMS *p_cond = &btm_cb.btm_inq_vars.inqparms;
|
||||
tBTM_BLE_INQ_CB *p_le_inq_cb = &btm_cb.ble_ctr_cb.inq_var;
|
||||
|
||||
- UNUSED(p);
|
||||
-
|
||||
/* for observer, always "discoverable */
|
||||
if (BTM_BLE_IS_OBS_ACTIVE(btm_cb.ble_ctr_cb.scan_activity))
|
||||
rt |= BTM_BLE_OBS_RESULT;
|
||||
@@ -2494,32 +2493,27 @@ static void btm_ble_appearance_to_cod(UINT16 appearance, UINT8 *dev_class)
|
||||
** Returns void
|
||||
**
|
||||
*******************************************************************************/
|
||||
-BOOLEAN btm_ble_update_inq_result(tINQ_DB_ENT *p_i, UINT8 addr_type, UINT8 evt_type, UINT8 *p)
|
||||
+BOOLEAN btm_ble_update_inq_result(tINQ_DB_ENT *p_i, UINT8 addr_type,
|
||||
+ UINT8 evt_type, UINT8 data_len,
|
||||
+ UINT8 *data, INT8 rssi)
|
||||
{
|
||||
BOOLEAN to_report = TRUE;
|
||||
tBTM_INQ_RESULTS *p_cur = &p_i->inq_info.results;
|
||||
UINT8 len;
|
||||
UINT8 *p_flag;
|
||||
tBTM_INQUIRY_VAR_ST *p_inq = &btm_cb.btm_inq_vars;
|
||||
- UINT8 data_len, rssi;
|
||||
tBTM_BLE_INQ_CB *p_le_inq_cb = &btm_cb.ble_ctr_cb.inq_var;
|
||||
- UINT8 *p1;
|
||||
UINT8 *p_uuid16;
|
||||
|
||||
- STREAM_TO_UINT8 (data_len, p);
|
||||
-
|
||||
if (data_len > BTM_BLE_ADV_DATA_LEN_MAX)
|
||||
{
|
||||
BTM_TRACE_WARNING("EIR data too long %d. discard", data_len);
|
||||
return FALSE;
|
||||
}
|
||||
- if (!btm_ble_cache_adv_data(p_cur, data_len, p, evt_type)) {
|
||||
+ if (!btm_ble_cache_adv_data(p_cur, data_len, data, evt_type)) {
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
- p1 = (p + data_len);
|
||||
- STREAM_TO_UINT8 (rssi, p1);
|
||||
-
|
||||
/* Save the info */
|
||||
p_cur->inq_result_type = BTM_INQ_RESULT_BLE;
|
||||
p_cur->ble_addr_type = addr_type;
|
||||
@@ -2529,8 +2523,8 @@ BOOLEAN btm_ble_update_inq_result(tINQ_DB_ENT *p_i, UINT8 addr_type, UINT8 evt_t
|
||||
if ((btm_cb.ble_ctr_cb.inq_var.scan_type == BTM_BLE_SCAN_MODE_ACTI &&
|
||||
(evt_type == BTM_BLE_CONNECT_EVT || evt_type == BTM_BLE_DISCOVER_EVT)))
|
||||
{
|
||||
- BTM_TRACE_DEBUG("btm_ble_update_inq_result scan_rsp=false, to_report=false,\
|
||||
- scan_type_active=%d", btm_cb.ble_ctr_cb.inq_var.scan_type);
|
||||
+ BTM_TRACE_DEBUG("%s: scan_rsp=false, to_report=false, scan_type_active=%d",
|
||||
+ __func__, btm_cb.ble_ctr_cb.inq_var.scan_type);
|
||||
p_i->scan_rsp = FALSE;
|
||||
to_report = FALSE;
|
||||
}
|
||||
@@ -2642,9 +2636,11 @@ void btm_clear_all_pending_le_entry(void)
|
||||
** Returns void
|
||||
**
|
||||
*******************************************************************************/
|
||||
-void btm_send_sel_conn_callback(BD_ADDR remote_bda, UINT8 evt_type, UINT8 *p_data, UINT8 addr_type)
|
||||
+void btm_send_sel_conn_callback(BD_ADDR remote_bda, UINT8 evt_type,
|
||||
+ UINT8 data_len, UINT8 *data,
|
||||
+ UINT8 addr_type)
|
||||
{
|
||||
- UINT8 data_len, len;
|
||||
+ UINT8 len;
|
||||
UINT8 *p_dev_name, remname[31] = {0};
|
||||
UNUSED(addr_type);
|
||||
|
||||
@@ -2653,15 +2649,13 @@ void btm_send_sel_conn_callback(BD_ADDR remote_bda, UINT8 evt_type, UINT8 *p_dat
|
||||
(evt_type != BTM_BLE_EVT_CONN_ADV && evt_type != BTM_BLE_EVT_CONN_DIR_ADV))
|
||||
return;
|
||||
|
||||
- STREAM_TO_UINT8 (data_len, p_data);
|
||||
-
|
||||
/* get the device name if exist in ADV data */
|
||||
if (data_len != 0)
|
||||
{
|
||||
- p_dev_name = BTM_CheckAdvData(p_data, BTM_BLE_AD_TYPE_NAME_CMPL, &len);
|
||||
+ p_dev_name = BTM_CheckAdvData(data, BTM_BLE_AD_TYPE_NAME_CMPL, &len);
|
||||
|
||||
if (p_dev_name == NULL)
|
||||
- p_dev_name = BTM_CheckAdvData(p_data, BTM_BLE_AD_TYPE_NAME_SHORT, &len);
|
||||
+ p_dev_name = BTM_CheckAdvData(data, BTM_BLE_AD_TYPE_NAME_SHORT, &len);
|
||||
|
||||
if (p_dev_name)
|
||||
memcpy(remname, p_dev_name, len);
|
||||
@@ -2687,16 +2681,12 @@ void btm_send_sel_conn_callback(BD_ADDR remote_bda, UINT8 evt_type, UINT8 *p_dat
|
||||
** Returns void
|
||||
**
|
||||
*******************************************************************************/
|
||||
-void btm_ble_process_adv_pkt (UINT8 *p_data)
|
||||
+void btm_ble_process_adv_pkt (UINT8 data_len, UINT8 *data)
|
||||
{
|
||||
BD_ADDR bda;
|
||||
- UINT8 evt_type = 0, *p = p_data;
|
||||
- UINT8 addr_type = 0;
|
||||
- UINT8 num_reports;
|
||||
- UINT8 data_len;
|
||||
-#if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE)
|
||||
- BOOLEAN match = FALSE;
|
||||
-#endif
|
||||
+ UINT8 *p = data;
|
||||
+ UINT8 evt_type, addr_type, num_reports, pkt_data_len;
|
||||
+ INT8 rssi;
|
||||
|
||||
/* Only process the results if the inquiry is still active */
|
||||
if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity))
|
||||
@@ -2707,17 +2697,35 @@ void btm_ble_process_adv_pkt (UINT8 *p_data)
|
||||
|
||||
while (num_reports--)
|
||||
{
|
||||
+ if (p > data + data_len)
|
||||
+ {
|
||||
+ // TODO(jpawlowski): we should crash the stack here
|
||||
+ BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
/* Extract inquiry results */
|
||||
STREAM_TO_UINT8 (evt_type, p);
|
||||
STREAM_TO_UINT8 (addr_type, p);
|
||||
STREAM_TO_BDADDR (bda, p);
|
||||
+ STREAM_TO_UINT8 (pkt_data_len, p);
|
||||
+
|
||||
+ UINT8 *pkt_data = p;
|
||||
+ p += pkt_data_len; /* Advance to the the rssi byte */
|
||||
+
|
||||
+ STREAM_TO_INT8(rssi, p);
|
||||
+
|
||||
+ if (rssi >= 21 && rssi <= 126) {
|
||||
+ BTM_TRACE_ERROR("%s: bad rssi value in advertising report: ", __func__,
|
||||
+ pkt_data_len, rssi);
|
||||
+ }
|
||||
|
||||
#if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE)
|
||||
/* map address to security record */
|
||||
- match = btm_identity_addr_to_random_pseudo(bda, &addr_type, FALSE);
|
||||
+ bool match = btm_identity_addr_to_random_pseudo(bda, &addr_type, FALSE);
|
||||
|
||||
- BTM_TRACE_DEBUG("btm_ble_process_adv_pkt:bda= %0x:%0x:%0x:%0x:%0x:%0x",
|
||||
- bda[0],bda[1],bda[2],bda[3],bda[4],bda[5]);
|
||||
+ BTM_TRACE_DEBUG("%s: bda= %0x:%0x:%0x:%0x:%0x:%0x", __func__, bda[0],
|
||||
+ bda[1], bda[2], bda[3], bda[4], bda[5]);
|
||||
/* always do RRA resolution on host */
|
||||
if (!match && BTM_BLE_IS_RESOLVE_BDA(bda))
|
||||
{
|
||||
@@ -2740,12 +2748,8 @@ void btm_ble_process_adv_pkt (UINT8 *p_data)
|
||||
}
|
||||
}
|
||||
#endif
|
||||
- btm_ble_process_adv_pkt_cont(bda, addr_type, evt_type, p);
|
||||
-
|
||||
- STREAM_TO_UINT8(data_len, p);
|
||||
-
|
||||
- /* Advance to the next event data_len + rssi byte */
|
||||
- p += data_len + 1;
|
||||
+ btm_ble_process_adv_pkt_cont(bda, addr_type, evt_type, pkt_data_len,
|
||||
+ pkt_data, rssi);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2761,7 +2765,9 @@ void btm_ble_process_adv_pkt (UINT8 *p_data)
|
||||
** Returns void
|
||||
**
|
||||
*******************************************************************************/
|
||||
-static void btm_ble_process_adv_pkt_cont(BD_ADDR bda, UINT8 addr_type, UINT8 evt_type, UINT8 *p)
|
||||
+static void btm_ble_process_adv_pkt_cont(BD_ADDR bda, UINT8 addr_type,
|
||||
+ UINT8 evt_type, UINT8 data_len,
|
||||
+ UINT8 *data, INT8 rssi)
|
||||
{
|
||||
tINQ_DB_ENT *p_i;
|
||||
tBTM_INQUIRY_VAR_ST *p_inq = &btm_cb.btm_inq_vars;
|
||||
@@ -2809,12 +2815,12 @@ static void btm_ble_process_adv_pkt_cont(BD_ADDR bda, UINT8 addr_type, UINT8 evt
|
||||
p_inq->inq_cmpl_info.num_resp++;
|
||||
}
|
||||
/* update the LE device information in inquiry database */
|
||||
- if (!btm_ble_update_inq_result(p_i, addr_type, evt_type, p))
|
||||
+ if (!btm_ble_update_inq_result(p_i, addr_type, evt_type, data_len, data, rssi))
|
||||
return;
|
||||
|
||||
- if ((result = btm_ble_is_discoverable(bda, evt_type, p)) == 0)
|
||||
+ if ((result = btm_ble_is_discoverable(bda, evt_type)) == 0)
|
||||
{
|
||||
- LOG_WARN(LOG_TAG, "%s device is no longer discoverable so discarding advertising packet pkt",
|
||||
+ LOG_WARN(LOG_TAG, "%s device no longer discoverable, discarding advertising packet",
|
||||
__func__);
|
||||
return;
|
||||
}
|
||||
@@ -2847,7 +2853,7 @@ static void btm_ble_process_adv_pkt_cont(BD_ADDR bda, UINT8 addr_type, UINT8 evt
|
||||
if (btm_cb.ble_ctr_cb.bg_conn_type == BTM_BLE_CONN_SELECTIVE)
|
||||
{
|
||||
if (result & BTM_BLE_SEL_CONN_RESULT)
|
||||
- btm_send_sel_conn_callback(bda, evt_type, p, addr_type);
|
||||
+ btm_send_sel_conn_callback(bda, evt_type, data_len, data, addr_type);
|
||||
else
|
||||
{
|
||||
BTM_TRACE_DEBUG("None LE device, can not initiate selective connection");
|
||||
diff --git a/stack/btm/btm_ble_int.h b/stack/btm/btm_ble_int.h
|
||||
index 4bcf5a7e9..98b801981 100644
|
||||
--- a/stack/btm/btm_ble_int.h
|
||||
+++ b/stack/btm/btm_ble_int.h
|
||||
@@ -45,7 +45,7 @@ extern "C" {
|
||||
|
||||
extern void btm_ble_adv_raddr_timer_timeout(void *data);
|
||||
extern void btm_ble_refresh_raddr_timer_timeout(void *data);
|
||||
-extern void btm_ble_process_adv_pkt (UINT8 *p);
|
||||
+extern void btm_ble_process_adv_pkt (UINT8 len, UINT8 *p);
|
||||
extern void btm_ble_proc_scan_rsp_rpt (UINT8 *p);
|
||||
extern tBTM_STATUS btm_ble_read_remote_name(BD_ADDR remote_bda, tBTM_INQ_INFO *p_cur, tBTM_CMPL_CB *p_cb);
|
||||
extern BOOLEAN btm_ble_cancel_remote_name(BD_ADDR remote_bda);
|
||||
diff --git a/stack/btu/btu_hcif.c b/stack/btu/btu_hcif.c
|
||||
index eacf145bf..4851e53ad 100644
|
||||
--- a/stack/btu/btu_hcif.c
|
||||
+++ b/stack/btu/btu_hcif.c
|
||||
@@ -115,7 +115,6 @@ static void btu_hcif_ssr_evt (UINT8 *p, UINT16 evt_len);
|
||||
|
||||
#if BLE_INCLUDED == TRUE
|
||||
static void btu_ble_ll_conn_complete_evt (UINT8 *p, UINT16 evt_len);
|
||||
-static void btu_ble_process_adv_pkt (UINT8 *p);
|
||||
static void btu_ble_read_remote_feat_evt (UINT8 *p);
|
||||
static void btu_ble_ll_conn_param_upd_evt (UINT8 *p, UINT16 evt_len);
|
||||
static void btu_ble_proc_ltk_req (UINT8 *p);
|
||||
@@ -308,7 +307,8 @@ void btu_hcif_process_event (UNUSED_ATTR UINT8 controller_id, BT_HDR *p_msg)
|
||||
switch (ble_sub_code)
|
||||
{
|
||||
case HCI_BLE_ADV_PKT_RPT_EVT: /* result of inquiry */
|
||||
- btu_ble_process_adv_pkt(p);
|
||||
+ HCI_TRACE_EVENT("HCI_BLE_ADV_PKT_RPT_EVT");
|
||||
+ btm_ble_process_adv_pkt(hci_evt_len - 1, p);
|
||||
break;
|
||||
case HCI_BLE_CONN_COMPLETE_EVT:
|
||||
btu_ble_ll_conn_complete_evt(p, hci_evt_len);
|
||||
@@ -1733,13 +1733,6 @@ static void btu_hcif_encryption_key_refresh_cmpl_evt (UINT8 *p)
|
||||
}
|
||||
}
|
||||
|
||||
-static void btu_ble_process_adv_pkt (UINT8 *p)
|
||||
-{
|
||||
- HCI_TRACE_EVENT("btu_ble_process_adv_pkt");
|
||||
-
|
||||
- btm_ble_process_adv_pkt(p);
|
||||
-}
|
||||
-
|
||||
static void btu_ble_ll_conn_complete_evt ( UINT8 *p, UINT16 evt_len)
|
||||
{
|
||||
btm_ble_conn_complete(p, evt_len, FALSE);
|
||||
diff --git a/stack/include/bt_types.h b/stack/include/bt_types.h
|
||||
index ebc1e00f1..4cfd6f39d 100644
|
||||
--- a/stack/include/bt_types.h
|
||||
+++ b/stack/include/bt_types.h
|
||||
@@ -250,6 +250,7 @@ typedef struct
|
||||
#define ARRAY_TO_STREAM(p, a, len) {register int ijk; for (ijk = 0; ijk < len; ijk++) *(p)++ = (UINT8) a[ijk];}
|
||||
#define REVERSE_ARRAY_TO_STREAM(p, a, len) {register int ijk; for (ijk = 0; ijk < len; ijk++) *(p)++ = (UINT8) a[len - 1 - ijk];}
|
||||
|
||||
+#define STREAM_TO_INT8(u8, p) {u8 = (*((INT8*)p)); (p) += 1;}
|
||||
#define STREAM_TO_UINT8(u8, p) {u8 = (UINT8)(*(p)); (p) += 1;}
|
||||
#define STREAM_TO_UINT16(u16, p) {u16 = ((UINT16)(*(p)) + (((UINT16)(*((p) + 1))) << 8)); (p) += 2;}
|
||||
#define STREAM_TO_UINT24(u32, p) {u32 = (((UINT32)(*(p))) + ((((UINT32)(*((p) + 1)))) << 8) + ((((UINT32)(*((p) + 2)))) << 16) ); (p) += 3;}
|
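--- /dev/null
+++ b/Patches/LineageOS-14.1/android_system_bt/378960.patch
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakub Pawlowski <jpawlowski@google.com>
+Date: Wed, 21 Mar 2018 17:13:36 -0700
+Subject: [PATCH] LE Advertising Report parsing enhancements
+
+Reject invalid data length for advertisement data.
+Also, don't attempt to resolve anonymous advertising addresses.
+
+Test: LE scanning tests
+Bug: 73193883
+Change-Id: I1cb330bc30fdcaebc86527cd2656c9dd7932b318
+---
+stack/btm/btm_ble_gap.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
+index d1fb6238a..a758f991f 100644
+--- a/stack/btm/btm_ble_gap.c
++++ b/stack/btm/btm_ble_gap.c
+@@ -2712,6 +2712,11 @@ void btm_ble_process_adv_pkt (UINT8 data_len, UINT8 *data)
+
+UINT8 *pkt_data = p;
+p += pkt_data_len; /* Advance to the the rssi byte */
++ if (p > data + data_len - sizeof(rssi))
++ {
++ BTM_TRACE_ERROR("Invalid pkt_data_len: %d", pkt_data_len);
++ return;
++ }
+
+STREAM_TO_INT8(rssi, p);
+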
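Review bot: The patch description in this file claims two changes ("Reject invalid data length" and "don't attempt to resolve anonymous advertising addresses"), but the diffstat reports 5 insertions in btm_ble_gap.c and the single hunk only adds the pkt_data_len bounds check, so the anonymous-address half of the upstream change is not in this backport. Since this is a cherry-pick into the 14.1 patch set, the description should say so, e.g. a trailer line after the Change-Id such as `[DivestOS: partial backport, only the data-length check is included]`, so nobody assumes the anonymous-advertising handling landed. The check itself is consistent with the RSSI read that follows: after `p += pkt_data_len;`, `p > data + data_len - sizeof(rssi)` rejects a report whose data would push the one-byte RSSI past the event payload.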
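--- /dev/null
+++ b/Patches/LineageOS-14.1/android_system_bt/378961.patch
@@ -0,0 +1,91 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 23 May 2023 23:23:11 +0000
+Subject: [PATCH] Fix some OOB errors in BTM parsing
+
+Some HCI BLE events are missing bounds checks, leading to possible OOB
+access. Add the appropriate bounds checks on the packets.
+
+Bug: 279169188
+Test: atest bluetooth_test_gd_unit, net_test_stack_btm
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)
+Merged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
+Change-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
+---
+stack/btm/btm_ble_gap.c | 25 ++++++++++++++++++-------
+stack/btu/btu_hcif.c | 7 +++++++
+2 files changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
+index a758f991f..591034ddf 100644
+--- a/stack/btm/btm_ble_gap.c
++++ b/stack/btm/btm_ble_gap.c
+@@ -2687,20 +2687,28 @@ void btm_ble_process_adv_pkt (UINT8 data_len, UINT8 *data)
+UINT8 *p = data;
+UINT8 evt_type, addr_type, num_reports, pkt_data_len;
+INT8 rssi;
++ size_t bytes_to_process;
+
+/* Only process the results if the inquiry is still active */
+if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity))
+return;
+
++ bytes_to_process = 1;
++
++ if (data_len < bytes_to_process) {
++ BTM_TRACE_ERROR("Malformed LE advertising packet: not enough room for num reports");
++ return;
++ }
++
+/* Extract the number of reports in this event. */
+STREAM_TO_UINT8(num_reports, p);
+
+while (num_reports--)
+{
+- if (p > data + data_len)
+- {
+- // TODO(jpawlowski): we should crash the stack here
+- BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller");
++ bytes_to_process += 9;
++
++ if (data_len < bytes_to_process) {
++ BTM_TRACE_ERROR("Malformed LE advertising packet: not enough room for metadata");
+return;
+}
+
+@@ -2712,9 +2720,12 @@ void btm_ble_process_adv_pkt (UINT8 data_len, UINT8 *data)
+
+UINT8 *pkt_data = p;
+p += pkt_data_len; /* Advance to the the rssi byte */
+- if (p > data + data_len - sizeof(rssi))
+- {
+- BTM_TRACE_ERROR("Invalid pkt_data_len: %d", pkt_data_len);
++
++ // include rssi for this check
++ bytes_to_process += pkt_data_len + 1;
++ if (data_len < bytes_to_process) {
++ BTM_TRACE_ERROR("Malformed LE advertising packet: not enough room for "
++ "packet data and/or RSSI");
+return;
+}
+
+diff --git a/stack/btu/btu_hcif.c b/stack/btu/btu_hcif.c
+index 4851e53ad..6a219b4c7 100644
+--- a/stack/btu/btu_hcif.c
++++ b/stack/btu/btu_hcif.c
+@@ -1794,6 +1794,13 @@ static void btu_ble_data_length_change_evt(UINT8 *p, UINT16 evt_len)
+return;
+}
+
++ // 2 bytes each for handle, tx_data_len, TxTimer, rx_data_len
++ if (evt_len < 8)
++ {
++ LOG_ERROR(LOG_TAG, "Event packet too short");
++ return;
++ }
++
+STREAM_TO_UINT16(handle, p);
+STREAM_TO_UINT16(tx_data_len, p);
+p += 2; /* Skip the TxTimer */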
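Review bot: In the btm_ble_gap.c hunk at @@ -2712, the new length check runs only after `p += pkt_data_len;` has already advanced the cursor, so a malformed report still forms a pointer past the end of `data` before it is rejected; moving `bytes_to_process += pkt_data_len + 1;` and its `if (data_len < bytes_to_process)` test above the `p += pkt_data_len;` line keeps the pointer in bounds as well as the reads. The `bytes_to_process += 9;` in the first hunk deserves a comment naming what it covers, e.g. `/* evt_type(1) + addr_type(1) + BD_ADDR(6) + data length(1) */`, since the error text only says "metadata". Both checks trust the `data_len` the caller passes in; from the 378959 section that value appears to be `hci_evt_len - 1`, so an `hci_evt_len` of 0 would presumably wrap to a large value rather than fail here, which is worth confirming at the caller. The btu_hcif.c hunk's `evt_len < 8` matches the four 16-bit fields read directly below it.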
@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
|
||||
sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
|
||||
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
||||
awk -i inplace '!/Exchange2/' target/product/core.mk;
|
||||
sed -i 's/2021-06-05/2023-12-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-12 #XXX
|
||||
sed -i 's/2021-06-05/2024-01-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-01 #XXX
|
||||
fi;
|
||||
|
||||
if enterAndClear "device/qcom/sepolicy"; then
|
||||
@ -243,6 +243,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/376458.patch"; #n-asb-2023-12 D
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/376459.patch"; #n-asb-2023-12 Validate userId when publishing shortcuts
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/376460.patch"; #n-asb-2023-12 Adding in verification of calling UID in onShellCommand
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/377939.patch"; #n-asb-2023-12 Require permission to unlock keyguard
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/378954.patch"; #n-asb-2024-01 Truncate user data to a limit of 500 characters
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/378955.patch"; #n-asb-2024-01 Fix vulnerability that allowed attackers to start arbitary activities
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/378956.patch"; #n-asb-2024-01 Fix ActivityManager#killBackgroundProcesses permissions
|
||||
git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
|
||||
@ -531,6 +534,11 @@ applyPatch "$DOS_PATCHES/android_system_bt/376465.patch"; #n-asb-2023-12 Reject
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/376466.patch"; #n-asb-2023-12 Reorganize the code for checking auth requirement
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/376467.patch"; #n-asb-2023-12 Enforce authentication if encryption is required
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/376468.patch"; #n-asb-2023-12 Fix timing attack in BTM_BleVerifySignature
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/378957.patch"; #n-asb-2024-01 Separate the definition of BTM layer types from control blocks
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/378958.patch"; #n-asb-2024-01 Simplify btm_ble_resolve_random_addr
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/378959.patch"; #n-asb-2024-01 Simplify LE Advertising Report Event processing
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/378960.patch"; #n-asb-2024-01 LE Advertising Report parsing enhancements
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/378961.patch"; #n-asb-2024-01 Fix some OOB errors in BTM parsing
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)
|
||||
|