14.1: January ASB Picks

Signed-off-by: Tavi <tavi@divested.dev>
Tavi 2024-01-05 23:14:43 -05:00
parent fac5f2568f
commit 533749cffd
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
12 changed files with 9617 additions and 5 deletions



@ -1296,7 +1296,7 @@
<apn carrier="Sprint LTE internet" mcc="310" mnc="120" apn="n.ispsn" type="default,mms,supl,hipri,dun" mmsc="http://mms.sprintpcs.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" bearer="14" />
<apn carrier="Sprint EHRPD internet" mcc="310" mnc="120" apn="n.ispsn" type="default,mms,supl,hipri" mmsc="http://mms.sprintpcs.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" bearer="13" />
<apn carrier="Sprint internet" mcc="310" mnc="120" apn="n.ispsn" type="mms,supl,hipri" mmsc="http://mms.sprintpcs.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" />
<apn carrier="Boost" mcc="310" mnc="120" apn="cinet.spcs" type="supl,mms,dun,fota" mmsc="http://mm.myboostmobile.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" />
<apn carrier="Boost Mobile" mcc="310" mnc="410" apn="ereseller" mmsc="http://mmsc.mobile.att.net" mmsproxy="proxy.mobile.att.net" mmsport="80" type="default,mms,supl,fota,xcap" protocol="IPV4V6" roaming_protocol="IPV4V6" mvno_match_data="3432" mvno_type="gid" />
<apn carrier="Credo Mobile" mcc="310" mnc="120" apn="n.w1.ispsn" type="mms" mmsc="http://mms.plspictures.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" />
<apn carrier="Ting" mcc="310" mnc="120" apn="n.t8.ispsn" type="default,supl,mms" mmsc="http://mms.plspictures.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" />
<apn carrier="Ringplus" mcc="310" mnc="120" apn="n.r5.ispsn" type="supl,mms" mmsc="http://mms.plspictures.com" mmsproxy="68.28.31.7" mmsport="80" protocol="IPV4V6" roaming_protocol="IPV4V6" />
@ -1630,7 +1630,6 @@
<apn carrier="MetroPCS IMS" mcc="311" mnc="660" apn="ims.metropcs" user="" password="" type="ims" authtype="0" mmsc="http://mms.metropcs.net:3128/mmsc" protocol="IP" roaming_protocol="IP" bearer="14" />
<apn carrier="ATT WAP" mcc="311" mnc="680" apn="wap.cingular" proxy="wireless.cingular.com" port="80" mmsc="http://mmsc.cingular.com" mmsproxy="wireless.cingular.com" mmsport="80" type="default,mms" />
<apn carrier="ATT Broadband" mcc="311" mnc="680" apn="Broadband" type="default,supl" />
<apn carrier="Boost Mobile CdmaNai" mcc="311" mnc="870" apn="CdmaNai" mmsproxy="68.28.31.7" mmsport="80" mmsc="http://mm.myboostmobile.com" type="mms" carrier_enabled="false" protocol="IPV4V6" roaming_protocol="IPV4V6" bearer="6" />
<apn carrier="ATT WAP" mcc="311" mnc="980" apn="wap.cingular" proxy="wireless.cingular.com" port="80" mmsc="http://mmsc.cingular.com" mmsproxy="wireless.cingular.com" mmsport="80" type="default,mms" />
<apn carrier="ATT Broadband" mcc="311" mnc="980" apn="Broadband" type="default,supl" />
<apn carrier="Sprint CdmaNai" mcc="312" mnc="530" apn="CdmaNai" mmsproxy="68.28.31.7" mmsport="80" mmsc="http://mms.sprintpcs.com" type="mms" carrier_enabled="false" protocol="IPV4V6" roaming_protocol="IPV4V6" bearer="6" />


@ -0,0 +1,94 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tetiana Meronyk <tetianameronyk@google.com>
Date: Mon, 9 Oct 2023 20:57:11 +0000
Subject: [PATCH] Truncate user data to a limit of 500 characters
Fix vulnerability that allows creating users with no restrictions. This is done by creating an intent to create a user and putting extras that are too long to be serialized. It causes IOException and the restrictions are not written in the file.
By truncating the string values when writing them to the file, we ensure that the exception does not happen and it can be recorded correctly.
Bug: 293602317
Test: install app provided in the bug, open app and click add. Check logcat to see there is no more IOException. Reboot the device by either opening User details page or running adb shell dumpsys user | grep -A12 heen and see that the restrictions are in place.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:46caac641941f2e8865a8d53400f959b3bd98d88)
Merged-In: Ia71477601d036a3ca55e73cdc9698ae268a30f20
Change-Id: Ia71477601d036a3ca55e73cdc9698ae268a30f20
---
.../android/server/pm/UserManagerService.java | 24 ++++++++++++++-----
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index cea22bbe46f4..d19a95a5e229 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -188,6 +188,8 @@ public class UserManagerService extends IUserManager.Stub {
private static final int USER_VERSION = 6;
+ private static final int MAX_USER_STRING_LENGTH = 500;
+
private static final long EPOCH_PLUS_30_YEARS = 30L * 365 * 24 * 60 * 60 * 1000L; // ms
// Maximum number of managed profiles permitted per user is 1. This cannot be increased
@@ -1921,15 +1923,17 @@ public class UserManagerService extends IUserManager.Stub {
// Write seed data
if (userData.persistSeedData) {
if (userData.seedAccountName != null) {
- serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME, userData.seedAccountName);
+ serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME,
+ truncateString(userData.seedAccountName));
}
if (userData.seedAccountType != null) {
- serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE, userData.seedAccountType);
+ serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE,
+ truncateString(userData.seedAccountType));
}
}
if (userInfo.name != null) {
serializer.startTag(null, TAG_NAME);
- serializer.text(userInfo.name);
+ serializer.text(truncateString(userInfo.name));
serializer.endTag(null, TAG_NAME);
}
synchronized (mRestrictionsLock) {
@@ -1961,6 +1965,13 @@ public class UserManagerService extends IUserManager.Stub {
}
}
+ private String truncateString(String original) {
+ if (original == null || original.length() <= MAX_USER_STRING_LENGTH) {
+ return original;
+ }
+ return original.substring(0, MAX_USER_STRING_LENGTH);
+ }
+
/*
* Writes the user list file in this format:
*
@@ -2219,6 +2230,7 @@ public class UserManagerService extends IUserManager.Stub {
if (ActivityManager.isLowRamDeviceStatic()) {
return null;
}
+ String truncatedName = truncateString(name);
final boolean isGuest = (flags & UserInfo.FLAG_GUEST) != 0;
final boolean isManagedProfile = (flags & UserInfo.FLAG_MANAGED_PROFILE) != 0;
final boolean isRestricted = (flags & UserInfo.FLAG_RESTRICTED) != 0;
@@ -2297,7 +2309,7 @@ public class UserManagerService extends IUserManager.Stub {
flags |= UserInfo.FLAG_EPHEMERAL;
}
- userInfo = new UserInfo(userId, name, null, flags);
+ userInfo = new UserInfo(userId, truncatedName, null, flags);
userInfo.serialNumber = mNextSerialNumber++;
long now = System.currentTimeMillis();
userInfo.creationTime = (now > EPOCH_PLUS_30_YEARS) ? now : 0;
@@ -3095,8 +3107,8 @@ public class UserManagerService extends IUserManager.Stub {
Slog.e(LOG_TAG, "No such user for settings seed data u=" + userId);
return;
}
- userData.seedAccountName = accountName;
- userData.seedAccountType = accountType;
+ userData.seedAccountName = truncateString(accountName);
+ userData.seedAccountType = truncateString(accountType);
userData.seedAccountOptions = accountOptions;
userData.persistSeedData = persist;
}


@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Will Leshner <wleshner@google.com>
Date: Tue, 31 Oct 2023 13:23:08 -0700
Subject: [PATCH] Fix vulnerability that allowed attackers to start arbitary
activities
Test: Flashed device and verified dream settings works as expected
Test: Installed APK from bug and verified the dream didn't allow
launching the inappropriate settings activity.
Fixes: 300090204
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14)
Merged-In: I573040df84bf98a493b39f96c8581e4303206bac
Change-Id: I573040df84bf98a493b39f96c8581e4303206bac
---
.../com/android/settingslib/dream/DreamBackend.java | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
index e5cdc85a48d9..6dae681c92df 100644
--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
@@ -274,7 +274,17 @@ public class DreamBackend {
if (cn != null && cn.indexOf('/') < 0) {
cn = resolveInfo.serviceInfo.packageName + "/" + cn;
}
- return cn == null ? null : ComponentName.unflattenFromString(cn);
+ // Ensure that the component is from the same package as the dream service. If not,
+ // treat the component as invalid and return null instead.
+ final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
+ if (result != null
+ && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
+ Log.w(TAG,
+ "Inconsistent package name in component: " + result.getPackageName()
+ + ", should be: " + resolveInfo.serviceInfo.packageName);
+ return null;
+ }
+ return result;
}
private static void logd(String msg, Object... args) {
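Review bot: The new check at `if (result != null && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName))` pins the settings activity to the dream's own package, which closes the reported cross-package launch, but the method still returns whatever class name the dream's metadata declares without confirming it resolves to an activity. Since the caller is Settings, which presumably launches with more privilege than the dream itself, it may be worth resolving the component through PackageManager before returning it so a misdeclared or non-existent class fails here rather than at launch; the caller is not visible, so treat this as a point to confirm. A short Javadoc stating the contract would also help, e.g. `/** Returns the dream's settings activity, or null if it is missing or not in the dream's own package. */`. The enclosing method begins outside the hunk.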


@ -0,0 +1,69 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jing Ji <jji@google.com>
Date: Thu, 19 Oct 2023 14:22:58 -0700
Subject: [PATCH] DO NOT MERGE: Fix ActivityManager#killBackgroundProcesses
permissions
In the pevious CL, we incorrectly added the permission check in the
killBackgroundProcessesExcept. Now fix this issue.
Bug: 239423414
Bug: 223376078
Test: atest CtsAppTestCases:ActivityManagerTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140fce861944419a375c669010c6c47cd7ff5b37)
Merged-In: I9471a77188ee63ec32cd0c81569193e4ccad885b
Change-Id: I9471a77188ee63ec32cd0c81569193e4ccad885b
---
.../server/am/ActivityManagerService.java | 32 +++++++++----------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 406e08009cb7..2e6e7fa15d0f 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -5868,6 +5868,22 @@ public final class ActivityManagerService extends ActivityManagerNative
throw new SecurityException(msg);
}
+ final int callingUid = Binder.getCallingUid();
+ final int callingPid = Binder.getCallingPid();
+
+ ProcessRecord proc;
+ synchronized (mPidsSelfLocked) {
+ proc = mPidsSelfLocked.get(callingPid);
+ }
+ if (callingUid >= Process.FIRST_APPLICATION_UID
+ && (proc == null || !proc.info.isSystemApp())) {
+ final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
+ + callingPid + ", uid=" + callingUid + " is not allowed";
+ Slog.w(TAG, msg);
+ // Silently return to avoid existing apps from crashing.
+ return;
+ }
+
final long callingId = Binder.clearCallingIdentity();
try {
synchronized (this) {
@@ -5925,22 +5941,6 @@ public final class ActivityManagerService extends ActivityManagerNative
throw new SecurityException(msg);
}
- final int callingUid = Binder.getCallingUid();
- final int callingPid = Binder.getCallingPid();
-
- ProcessRecord proc;
- synchronized (mPidsSelfLocked) {
- proc = mPidsSelfLocked.get(callingPid);
- }
- if (callingUid >= Process.FIRST_APPLICATION_UID
- && (proc == null || !proc.info.isSystemApp())) {
- final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
- + callingPid + ", uid=" + callingUid + " is not allowed";
- Slog.w(TAG, msg);
- // Silently return to avoid existing apps from crashing.
- return;
- }
-
final long callingId = Binder.clearCallingIdentity();
try {
synchronized (this) {


@ -49,7 +49,7 @@ index 60820c2c0..89963dc30 100644
readable = true;
return future_new_immediate(FUTURE_SUCCESS);
diff --git a/stack/btu/btu_hcif.c b/stack/btu/btu_hcif.c
index eacf145bf..616d6d581 100644
index 6a219b4c7..1d2ea45b3 100644
--- a/stack/btu/btu_hcif.c
+++ b/stack/btu/btu_hcif.c
@@ -606,7 +606,7 @@ static void btu_hcif_rmt_name_request_comp_evt (UINT8 *p, UINT16 evt_len)
@ -121,7 +121,7 @@ index eacf145bf..616d6d581 100644
+#endif
}
static void btu_ble_process_adv_pkt (UINT8 *p)
static void btu_ble_ll_conn_complete_evt ( UINT8 *p, UINT16 evt_len)
diff --git a/stack/hcic/hcicmds.c b/stack/hcic/hcicmds.c
index ba1f6d4fe..233306759 100644
--- a/stack/hcic/hcicmds.c



@ -0,0 +1,341 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jakub Pawlowski <jpawlowski@google.com>
Date: Tue, 6 Dec 2016 15:40:58 -0800
Subject: [PATCH] Simplify btm_ble_resolve_random_addr
Bug: 30622771
Test: manual testing
Change-Id: I604d0e909a6fe270e2b413abbdb497d622780261
---
stack/btm/btm_ble.c | 119 ++++++++++++---------------------------
stack/btm/btm_ble_addr.c | 41 ++++++--------
stack/btm/btm_ble_gap.c | 66 ++++++----------------
stack/btm/btm_ble_int.h | 3 +-
4 files changed, 74 insertions(+), 155 deletions(-)
diff --git a/stack/btm/btm_ble.c b/stack/btm/btm_ble.c
index c6e699d49..69a497454 100644
--- a/stack/btm/btm_ble.c
+++ b/stack/btm/btm_ble.c
@@ -1800,69 +1800,6 @@ UINT8 btm_ble_br_keys_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data)
return callback_rc;
}
-#if (BLE_PRIVACY_SPT == TRUE )
-/*******************************************************************************
-**
-** Function btm_ble_resolve_random_addr_on_conn_cmpl
-**
-** Description resolve random address complete on connection complete event.
-**
-** Returns void
-**
-*******************************************************************************/
-static void btm_ble_resolve_random_addr_on_conn_cmpl(void * p_rec, void *p_data)
-{
- UINT8 *p = (UINT8 *)p_data;
- tBTM_SEC_DEV_REC *match_rec = (tBTM_SEC_DEV_REC *) p_rec;
- UINT8 role, bda_type;
- UINT16 handle;
- BD_ADDR bda;
- UINT16 conn_interval, conn_latency, conn_timeout;
- BOOLEAN match = FALSE;
-
- ++p;
- STREAM_TO_UINT16 (handle, p);
- STREAM_TO_UINT8 (role, p);
- STREAM_TO_UINT8 (bda_type, p);
- STREAM_TO_BDADDR (bda, p);
- STREAM_TO_UINT16 (conn_interval, p);
- STREAM_TO_UINT16 (conn_latency, p);
- STREAM_TO_UINT16 (conn_timeout, p);
-
- handle = HCID_GET_HANDLE (handle);
-
- BTM_TRACE_EVENT ("%s", __func__);
-
- if (match_rec)
- {
- LOG_INFO(LOG_TAG, "%s matched and resolved random address", __func__);
- match = TRUE;
- match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
- memcpy(match_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
- if (!btm_ble_init_pseudo_addr (match_rec, bda))
- {
- /* assign the original address to be the current report address */
- memcpy(bda, match_rec->ble.pseudo_addr, BD_ADDR_LEN);
- }
- else
- {
- memcpy(bda, match_rec->bd_addr, BD_ADDR_LEN);
- }
- }
- else
- {
- LOG_INFO(LOG_TAG, "%s unable to match and resolve random address", __func__);
- }
-
- btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
-
- l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
- conn_latency, conn_timeout);
-
- return;
-}
-#endif
-
/*******************************************************************************
**
** Function btm_ble_connected
@@ -1946,7 +1883,7 @@ void btm_ble_connected (UINT8 *bda, UINT16 handle, UINT8 enc_mode, UINT8 role,
void btm_ble_conn_complete(UINT8 *p, UINT16 evt_len, BOOLEAN enhanced)
{
#if (BLE_PRIVACY_SPT == TRUE )
- UINT8 *p_data = p, peer_addr_type;
+ UINT8 peer_addr_type;
BD_ADDR local_rpa, peer_rpa;
#endif
UINT8 role, status, bda_type;
@@ -1974,35 +1911,53 @@ void btm_ble_conn_complete(UINT8 *p, UINT16 evt_len, BOOLEAN enhanced)
STREAM_TO_BDADDR (peer_rpa, p);
}
+ STREAM_TO_UINT16(conn_interval, p);
+ STREAM_TO_UINT16(conn_latency, p);
+ STREAM_TO_UINT16(conn_timeout, p);
+ handle = HCID_GET_HANDLE(handle);
+
/* possiblly receive connection complete with resolvable random while
the device has been paired */
if (!match && BTM_BLE_IS_RESOLVE_BDA(bda))
{
- btm_ble_resolve_random_addr(bda, btm_ble_resolve_random_addr_on_conn_cmpl, p_data);
+ tBTM_SEC_DEV_REC* match_rec = btm_ble_resolve_random_addr(bda);
+ if (match_rec)
+ {
+ LOG_INFO(LOG_TAG, "%s matched and resolved random address", __func__);
+ match = true;
+ match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
+ memcpy(match_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
+ if (!btm_ble_init_pseudo_addr(match_rec, bda))
+ {
+ /* assign the original address to be the current report address */
+ memcpy(bda, match_rec->ble.pseudo_addr, BD_ADDR_LEN);
+ }
+ else
+ {
+ memcpy(bda, match_rec->bd_addr, BD_ADDR_LEN);
+ }
+ }
+ else
+ {
+ LOG_INFO(LOG_TAG, "%s unable to match and resolve random address",
+ __func__);
+ }
}
- else
#endif
- {
- STREAM_TO_UINT16 (conn_interval, p);
- STREAM_TO_UINT16 (conn_latency, p);
- STREAM_TO_UINT16 (conn_timeout, p);
- handle = HCID_GET_HANDLE (handle);
+ btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
- btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
-
- l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
- conn_latency, conn_timeout);
+ l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
+ conn_latency, conn_timeout);
#if (BLE_PRIVACY_SPT == TRUE)
- if (enhanced)
- {
- btm_ble_refresh_local_resolvable_private_addr(bda, local_rpa);
+ if (enhanced)
+ {
+ btm_ble_refresh_local_resolvable_private_addr(bda, local_rpa);
- if (peer_addr_type & BLE_ADDR_TYPE_ID_BIT)
- btm_ble_refresh_peer_resolvable_private_addr(bda, peer_rpa, BLE_ADDR_RANDOM);
- }
-#endif
+ if (peer_addr_type & BLE_ADDR_TYPE_ID_BIT)
+ btm_ble_refresh_peer_resolvable_private_addr(bda, peer_rpa, BLE_ADDR_RANDOM);
}
+#endif
}
else
{
diff --git a/stack/btm/btm_ble_addr.c b/stack/btm/btm_ble_addr.c
index 81fff5349..b389aae5c 100644
--- a/stack/btm/btm_ble_addr.c
+++ b/stack/btm/btm_ble_addr.c
@@ -318,13 +318,13 @@ BOOLEAN btm_ble_addr_resolvable (BD_ADDR rpa, tBTM_SEC_DEV_REC *p_dev_rec)
static BOOLEAN btm_ble_match_random_bda(void *data, void *context)
{
#if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
+ UINT8 *random_bda = (uint8_t*)context;
/* use the 3 MSB of bd address as prand */
- tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
UINT8 rand[3];
- rand[0] = p_mgnt_cb->random_bda[2];
- rand[1] = p_mgnt_cb->random_bda[1];
- rand[2] = p_mgnt_cb->random_bda[0];
+ rand[0] = random_bda[2];
+ rand[1] = random_bda[1];
+ rand[2] = random_bda[0];
BTM_TRACE_EVENT("%s next iteration", __func__);
@@ -356,28 +356,21 @@ static BOOLEAN btm_ble_match_random_bda(void *data, void *context)
** address is matched to.
**
*******************************************************************************/
-void btm_ble_resolve_random_addr(BD_ADDR random_bda, tBTM_BLE_RESOLVE_CBACK * p_cback, void *p)
+tBTM_SEC_DEV_REC* btm_ble_resolve_random_addr(BD_ADDR random_bda)
{
- tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
-
BTM_TRACE_EVENT("%s", __func__);
- if ( !p_mgnt_cb->busy) {
- p_mgnt_cb->p = p;
- p_mgnt_cb->busy = TRUE;
- memcpy(p_mgnt_cb->random_bda, random_bda, BD_ADDR_LEN);
- /* start to resolve random address */
- /* check for next security record */
-
- list_node_t * n = list_foreach(btm_cb.sec_dev_rec, btm_ble_match_random_bda, NULL);
- tBTM_SEC_DEV_REC *p_dev_rec = n ? list_node(n) : NULL;
-
- BTM_TRACE_EVENT("%s: %sresolved", __func__, (p_dev_rec == NULL ? "not " : ""));
- p_mgnt_cb->busy = FALSE;
-
- (*p_cback)(p_dev_rec, p);
- } else {
- (*p_cback)(NULL, p);
- }
+
+ /* start to resolve random address */
+ /* check for next security record */
+
+ list_node_t* n =
+ list_foreach(btm_cb.sec_dev_rec, btm_ble_match_random_bda, random_bda);
+ tBTM_SEC_DEV_REC* p_dev_rec = NULL;
+ if (n != NULL) p_dev_rec = (tBTM_SEC_DEV_REC*)list_node(n);
+
+ BTM_TRACE_EVENT("%s: %sresolved", __func__,
+ (p_dev_rec == NULL ? "not " : ""));
+ return p_dev_rec;
}
#endif
diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
index f8c06342f..fe8ee6d27 100644
--- a/stack/btm/btm_ble_gap.c
+++ b/stack/btm/btm_ble_gap.c
@@ -729,51 +729,6 @@ extern UINT8 BTM_BleMaxMultiAdvInstanceCount(void)
btm_cb.cmn_ble_vsc_cb.adv_inst_max : BTM_BLE_MULTI_ADV_MAX;
}
-#if BLE_PRIVACY_SPT == TRUE
-/*******************************************************************************
-**
-** Function btm_ble_resolve_random_addr_on_adv
-**
-** Description resolve random address complete callback.
-**
-** Returns void
-**
-*******************************************************************************/
-static void btm_ble_resolve_random_addr_on_adv(void * p_rec, void *p)
-{
- tBTM_SEC_DEV_REC *match_rec = (tBTM_SEC_DEV_REC *) p_rec;
- UINT8 addr_type = BLE_ADDR_RANDOM;
- BD_ADDR bda;
- UINT8 *pp = (UINT8 *)p + 1;
- UINT8 evt_type;
-
- BTM_TRACE_EVENT ("btm_ble_resolve_random_addr_on_adv ");
-
- STREAM_TO_UINT8 (evt_type, pp);
- STREAM_TO_UINT8 (addr_type, pp);
- STREAM_TO_BDADDR (bda, pp);
-
- if (match_rec)
- {
- BTM_TRACE_DEBUG("Random match");
- match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
- memcpy(match_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
-
- if (btm_ble_init_pseudo_addr(match_rec, bda))
- {
- memcpy(bda, match_rec->bd_addr, BD_ADDR_LEN);
- } else {
- // Assign the original address to be the current report address
- memcpy(bda, match_rec->ble.pseudo_addr, BD_ADDR_LEN);
- }
- }
-
- btm_ble_process_adv_pkt_cont(bda, addr_type, evt_type, pp);
-
- return;
-}
-#endif
-
/*******************************************************************************
**
** Function BTM_BleLocalPrivacyEnabled
@@ -2766,11 +2721,26 @@ void btm_ble_process_adv_pkt (UINT8 *p_data)
/* always do RRA resolution on host */
if (!match && BTM_BLE_IS_RESOLVE_BDA(bda))
{
- btm_ble_resolve_random_addr(bda, btm_ble_resolve_random_addr_on_adv, p_data);
+ tBTM_SEC_DEV_REC* match_rec = btm_ble_resolve_random_addr(bda);
+ if (match_rec)
+ {
+ BTM_TRACE_DEBUG("Random match");
+ match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
+ memcpy(match_rec->ble.cur_rand_addr, bda, BD_ADDR_LEN);
+
+ if (btm_ble_init_pseudo_addr(match_rec, bda))
+ {
+ memcpy(bda, match_rec->bd_addr, BD_ADDR_LEN);
+ }
+ else
+ {
+ // Assign the original address to be the current report address
+ memcpy(bda, match_rec->ble.pseudo_addr, BD_ADDR_LEN);
+ }
+ }
}
- else
#endif
- btm_ble_process_adv_pkt_cont(bda, addr_type, evt_type, p);
+ btm_ble_process_adv_pkt_cont(bda, addr_type, evt_type, p);
STREAM_TO_UINT8(data_len, p);
diff --git a/stack/btm/btm_ble_int.h b/stack/btm/btm_ble_int.h
index 437503e12..4bcf5a7e9 100644
--- a/stack/btm/btm_ble_int.h
+++ b/stack/btm/btm_ble_int.h
@@ -31,6 +31,7 @@
#include "hcidefs.h"
#include "btm_ble_api.h"
#include "btm_int.h"
+#include "btm_int_types.h"
#if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
#include "smp_api.h"
@@ -132,7 +133,7 @@ extern void btm_ble_dequeue_direct_conn_req(BD_ADDR rem_bda);
/* BLE address management */
extern void btm_gen_resolvable_private_addr (void *p_cmd_cplt_cback);
extern void btm_gen_non_resolvable_private_addr (tBTM_BLE_ADDR_CBACK *p_cback, void *p);
-extern void btm_ble_resolve_random_addr(BD_ADDR random_bda, tBTM_BLE_RESOLVE_CBACK * p_cback, void *p);
+extern tBTM_SEC_DEV_REC* btm_ble_resolve_random_addr(BD_ADDR random_bda);
extern void btm_gen_resolve_paddr_low(tBTM_RAND_ENC *p);
/* privacy function */
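Review bot: `match = true;` in the `btm_ble_conn_complete` hunk assigns a C99 `bool` literal to a variable the surrounding code treats as `BOOLEAN` (the removed callback wrote `match = TRUE`), so the file now mixes the two spellings; use `match = TRUE;` to stay consistent with its neighbours. Dropping the `addr_mgnt_cb.busy` / `random_bda` globals from `btm_ble_resolve_random_addr` does remove a re-entrancy hazard, but the new function hands back a pointer into `btm_cb.sec_dev_rec` that both callers then write through (`match_rec->ble.cur_rand_addr`), so a brief ownership note above the definition would help, e.g. `/* Returns the matching security record, owned by btm_cb.sec_dev_rec; NULL if none. */`. Both `btm_ble_conn_complete` and `btm_ble_process_adv_pkt` begin outside their hunks.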


@ -0,0 +1,298 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jakub Pawlowski <jpawlowski@google.com>
Date: Wed, 7 Dec 2016 10:54:44 -0800
Subject: [PATCH] Simplify LE Advertising Report Event processing
Bug: 30622771
Test: compiliation test
Change-Id: I78ac958b62462dc7aa322336c047670eec6bda0f
---
stack/btm/btm_ble_gap.c | 92 +++++++++++++++++++++-------------------
stack/btm/btm_ble_int.h | 2 +-
stack/btu/btu_hcif.c | 11 +----
stack/include/bt_types.h | 1 +
4 files changed, 53 insertions(+), 53 deletions(-)
diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
index fe8ee6d27..d1fb6238a 100644
--- a/stack/btm/btm_ble_gap.c
+++ b/stack/btm/btm_ble_gap.c
@@ -71,7 +71,8 @@ static tBTM_BLE_CTRL_FEATURES_CBACK *p_ctrl_le_feature_rd_cmpl_cback = NULL;
** Local functions
*******************************************************************************/
static void btm_ble_update_adv_flag(UINT8 flag);
-static void btm_ble_process_adv_pkt_cont(BD_ADDR bda, UINT8 addr_type, UINT8 evt_type, UINT8 *p);
+static void btm_ble_process_adv_pkt_cont(BD_ADDR bda, UINT8 addr_type, UINT8 evt_type,
+ UINT8 data_len, UINT8 *data, INT8 rssi);
UINT8 *btm_ble_build_adv_data(tBTM_BLE_AD_MASK *p_data_mask, UINT8 **p_dst,
tBTM_BLE_ADV_DATA *p_data);
static UINT8 btm_set_conn_mode_adv_init_addr(tBTM_BLE_INQ_CB *p_cb,
@@ -2306,15 +2307,13 @@ BOOLEAN btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p
** Returns void
**
*******************************************************************************/
-UINT8 btm_ble_is_discoverable(BD_ADDR bda, UINT8 evt_type, UINT8 *p)
+UINT8 btm_ble_is_discoverable(BD_ADDR bda, UINT8 evt_type)
{
UINT8 *p_flag, flag = 0, rt = 0;
UINT8 data_len;
tBTM_INQ_PARMS *p_cond = &btm_cb.btm_inq_vars.inqparms;
tBTM_BLE_INQ_CB *p_le_inq_cb = &btm_cb.ble_ctr_cb.inq_var;
- UNUSED(p);
-
/* for observer, always "discoverable */
if (BTM_BLE_IS_OBS_ACTIVE(btm_cb.ble_ctr_cb.scan_activity))
rt |= BTM_BLE_OBS_RESULT;
@@ -2494,32 +2493,27 @@ static void btm_ble_appearance_to_cod(UINT16 appearance, UINT8 *dev_class)
** Returns void
**
*******************************************************************************/
-BOOLEAN btm_ble_update_inq_result(tINQ_DB_ENT *p_i, UINT8 addr_type, UINT8 evt_type, UINT8 *p)
+BOOLEAN btm_ble_update_inq_result(tINQ_DB_ENT *p_i, UINT8 addr_type,
+ UINT8 evt_type, UINT8 data_len,
+ UINT8 *data, INT8 rssi)
{
BOOLEAN to_report = TRUE;
tBTM_INQ_RESULTS *p_cur = &p_i->inq_info.results;
UINT8 len;
UINT8 *p_flag;
tBTM_INQUIRY_VAR_ST *p_inq = &btm_cb.btm_inq_vars;
- UINT8 data_len, rssi;
tBTM_BLE_INQ_CB *p_le_inq_cb = &btm_cb.ble_ctr_cb.inq_var;
- UINT8 *p1;
UINT8 *p_uuid16;
- STREAM_TO_UINT8 (data_len, p);
-
if (data_len > BTM_BLE_ADV_DATA_LEN_MAX)
{
BTM_TRACE_WARNING("EIR data too long %d. discard", data_len);
return FALSE;
}
- if (!btm_ble_cache_adv_data(p_cur, data_len, p, evt_type)) {
+ if (!btm_ble_cache_adv_data(p_cur, data_len, data, evt_type)) {
return FALSE;
}
- p1 = (p + data_len);
- STREAM_TO_UINT8 (rssi, p1);
-
/* Save the info */
p_cur->inq_result_type = BTM_INQ_RESULT_BLE;
p_cur->ble_addr_type = addr_type;
@@ -2529,8 +2523,8 @@ BOOLEAN btm_ble_update_inq_result(tINQ_DB_ENT *p_i, UINT8 addr_type, UINT8 evt_t
if ((btm_cb.ble_ctr_cb.inq_var.scan_type == BTM_BLE_SCAN_MODE_ACTI &&
(evt_type == BTM_BLE_CONNECT_EVT || evt_type == BTM_BLE_DISCOVER_EVT)))
{
- BTM_TRACE_DEBUG("btm_ble_update_inq_result scan_rsp=false, to_report=false,\
- scan_type_active=%d", btm_cb.ble_ctr_cb.inq_var.scan_type);
+ BTM_TRACE_DEBUG("%s: scan_rsp=false, to_report=false, scan_type_active=%d",
+ __func__, btm_cb.ble_ctr_cb.inq_var.scan_type);
p_i->scan_rsp = FALSE;
to_report = FALSE;
}
@@ -2642,9 +2636,11 @@ void btm_clear_all_pending_le_entry(void)
** Returns void
**
*******************************************************************************/
-void btm_send_sel_conn_callback(BD_ADDR remote_bda, UINT8 evt_type, UINT8 *p_data, UINT8 addr_type)
+void btm_send_sel_conn_callback(BD_ADDR remote_bda, UINT8 evt_type,
+ UINT8 data_len, UINT8 *data,
+ UINT8 addr_type)
{
- UINT8 data_len, len;
+ UINT8 len;
UINT8 *p_dev_name, remname[31] = {0};
UNUSED(addr_type);
@@ -2653,15 +2649,13 @@ void btm_send_sel_conn_callback(BD_ADDR remote_bda, UINT8 evt_type, UINT8 *p_dat
(evt_type != BTM_BLE_EVT_CONN_ADV && evt_type != BTM_BLE_EVT_CONN_DIR_ADV))
return;
- STREAM_TO_UINT8 (data_len, p_data);
-
/* get the device name if exist in ADV data */
if (data_len != 0)
{
- p_dev_name = BTM_CheckAdvData(p_data, BTM_BLE_AD_TYPE_NAME_CMPL, &len);
+ p_dev_name = BTM_CheckAdvData(data, BTM_BLE_AD_TYPE_NAME_CMPL, &len);
if (p_dev_name == NULL)
- p_dev_name = BTM_CheckAdvData(p_data, BTM_BLE_AD_TYPE_NAME_SHORT, &len);
+ p_dev_name = BTM_CheckAdvData(data, BTM_BLE_AD_TYPE_NAME_SHORT, &len);
if (p_dev_name)
memcpy(remname, p_dev_name, len);
@@ -2687,16 +2681,12 @@ void btm_send_sel_conn_callback(BD_ADDR remote_bda, UINT8 evt_type, UINT8 *p_dat
** Returns void
**
*******************************************************************************/
-void btm_ble_process_adv_pkt (UINT8 *p_data)
+void btm_ble_process_adv_pkt (UINT8 data_len, UINT8 *data)
{
BD_ADDR bda;
- UINT8 evt_type = 0, *p = p_data;
- UINT8 addr_type = 0;
- UINT8 num_reports;
- UINT8 data_len;
-#if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE)
- BOOLEAN match = FALSE;
-#endif
+ UINT8 *p = data;
+ UINT8 evt_type, addr_type, num_reports, pkt_data_len;
+ INT8 rssi;
/* Only process the results if the inquiry is still active */
if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity))
@@ -2707,17 +2697,35 @@ void btm_ble_process_adv_pkt (UINT8 *p_data)
while (num_reports--)
{
+ if (p > data + data_len)
+ {
+ // TODO(jpawlowski): we should crash the stack here
+ BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller");
+ return;
+ }
+
/* Extract inquiry results */
STREAM_TO_UINT8 (evt_type, p);
STREAM_TO_UINT8 (addr_type, p);
STREAM_TO_BDADDR (bda, p);
+ STREAM_TO_UINT8 (pkt_data_len, p);
+
+ UINT8 *pkt_data = p;
+ p += pkt_data_len; /* Advance to the the rssi byte */
+
+ STREAM_TO_INT8(rssi, p);
+
+ if (rssi >= 21 && rssi <= 126) {
+ BTM_TRACE_ERROR("%s: bad rssi value in advertising report: ", __func__,
+ pkt_data_len, rssi);
+ }
#if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE)
/* map address to security record */
- match = btm_identity_addr_to_random_pseudo(bda, &addr_type, FALSE);
+ bool match = btm_identity_addr_to_random_pseudo(bda, &addr_type, FALSE);
- BTM_TRACE_DEBUG("btm_ble_process_adv_pkt:bda= %0x:%0x:%0x:%0x:%0x:%0x",
- bda[0],bda[1],bda[2],bda[3],bda[4],bda[5]);
+ BTM_TRACE_DEBUG("%s: bda= %0x:%0x:%0x:%0x:%0x:%0x", __func__, bda[0],
+ bda[1], bda[2], bda[3], bda[4], bda[5]);
/* always do RRA resolution on host */
if (!match && BTM_BLE_IS_RESOLVE_BDA(bda))
{
@@ -2740,12 +2748,8 @@ void btm_ble_process_adv_pkt (UINT8 *p_data)
}
}
#endif
- btm_ble_process_adv_pkt_cont(bda, addr_type, evt_type, p);
-
- STREAM_TO_UINT8(data_len, p);
-
- /* Advance to the next event data_len + rssi byte */
- p += data_len + 1;
+ btm_ble_process_adv_pkt_cont(bda, addr_type, evt_type, pkt_data_len,
+ pkt_data, rssi);
}
}
@@ -2761,7 +2765,9 @@ void btm_ble_process_adv_pkt (UINT8 *p_data)
** Returns void
**
*******************************************************************************/
-static void btm_ble_process_adv_pkt_cont(BD_ADDR bda, UINT8 addr_type, UINT8 evt_type, UINT8 *p)
+static void btm_ble_process_adv_pkt_cont(BD_ADDR bda, UINT8 addr_type,
+ UINT8 evt_type, UINT8 data_len,
+ UINT8 *data, INT8 rssi)
{
tINQ_DB_ENT *p_i;
tBTM_INQUIRY_VAR_ST *p_inq = &btm_cb.btm_inq_vars;
@@ -2809,12 +2815,12 @@ static void btm_ble_process_adv_pkt_cont(BD_ADDR bda, UINT8 addr_type, UINT8 evt
p_inq->inq_cmpl_info.num_resp++;
}
/* update the LE device information in inquiry database */
- if (!btm_ble_update_inq_result(p_i, addr_type, evt_type, p))
+ if (!btm_ble_update_inq_result(p_i, addr_type, evt_type, data_len, data, rssi))
return;
- if ((result = btm_ble_is_discoverable(bda, evt_type, p)) == 0)
+ if ((result = btm_ble_is_discoverable(bda, evt_type)) == 0)
{
- LOG_WARN(LOG_TAG, "%s device is no longer discoverable so discarding advertising packet pkt",
+ LOG_WARN(LOG_TAG, "%s device no longer discoverable, discarding advertising packet",
__func__);
return;
}
@@ -2847,7 +2853,7 @@ static void btm_ble_process_adv_pkt_cont(BD_ADDR bda, UINT8 addr_type, UINT8 evt
if (btm_cb.ble_ctr_cb.bg_conn_type == BTM_BLE_CONN_SELECTIVE)
{
if (result & BTM_BLE_SEL_CONN_RESULT)
- btm_send_sel_conn_callback(bda, evt_type, p, addr_type);
+ btm_send_sel_conn_callback(bda, evt_type, data_len, data, addr_type);
else
{
BTM_TRACE_DEBUG("None LE device, can not initiate selective connection");
diff --git a/stack/btm/btm_ble_int.h b/stack/btm/btm_ble_int.h
index 4bcf5a7e9..98b801981 100644
--- a/stack/btm/btm_ble_int.h
+++ b/stack/btm/btm_ble_int.h
@@ -45,7 +45,7 @@ extern "C" {
extern void btm_ble_adv_raddr_timer_timeout(void *data);
extern void btm_ble_refresh_raddr_timer_timeout(void *data);
-extern void btm_ble_process_adv_pkt (UINT8 *p);
+extern void btm_ble_process_adv_pkt (UINT8 len, UINT8 *p);
extern void btm_ble_proc_scan_rsp_rpt (UINT8 *p);
extern tBTM_STATUS btm_ble_read_remote_name(BD_ADDR remote_bda, tBTM_INQ_INFO *p_cur, tBTM_CMPL_CB *p_cb);
extern BOOLEAN btm_ble_cancel_remote_name(BD_ADDR remote_bda);
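Review bot: `len` is declared UINT8 here, while the only caller this commit introduces passes `hci_evt_len - 1` (the `case HCI_BLE_ADV_PKT_RPT_EVT` hunk in btu_hcif.c), and hci_evt_len is handed to a UINT16 parameter two lines below that call, so the subtraction is done in the wider type and narrowed at the call. If hci_evt_len can still be 0 at that point — I cannot see whether the dispatcher already rejects that before reading the sub-event code — the argument becomes 255 and the `data_len < bytes_to_process` checks added later in this commit compare against a length the event does not have. Either guard the call site, `if (hci_evt_len < 1) break;`, or widen this prototype and its definition to `UINT16 len` so the value arrives untruncated.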
diff --git a/stack/btu/btu_hcif.c b/stack/btu/btu_hcif.c
index eacf145bf..4851e53ad 100644
--- a/stack/btu/btu_hcif.c
+++ b/stack/btu/btu_hcif.c
@@ -115,7 +115,6 @@ static void btu_hcif_ssr_evt (UINT8 *p, UINT16 evt_len);
#if BLE_INCLUDED == TRUE
static void btu_ble_ll_conn_complete_evt (UINT8 *p, UINT16 evt_len);
-static void btu_ble_process_adv_pkt (UINT8 *p);
static void btu_ble_read_remote_feat_evt (UINT8 *p);
static void btu_ble_ll_conn_param_upd_evt (UINT8 *p, UINT16 evt_len);
static void btu_ble_proc_ltk_req (UINT8 *p);
@@ -308,7 +307,8 @@ void btu_hcif_process_event (UNUSED_ATTR UINT8 controller_id, BT_HDR *p_msg)
switch (ble_sub_code)
{
case HCI_BLE_ADV_PKT_RPT_EVT: /* result of inquiry */
- btu_ble_process_adv_pkt(p);
+ HCI_TRACE_EVENT("HCI_BLE_ADV_PKT_RPT_EVT");
+ btm_ble_process_adv_pkt(hci_evt_len - 1, p);
break;
case HCI_BLE_CONN_COMPLETE_EVT:
btu_ble_ll_conn_complete_evt(p, hci_evt_len);
@@ -1733,13 +1733,6 @@ static void btu_hcif_encryption_key_refresh_cmpl_evt (UINT8 *p)
}
}
-static void btu_ble_process_adv_pkt (UINT8 *p)
-{
- HCI_TRACE_EVENT("btu_ble_process_adv_pkt");
-
- btm_ble_process_adv_pkt(p);
-}
-
static void btu_ble_ll_conn_complete_evt ( UINT8 *p, UINT16 evt_len)
{
btm_ble_conn_complete(p, evt_len, FALSE);
diff --git a/stack/include/bt_types.h b/stack/include/bt_types.h
index ebc1e00f1..4cfd6f39d 100644
--- a/stack/include/bt_types.h
+++ b/stack/include/bt_types.h
@@ -250,6 +250,7 @@ typedef struct
#define ARRAY_TO_STREAM(p, a, len) {register int ijk; for (ijk = 0; ijk < len; ijk++) *(p)++ = (UINT8) a[ijk];}
#define REVERSE_ARRAY_TO_STREAM(p, a, len) {register int ijk; for (ijk = 0; ijk < len; ijk++) *(p)++ = (UINT8) a[len - 1 - ijk];}
+#define STREAM_TO_INT8(u8, p) {u8 = (*((INT8*)p)); (p) += 1;}
#define STREAM_TO_UINT8(u8, p) {u8 = (UINT8)(*(p)); (p) += 1;}
#define STREAM_TO_UINT16(u16, p) {u16 = ((UINT16)(*(p)) + (((UINT16)(*((p) + 1))) << 8)); (p) += 2;}
#define STREAM_TO_UINT24(u32, p) {u32 = (((UINT32)(*(p))) + ((((UINT32)(*((p) + 1)))) << 8) + ((((UINT32)(*((p) + 2)))) << 16) ); (p) += 3;}
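Review bot: The new STREAM_TO_INT8 dereferences `(INT8*)p` without parenthesizing the macro argument, whereas the neighbouring STREAM_TO_UINT8 uses `(*(p))`; an argument that is an expression rather than a plain identifier would bind differently in the cast than in the `(p) += 1` that follows. Mirroring the sibling macro keeps the two consistent: `#define STREAM_TO_INT8(u8, p) {u8 = (INT8)(*(p)); (p) += 1;}`.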


@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jakub Pawlowski <jpawlowski@google.com>
Date: Wed, 21 Mar 2018 17:13:36 -0700
Subject: [PATCH] LE Advertising Report parsing enhancements
Reject invalid data length for advertisement data.
Also, don't attempt to resolve anonymous advertising addresses.
Test: LE scanning tests
Bug: 73193883
Change-Id: I1cb330bc30fdcaebc86527cd2656c9dd7932b318
---
stack/btm/btm_ble_gap.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
index d1fb6238a..a758f991f 100644
--- a/stack/btm/btm_ble_gap.c
+++ b/stack/btm/btm_ble_gap.c
@@ -2712,6 +2712,11 @@ void btm_ble_process_adv_pkt (UINT8 data_len, UINT8 *data)
UINT8 *pkt_data = p;
p += pkt_data_len; /* Advance to the the rssi byte */
+ if (p > data + data_len - sizeof(rssi))
+ {
+ BTM_TRACE_ERROR("Invalid pkt_data_len: %d", pkt_data_len);
+ return;
+ }
STREAM_TO_INT8(rssi, p);


@ -0,0 +1,91 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Tue, 23 May 2023 23:23:11 +0000
Subject: [PATCH] Fix some OOB errors in BTM parsing
Some HCI BLE events are missing bounds checks, leading to possible OOB
access. Add the appropriate bounds checks on the packets.
Bug: 279169188
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)
Merged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
Change-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
---
stack/btm/btm_ble_gap.c | 25 ++++++++++++++++++-------
stack/btu/btu_hcif.c | 7 +++++++
2 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
index a758f991f..591034ddf 100644
--- a/stack/btm/btm_ble_gap.c
+++ b/stack/btm/btm_ble_gap.c
@@ -2687,20 +2687,28 @@ void btm_ble_process_adv_pkt (UINT8 data_len, UINT8 *data)
UINT8 *p = data;
UINT8 evt_type, addr_type, num_reports, pkt_data_len;
INT8 rssi;
+ size_t bytes_to_process;
/* Only process the results if the inquiry is still active */
if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity))
return;
+ bytes_to_process = 1;
+
+ if (data_len < bytes_to_process) {
+ BTM_TRACE_ERROR("Malformed LE advertising packet: not enough room for num reports");
+ return;
+ }
+
/* Extract the number of reports in this event. */
STREAM_TO_UINT8(num_reports, p);
while (num_reports--)
{
- if (p > data + data_len)
- {
- // TODO(jpawlowski): we should crash the stack here
- BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller");
+ bytes_to_process += 9;
+
+ if (data_len < bytes_to_process) {
+ BTM_TRACE_ERROR("Malformed LE advertising packet: not enough room for metadata");
return;
}
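Review bot: `bytes_to_process += 9;` is a bare constant with no explanation of what the nine bytes are; the reads it covers sit between this hunk and the next one, so the reader has to reconstruct them. Presumably they are evt_type (1), addr_type (1), the 6-byte bda and pkt_data_len (1), which matches the locals declared at the top of the function; a comment such as `/* evt_type(1) + addr_type(1) + bda(6) + pkt_data_len(1) */` next to the increment would make the check auditable at a glance, and the later `+= pkt_data_len + 1` already does this for the data and RSSI. The enclosing function continues past the end of this hunk.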
@@ -2712,9 +2720,12 @@ void btm_ble_process_adv_pkt (UINT8 data_len, UINT8 *data)
UINT8 *pkt_data = p;
p += pkt_data_len; /* Advance to the the rssi byte */
- if (p > data + data_len - sizeof(rssi))
- {
- BTM_TRACE_ERROR("Invalid pkt_data_len: %d", pkt_data_len);
+
+ // include rssi for this check
+ bytes_to_process += pkt_data_len + 1;
+ if (data_len < bytes_to_process) {
+ BTM_TRACE_ERROR("Malformed LE advertising packet: not enough room for "
+ "packet data and/or RSSI");
return;
}
diff --git a/stack/btu/btu_hcif.c b/stack/btu/btu_hcif.c
index 4851e53ad..6a219b4c7 100644
--- a/stack/btu/btu_hcif.c
+++ b/stack/btu/btu_hcif.c
@@ -1794,6 +1794,13 @@ static void btu_ble_data_length_change_evt(UINT8 *p, UINT16 evt_len)
return;
}
+ // 2 bytes each for handle, tx_data_len, TxTimer, rx_data_len
+ if (evt_len < 8)
+ {
+ LOG_ERROR(LOG_TAG, "Event packet too short");
+ return;
+ }
+
STREAM_TO_UINT16(handle, p);
STREAM_TO_UINT16(tx_data_len, p);
p += 2; /* Skip the TxTimer */
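Review bot: The new short-packet log reports neither the function nor the offending length, unlike the other diagnostics in this commit which prefix `%s` with `__func__`; when a malformed event is dropped, the log is the only trace a defender gets, so the value matters. I would change the message to `LOG_ERROR(LOG_TAG, "%s: event packet too short: %d", __func__, evt_len);`. The surrounding function btu_ble_data_length_change_evt starts before this hunk.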


@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
awk -i inplace '!/Exchange2/' target/product/core.mk;
sed -i 's/2021-06-05/2023-12-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-12 #XXX
sed -i 's/2021-06-05/2024-01-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-01 #XXX
fi;
if enterAndClear "device/qcom/sepolicy"; then
@ -243,6 +243,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/376458.patch"; #n-asb-2023-12 D
applyPatch "$DOS_PATCHES/android_frameworks_base/376459.patch"; #n-asb-2023-12 Validate userId when publishing shortcuts
applyPatch "$DOS_PATCHES/android_frameworks_base/376460.patch"; #n-asb-2023-12 Adding in verification of calling UID in onShellCommand
applyPatch "$DOS_PATCHES/android_frameworks_base/377939.patch"; #n-asb-2023-12 Require permission to unlock keyguard
applyPatch "$DOS_PATCHES/android_frameworks_base/378954.patch"; #n-asb-2024-01 Truncate user data to a limit of 500 characters
applyPatch "$DOS_PATCHES/android_frameworks_base/378955.patch"; #n-asb-2024-01 Fix vulnerability that allowed attackers to start arbitary activities
applyPatch "$DOS_PATCHES/android_frameworks_base/378956.patch"; #n-asb-2024-01 Fix ActivityManager#killBackgroundProcesses permissions
git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@ -531,6 +534,11 @@ applyPatch "$DOS_PATCHES/android_system_bt/376465.patch"; #n-asb-2023-12 Reject
applyPatch "$DOS_PATCHES/android_system_bt/376466.patch"; #n-asb-2023-12 Reorganize the code for checking auth requirement
applyPatch "$DOS_PATCHES/android_system_bt/376467.patch"; #n-asb-2023-12 Enforce authentication if encryption is required
applyPatch "$DOS_PATCHES/android_system_bt/376468.patch"; #n-asb-2023-12 Fix timing attack in BTM_BleVerifySignature
applyPatch "$DOS_PATCHES/android_system_bt/378957.patch"; #n-asb-2024-01 Separate the definition of BTM layer types from control blocks
applyPatch "$DOS_PATCHES/android_system_bt/378958.patch"; #n-asb-2024-01 Simplify btm_ble_resolve_random_addr
applyPatch "$DOS_PATCHES/android_system_bt/378959.patch"; #n-asb-2024-01 Simplify LE Advertising Report Event processing
applyPatch "$DOS_PATCHES/android_system_bt/378960.patch"; #n-asb-2024-01 LE Advertising Report parsing enhancements
applyPatch "$DOS_PATCHES/android_system_bt/378961.patch"; #n-asb-2024-01 Fix some OOB errors in BTM parsing
applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)