15.1 February ASB work + Picks

Signed-off-by: Tad <tad@spotco.us>
2025-08-03 20:04:21 -04:00 · 2023-02-19 12:43:13 -05:00 · 2023-02-19 12:43:13 -05:00 · b2913e8170
commit b2913e8170
parent 2993b459f0
11 changed files with 334 additions and 2 deletions
--- a/Patches/LineageOS-15.1/android_system_bt/349334-backport.patch
+++ b/Patches/LineageOS-15.1/android_system_bt/349334-backport.patch
@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Fri, 2 Dec 2022 00:41:24 +0000
+Subject: [PATCH] Report failure when not able to connect to AVRCP
+
+A crash may occur when creating a bluetooth AVRCP connection to a
+device.
+
+The code fails to check a return value from an AVRCP function
+being used to index into an array. The return value may exceed the
+size of the array causing memory outside the bounds of the array to be
+accessed leading to memory corruption and a crash.
+
+The fix is to ensure the return value is within the bounds of the
+array before accessing the array contents. If the return value is
+not within the bounds of the array report it as a failure to the
+bluetooth stack.
+
+This change is relevant for android automotive because the IVI
+(in-vehicle infotainment system) acts as the an AVRCP controller
+which still executes this code.
+
+Note: this is a backport of b/214569798, inducted as a non-security
+issue.  Per b/226927612 it has been found to have security impact
+and should be backported to earlier branches.
+
+Bug: 226927612
+Test: Manual - set return value to be out of bounds, verify no crash
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I03f89f894c759b85e555a024435b625397ef7e5c
+Merged-In: I03f89f894c759b85e555a024435b625397ef7e5c
+(cherry picked from commit 86112bf0535f3f5a4c6a0a137e67b0eebd9bbdf5)
+Merged-In: I03f89f894c759b85e555a024435b625397ef7e5c
+---
+ bta/av/bta_av_act.cc | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
+index 541d68303..2043b75cf 100644
+--- a/bta/av/bta_av_act.cc
+++ b/bta/av/bta_av_act.cc
+@@ -1826,7 +1826,21 @@ void bta_av_rc_disc_done(UNUSED_ATTR tBTA_AV_DATA* p_data) {
+         if (p_lcb) {
+           rc_handle = bta_av_rc_create(p_cb, AVCT_INT,
+                                        (uint8_t)(p_scb->hdi + 1), p_lcb->lidx);
+-          p_cb->rcb[rc_handle].peer_features = peer_features;
+          if (rc_handle < BTA_AV_NUM_RCB) {
+            p_cb->rcb[rc_handle].peer_features = peer_features;
+          } else {
+            /* cannot create valid rc_handle for current device. report failure
+             */
+            APPL_TRACE_ERROR("%s: no link resources available", __func__);
+            p_scb->use_rc = false;
+            tBTA_AV_RC_OPEN rc_open;
+            rc_open.peer_addr = p_scb->PeerAddress();
+            rc_open.peer_features = 0;
+            rc_open.status = BTA_AV_FAIL_RESOURCES;
+            tBTA_AV bta_av_data;
+            bta_av_data.rc_open = rc_open;
+            (*p_cb->p_cback)(BTA_AV_RC_OPEN_EVT, &bta_av_data);
+          }
+         } else {
+           APPL_TRACE_ERROR("can not find LCB!!");
+         }
--- a/Patches/LineageOS-15.1/android_system_bt/349335.patch
+++ b/Patches/LineageOS-15.1/android_system_bt/349335.patch
@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 27 Sep 2022 22:05:08 +0000
+Subject: [PATCH] Add bounds check in avdt_scb_act.cc
+
+Bug: 242535997
+Test: BT unit tests, validated against researcher POC
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4
+(cherry picked from commit eca4a3cdb0da240496341f546a57397434ec85dd)
+Merged-In: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4
+---
+ stack/avdt/avdt_scb_act.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
+index 5e0e98d80..ea9c0bceb 100644
+--- a/stack/avdt/avdt_scb_act.cc
+++ b/stack/avdt/avdt_scb_act.cc
+@@ -957,6 +957,11 @@ void avdt_scb_hdl_write_req(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) {
+ 
+   /* Build a media packet, and add an RTP header if required. */
+   if (add_rtp_header) {
+    if (p_data->apiwrite.p_buf->offset < AVDT_MEDIA_HDR_SIZE) {
+      android_errorWriteWithInfoLog(0x534e4554, "242535997", -1, NULL, 0);
+      return;
+    }
+
+     ssrc = avdt_scb_gen_ssrc(p_scb);
+ 
+     p_data->apiwrite.p_buf->len += AVDT_MEDIA_HDR_SIZE;