15.1: December 2024 ASB work

Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
Tavi 2024-12-17 07:53:05 -05:00
parent 8a0e26b791
commit d8d0c47a60
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
6 changed files with 244 additions and 1 deletions

View File

@ -0,0 +1,48 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ben Wagner <bungeman@google.com>
Date: Mon, 12 Aug 2024 15:00:08 -0400
Subject: [PATCH] Bounds check in skia_alloc_func
The allocator callback for zlib needs to check that items * size will
fit in size_t and return nullptr if not.
Conflicts:
- src/pdf/SkDeflate.cpp: just in header includes
Bug: 349678452
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/888996
Commit-Queue: Ben Wagner <bungeman@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:94b46e52960ec84a69304ea058fd928e3de6fa56)
Merged-In: Id1a30592d435bd0de4630e7047f26b0dc17654fc
Change-Id: Id1a30592d435bd0de4630e7047f26b0dc17654fc
---
src/pdf/SkDeflate.cpp | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/pdf/SkDeflate.cpp b/src/pdf/SkDeflate.cpp
index 6952ec4f11..8ae2102c0e 100644
--- a/src/pdf/SkDeflate.cpp
+++ b/src/pdf/SkDeflate.cpp
@@ -10,6 +10,7 @@
#include "SkDeflate.h"
#include "SkMakeUnique.h"
#include "SkMalloc.h"
+#include "SkTFitsIn.h"
#include "SkTraceEvent.h"
#include "zlib.h"
@@ -19,6 +20,13 @@ namespace {
// Different zlib implementations use different T.
// We've seen size_t and unsigned.
template <typename T> void* skia_alloc_func(void*, T items, T size) {
+ if (!SkTFitsIn<size_t>(size)) {
+ return nullptr;
+ }
+ const size_t maxItems = SIZE_MAX / size;
+ if (maxItems < items) {
+ return nullptr;
+ }
return sk_calloc_throw(SkToSizeT(items) * SkToSizeT(size));
}

View File

@ -0,0 +1,37 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Osman <brianosman@google.com>
Date: Thu, 29 Aug 2024 12:47:48 -0400
Subject: [PATCH] RESTRICT AUTOMERGE: Check for size overflow before allocating
SkMask data
Bug: 352631932
Test: N/A -- not reproducible / speculative fix
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894478
Commit-Queue: Ben Wagner <bungeman@google.com>
Reviewed-by: Ben Wagner <bungeman@google.com>
Auto-Submit: Brian Osman <brianosman@google.com>
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fa94ff39bee75fe3a4abf061c09b972e2ffd0fa)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbf6a5953623cdb0ef200bcba00bc43986b16c91)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a96bda269af74d90cf3993c4429ce9e673a5fc36)
Merged-In: I74c081a7b849f13194ec7807b7a748d1919c1bb2
Change-Id: I74c081a7b849f13194ec7807b7a748d1919c1bb2
Change-Id: I4e5330532e3981a15f6eee8e65fe74e7da50f719
---
src/effects/SkBlurMaskFilter.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/effects/SkBlurMaskFilter.cpp b/src/effects/SkBlurMaskFilter.cpp
index d85160e651..11475f9c39 100644
--- a/src/effects/SkBlurMaskFilter.cpp
+++ b/src/effects/SkBlurMaskFilter.cpp
@@ -345,6 +345,9 @@ static bool prepare_to_draw_into_mask(const SkRect& bounds, SkMask* mask) {
mask->fRowBytes = SkAlign4(mask->fBounds.width());
mask->fFormat = SkMask::kA8_Format;
const size_t size = mask->computeImageSize();
+ if (size == 0) {
+ return false;
+ }
mask->fImage = SkMask::AllocImage(size);
if (nullptr == mask->fImage) {
return false;

View File

@ -0,0 +1,44 @@
From 9f73a10e0bd1ac2f6d8e3fe612fb9ff2f1839d63 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Mon, 8 Jul 2024 22:42:18 +0000
Subject: [PATCH] [BACKPORT] Fix OOB write in build_read_multi_rsp of
gatt_sr.cc
build_read_multi_rsp is missing a bounds check, which can lead to an
OOB write when the mtu parameter is set to zero.
Add that bounds check.
Bug: 323850943
Test: atest GattSrTest
Test: researcher POC
Tag: #security
Flag: EXEMPT trivial validity checks
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c177fdbd6189a114239e11e2713740b5a50624e1)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f7171d31e247e3367b302374a3a0cf671f50ffcd)
Merged-In: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
Change-Id: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
---
stack/gatt/gatt_sr.cc | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
index 252732c739..9a875d742d 100644
--- a/stack/gatt/gatt_sr.cc
+++ b/stack/gatt/gatt_sr.cc
@@ -136,6 +136,14 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
/* Wait till we get all the responses */
if (fixed_queue_length(p_cmd->multi_rsp_q) ==
p_cmd->multi_req.num_handles) {
+
+ // We need at least one extra byte for the opcode
+ if (mtu == 0) {
+ LOG(ERROR) << "Invalid MTU";
+ p_cmd->status = GATT_ILLEGAL_PARAMETER;
+ return (true);
+ }
+
len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
p_buf = (BT_HDR*)osi_calloc(len);
p_buf->offset = L2CAP_MIN_OFFSET;

View File

@ -0,0 +1,72 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Thu, 27 Jul 2023 04:09:04 +0000
Subject: [PATCH] Fix an integer underflow in build_read_multi_rsp
This is a backport of Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
to sc-dev
Bug: 273874525
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d5f27984f4ca265f28a4adf5835b0198a3e19aed)
Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
---
stack/gatt/gatt_sr.cc | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
index 28e7d3415..e80070b05 100644
--- a/stack/gatt/gatt_sr.cc
+++ b/stack/gatt/gatt_sr.cc
@@ -23,6 +23,7 @@
******************************************************************************/
#include <log/log.h>
+#include <algorithm>
#include "bt_target.h"
#include "bt_utils.h"
#include "osi/include/osi.h"
@@ -170,9 +171,21 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
}
if (p_rsp != NULL) {
- total_len = (p_buf->len + p_rsp->attr_value.len);
+ total_len = p_buf->len;
if (total_len > mtu) {
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
+ break;
+ }
+
+ len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
+
+ if (len == 0) {
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
+ break;
+ }
+
+ if (len < p_rsp->attr_value.len) {
/* just send the partial response for the overflow case */
len = p_rsp->attr_value.len - (total_len - mtu);
is_overflow = true;
@@ -184,15 +197,8 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
}
if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
- // check for possible integer overflow
- if (p_buf->len + len <= UINT16_MAX) {
- memcpy(p, p_rsp->attr_value.value, len);
- if (!is_overflow) p += len;
- p_buf->len += len;
- } else {
- p_cmd->status = GATT_NOT_FOUND;
- break;
- }
+ ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);
+ p_buf->len += (uint16_t) len;
} else {
p_cmd->status = GATT_NOT_FOUND;
break;

View File

@ -0,0 +1,37 @@
From 425cc51af8d1662dacab60330628a6adfd1a404f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Paw=C5=82owski?= <jpawlowski@google.com>
Date: Thu, 1 Aug 2024 14:12:58 +0000
Subject: [PATCH] [BACKPORT] Fix "GATT Read Multiple Variable Response" builder
0 length value is perfectly fine, and should result in just length
added into the packet.
Currently, for 0 length value we just break out of loop, and don't add
any value.
This means, that if first characetristic in response had 0 length, we
would return empty packet.
Ignore-AOSP-First: security fix
Test: mma -j32;
Bug: 352696105
Bug: 356886209
Flag: exempt, obvious logic fix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:167573989a2a11a71af1289615692c360c14bddf)
Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
---
stack/gatt/gatt_sr.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
index c0c1486af0..d94221682d 100644
--- a/stack/gatt/gatt_sr.cc
+++ b/stack/gatt/gatt_sr.cc
@@ -180,7 +180,7 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
- if (len == 0) {
+ if (total_len == mtu && p_rsp->attr_value.len > 0) {
VLOG(1) << "Buffer space not enough for this data item, skipping";
break;
}

View File

@ -76,7 +76,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
sed -i 's/2021-10-05/2024-11-05/' core/version_defaults.mk; #Bump Security String #XXX
sed -i 's/2021-10-05/2024-12-05/' core/version_defaults.mk; #Bump Security String #XXX
fi;
if enterAndClear "build/soong"; then
@ -156,6 +156,8 @@ fi;
if enterAndClear "external/skia"; then
applyPatch "$DOS_PATCHES/android_external_skia/408506.patch"; #P_asb_2024-11 Avoid potential overflow when allocating 3D mask from emboss filter
applyPatch "$DOS_PATCHES/android_external_skia/410675-backport.patch"; #n-asb-2024-12 [pdf] Bounds check in skia_alloc_func
applyPatch "$DOS_PATCHES/android_external_skia/410676-backport.patch"; #n-asb-2024-12 Check for size overflow before allocating SkMask data
fi;
if enterAndClear "external/sonivox"; then
@ -574,6 +576,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/385677.patch"; #P_asb_2024-03 Reland:
applyPatch "$DOS_PATCHES/android_system_bt/385678.patch"; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
applyPatch "$DOS_PATCHES/android_system_bt/397596.patch"; #P_asb_2024-07 Fix an authentication bypass bug in SMP
applyPatch "$DOS_PATCHES/android_system_bt/399772-backport.patch"; #P_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc #XXX
applyPatch "$DOS_PATCHES/android_system_bt/411488.patch"; #R_asb_2024-12 Fix OOB write in build_read_multi_rsp of gatt_sr.cc
applyPatch "$DOS_PATCHES/android_system_bt/411489-backport.patch"; #R_asb_2024-12 Fix an integer underflow in build_read_multi_rsp
applyPatch "$DOS_PATCHES/android_system_bt/411490.patch"; #R_asb_2024-12 Fix "GATT Read Multiple Variable Response" builder
fi;
if enterAndClear "system/ca-certificates"; then