17.1 December ASB work

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2023-12-11 19:26:24 -05:00
parent ba1e29a1b1
commit f18fb48d8a
No known key found for this signature in database
GPG key ID: B286E9F57A07424B
35 changed files with 1853 additions and 8 deletions

View file

@ -72,10 +72,10 @@ index 214feebcb..9bd85aa13 100644
{"initNative", "()V", (void*)initNative},
{"sendMediaUpdateNative", "(ZZZ)V", (void*)sendMediaUpdateNative},
diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
index 55b391c56..ea1eeeb73 100644
index aa0a13d46..997ac5a29 100644
--- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
+++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
@@ -1238,7 +1238,7 @@ static jbyteArray obfuscateAddressNative(JNIEnv* env, jobject obj,
@@ -1239,7 +1239,7 @@ static jbyteArray obfuscateAddressNative(JNIEnv* env, jobject obj,
return output_bytes;
}

View file

@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Thu, 5 Oct 2023 00:01:03 +0000
Subject: [PATCH] Fix UAF in ~CallbackEnv
com_android_bluetooth_btservice_AdapterService does not null its local
JNI environment variable after detaching the thread (which frees the
environment context), allowing UAF under certain conditions.
Null the variable in this case.
Testing here was done through a custom unit test; see patchsets 4-6 for
contents. However, unit testing of the JNI layer is problematic in
production, so that part of the patch is omitted for final merge.
Bug: 291500341
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f543d919c4067f2f4925580fd8a690ba3440e80)
Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030
Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
---
jni/com_android_bluetooth_btservice_AdapterService.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
index 55b391c56..aa0a13d46 100644
--- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
+++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
@@ -404,6 +404,7 @@ static void callback_thread_event(bt_cb_thread_evt event) {
return;
}
vm->DetachCurrentThread();
+ callbackEnv = NULL;
}
}