DivestOS/Patches/LineageOS-16.0/android_system_bt/366135.patch
Tavi 082bc48c32
16.0: Import and verify picks
https://review.lineageos.org/q/topic:P_asb_2022-05
https://review.lineageos.org/q/topic:P_asb_2022-06
https://review.lineageos.org/q/topic:P_asb_2022-07
https://review.lineageos.org/q/topic:P_asb_2022-08
https://review.lineageos.org/q/topic:P_asb_2022-09
https://review.lineageos.org/q/topic:P_asb_2022-10
https://review.lineageos.org/q/topic:P_asb_2022-11
https://review.lineageos.org/q/topic:P_asb_2022-12
https://review.lineageos.org/q/topic:P_asb_2023-01
https://review.lineageos.org/q/topic:P_asb_2023-02
https://review.lineageos.org/q/topic:P_asb_2023-03
https://review.lineageos.org/q/topic:P_asb_2023-04
https://review.lineageos.org/q/topic:P_asb_2023-05
https://review.lineageos.org/q/topic:P_asb_2023-06
https://review.lineageos.org/q/topic:P_asb_2023-07
	accounted for via manifest change:
	https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250
https://review.lineageos.org/q/topic:P_asb_2023-08
	accounted for via manifest change:
	https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606
	accounted for via patches:
	https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328
https://review.lineageos.org/q/topic:P_asb_2023-09
https://review.lineageos.org/q/topic:P_asb_2023-10
https://review.lineageos.org/q/topic:P_asb_2023-11
	accounted for via patches:
	https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916
https://review.lineageos.org/q/topic:P_asb_2023-12
https://review.lineageos.org/q/topic:P_asb_2024-01
https://review.lineageos.org/q/topic:P_asb_2024-02
https://review.lineageos.org/q/topic:P_asb_2024-03
https://review.lineageos.org/q/topic:P_asb_2024-04

Signed-off-by: Tavi <tavi@divested.dev>
2024-05-07 19:43:19 -04:00

45 lines
1.7 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Thu, 1 Jun 2023 23:57:58 +0000
Subject: [PATCH] Fix UAF in gatt_cl.cc
gatt_cl.cc accesses a header field after the buffer holding it may have
been freed.
Track the relevant state as a local variable instead.
Bug: 274617156
Test: atest: bluetooth, validated against fuzzer
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7a7f7f3311202065de4b2c17b49994053dd1244)
Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
---
stack/gatt/gatt_cl.cc | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index 16a7171f6..5e4837020 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -586,12 +586,17 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
memcpy(value.value, p, value.len);
+ bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);
+
if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) {
gatt_send_prepare_write(tcb, p_clcb);
return;
}
- if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {
+ // We now know that we have not terminated, or else we would have returned
+ // early. We free the buffer only if the subtype is not equal to
+ // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF.
+ if (subtype_is_write_prepare) {
/* application should verify handle offset
and value are matched or not */
gatt_end_operation(p_clcb, p_clcb->status, &value);