mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-14 18:34:30 -05:00
59bf3b75c7
https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/353117 https://review.lineageos.org/q/topic:Q_asb_2023-03 https://review.lineageos.org/q/topic:Q_asb_2023-04 https://review.lineageos.org/q/topic:Q_asb_2023-05 https://review.lineageos.org/q/topic:Q_asb_2023-06 https://review.lineageos.org/q/topic:Q_asb_2023-07 https://review.lineageos.org/q/topic:Q_asb_2023-08 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376560 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376561 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376562 https://review.lineageos.org/q/topic:Q_asb_2023-09 https://review.lineageos.org/q/topic:Q_asb_2023-10 https://review.lineageos.org/q/topic:Q_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376563 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_webp/+/376568 https://review.lineageos.org/q/topic:Q_asb_2023-12 https://review.lineageos.org/q/topic:Q_asb_2024-01 https://review.lineageos.org/q/topic:Q_asb_2024-02 https://review.lineageos.org/q/topic:Q_asb_2024-03 Signed-off-by: Tavi <tavi@divested.dev>
45 lines
1.7 KiB
Diff
45 lines
1.7 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Brian Delwiche <delwiche@google.com>
|
|
Date: Thu, 1 Jun 2023 23:57:58 +0000
|
|
Subject: [PATCH] Fix UAF in gatt_cl.cc
|
|
|
|
gatt_cl.cc accesses a header field after the buffer holding it may have
|
|
been freed.
|
|
|
|
Track the relevant state as a local variable instead.
|
|
|
|
Bug: 274617156
|
|
Test: atest: bluetooth, validated against fuzzer
|
|
Tag: #security
|
|
Ignore-AOSP-First: Security
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7a7f7f3311202065de4b2c17b49994053dd1244)
|
|
Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
|
|
Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
|
|
---
|
|
stack/gatt/gatt_cl.cc | 7 ++++++-
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
|
|
index db41c5f9f..f7f11b7a9 100644
|
|
--- a/stack/gatt/gatt_cl.cc
|
|
+++ b/stack/gatt/gatt_cl.cc
|
|
@@ -586,12 +586,17 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
|
|
|
|
memcpy(value.value, p, value.len);
|
|
|
|
+ bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);
|
|
+
|
|
if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) {
|
|
gatt_send_prepare_write(tcb, p_clcb);
|
|
return;
|
|
}
|
|
|
|
- if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {
|
|
+ // We now know that we have not terminated, or else we would have returned
|
|
+ // early. We free the buffer only if the subtype is not equal to
|
|
+ // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF.
|
|
+ if (subtype_is_write_prepare) {
|
|
/* application should verify handle offset
|
|
and value are matched or not */
|
|
gatt_end_operation(p_clcb, p_clcb->status, &value);
|