OSDN Git Service
Chih-Wei Huang [Tue, 2 Mar 2021 14:23:40 +0000 (22:23 +0800)]
Merge tag 'android-8.1.0_r81' into oreo-x86
Android 8.1.0 Release 81 (6780335)
weichinweng [Tue, 28 Jul 2020 08:56:33 +0000 (16:56 +0800)]
Fix possible OOB when receive gatt read type response data
Bug: 158833854
Bug: 158778659
Test: manual
Tag: #security
Change-Id: I1bd8713eecebc2bc3d919402b035987e06a2d4d3
(cherry picked from commit 0eb7a763dff47d349b5cfc5821116ece5a46ffa3)
Myles Watson [Thu, 18 Jun 2020 21:35:53 +0000 (14:35 -0700)]
DO NOT MERGE: Remove pairing on incoming bond request
Bug: 150156492
Tag: #security
Test: Bond two devices, forget from one device and reconnect
Change-Id: I048b7b142e3fe2096cf1a9aa2931c175fa52cd45
(cherry picked from commit 13f409ad3a2423b06af7a7f1a9b06fb06c8820a7)
Merged-In: I048b7b142e3fe2096cf1a9aa2931c175fa52cd45
(cherry picked from commit e29c52cfdabd13c259f442ebaaf4ec876173d320)
Joseph Pirozzo [Mon, 25 May 2020 17:36:26 +0000 (10:36 -0700)]
Enable bitpool sanity checks
Enable bitpool sanity checks to run all the time, not just in debug
mode.
Tag: #security
Test: sbcdecoder_fuzzer
Bug: 146398979
Change-Id: Iff58305cd18de35e37290f0c09fba01ee14e787a
(cherry picked from commit 59c234a8fddda37147bb3fe1dd3b3a668828bcab)
Chih-Wei Huang [Fri, 8 May 2020 02:55:55 +0000 (10:55 +0800)]
Merge tag 'android-8.1.0_r76' into oreo-x86
Android 8.1.0 release 76
Jakub Pawlowski [Fri, 20 Mar 2020 14:24:00 +0000 (15:24 +0100)]
Fix potential stack overflow caused by integer overflow
Bug: 151155194
Merged-In: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
Change-Id: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
(cherry picked from commit 1570b62c88d7c5b9c6bfe43da8cc16ea30d3e8df)
Chih-Wei Huang [Mon, 16 Mar 2020 10:40:40 +0000 (18:40 +0800)]
Merge tag 'android-8.1.0_r74' into oreo-x86
Android 8.1.0 release 74
Hansong Zhang [Thu, 13 Feb 2020 19:40:44 +0000 (11:40 -0800)]
GattServer: Check invalid offset
Test: manual
Bug: 143231677
Change-Id: I0396380f431cdb7f91c78db6de9043ea0f373dfe
Merged-In: I97e2c3ae15fccc482d07d8d621c455cc74900cfd
Merged-In: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8
(cherry picked from commit c14c1fb86420bb69b1d8d2ee9e83108331183acd)
Chih-Wei Huang [Fri, 14 Feb 2020 05:15:13 +0000 (13:15 +0800)]
Avoid more annoying crashing
Zongheng Wang [Tue, 12 Nov 2019 20:59:44 +0000 (12:59 -0800)]
SDP: add return after SDP disconnection
A return is needed after sdp_disconnect(). It is the logic
expected and it prevents the use of p_ccb after it's freed.
Bug: 144177780
Bug: 117105007
Test: manual test
Change-Id: I7a64382b36adca37a8ff0c7e361d89ecdc8f3b55
(cherry picked from commit 30efc8c90a846460359a489e17e1461c725958b3)
(cherry picked from commit 5edd605227af9a1b9eedf4fd9f02373a47fd49fb)
Ted Wang [Tue, 26 Nov 2019 03:46:38 +0000 (11:46 +0800)]
Fix potential OOB write in btm_read_remote_ext_features_complete
Add an event length check to handle an HCI event sent from the controller
that is not correct.
Add a page number check to avoid a page number that is bigger than
HCI_EXT_FEATURES_PAGE_MAX.
Bug: 141552859
Bug: 144205318
Test: inject function
Merged-In: Iaca4db4ee9bf27362f62aba0da088727e98955d1
Change-Id: Iaca4db4ee9bf27362f62aba0da088727e98955d1
(cherry picked from commit 6dfae174853e0c49f36362e59a2c7ca607f01cf9)
Venkata Jagadeesh Garaga [Thu, 18 Apr 2019 11:43:49 +0000 (17:13 +0530)]
GAP: Correct the continuous pkt length in l2cap
The L2cap continuous pkt length is wrongly calculated in the
reassembly logic when the remote sends more data
than expected.
The wrong pkt length leads to memory corruption.
Hence, correct the continuous pkt length in the
l2cap reassembly logic.
Bug: 135239489
Bug: 143894715
CRs-Fixed: 2434229
Test: make and internal testing
Change-Id: I758d9e31465b99e436b9b1841320000f08186c97
Merged-In: I758d9e31465b99e436b9b1841320000f08186c97
(cherry picked from commit 337bd4579453bd6bf98ff519de3ac1019cd30d28)
(cherry picked from commit 602f4b44fe30ec8b225e1cee5f96817607d93e5a)
Nick Desaulniers [Thu, 10 Oct 2019 21:04:47 +0000 (14:04 -0700)]
[system][bt] fix -Wdangling-gsl
BtAddrString() returns a std::string. It's not safe to chain a call to
c_str() as otherwise the returned std::string is a temporary, and the
expression evaluates to an immediately dangling pointer.
Bug: 139945549
Bug: 142558228
Test: mm
Change-Id: I30972458abcc563b24ee0d80b289c3efd6c3e04d
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
(cherry picked from commit 20ed45d6339079645ef9fe576b894e9497684c93)
Chih-Wei Huang [Tue, 15 Oct 2019 08:47:31 +0000 (16:47 +0800)]
Merge tag 'android-8.1.0_r69' into oreo-x86
Android 8.1.0 Release 69 (5794017)
Conflicts:
stack/btu/btu_hcif.cc
stack/sdp/sdp_discovery.cc
Alistair Strachan [Sat, 2 Mar 2019 01:45:09 +0000 (17:45 -0800)]
Fall back to CLOCK_BOOTTIME if CLOCK_BOOTTIME_ALARM fails
If the cuttlefish device does not have an rtc device (such as the crosvm
VMM) the bt osi layer can promote crashes due to it not being able to
create a CLOCK_BOOTTIME_ALARM timer. Bring back a fallback but enable it
at runtime instead of compile time.
Bug: 126955943
Test: run with cuttlefish
Change-Id: I3ab0282b3e8fde776aa7b37d5772c8f62cf957bf
Martin Brabham [Thu, 20 Jun 2019 15:59:24 +0000 (08:59 -0700)]
JustWorks: Auto-accept only incoming temporary pairing.
Bug: 110433804
Bug: 134461862
Test: Manual; atest net_test_bluetooth
Change-Id: I4e3f39bc08e9d9493734a21ea29d76e43aeb50c8
Merged-In: I4e3f39bc08e9d9493734a21ea29d76e43aeb50c8
(cherry picked from commit 10e15ee4610969b10e7558969fed8ba229d8e5a0)
Zongheng Wang [Wed, 21 Aug 2019 00:56:04 +0000 (17:56 -0700)]
SDP: Disconnect when there is a bad length
Handle the case when SDP_RAW_DATA_INCLUDED is FALSE.
Related to: I9f0df8b2de28970e7d69b737ce5d363785183bf3
Bug: 137239831
Bug: 117105007
Test: manual test
Change-Id: I354494565005f2ca9093486546fc54c145066413
Merged-In: I354494565005f2ca9093486546fc54c145066413
(cherry picked from commit e45fe0a8ec678c73c57967b69c2fd485eef92927)
(cherry picked from commit 7f555a1a9b641a8e4892a4e7a7cc1ff294d8f2b7)
Rahul Sabnis [Fri, 30 Aug 2019 01:23:37 +0000 (18:23 -0700)]
Use memcpy instead of casting to convert device_class to int
Bug: 140152619
Test: atest net_test_btcoreclear
Change-Id: Iee71ce35576e438317841d41a81fda6a87e1984a
Merged-In: Iee71ce35576e438317841d41a81fda6a87e1984a
(cherry picked from commit ec75f1efb6b9be4933225a4b724e7a3ef5e3d70b)
(cherry picked from commit ecf8f751b0ef9945b1a3e3433116d7363e3a24f9)
Zongheng Wang [Mon, 5 Aug 2019 19:45:35 +0000 (12:45 -0700)]
SDP: disconnect if sdp_copy_raw_data fails
Our partners ran into a problem with sdp_copy_raw_data as updated in
CVE-2019-2116. When the peer device responds with a wrong size,
sdp_copy_raw_data will not complete and won't trigger
disconnection. This CL enables the disconnection when a wrong size is
received.
Bug: 137239831
Bug: 117105007
Test: manual test
Change-Id: I9f0df8b2de28970e7d69b737ce5d363785183bf3
Merged-In: I9f0df8b2de28970e7d69b737ce5d363785183bf3
(cherry picked from commit bc9df3451dad17c1ab1002fdbc85d60e57d4f0af)
(cherry picked from commit 41939a2b5a8e3584c5a99dfe264a47df79e3091f)
Martin Brabham [Fri, 24 May 2019 22:13:38 +0000 (15:13 -0700)]
DO NOT MERGE: btif: require pairing dialog for JustWorks SSP
Bug: 110433804
Test: Manual; atest net_test_bluetooth
Change-Id: If65a8d53ff368ba3ddddb47cfc0072469090b46a
(cherry picked from commit ddae6274742e241c03526c7659dca7b3446b9f8d)
(cherry picked from commit ee34c562b296751cd457e828c3debf38a8d35fb4)
Ugo Yu [Thu, 11 Jul 2019 12:12:42 +0000 (20:12 +0800)]
DO NOT MERGE Store BLE keys using the address from the ble_auth_cmpl_evt
Reading the peer address from btif_dm_ble_auth_cmpl_evt, instead
of using the value from the pairing control block in
btif_dm_save_ble_bonding_keys, ensures that BLE keys are stored with
the correct address.
Bug: 133234174
Bug: 79703832
Test: 1. Initiate crosskey pairing from BLE
2. Check whether BLE keys are stored correctly
Change-Id: I18b4a1d8e2cdcd6dd4a300f1dc9e6d3892a3baff
(cherry picked from commit 0d95651e8b22b1012f1ee103e4a0b8665a0c17d4)
(cherry picked from commit a65f859b17745fcaee79d55333808d9d589b0187)
Ugo Yu [Thu, 23 May 2019 12:14:14 +0000 (20:14 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)
- Do not stay in bonding state if the device is paired but still
discovering services.
- Report BOND_BONDED to Java after authentication for a classic
Bluetooth device is completed.
- Send BONDING event to Java when the static identity address is
first obtained during crosskey pairing.
- Send BONDING event to Java for the initial random address
before sending the BONDED event.
- Do not send a bond event for the static identity address when SDP is done.
- Make sure the pairing control block always gets cleaned up when both SDP
and pairing are done.
- Send empty UUIDs to Java layer to unblock bonding intent broadcast
when SDP fails
Bug: 79703832
Test: runtest bluetooth, regression test
Change-Id: I8a98ba2178039e25c65fc701855066a8788312e6
(cherry picked from commit 9d5a28a536f3c2ce45e6fb7c5a0b78ec1802f006)
Arjun Garg [Mon, 15 Jul 2019 19:58:39 +0000 (12:58 -0700)]
Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"
This reverts commit 1df6bcbe986e783b486789d07afe35c47c2658ae.
Jakub Pawlowski [Thu, 6 Jun 2019 11:54:55 +0000 (13:54 +0200)]
DO NOT MERGE Fix for Bluetooth connection being dropped after HCI Read Encryption Key Size
If the remote device stops the encryption before we call "Read Encryption Key Size",
we might receive Insufficient Security, which means that the link is no longer
encrypted.
In such cases we should stay connected, rather than disconnecting the
link.
Test: Connect to a device that stops encryption right after encryption is
complete, i.e. to change roles.
Bug: 124301137
Bug: 132626699
Change-Id: Iab0fd9f357d18a6b048b971d0393fbb47fd4d793
Merged-In: Iab0fd9f357d18a6b048b971d0393fbb47fd4d793
(cherry picked from commit bdac7b911f710c9c323af60b93eeda045881b5e6)
Ugo Yu [Thu, 23 May 2019 12:14:14 +0000 (20:14 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)
- Do not stay in bonding state if the device is paired but still
discovering services.
- Report BOND_BONDED to Java after authentication for a classic
Bluetooth device is completed.
- Send BONDING event to Java when the static identity address is
first obtained during crosskey pairing.
- Send BONDING event to Java for the initial random address
before sending the BONDED event.
- Do not send a bond event for the static identity address when SDP is done.
- Make sure the pairing control block always gets cleaned up when both SDP
and pairing are done.
- Send empty UUIDs to Java layer to unblock bonding intent broadcast
when SDP fails
Bug: 79703832
Test: runtest bluetooth, regression test
Change-Id: I8a98ba2178039e25c65fc701855066a8788312e6
(cherry picked from commit 9d5a28a536f3c2ce45e6fb7c5a0b78ec1802f006)
Chih-Wei Huang [Wed, 5 Jun 2019 09:35:26 +0000 (17:35 +0800)]
Merge tag 'android-8.1.0_r65' into oreo-x86
Android 8.1.0 release 65
Chih-Wei Huang [Thu, 30 May 2019 09:04:59 +0000 (17:04 +0800)]
Support generic USB Bluetooth adapter
Find USB Bluetooth adapter according to device class and subclass.
See https://www.usb.org/defined-class-codes#anchor_BaseClassE0h.
Chih-Wei Huang [Thu, 30 May 2019 02:50:19 +0000 (10:50 +0800)]
hciblecmds: remove unnecessary checking
This fixes Bluetooth USB dongle support.
Chih-Wei Huang [Wed, 29 May 2019 03:56:16 +0000 (11:56 +0800)]
Replace Bluetooth HAL by Intel's implementation
Linaro's implementation is buggy.
Chih-Wei Huang [Fri, 24 May 2019 07:01:27 +0000 (15:01 +0800)]
Add back libbt-vendor
Chih-Wei Huang [Mon, 20 May 2019 09:39:52 +0000 (17:39 +0800)]
Merge tag 'android-8.1.0_r64' into oreo-x86
Android 8.1.0 Release 64 (OPM8.190505.001)
Martin Brabham [Thu, 4 Apr 2019 21:57:41 +0000 (14:57 -0700)]
DO NOT MERGE: osi: Offload mutex pointer to local scope
Create a shared_ptr for the callback_mutex in the alarm struct.
When performing the callback, make a local shared_ptr reference.
lock_guard on the local shared_ptr reference.
Bug: 117997080
Test: atest net_test_bluetooth
Change-Id: Iab800f720f4ccc4735e4d494e0d458eb97b40a4a
(cherry picked from commit aaa823ae7dbcce43ff9c60e570d5f9583dd9d331)
Ted Wang [Mon, 29 Apr 2019 02:11:04 +0000 (10:11 +0800)]
Fix potential OOB read in sdpu_get_len_from_type
Add boundary check in sdpu_get_len_from_type to prevent potential OOB read.
Bug: 117105007
Test: Manual
Merged-In: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
Change-Id: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
(cherry picked from commit 1243f8da338dadfe2a3c281a08297b431402d41c)
(cherry picked from commit 4d8e1d63e1a2116c47702d38d858f5a742e8292f)
android-build-team Robot [Thu, 2 May 2019 06:21:28 +0000 (06:21 +0000)]
Merge cherrypicks of [7293853, 7292376, 7293922] into oc-m8-release
Change-Id: Idcedfcefb63c6a909de08d4ca448ad5405968bee
Myles Watson [Wed, 1 May 2019 18:31:46 +0000 (18:31 +0000)]
Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"
This reverts commit f3681c8616af4d052c410ba3e88747541a974bf5.
Bug: 79703832
Bug: 130553855
Reason for revert: Regression with cross-key pairing
Change-Id: If8652936eb3b24b3d1b3fded0be200bb986b70e3
(cherry picked from commit c0c3804acd096a6c0fd3bd50b66c9579fed95a94)
Jakub Pawlowski [Mon, 11 Mar 2019 18:22:01 +0000 (19:22 +0100)]
DO NOT MERGE Don't persist bonds using sample LTK
Test: compilation, manual testing
Bug: 128843052
Change-Id: I52fd484d42bf87e96dbc9e6456090f231ed48111
(cherry picked from commit 054dcec1c9b6ac732e7380c5e921407cd316474f)
Jakub Pawlowski [Thu, 14 Feb 2019 11:44:06 +0000 (12:44 +0100)]
DO NOT MERGE Drop Bluetooth connection with weak encryption key
This patch requires the Bluetooth chip to support the HCI Read Encryption Key Size
command and will cause Bluetooth to crash if this command is not supported
on a device. Such devices should not take this patch and should look for an
alternative solution to drop Bluetooth connections with a weak encryption key.
Bug: 124301137
Change-Id: Id4b6b4e765628397a79e6806f45c2cd27acebd5b
(cherry picked from commit e32d4aa7a4b02dd39e918b3b3efae0ccc60ef588)
android-build-team Robot [Tue, 16 Apr 2019 22:37:44 +0000 (22:37 +0000)]
Merge cherrypicks of [7077328, 7074021, 7074022, 7077576, 7077577, 7077578, 7077579] into oc-m8-release
Change-Id: I13b58695eb4e461c6f451855cd54cd90219b3ca4
Jakub Pawlowski [Mon, 11 Mar 2019 18:22:01 +0000 (19:22 +0100)]
DO NOT MERGE Don't persist bonds using sample LTK
Test: compilation, manual testing
Bug: 128843052
Change-Id: I52fd484d42bf87e96dbc9e6456090f231ed48111
(cherry picked from commit 054dcec1c9b6ac732e7380c5e921407cd316474f)
Jakub Pawlowski [Thu, 14 Feb 2019 11:44:06 +0000 (12:44 +0100)]
DO NOT MERGE Drop Bluetooth connection with weak encryption key
This patch requires the Bluetooth chip to support the HCI Read Encryption Key Size
command and will cause Bluetooth to crash if this command is not supported
on a device. Such devices should not take this patch and should look for an
alternative solution to drop Bluetooth connections with a weak encryption key.
Bug: 124301137
Change-Id: Id4b6b4e765628397a79e6806f45c2cd27acebd5b
(cherry picked from commit e32d4aa7a4b02dd39e918b3b3efae0ccc60ef588)
JP Sugarbroad [Tue, 19 Mar 2019 21:56:08 +0000 (14:56 -0700)]
Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"
This reverts commit dc44715a83fcb547a74941ce8eb689ba7f08860f.
android-build-team Robot [Tue, 19 Feb 2019 22:40:22 +0000 (22:40 +0000)]
Merge cherrypicks of [6452478, 6451642, 6451643, 6453811, 6451644, 6451645, 6453831, 6453851, 6453852, 6453853, 6453854, 6452479, 6452480, 6452481, 6452482, 6452483] into oc-m8-release
Change-Id: Iadc4f830ab9ad69e26c783994413486d31c50c2a
Hansong Zhang [Thu, 10 Jan 2019 02:18:17 +0000 (18:18 -0800)]
btm_proc_smp_cback: Don't access p_dev_rec if freed
In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free
Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
(cherry picked from commit 953dd279502980b1d8d30656eb78c6445a6e31f7)
Ugo Yu [Fri, 2 Nov 2018 12:32:14 +0000 (20:32 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)
- Do not stay in bonding state if the device is paired but still
discovering services.
- Report BOND_BONDED to Java after authentication is completed.
- Report empty UUID to Java if a classic Bluetooth device's SDP
failed while pairing.
- Hold the BOND_BONDED intent until SDP is finished.
- Only accept profile connections when the device is at bonded
state. Any attempt to connect while bonding would potentially
lead to an unauthorized connection.
Bug: 79703832
Test: runtest bluetooth
Change-Id: I023713e07308bfc0e5bb8d67f386bcc50f6a0f85
(cherry picked from commit 122e115b87fe98ca5e5e65b9765c146f9e52b65e)
(cherry picked from commit f3681c8616af4d052c410ba3e88747541a974bf5)
Hansong Zhang [Mon, 14 Jan 2019 22:59:35 +0000 (14:59 -0800)]
process_l2cap_cmd: Fix OOB
Bug: 119870451
Test: POC
Change-Id: I2f5e7fedd9aed96c4ffc55af79fdac61c2e5b087
Merged-In: I5131bbf9cda6248fdbbc4bb91916b2fe3731246e
(cherry picked from commit 94fd011bc9a72081cc691ed7d6e6eec42e9f4539)
Hansong Zhang [Wed, 16 Jan 2019 20:33:26 +0000 (12:33 -0800)]
btm_ble_multi_adv: Check data length in HCI interface
For BleAdvertiserVscHciInterfaceImpl and
BleAdvertiserLegacyHciInterfaceImpl, the maximum size of scan response
and advertising packet data length should be BTM_BLE_AD_DATA_LEN (31).
Bug: 121145627
Test: POC
Change-Id: I7653a6c186b7313ef2b1547bca120b9d41c90140
(cherry picked from commit a99fe8a175a6d209e741871544ae3f857c8a7cbb)
Hansong Zhang [Thu, 10 Jan 2019 02:18:17 +0000 (18:18 -0800)]
btm_proc_smp_cback: Don't access p_dev_rec if freed
In btm_proc_smp_cback(), return after p_dev_rec is freed in the middle
to prevent use after free
Bug: 120612744
Test: Use ASAN build; connect to a LE device and wait for timeout
Change-Id: Ic9d0eaeb62a1a1b24884146ca82f4104fabc5bac
(cherry picked from commit 953dd279502980b1d8d30656eb78c6445a6e31f7)
Hansong Zhang [Mon, 14 Jan 2019 22:59:35 +0000 (14:59 -0800)]
process_l2cap_cmd: Fix OOB
Bug: 119870451
Test: POC
Change-Id: I2f5e7fedd9aed96c4ffc55af79fdac61c2e5b087
Merged-In: I5131bbf9cda6248fdbbc4bb91916b2fe3731246e
(cherry picked from commit 94fd011bc9a72081cc691ed7d6e6eec42e9f4539)
Hansong Zhang [Wed, 16 Jan 2019 20:33:26 +0000 (12:33 -0800)]
btm_ble_multi_adv: Check data length in HCI interface
For BleAdvertiserVscHciInterfaceImpl and
BleAdvertiserLegacyHciInterfaceImpl, the maximum size of scan response
and advertising packet data length should be BTM_BLE_AD_DATA_LEN (31).
Bug: 121145627
Test: POC
Change-Id: I7653a6c186b7313ef2b1547bca120b9d41c90140
(cherry picked from commit a99fe8a175a6d209e741871544ae3f857c8a7cbb)
Ugo Yu [Fri, 2 Nov 2018 12:32:14 +0000 (20:32 +0800)]
DO NOT MERGE Separate SDP procedure from bonding state (1/2)
- Do not stay in bonding state if the device is paired but still
discovering services.
- Report BOND_BONDED to Java after authentication is completed.
- Report empty UUID to Java if a classic Bluetooth device's SDP
failed while pairing.
- Hold the BOND_BONDED intent until SDP is finished.
- Only accept profile connections when the device is at bonded
state. Any attempt to connect while bonding would potentially
lead to an unauthorized connection.
Bug: 79703832
Test: runtest bluetooth
Change-Id: I023713e07308bfc0e5bb8d67f386bcc50f6a0f85
(cherry picked from commit 122e115b87fe98ca5e5e65b9765c146f9e52b65e)
(cherry picked from commit f3681c8616af4d052c410ba3e88747541a974bf5)
android-build-team Robot [Wed, 16 Jan 2019 18:57:19 +0000 (18:57 +0000)]
Merge cherrypicks of [6072696, 6072074, 6072757, 6072120, 6072121, 6072122, 6072123, 6072575, 6072576, 6072577, 6072578, 6072579, 6072193, 6072131, 6072194, 6072076, 6072210, 6072759, 6072760, 6072698, 6072699, 6072700, 6072701, 6072702, 6072703, 6072704, 6072905, 6072906, 6072907, 6072761] into oc-m8-release
Change-Id: I27e774674fdab8b33d306a723f98a6038ddfd637
Stanley Tng [Tue, 11 Dec 2018 22:45:13 +0000 (14:45 -0800)]
DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu
Add check to make sure that data buffer is big enough to read the 2
bytes for length.
Also, fix a regression from the previous CL that checks the buffer length
before doing a memcpy. The previous check is too strict, causing valid
sized buffers to be rejected. The length check is incorrect and off by the header size.
Bug: 120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
(cherry picked from commit fcb1994de1f6ee34b8dc6804a2b32e20bf138073)
(cherry picked from commit 1f1d8b97d80d25023c4c7b04d2aa18d367f4158d)
(cherry picked from commit 6b2739f309f7719086eb8201b3e1a35ba60035f4)
(cherry picked from commit 8f52ed93ba0fe67c310473b539d37c7201c83454)
Stanley Tng [Tue, 11 Dec 2018 22:45:13 +0000 (14:45 -0800)]
DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu
Add check to make sure that data buffer is big enough to read the 2
bytes for length.
Also, fix a regression from the previous CL that checks the buffer length
before doing a memcpy. The previous check is too strict, causing valid
sized buffers to be rejected. The length check is incorrect and off by the header size.
Bug: 120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
(cherry picked from commit fcb1994de1f6ee34b8dc6804a2b32e20bf138073)
(cherry picked from commit 1f1d8b97d80d25023c4c7b04d2aa18d367f4158d)
(cherry picked from commit 6b2739f309f7719086eb8201b3e1a35ba60035f4)
(cherry picked from commit 8f52ed93ba0fe67c310473b539d37c7201c83454)
Ugo Yu [Tue, 13 Nov 2018 12:03:28 +0000 (20:03 +0800)]
Add OOB check in avrc_pars_browse_rsp
Bug: 111451066
Test: Manually
Change-Id: I068d218b8957bb8f053148d252a9119a8def28cc
(cherry picked from commit f44cbb20e7658116472981bac0ffb0305f4a2c04)
Jakub Pawlowski [Tue, 27 Nov 2018 17:22:22 +0000 (18:22 +0100)]
Fix buffer overflow in btif_dm_data_copy
When we use a union, we should always define variables as the union type,
not as one of the field subtypes. If the latter is cast to the union type,
buffer overflow can happen.
Bug: 110166268
Test: compilation
Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd
Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd
(cherry picked from commit 64c6f33e7e3245f0bc2109001893704763a2ff79)
Jakub Pawlowski [Tue, 20 Nov 2018 21:31:31 +0000 (22:31 +0100)]
Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df)
JP Sugarbroad [Thu, 10 Jan 2019 22:50:42 +0000 (14:50 -0800)]
Revert "Fix OOB in avrc_pars_browse_rsp"
This reverts commit e46805c89b1b770d5cdb48cc7d48944b58017221.
Chih-Wei Huang [Tue, 8 Jan 2019 08:16:56 +0000 (16:16 +0800)]
Merge tag 'android-8.1.0_r60' into oreo-x86
Android 8.1.0 Release 60 (OPM8.190105.002)
Chih-Wei Huang [Fri, 21 Dec 2018 09:19:56 +0000 (17:19 +0800)]
Merge tag 'android-8.1.0_r53' into oreo-x86
Android 8.1.0 release 53
android-build-team Robot [Fri, 7 Dec 2018 21:43:36 +0000 (21:43 +0000)]
Merge cherrypicks of [5745882, 5746123, 5746124, 5746125, 5745544, 5745819, 5746700, 5745883, 5745545, 5746720, 5746344, 5745884, 5745885, 5745886, 5746740, 5746741] into oc-m8-release
Change-Id: I5edb98075600b97febb2b505a02ee7246d7e4612
Ugo Yu [Tue, 13 Nov 2018 12:03:28 +0000 (20:03 +0800)]
Add OOB check in avrc_pars_browse_rsp
Bug: 111451066
Test: Manually
Change-Id: I068d218b8957bb8f053148d252a9119a8def28cc
(cherry picked from commit f44cbb20e7658116472981bac0ffb0305f4a2c04)
Jakub Pawlowski [Tue, 27 Nov 2018 17:22:22 +0000 (18:22 +0100)]
Fix buffer overflow in btif_dm_data_copy
When we use a union, we should always define variables as the union type,
not as one of the field subtypes. If the latter is cast to the union type,
buffer overflow can happen.
Bug: 110166268
Test: compilation
Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd
Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd
(cherry picked from commit 64c6f33e7e3245f0bc2109001893704763a2ff79)
Jakub Pawlowski [Tue, 20 Nov 2018 21:31:31 +0000 (22:31 +0100)]
Fix potential usage of freed memory in btif_hl_proc_sdp_query_cfm
Bug: 116222069
Test: compilation
Change-Id: Iebe2c500dfc2806ca321fdcd170e20c680619d4d
(cherry picked from commit 889efd5b9165ed7641fcd75eabbbef56be2ef5df)
android-build-team Robot [Mon, 26 Nov 2018 17:21:00 +0000 (17:21 +0000)]
Merge cherrypicks of [5610460, 5610582, 5610249, 5610250, 5610113, 5610163, 5610980, 5610981, 5610982, 5610983, 5610984, 5610461, 5610462, 5610463, 5610464, 5610114, 5610076, 5610985, 5610986, 5610251, 5610583] into oc-m8-release
Change-Id: I1404e0a821b4c44bd5a924a6e10dc3928672437f
Chienyuan [Thu, 11 Oct 2018 01:47:46 +0000 (09:47 +0800)]
DO NOT MERGE HFP: Check AT command buffer boundary during parsing
* add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback
and bta_ag_at_hfp_cback to indicate effective data range of p_arg
* add checks for buffer copy overflow in bta_ag_at_hsp_cback and
bta_ag_at_hfp_cback
* add packet length checks with p_end in bta_ag_parse_cmer
* add packet length checks with p_end in bta_ag_parse_bac
Bug: 112860487
Test: manual
Change-Id: I6bbbc2ba29ad025c7d3ba023d8191af6a11c4aa9
(cherry picked from commit 749063afebb8324276a47bdfbf320aa70f94a8ba)
(cherry picked from commit 9cb959d00d33737b399377cfc0f4070081d48f5e)
Myles Watson [Thu, 25 Oct 2018 21:33:33 +0000 (14:33 -0700)]
DO NOT MERGE: HH: Check parameter length in bta_hh_ctrl_dat_act
Bug: 116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit ff8a52d8fefed1ba38f424b1db48a81d46cb7226)
Myles Watson [Thu, 25 Oct 2018 00:05:12 +0000 (17:05 -0700)]
DO NOT MERGE: SDP: Check p_end in save_attr_seq and add_attr
Bug: 115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit 2aad270709f01481e91f7fdaafbebee49130cd28)
Myles Watson [Thu, 25 Oct 2018 22:27:03 +0000 (15:27 -0700)]
DO NOT MERGE: MCAP: Check response length in mca_ccb_hdl_rsp
Bug: 116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit f34d740521ec583b0089fdeca283748a809a9c1a)
Ugo Yu [Mon, 29 Oct 2018 16:47:04 +0000 (00:47 +0800)]
DO NOT MERGE: Fix possible OOB when AVDT data channel receives ACL data
Bug: 111450156
Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af)
(cherry picked from commit f349ff0c65523437b3f20ef54a7b0e5fd56364dc)
Chienyuan [Thu, 11 Oct 2018 01:47:46 +0000 (09:47 +0800)]
DO NOT MERGE HFP: Check AT command buffer boundary during parsing
* add p_end parameter to tBTA_AG_AT_CMD_CBACK, bta_ag_at_hsp_cback
and bta_ag_at_hfp_cback to indicate effective data range of p_arg
* add checks for buffer copy overflow in bta_ag_at_hsp_cback and
bta_ag_at_hfp_cback
* add packet length checks with p_end in bta_ag_parse_cmer
* add packet length checks with p_end in bta_ag_parse_bac
Bug: 112860487
Test: manual
Change-Id: I6bbbc2ba29ad025c7d3ba023d8191af6a11c4aa9
(cherry picked from commit 749063afebb8324276a47bdfbf320aa70f94a8ba)
(cherry picked from commit 9cb959d00d33737b399377cfc0f4070081d48f5e)
Myles Watson [Thu, 25 Oct 2018 00:05:12 +0000 (17:05 -0700)]
DO NOT MERGE: SDP: Check p_end in save_attr_seq and add_attr
Bug: 115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit 2aad270709f01481e91f7fdaafbebee49130cd28)
Myles Watson [Thu, 25 Oct 2018 22:27:03 +0000 (15:27 -0700)]
DO NOT MERGE: MCAP: Check response length in mca_ccb_hdl_rsp
Bug: 116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit f34d740521ec583b0089fdeca283748a809a9c1a)
Myles Watson [Thu, 25 Oct 2018 21:33:33 +0000 (14:33 -0700)]
DO NOT MERGE: HH: Check parameter length in bta_hh_ctrl_dat_act
Bug: 116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit ff8a52d8fefed1ba38f424b1db48a81d46cb7226)
Ugo Yu [Fri, 26 Oct 2018 10:15:17 +0000 (18:15 +0800)]
Fix OOB in avrc_pars_browse_rsp
- Check packet length before assigning bytes to the pointer.
Bug: 111451066
Test: PoC test
Change-Id: I8ce4f4678a043fc16b0beeea2345253e7542b506
(cherry picked from commit 32a33dc12d4a9b21306510a98bcd039ca3be1dd3)
Ugo Yu [Mon, 29 Oct 2018 16:47:04 +0000 (00:47 +0800)]
DO NOT MERGE: Fix possible OOB when AVDT data channel receives ACL data
Bug: 111450156
Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af)
(cherry picked from commit f349ff0c65523437b3f20ef54a7b0e5fd56364dc)
android-build-team Robot [Fri, 19 Oct 2018 16:33:43 +0000 (16:33 +0000)]
Merge cherrypicks of [5313290, 5313323, 5313343, 5313415, 5313291, 5313441, 5313557, 5313344, 5313383, 5313384, 5313324, 5313325, 5313326, 5313294, 5313295, 5313296, 5313498] into oc-m8-release
Change-Id: If387e42363401bc4f4c362de2b66e910b38d7239
Jakub Pawlowski [Wed, 10 Oct 2018 17:35:37 +0000 (19:35 +0200)]
Fix possible OOB read
Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad)
Ugo Yu [Mon, 17 Sep 2018 07:59:30 +0000 (15:59 +0800)]
DO NOT MERGE - Check SDU lower bound before allocating p_data
Bug: 112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit 6fc96f847be808a4f38eae45b5e9bbc3f18b9a2d)
Jakub Pawlowski [Wed, 10 Oct 2018 17:35:37 +0000 (19:35 +0200)]
Fix possible OOB read
Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad)
Ugo Yu [Mon, 17 Sep 2018 07:59:30 +0000 (15:59 +0800)]
DO NOT MERGE - Check SDU lower bound before allocating p_data
Bug: 112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit 6fc96f847be808a4f38eae45b5e9bbc3f18b9a2d)
Chih-Wei Huang [Tue, 9 Oct 2018 10:01:42 +0000 (18:01 +0800)]
Merge tag 'android-8.1.0_r48' into oreo-x86
Android 8.1.0 release 48
android-build-team Robot [Tue, 11 Sep 2018 23:09:09 +0000 (23:09 +0000)]
Merge cherrypicks of [4995494, 4995495, 4995496, 4995497, 4997652, 4997881, 4997052, 4997883, 4995518, 4997653, 4997654] into oc-m8-release
Change-Id: I85beb831bb99d381e91572820887d034e9e4c942
Pavlin Radoslavov [Thu, 6 Sep 2018 01:21:31 +0000 (18:21 -0700)]
Check data length when parsing AVRCP vendor specific command responses
Bug: 111450531
Bug: 111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)
Pavlin Radoslavov [Thu, 6 Sep 2018 22:41:27 +0000 (15:41 -0700)]
DO NOT MERGE - Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()
Bug: 111450417
Test: PoC test program
Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
(cherry picked from commit 2692408d05bf16738284b61833649cee5d2a2233)
Chih-Wei Huang [Mon, 10 Sep 2018 16:20:37 +0000 (00:20 +0800)]
Merge tag 'android-8.1.0_r46' into oreo-x86
Android 8.1.0 Release 46 (OPM6.171019.030.K1)
Pavlin Radoslavov [Thu, 6 Sep 2018 22:41:27 +0000 (15:41 -0700)]
DO NOT MERGE - Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp()
Bug: 111450417
Test: PoC test program
Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
(cherry picked from commit 2692408d05bf16738284b61833649cee5d2a2233)
Pavlin Radoslavov [Thu, 6 Sep 2018 01:21:31 +0000 (18:21 -0700)]
Check data length when parsing AVRCP vendor specific command responses
Bug: 111450531
Bug: 111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)
android-build-team Robot [Thu, 30 Aug 2018 04:26:40 +0000 (04:26 +0000)]
Merge cherrypicks of [4897833, 4897834, 4897835] into oc-m8-release
Change-Id: I67a29ac6b41042b98bf78c34151436502cc23c43
Hansong Zhang [Fri, 13 Jul 2018 20:45:46 +0000 (13:45 -0700)]
Fix a wrong check in rfc_parse_data
Bug: 78288018
Bug: 111436796
Test: manual
Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a
(cherry picked from commit d1ced302cd1066087588c891027b1756be31db46)
Hansong Zhang [Thu, 7 Jun 2018 23:18:52 +0000 (16:18 -0700)]
Add bound check for rfc_parse_data
Bug: 78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit 6039cb7225733195192b396ad19c528800feb735)
Hansong Zhang [Wed, 8 Aug 2018 18:31:28 +0000 (11:31 -0700)]
Check remaining frame length in rfc_process_mx_message
Bug: 111936792
Bug: 80432928
Test: manual
Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
(cherry picked from commit 0471355c8b035aaa2ce07a33eecad60ad49c5ad0)
Hansong Zhang [Fri, 13 Jul 2018 20:45:46 +0000 (13:45 -0700)]
Fix a wrong check in rfc_parse_data
Bug: 78288018
Bug: 111436796
Test: manual
Change-Id: I16e6026acbaac230fe1453bbac040d1b75bcea2a
(cherry picked from commit d1ced302cd1066087588c891027b1756be31db46)
Hansong Zhang [Thu, 7 Jun 2018 23:18:52 +0000 (16:18 -0700)]
Add bound check for rfc_parse_data
Bug: 78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit 6039cb7225733195192b396ad19c528800feb735)
android-build-team Robot [Thu, 16 Aug 2018 16:58:55 +0000 (16:58 +0000)]
Merge cherrypicks of [4793902] into oc-m8-release
Change-Id: I91773bc663618ed079887b7501b81bfb21e7abfb
Hansong Zhang [Thu, 16 Aug 2018 16:46:45 +0000 (09:46 -0700)]
Fix build failure in stack/rfcomm/rfc_ts_frames.c
Test: compile
Bug: 112673718
Change-Id: I93cd39f943dd2f0fb65b785c15dc91649c7ee384
(cherry picked from commit eb3e2528714bd6ea59ad369798f522d75a2e55c7)
android-build-team Robot [Thu, 16 Aug 2018 01:24:41 +0000 (01:24 +0000)]
Merge cherrypicks of [4787660, 4787680, 4787071, 4787700, 4787592, 4787701, 4787720, 4787721, 4787072, 4787073, 4787074, 4787075, 4787076, 4787077, 4787740, 4787760, 4787722, 4787723, 4787724, 4787725, 4787726, 4787727, 4787728, 4787729, 4787730, 4787731] into oc-m8-release
Change-Id: Ic84dec3c93161420dd4c72ee698154e8188d1ac7
Cheney Ni [Tue, 7 Aug 2018 13:32:07 +0000 (21:32 +0800)]
Add packet length checks in mca_ccb_hdl_req
Bug: 110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
(cherry picked from commit 4de7ccdd914b7a178df9180d15f675b257ea6e02)
Cheney Ni [Wed, 8 Aug 2018 14:40:27 +0000 (22:40 +0800)]
Checks the SMP length to fix OOB read
Bug: 111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
(cherry picked from commit 4978acce4af0c3975ffde9386b7da38f88bb1711)
Ugo Yu [Wed, 8 Aug 2018 08:09:58 +0000 (16:09 +0800)]
Add packet length check in smp_proc_master_id
Bug: 111937027
Test: manual
Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075
(cherry picked from commit c8294662d07a98e9b8b1cab1ab681ec0805ce4e8)
Pavlin Radoslavov [Thu, 9 Aug 2018 20:07:48 +0000 (13:07 -0700)]
Add missing AVRCP message length checks inside avrc_msg_cback
Explicitly check the length of the received message before
accessing the data.
Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
(cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)