From da8fcb1ae16c07856cba80163c8b243b030be5bc Mon Sep 17 00:00:00 2001
From: Hui Peng
Date: Tue, 16 May 2023 02:30:39 +0000
Subject: [PATCH 1/2] Fix an OOB Write bug in avrc_vendor_msg

Plus some cleanup

Bug: 271962784
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from commit d5de235b461ec83e43a7db513e286d3204c4cedf)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7f685c51b0bc63369107efe59b12162bbb145a4d)
Merged-In: Ice5ad780ac0b177c73d84ed37960b4540df1ec86
Change-Id: Ice5ad780ac0b177c73d84ed37960b4540df1ec86
---
 system/stack/avrc/avrc_opt.cc | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/system/stack/avrc/avrc_opt.cc b/system/stack/avrc/avrc_opt.cc
index a611e3f5a72..87c685c2c49 100644
--- a/system/stack/avrc/avrc_opt.cc
+++ b/system/stack/avrc/avrc_opt.cc
@@ -49,9 +49,20 @@ static BT_HDR* avrc_vendor_msg(tAVRC_MSG_VENDOR* p_msg) {
 BT_HDR* p_cmd;
 uint8_t* p_data;
- CHECK(p_msg != NULL);
+ /*
+ An AVRC cmd consists of at least of:
+ - A BT_HDR, plus
+ - AVCT_MSG_OFFSET, plus
+ - 3 bytes for ctype, subunit_type and op_vendor, plus
+ - 3 bytes for company_id
+ */
+ #define AVRC_MIN_VENDOR_CMD_LEN (sizeof(BT_HDR) + AVCT_MSG_OFFSET + 3 + 3)
+
+ if (p_msg == nullptr ||
+ AVRC_META_CMD_BUF_SIZE < AVRC_MIN_VENDOR_CMD_LEN + p_msg->vendor_len) {
+ return nullptr;
+ }
- CHECK(AVRC_META_CMD_BUF_SIZE > (AVRC_MIN_CMD_LEN + p_msg->vendor_len));
 p_cmd = (BT_HDR*)osi_calloc(AVRC_META_CMD_BUF_SIZE);
 p_cmd->offset = AVCT_MSG_OFFSET;
--
GitLab

From 62156f4326dae432f36d067117b6f27f9513337d Mon Sep 17 00:00:00 2001
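Review bot: Returning nullptr from avrc_vendor_msg replaces a CHECK that previously aborted, so every caller now has to cope with a null result, and the call sites are outside this hunk; the out-of-bounds write is closed here, but a caller that still dereferences the return unconditionally would turn the same rejected input into a null dereference, so confirm each call site checks for nullptr (and ideally logs the rejected vendor_len). The `#define AVRC_MIN_VENDOR_CMD_LEN` placed inside the function body is not block-scoped and stays defined for the rest of the translation unit; since this is C++, `constexpr size_t kAvrcMinVendorCmdLen = sizeof(BT_HDR) + AVCT_MSG_OFFSET + 3 + 3;` at file scope (or an `#undef` after the check) avoids that. The new comment's wording "consists of at least of:" should read "consists of at least:". avrc_vendor_msg's body continues past the end of the hunk.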
From: Brian Delwiche
Date: Tue, 6 May 2025 17:51:32 +0000
Subject: [PATCH 2/2] Check for existing discovery database in bta_hf_client_cb_init

Researcher finds an RCE related to HF client discovery database. Changes against the related issue b/291281168 (guarded by flag below) partially resolve this issue, but it is necessary to add a check in another location.

Bug: 374746961
Bug: 356201480
Test: m libbluetooth
Test: researcher POC
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:00c8b2a9cd94d0a2c71ccf4985b1789526310fce)
Merged-In: I69b2e80f0dd8682dcc8862b4b9aa7845c48c3bb8
Change-Id: I69b2e80f0dd8682dcc8862b4b9aa7845c48c3bb8
---
 system/bta/Android.bp | 8 +++++---
 system/bta/hf_client/bta_hf_client_main.cc | 8 ++++++++
 system/bta/test/bta_dip_test.cc | 1 -
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/system/bta/Android.bp b/system/bta/Android.bp
index 939f0bec725..85e2389a7f8 100644
--- a/system/bta/Android.bp
+++ b/system/bta/Android.bp
@@ -161,6 +161,7 @@ cc_test {
 test_suites: ["device-tests"],
 srcs: [
 ":TestMockStackBtm",
+ ":TestMockStackSdp",
 ":TestCommonMockFunctions",
 "test/bta_hf_client_test.cc",
 "test/bta_dm_cust_uuid_test.cc",
@@ -204,9 +205,9 @@ cc_test {
 test_suites: ["device-tests"],
 srcs: [
 ":TestCommonMockFunctions",
- ":TestMockDevice",
- ":TestMockStack",
- ":TestMockBtif",
+ ":TestMockDevice",
+ ":TestMockStack",
+ ":TestMockBtif",
 "test/bta_hf_client_security_test.cc",
 ],
 shared_libs: [
@@ -227,6 +228,7 @@ cc_test {
 "libbt-common",
 ],
 }
+
 cc_test {
 name: "bt_host_test_bta",
 defaults: [
diff --git a/system/bta/hf_client/bta_hf_client_main.cc b/system/bta/hf_client/bta_hf_client_main.cc
index 441e3247f41..2533cd39c5f 100644
--- a/system/bta/hf_client/bta_hf_client_main.cc
+++ b/system/bta/hf_client/bta_hf_client_main.cc
@@ -305,6 +305,14 @@ void bta_hf_client_cb_init(tBTA_HF_CLIENT_CB* client_cb, uint16_t handle) {
 client_cb->enabled_hf_indicators.clear();
 client_cb->peer_hf_indicators.clear();
+ if (client_cb->p_disc_db) {
+ if (!SDP_CancelServiceSearch(client_cb->p_disc_db)) {
+ APPL_TRACE_WARNING("Unable to cancel SDP service discovery peer: %s",
+ client_cb->peer_addr.ToString().c_str());
+ }
+ osi_free_and_reset((void**)&client_cb->p_disc_db);
+ }
+
 // Memset the rest of the block
 // memset(client_cb, 0, sizeof(tBTA_HF_CLIENT_CB));
 *client_cb = {};
diff --git a/system/bta/test/bta_dip_test.cc b/system/bta/test/bta_dip_test.cc
index 3e71e2e6e16..d1f985e9e36 100644
--- a/system/bta/test/bta_dip_test.cc
+++ b/system/bta/test/bta_dip_test.cc
@@ -20,7 +20,6 @@
 #include "bta/sdp/bta_sdp_act.cc"
 #include "main/shim/metrics_api.h"
-#include "stack/sdp/sdp_api.cc"
 #include "types/bluetooth/uuid.h"
 #include "types/raw_address.h"
--
GitLab
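Review bot: The discovery database is freed on the `osi_free_and_reset((void**)&client_cb->p_disc_db);` line even when SDP_CancelServiceSearch returns false, with only a warning logged; if a false return means the search is still registered with the SDP layer, that layer may keep a pointer to the freed database, which looks like the same class of problem this change is meant to close. Confirm what a false return guarantees and, if a search can still be active, keep the database alive (or fail the init) in that case instead of freeing; at minimum document the assumption, e.g. `// p_disc_db is released here because SDP holds no reference once the cancel has been requested — confirm`. The warning prints the peer address in clear via `peer_addr.ToString()`; if the tree has an address-redacting log helper, prefer it here. bta_hf_client_cb_init's body starts before the hunk and may continue past `*client_cb = {};`.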