{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":193171789,"defaultBranch":"cm-14.1","name":"android_system_bt","ownerLogin":"syphyr","currentUserCanPush":false,"isFork":true,"isEmpty":false,"createdAt":"2019-06-21T23:48:01.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/5009268?v=4","public":true,"private":false,"isOrgOwned":false},"refInfo":{"name":"","listCacheKey":"v0:1614101692.241002","currentOid":""},"activityList":{"items":[{"before":"5c5a8573e477a42161f146bacecc2c62d284c74b","after":"861d681c4c8d3a63ab1c3621292fccf0b4db9b07","ref":"refs/heads/cm-14.1","pushedAt":"2024-07-03T21:01:09.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"[BACKPORT] Fix an authentication bypass bug in SMP\n\nWhen pairing with BLE legacy pairing initiated\nfrom remote, authentication can be bypassed.\nThis change fixes it.\n\nBug: 251514170\nTest: m com.android.btservices\nTest: manual run against PoC\nIgnore-AOSP-First: security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a3dbadc71428a30b172a74343be08498c656747)\nMerged-In: I66b1f9a80060f48a604001829db8ea7c96c7b7f8\nChange-Id: I66b1f9a80060f48a604001829db8ea7c96c7b7f8","shortMessageHtmlLink":"[BACKPORT] Fix an authentication bypass bug in SMP"}},{"before":"378a38d648f90591063c33cb518b45d38e462e05","after":"5c5a8573e477a42161f146bacecc2c62d284c74b","ref":"refs/heads/cm-14.1","pushedAt":"2024-03-05T21:08:41.000Z","pushType":"push","commitsCount":4,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix a security bypass issue in access_secure_service_from_temp_bond\n\nBackport I48df2c2d77810077e97d4131540277273d441998\nto rvc-dev\n\nBug: 318374503\nTest: m com.android.btservices | manual test against PoC | QA\nIgnore-AOSP-First: security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e908c16d9157b9e4a936117f06b8f964cf8386b8)\nMerged-In: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f\nChange-Id: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f","shortMessageHtmlLink":"Fix a security bypass issue in access_secure_service_from_temp_bond"}},{"before":"ae307e498896604652dbf59be11a2aaa52799f8a","after":"378a38d648f90591063c33cb518b45d38e462e05","ref":"refs/heads/cm-14.1","pushedAt":"2024-02-06T21:57:23.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix an OOB write bug in attp_build_read_by_type_value_cmd\n\nThis is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e\n\nBug: 297524203\nTest: m com.android.btservices\nIgnore-AOSP-First: security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)\nMerged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181\nChange-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181","shortMessageHtmlLink":"Fix an OOB write bug in attp_build_read_by_type_value_cmd"}},{"before":"a06156a41f5de06af45a34b2d1fc5ad3ef6697e9","after":"ae307e498896604652dbf59be11a2aaa52799f8a","ref":"refs/heads/cm-14.1","pushedAt":"2024-02-06T21:21:42.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix an OOB write bug in attp_build_read_by_type_value_cmd\n\nThis is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e\n\nBug: 297524203\nTest: m com.android.btservices\nIgnore-AOSP-First: security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)\nMerged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181\nChange-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181","shortMessageHtmlLink":"Fix an OOB write bug in attp_build_read_by_type_value_cmd"}},{"before":"6a0d93410f68e9dd7ccbdc1d26756dbb8ccad7bb","after":"a06156a41f5de06af45a34b2d1fc5ad3ef6697e9","ref":"refs/heads/cm-14.1","pushedAt":"2024-02-06T19:58:54.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix an OOB write bug in attp_build_read_by_type_value_cmd\n\nThis is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e\n\nBug: 297524203\nTest: m com.android.btservices\nIgnore-AOSP-First: security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)\nMerged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181\nChange-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181","shortMessageHtmlLink":"Fix an OOB write bug in attp_build_read_by_type_value_cmd"}},{"before":"809da2f2e62773fb59bfee77f7b4404673cac54c","after":"6a0d93410f68e9dd7ccbdc1d26756dbb8ccad7bb","ref":"refs/heads/cm-14.1","pushedAt":"2024-01-05T20:18:02.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"[BACKPORT] Fix some OOB errors in BTM parsing\n\nSome HCI BLE events are missing bounds checks, leading to possible OOB\naccess.  Add the appropriate bounds checks on the packets.\n\nBug: 279169188\nTest: atest bluetooth_test_gd_unit, net_test_stack_btm\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)\nMerged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57\nChange-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57","shortMessageHtmlLink":"[BACKPORT] Fix some OOB errors in BTM parsing"}},{"before":"9eb68c182fabd427fe31819d9859361cb3f000ba","after":"809da2f2e62773fb59bfee77f7b4404673cac54c","ref":"refs/heads/cm-14.1","pushedAt":"2024-01-05T20:04:49.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"[BACKPORT] Fix some OOB errors in BTM parsing\n\nSome HCI BLE events are missing bounds checks, leading to possible OOB\naccess.  Add the appropriate bounds checks on the packets.\n\nBug: 279169188\nTest: atest bluetooth_test_gd_unit, net_test_stack_btm\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)\nMerged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57\nChange-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57","shortMessageHtmlLink":"[BACKPORT] Fix some OOB errors in BTM parsing"}},{"before":"8df8b2e09db1f3fc984b7751dbfc1d583474cc1f","after":"9eb68c182fabd427fe31819d9859361cb3f000ba","ref":"refs/heads/cm-14.1","pushedAt":"2024-01-05T01:37:41.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"[BACKPORT] Fix some OOB errors in BTM parsing\n\nSome HCI BLE events are missing bounds checks, leading to possible OOB\naccess.  Add the appropriate bounds checks on the packets.\n\nBug: 279169188\nTest: atest bluetooth_test_gd_unit, net_test_stack_btm\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)\nMerged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57\nChange-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57","shortMessageHtmlLink":"[BACKPORT] Fix some OOB errors in BTM parsing"}},{"before":"9dd497fcc469aba05899ca47e6b40057936da90c","after":"8df8b2e09db1f3fc984b7751dbfc1d583474cc1f","ref":"refs/heads/cm-14.1","pushedAt":"2024-01-05T00:47:05.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"[BACKPORT] Fix some OOB errors in BTM parsing\n\nSome HCI BLE events are missing bounds checks, leading to possible OOB\naccess.  Add the appropriate bounds checks on the packets.\n\nBug: 279169188\nTest: atest bluetooth_test_gd_unit, net_test_stack_btm\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)\nMerged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57\nChange-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57","shortMessageHtmlLink":"[BACKPORT] Fix some OOB errors in BTM parsing"}},{"before":"d5be0db0708e2459f509f01421b8fd9bcd382b12","after":"9dd497fcc469aba05899ca47e6b40057936da90c","ref":"refs/heads/cm-14.1","pushedAt":"2024-01-05T00:29:54.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"[BACKPORT] Fix some OOB errors in BTM parsing\n\nSome HCI BLE events are missing bounds checks, leading to possible OOB\naccess.  Add the appropriate bounds checks on the packets.\n\nBug: 279169188\nTest: atest bluetooth_test_gd_unit, net_test_stack_btm\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)\nMerged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57\nChange-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57","shortMessageHtmlLink":"[BACKPORT] Fix some OOB errors in BTM parsing"}},{"before":"458c61832f52e12883dd59cbc465e54d5723916e","after":"d5be0db0708e2459f509f01421b8fd9bcd382b12","ref":"refs/heads/cm-14.1","pushedAt":"2024-01-05T00:12:13.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"[BACKPORT] Fix some OOB errors in BTM parsing\n\nSome HCI BLE events are missing bounds checks, leading to possible OOB\naccess.  Add the appropriate bounds checks on the packets.\n\nBug: 279169188\nTest: atest bluetooth_test_gd_unit, net_test_stack_btm\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)\nMerged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57\nChange-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57","shortMessageHtmlLink":"[BACKPORT] Fix some OOB errors in BTM parsing"}},{"before":"46eb43ae5beb930481ce38b20812eefc0df6bf9a","after":"458c61832f52e12883dd59cbc465e54d5723916e","ref":"refs/heads/cm-14.1","pushedAt":"2024-01-04T23:46:51.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"[BACKPORT] Fix some OOB errors in BTM parsing\n\nSome HCI BLE events are missing bounds checks, leading to possible OOB\naccess.  Add the appropriate bounds checks on the packets.\n\nBug: 279169188\nTest: atest bluetooth_test_gd_unit, net_test_stack_btm\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)\nMerged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57\nChange-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57","shortMessageHtmlLink":"[BACKPORT] Fix some OOB errors in BTM parsing"}},{"before":"8e59d87b5f24ff60c421d8e6ece7c99c0077fbe1","after":"46eb43ae5beb930481ce38b20812eefc0df6bf9a","ref":"refs/heads/cm-14.1","pushedAt":"2024-01-04T21:11:31.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"[BACKPORT] Fix some OOB errors in BTM parsing\n\nSome HCI BLE events are missing bounds checks, leading to possible OOB\naccess.  Add the appropriate bounds checks on the packets.\n\nBug: 279169188\nTest: atest bluetooth_test_gd_unit, net_test_stack_btm\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)\nMerged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57\nChange-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57","shortMessageHtmlLink":"[BACKPORT] Fix some OOB errors in BTM parsing"}},{"before":"cf11c8dfa23350f8b32a10b0eb57919b941240ca","after":"8e59d87b5f24ff60c421d8e6ece7c99c0077fbe1","ref":"refs/heads/cm-14.1","pushedAt":"2024-01-04T20:00:25.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"[BACKPORT] Fix some OOB errors in BTM parsing\n\nSome HCI BLE events are missing bounds checks, leading to possible OOB\naccess.  Add the appropriate bounds checks on the packets.\n\nBug: 279169188\nTest: atest bluetooth_test_gd_unit, net_test_stack_btm\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)\nMerged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57\nChange-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57","shortMessageHtmlLink":"[BACKPORT] Fix some OOB errors in BTM parsing"}},{"before":"9da53d5ce41c82997b61cfd283255a1fab1e5787","after":"cf11c8dfa23350f8b32a10b0eb57919b941240ca","ref":"refs/heads/cm-14.1","pushedAt":"2023-12-06T19:33:10.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix timing attack in BTM_BleVerifySignature\n\nBTM_BleVerifySignature uses a stock memcmp, allowing signature contents\nto be deduced through a side-channel attack.\n\nChange to CRYPTO_memcmp, which is hardened against this attack, to\neliminate this attack.\n\nBug: 274478807\nTest: atest bluetooth_test_gd_unit\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)\nMerged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c\nChange-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c","shortMessageHtmlLink":"Fix timing attack in BTM_BleVerifySignature"}},{"before":"5621bf2e59eff8806d3aebfd0f588976b9d5669b","after":"9da53d5ce41c82997b61cfd283255a1fab1e5787","ref":"refs/heads/cm-14.1","pushedAt":"2023-12-06T19:31:06.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix timing attack in BTM_BleVerifySignature\n\nBTM_BleVerifySignature uses a stock memcmp, allowing signature contents\nto be deduced through a side-channel attack.\n\nChange to CRYPTO_memcmp, which is hardened against this attack, to\neliminate this attack.\n\nBug: 274478807\nTest: atest bluetooth_test_gd_unit\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)\nMerged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c\nChange-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c","shortMessageHtmlLink":"Fix timing attack in BTM_BleVerifySignature"}},{"before":"01817daff18f0c07121573afcd71e8ba2c0edb44","after":"5621bf2e59eff8806d3aebfd0f588976b9d5669b","ref":"refs/heads/cm-14.1","pushedAt":"2023-12-06T19:24:40.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix timing attack in BTM_BleVerifySignature\n\nBTM_BleVerifySignature uses a stock memcmp, allowing signature contents\nto be deduced through a side-channel attack.\n\nChange to CRYPTO_memcmp, which is hardened against this attack, to\neliminate this attack.\n\nBug: 274478807\nTest: atest bluetooth_test_gd_unit\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)\nMerged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c\nChange-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c","shortMessageHtmlLink":"Fix timing attack in BTM_BleVerifySignature"}},{"before":"0e27c5a09a143612015eb20da68e3ea4cf380776","after":"01817daff18f0c07121573afcd71e8ba2c0edb44","ref":"refs/heads/cm-14.1","pushedAt":"2023-12-06T01:40:42.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix timing attack in BTM_BleVerifySignature\n\nBTM_BleVerifySignature uses a stock memcmp, allowing signature contents\nto be deduced through a side-channel attack.\n\nChange to CRYPTO_memcmp, which is hardened against this attack, to\neliminate this attack.\n\nBug: 274478807\nTest: atest bluetooth_test_gd_unit\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)\nMerged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c\nChange-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c","shortMessageHtmlLink":"Fix timing attack in BTM_BleVerifySignature"}},{"before":"9aab82a28133a7da7f5045eea8bc258b9412c0b9","after":"0e27c5a09a143612015eb20da68e3ea4cf380776","ref":"refs/heads/cm-14.1","pushedAt":"2023-12-06T01:17:48.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix timing attack in BTM_BleVerifySignature\n\nBTM_BleVerifySignature uses a stock memcmp, allowing signature contents\nto be deduced through a side-channel attack.\n\nChange to CRYPTO_memcmp, which is hardened against this attack, to\neliminate this attack.\n\nBug: 274478807\nTest: atest bluetooth_test_gd_unit\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)\nMerged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c\nChange-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c","shortMessageHtmlLink":"Fix timing attack in BTM_BleVerifySignature"}},{"before":"2895360c7d99583ec9d0bb702486b4298186e9ad","after":"9aab82a28133a7da7f5045eea8bc258b9412c0b9","ref":"refs/heads/cm-14.1","pushedAt":"2023-12-05T23:20:19.000Z","pushType":"push","commitsCount":6,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix timing attack in BTM_BleVerifySignature\n\nBTM_BleVerifySignature uses a stock memcmp, allowing signature contents\nto be deduced through a side-channel attack.\n\nChange to CRYPTO_memcmp, which is hardened against this attack, to\neliminate this attack.\n\nBug: 274478807\nTest: atest bluetooth_test_gd_unit\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)\nMerged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c\nChange-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c","shortMessageHtmlLink":"Fix timing attack in BTM_BleVerifySignature"}},{"before":"9116cb3f138e4fa8fa5bcc9888e31e5ce7106bb2","after":"2895360c7d99583ec9d0bb702486b4298186e9ad","ref":"refs/heads/cm-14.1","pushedAt":"2023-12-04T21:29:30.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix OOB Write in pin_reply in bluetooth.cc\n\nRoot cause:\nif the length of \"pin_code\" is greater than 16,\nan OOBW will be triggered due to a missing bounds check.\n\nFix:\nCheck is added to avoid Out of Bound Write.\n\nCRs-Fixed: 3507292\nChange-Id: I15a1eae59b17f633e29180a01676c260189b8353","shortMessageHtmlLink":"Fix OOB Write in pin_reply in bluetooth.cc"}},{"before":"99c49febc152d6f8db2d2baf00c4fbb86044a278","after":"9116cb3f138e4fa8fa5bcc9888e31e5ce7106bb2","ref":"refs/heads/cm-14.1","pushedAt":"2023-09-05T23:00:53.000Z","pushType":"push","commitsCount":4,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix an integer overflow bug in avdt_msg_asmbl\n\nBug: 280633699\nTest: manual\nIgnore-AOSP-First: security\nTag: #security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bf9449a704c2983861dbe0ede9ab660e42826179)\nMerged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2\nChange-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2","shortMessageHtmlLink":"Fix an integer overflow bug in avdt_msg_asmbl"}},{"before":"a4067bc07e5238f6e5b4c2d835544881d34acf2c","after":"99c49febc152d6f8db2d2baf00c4fbb86044a278","ref":"refs/heads/cm-14.1","pushedAt":"2023-07-06T21:35:12.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix gatt_end_operation buffer overflow\n\nAdded boundary check for gatt_end_operation to prevent writing out of\nboundary.\n\nSince response of the GATT server is handled in\ngatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum\nlenth that can be passed into the handlers is bounded by\nGATT_MAX_MTU_SIZE, which is set to 517, which is greater than\nGATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec\nthat gaurentees MTU response to be less than or equal to 512 bytes can\ncause a buffer overflow when performing memcpy without length check.\n\nBug: 261068592\nTest: No test since not affecting behavior\nTag: #security\nIgnore-AOSP-First: security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dd7298e982e4bbf0138a490562679c9a4a755200)\nMerged-In: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873\nChange-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873","shortMessageHtmlLink":"Fix gatt_end_operation buffer overflow"}},{"before":"4a43dbd69abf3491f643399347145fef7349efbb","after":"a4067bc07e5238f6e5b4c2d835544881d34acf2c","ref":"refs/heads/cm-14.1","pushedAt":"2023-06-09T18:04:59.374Z","pushType":"push","commitsCount":3,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Revert \"Revert \"Fix wrong BR/EDR link key downgrades (P_256->P_192)\"\"\n\nThis reverts commit d733c86cbc06ce0ec72216b9d41e172d1939c46f.\n\nFunction btm_sec_encrypt_change() is called at most places\nwith argument \"encr_enable\" treated as bool and not as per\n(tHCI_ENCRYPT_MODE = 0/1/2) expected by the function. The\nfunction has special handling for \"encr_enable=1\" to downgrade\nthe link key type for BR/EDR case. This gets executed even\nwhen the caller/context did not mean/expect so. It appears\nthis handling in btm_sec_encrypt_change() is not necessary and\nis removed by this commit to prevent accidental execution of it.\n\nTest: Verified re-pairing with an iPhone works fine now\n\nIssue Reproduction Steps:\n1. Enable Bluetooth Hotspot on Android device (DUT).\n2. Pair and connect an iPhone to DUT.\n3. Forget this pairing on DUT.\n4. On iPhone settings, click on old DUT's paired entry to connect.\n5. iPhone notifies to click 'Forget Device' and try fresh pairing.\n6. On iPhone, after doing 'Forget Device', discover DUT again.\n7. Attempt pairing to DUT by clicking on discovered DUT entry.\n   Pairing will be unsuccessful.\n\nIssue Cause:\nDuring re-pairing, DUT is seen to downgrade\nBR/EDR link key unexpectedly from link key type 0x8\n(BTM_LKEY_TYPE_AUTH_COMB_P_256) to 0x5 (BTM_LKEY_TYPE_AUTH_COMB).\n\nLog snippet (re-pairing time):\nbtm_sec_link_key_notification set new_encr_key_256 to 1\nbtif_dm_auth_cmpl_evt: Storing link key. key_type=0x8, bond_type=1\nbtm_sec_encrypt_change new_encr_key_256 is 1\n--On DUT, HCI_Encryption_Key_Refresh_Complete event noticed---\nbtm_sec_encrypt_change new_encr_key_256 is 0\nupdated link key type to 5\nbtif_dm_auth_cmpl_evt: Storing link key. key_type=0x5, bond_type=1\n\nThis is a backport of the following patch: aosp/1890096\n\nBug: 258834033\n\nReason for revert: Reinstate original change for QPR\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:56891eedc68c86b40977191dad28d65ebf86a94f)\nMerged-In: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6\nChange-Id: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6","shortMessageHtmlLink":"Revert \"Revert \"Fix wrong BR/EDR link key downgrades (P_256->P_192)\"\""}},{"before":"9a9092d44d4552910f2899f25a485a115c8044d2","after":"4a43dbd69abf3491f643399347145fef7349efbb","ref":"refs/heads/cm-14.1","pushedAt":"2023-04-11T20:58:20.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix an OOB bug in register_notification_rsp\n\nThis is a backport of I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f\nto rvc-dev.\n\nBug: 245916076\nTest: manual\nIgnore-AOSP-First: security\nChange-Id: I37a9f45e707702b2ec52b5a2d572f177f2911765\n(cherry picked from commit 901e34203c6280d414cbfa3978de04fd6515ffdf)\nMerged-In: I37a9f45e707702b2ec52b5a2d572f177f2911765","shortMessageHtmlLink":"Fix an OOB bug in register_notification_rsp"}},{"before":"894f49fc289868dc4750812c4f7047422b701c84","after":"9a9092d44d4552910f2899f25a485a115c8044d2","ref":"refs/heads/cm-14.1","pushedAt":"2023-04-05T20:58:51.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"AVDTP: Fix a potential overflow about the media payload offset\n\nThis variable is uint16, and is possible to overflow when the length of\nheader extension is larger. Here we compare with the data length to\nprevent any exceptions.\n\nBug: 142546355\nTag: #security\nTest: A2DP sink playback\nIgnore-AOSP-First: security vulnerabilities\nChange-Id: Id13b1ebde8f603123c8b7a49922b2f1378ab788f","shortMessageHtmlLink":"AVDTP: Fix a potential overflow about the media payload offset"}},{"before":"0a72fa47435068ef1bd66a36345306ebb589f122","after":"894f49fc289868dc4750812c4f7047422b701c84","ref":"refs/heads/cm-14.1","pushedAt":"2023-03-13T20:29:50.997Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix an OOB write in SDP_AddAttribute\n\nWhen the `attr_pad` becomes full, it is possible\nthat un index of `-1` is computed write\na zero byte to `p_val`, rusulting OOB write.\n\n```\n  p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\\0';\n```\n\nBug: 261867748\nTest: manual\nTag: #security\nIgnore-AOSP-First: security\nMerged-In: I937d22a2df26fca1d7f06b10182c4e713ddfed1b\nChange-Id: I937d22a2df26fca1d7f06b10182c4e713ddfed1b\n(cherry picked from commit 0846b5b746e844464fb728478fea3c2ad6aaef1f)\nMerged-In: I937d22a2df26fca1d7f06b10182c4e713ddfed1b","shortMessageHtmlLink":"Fix an OOB write in SDP_AddAttribute"}},{"before":"b21e52a817f7007fd852632db014af431a57b822","after":"0a72fa47435068ef1bd66a36345306ebb589f122","ref":"refs/heads/cm-14.1","pushedAt":"2023-03-13T20:27:39.387Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix an OOB write in SDP_AddAttribute\n\nWhen the `attr_pad` becomes full, it is possible\nthat un index of `-1` is computed write\na zero byte to `p_val`, rusulting OOB write.\n\n```\n  p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\\0';\n```\n\nBug: 261867748\nTest: manual\nTag: #security\nIgnore-AOSP-First: security\nMerged-In: I937d22a2df26fca1d7f06b10182c4e713ddfed1b\nChange-Id: I937d22a2df26fca1d7f06b10182c4e713ddfed1b\n(cherry picked from commit 0846b5b746e844464fb728478fea3c2ad6aaef1f)\nMerged-In: I937d22a2df26fca1d7f06b10182c4e713ddfed1b","shortMessageHtmlLink":"Fix an OOB write in SDP_AddAttribute"}},{"before":"2446d592c29d146172cd1c0865926e8c205954f3","after":"b21e52a817f7007fd852632db014af431a57b822","ref":"refs/heads/cm-14.1","pushedAt":"2023-03-13T20:21:11.102Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix an OOB write in SDP_AddAttribute\n\nWhen the `attr_pad` becomes full, it is possible\nthat un index of `-1` is computed write\na zero byte to `p_val`, rusulting OOB write.\n\n```\n  p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\\0';\n```\n\nBug: 261867748\nTest: manual\nTag: #security\nIgnore-AOSP-First: security\nMerged-In: I937d22a2df26fca1d7f06b10182c4e713ddfed1b\nChange-Id: I937d22a2df26fca1d7f06b10182c4e713ddfed1b\n(cherry picked from commit 0846b5b746e844464fb728478fea3c2ad6aaef1f)\nMerged-In: I937d22a2df26fca1d7f06b10182c4e713ddfed1b","shortMessageHtmlLink":"Fix an OOB write in SDP_AddAttribute"}},{"before":"2af77b4cb4acfc7750b976f01cc363f09caaa1f5","after":"2446d592c29d146172cd1c0865926e8c205954f3","ref":"refs/heads/cm-14.1","pushedAt":"2023-03-13T20:15:30.008Z","pushType":"push","commitsCount":2,"pusher":{"login":"syphyr","name":"Deltadroid","path":"/syphyr","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5009268?s=80&v=4"},"commit":{"message":"Fix an OOB write in SDP_AddAttribute\n\nWhen the `attr_pad` becomes full, it is possible\nthat un index of `-1` is computed write\na zero byte to `p_val`, rusulting OOB write.\n\n```\n  p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\\0';\n```\n\nBug: 261867748\nTest: manual\nTag: #security\nIgnore-AOSP-First: security\nMerged-In: I937d22a2df26fca1d7f06b10182c4e713ddfed1b\nChange-Id: I937d22a2df26fca1d7f06b10182c4e713ddfed1b\n(cherry picked from commit 0846b5b746e844464fb728478fea3c2ad6aaef1f)\nMerged-In: I937d22a2df26fca1d7f06b10182c4e713ddfed1b","shortMessageHtmlLink":"Fix an OOB write in SDP_AddAttribute"}}],"hasNextPage":false,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEdkx8CgA","startCursor":null,"endCursor":null}},"title":"Activity · syphyr/android_system_bt"}