Merge tag 'android-security-13.0.0_r20' into staging/lineage-20.0_android-security-13.0.0_r20
Android Security 13.0.0 Release 20 (11933030)
* tag 'android-security-13.0.0_r20':
Fix heap-buffer overflow in sdp_utils.cc
Fix permission bypasses to multiple methods
Change-Id: I8df24760404b8ee416c7da7584d9b2294b896cb1
diff --git a/android/app/src/com/android/bluetooth/Utils.java b/android/app/src/com/android/bluetooth/Utils.java
index b22b3aa..6b56600 100644
--- a/android/app/src/com/android/bluetooth/Utils.java
+++ b/android/app/src/com/android/bluetooth/Utils.java
@@ -466,10 +466,10 @@
}
// STOPSHIP(b/188391719): enable this security enforcement
// attributionSource.enforceCallingUid();
- AttributionSource currentAttribution = new AttributionSource
- .Builder(context.getAttributionSource())
- .setNext(attributionSource)
- .build();
+ AttributionSource currentAttribution =
+ new AttributionSource.Builder(context.getAttributionSource())
+ .setNext(Objects.requireNonNull(attributionSource))
+ .build();
PermissionManager pm = context.getSystemService(PermissionManager.class);
if (pm == null) {
return false;
@@ -718,10 +718,10 @@
Log.e(TAG, "Permission denial: Location is off.");
return false;
}
- AttributionSource currentAttribution = new AttributionSource
- .Builder(context.getAttributionSource())
- .setNext(attributionSource)
- .build();
+ AttributionSource currentAttribution =
+ new AttributionSource.Builder(context.getAttributionSource())
+ .setNext(Objects.requireNonNull(attributionSource))
+ .build();
// STOPSHIP(b/188391719): enable this security enforcement
// attributionSource.enforceCallingUid();
PermissionManager pm = context.getSystemService(PermissionManager.class);
@@ -752,10 +752,10 @@
return false;
}
- final AttributionSource currentAttribution = new AttributionSource
- .Builder(context.getAttributionSource())
- .setNext(attributionSource)
- .build();
+ final AttributionSource currentAttribution =
+ new AttributionSource.Builder(context.getAttributionSource())
+ .setNext(Objects.requireNonNull(attributionSource))
+ .build();
// STOPSHIP(b/188391719): enable this security enforcement
// attributionSource.enforceCallingUid();
PermissionManager pm = context.getSystemService(PermissionManager.class);
@@ -790,10 +790,10 @@
return false;
}
- AttributionSource currentAttribution = new AttributionSource
- .Builder(context.getAttributionSource())
- .setNext(attributionSource)
- .build();
+ AttributionSource currentAttribution =
+ new AttributionSource.Builder(context.getAttributionSource())
+ .setNext(Objects.requireNonNull(attributionSource))
+ .build();
// STOPSHIP(b/188391719): enable this security enforcement
// attributionSource.enforceCallingUid();
PermissionManager pm = context.getSystemService(PermissionManager.class);
diff --git a/system/stack/sdp/sdp_utils.cc b/system/stack/sdp/sdp_utils.cc
index 79bb131..d67e774 100644
--- a/system/stack/sdp/sdp_utils.cc
+++ b/system/stack/sdp/sdp_utils.cc
@@ -1114,8 +1114,28 @@
******************************************************************************/
bool sdpu_compare_uuid_with_attr(const Uuid& uuid, tSDP_DISC_ATTR* p_attr) {
int len = uuid.GetShortestRepresentationSize();
- if (len == 2) return uuid.As16Bit() == p_attr->attr_value.v.u16;
- if (len == 4) return uuid.As32Bit() == p_attr->attr_value.v.u32;
+ if (len == 2) {
+ if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == Uuid::kNumBytes16) {
+ return uuid.As16Bit() == p_attr->attr_value.v.u16;
+ } else {
+ LOG(ERROR) << "invalid length for discovery attribute";
+ return (false);
+ }
+ }
+ if (len == 4) {
+ if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == Uuid::kNumBytes32) {
+ return uuid.As32Bit() == p_attr->attr_value.v.u32;
+ } else {
+ LOG(ERROR) << "invalid length for discovery attribute";
+ return (false);
+ }
+ }
+
+ if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) != Uuid::kNumBytes128) {
+ LOG(ERROR) << "invalid length for discovery attribute";
+ return (false);
+ }
+
if (memcmp(uuid.To128BitBE().data(), (void*)p_attr->attr_value.v.array,
Uuid::kNumBytes128) == 0)
return (true);