Report failure when not able to connect to AVRCP

A crash may occur when creating a bluetooth AVRCP connection to a
device.

The code fails to check a return value from an AVRCP function
being used to index into an array. The return value may exceed the
size of the array causing memory outside the bounds of the array to be
accessed leading to memory corruption and a crash.

The fix is to ensure the return value is within the bounds of the
array before accessing the array contents. If the return value is
not within the bounds of the array report it as a failure to the
bluetooth stack.

This change is relevant for android automotive because the IVI
(in-vehicle infotainment system) acts as an AVRCP controller
which still executes this code.

Note: this is a backport of b/214569798, inducted as a non-security
issue.  Per b/226927612 it has been found to have security impact
and should be backported to earlier branches.

Bug: 226927612
Test: Manual - set return value to be out of bounds, verify no crash
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I03f89f894c759b85e555a024435b625397ef7e5c
(cherry picked from commit 6a543761f2dc3db0ebf541285a0b3b2afc83a6a6)
Merged-In: I03f89f894c759b85e555a024435b625397ef7e5c
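The pattern the commit message describes, as an added illustration that is not the patch's own code: a library call returns a value that is then used to index a fixed-size array, and the fix is to validate that value against the array's bound before the access and to return a failure status when it falls outside. The table `kTable`, the stand-in `library_index_call`, the `status_t` codes and both `get_entry_*` functions are hypothetical names chosen for this example; the real AVRCP function and array are not reproduced here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes: STATUS_BAD_INDEX stands in for "report it as a
   failure to the bluetooth stack" in the commit message. */
typedef enum { STATUS_OK = 0, STATUS_BAD_INDEX = 1 } status_t;

/* Hypothetical fixed-size table, standing in for the array the commit
   message describes. Its size is the bound every index must respect. */
#define TABLE_SIZE 4
static const char* const kTable[TABLE_SIZE] = {"slot0", "slot1", "slot2", "slot3"};

/* Stand-in for the library call whose return value is used as an index.
   It returns the caller's value unchanged so both in-range and out-of-range
   results can be exercised; the real function would compute this itself. */
static int library_index_call(int value) { return value; }

/* "Before" pattern: the return value indexes the table with no check.
   Any value outside 0..TABLE_SIZE-1 reads past the array (undefined
   behaviour), which is the crash the commit describes. Kept only for
   contrast; never call it with a value that has not been validated. */
const char* get_entry_unchecked(int value) {
  int idx = library_index_call(value);
  return kTable[idx];
}

/* "After" pattern: validate the index against the array's bound first and
   surface an error status instead of touching memory outside the array.
   The negative check comes before the size_t cast so that a negative int
   cannot wrap into a huge unsigned value. */
status_t get_entry_checked(int value, const char** out) {
  int idx = library_index_call(value);
  if (idx < 0 || (size_t)idx >= TABLE_SIZE) {
    *out = NULL;
    return STATUS_BAD_INDEX;
  }
  *out = kTable[idx];
  return STATUS_OK;
}

int main(void) {
  const char* entry = NULL;
  /* Constructed probe values: two in range, one past the end, one negative. */
  int probes[] = {0, 3, 4, -1};
  for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
    status_t st = get_entry_checked(probes[i], &entry);
    printf("index %d -> %s\n", probes[i],
           st == STATUS_OK ? entry : "rejected (out of bounds)");
  }
  return 0;
}
```

The "Test:" line of the commit message, forcing the return value out of bounds and verifying there is no crash, maps directly onto the out-of-range probes here: the checked lookup returns `STATUS_BAD_INDEX` and leaves the output pointer NULL rather than dereferencing past the table.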
1 file changed
tree: faa1123782d69cc7040880494333eaf4dc792ae1
README.md

Fluoride Bluetooth stack

Building and running on AOSP

Just build AOSP - Fluoride is there by default.

Building and running on Linux

Instructions for Ubuntu, tested on 14.04 with Clang 3.5.0 and 16.10 with Clang 3.8.0

Download source

mkdir ~/fluoride
cd ~/fluoride
git clone https://android.googlesource.com/platform/system/bt

Install dependencies (requires sudo access):

cd ~/fluoride/bt
build/install_deps.sh

Then fetch third party dependencies:

cd ~/fluoride/bt
mkdir third_party
cd third_party
git clone https://github.com/google/googletest.git
git clone https://android.googlesource.com/platform/external/aac
git clone https://android.googlesource.com/platform/external/libchrome
git clone https://android.googlesource.com/platform/external/libldac
git clone https://android.googlesource.com/platform/external/modp_b64
git clone https://android.googlesource.com/platform/external/tinyxml2

And third party dependencies of third party dependencies:

cd ~/fluoride/bt/third_party/libchrome/base/third_party
mkdir valgrind
cd valgrind
curl https://chromium.googlesource.com/chromium/src/base/+/master/third_party/valgrind/valgrind.h?format=TEXT | base64 -d > valgrind.h
curl https://chromium.googlesource.com/chromium/src/base/+/master/third_party/valgrind/memcheck.h?format=TEXT | base64 -d > memcheck.h

NOTE: If system/bt is checked out under AOSP, create symbolic links instead of downloading the sources:

cd system/bt
mkdir third_party
cd third_party
ln -s ../../../external/aac aac
ln -s ../../../external/libchrome libchrome
ln -s ../../../external/libldac libldac
ln -s ../../../external/modp_b64 modp_b64
ln -s ../../../external/tinyxml2 tinyxml2
ln -s ../../../external/googletest googletest

Generate your build files

cd ~/fluoride/bt
gn gen out/Default

Build

cd ~/fluoride/bt
ninja -C out/Default all

This will build all targets (the shared library, executables, tests, etc.) and put them in out/Default. To build an individual target, replace "all" with the target of your choice, e.g. ninja -C out/Default net_test_osi.

Run

cd ~/fluoride/bt/out/Default
LD_LIBRARY_PATH=./ ./bluetoothtbd -create-ipc-socket=fluoride

Eclipse IDE Support

  1. Follow the Chromium project Eclipse Setup Instructions up to the "Optional: Building inside Eclipse" section (skip that section; we set it up differently below)

  2. Generate Eclipse settings:

cd system/bt
gn gen --ide=eclipse out/Default

  3. In Eclipse, do File->Import->C/C++->C/C++ Project Settings and choose the XML location under system/bt/out/Default

  4. Right click on the project. Go to Preferences->C/C++ Build->Builder Settings. Uncheck "Use default build command" and use "ninja -C out/Default" instead

  5. Go to the Behaviour tab and change the clean command to "-t clean"