{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":75635542,"defaultBranch":"lineage-19.1","name":"android_system_bt","ownerLogin":"LineageOS","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2016-12-05T14:59:35.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/24304779?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1715102729.0","currentOid":""},"activityList":{"items":[{"before":"fb268a6fb288db4222f8f710c2d71ee066281239","after":"dd99e2366adbdac7f05aa1c162f887555d2afa78","ref":"refs/heads/lineage-19.1","pushedAt":"2024-08-24T17:07:01.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Fix heap-buffer overflow in sdp_utils.cc\n\nFuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with\nan out of bounds comparison.  Although the bug claims this is due to a\ncomparison of a uuid with a smaller data field thana the discovery\nattribute, my research suggests that this instead stems from a\ncomparison of a 128 bit UUID with a discovery attribute of some other,\ninvalid size.\n\nAdd checks for discovery attribute size.\n\nBug: 287184435\nTest: atest bluetooth_test_gd_unit, net_test_stack_sdp\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:99210e2f251e2189c1eede15942c832e017404c2)\nMerged-In: Ib536cbeac454efbf6af3d713c05c8e3e077e069b\nChange-Id: Ib536cbeac454efbf6af3d713c05c8e3e077e069b","shortMessageHtmlLink":"Fix heap-buffer overflow in sdp_utils.cc"}},{"before":"b906f83ef95d9e0269218bc6e7a1c2c63d4bb683","after":"fb268a6fb288db4222f8f710c2d71ee066281239","ref":"refs/heads/lineage-19.1","pushedAt":"2024-07-18T12:07:08.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Fix an authentication bypass bug in SMP\n\nWhen pairing with BLE legacy pairing initiated\nfrom remote, authentication can be bypassed.\nThis change fixes it.\n\nBug: 251514170\nTest: m com.android.btservices\nTest: manual run against PoC\nIgnore-AOSP-First: security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a3dbadc71428a30b172a74343be08498c656747)\nMerged-In: I66b1f9a80060f48a604001829db8ea7c96c7b7f8\nChange-Id: I66b1f9a80060f48a604001829db8ea7c96c7b7f8","shortMessageHtmlLink":"Fix an authentication bypass bug in SMP"}},{"before":"18747f4a77bf18a1ae0406ab3985bda549df6a0b","after":"b906f83ef95d9e0269218bc6e7a1c2c63d4bb683","ref":"refs/heads/lineage-19.1","pushedAt":"2024-03-16T14:20:39.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Fix a security bypass issue in access_secure_service_from_temp_bond\n\nBackport I48df2c2d77810077e97d4131540277273d441998\nto rvc-dev\n\nBug: 318374503\nTest: m com.android.btservices | manual test against PoC | QA\nIgnore-AOSP-First: security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e908c16d9157b9e4a936117f06b8f964cf8386b8)\nMerged-In: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f\nChange-Id: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f","shortMessageHtmlLink":"Fix a security bypass issue in access_secure_service_from_temp_bond"}},{"before":"4c9e4c54140bb38fb8e0fe25331b3fb77dee73ca","after":"abb80f9c288fe41be36e576c6cc65a9b67286fc2","ref":"refs/heads/lineage-18.1","pushedAt":"2024-02-14T13:28:25.000Z","pushType":"push","commitsCount":7,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Merge tag 'android-security-11.0.0_r76' into staging/lineage-18.1_android-security-11.0.0_r76\n\nAndroid Security 11.0.0 Release 76 (11228177)\n\n* tag 'android-security-11.0.0_r76':\n  Revert \"Fix an OOB write bug in attp_build_value_cmd\"\n  Fix an OOB write bug in attp_build_read_by_type_value_cmd\n  Fix an OOB write bug in attp_build_value_cmd\n  Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd\n\nChange-Id: I602125a6a26280939912c7c457aeaf12e08654bf","shortMessageHtmlLink":"Merge tag 'android-security-11.0.0_r76' into staging/lineage-18.1_and…"}},{"before":"55c8adf7c16786f5419fb7d8dea8d50db8bb8968","after":"18747f4a77bf18a1ae0406ab3985bda549df6a0b","ref":"refs/heads/lineage-19.1","pushedAt":"2024-02-14T13:22:27.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Fix an OOB write bug in attp_build_read_by_type_value_cmd\n\nThis is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e\n\nBug: 297524203\nTest: m com.android.btservices\nIgnore-AOSP-First: security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)\nMerged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181\nChange-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181","shortMessageHtmlLink":"Fix an OOB write bug in attp_build_read_by_type_value_cmd"}},{"before":"6761a0734ddd7d64cc1b5a9c0a323f7efbd7ccb9","after":"4c9e4c54140bb38fb8e0fe25331b3fb77dee73ca","ref":"refs/heads/lineage-18.1","pushedAt":"2024-01-18T14:02:43.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Merge tag 'android-security-11.0.0_r75' into staging/lineage-18.1_android-security-11.0.0_r75\n\nAndroid security 11.0.0 release 75\n\n* tag 'android-security-11.0.0_r75':\n  Fix some OOB errors in BTM parsing\n\nChange-Id: I3f4ae4831a51f089cead61d91a57293f84747383","shortMessageHtmlLink":"Merge tag 'android-security-11.0.0_r75' into staging/lineage-18.1_and…"}},{"before":"294ef029fc50fa729df1cf5df5557861a08370d7","after":"55c8adf7c16786f5419fb7d8dea8d50db8bb8968","ref":"refs/heads/lineage-19.1","pushedAt":"2024-01-18T13:56:52.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"[conflict] Merge \"Fix some OOB errors in BTM parsing\" into rvc-dev am: d8ecaf17b4 am: 91f5cb80a3\n\nOriginal change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/23399019\n\nBug: 279169188\nSigned-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>\n(cherry picked from commit 71b8613d95d78817cda6c49f2a7e849ce4e99339)\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:39f169ac20960710c308079236ad3d631e6ef833)\nMerged-In: I294455124fbd06f5742b64f8bae5455f09358fe4\nChange-Id: I294455124fbd06f5742b64f8bae5455f09358fe4","shortMessageHtmlLink":"[conflict] Merge \"Fix some OOB errors in BTM parsing\" into rvc-dev am…"}},{"before":"baa369310e7d9a1be1c99b6f6709ca745de91923","after":"6761a0734ddd7d64cc1b5a9c0a323f7efbd7ccb9","ref":"refs/heads/lineage-18.1","pushedAt":"2023-12-14T14:37:15.000Z","pushType":"push","commitsCount":9,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Merge tag 'android-security-11.0.0_r74' into staging/lineage-18.1_android-security-11.0.0_r74\n\nAndroid Security 11.0.0 Release 74 (10993236)\n\n* tag 'android-security-11.0.0_r74':\n  Fix timing attack in BTM_BleVerifySignature\n  Add bounds checks in btif_avrcp_audio_track.cc\n  Enforce authentication if encryption is required\n  Reorganize the code for checking auth requirement\n  Reject access to  secure service authenticated from a temp bonding [3]\n  Reject access to secure services authenticated from temp bonding [2]\n  Reject access to secure service authenticated from a temp bonding [1]\n\nChange-Id: I2a2d098d257fc0037d8d10369a581cc06b9ac77f","shortMessageHtmlLink":"Merge tag 'android-security-11.0.0_r74' into staging/lineage-18.1_and…"}},{"before":"e2f03341ce93e2e4beeaadbf8d375fe0aca6772f","after":"294ef029fc50fa729df1cf5df5557861a08370d7","ref":"refs/heads/lineage-19.1","pushedAt":"2023-12-14T14:21:33.000Z","pushType":"push","commitsCount":9,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Add bounds checks in btif_avrcp_audio_track.cc\n\nFuzz testing reveals that the transcodeQ*ToFloat family of functions are\nnot bounds checked, causing a potential OOB write.\n\nCheck these functions against bounds of the destination array.\n\nBug: 275895309\nTest: atest bluetooth_test_gd_unit, net_test_stack_btm\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ff1a4a98c75ac9d6b850655efb1eeaae3503a511)\nMerged-In: I7d47860e7636282e3f7f1b8001aa1aa3b6d0c12e\nChange-Id: I7d47860e7636282e3f7f1b8001aa1aa3b6d0c12e","shortMessageHtmlLink":"Add bounds checks in btif_avrcp_audio_track.cc"}},{"before":"8a1550100f075f1faac39c67fbcb01032a5ea4b2","after":"e2f03341ce93e2e4beeaadbf8d375fe0aca6772f","ref":"refs/heads/lineage-19.1","pushedAt":"2023-10-09T12:59:01.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Fix an integer underflow in build_read_multi_rsp\n\nThis is a backport of Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4\nto sc-dev\n\nBug: 273874525\nTest: manual\nIgnore-AOSP-First: security\nTag: #security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d5f27984f4ca265f28a4adf5835b0198a3e19aed)\nMerged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4\nChange-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4","shortMessageHtmlLink":"Fix an integer underflow in build_read_multi_rsp"}},{"before":"7d057c89ab62916a31934f6e9a6f527fe7fc87fb","after":"8a1550100f075f1faac39c67fbcb01032a5ea4b2","ref":"refs/heads/lineage-19.1","pushedAt":"2023-09-18T13:46:56.000Z","pushType":"push","commitsCount":4,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Fix UAF in gatt_cl.cc\n\ngatt_cl.cc accesses a header field after the buffer holding it may have\nbeen freed.\n\nTrack the relevant state as a local variable instead.\n\nBug: 274617156\nTest: atest: bluetooth, validated against fuzzer\nTag: #security\nIgnore-AOSP-First: Security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7a7f7f3311202065de4b2c17b49994053dd1244)\nMerged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724\nChange-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724","shortMessageHtmlLink":"Fix UAF in gatt_cl.cc"}},{"before":"f43eff1835ba0e6f5cbb8846ea2d5af26bb67646","after":"baa369310e7d9a1be1c99b6f6709ca745de91923","ref":"refs/heads/lineage-18.1","pushedAt":"2023-09-13T10:40:54.000Z","pushType":"push","commitsCount":9,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Merge tag 'android-security-11.0.0_r71' of https://android.googlesource.com/platform/system/bt into staging/lineage-18.1_merge_android-security-11.0.0_r71\n\nAndroid security 11.0.0 release 71\n\n* tag 'android-security-11.0.0_r71' of https://android.googlesource.com/platform/system/bt:\n  Revert \"Fix a type confusion bug in bta_av_setconfig_rej\"\n  Fix UAF in gatt_cl.cc\n  Fix potential abort in btu_av_act.cc\n  Fix integer overflow in build_read_multi_rsp\n  Fix an integer overflow bug in avdt_msg_asmbl\n  Fix a type confusion bug in bta_av_setconfig_rej\n\nChange-Id: I1d8f6df13a3034d047b50177333f23da78d324f2","shortMessageHtmlLink":"Merge tag 'android-security-11.0.0_r71' of <a href=\"https://android.googlesource.com/platform/system/bt\" rel=\"nofollow\">https://android.googlesour…</a>"}},{"before":"a4092a05825680c0abfc93d43f7a33a692926f27","after":"f43eff1835ba0e6f5cbb8846ea2d5af26bb67646","ref":"refs/heads/lineage-18.1","pushedAt":"2023-07-11T12:04:00.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Merge tag 'android-security-11.0.0_r69' of https://android.googlesource.com/platform/system/bt into staging/lineage-18.1_merge_android-security-11.0.0_r69\n\nAndroid security 11.0.0 release 69\n\n* tag 'android-security-11.0.0_r69' of https://android.googlesource.com/platform/system/bt:\n  Fix gatt_end_operation buffer overflow\n\nChange-Id: I2d6c2f73ea53d832963160440b96fe7ace2bed88","shortMessageHtmlLink":"Merge tag 'android-security-11.0.0_r69' of <a href=\"https://android.googlesource.com/platform/system/bt\" rel=\"nofollow\">https://android.googlesour…</a>"}},{"before":"25d3ccb62b6561d0f3cc3b3221d1055596e5ad21","after":"7d057c89ab62916a31934f6e9a6f527fe7fc87fb","ref":"refs/heads/lineage-19.1","pushedAt":"2023-07-11T11:59:03.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Fix gatt_end_operation buffer overflow\n\nAdded boundary check for gatt_end_operation to prevent writing out of\nboundary.\n\nSince response of the GATT server is handled in\ngatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum\nlenth that can be passed into the handlers is bounded by\nGATT_MAX_MTU_SIZE, which is set to 517, which is greater than\nGATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec\nthat gaurentees MTU response to be less than or equal to 512 bytes can\ncause a buffer overflow when performing memcpy without length check.\n\nBug: 261068592\nTest: No test since not affecting behavior\nTag: #security\nIgnore-AOSP-First: security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dd7298e982e4bbf0138a490562679c9a4a755200)\nMerged-In: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873\nChange-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873","shortMessageHtmlLink":"Fix gatt_end_operation buffer overflow"}},{"before":"a9cc219898c18f1024059583ec4f9d117eb15c0d","after":"a4092a05825680c0abfc93d43f7a33a692926f27","ref":"refs/heads/lineage-18.1","pushedAt":"2023-06-11T13:48:12.748Z","pushType":"push","commitsCount":5,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Merge tag 'android-security-11.0.0_r68' of https://android.googlesource.com/platform/system/bt into staging/lineage-18.1_merge_android-security-11.0.0_r68\n\nAndroid Security 11.0.0 Release 68 (9892680)\n\n* tag 'android-security-11.0.0_r68' of https://android.googlesource.com/platform/system/bt:\n  Revert \"Revert \"Fix wrong BR/EDR link key downgrades (P_256->P_192)\"\"\n  Revert \"Revert \"[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq\"\"\n  Prevent use-after-free of HID reports\n\nChange-Id: I6e35fcf2c295e9bbc548d198dc085a8600a41542","shortMessageHtmlLink":"Merge tag 'android-security-11.0.0_r68' of <a href=\"https://android.googlesource.com/platform/system/bt\" rel=\"nofollow\">https://android.googlesour…</a>"}},{"before":"4247ed0e24dc60d868194ee884eab8adb660c782","after":"25d3ccb62b6561d0f3cc3b3221d1055596e5ad21","ref":"refs/heads/lineage-19.1","pushedAt":"2023-06-10T19:17:42.476Z","pushType":"push","commitsCount":3,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Revert \"Revert \"Fix wrong BR/EDR link key downgrades (P_256->P_192)\"\"\n\nThis reverts commit d733c86cbc06ce0ec72216b9d41e172d1939c46f.\n\nFunction btm_sec_encrypt_change() is called at most places\nwith argument \"encr_enable\" treated as bool and not as per\n(tHCI_ENCRYPT_MODE = 0/1/2) expected by the function. The\nfunction has special handling for \"encr_enable=1\" to downgrade\nthe link key type for BR/EDR case. This gets executed even\nwhen the caller/context did not mean/expect so. It appears\nthis handling in btm_sec_encrypt_change() is not necessary and\nis removed by this commit to prevent accidental execution of it.\n\nTest: Verified re-pairing with an iPhone works fine now\n\nIssue Reproduction Steps:\n1. Enable Bluetooth Hotspot on Android device (DUT).\n2. Pair and connect an iPhone to DUT.\n3. Forget this pairing on DUT.\n4. On iPhone settings, click on old DUT's paired entry to connect.\n5. iPhone notifies to click 'Forget Device' and try fresh pairing.\n6. On iPhone, after doing 'Forget Device', discover DUT again.\n7. Attempt pairing to DUT by clicking on discovered DUT entry.\n   Pairing will be unsuccessful.\n\nIssue Cause:\nDuring re-pairing, DUT is seen to downgrade\nBR/EDR link key unexpectedly from link key type 0x8\n(BTM_LKEY_TYPE_AUTH_COMB_P_256) to 0x5 (BTM_LKEY_TYPE_AUTH_COMB).\n\nLog snippet (re-pairing time):\nbtm_sec_link_key_notification set new_encr_key_256 to 1\nbtif_dm_auth_cmpl_evt: Storing link key. key_type=0x8, bond_type=1\nbtm_sec_encrypt_change new_encr_key_256 is 1\n--On DUT, HCI_Encryption_Key_Refresh_Complete event noticed---\nbtm_sec_encrypt_change new_encr_key_256 is 0\nupdated link key type to 5\nbtif_dm_auth_cmpl_evt: Storing link key. key_type=0x5, bond_type=1\n\nThis is a backport of the following patch: aosp/1890096\n\nBug: 258834033\n\nReason for revert: Reinstate original change for QPR\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:56891eedc68c86b40977191dad28d65ebf86a94f)\nMerged-In: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6\nChange-Id: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6","shortMessageHtmlLink":"Revert \"Revert \"Fix wrong BR/EDR link key downgrades (P_256-&gt;P_192)\"\""}},{"before":"3196777d4e3de590d3a955012451352ef64a21e7","after":"a9cc219898c18f1024059583ec4f9d117eb15c0d","ref":"refs/heads/lineage-18.1","pushedAt":"2023-04-17T23:56:55.000Z","pushType":"push","commitsCount":4,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Merge tag 'android-security-11.0.0_r66' of https://android.googlesource.com/platform/system/bt into staging/lineage-18.1_merge_android-security-11.0.0_r66\n\nAndroid Security 11.0.0 Release 66 (9682389)\n\n* tag 'android-security-11.0.0_r66' of https://android.googlesource.com/platform/system/bt:\n  Fix an OOB bug in register_notification_rsp\n  Fix OOB access in avdt_scb_hdl_pkt_no_frag\n\nChange-Id: I77fcfe6244a72ed279a946713f79799a98266536","shortMessageHtmlLink":"Merge tag 'android-security-11.0.0_r66' of <a href=\"https://android.googlesource.com/platform/system/bt\" rel=\"nofollow\">https://android.googlesour…</a>"}},{"before":"12a4c8ce72babda856737920f79f6a8872179876","after":"4247ed0e24dc60d868194ee884eab8adb660c782","ref":"refs/heads/lineage-19.1","pushedAt":"2023-04-17T10:40:17.000Z","pushType":"push","commitsCount":5,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Fix a use-after-free bug in AttributionProcessor::OnWakelockReleased\n\nThere is a use-after-free bug in AttributionProcessor::OnWakelockReleased\nresulted from a well-known misuse of using iterators to delete\nitems in containers (the deleted items are used for calculating the next iterator\nin the next round). This patch fix it with correct usage.\n\nNote:\n1. This is a cherry-pick of  If9f14d5fe2fbf2150f2ab0d1f90ce0f263399227\n2. The regression test is: If40eb63e00c1a97e15dcdfdbbf12fad1070cd97b\n\nBug: 254774758\nIgnore-AOSP-First: security\nTest: atest bluetooth_test_gd_unit\nChange-Id: I75576e59e0c81a82473a68a6c5ba3ce882a84f99\n(cherry picked from commit 9774aeff84a834ae4403300b5ef88f0a4635e9ac)\nMerged-In: I75576e59e0c81a82473a68a6c5ba3ce882a84f99","shortMessageHtmlLink":"Fix a use-after-free bug in AttributionProcessor::OnWakelockReleased"}},{"before":"7fbc65b85d3bfaeb02c3aada8da28e22aa267795","after":"3196777d4e3de590d3a955012451352ef64a21e7","ref":"refs/heads/lineage-18.1","pushedAt":"2023-03-22T11:22:37.000Z","pushType":"push","commitsCount":6,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Merge tag 'android-security-11.0.0_r65' of https://android.googlesource.com/platform/system/bt into staging/lineage-18.1_merge_android-security-11.0.0_r65\n\nAndroid security 11.0.0 release 65\n\n* tag 'android-security-11.0.0_r65' of https://android.googlesource.com/platform/system/bt:\n  Fix an OOB write in SDP_AddAttribute\n  Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc\n  Fix an OOB Write bug in gatt_check_write_long_terminate\n  Add bounds check in avdt_scb_act.cc\n\nChange-Id: I3d4f0d5497d148759741832634342d9cb7d5f13e","shortMessageHtmlLink":"Merge tag 'android-security-11.0.0_r65' of <a href=\"https://android.googlesource.com/platform/system/bt\" rel=\"nofollow\">https://android.googlesour…</a>"}},{"before":"0b82abb35b0cf32d129e63905cea0ea8f1c5de62","after":"12a4c8ce72babda856737920f79f6a8872179876","ref":"refs/heads/lineage-19.1","pushedAt":"2023-03-22T11:17:31.000Z","pushType":"push","commitsCount":4,"pusher":{"login":"lineageos-gerrit","name":null,"path":"/lineageos-gerrit","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24783018?s=80&v=4"},"commit":{"message":"Fix an OOB write in SDP_AddAttribute\n\nWhen the `attr_pad` becomes full, it is possible\nthat un index of `-1` is computed write\na zero byte to `p_val`, rusulting OOB write.\n\n```\n  p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\\0';\n```\n\nThis is a backport of I937d22a2df26fca1d7f06b10182c4e713ddfed1b\n\nBug: 261867748\nTest: manual\nTag: #security\nIgnore-AOSP-First: security\nChange-Id: Ibdda754e628cfc9d1706c14db114919a15d8d6b1\n(cherry picked from commit cc527a97f78a2999a0156a579e488afe9e3675b2)\nMerged-In: Ibdda754e628cfc9d1706c14db114919a15d8d6b1","shortMessageHtmlLink":"Fix an OOB write in SDP_AddAttribute"}}],"hasNextPage":false,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"Y3Vyc29yOnYyOpK7MjAyNC0wOC0yNFQxNzowNzowMS4wMDAwMDBazwAAAASjJJPv","startCursor":"Y3Vyc29yOnYyOpK7MjAyNC0wOC0yNFQxNzowNzowMS4wMDAwMDBazwAAAASjJJPv","endCursor":"Y3Vyc29yOnYyOpK7MjAyMy0wMy0yMlQxMToxNzozMS4wMDAwMDBazwAAAAMIxsHl"}},"title":"Activity · LineageOS/android_system_bt"}