From c08175b5f15b161a6ba1444e1071e92b03552915 Mon Sep 17 00:00:00 2001
From: Chris Manton
Date: Mon, 8 Nov 2021 16:45:42 -0800
Subject: security: Use-After-Free in btm_sec_[dis]connected

Bug: 201083442
Tag: #security
Test: gd/cert/run
Ignore-AOSP-First: Security
Change-Id: I69c362d1eb644a3b7fd967cd526a8a58c3b4d975
---
 stack/btm/btm_sec.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index bdda174ac..eecbed5ea 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -3913,7 +3913,6 @@ static void btm_sec_connect_after_reject_timeout(UNUSED_ATTR void* data) {
 ******************************************************************************/
 void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status,
 uint8_t enc_mode) {
- tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
 uint8_t res;
 bool is_pairing_device = false;
 bool addr_matched;
@@ -3922,6 +3921,7 @@ void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status,

 btm_acl_resubmit_page();

+ tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
 if (p_dev_rec) {
 VLOG(2) << __func__ << ": Security Manager: in state: "
 << btm_pair_state_descr(btm_cb.pairing_state)
@@ -4258,7 +4258,6 @@ tBTM_STATUS btm_sec_disconnect(uint16_t handle, uint8_t reason) {
 *
 ******************************************************************************/
 void btm_sec_disconnected(uint16_t handle, uint8_t reason) {
- tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
 uint8_t old_pairing_flags = btm_cb.pairing_flags;
 int result = HCI_ERR_AUTH_FAILURE;
 tBTM_SEC_CALLBACK* p_callback = NULL;
@@ -4269,6 +4268,7 @@ void btm_sec_disconnected(uint16_t handle, uint8_t reason) {

 btm_acl_resubmit_page();

+ tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
 if (!p_dev_rec) return;

 transport =
--
cgit v1.2.3

From 4f3fdf141b248cacd7c7dd09c06d058931726c98 Mon Sep 17 00:00:00 2001
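Review bot: The added `tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);` in the btm_sec_connected hunk carries no comment saying why the lookup must sit after `btm_acl_resubmit_page()`, so a future tidy-up that hoists the declaration back to the top of the function would silently reintroduce the use-after-free this commit fixes. The commit message implies that btm_acl_resubmit_page() can invalidate the record found earlier (its body is not in the diff), so a comment on the added line such as `// Must stay after btm_acl_resubmit_page(): a record looked up earlier may be freed by it (use-after-free, Bug 201083442).` would pin the ordering. The same applies to the btm_sec_disconnected hunk in this patch and to the identical hunks in the two later copies of the change (4f3fdf141 and 64f6fb234). Both functions continue past their hunks, so the later uses of p_dev_rec are not visible here.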
From: Chris Manton
Date: Mon, 8 Nov 2021 16:45:42 -0800
Subject: security: Use-After-Free in btm_sec_[dis]connected

Bug: 201083442
Tag: #security
Test: gd/cert/run
Ignore-AOSP-First: Security
Change-Id: I69c362d1eb644a3b7fd967cd526a8a58c3b4d975
---
 stack/btm/btm_sec.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 62b1b1858..1c1ceadf6 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -4122,7 +4122,6 @@ static void btm_sec_connect_after_reject_timeout(UNUSED_ATTR void* data) {
 ******************************************************************************/
 void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status,
 uint8_t enc_mode) {
- tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
 uint8_t res;
 bool is_pairing_device = false;
 bool addr_matched;
@@ -4131,6 +4130,7 @@ void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status,

 btm_acl_resubmit_page();

+ tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
 if (p_dev_rec) {
 VLOG(2) << __func__ << ": Security Manager: in state: "
 << btm_pair_state_descr(btm_cb.pairing_state)
@@ -4464,7 +4464,6 @@ tBTM_STATUS btm_sec_disconnect(uint16_t handle, uint8_t reason) {
 *
 ******************************************************************************/
 void btm_sec_disconnected(uint16_t handle, uint8_t reason) {
- tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
 uint8_t old_pairing_flags = btm_cb.pairing_flags;
 int result = HCI_ERR_AUTH_FAILURE;
 tBTM_SEC_CALLBACK* p_callback = NULL;
@@ -4475,6 +4474,7 @@ void btm_sec_disconnected(uint16_t handle, uint8_t reason) {

 btm_acl_resubmit_page();

+ tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
 if (!p_dev_rec) return;

 transport =
--
cgit v1.2.3

From 64f6fb234738992c1472cfcf48a924a3e5c2e534 Mon Sep 17 00:00:00 2001
From: Chris Manton
Date: Mon, 8 Nov 2021 16:45:42 -0800
Subject: security: Use-After-Free in btm_sec_[dis]connected

Bug: 201083442
Tag: #security
Test: gd/cert/run
Ignore-AOSP-First: Security
Change-Id: I69c362d1eb644a3b7fd967cd526a8a58c3b4d975
---
 stack/btm/btm_sec.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index f13bbb9e9..168750140 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -4117,7 +4117,6 @@ static void btm_sec_connect_after_reject_timeout(UNUSED_ATTR void* data) {
 ******************************************************************************/
 void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status,
 uint8_t enc_mode) {
- tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
 uint8_t res;
 bool is_pairing_device = false;
 tACL_CONN* p_acl_cb;
@@ -4125,6 +4124,7 @@ void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status,

 btm_acl_resubmit_page();

+ tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
 if (p_dev_rec) {
 VLOG(2) << __func__ << ": Security Manager: in state: "
 << btm_pair_state_descr(btm_cb.pairing_state)
@@ -4457,7 +4457,6 @@ tBTM_STATUS btm_sec_disconnect(uint16_t handle, uint8_t reason) {
 *
 ******************************************************************************/
 void btm_sec_disconnected(uint16_t handle, uint8_t reason) {
- tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
 uint8_t old_pairing_flags = btm_cb.pairing_flags;
 int result = HCI_ERR_AUTH_FAILURE;
 tBTM_SEC_CALLBACK* p_callback = NULL;
@@ -4468,6 +4467,7 @@ void btm_sec_disconnected(uint16_t handle, uint8_t reason) {

 btm_acl_resubmit_page();

+ tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
 if (!p_dev_rec) return;

 transport =
--
cgit v1.2.3

From d6d753d733cdefad3c9edfda5cb2e857b0fdf5f4 Mon Sep 17 00:00:00 2001
From: Martin Brabham
Date: Fri, 29 Oct 2021 21:27:27 +0000
Subject: Reset the IRK after all devices are unpaired

Bug: 204355134
Bug: 195410559
Test: Check IRK, pair devices, unpair all devices, Check IRK
Tag: #security
Change-Id: I8e44f010a72dcdec595d81293a05f49ccc054065
Merged-In: I8e44f010a72dcdec595d81293a05f49ccc054065
---
 bta/dm/bta_dm_act.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/bta/dm/bta_dm_act.cc b/bta/dm/bta_dm_act.cc
index d1b260c19..3900594bf 100644
--- a/bta/dm/bta_dm_act.cc
+++ b/bta/dm/bta_dm_act.cc
@@ -39,6 +39,7 @@
 #include "bta_dm_int.h"
 #include "bta_sys.h"
 #include "btif_storage.h"
+#include "btif_config.h"
 #include "btm_api.h"
 #include "btm_int.h"
 #include "btu.h"
@@ -48,6 +49,7 @@
 #include "osi/include/log.h"
 #include "osi/include/osi.h"
 #include "sdp_api.h"
+#include "stack/btm/btm_ble_int.h"
 #include "stack/gatt/connection_manager.h"
 #include "stack/include/gatt_api.h"
 #include "utl.h"
@@ -705,6 +707,12 @@ void bta_dm_remove_device(const RawAddress& bd_addr) {
 if (!other_address_connected && !other_address.IsEmpty()) {
 bta_dm_process_remove_device(other_address);
 }
+
+ /* Check the length of the paired devices, and if 0 then reset IRK */
+ if (btif_storage_get_num_bonded_devices() < 1) {
+ LOG(INFO) << "Last paired device removed, resetting IRK";
+ btm_ble_reset_id();
+ }
 }

 /*******************************************************************************
--
cgit v1.2.3

From 6b3c0f6a368dbf6fe9d0d3ca625d47a69fe15d2f Mon Sep 17 00:00:00 2001
From: Martin Brabham
Date: Fri, 29 Oct 2021 21:27:27 +0000
Subject: Reset the IRK after all devices are unpaired

Bug: 204355134
Bug: 195410559
Test: Check IRK, pair devices, unpair all devices, Check IRK
Tag: #security
Change-Id: I8e44f010a72dcdec595d81293a05f49ccc054065
Merged-In: I8e44f010a72dcdec595d81293a05f49ccc054065
---
 bta/dm/bta_dm_act.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/bta/dm/bta_dm_act.cc b/bta/dm/bta_dm_act.cc
index 5ca3542b1..77c782235 100644
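Review bot: The new `#include "btif_config.h"` in the first hunk is not used by anything this patch adds — the new code in bta_dm_remove_device calls `btif_storage_get_num_bonded_devices()` and `btm_ble_reset_id()`, which are covered by btif_storage.h and the stack/btm/btm_ble_int.h include added in the second hunk — so unless a btif_config symbol is used elsewhere in bta_dm_act.cc outside the diff, it should be dropped. If it is kept, it belongs before `#include "btif_storage.h"` to keep the include block sorted. The same include is added in the other two copies of this change (6b3c0f6a3 and eb3465095).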
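Review bot: The IRK reset added at the end of bta_dm_remove_device pulls a btif storage call and a btm-internal header into the BTA layer: `btif_storage_get_num_bonded_devices()` is btif API, and `btm_ble_reset_id()` is presumably why stack/btm/btm_ble_int.h is now included rather than the public btm_api.h, so BTA depends upward on BTIF and on BTM internals; exposing the reset through the public BTM API, or doing the count-and-reset in btif_dm where the unpaired event is already handled, would keep the layering intact. Also worth confirming: the count is read right after `bta_dm_process_remove_device(other_address)`, and if the bond for bd_addr is only deleted from storage later (the storage removal is not in this diff), the check would still see it and skip the reset for the last device. `btif_storage_get_num_bonded_devices() < 1` on a count reads more naturally as `== 0`, matching the comment above it. The same hunk appears in the other two copies of the change (6b3c0f6a3 and eb3465095).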
--- a/bta/dm/bta_dm_act.cc
+++ b/bta/dm/bta_dm_act.cc
@@ -39,6 +39,7 @@
 #include "bta_dm_int.h"
 #include "bta_sys.h"
 #include "btif_storage.h"
+#include "btif_config.h"
 #include "btm_api.h"
 #include "btm_int.h"
 #include "btu.h"
@@ -47,6 +48,7 @@
 #include "osi/include/log.h"
 #include "osi/include/osi.h"
 #include "sdp_api.h"
+#include "stack/btm/btm_ble_int.h"
 #include "stack/gatt/connection_manager.h"
 #include "stack/include/gatt_api.h"
 #include "utl.h"
@@ -704,6 +706,12 @@ void bta_dm_remove_device(const RawAddress& bd_addr) {
 if (!other_address_connected && !other_address.IsEmpty()) {
 bta_dm_process_remove_device(other_address);
 }
+
+ /* Check the length of the paired devices, and if 0 then reset IRK */
+ if (btif_storage_get_num_bonded_devices() < 1) {
+ LOG(INFO) << "Last paired device removed, resetting IRK";
+ btm_ble_reset_id();
+ }
 }

 /*******************************************************************************
--
cgit v1.2.3

From eb3465095abcf7ca91e40c37423cdfe1e7cb871f Mon Sep 17 00:00:00 2001
From: Martin Brabham
Date: Fri, 29 Oct 2021 21:27:27 +0000
Subject: Reset the IRK after all devices are unpaired

Bug: 204355134
Bug: 195410559
Test: Check IRK, pair devices, unpair all devices, Check IRK
Tag: #security
Change-Id: I8e44f010a72dcdec595d81293a05f49ccc054065
Merged-In: I8e44f010a72dcdec595d81293a05f49ccc054065
---
 bta/dm/bta_dm_act.cc | 9 +++++++++
 btif/include/btif_storage.h | 3 +++
 btif/src/btif_storage.cc | 6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/bta/dm/bta_dm_act.cc b/bta/dm/bta_dm_act.cc
index 51201f537..d09ead3c7 100644
--- a/bta/dm/bta_dm_act.cc
+++ b/bta/dm/bta_dm_act.cc
@@ -38,6 +38,8 @@
 #include "bta_dm_co.h"
 #include "bta_dm_int.h"
 #include "bta_sys.h"
+#include "btif_storage.h"
+#include "btif_config.h"
 #include "btm_api.h"
 #include "btm_int.h"
 #include "btu.h"
@@ -46,6 +48,7 @@
 #include "osi/include/log.h"
 #include "osi/include/osi.h"
 #include "sdp_api.h"
+#include "stack/btm/btm_ble_int.h"
 #include "utl.h"

 #if (GAP_INCLUDED == TRUE)
@@ -690,6 +693,12 @@ void bta_dm_remove_device(const RawAddress& bd_addr) {
 if (!other_address_connected && !other_address.IsEmpty()) {
 bta_dm_process_remove_device(other_address);
 }
+
+ /* Check the length of the paired devices, and if 0 then reset IRK */
+ if (btif_storage_get_num_bonded_devices() < 1) {
+ LOG(INFO) << "Last paired device removed, resetting IRK";
+ btm_ble_reset_id();
+ }
 }

 /*******************************************************************************
diff --git a/btif/include/btif_storage.h b/btif/include/btif_storage.h
index 07d29c81a..e7bef34c8 100644
--- a/btif/include/btif_storage.h
+++ b/btif/include/btif_storage.h
@@ -290,4 +290,7 @@ bool btif_storage_get_stored_remote_name(const RawAddress& bd_addr, char* name);
 size_t btif_split_uuids_string(const char* str, bluetooth::Uuid* p_uuid,
 size_t max_uuids);

+// Get the number of bonded devices
+int btif_storage_get_num_bonded_devices(void);
+
 #endif /* BTIF_STORAGE_H */
diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc
index ef2e191eb..6bae491cf 100644
--- a/btif/src/btif_storage.cc
+++ b/btif/src/btif_storage.cc
@@ -1550,6 +1550,12 @@ bool btif_storage_is_restricted_device(const RawAddress* remote_bd_addr) {
 return btif_config_exist(remote_bd_addr->ToString(), "Restricted");
 }

+int btif_storage_get_num_bonded_devices(void) {
+ btif_bonded_devices_t bonded_devices;
+ btif_in_fetch_bonded_devices(&bonded_devices, 0);
+ return bonded_devices.num_devices;
+}
+
 /*******************************************************************************
 * Function btif_storage_load_hidd
 *
--
cgit v1.2.3
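Review bot: In the btif_storage.cc hunk, `btif_bonded_devices_t bonded_devices;` is left uninitialized and the status returned by `btif_in_fetch_bonded_devices()` is discarded, so if that helper can return early before filling in `num_devices` (its body is outside the diff), `btif_storage_get_num_bonded_devices()` returns an indeterminate value and bta_dm_remove_device may reset the IRK while bonds still exist — which breaks address resolution for the remaining bonded peers — or skip the reset when none do. Unless the helper zeroes the struct itself, initialise it with `btif_bonded_devices_t bonded_devices = {};` and decide explicitly what the function returns when the fetch fails instead of letting the caller act on whatever is in the struct. The one-line comment added to the declaration in btif_storage.h could also state that the count is recomputed on every call (the implementation caches nothing), since that matters to any caller that, judging by the helper's name, is indirectly reading bonded-device storage.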