ASB 2018.09

[MSe1969]

September ASB is out - yet w/o AOSP links . . .

Observations: a. MM is also not updated anymore b. Pixel bulletin only contains kernel references

[MSe1969]

Android Bulletin, 2018-09-01

Android Runtime

• [x] CVE-2018-9466 A-62151041 RCE High "backported", see comments
• [x] CVE-2018-9467 A-110955991 EoP High implemented

Framework

• n/a CVE-2018-9469 A-109824443 EoP High N/A: 7.1.x and above
• [x] CVE-2018-9470 A-78290481 EoP High implemented
• n/a CVE-2018-9471 A-77599679 EoP High no NanoApp.java

Library

• [x] CVE-2018-9472 A-79662501 RCE High same as CVE-2018-9466 => see comments

Media Framework

• [x] CVE-2018-9474 A-77600398 EoP High implemented
• [x] CVE-2018-9440 [2] A-77823362 DoS Moderate implemented

System

• [x] CVE-2018-9475 A-79266386 EoP Critical implemented
• [x] CVE-2018-9478 A-79217522 EoP Critical implemented, same as CVE-2018-9479
• [x] CVE-2018-9479 A-79217770 EoP Critical implemented
• [x] CVE-2018-9456 A-78136869 DoS High implemented
• n/a CVE-2018-9477 A-92497653 EoP High N/A: 8.x only
• n/a CVE-2018-9480 A-109757168 ID High N/A: 8.x and above
• n/a CVE-2018-9481 A-109757435 ID High N/A: 8.x and above
• n/a CVE-2018-9482 A-109757986 ID High N/A: 8.x and above
• [x] CVE-2018-9483 A-110216173 ID High implemented
• [x] CVE-2018-9484 A-79488381 ID High implemented
• [x] CVE-2018-9485 A-80261585 ID High implemented
• [x] CVE-2018-9486 A-80493272 ID High implemented
• n/a CVE-2018-9487 A-69873852 DoS High N/A: 8.x and above
• n/a CVE-2018-9488 A-110107376 EoP Moderate N/A: 8.x and above

Update Media Framework

• n/a CVE-2018-9411 A-79376389 RCE Critical N/A: 8.x and above
• n/a CVE-2018-9427 A-77486542 RCE Critical N/A: 8.x and above

Android Bulletin, 2018-09-05

Framework

• [x] CVE-2018-9468 A-111084083 ID High implemented

Kernel components

• n/a CVE-2017-5754 A-69856074* ID High N/A: arm64 only

Qualcomm components

• n/a CVE-2018-11816 A-63527106* High not found/not publicly avail.
• [x] CVE-2018-11261 A-64340487* High implemented
• n/a CVE-2018-11836 A-111128620 High no htt_rx.c
• n/a CVE-2018-11842 A-111124974 High no lim_send_management_frames.c
• n/a CVE-2018-11898 A-111128799 High no lim_process_mlm_req_messages.c
• n/a CVE-2017-15825 A-68992460 Moderate Boot
• n/a CVE-2018-11270 A-109741697 Moderate no dbm-1_4.c

Pixel/Nexus Bulletin

Kernel components

• [x] CVE-2018-9517 A-38159931 EoP Moderate implemented
• n/a CVE-2018-9519 A-69808833* EoP Moderate not found/not publicly avail.
• [x] CVE-2018-9516 A-71361580 EoP Moderate implemented
• n/a CVE-2018-9518 A-73083945 EoP Moderate no llcp_commands.c

Qualcomm Components

• n/a CVE-2018-11265 A-109741922 Moderate no ipc_router_core.c
• [x] CVE-2018-11273 A-109741750 [2] Moderate implemented
• n/a CVE-2018-11276 A-109741853 Moderate no arm-memlat-mon.c
• def. CVE-2018-11281 A-109741734 [2] Moderate Data HLOS - LNX - deferred
• n/a CVE-2018-11293 A-109741621 Moderate no wma_nan_datapath.c
• n/a CVE-2018-11295 A-109741911 Moderate no wma_scan_roam.c
• n/a CVE-2018-11296 A-109741886 Moderate no ol_rx.c
• n/a CVE-2018-11297 A-109741872 Moderate no wma_nan_datapath.c
• n/a CVE-2018-11298 A-109741777 Moderate no wlan_hdd_ext_scan.c
• n/a CVE-2018-11300 A-109741735 Moderate patched function not present
• n/a CVE-2018-11301 A-109741830 Moderate no dbglog_host.c

[MSe1969]

Backporting CVE-2018-9483 drives me nuts! C-Casting :( @hahnjo - I think you are more familiar with C, I'll upload the patch (i.e. my unsuccessful attempt of a backport) to the discussion repo, maybe you have a better idea - BD_ADDR is an array-typedef, which is passed to the function, and I am struggling whether now the array is passed or maybe only the pointer to its 1st element... (I don't really like C, by the way...)

[MSe1969]

0001-BACKPORT-Don-t-use-Address-after-it-was-deleted.patch is the file name

[MSe1969]

Update libxml2 to 2.9.8 I have set CVE-2018-9466 / CVE-2018-9472, which both point to the update of libxml2 to 2.9.8, to 'deferred' and added to our open CVE issue. We can't build it due to too many dependencies in the LP build tree; also usage as prebuilt (build in cm-14.1 and use compiled shared and static libs as prebuilts) won't work. So the only way, I see, is to maybe find and pick/backport the relevant single commits in the Github mirror https://github.com/GNOME/libxml2 ...? However, if Google has decided that it makes more sense to simply upgrade the lib, I doubt this will make a lot of sense...

[Micha-Btz]

I'm on vacation the next two weeks, so I can only help after this.

[hahnjo]

@MSe1969 can you post the error message that is failing the build?

The patch looks mostly good, having an array parameter in a function signature means "pass the pointer" IIRC. So maybe it's enough to say BTM_DeleteStoredLinkKey (bda, NULL); (without ampersand)?

[MSe1969]

CVE-2018-9466, CVE-2018-9467, CVE-2018-9472 - Comments Those three commits are described in the ASB as "The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an application that uses the library."

CVE-2018-9467 adds the characters '\', '#' and '?', next to '/' as terminators when parsing the host part of a URL. In our LP coding, '#' and '?' are already considered, only missing was '\', so I performed the backport accordingly - please have a look and confirm, that the backport indeed is that simple

CVE-2018-9466/CVE-2018-9472 point in the ASB to the upgrade of libxml2 to 2.9.8, which - as already outlined - is not possible, because our version is too old and there are dependencies in the build tree. So as the "next best" approach, I have taken a couple of commits from https://github.com/GNOME/libxml2 , which address parsing issues potentially leading to endless loops, or other uncaught parsing errors. please advise, whether you consider this as an appropriate approach

[MSe1969]

Hi @hahnjo - with regards to CVE-2018-9483, it is important to look at the context. Although I am pretty sure, I am not telling you anything you aren't already aware of, I would like to outline the broader context:

Our code in external/bluetooth/bluedroid is written in C, whilst the N/O/P code in system/bt is C++ The code was simply taken and, besides formatting, only adapted by Google, where C++ differs from C. And afterwards of course further fixes applied...

In the coding of CVE-2018-9483, the function parameters 'remote_bd_addr' and 'bd_addr' are in fact copied into new variables and those copies are passed on to the next functions. In O/P those are of type 'RawAddress', whilst in our LP code, the same parameters are passed as type 'BD_ADDR'. In LP, BD_ADDR is a typedef of an UINT8 length 6 array, in O/P, RawAddress is an own class (see types/raw_address.h).

My first attempt was to simply replace the declaration of the 'copy variables', simply to say e.g. BD_ADDR addr_copy = remote_bd_addr; instead of RawAddress addr_copy = remote_bd_addr; and BD_ADDR bda = p_dev_rec->bd_addr; instead of RawAddress bda = p_dev_rec->bd_addr;.

Result:

external/bluetooth/bluedroid/bta/./dm/bta_dm_act.c:4137:9: error: invalid initializer
         BD_ADDR addr_copy = remote_bd_addr;
         ^

Splitting declaration and assignment BD_ADDR addr_copy; addr_copy = remote_bd_addr; leads to

external/bluetooth/bluedroid/bta/./dm/bta_dm_act.c:4137:38: error: incompatible types when assigning to type 'BD_ADDR' from type 'UINT8 *'
         BD_ADDR addr_copy; addr_copy = remote_bd_addr;
                                      ^

And finally using 'memcpy' for array-processing (my uploaded patch file) brings

external/bluetooth/bluedroid/stack/./btm/btm_dev.c:197:5: error: passing argument 1 of 'BTM_DeleteStoredLinkKey' from incompatible pointer type [-Werror]
     BTM_DeleteStoredLinkKey (&bda, NULL);
     ^
In file included from external/bluetooth/bluedroid/stack/./btm/btm_dev.c:34:0:
external/bluetooth/bluedroid/stack/include/btm_api.h:4411:32: note: expected 'UINT8 *' but argument is of type 'UINT8 (*)[6]'
     BTM_API extern tBTM_STATUS BTM_DeleteStoredLinkKey(BD_ADDR bd_addr, tBTM_CMPL_CB *p_cb);
                                ^

My main concern meanwhile is, that I don't really understand, what 'RawAddress' really does and what is passed on to the follow-on functions. So when backporting this, I am not sure whether the follow-on functions expect a pointer to the 1st array-element or the entire array. Further looking at the original patch, I am struggling to understand the logic at all - before the patch, the "device representation" should be deleted, now - a copy of that is passed for deletion (so the 'original' remains untouched) and the code contains warnings about invalidations...

I am almost at the point to say, don't apply that back port - but as indicated, my C / C++ knowledge is limited. So if you with your deeper C / C++ knowledge understand the logic behind, you will most probably have the right idea on how to proceed...?

[hahnjo]

Ah, there's the catch and the reason why I wasn't able to find the upstream patch (looked at the old repo).

I think the problem applies to the old code as well, and my guess should have been right: You need to pass the array (the address of its first element, that's the same) and not the address of the array. For illustration purpose:

typedef int addr[8];

void foo(addr a);

void bar() {
  addr a;
  foo(a);
  // foo(&a); // expected ‘int *’ but argument is of type ‘int (*)[8]’
  foo(&a[0]);
}

So change BTM_DeleteStoredLinkKey (&bda, NULL); to BTM_DeleteStoredLinkKey (bda, NULL); and it should work. The addressof-operator is needed in C++ because it's passing the location of a member in the object.

For completeness: RawAddress is now a class in C++ which has a constructor RawAddress::RawAddress(const uint8_t (&addr)[6]). This performs a copy of the passed array, the same operation that you are now performing with a call to memcpy.

[MSe1969]

Thanks @hahnjo - it compiled now, will test later when I am done with all remaining patches. What is your thought about my approch with regards to CVE-2018-9466, CVE-2018-9467, CVE-2018-9472 (see above)?

[MSe1969]

CVE-2018-11281 deferred, would require significant further backports

[MSe1969]

Ready to test now - all uploaded, final test build running, will then flash and test. Focal areas for testing:

• Bluetooth (test with different scenarios)
• Processing of XML and HTML stuff of any kind (not sure how to test that?)
• Playing of media files
• Downloads (using Android Download manager)
• Overall behavior, so comprehensive use of various functionalities recommended

[MSe1969]

Btw, seems that CVE-2018-9475 is relevant - will analyze tomorrow

[MSe1969]

Found and added/implemented CVE-2018-9475 and CVE-2018-11261

[MSe1969]

Tested, looks good. From my point of view, ready to ship. Thoughts?

[hahnjo]

@MSe1969 sorry, didn't have time for a detailed look. Approach for libxml2 sounds ok, the project was meant to be a "best effort".

[MSe1969]

OK, thanks - I'll ship it, then

[MSe1969]

Shipped, stuff merged into stable branch - closing this issue now