In gatt_end_operation of gatt_utils.cc, there is a possible out-of-bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 1711.0, "function_hash": "147527530172533466624622267759232095927" }, "id": "ASB-A-261068592-be366593", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7236e4492470e30c129d01d521a7d218494725b4", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/gatt_utils.cc", "function": "gatt_end_operation" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "165079517157126764450332025370767053702", "68954298953311541198704172660533801470", "18332213301413389718544589642577575988" ] }, "id": "ASB-A-261068592-ddf7625e", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7236e4492470e30c129d01d521a7d218494725b4", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/gatt_utils.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7236e4492470e30c129d01d521a7d218494725b4" ], "spl": "2023-07-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "length": 1701.0, "function_hash": "324724727108349940384182174189829733316" }, "id": "ASB-A-261068592-0cc6e285", "source": "https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/gatt/gatt_utils.cc", "function": "gatt_end_operation" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "165079517157126764450332025370767053702", "68954298953311541198704172660533801470", "18332213301413389718544589642577575988" ] }, "id": "ASB-A-261068592-d0e1441b", "source": "https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/gatt/gatt_utils.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200" ], "spl": "2023-07-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "length": 1701.0, "function_hash": "324724727108349940384182174189829733316" }, "id": "ASB-A-261068592-7d66e178", "source": "https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/gatt/gatt_utils.cc", "function": "gatt_end_operation" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "165079517157126764450332025370767053702", "68954298953311541198704172660533801470", "18332213301413389718544589642577575988" ] }, "id": "ASB-A-261068592-e4612ec5", "source": "https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/gatt/gatt_utils.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200" ], "spl": "2023-07-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "length": 1701.0, "function_hash": "324724727108349940384182174189829733316" }, "id": "ASB-A-261068592-5a55bbd1", "source": "https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/gatt/gatt_utils.cc", "function": "gatt_end_operation" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "165079517157126764450332025370767053702", "68954298953311541198704172660533801470", "18332213301413389718544589642577575988" ] }, "id": "ASB-A-261068592-95946b6c", "source": "https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200", "deprecated": false, "signature_version": "v1", "target": { "file": "stack/gatt/gatt_utils.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/system/bt/+/dd7298e982e4bbf0138a490562679c9a4a755200" ], "spl": "2023-07-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "165079517157126764450332025370767053702", "68954298953311541198704172660533801470", "18332213301413389718544589642577575988" ] }, "id": "ASB-A-261068592-f5efb08d", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7236e4492470e30c129d01d521a7d218494725b4", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/gatt_utils.cc" }, "signature_type": "Line" }, { "digest": { "length": 1711.0, "function_hash": "147527530172533466624622267759232095927" }, "id": "ASB-A-261068592-f829a556", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7236e4492470e30c129d01d521a7d218494725b4", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/gatt_utils.cc", "function": "gatt_end_operation" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7236e4492470e30c129d01d521a7d218494725b4" ], "spl": "2023-07-01", "severity": "Critical", "types": [ "RCE" ] }