In buildreadmultirsp of gattsr.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 1856.0, "function_hash": "240925002555156140249518465647210347099" }, "id": "ASB-A-273966636-4055f2f0", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/70a4d628fa016a9487fae07f211644b95e1f0000", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/gatt_sr.cc", "function": "build_read_multi_rsp" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "2595529555414629676206999964520684550", "183504299268696529699332370268148851082", "199471212518345456923129245182522694027", "252152932270604754934792315083902041917", "51554914984240895083286702700298661153", "54865752525013115485817960974458127610", "138400960017935528663548606489186108685", "36679679188416012704038671968509033341", "122920067994958519894144405910339995677", "262658403677556901038941525980560849440", "333165447868284643075011688300903607556", "237475983115649658632985560846409519343", "13227297075605735205156259313947404717", "85253462756822884360816865997710830720" ] }, "id": "ASB-A-273966636-ae4e247b", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/70a4d628fa016a9487fae07f211644b95e1f0000", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/gatt_sr.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/70a4d628fa016a9487fae07f211644b95e1f0000" ], "spl": "2023-09-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "length": 1856.0, "function_hash": "240925002555156140249518465647210347099" }, "id": "ASB-A-273966636-9220b9a5", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/badb8ffce06b517cbcfdbfa68cb7b7e02d22494a", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/gatt_sr.cc", "function": "build_read_multi_rsp" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "2595529555414629676206999964520684550", "183504299268696529699332370268148851082", "199471212518345456923129245182522694027", "252152932270604754934792315083902041917", "51554914984240895083286702700298661153", "54865752525013115485817960974458127610", "138400960017935528663548606489186108685", "36679679188416012704038671968509033341", "122920067994958519894144405910339995677", "262658403677556901038941525980560849440", "333165447868284643075011688300903607556", "237475983115649658632985560846409519343", "13227297075605735205156259313947404717", "85253462756822884360816865997710830720" ] }, "id": "ASB-A-273966636-ebc12258", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/badb8ffce06b517cbcfdbfa68cb7b7e02d22494a", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/gatt_sr.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/badb8ffce06b517cbcfdbfa68cb7b7e02d22494a" ], "spl": "2023-09-01", "severity": "Critical", "types": [ "RCE" ] }