ASB-A-275895309

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-275895309.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-275895309
Aliases
  • A-275895309
  • CVE-2023-40087
Published
2023-12-01T00:00:00Z
Modified
2024-08-07T19:29:45.058926Z
Summary
[Bluetooth][BTIF] transcodeQ*ToFloat OOB Write
Details

In transcodeQ*ToFloat of btifavrcpaudio_track.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to paired device escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/packages/modules/Bluetooth

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14-next:0
Fixed
14-next:2023-12-01

Affected versions

Other

14-next

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 362.0,
                "function_hash": "179409621985045160296351825110415588968"
            },
            "id": "ASB-A-275895309-42699483",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/btif/src/btif_avrcp_audio_track.cc",
                "function": "transcodeQ23ToFloat"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "38423773015147842072013134283567083750",
                    "174012189830858507863955762077560044532",
                    "135633024102966060844116958453338085129",
                    "137955535784968096964447016227385160391"
                ]
            },
            "id": "ASB-A-275895309-6eb4d82a",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/btif/test/btif_avrcp_audio_track_test.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 299.0,
                "function_hash": "337201100461407330566560557139231567778"
            },
            "id": "ASB-A-275895309-73b3356e",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/btif/src/btif_avrcp_audio_track.cc",
                "function": "transcodeQ15ToFloat"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "280300558855275674199073422000799402164",
                    "107168998118329345017595707569814065066",
                    "18611739428002861618066819872890431536",
                    "228166335113269603158773669243040108266",
                    "157145627262574148936630890906564492018",
                    "242518214498169388595764073932091846869",
                    "206974252045441517950773964414720523864",
                    "157086730303617775190328394988974882937",
                    "155628381518578166635249144154909470906",
                    "152605060078863256043911922730161438363",
                    "209190599766860934952205247338007455652",
                    "36054002484998715192852893344464866982"
                ]
            },
            "id": "ASB-A-275895309-a1ff255b",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/btif/src/btif_avrcp_audio_track.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 299.0,
                "function_hash": "212496003472669476486839688612433944610"
            },
            "id": "ASB-A-275895309-ab56f426",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/btif/src/btif_avrcp_audio_track.cc",
                "function": "transcodeQ31ToFloat"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 744.0,
                "function_hash": "188602126122561855613898982677106130891"
            },
            "id": "ASB-A-275895309-d3dfec94",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/btif/test/btif_avrcp_audio_track_test.cc",
                "function": "TEST_F"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d66257f2a982558ac64a855c6106ac0391e41bbd"
    ],
    "spl": "2023-12-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/packages/modules/Bluetooth

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13:0
Fixed
13:2023-12-01

Affected versions

Other

13

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 322.0,
                "function_hash": "160839904381245494536719496155209634073"
            },
            "id": "ASB-A-275895309-0ece7682",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/46803ae95d63ee133eae83d885e7c051964dc8ed",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/btif/src/btif_avrcp_audio_track.cc",
                "function": "transcodeQ23ToFloat"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "191428222968463232427926042594146717576",
                    "253598044910384043603403844772757449644",
                    "239251536732578059726440347451173289867",
                    "40261156309124551414125193428140080670",
                    "153947787613562610819393265494878747209",
                    "250886031778227828577576943365076577525",
                    "253170039393634181199450159638815638941",
                    "40261156309124551414125193428140080670",
                    "123455794058549669091331259783262013798",
                    "323895979791774482031446368656521984397",
                    "179063609923396586946554846516084954892",
                    "40261156309124551414125193428140080670",
                    "149631365881432395763508659892935014388",
                    "131032745821785502405149665779159932548",
                    "202492912323566500215671768492095917498"
                ]
            },
            "id": "ASB-A-275895309-44e05d9f",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/46803ae95d63ee133eae83d885e7c051964dc8ed",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/btif/src/btif_avrcp_audio_track.cc"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 259.0,
                "function_hash": "145723624787213910446231391396063834514"
            },
            "id": "ASB-A-275895309-4eddd102",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/46803ae95d63ee133eae83d885e7c051964dc8ed",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/btif/src/btif_avrcp_audio_track.cc",
                "function": "transcodeQ31ToFloat"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 259.0,
                "function_hash": "67189886256562712738594874091172843917"
            },
            "id": "ASB-A-275895309-7cddce28",
            "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/46803ae95d63ee133eae83d885e7c051964dc8ed",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "system/btif/src/btif_avrcp_audio_track.cc",
                "function": "transcodeQ15ToFloat"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/46803ae95d63ee133eae83d885e7c051964dc8ed"
    ],
    "spl": "2023-12-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/packages/modules/Bluetooth

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14:0
Fixed
14:2023-12-01

Affected versions

Other

14

Ecosystem specific

{
    "fixes": [
        "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/3d7c7f4c2c514b6a62f827615cb75ba61319b115"
    ],
    "spl": "2023-12-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}