In attpbuildvaluecmd of attprotocol.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "14110221903912855438058865520838285717", "96289786954784120315151209674941264891", "301947428914401377370371880234052912923", "196504407100250633246575651257458747782", "91472567662480428040289100240087301204", "275187422368600918752220374183304820781", "55839518121802372096489907987216166753", "332428060753109755875526808231159728522", "185513232099437301474493101408523216295", "220532208768759993949190902421055519363", "125007687658822462701443793970748388945", "283159414515024602172586083946591827651", "329144891007060192837062170898407653721", "147787511722932757543743393726241232556", "176681060058112075481043891936815971399", "141683149303996989576102567777315931832", "124662853024012203018279806279085595949", "49937659323552973862763243590449325456", "179972565987152308395733266772701040091", "239264586812991181918785443643077580097", "210858965649663280596861914409565194902", "323198502929534331749802939093154304032", "325449528027142978704690029105311581468", "175893957253260318367636668044127057883", "210725645948194812520672404207804616841", "37126999780291473166076925868687553804", "297540907476269246488054859049307387603", "93580845581263614112489837613625596518", "296729312086369440192135083326170768002", "313581407135081199944023661844864739048", "56697825978000885594682066679029605750", "70017807537520725341085891901415670695", "323160083269779058186146836592869927052", "86506767386883301657944122986319108449" ] }, "id": "ASB-A-295887535-3116a55c", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/b927f3fb660dafaf97b2fa0398353a8c39125efc", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc" }, "signature_type": "Line" }, { "digest": { "length": 1067.0, "function_hash": "116161759212050450161068194770742124445" }, "id": "ASB-A-295887535-4712a766", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/09e48e0d5377ef56a556f9f05ed3e3e97849475e", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc", "function": "attp_build_value_cmd" }, "signature_type": "Function" }, { "digest": { "length": 1067.0, "function_hash": "116161759212050450161068194770742124445" }, "id": "ASB-A-295887535-8d6ed33f", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/b927f3fb660dafaf97b2fa0398353a8c39125efc", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc", "function": "attp_build_value_cmd" }, "signature_type": "Function" }, { "digest": { "length": 283.0, "function_hash": "101860085083949391930045778871523559507" }, "id": "ASB-A-295887535-cec6519b", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/074b81c0b0352f254735b6bbd60b0501ac55096b", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc", "function": "attp_build_value_cmd" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "262052793737009848683627949144756570883", "2620899983697621270958166135546666396", "184078637487725543100585161708176120248", "83800892356238873619038035959339635830", "187753795406610831569239171887435677017", "10594516150597866487632194291835658011", "155357051166553670530980970024261499300", "82545403040319563639188475160077374779", "83324724150684817983341373127923911730", "203384198558095525880264766775409137812", "237005054856954347995260967340181291153", "87079783638580616507108581456710399424", "281260974938958622468964608964686769420", "5527077743371978300662653713693542827", "154889491036627272244998104148351228930", "309544226748686482973683777552664711303", "77030012445074694825021361198933900180", "129102091069482238311861272735328327817", "154883086107031587622631318587316186285", "290219773632778731022141433032676660468", "243750422467433048270395897487163892153", "41067998688836944788336178267799761524", "180139992342009461178112939040310493054", "10113458376469051509692552876665558106", "247612618827287018216874507010327463887", "143490447529968365356901985941244848611", "94619543440296740648940232035493746677", "35534367727080882427743660636247049587", "304921345599723399204920995715186059693", "215098673835190249962199793817953456666", "125435103813922115751211688163559031860", "171559785174694317683889917748739218142", "230897598609613976210973818755067833219", "310644215509690840429061356632039192308", "192181489086071488585400953101708462707", "238676284701933849630504866278689618653", "332694470627817904573366130363929739898", "280370392157982657408414143547292543428", "147954308535849477449980526300476470338", "251890210818412922712515780337495244132", "235588325202940975443072493906674823874", "70904285491825525999727963804863508988", "253894583089172973802804852074566194269", "6129595709678567991445896004976141712", "198209519604318412433781101741122784299", "162952124822853211544566651464943611650", "102245364726200595160489026175501783446", "30971143604500167574321024292748922891", "133170829835068988561762674420684630454", "209778762634809918924196549257378468809", "93948448630534267037261100943563153300", "312228465099380957162740146179351674328", "175629558791262739660891295806922924227", "139575474406963129142350280687161850472", "316653482088553147247158258957556877474", "260406926021321159758925401998728449152", "248598836724628441297374636966022269176" ] }, "id": "ASB-A-295887535-eca92bd9", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/074b81c0b0352f254735b6bbd60b0501ac55096b", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "14110221903912855438058865520838285717", "96289786954784120315151209674941264891", "301947428914401377370371880234052912923", "196504407100250633246575651257458747782", "91472567662480428040289100240087301204", "275187422368600918752220374183304820781", "55839518121802372096489907987216166753", "332428060753109755875526808231159728522", "185513232099437301474493101408523216295", "220532208768759993949190902421055519363", "125007687658822462701443793970748388945", "283159414515024602172586083946591827651", "329144891007060192837062170898407653721", "147787511722932757543743393726241232556", "176681060058112075481043891936815971399", "141683149303996989576102567777315931832", "124662853024012203018279806279085595949", "49937659323552973862763243590449325456", "179972565987152308395733266772701040091", "239264586812991181918785443643077580097", "210858965649663280596861914409565194902", "323198502929534331749802939093154304032", "325449528027142978704690029105311581468", "175893957253260318367636668044127057883", "210725645948194812520672404207804616841", "37126999780291473166076925868687553804", "297540907476269246488054859049307387603", "93580845581263614112489837613625596518", "296729312086369440192135083326170768002", "313581407135081199944023661844864739048", "56697825978000885594682066679029605750", "70017807537520725341085891901415670695", "323160083269779058186146836592869927052", "86506767386883301657944122986319108449" ] }, "id": "ASB-A-295887535-ffe27136", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/09e48e0d5377ef56a556f9f05ed3e3e97849475e", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/b927f3fb660dafaf97b2fa0398353a8c39125efc", "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/074b81c0b0352f254735b6bbd60b0501ac55096b", "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/09e48e0d5377ef56a556f9f05ed3e3e97849475e" ], "spl": "2024-03-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "length": 1067.0, "function_hash": "116161759212050450161068194770742124445" }, "id": "ASB-A-295887535-156d49ec", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/a0d4425c3964f99f589d449deed2f1bbe520218c", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc", "function": "attp_build_value_cmd" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "262052793737009848683627949144756570883", "2620899983697621270958166135546666396", "184078637487725543100585161708176120248", "83800892356238873619038035959339635830", "187753795406610831569239171887435677017", "10594516150597866487632194291835658011", "155357051166553670530980970024261499300", "82545403040319563639188475160077374779", "83324724150684817983341373127923911730", "203384198558095525880264766775409137812", "237005054856954347995260967340181291153", "87079783638580616507108581456710399424", "281260974938958622468964608964686769420", "5527077743371978300662653713693542827", "154889491036627272244998104148351228930", "309544226748686482973683777552664711303", "77030012445074694825021361198933900180", "129102091069482238311861272735328327817", "154883086107031587622631318587316186285", "290219773632778731022141433032676660468", "243750422467433048270395897487163892153", "41067998688836944788336178267799761524", "180139992342009461178112939040310493054", "10113458376469051509692552876665558106", "247612618827287018216874507010327463887", "143490447529968365356901985941244848611", "94619543440296740648940232035493746677", "35534367727080882427743660636247049587", "304921345599723399204920995715186059693", "215098673835190249962199793817953456666", "125435103813922115751211688163559031860", "171559785174694317683889917748739218142", "230897598609613976210973818755067833219", "310644215509690840429061356632039192308", "192181489086071488585400953101708462707", "238676284701933849630504866278689618653", "332694470627817904573366130363929739898", "280370392157982657408414143547292543428", "147954308535849477449980526300476470338", "251890210818412922712515780337495244132", "235588325202940975443072493906674823874", "70904285491825525999727963804863508988", "253894583089172973802804852074566194269", "6129595709678567991445896004976141712", "198209519604318412433781101741122784299", "162952124822853211544566651464943611650", "102245364726200595160489026175501783446", "30971143604500167574321024292748922891", "133170829835068988561762674420684630454", "209778762634809918924196549257378468809", "93948448630534267037261100943563153300", "312228465099380957162740146179351674328", "175629558791262739660891295806922924227", "139575474406963129142350280687161850472", "316653482088553147247158258957556877474", "260406926021321159758925401998728449152", "248598836724628441297374636966022269176" ] }, "id": "ASB-A-295887535-167e8664", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6dbe94fe556ef67f3bbb7d7bb2da3320d68619df", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc" }, "signature_type": "Line" }, { "digest": { "length": 283.0, "function_hash": "101860085083949391930045778871523559507" }, "id": "ASB-A-295887535-2375428c", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6dbe94fe556ef67f3bbb7d7bb2da3320d68619df", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc", "function": "attp_build_value_cmd" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "14110221903912855438058865520838285717", "96289786954784120315151209674941264891", "301947428914401377370371880234052912923", "196504407100250633246575651257458747782", "91472567662480428040289100240087301204", "275187422368600918752220374183304820781", "55839518121802372096489907987216166753", "332428060753109755875526808231159728522", "185513232099437301474493101408523216295", "220532208768759993949190902421055519363", "125007687658822462701443793970748388945", "283159414515024602172586083946591827651", "329144891007060192837062170898407653721", "147787511722932757543743393726241232556", "176681060058112075481043891936815971399", "141683149303996989576102567777315931832", "124662853024012203018279806279085595949", "49937659323552973862763243590449325456", "179972565987152308395733266772701040091", "239264586812991181918785443643077580097", "210858965649663280596861914409565194902", "323198502929534331749802939093154304032", "325449528027142978704690029105311581468", "175893957253260318367636668044127057883", "210725645948194812520672404207804616841", "37126999780291473166076925868687553804", "297540907476269246488054859049307387603", "93580845581263614112489837613625596518", "296729312086369440192135083326170768002", "313581407135081199944023661844864739048", "56697825978000885594682066679029605750", "70017807537520725341085891901415670695", "323160083269779058186146836592869927052", "86506767386883301657944122986319108449" ] }, "id": "ASB-A-295887535-3e18e312", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/4ae5e736813bf2928bfc8c71e3dacf3b78394046", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc" }, "signature_type": "Line" }, { "digest": { "length": 1067.0, "function_hash": "116161759212050450161068194770742124445" }, "id": "ASB-A-295887535-87aa8d01", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/4ae5e736813bf2928bfc8c71e3dacf3b78394046", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc", "function": "attp_build_value_cmd" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "14110221903912855438058865520838285717", "96289786954784120315151209674941264891", "301947428914401377370371880234052912923", "196504407100250633246575651257458747782", "91472567662480428040289100240087301204", "275187422368600918752220374183304820781", "55839518121802372096489907987216166753", "332428060753109755875526808231159728522", "185513232099437301474493101408523216295", "220532208768759993949190902421055519363", "125007687658822462701443793970748388945", "283159414515024602172586083946591827651", "329144891007060192837062170898407653721", "147787511722932757543743393726241232556", "176681060058112075481043891936815971399", "141683149303996989576102567777315931832", "124662853024012203018279806279085595949", "49937659323552973862763243590449325456", "179972565987152308395733266772701040091", "239264586812991181918785443643077580097", "210858965649663280596861914409565194902", "323198502929534331749802939093154304032", "325449528027142978704690029105311581468", "175893957253260318367636668044127057883", "210725645948194812520672404207804616841", "37126999780291473166076925868687553804", "297540907476269246488054859049307387603", "93580845581263614112489837613625596518", "296729312086369440192135083326170768002", "313581407135081199944023661844864739048", "56697825978000885594682066679029605750", "70017807537520725341085891901415670695", "323160083269779058186146836592869927052", "86506767386883301657944122986319108449" ] }, "id": "ASB-A-295887535-9b81ab59", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/a0d4425c3964f99f589d449deed2f1bbe520218c", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/a0d4425c3964f99f589d449deed2f1bbe520218c", "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6dbe94fe556ef67f3bbb7d7bb2da3320d68619df", "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/4ae5e736813bf2928bfc8c71e3dacf3b78394046" ], "spl": "2024-03-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "262052793737009848683627949144756570883", "2620899983697621270958166135546666396", "184078637487725543100585161708176120248", "83800892356238873619038035959339635830", "187753795406610831569239171887435677017", "10594516150597866487632194291835658011", "155357051166553670530980970024261499300", "82545403040319563639188475160077374779", "83324724150684817983341373127923911730", "203384198558095525880264766775409137812", "237005054856954347995260967340181291153", "87079783638580616507108581456710399424", "281260974938958622468964608964686769420", "5527077743371978300662653713693542827", "154889491036627272244998104148351228930", "309544226748686482973683777552664711303", "77030012445074694825021361198933900180", "129102091069482238311861272735328327817", "154883086107031587622631318587316186285", "290219773632778731022141433032676660468", "243750422467433048270395897487163892153", "41067998688836944788336178267799761524", "180139992342009461178112939040310493054", "10113458376469051509692552876665558106", "247612618827287018216874507010327463887", "143490447529968365356901985941244848611", "94619543440296740648940232035493746677", "35534367727080882427743660636247049587", "304921345599723399204920995715186059693", "215098673835190249962199793817953456666", "125435103813922115751211688163559031860", "171559785174694317683889917748739218142", "230897598609613976210973818755067833219", "310644215509690840429061356632039192308", "192181489086071488585400953101708462707", "238676284701933849630504866278689618653", "332694470627817904573366130363929739898", "280370392157982657408414143547292543428", "147954308535849477449980526300476470338", "251890210818412922712515780337495244132", "235588325202940975443072493906674823874", "70904285491825525999727963804863508988", "253894583089172973802804852074566194269", "6129595709678567991445896004976141712", "198209519604318412433781101741122784299", "162952124822853211544566651464943611650", "102245364726200595160489026175501783446", "30971143604500167574321024292748922891", "133170829835068988561762674420684630454", "209778762634809918924196549257378468809", "93948448630534267037261100943563153300", "312228465099380957162740146179351674328", "175629558791262739660891295806922924227", "139575474406963129142350280687161850472", "316653482088553147247158258957556877474", "260406926021321159758925401998728449152", "248598836724628441297374636966022269176" ] }, "id": "ASB-A-295887535-1dc2face", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6dbe94fe556ef67f3bbb7d7bb2da3320d68619df", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc" }, "signature_type": "Line" }, { "digest": { "length": 1067.0, "function_hash": "116161759212050450161068194770742124445" }, "id": "ASB-A-295887535-50920ab5", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/a0d4425c3964f99f589d449deed2f1bbe520218c", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc", "function": "attp_build_value_cmd" }, "signature_type": "Function" }, { "digest": { "length": 1067.0, "function_hash": "116161759212050450161068194770742124445" }, "id": "ASB-A-295887535-57d20fc1", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/4ae5e736813bf2928bfc8c71e3dacf3b78394046", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc", "function": "attp_build_value_cmd" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "14110221903912855438058865520838285717", "96289786954784120315151209674941264891", "301947428914401377370371880234052912923", "196504407100250633246575651257458747782", "91472567662480428040289100240087301204", "275187422368600918752220374183304820781", "55839518121802372096489907987216166753", "332428060753109755875526808231159728522", "185513232099437301474493101408523216295", "220532208768759993949190902421055519363", "125007687658822462701443793970748388945", "283159414515024602172586083946591827651", "329144891007060192837062170898407653721", "147787511722932757543743393726241232556", "176681060058112075481043891936815971399", "141683149303996989576102567777315931832", "124662853024012203018279806279085595949", "49937659323552973862763243590449325456", "179972565987152308395733266772701040091", "239264586812991181918785443643077580097", "210858965649663280596861914409565194902", "323198502929534331749802939093154304032", "325449528027142978704690029105311581468", "175893957253260318367636668044127057883", "210725645948194812520672404207804616841", "37126999780291473166076925868687553804", "297540907476269246488054859049307387603", "93580845581263614112489837613625596518", "296729312086369440192135083326170768002", "313581407135081199944023661844864739048", "56697825978000885594682066679029605750", "70017807537520725341085891901415670695", "323160083269779058186146836592869927052", "86506767386883301657944122986319108449" ] }, "id": "ASB-A-295887535-6e6971c0", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/a0d4425c3964f99f589d449deed2f1bbe520218c", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc" }, "signature_type": "Line" }, { "digest": { "length": 283.0, "function_hash": "101860085083949391930045778871523559507" }, "id": "ASB-A-295887535-7bb89597", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6dbe94fe556ef67f3bbb7d7bb2da3320d68619df", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc", "function": "attp_build_value_cmd" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "14110221903912855438058865520838285717", "96289786954784120315151209674941264891", "301947428914401377370371880234052912923", "196504407100250633246575651257458747782", "91472567662480428040289100240087301204", "275187422368600918752220374183304820781", "55839518121802372096489907987216166753", "332428060753109755875526808231159728522", "185513232099437301474493101408523216295", "220532208768759993949190902421055519363", "125007687658822462701443793970748388945", "283159414515024602172586083946591827651", "329144891007060192837062170898407653721", "147787511722932757543743393726241232556", "176681060058112075481043891936815971399", "141683149303996989576102567777315931832", "124662853024012203018279806279085595949", "49937659323552973862763243590449325456", "179972565987152308395733266772701040091", "239264586812991181918785443643077580097", "210858965649663280596861914409565194902", "323198502929534331749802939093154304032", "325449528027142978704690029105311581468", "175893957253260318367636668044127057883", "210725645948194812520672404207804616841", "37126999780291473166076925868687553804", "297540907476269246488054859049307387603", "93580845581263614112489837613625596518", "296729312086369440192135083326170768002", "313581407135081199944023661844864739048", "56697825978000885594682066679029605750", "70017807537520725341085891901415670695", "323160083269779058186146836592869927052", "86506767386883301657944122986319108449" ] }, "id": "ASB-A-295887535-87e367d0", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/4ae5e736813bf2928bfc8c71e3dacf3b78394046", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/gatt/att_protocol.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/a0d4425c3964f99f589d449deed2f1bbe520218c", "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/6dbe94fe556ef67f3bbb7d7bb2da3320d68619df", "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/4ae5e736813bf2928bfc8c71e3dacf3b78394046" ], "spl": "2024-03-01", "severity": "Critical", "types": [ "RCE" ] }