Headline
CVE-2023-40129
In build_read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
)]}'
{
  "commit": "c0151aa3ba76c785b32c7f9d16c98febe53017b1",
  "tree": "96bf9c2e4aeb3c9a5db37467c05c328039ae7d60",
  "parents": [
    "48779ff3ddafee92e4f098bdbaaf2e9f21b0957e"
  ],
  "author": {
    "name": "Hui Peng",
    "email": "[email protected]",
    "time": "Tue May 16 02:09:38 2023 +0000"
  },
  "committer": {
    "name": "Android Build Coastguard Worker",
    "email": "[email protected]",
    "time": "Thu Aug 10 17:12:27 2023 +0000"
  },
  "message": "Fix an integer underflow in build_read_multi_rsp\n\nWhen p_buf-\u003elen is mtu - 1 and p_cmd-\u003emulti_req.variable_len\nevaluates to true, integer underflow is triggered\nin the following line, resulting OOB access.\n\n```\n len \u003d p_rsp-\u003eattr_value.len - (total_len - mtu);\n```\n\nBug: 273874525\nTest: manual\nIgnore-AOSP-First: security\nTag: #security\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f4d53c7bf90b806639a3a302f0007ffb3b9f23)\nMerged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4\nChange-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "0b60a6a8db91e9e1af0bc1f1426a73f50cfc2864",
      "old_mode": 33188,
      "old_path": "system/stack/gatt/gatt_sr.cc",
      "new_id": "4c00743228252e0d2805433ad5cc663b6f169250",
      "new_mode": 33188,
      "new_path": "system/stack/gatt/gatt_sr.cc"
    }
  ]
}
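The arithmetic the commit message describes, as an added example that is not code from the AOSP tree or from the patch. It is a simplified model: the parameter names, the way total_len is built (bytes already in the response, plus the attribute value, plus a 2-byte length prefix in the variable-length form) and the guard in copy_len_checked are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, NOT the AOSP function. Assumption: total_len is the bytes
 * already in the response (buf_len) plus the attribute value (attr_len) plus,
 * for the variable-length form, a 2-byte length prefix. */

/* The expression quoted in the commit message, in 16-bit unsigned arithmetic. */
uint16_t copy_len_unchecked(uint16_t buf_len, uint16_t attr_len, uint16_t mtu,
                            bool variable_len) {
  uint16_t total_len = (uint16_t)(buf_len + attr_len);
  if (variable_len) total_len = (uint16_t)(total_len + 2);
  if (total_len > mtu) {
    /* Truncate to fit; wraps when the excess is larger than attr_len. */
    return (uint16_t)(attr_len - (total_len - mtu));
  }
  return attr_len;
}

/* Hypothetical guard: work out the remaining room first, so no subtraction can
 * go below zero. Returns false when the prefix itself does not fit. */
bool copy_len_checked(uint16_t buf_len, uint16_t attr_len, uint16_t mtu,
                      bool variable_len, uint16_t *out) {
  uint16_t prefix = variable_len ? 2 : 0;
  if (buf_len > mtu || (uint16_t)(mtu - buf_len) < prefix) return false;
  uint16_t room = (uint16_t)(mtu - buf_len - prefix);
  *out = attr_len < room ? attr_len : room;
  return true;
}

int main(void) {
  const uint16_t mtu = 23; /* constructed sample value */
  uint16_t len = 0;
  /* Response already holds mtu - 1 bytes, variable-length form. */
  printf("unchecked: %u\n", (unsigned)copy_len_unchecked(mtu - 1, 4, mtu, true));
  printf("checked fits: %d\n", copy_len_checked(mtu - 1, 4, mtu, true, &len));
  /* Ordinary truncation case: both versions agree. */
  printf("unchecked: %u\n", (unsigned)copy_len_unchecked(10, 20, mtu, true));
  if (copy_len_checked(10, 20, mtu, true, &len)) printf("checked: %u\n", (unsigned)len);
  return 0;
}
```

In this model, with buf_len at mtu - 1 and the 2-byte prefix counted, the excess is always attr_len + 1, so the unchecked length wraps to 0xFFFF whatever the attribute size.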