Seems like Android 9-6 have similar Bluetooth subsystem, Android 5 and 4 are different.
Android 9.0
BlueFrag experiments
Patch:
https://android.googlesource.com/platform/system/bt/+/3cb7149d8fed2d7d77ceaa95bf845224c4db3baf
Below I hit the patched condition. OK I think I got it, but somehow I cannot crash the process.
hmmmm
Actually, managed to get signed length value to memcpy()
02-16 01:44:49.096 6423 6471 W bt_hci_packet_fragmenter: reassemble_and_dispatch reassemble_and_dispatch
02-16 01:44:49.096 6423 6471 W bt_hci_packet_fragmenter: reassemble_and_dispatch partial_packet->offset 40 packet->len 304 HCI_ACL_PREAMBLE_SIZE 4
02-16 01:44:49.096 6423 6471 W bt_hci_packet_fragmenter: reassemble_and_dispatch projected_offset 340 partial_packet->len 41
02-16 01:44:49.096 6423 6471 W bt_hci_packet_fragmenter: reassemble_and_dispatch got packet which would exceed expected length of 41. Truncating.
02-16 01:44:49.096 6423 6471 W bt_hci_packet_fragmenter: reassemble_and_dispatch memcpy packet->len 1 packet->offset 4 expr -3
02-16 01:44:49.096 6423 6471 W bt_hci_packet_fragmenter: reassemble_and_dispatch partial_packet->data 0xacb14580 partial_packet->data + partial_packet->offset 0xacb145a8 packet->data 0xa553e110 packet->data + packet->offset 0xa553e114
02-16 01:44:49.097 6423 6469 W bt_hci_packet_fragmenter: fragment_and_dispatch fragment_and_dispatch
Still no crash, but should.....
In the example above, with a memcpy size of -3, this value is interpreted as an unsigned integer (4294967293) and the memcpy continues until there is a page fault due to unmapped memory and the process should terminate.
My phone in 32 bits, maybe that's why. Mobile is Samsung S3 Neo+. Using jemalloc at least at Android 9.0 tests.
¯\_(ツ)_/¯
Well it looks correctly
I suspect you have to open many connections (for some time) and somehow allocate a lot of memory before it crashes.
We are pushing here 4294967293 almost 4GB
¯\_(ツ)_/¯
Swing and leommxj found this weird behavior of Android 8:
https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fbestwing.me%2FAndroid-8.1-memcpy-func.html (Translated from Chinese)
It possibly also affect Android 9. Will check it.
Actually, it can be that this doesn't run in process context, but perhaps in interrupt context. Then maybe the fault could be hidden.
Seeme like. It does Segfaults in GDB. So possibly you can RCE/execute code:
Thread 27 "hci_thread" hit Breakpoint 2, 0x917cc470 in reassemble_and_dispatch(BT_HDR*) () from target:/system/lib/libbluetooth.so
(gdb) i r
r0 0xa9f14738 2851161912
r1 0xa28be294 2727076500
r2 0xffffffff 4294967295
r3 0x3 3
r4 0x154 340
r5 0xa28be290 2727076496
r6 0xa9f14708 2851161864
r7 0xa9f14710 2851161872
r8 0xa28be288 2727076488
r9 0x9196bda1 2442575265
r10 0x2b 43
r11 0xa28be290 2727076496
r12 0x903131a0 2419143072
sp 0x90313680 0x90313680
lr 0x917cc445 -1854094267
pc 0x917cc470 0x917cc470 <reassemble_and_dispatch(BT_HDR*)+864>
cpsr 0x800e0030 -2146566096
fpscr 0x20000011 536870929
(gdb) stepi
[New LWP 2187]
0x916f4e90 in __aeabi_memcpy@plt () from target:/system/lib/libbluetooth.so
(gdb)
0x916f4e94 in __aeabi_memcpy@plt () from target:/system/lib/libbluetooth.so
(gdb)
0x916f4e98 in __aeabi_memcpy@plt () from target:/system/lib/libbluetooth.so
(gdb) disass
Dump of assembler code for function __aeabi_memcpy@plt:
0x916f4e90 <+0>: add r12, pc, #2097152 ; 0x200000
0x916f4e94 <+4>: add r12, r12, #208, 20 ; 0xd0000
=> 0x916f4e98 <+8>: ldr pc, [r12, #2824]! ; 0xb08
End of assembler dump.
(gdb) stepi
0xab920fa6 in __aeabi_memcpy_impl2 () from target:/system/lib/libc.so
(gdb)
0xab994b08 in ?? () from target:/system/lib/libc.so
(gdb)
0xab994b0c in ?? () from target:/system/lib/libc.so
(gdb)
0xab994b10 in ?? () from target:/system/lib/libc.so
(gdb)
0xab91e454 in memcpy@plt () from target:/system/lib/libc.so
(gdb)
0xab91e458 in memcpy@plt () from target:/system/lib/libc.so
(gdb) disass
Dump of assembler code for function memcpy@plt:
0xab91e454 <+0>: add r12, pc, #0, 12
=> 0xab91e458 <+4>: add r12, r12, #140, 20 ; 0x8c000
0xab91e45c <+8>: ldr pc, [r12, #408]! ; 0x198
End of assembler dump.
(gdb) stepi
0xab91e45c in memcpy@plt () from target:/system/lib/libc.so
(gdb)
0xab921e60 in memcpy () from target:/system/lib/libc.so
(gdb)
0xab921e64 in memcpy () from target:/system/lib/libc.so
(gdb) disass
Dump of assembler code for function memcpy:
0xab921e60 <+0>: pld [r1, #64] ; 0x40
=> 0xab921e64 <+4>: stmdb sp!, {r0, lr}
0xab921e68 <+8>: cmp r2, #4
0xab921e6a <+10>: blt.w 0xab921fb0 <memcpy+336>
0xab921e6e <+14>: cmp r2, #16
0xab921e70 <+16>: blt.w 0xab921f9a <memcpy+314>
0xab921e74 <+20>: cmp r2, #32
0xab921e76 <+22>: blt.w 0xab921f8a <memcpy+298>
0xab921e7a <+26>: cmp r2, #64 ; 0x40
0xab921e7c <+28>: blt.n 0xab921f7e <memcpy+286>
0xab921e7e <+30>: mov.w r12, r2, lsr #6
0xab921e82 <+34>: cmp.w r12, #10
0xab921e86 <+38>: ble.n 0xab921f62 <memcpy+258>
0xab921e88 <+40>: stmdb sp!, {r9, r10}
0xab921e8c <+44>: cmp.w r12, #64 ; 0x40
0xab921e90 <+48>: ble.n 0xab921f28 <memcpy+200>
0xab921e92 <+50>: add.w lr, r0, #1024 ; 0x400
0xab921e96 <+54>: add.w r9, r1, #640 ; 0x280
0xab921e9a <+58>: sub.w lr, lr, r9
0xab921e9e <+62>: mov.w lr, lr, lsl #21
0xab921ea2 <+66>: mov.w lr, lr, lsr #21
0xab921ea6 <+70>: add.w lr, lr, #640 ; 0x280
--Type <RET> for more, q to quit, c to continue without paging--
0xab921eaa <+74>: cmp.w r12, lr, lsr #6
0xab921eae <+78>: ble.n 0xab921f28 <memcpy+200>
0xab921eb0 <+80>: itt gt
0xab921eb2 <+82>: movgt.w r9, #10
0xab921eb6 <+86>: rsbsgt r9, r9, lr, lsr #6
0xab921eba <+90>: ble.n 0xab921f28 <memcpy+200>
0xab921ebc <+92>: add.w r10, r1, lr
0xab921ec0 <+96>: bic.w r10, r10, #63 ; 0x3f
0xab921ec4 <+100>: sub.w r12, r12, lr, lsr #6
0xab921ec8 <+104>: cmp r9, r12
0xab921eca <+106>: itee le
0xab921ecc <+108>: suble.w r12, r12, r9
0xab921ed0 <+112>: movgt r9, r12
0xab921ed2 <+114>: movgt.w r12, #0
0xab921ed6 <+118>: pld [r1, #576] ; 0x240
0xab921eda <+122>: pld [r1, #640] ; 0x280
0xab921ede <+126>: vld1.32 {d0-d3}, [r1]!
0xab921ee2 <+130>: vld1.32 {d4-d7}, [r1]!
0xab921ee6 <+134>: ldr.w r3, [r10]
0xab921eea <+138>: subs.w r9, r9, #1
0xab921eee <+142>: vst1.32 {d0-d3}, [r0]!
0xab921ef2 <+146>: vst1.32 {d4-d7}, [r0]!
0xab921ef6 <+150>: add.w r10, r10, #64 ; 0x40
--Type <RET> for more, q to quit, c to continue without paging--
0xab921efa <+154>: bne.n 0xab921eda <memcpy+122>
0xab921efc <+156>: cmp.w r12, #0
0xab921f00 <+160>: beq.n 0xab921f5a <memcpy+250>
0xab921f02 <+162>: cmp.w r12, #8192 ; 0x2000
0xab921f06 <+166>: blt.n 0xab921f3c <memcpy+220>
0xab921f08 <+168>: vld1.32 {d0-d3}, [r1]!
0xab921f0c <+172>: vld1.32 {d4-d7}, [r1]!
0xab921f10 <+176>: pld [r10]
0xab921f14 <+180>: subs.w r12, r12, #1
0xab921f18 <+184>: vst1.32 {d0-d3}, [r0]!
0xab921f1c <+188>: vst1.32 {d4-d7}, [r0]!
0xab921f20 <+192>: add.w r10, r10, #64 ; 0x40
0xab921f24 <+196>: bne.n 0xab921f08 <memcpy+168>
0xab921f26 <+198>: b.n 0xab921f5a <memcpy+250>
0xab921f28 <+200>: movw lr, #640 ; 0x280
0xab921f2c <+204>: add.w r10, r1, #640 ; 0x280
0xab921f30 <+208>: bic.w r10, r10, #63 ; 0x3f
0xab921f34 <+212>: sub.w r12, r12, #10
0xab921f38 <+216>: ldr.w r3, [r10, #-64]
0xab921f3c <+220>: vld1.32 {d0-d3}, [r1]!
0xab921f40 <+224>: vld1.32 {d4-d7}, [r1]!
0xab921f44 <+228>: ldr.w r3, [r10]
0xab921f48 <+232>: subs.w r12, r12, #1
--Type <RET> for more, q to quit, c to continue without paging--
0xab921f4c <+236>: vst1.32 {d0-d3}, [r0]!
0xab921f50 <+240>: vst1.32 {d4-d7}, [r0]!
0xab921f54 <+244>: add.w r10, r10, #64 ; 0x40
0xab921f58 <+248>: bne.n 0xab921f3c <memcpy+220>
0xab921f5a <+250>: mov.w r12, lr, lsr #6
0xab921f5e <+254>: ldmia.w sp!, {r9, r10}
0xab921f62 <+258>: vld1.32 {d16-d19}, [r1]!
0xab921f66 <+262>: vld1.32 {d20-d23}, [r1]!
0xab921f6a <+266>: subs.w r12, r12, #1
0xab921f6e <+270>: vst1.32 {d16-d19}, [r0]!
0xab921f72 <+274>: vst1.32 {d20-d23}, [r0]!
0xab921f76 <+278>: bne.n 0xab921f62 <memcpy+258>
0xab921f78 <+280>: ands.w r2, r2, #63 ; 0x3f
0xab921f7c <+284>: beq.n 0xab921fc2 <memcpy+354>
0xab921f7e <+286>: lsls r3, r2, #27
0xab921f80 <+288>: bcc.n 0xab921f8a <memcpy+298>
0xab921f82 <+290>: vld1.32 {d0-d3}, [r1]!
0xab921f86 <+294>: vst1.32 {d0-d3}, [r0]!
0xab921f8a <+298>: bpl.n 0xab921f9a <memcpy+314>
0xab921f8c <+300>: vld1.32 {d16-d17}, [r1]!
0xab921f90 <+304>: vst1.32 {d16-d17}, [r0]!
0xab921f94 <+308>: ands.w r2, r2, #15
0xab921f98 <+312>: beq.n 0xab921fc2 <memcpy+354>
--Type <RET> for more, q to quit, c to continue without paging--
0xab921f9a <+314>: lsls r3, r2, #29
0xab921f9c <+316>: bcc.n 0xab921fa6 <memcpy+326>
0xab921f9e <+318>: vld1.8 {d0}, [r1]!
0xab921fa2 <+322>: vst1.8 {d0}, [r0]!
0xab921fa6 <+326>: bge.n 0xab921fb0 <memcpy+336>
0xab921fa8 <+328>: vld4.8 {d0[0],d1[0],d2[0],d3[0]}, [r1]!
0xab921fac <+332>: vst4.8 {d0[0],d1[0],d2[0],d3[0]}, [r0]!
0xab921fb0 <+336>: lsls r2, r2, #31
0xab921fb2 <+338>: itt cs
0xab921fb4 <+340>: ldrhcs.w r3, [r1], #2
0xab921fb8 <+344>: strhcs.w r3, [r0], #2
0xab921fbc <+348>: itt mi
0xab921fbe <+350>: ldrbmi r3, [r1, #0]
0xab921fc0 <+352>: strbmi r3, [r0, #0]
0xab921fc2 <+354>: pop {r0, pc}
End of assembler dump.
(gdb) stepi
[New LWP 2188]
0xab921e68 in memcpy () from target:/system/lib/libc.so
(gdb)
0xab921e6a in memcpy () from target:/system/lib/libc.so
(gdb)
0xab921fb0 in memcpy () from target:/system/lib/libc.so
(gdb)
0xab921fb2 in memcpy () from target:/system/lib/libc.so
(gdb)
0xab921fb4 in memcpy () from target:/system/lib/libc.so
(gdb)
0xab921fb8 in memcpy () from target:/system/lib/libc.so
(gdb)
Thread 49 "Binder:777_7" received signal SIGSEGV, Segmentation fault.
[Switching to LWP 2188]
0xa96c9708 in ?? ()
(gdb)
[New LWP 2189]
[New LWP 2190]
process 777 is executing new program: /system/bin/crash_dump32
Warning:
Cannot insert breakpoint 2.
Cannot access memory at address 0x917cc470
(gdb) cont
Continuing.
Warning:
Cannot insert breakpoint 2.
Cannot access memory at address 0x917cc470
Command
Sample crash on antother iteration (PIDs and offsets will be different):
02-19 21:23:03.676 2212 2245 F libc : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xaa1f5f52 in tid 2245 (hci_thread), pid 2212 (droid.bluetooth)
02-19 21:22:59.332 617 729 E WifiScanner: listener cannot be found
02-19 21:23:03.950 2371 2371 I chatty : uid=1002(bluetooth) crash_dump32 expire 125 lines
02-19 21:23:04.149 409 409 I /system/bin/tombstoned: received crash request for pid 2245
02-19 21:23:04.325 2371 2371 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
02-19 21:23:04.325 2371 2371 F DEBUG : LineageOS Version: '16.0-20200216-UNOFFICIAL-s3ve3gjv'
02-19 21:23:04.326 2371 2371 F DEBUG : Build fingerprint: 'samsung/s3ve3gxx/s3ve3g:4.4.2/KOT49H/I9301IXXUANL1:user/release-keys'
02-19 21:23:04.326 2371 2371 F DEBUG : Revision: '0'
02-19 21:23:04.327 2371 2371 F DEBUG : ABI: 'arm'
02-19 21:23:04.327 2371 2371 F DEBUG : pid: 2212, tid: 2245, name: hci_thread >>> com.android.bluetooth <<<
02-19 21:23:04.327 2371 2371 F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xaa1f5f52
02-19 21:23:04.327 2371 2371 F DEBUG : r0 00000400 r1 00000400 r2 919ef025 r3 9041967c
02-19 21:23:04.328 2371 2371 F DEBUG : r4 919eeda1 r5 00000005 r6 6e61166f r7 a9f14710
02-19 21:23:04.328 2371 2371 F DEBUG : r8 a28be288 r9 919eeda1 r10 0000002b r11 a28be290
02-19 21:23:04.328 2371 2371 F DEBUG : ip 00000400 sp 90419258 lr abda4160 pc aa1f5f52
02-19 21:23:04.355 2371 2371 F DEBUG :
02-19 21:23:04.355 2371 2371 F DEBUG : backtrace:
02-19 21:23:04.355 2371 2371 F DEBUG : #00 pc 0232ff52 /system/framework/framework-res.apk (offset 0x2313000)
02-19 21:23:04.448 617 729 E WifiScanner: listener cannot be found
02-19 21:23:05.118 409 409 E /system/bin/tombstoned: Tombstone written to: /data/tombstones/tombstone_05
02-19 21:23:05.120 2245 2245 I chatty : uid=1002(bluetooth) com.android.bluetooth expire 1 line
02-19 21:23:05.132 303 303 I Zygote : Process 2212 exited due to signal (11)
02-19 21:23:05.143 617 638 I BootReceiver: Copying /data/tombstones/tombstone_05 to DropBox (SYSTEM_TOMBSTONE)
Android 8.1.0
01-01 02:35:50.429 1496 1594 D bt_btif_dm: remote version info [00:1a:7d:da:71:13]: 0, 0, 0
01-01 02:35:50.430 1496 1594 E BluetoothRemoteDevices: aclStateChangeCallback: device is NULL, address=00:1A:7D:DA:71:13, newState=0
01-01 02:35:50.475 1496 1765 W bt_hci_packet_fragmenter: reassemble_and_dispatch got packet which would exceed expected length of 209. Truncating.
01-01 02:35:50.476 1496 1945 W bt_l2cap: L2CAP - Invalid MTU Size
01-01 02:35:50.478 1496 1765 W bt_hci_packet_fragmenter: reassemble_and_dispatch got continuation for unknown packet. Dropping it.
01-01 02:35:50.482 1496 1765 W bt_hci_packet_fragmenter: reassemble_and_dispatch found l2cap full length 201 less than the hci length 683.
01-01 02:35:50.482 1496 1945 W bt_l2cap: L2CAP - bad length in pkt. Exp: 201 Act: 675
01-01 02:35:50.484 1496 1765 W bt_hci_packet_fragmenter: reassemble_and_dispatch got continuation for unknown packet. Dropping it.
01-01 02:35:50.487 1496 1765 W bt_hci_packet_fragmenter: reassemble_and_dispatch got continuation for unknown packet. Dropping it.
01-01 02:35:50.490 1496 1765 W bt_hci_packet_fragmenter: reassemble_and_dispatch found l2cap full length 201 less than the hci length 683.
01-01 02:35:50.491 1496 1945 W bt_l2cap: L2CAP - bad length in pkt. Exp: 201 Act: 675
01-01 02:35:50.493 1496 1765 W bt_hci_packet_fragmenter: reassemble_and_dispatch got continuation for unknown packet. Dropping it.
01-01 02:35:52.576 1496 1945 I bt_btm_sec: btm_sec_disconnected clearing pending flag handle:3 reason:19
Android 7.1.2
12-31 13:13:53.209 2820 2855 W bt_hci_packet_fragmenter: reassemble_and_dispatch found l2cap full length 201 less than the hci length 683.
12-31 13:13:53.209 2820 2878 W bt_l2cap: L2CAP - bad length in pkt. Exp: 201 Act: 675
12-31 13:13:53.214 2820 2855 W bt_hci_packet_fragmenter: reassemble_and_dispatch got continuation for unknown packet. Dropping it.
12-31 13:13:53.217 2820 2855 W bt_hci_packet_fragmenter: reassemble_and_dispatch got continuation for unknown packet. Dropping it.
12-31 13:13:53.221 2820 2855 W bt_hci_packet_fragmenter: reassemble_and_dispatch found l2cap full length 201 less than the hci length 683.
12-31 13:13:53.221 2820 2878 W bt_l2cap: L2CAP - bad length in pkt. Exp: 201 Act: 675
12-31 13:13:53.223 2820 2855 W bt_hci_packet_fragmenter: reassemble_and_dispatch got continuation for unknown packet. Dropping it.
12-31 13:13:53.231 2820 2855 W bt_hci_packet_fragmenter: reassemble_and_dispatch got packet which would exceed expected length of 209. Truncating.
12-31 13:13:53.231 2820 2878 W bt_l2cap: L2CAP - Invalid MTU Size
12-31 13:13:53.233 2820 2855 W bt_hci_packet_fragmenter: reassemble_and_dispatch got continuation for unknown packet. Dropping it.
Android 6.0.1
01-01 01:09:12.828 4314 4340 E BluetoothRemoteDevices: aclStateChangeCallback: Device is NULL
01-01 01:09:12.839 4314 4455 W bt_hci_packet_fragmenter: reassemble_and_dispatch got packet which would exceed expected length of 209. Truncating.
01-01 01:09:12.839 4314 4456 W bt_l2cap: L2CAP - Invalid MTU Size
01-01 01:09:12.841 4314 4455 W bt_hci_packet_fragmenter: reassemble_and_dispatch got continuation for unknown packet. Dropping it.
01-01 01:09:12.847 4314 4455 W bt_hci_packet_fragmenter: reassemble_and_dispatch got packet which would exceed expected length of 209. Truncating.
01-01 01:09:12.847 4314 4456 W bt_l2cap: L2CAP ignoring duplicate echo request (1)
01-01 01:09:12.847 4314 4456 W bt_l2cap: L2CAP - Invalid MTU Size
01-01 01:09:12.850 4314 4455 W bt_hci_packet_fragmenter: reassemble_and_dispatch got continuation for unknown packet. Dropping it.
01-01 01:09:12.854 4314 4455 E bt_hci_packet_fragmenter: reassemble_and_dispatch Invalid L2cap length : 201 :return .
01-01 01:09:12.856 4314 4455 W bt_hci_packet_fragmenter: reassemble_and_dispatch got continuation for unknown packet. Dropping it.
01-01 01:09:14.931 4314 4456 I bt_btm_sec: btm_sec_disconnected clearing pending flag handle:1 reason:19
01-01 01:09:14.931 4314 4456 W bt_l2cap: L2CA_SetDesireRole() new:x0, disallow_switch:0
01-01 01:09:14.931 4314 4340 E BluetoothRemoteDevices: aclStateChangeCallback: Device is NULL
Android 5.1.1
E/bt_mct ( 2413): Unable to acquire buffer for incoming HCI message.
E/bt_mct ( 2413): Invalid L2CAP Con't Packet: return NULL
E/bt_mct ( 2413): Unable to acquire buffer for incoming HCI message.
W/bt_mct ( 2413): dropping incomplete ACL frame
Android 4.3
E/bt_h4 ( 6647): H4 - ACL frames reassembly failed:
E/bt_h4 ( 6647): Total length of all segmented packets exceeds the original PDU length [CID:0x0001].
W/bt_h4 ( 6647): H4 - dropping invalid ACL frames
E/bt_h4 ( 6647): H4: Unable to acquire buffer for incoming HCI message.
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: GKI_exception(): Task State Table
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: TASK ID [0] task name [BTU] state [1]
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: TASK ID [1] task name [BTIF] state [1]
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: TASK ID [2] task name [A2DP-MEDIA] state [1]
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: GKI_exception 65535 Send - Buffer corrupted#####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception:
E/GKI_LINUX( 6647): ********************************************************************
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: * GKI_exception(): 65535 Send - Buffer corrupted
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: ********************************************************************
E/GKI_LINUX( 6647): #####
E/bt_h4 ( 6647): H4: Unable to acquire buffer for incoming HCI message.
D/IOP_DB_BT( 6647): db_query_create: id EnforceMasterRole :: key KEY_BDADDR, value 00:1a:7d:da:71:13
D/IOP_DB_BT( 6647): db_query_add_key: key KEY_LMP_MFCT, value 10
D/IOP_DB_BT( 6647): db_query_add_key: key KEY_LMP_VER, value 6:8891
D/IOP_DB_BT( 6647): db_query_add_key: key KEY_DIR_ALL, value *
E/bt_h4 ( 6647): H4: Unable to acquire buffer for incoming HCI message.
D/IOP_DB_BT( 6647): db_query_execute: result 1
D/ ( 6647): remote version info [00:1a:7d:da:71:13]: 6, a, 22bb
D/BluetoothRemoteDevices( 6647): aclStateChangeCallback: State:Connected to Device:00:1A:7D:DA:71:13
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: GKI_exception(): Task State Table
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: TASK ID [0] task name [BTU] state [1]
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: TASK ID [1] task name [BTIF] state [1]
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: TASK ID [2] task name [A2DP-MEDIA] state [1]
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: GKI_exception 65535 Send - Buffer corrupted#####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception:
E/GKI_LINUX( 6647): ********************************************************************
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: * GKI_exception(): 65535 Send - Buffer corrupted
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: ********************************************************************
E/GKI_LINUX( 6647): #####
E/bt_h4 ( 6647): H4: Unable to acquire buffer for incoming HCI message.
E/bt_h4 ( 6647): H4: Unable to acquire buffer for incoming HCI message.
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: GKI_exception(): Task State Table
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: TASK ID [0] task name [BTU] state [1]
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: TASK ID [1] task name [BTIF] state [1]
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: TASK ID [2] task name [A2DP-MEDIA] state [1]
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: GKI_exception 65535 Send - Buffer corrupted#####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception:
E/GKI_LINUX( 6647): ********************************************************************
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: * GKI_exception(): 65535 Send - Buffer corrupted
E/GKI_LINUX( 6647): #####
E/GKI_LINUX( 6647): ##### ERROR : GKI_exception: ********************************************************************
E/GKI_LINUX( 6647): #####
E/bt_h4 ( 6647): H4: Unable to acquire buffer for incoming HCI message.
D/BluetoothRemoteDevices( 6647): Remote Device name is: N20180019
D/KeyguardViewMediator( 2341): Received android.bluetooth.device.action.ACL_CONNECTED deviceClass = 268
V/BluetoothEventManager( 4184): Received android.bluetooth.device.action.NAME_CHANGED
D/BluetoothDevicePreference( 4184): Is my device connected::false
I/BluetoothDevicePreference( 4184): summaryResId else part
D/ProgressBar( 4184): setProgress = 0
D/ProgressBar( 4184): setProgress = 0, fromUser = false
D/ProgressBar( 4184): mProgress = 0mIndeterminate = false, mMin = 0, mMax = 100
D/AbsListView( 4184): unregisterIRListener() is called
D/BluetoothNotiBroadcastReceiver( 4184): onReceive
D/ProgressBar( 4184): setProgress = 0
D/ProgressBar( 4184): setProgress = 0, fromUser = false
D/ProgressBar( 4184): mProgress = 0mIndeterminate = false, mMin = 0, mMax = 100
D/AbsListView( 4184): unregisterIRListener() is called
D/SSRMv2:Monitor( 2341): SIOP:: AP = 300 (read only)
D/ProgressBar( 4184): setProgress = 0
D/ProgressBar( 4184): setProgress = 0, fromUser = false
D/ProgressBar( 4184): mProgress = 0mIndeterminate = false, mMin = 0, mMax = 100
D/AbsListView( 4184): unregisterIRListener() is called
D/btif_config_util( 6647): btif_config_save_file(L181): in file name:/data/misc/bluedroid/bt_config.new
D/ProgressBar( 4184): setProgress = 0
D/ProgressBar( 4184): setProgress = 0, fromUser = false
D/ProgressBar( 4184): mProgress = 0mIndeterminate = false, mMin = 0, mMax = 100
D/AbsListView( 4184): unregisterIRListener() is called
D/IOP_DB_BT( 6647): db_query_create: id DisablePwlCtrReq :: key KEY_BDADDR, value 00:1a:7d:da:71:13
D/IOP_DB_BT( 6647): db_query_add_key: key KEY_LMP_MFCT, value 10
D/IOP_DB_BT( 6647): db_query_add_key: key KEY_LMP_VER, value 6:8891
D/IOP_DB_BT( 6647): db_query_add_key: key KEY_DIR_ALL, value *
D/IOP_DB_BT( 6647): db_query_execute: result 1
D/BluetoothRemoteDevices( 6647): aclStateChangeCallback: State:DisConnected to Device:00:1A:7D:DA:71:13
V/BluetoothEventManager( 4184): Received android.bluetooth.device.action.ACL_DISCONNECTED
E/BluetoothEventManager( 4184): ACTION_ACL_DISCONNECTED
D/BleAutoConnectService( 6647): android.bluetooth.device.action.ACL_DISCONNECTED
D/BleAutoConnectService( 6647): ACTION_ACL_DISCONNECTED, reason is 19linktype is 1
I/NfcService( 2661): android.bluetooth.device.action.ACL_DISCONNECTED, restart
D/BleAutoConnectService( 6647): getAddress() - address ==> null
D/KeyguardViewMediator( 2341): Received android.bluetooth.device.action.ACL_DISCONNECTED connectedBTforSmartLock = false
I/NfcService( 2661): Disabling NFC
D/NfcService( 2661): updateState : newSate = 4 mState = 4
D/BluetoothDevicePreference( 4184): Is my device connected::false
I/BluetoothDevicePreference( 4184): summaryResId else part
I/SecNdefService( 2661): enableDisable(sendEnable=false,receiveEnable=false)
I/SecNdefService( 2661): stopSecNdefService()size=1
I/SecNdefService( 2661): stopServer() : SAP(21).
E/NdefPushServer( 2661): IO error
E/NdefPushServer( 2661): java.io.IOException
E/NdefPushServer( 2661): at com.android.nfc.dhimpl.NativeLlcpServiceSocket.accept(NativeLlcpServiceSocket.java:42)
E/NdefPushServer( 2661): at com.android.nfc.ndefpush.NdefPushServer$ServerThread.run(NdefPushServer.java:160)
E/SnepServer( 2661): IO error
E/SnepServer( 2661): java.io.IOException
E/SnepServer( 2661): at com.android.nfc.dhimpl.NativeLlcpServiceSocket.accept(NativeLlcpServiceSocket.java:42)
E/SnepServer( 2661): at com.android.nfc.snep.SnepServer$ServerThread.run(SnepServer.java:211)
E/SnepServer( 2661): IO error
E/SnepServer( 2661): java.io.IOException
E/SnepServer( 2661): at com.android.nfc.dhimpl.NativeLlcpServiceSocket.accept(NativeLlcpServiceSocket.java:42)
E/SnepServer( 2661): at com.android.nfc.snep.SnepServer$ServerThread.run(SnepServer.java:211)
E/HandoverServer( 2661): IO error
E/HandoverServer( 2661): java.io.IOException
E/HandoverServer( 2661): at com.android.nfc.dhimpl.NativeLlcpServiceSocket.accept(NativeLlcpServiceSocket.java:42)
E/HandoverServer( 2661): at com.android.nfc.handover.HandoverServer$ServerThread.run(HandoverServer.java:108)
I/SecNdefService( 2661): Stop SendThread
E/NFCJNI ( 2661): phLibNfc_SE_SetMode() returned 0x0095[NFCSTATUS_INVALID_HANDLE]
D/NfcService( 2661): NFC-C ON
D/ProgressBar( 4184): setProgress = 0
D/ProgressBar( 4184): setProgress = 0, fromUser = false
D/ProgressBar( 4184): mProgress = 0mIndeterminate = false, mMin = 0, mMax = 100
D/AbsListView( 4184): unregisterIRListener() is called
D/ProgressBar( 4184): setProgress = 0
D/ProgressBar( 4184): setProgress = 0, fromUser = false
D/ProgressBar( 4184): mProgress = 0mIndeterminate = false, mMin = 0, mMax = 100
D/AbsListView( 4184): unregisterIRListener() is called
D/NFCJNI ( 2661): Terminating client thread...
D/NFCJNI ( 2661): phLibNfc_Mgt_UnConfigureDriver() returned 0x0000[NFCSTATUS_SUCCESS]
D/NfcService( 2661): updateState : newSate = 1 mState = 1
D/ProgressBar( 4184): setProgress = 0
D/ProgressBar( 4184): setProgress = 0, fromUser = false
D/ProgressBar( 4184): mProgress = 0mIndeterminate = false, mMin = 0, mMax = 100
D/AbsListView( 4184): unregisterIRListener() is called
D/[SBeam] ( 4184): SBeamEnabler.saveSbeamOn : false
Just verified and Android 6.0.1 is vulnerable. So I am pretty sure it will affect Androids 6-9
Below is the Crash
01-01 01:07:34.331 5258 5279 W bt_hci_packet_fragmenter: reassemble_and_dispatch got packet which would exceed expected length of 34. Truncating.
01-01 01:07:34.333 5258 5279 F libc : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xb8aa2000 in tid 5279 (hci_thread)
01-01 01:07:34.334 5257 5257 I DEBUG : property debug.db.uid not set; NOT waiting for gdb.
01-01 01:07:34.334 5257 5257 I DEBUG : HINT: adb shell setprop debug.db.uid 100000
01-01 01:07:34.334 5257 5257 I DEBUG : HINT: adb forward tcp:5039 tcp:5039
01-01 01:07:34.385 5257 5257 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
01-01 01:07:34.385 5257 5257 F DEBUG : LineageOS Version: '13.0-20171001-UNOFFICIAL-s3ve3g'
01-01 01:07:34.385 5257 5257 F DEBUG : Build fingerprint: 'samsung/s3ve3gxx/s3ve3g:4.4.2/KOT49H/I9301IXXUANL1:user/release-keys'
01-01 01:07:34.385 5257 5257 F DEBUG : Revision: '0'
01-01 01:07:34.385 5257 5257 F DEBUG : ABI: 'arm'
01-01 01:07:34.385 5257 5257 F DEBUG : pid: 5258, tid: 5279, name: hci_thread >>> com.android.bluetooth <<<
01-01 01:07:34.385 5257 5257 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xb8aa2000
01-01 01:07:34.404 5257 5257 F DEBUG : r0 b8aa19d0 r1 b8aa1ff4 r2 fff46432 r3 0000000c
01-01 01:07:34.404 5257 5257 F DEBUG : r4 b89e843c r5 00000022 r6 b89e7e1c r7 b3964d28
01-01 01:07:34.405 5257 5257 F DEBUG : r8 00000010 r9 00000002 sl 00000018 fp 00000000
01-01 01:07:34.405 5257 5257 F DEBUG : ip 80000000 sp a05763d0 lr b38fc2cf pc b6c30514 cpsr a00f0010
01-01 01:07:34.414 5257 5257 F DEBUG :
01-01 01:07:34.414 5257 5257 F DEBUG : backtrace:
01-01 01:07:34.415 5257 5257 F DEBUG : #00 pc 00016514 /system/lib/libc.so (memcpy+100)
01-01 01:07:34.415 5257 5257 F DEBUG : #01 pc 001182cb /system/lib/hw/bluetooth.default.so
01-01 01:07:34.415 5257 5257 F DEBUG : #02 pc 00116b27 /system/lib/hw/bluetooth.default.so
01-01 01:07:34.415 5257 5257 F DEBUG : #03 pc 00116c35 /system/lib/hw/bluetooth.default.so
01-01 01:07:34.415 5257 5257 F DEBUG : #04 pc 0011e781 /system/lib/hw/bluetooth.default.so
01-01 01:07:34.415 5257 5257 F DEBUG : #05 pc 0011f76f /system/lib/hw/bluetooth.default.so
01-01 01:07:34.415 5257 5257 F DEBUG : #06 pc 0004ac79 /system/lib/libc.so (_ZL15__pthread_startPv+32)
01-01 01:07:34.416 5257 5257 F DEBUG : #07 pc 000181e5 /system/lib/libc.so (__start_thread+8)
01-01 01:07:34.871 5257 5257 F DEBUG :
01-01 01:07:34.871 5257 5257 F DEBUG : Tombstone written to: /data/tombstones/tombstone_02
01-01 01:07:34.871 5257 5257 E DEBUG : AM write failed: Broken pipe
01-01 01:07:34.869 5265 5265 W ReferenceQueueD: type=1701 audit(0.0:230): auid=4294967295 uid=1002 gid=1002 ses=4294967295 subj=u:r:bluetooth:s0 reason="memory violation" sig=11
01-01 01:07:34.871 5258 5258 F Looper : Could not add wake event fd to epoll instance. errno=1
01-01 01:07:34.872 792 916 I BootReceiver: Copying /data/tombstones/tombstone_02 to DropBox (SYSTEM_TOMBSTONE)
01-01 01:07:34.872 5258 5258 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 5258 (droid.bluetooth)
01-01 01:07:34.872 5258 5258 I libc : Another thread contacted debuggerd first; not contacting debuggerd.
The above work was done before official and original finder writeup.
You can read original finder great writeup here:
https://insinuator.net/2020/04/cve-2020-0022-an-android-8-0-9-0-bluetooth-zero-click-rce-bluefrag/