Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2023-05-06 00:12:07 -04:00
parent 6d2a255eef
commit 0004c224cf
No known key found for this signature in database
GPG Key ID: B286E9F57A07424B
9 changed files with 334 additions and 3 deletions


@ -0,0 +1,62 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Orion Hodson <oth@google.com>
Date: Thu, 7 Apr 2022 21:42:04 +0100
Subject: [PATCH] Uri: check authority and scheme as part of determining URI
path
The interpretation of the path depends on whether the scheme or
authority are specified and should be observed when unparcelling
URIs.
Bug: 171966843
Test: atest FrameworksCoreTests:android.net.UriTest
Test: atest com.android.devicehealthchecks.SystemAppCheck
Change-Id: I06981d1c6e387b16df792494523994518848db37
Merged-In: I06981d1c6e387b16df792494523994518848db37
(cherry picked from commit f37a94ae920fa5879c557603fc285942ec4b84b1)
(cherry picked from commit on googleplex-android-review.googlesource.com host: c87f0623be4042c39a9b73f7a6e02aa116925e50)
Merged-In: I06981d1c6e387b16df792494523994518848db37
---
core/java/android/net/Uri.java | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java
index 6c069be07e3e..24941a4055f3 100644
--- a/core/java/android/net/Uri.java
+++ b/core/java/android/net/Uri.java
@@ -1164,13 +1164,16 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
}
static Uri readFrom(Parcel parcel) {
- return new HierarchicalUri(
- parcel.readString(),
- Part.readFrom(parcel),
- PathPart.readFrom(parcel),
- Part.readFrom(parcel),
- Part.readFrom(parcel)
- );
+ final String scheme = parcel.readString();
+ final Part authority = Part.readFrom(parcel);
+ // In RFC3986 the path should be determined based on whether there is a scheme or
+ // authority present (https://www.rfc-editor.org/rfc/rfc3986.html#section-3.3).
+ final boolean hasSchemeOrAuthority =
+ (scheme != null && scheme.length() > 0) || !authority.isEmpty();
+ final PathPart path = PathPart.readFrom(hasSchemeOrAuthority, parcel);
+ final Part query = Part.readFrom(parcel);
+ final Part fragment = Part.readFrom(parcel);
+ return new HierarchicalUri(scheme, authority, path, query, fragment);
}
public int describeContents() {
@@ -2224,6 +2227,11 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
}
}
+ static PathPart readFrom(boolean hasSchemeOrAuthority, Parcel parcel) {
+ final PathPart path = readFrom(parcel);
+ return hasSchemeOrAuthority ? makeAbsolute(path) : path;
+ }
+
/**
* Creates a path from the encoded string.
*
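Review bot: The new two-argument `PathPart.readFrom(boolean, Parcel)` in the second hunk carries no doc comment, while the neighbouring `readFrom` overload is documented, and the reason for the `makeAbsolute` call is explained only in the caller's comment in the first hunk. Suggested Javadoc for the new overload: `/** Reads a path from the parcel; when the URI has a scheme or authority the path is made absolute, because its interpretation depends on whether a scheme or authority is present (RFC 3986 §3.3). */`. The single-argument `readFrom(Parcel)` is still callable, so any other unparcelling path that assembles a hierarchical URI would need to go through the new overload to get the same normalisation; I cannot see other callers from here. As a minor point of style, `scheme != null && scheme.length() > 0` in the first hunk reads more directly as `scheme != null && !scheme.isEmpty()`.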


@ -0,0 +1,81 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Norman <danielnorman@google.com>
Date: Thu, 9 Feb 2023 12:28:26 -0800
Subject: [PATCH] Checks if AccessibilityServiceInfo is within parcelable size.
- If too large when parsing service XMLs then skip this service.
- If too large when a service attempts to update its own info
then throw an error.
Bug: 261589597
Test: atest AccessibilityServiceInfoTest
Change-Id: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
Merged-In: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
(cherry picked from commit on googleplex-android-review.googlesource.com host: 553232c29079fbeab28f95307d025c1426aa7142)
Merged-In: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
---
.../accessibilityservice/AccessibilityService.java | 4 ++++
.../accessibilityservice/AccessibilityServiceInfo.java | 10 ++++++++++
.../accessibility/AccessibilityManagerService.java | 6 ++++++
3 files changed, 20 insertions(+)
diff --git a/core/java/android/accessibilityservice/AccessibilityService.java b/core/java/android/accessibilityservice/AccessibilityService.java
index b311c218de30..c0f6c3e5cb06 100644
--- a/core/java/android/accessibilityservice/AccessibilityService.java
+++ b/core/java/android/accessibilityservice/AccessibilityService.java
@@ -1400,6 +1400,10 @@ public abstract class AccessibilityService extends Service {
IAccessibilityServiceConnection connection =
AccessibilityInteractionClient.getInstance().getConnection(mConnectionId);
if (mInfo != null && connection != null) {
+ if (!mInfo.isWithinParcelableSize()) {
+ throw new IllegalStateException(
+ "Cannot update service info: size is larger than safe parcelable limits.");
+ }
try {
connection.setServiceInfo(mInfo);
mInfo = null;
diff --git a/core/java/android/accessibilityservice/AccessibilityServiceInfo.java b/core/java/android/accessibilityservice/AccessibilityServiceInfo.java
index ee03280578e5..7be5eabc66c7 100644
--- a/core/java/android/accessibilityservice/AccessibilityServiceInfo.java
+++ b/core/java/android/accessibilityservice/AccessibilityServiceInfo.java
@@ -26,6 +26,7 @@ import android.content.res.Resources;
import android.content.res.TypedArray;
import android.content.res.XmlResourceParser;
import android.os.Build;
+import android.os.IBinder;
import android.os.Parcel;
import android.os.Parcelable;
import android.util.AttributeSet;
@@ -702,6 +703,15 @@ public class AccessibilityServiceInfo implements Parcelable {
return 0;
}
+ /** @hide */
+ public final boolean isWithinParcelableSize() {
+ final Parcel parcel = Parcel.obtain();
+ writeToParcel(parcel, 0);
+ final boolean result = parcel.dataSize() <= IBinder.MAX_IPC_SIZE;
+ parcel.recycle();
+ return result;
+ }
+
public void writeToParcel(Parcel parcel, int flagz) {
parcel.writeInt(eventTypes);
parcel.writeStringArray(packageNames);
diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
index 718e30a43337..cae1adcafc23 100644
--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
@@ -1069,6 +1069,12 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
AccessibilityServiceInfo accessibilityServiceInfo;
try {
accessibilityServiceInfo = new AccessibilityServiceInfo(resolveInfo, mContext);
+ if (!accessibilityServiceInfo.isWithinParcelableSize()) {
+ Slog.e(LOG_TAG, "Skipping service "
+ + accessibilityServiceInfo.getResolveInfo().getComponentInfo()
+ + " because service info size is larger than safe parcelable limits.");
+ continue;
+ }
mTempAccessibilityServiceInfoList.add(accessibilityServiceInfo);
} catch (XmlPullParserException | IOException xppe) {
Slog.e(LOG_TAG, "Error while initializing AccessibilityServiceInfo", xppe);
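Review bot: In `isWithinParcelableSize()` (second file of this patch) the `Parcel` obtained with `Parcel.obtain()` is recycled only on the straight-line path; if `writeToParcel` throws, the parcel is never returned to the pool. The method should release it in a `finally` block, as below. Separately, the size check guards the `connection.setServiceInfo(mInfo)` IPC only on the client side in `AccessibilityService`, and the server-side check added in `AccessibilityManagerService` applies only when parsing service XMLs; unless the binder handler for `setServiceInfo` also validates the size (not visible in this patch), a caller that bypasses the client check could still send an oversized info, so that path is worth confirming.
```java
/** @hide */
public final boolean isWithinParcelableSize() {
    final Parcel parcel = Parcel.obtain();
    try {
        writeToParcel(parcel, 0);
        return parcel.dataSize() <= IBinder.MAX_IPC_SIZE;
    } finally {
        // Return the Parcel to the pool even when writeToParcel throws.
        parcel.recycle();
    }
}
```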


@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alex Johnston <acjohnston@google.com>
Date: Tue, 5 Oct 2021 11:44:37 +0000
Subject: [PATCH] Stop managed profile owner granting READ_SMS
Reason: There is only one telephony stack shared
between the personal and work profile.
Bug: 194382185
Bug: 189942529
Test: build
Change-Id: If0d27a317a7c0ee46af371b30208327e5636c7cf
(cherry picked from commit 87f37319bf7ee22c6e7c29432b6c9bbce0fdb591)
Merged-In: If0d27a317a7c0ee46af371b30208327e5636c7cf
---
core/java/android/app/admin/DevicePolicyManager.java | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index 592026cda79b..a6ee45a7d1dc 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -5861,6 +5861,15 @@ public class DevicePolicyManager {
* Permissions can be granted or revoked only for applications built with a
* {@code targetSdkVersion} of {@link android.os.Build.VERSION_CODES#M} or later.
*
+ * Control over the following permissions are restricted for managed profile owners:
+ * <ul>
+ * <li>Manifest.permission.READ_SMS</li>
+ * </ul>
+ * <p>
+ * A managed profile owner may not grant these permissions (i.e. call this method with any of
+ * the permissions listed above and {@code grantState} of
+ * {@code #PERMISSION_GRANT_STATE_GRANTED}), but may deny them.
+ *
* @param admin Which profile or device owner this request is associated with.
* @param packageName The application to grant or revoke a permission to.
* @param permission The permission to grant or revoke.
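Review bot: The added Javadoc uses `{@code #PERMISSION_GRANT_STATE_GRANTED}`, which renders the literal text "#PERMISSION_GRANT_STATE_GRANTED" instead of linking the constant; it should be `{@link #PERMISSION_GRANT_STATE_GRANTED}`, and "Control over the following permissions are restricted" should read "is restricted". More importantly, this patch file's diffstat shows only `DevicePolicyManager.java` changing, with all nine insertions in this comment block, so the restriction is documented here but no enforcement code is visible; presumably the check lives in the policy service and is applied by a separate patch, but it is worth confirming that the behaviour this Javadoc promises is actually in place on this branch.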


@ -0,0 +1,35 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Devin Moore <devinmoore@google.com>
Date: Fri, 17 Feb 2023 17:12:46 +0000
Subject: [PATCH] Check for malformed Sensor Flattenable
Test: libsensorserviceaidl_fuzzer with testcase from bug
Bug: 269014004
Merged-In: I0e255c64243c38876fb657cbf942fc1613363216
Change-Id: I0e255c64243c38876fb657cbf942fc1613363216
(cherry picked from commit aeec1802f7befc8fbb18313ad3ac0969c3811870)
Merged-In: I0e255c64243c38876fb657cbf942fc1613363216
(cherry picked from commit on googleplex-android-review.googlesource.com host: f1aa5fb53437ec2fabc9be00099af836da5f07f2)
Merged-In: I0e255c64243c38876fb657cbf942fc1613363216
---
libs/gui/Sensor.cpp | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libs/gui/Sensor.cpp b/libs/gui/Sensor.cpp
index 8edacc0c6d..93cd9fe2db 100644
--- a/libs/gui/Sensor.cpp
+++ b/libs/gui/Sensor.cpp
@@ -546,7 +546,13 @@ bool Sensor::unflattenString8(void const*& buffer, size_t& size, String8& output
return false;
}
outputString8.setTo(static_cast<char const*>(buffer), len);
+
+ if (size < FlattenableUtils::align<4>(len)) {
+ ALOGE("Malformed Sensor String8 field. Should be in a 4-byte aligned buffer but is not.");
+ return false;
+ }
FlattenableUtils::advance(buffer, size, FlattenableUtils::align<4>(len));
+
return true;
}
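Review bot: The new `size < FlattenableUtils::align<4>(len)` check is placed after `outputString8.setTo(...)`, so on the malformed path the output string has already been filled from the buffer before the function returns false. Moving the check above the `setTo` call keeps `outputString8` untouched on failure, and since `align<4>(len) >= len` it also subsumes the earlier length check, whose condition lies above the hunk. The opening of `unflattenString8` is outside the hunk.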


@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ivan Lozano <ivanlozano@google.com>
Date: Tue, 7 Nov 2017 12:23:26 -0800
Subject: [PATCH] Fix sanitizer in ISensorService list functions.
The integer overflow sanitizer is throwing unsigned integer overflow
errors in the list functions in ISensorService. This refactors the loops
to prevent the overflow on the last iteration.
Test: Compiles and device boots without sanitizer errors.
Bug: 30969751
Change-Id: I6a7993024fdc71702e8e4e8ae535cfaf999e9dab
---
libs/gui/ISensorServer.cpp | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libs/gui/ISensorServer.cpp b/libs/gui/ISensorServer.cpp
index 3a4c7e4edc..23682e33d8 100644
--- a/libs/gui/ISensorServer.cpp
+++ b/libs/gui/ISensorServer.cpp
@@ -59,7 +59,8 @@ public:
Vector<Sensor> v;
uint32_t n = reply.readUint32();
v.setCapacity(n);
- while (n--) {
+ while (n) {
+ n--;
reply.read(s);
v.add(s);
}
@@ -76,7 +77,8 @@ public:
Vector<Sensor> v;
uint32_t n = reply.readUint32();
v.setCapacity(n);
- while (n--) {
+ while (n) {
+ n--;
reply.read(s);
v.add(s);
}
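Review bot: Both hunks rewrite `while (n--)` as `while (n) { n--; ... }`, which avoids the post-decrement wrapping to `UINT32_MAX` on the final test but leaves the loop counter manipulation as a separate statement that is easy to lose on a later edit; `for (; n != 0; --n)` expresses the same bound in one place, and the two loop bodies are identical and could share a helper. Note also that `n` comes straight from `reply.readUint32()` and is passed to `v.setCapacity(n)` without an upper bound; the reply is produced by the sensor service, so this is presumably trusted, but a sanity limit before reserving would cost one line.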


@ -0,0 +1,67 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Devin Moore <devinmoore@google.com>
Date: Fri, 17 Feb 2023 19:35:25 +0000
Subject: [PATCH] Remove some new memory leaks from SensorManager
After catching an error in Sensor::unflatten, there are memory leaks
caught by the fuzzer in the same test case.
Test: libsensorserviceaidl_fuzzer with testcase from bug
Bug: 269014004
Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582
Change-Id: I509cceb41f56ca117d9475f6f6674244560fe582
(cherry picked from commit c95fa0f0e7c7b73746ff850b85a79fc5f92b784e)
Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582
(cherry picked from commit on googleplex-android-review.googlesource.com host: ceb0d52273256c6a5c5622bf81b0ac4ba106faa1)
Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582
---
libs/gui/ISensorServer.cpp | 12 ++++++++++--
libs/gui/SensorManager.cpp | 5 +++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/libs/gui/ISensorServer.cpp b/libs/gui/ISensorServer.cpp
index 23682e33d8..82ece230c7 100644
--- a/libs/gui/ISensorServer.cpp
+++ b/libs/gui/ISensorServer.cpp
@@ -61,7 +61,11 @@ public:
v.setCapacity(n);
while (n) {
n--;
- reply.read(s);
+ if(reply.read(s) != OK) {
+ ALOGE("Failed to read reply from getSensorList");
+ v.clear();
+ break;
+ }
v.add(s);
}
return v;
@@ -79,7 +83,11 @@ public:
v.setCapacity(n);
while (n) {
n--;
- reply.read(s);
+ if(reply.read(s) != OK) {
+ ALOGE("Failed to read reply from getDynamicSensorList");
+ v.clear();
+ break;
+ }
v.add(s);
}
return v;
diff --git a/libs/gui/SensorManager.cpp b/libs/gui/SensorManager.cpp
index f49dd6e703..5a94279ee8 100644
--- a/libs/gui/SensorManager.cpp
+++ b/libs/gui/SensorManager.cpp
@@ -149,6 +149,11 @@ status_t SensorManager::assertStateLocked() {
mSensors = mSensorServer->getSensorList(mOpPackageName);
size_t count = mSensors.size();
+ if (count == 0) {
+ ALOGE("Failed to get Sensor list");
+ mSensorServer.clear();
+ return UNKNOWN_ERROR;
+ }
mSensorList =
static_cast<Sensor const**>(malloc(count * sizeof(Sensor*)));
LOG_ALWAYS_FATAL_IF(mSensorList == NULL, "mSensorList NULL");
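Review bot: In `SensorManager::assertStateLocked` the new `count == 0` test treats an empty list as a failed call, but the proxy side in `ISensorServer.cpp` returns the same empty `Vector` both when `reply.read(s)` fails (after `v.clear()`) and when the service genuinely reports zero sensors, so a device with no sensors would now hit `UNKNOWN_ERROR` and drop `mSensorServer` on every call; whether such devices exist on this branch is not visible here and worth confirming. If they do, the proxy needs a distinct failure signal (for example an out-parameter status) rather than overloading the empty result. Both `ISensorServer.cpp` hunks also write `if(reply.read(s) != OK)` without a space after `if`, unlike the surrounding code. The enclosing functions start outside the hunks.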


@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
awk -i inplace '!/Exchange2/' target/product/core.mk;
sed -i 's/2021-06-05/2023-04-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-04 #XXX
sed -i 's/2021-06-05/2023-05-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-05 #XXX
fi;
if enterAndClear "device/qcom/sepolicy"; then
@ -188,6 +188,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/353756.patch"; #n-asb-2023-04 C
applyPatch "$DOS_PATCHES/android_frameworks_base/353757.patch"; #n-asb-2023-04 Checking if package belongs to UID before registering broadcast receiver
applyPatch "$DOS_PATCHES/android_frameworks_base/353758.patch"; #n-asb-2023-04 Fix checkKeyIntentParceledCorrectly's bypass
applyPatch "$DOS_PATCHES/android_frameworks_base/353759.patch"; #n-asb-2023-04 Encode Intent scheme when serializing to URI string
applyPatch "$DOS_PATCHES/android_frameworks_base/355865.patch"; #n-asb-2023-05 Uri: check authority and scheme as part of determining URI path
applyPatch "$DOS_PATCHES/android_frameworks_base/355866.patch"; #n-asb-2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
applyPatch "$DOS_PATCHES/android_frameworks_base/355867.patch"; #n-asb-2023-05 Stop managed profile owner granting READ_SMS
git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@ -211,6 +214,9 @@ fi;
if enterAndClear "frameworks/native"; then
applyPatch "$DOS_PATCHES/android_frameworks_native/315714.patch"; #n-asb-2021-09 Do not modify vector after getting references
applyPatch "$DOS_PATCHES/android_frameworks_native/325993.patch"; #n-asb-2022-03 Check if the window is partially obscured for slippery enters
applyPatch "$DOS_PATCHES/android_frameworks_native/355868.patch"; #n-asb-2023-05 Check for malformed Sensor Flattenable
applyPatch "$DOS_PATCHES/android_frameworks_native/355869.patch"; #n-asb-2023-05 Fix sanitizer in ISensorService list functions.
applyPatch "$DOS_PATCHES/android_frameworks_native/355870.patch"; #n-asb-2023-05 Remove some new memory leaks from SensorManager
if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
fi;


@ -114,10 +114,11 @@ patchWorkspaceReal() {
verifyAllPlatformTags;
gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
#source build/envsetup.sh;
source build/envsetup.sh;
#repopick -it eleven-firewall;
#repopick -i 314453; #TaskViewTouchController: Null check current animation on drag
#repopick -i 325011; #lineage: Opt-in to shipping full recovery image by default
repopick -it R_asb_2023-05;
sh "$DOS_SCRIPTS/Patch.sh";
sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";


@ -73,9 +73,10 @@ patchWorkspaceReal() {
verifyAllPlatformTags;
gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
#source build/envsetup.sh;
source build/envsetup.sh;
#repopick -ift twelve-bt-sbc-hd-dualchannel;
#repopick -it twelve-colors;
repopick -it S_asb_2023-05;
sh "$DOS_SCRIPTS/Patch.sh";
sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";