diff --git a/Patches/LineageOS-14.1/android_frameworks_base/355865.patch b/Patches/LineageOS-14.1/android_frameworks_base/355865.patch
new file mode 100644
index 00000000..29d6a676
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_base/355865.patch
@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Orion Hodson
+Date: Thu, 7 Apr 2022 21:42:04 +0100
+Subject: [PATCH] Uri: check authority and scheme as part of determining URI
+ path
+
+The interpretation of the path depends on whether the scheme or
+authority are specified and should be observed when unparcelling
+URIs.
+
+Bug: 171966843
+Test: atest FrameworksCoreTests:android.net.UriTest
+Test: atest com.android.devicehealthchecks.SystemAppCheck
+Change-Id: I06981d1c6e387b16df792494523994518848db37
+Merged-In: I06981d1c6e387b16df792494523994518848db37
+(cherry picked from commit f37a94ae920fa5879c557603fc285942ec4b84b1)
+(cherry picked from commit on googleplex-android-review.googlesource.com host: c87f0623be4042c39a9b73f7a6e02aa116925e50)
+Merged-In: I06981d1c6e387b16df792494523994518848db37
+---
+ core/java/android/net/Uri.java | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java
+index 6c069be07e3e..24941a4055f3 100644
+--- a/core/java/android/net/Uri.java
++++ b/core/java/android/net/Uri.java
+@@ -1164,13 +1164,16 @@ public abstract class Uri implements Parcelable, Comparable {
+ }
+
+ static Uri readFrom(Parcel parcel) {
+- return new HierarchicalUri(
+- parcel.readString(),
+- Part.readFrom(parcel),
+- PathPart.readFrom(parcel),
+- Part.readFrom(parcel),
+- Part.readFrom(parcel)
+- );
++ final String scheme = parcel.readString();
++ final Part authority = Part.readFrom(parcel);
++ // In RFC3986 the path should be determined based on whether there is a scheme or
++ // authority present (https://www.rfc-editor.org/rfc/rfc3986.html#section-3.3).
++ final boolean hasSchemeOrAuthority =
++ (scheme != null && scheme.length() > 0) || !authority.isEmpty();
++ final PathPart path = PathPart.readFrom(hasSchemeOrAuthority, parcel);
++ final Part query = Part.readFrom(parcel);
++ final Part fragment = Part.readFrom(parcel);
++ return new HierarchicalUri(scheme, authority, path, query, fragment);
+ }
+
+ public int describeContents() {
+@@ -2224,6 +2227,11 @@ public abstract class Uri implements Parcelable, Comparable {
+ }
+ }
+
++ static PathPart readFrom(boolean hasSchemeOrAuthority, Parcel parcel) {
++ final PathPart path = readFrom(parcel);
++ return hasSchemeOrAuthority ? makeAbsolute(path) : path;
++ }
++
+ /**
+ * Creates a path from the encoded string.
+ *
diff --git a/Patches/LineageOS-14.1/android_frameworks_base/355866.patch b/Patches/LineageOS-14.1/android_frameworks_base/355866.patch
new file mode 100644
index 00000000..0e762d42
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_base/355866.patch
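Review bot: The new `PathPart.readFrom(boolean hasSchemeOrAuthority, Parcel parcel)` overload carries no comment, and the RFC 3986 remark in `HierarchicalUri.readFrom` is the only place that explains why the path is adjusted while unparcelling. I would put the rule on the overload itself, e.g. `/** Reads a path from the parcel and makes it absolute when the URI has a scheme or an authority (RFC 3986 section 3.3). */`, so the next reader of `PathPart` does not have to find the caller to understand it. As a style point, `(scheme != null && scheme.length() > 0)` could be `!TextUtils.isEmpty(scheme)` if `TextUtils` is already imported in Uri.java, which this hunk does not show. Both methods sit in classes whose bodies start and end outside the hunk.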
@@ -0,0 +1,81 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Norman
+Date: Thu, 9 Feb 2023 12:28:26 -0800
+Subject: [PATCH] Checks if AccessibilityServiceInfo is within parcelable size.
+
+- If too large when parsing service XMLs then skip this service.
+- If too large when a service attempts to update its own info
+ then throw an error.
+
+Bug: 261589597
+Test: atest AccessibilityServiceInfoTest
+Change-Id: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
+Merged-In: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
+(cherry picked from commit on googleplex-android-review.googlesource.com host: 553232c29079fbeab28f95307d025c1426aa7142)
+Merged-In: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
+---
+ .../accessibilityservice/AccessibilityService.java | 4 ++++
+ .../accessibilityservice/AccessibilityServiceInfo.java | 10 ++++++++++
+ .../accessibility/AccessibilityManagerService.java | 6 ++++++
+ 3 files changed, 20 insertions(+)
+
+diff --git a/core/java/android/accessibilityservice/AccessibilityService.java b/core/java/android/accessibilityservice/AccessibilityService.java
+index b311c218de30..c0f6c3e5cb06 100644
+--- a/core/java/android/accessibilityservice/AccessibilityService.java
++++ b/core/java/android/accessibilityservice/AccessibilityService.java
+@@ -1400,6 +1400,10 @@ public abstract class AccessibilityService extends Service {
+ IAccessibilityServiceConnection connection =
+ AccessibilityInteractionClient.getInstance().getConnection(mConnectionId);
+ if (mInfo != null && connection != null) {
++ if (!mInfo.isWithinParcelableSize()) {
++ throw new IllegalStateException(
++ "Cannot update service info: size is larger than safe parcelable limits.");
++ }
+ try {
+ connection.setServiceInfo(mInfo);
+ mInfo = null;
+diff --git a/core/java/android/accessibilityservice/AccessibilityServiceInfo.java b/core/java/android/accessibilityservice/AccessibilityServiceInfo.java
+index ee03280578e5..7be5eabc66c7 100644
+--- a/core/java/android/accessibilityservice/AccessibilityServiceInfo.java
++++ b/core/java/android/accessibilityservice/AccessibilityServiceInfo.java
+@@ -26,6 +26,7 @@ import android.content.res.Resources;
+ import android.content.res.TypedArray;
+ import android.content.res.XmlResourceParser;
+ import android.os.Build;
++import android.os.IBinder;
+ import android.os.Parcel;
+ import android.os.Parcelable;
+ import android.util.AttributeSet;
+@@ -702,6 +703,15 @@ public class AccessibilityServiceInfo implements Parcelable {
+ return 0;
+ }
+
++ /** @hide */
++ public final boolean isWithinParcelableSize() {
++ final Parcel parcel = Parcel.obtain();
++ writeToParcel(parcel, 0);
++ final boolean result = parcel.dataSize() <= IBinder.MAX_IPC_SIZE;
++ parcel.recycle();
++ return result;
++ }
++
+ public void writeToParcel(Parcel parcel, int flagz) {
+ parcel.writeInt(eventTypes);
+ parcel.writeStringArray(packageNames);
+diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+index 718e30a43337..cae1adcafc23 100644
+--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+@@ -1069,6 +1069,12 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
+ AccessibilityServiceInfo accessibilityServiceInfo;
+ try {
+ accessibilityServiceInfo = new AccessibilityServiceInfo(resolveInfo, mContext);
++ if (!accessibilityServiceInfo.isWithinParcelableSize()) {
++ Slog.e(LOG_TAG, "Skipping service "
++ + accessibilityServiceInfo.getResolveInfo().getComponentInfo()
++ + " because service info size is larger than safe parcelable limits.");
++ continue;
++ }
+ mTempAccessibilityServiceInfoList.add(accessibilityServiceInfo);
+ } catch (XmlPullParserException | IOException xppe) {
+ Slog.e(LOG_TAG, "Error while initializing AccessibilityServiceInfo", xppe);
diff --git a/Patches/LineageOS-14.1/android_frameworks_base/355867.patch b/Patches/LineageOS-14.1/android_frameworks_base/355867.patch
new file mode 100644
index 00000000..51f63aac
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_base/355867.patch
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alex Johnston
+Date: Tue, 5 Oct 2021 11:44:37 +0000
+Subject: [PATCH] Stop managed profile owner granting READ_SMS
+
+Reason: There is only one telephony stack shared
+between the personal and work profile.
+
+Bug: 194382185
+Bug: 189942529
+Test: build
+Change-Id: If0d27a317a7c0ee46af371b30208327e5636c7cf
+(cherry picked from commit 87f37319bf7ee22c6e7c29432b6c9bbce0fdb591)
+Merged-In: If0d27a317a7c0ee46af371b30208327e5636c7cf
+---
+ core/java/android/app/admin/DevicePolicyManager.java | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
+index 592026cda79b..a6ee45a7d1dc 100644
+--- a/core/java/android/app/admin/DevicePolicyManager.java
++++ b/core/java/android/app/admin/DevicePolicyManager.java
+@@ -5861,6 +5861,15 @@ public class DevicePolicyManager {
+ * Permissions can be granted or revoked only for applications built with a
+ * {@code targetSdkVersion} of {@link android.os.Build.VERSION_CODES#M} or later.
+ *
++ * Control over the following permissions are restricted for managed profile owners:
++ *
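Review bot: `isWithinParcelableSize()` in AccessibilityServiceInfo.java recycles its Parcel only on the normal path, so if `writeToParcel(parcel, 0)` throws, the obtained Parcel is never returned to the pool. Since this method now runs on service-supplied data, both in the system server while parsing service XML and in `AccessibilityService` before `setServiceInfo`, the cleanup is better placed in a `finally` block. The `/** @hide */` comment could also say what the limit is, for instance that the serialized size is compared with `IBinder.MAX_IPC_SIZE`.

```java
public final boolean isWithinParcelableSize() {
    final Parcel parcel = Parcel.obtain();
    try {
        writeToParcel(parcel, 0);
        return parcel.dataSize() <= IBinder.MAX_IPC_SIZE;
    } finally {
        // Return the Parcel to the pool even if writeToParcel throws.
        parcel.recycle();
    }
}
```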
    ++ *
  • Manifest.permission.READ_SMS
  • ++ *
++ *

++ * A managed profile owner may not grant these permissions (i.e. call this method with any of
++ * the permissions listed above and {@code grantState} of
++ * {@code #PERMISSION_GRANT_STATE_GRANTED}), but may deny them.
++ *
+ * @param admin Which profile or device owner this request is associated with.
+ * @param packageName The application to grant or revoke a permission to.
+ * @param permission The permission to grant or revoke.
diff --git a/Patches/LineageOS-14.1/android_frameworks_native/355868.patch b/Patches/LineageOS-14.1/android_frameworks_native/355868.patch
new file mode 100644
index 00000000..8c3150cc
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_native/355868.patch
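Review bot: Nothing in this patch enforces the restriction its subject announces: the only file touched is DevicePolicyManager.java and all nine added lines are Javadoc. Unless the device policy service in this tree already rejects the grant, which is not visible here, a managed profile owner can still grant READ_SMS after this patch is applied. Either the backport should carry the service-side check as well, or the Patch.sh comment for 355867 should say that the change is documentation only, so the n-asb-2023-05 label is not read as a fix. The added sentence `Control over the following permissions are restricted` should read `is restricted`. The Javadoc block starts and ends outside the hunk.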
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Devin Moore
+Date: Fri, 17 Feb 2023 17:12:46 +0000
+Subject: [PATCH] Check for malformed Sensor Flattenable
+
+Test: libsensorserviceaidl_fuzzer with testcase from bug
+Bug: 269014004
+Merged-In: I0e255c64243c38876fb657cbf942fc1613363216
+Change-Id: I0e255c64243c38876fb657cbf942fc1613363216
+(cherry picked from commit aeec1802f7befc8fbb18313ad3ac0969c3811870)
+Merged-In: I0e255c64243c38876fb657cbf942fc1613363216
+(cherry picked from commit on googleplex-android-review.googlesource.com host: f1aa5fb53437ec2fabc9be00099af836da5f07f2)
+Merged-In: I0e255c64243c38876fb657cbf942fc1613363216
+---
+ libs/gui/Sensor.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libs/gui/Sensor.cpp b/libs/gui/Sensor.cpp
+index 8edacc0c6d..93cd9fe2db 100644
+--- a/libs/gui/Sensor.cpp
++++ b/libs/gui/Sensor.cpp
+@@ -546,7 +546,13 @@ bool Sensor::unflattenString8(void const*& buffer, size_t& size, String8& output
+ return false;
+ }
+ outputString8.setTo(static_cast(buffer), len);
++
++ if (size < FlattenableUtils::align<4>(len)) {
++ ALOGE("Malformed Sensor String8 field. Should be in a 4-byte aligned buffer but is not.");
++ return false;
++ }
+ FlattenableUtils::advance(buffer, size, FlattenableUtils::align<4>(len));
++
+ return true;
+ }
+
diff --git a/Patches/LineageOS-14.1/android_frameworks_native/355869.patch b/Patches/LineageOS-14.1/android_frameworks_native/355869.patch
new file mode 100644
index 00000000..22bd382b
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_native/355869.patch
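Review bot: The new size check in `Sensor::unflattenString8` runs after `outputString8.setTo(...)`, so on the failing path the caller's String8 has already been overwritten from the buffer before the function returns false. Moving `if (size < FlattenableUtils::align<4>(len))` above the `setTo` call would reject the malformed input before anything is copied out of it. The log text is also misleading, since the condition tests that the remaining size covers the padded length rather than buffer alignment; `"Malformed Sensor String8 field: remaining size is smaller than the 4-byte padded length."` would describe it. The function begins outside the hunk, so the earlier length check is only partly visible.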
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ivan Lozano
+Date: Tue, 7 Nov 2017 12:23:26 -0800
+Subject: [PATCH] Fix sanitizer in ISensorService list functions.
+
+The integer overflow sanitizer is throwing unsigned integer overflow
+errors in the list functions in ISensorService. This refactors the loops
+to prevent the overflow on the last iteration.
+
+Test: Compiles and device boots without sanitizer errors.
+Bug: 30969751
+Change-Id: I6a7993024fdc71702e8e4e8ae535cfaf999e9dab
+---
+ libs/gui/ISensorServer.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libs/gui/ISensorServer.cpp b/libs/gui/ISensorServer.cpp
+index 3a4c7e4edc..23682e33d8 100644
+--- a/libs/gui/ISensorServer.cpp
++++ b/libs/gui/ISensorServer.cpp
+@@ -59,7 +59,8 @@ public:
+ Vector v;
+ uint32_t n = reply.readUint32();
+ v.setCapacity(n);
+- while (n--) {
++ while (n) {
++ n--;
+ reply.read(s);
+ v.add(s);
+ }
+@@ -76,7 +77,8 @@ public:
+ Vector v;
+ uint32_t n = reply.readUint32();
+ v.setCapacity(n);
+- while (n--) {
++ while (n) {
++ n--;
+ reply.read(s);
+ v.add(s);
+ }
diff --git a/Patches/LineageOS-14.1/android_frameworks_native/355870.patch b/Patches/LineageOS-14.1/android_frameworks_native/355870.patch
new file mode 100644
index 00000000..2dbcc2e0
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_native/355870.patch
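Review bot: `n` comes straight from `reply.readUint32()` and is passed to `v.setCapacity(n)` before a single element has been read, in both list functions touched here, and the loop rewrite does not change that. A malformed reply can therefore request a very large allocation that the element reads never back up. Bounding the count by what the parcel can still hold before reserving, e.g. `if (n > reply.dataAvail()) return v;`, would close that; the enclosing functions start outside the hunk, so an existing check above cannot be ruled out. As a style point, `for (; n > 0; n--)` states the intent more directly than `while (n) { n--; ... }`.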
@@ -0,0 +1,67 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Devin Moore
+Date: Fri, 17 Feb 2023 19:35:25 +0000
+Subject: [PATCH] Remove some new memory leaks from SensorManager
+
+After catching an error in Sensor::unflatten, there are memory leaks
+caught by the fuzzer in the same test case.
+
+Test: libsensorserviceaidl_fuzzer with testcase from bug
+Bug: 269014004
+Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582
+Change-Id: I509cceb41f56ca117d9475f6f6674244560fe582
+(cherry picked from commit c95fa0f0e7c7b73746ff850b85a79fc5f92b784e)
+Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582
+(cherry picked from commit on googleplex-android-review.googlesource.com host: ceb0d52273256c6a5c5622bf81b0ac4ba106faa1)
+Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582
+---
+ libs/gui/ISensorServer.cpp | 12 ++++++++++--
+ libs/gui/SensorManager.cpp | 5 +++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/libs/gui/ISensorServer.cpp b/libs/gui/ISensorServer.cpp
+index 23682e33d8..82ece230c7 100644
+--- a/libs/gui/ISensorServer.cpp
++++ b/libs/gui/ISensorServer.cpp
+@@ -61,7 +61,11 @@ public:
+ v.setCapacity(n);
+ while (n) {
+ n--;
+- reply.read(s);
++ if(reply.read(s) != OK) {
++ ALOGE("Failed to read reply from getSensorList");
++ v.clear();
++ break;
++ }
+ v.add(s);
+ }
+ return v;
+@@ -79,7 +83,11 @@ public:
+ v.setCapacity(n);
+ while (n) {
+ n--;
+- reply.read(s);
++ if(reply.read(s) != OK) {
++ ALOGE("Failed to read reply from getDynamicSensorList");
++ v.clear();
++ break;
++ }
+ v.add(s);
+ }
+ return v;
+diff --git a/libs/gui/SensorManager.cpp b/libs/gui/SensorManager.cpp
+index f49dd6e703..5a94279ee8 100644
+--- a/libs/gui/SensorManager.cpp
++++ b/libs/gui/SensorManager.cpp
+@@ -149,6 +149,11 @@ status_t SensorManager::assertStateLocked() {
+
+ mSensors = mSensorServer->getSensorList(mOpPackageName);
+ size_t count = mSensors.size();
++ if (count == 0) {
++ ALOGE("Failed to get Sensor list");
++ mSensorServer.clear();
++ return UNKNOWN_ERROR;
++ }
+ mSensorList =
+ static_cast(malloc(count * sizeof(Sensor*)));
+ LOG_ALWAYS_FATAL_IF(mSensorList == NULL, "mSensorList NULL");
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index 1c4a6cc3..5e27000f 100644
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2023-04-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-04 #XXX
+sed -i 's/2021-06-05/2023-05-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-05 #XXX
 fi;
 if enterAndClear "device/qcom/sepolicy"; then
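Review bot: In `SensorManager::assertStateLocked` the new `count == 0` branch treats an empty sensor list as a failure, because after this patch `getSensorList` returns an empty vector both when a read fails and when the service really reports no sensors. On a device or build without sensors, every call would then log an error, clear `mSensorServer` and return `UNKNOWN_ERROR`. If that case matters for this tree, the read failure should be signalled separately from the list contents, for instance through a status out-parameter, rather than by overloading the empty list. In ISensorServer.cpp, `if(reply.read(s) != OK)` should be written `if (reply.read(s) != OK)` to match the surrounding code. The function body continues outside the hunk.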
@@ -188,6 +188,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/353756.patch"; #n-asb-2023-04 C
 applyPatch "$DOS_PATCHES/android_frameworks_base/353757.patch"; #n-asb-2023-04 Checking if package belongs to UID before registering broadcast receiver
 applyPatch "$DOS_PATCHES/android_frameworks_base/353758.patch"; #n-asb-2023-04 Fix checkKeyIntentParceledCorrectly's bypass
 applyPatch "$DOS_PATCHES/android_frameworks_base/353759.patch"; #n-asb-2023-04 Encode Intent scheme when serializing to URI string
+applyPatch "$DOS_PATCHES/android_frameworks_base/355865.patch"; #n-asb-2023-05 Uri: check authority and scheme as part of determining URI path
+applyPatch "$DOS_PATCHES/android_frameworks_base/355866.patch"; #n-asb-2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
+applyPatch "$DOS_PATCHES/android_frameworks_base/355867.patch"; #n-asb-2023-05 Stop managed profile owner granting READ_SMS
 git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
 applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@@ -211,6 +214,9 @@ fi;
 if enterAndClear "frameworks/native"; then
 applyPatch "$DOS_PATCHES/android_frameworks_native/315714.patch"; #n-asb-2021-09 Do not modify vector after getting references
 applyPatch "$DOS_PATCHES/android_frameworks_native/325993.patch"; #n-asb-2022-03 Check if the window is partially obscured for slippery enters
+applyPatch "$DOS_PATCHES/android_frameworks_native/355868.patch"; #n-asb-2023-05 Check for malformed Sensor Flattenable
+applyPatch "$DOS_PATCHES/android_frameworks_native/355869.patch"; #n-asb-2023-05 Fix sanitizer in ISensorService list functions.
+applyPatch "$DOS_PATCHES/android_frameworks_native/355870.patch"; #n-asb-2023-05 Remove some new memory leaks from SensorManager
 if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
 fi;
diff --git a/Scripts/LineageOS-18.1/Functions.sh b/Scripts/LineageOS-18.1/Functions.sh
index 9fbbd3ff..f1192d1b 100644
--- a/Scripts/LineageOS-18.1/Functions.sh
+++ b/Scripts/LineageOS-18.1/Functions.sh
@@ -114,10 +114,11 @@ patchWorkspaceReal() {
 verifyAllPlatformTags;
 gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
- #source build/envsetup.sh;
+ source build/envsetup.sh;
 #repopick -it eleven-firewall;
 #repopick -i 314453; #TaskViewTouchController: Null check current animation on drag
 #repopick -i 325011; #lineage: Opt-in to shipping full recovery image by default
+ repopick -it R_asb_2023-05;
 sh "$DOS_SCRIPTS/Patch.sh";
 sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-19.1/Functions.sh b/Scripts/LineageOS-19.1/Functions.sh
index a94d2436..7c9e9a08 100644
--- a/Scripts/LineageOS-19.1/Functions.sh
+++ b/Scripts/LineageOS-19.1/Functions.sh
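Review bot: `repopick -it R_asb_2023-05` in the LineageOS-18.1 `patchWorkspaceReal` picks whatever changes carry that topic on the review server at build time, and it runs after `verifyAllPlatformTags` and `gpgVerifyGitHead`, so the picked commits are neither covered by those checks nor pinned to a revision. Two builds from the same checkout of this repository can therefore end up with different sources. Consider recording the expected change numbers or commit hashes next to the call, or exporting the picked changes as patch files as this commit does for 14.1, so that what goes into the build is reviewable here. The LineageOS-19.1 hunk adds `repopick -it S_asb_2023-05` with the same concern. The function body continues outside the hunk.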
@@ -73,9 +73,10 @@ patchWorkspaceReal() {
 verifyAllPlatformTags;
 gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
- #source build/envsetup.sh;
+ source build/envsetup.sh;
 #repopick -ift twelve-bt-sbc-hd-dualchannel;
 #repopick -it twelve-colors;
+ repopick -it S_asb_2023-05;
 sh "$DOS_SCRIPTS/Patch.sh";
 sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";