16.0: September ASB (Android Security Bulletin) work
Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
parent
aa4464d1c4
commit
033c600eac
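--- a/Patches/LineageOS-16.0/android_frameworks_av/365962.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_av/365962.patch
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shruti Bihani <shrutibihani@google.com>
+Date: Thu, 6 Jul 2023 08:41:56 +0000
+Subject: [PATCH] Fix Segv on unknown address error flagged by fuzzer test.
+
+The error is thrown when the destructor tries to free pointer memory.
+This is happening for cases where the pointer was not initialized. Initializing it to a default value fixes the error.
+
+Bug: 245135112
+Test: Build mtp_host_property_fuzzer and run on the target device
+(cherry picked from commit 3afa6e80e8568fe63f893fa354bc79ef91d3dcc0)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d44311374e41a26b28db56794c9a7890a13a6972)
+Merged-In: I255cd68b7641e96ac47ab81479b9b46b78c15580
+Change-Id: I255cd68b7641e96ac47ab81479b9b46b78c15580
+---
+media/mtp/MtpProperty.h | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/media/mtp/MtpProperty.h b/media/mtp/MtpProperty.h
+index bfd5f7f59a..1eb8874af1 100644
+--- a/media/mtp/MtpProperty.h
++++ b/media/mtp/MtpProperty.h
+@@ -26,6 +26,9 @@ namespace android {
+class MtpDataPacket;
+
+struct MtpPropertyValue {
++ // pointer str initialized to NULL so that free operation
++ // is not called for pre-assigned value
++ MtpPropertyValue() : str (NULL) {}
+union {
+int8_t i8;
+uint8_t u8;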
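Review bot: The default constructor zeroes `str` only for default-constructed values; a MtpPropertyValue that is copied or assigned still shallow-copies the pointer, so if the destructor the commit message refers to frees `str`, two copies can still free the same buffer — worth confirming no copy path exists, or adding copy semantics that duplicate the string. A user-declared constructor also makes the struct non-aggregate, so any brace-initialisation of MtpPropertyValue elsewhere in the tree stops compiling; presumably caught by the build, but worth a grep on this branch. The comment would say why rather than what: `// Default-construct with str == NULL so the destructor never frees an indeterminate pointer`. The struct and its union continue outside the hunk.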
@ -0,0 +1,109 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= <matiashe@google.com>
|
||||
Date: Thu, 15 Jun 2023 18:31:34 +0200
|
||||
Subject: [PATCH] Forbid granting access to NLSes with too-long component names
|
||||
|
||||
This makes the limitation, which was previously only checked on the Settings UI, enforced everywhere.
|
||||
|
||||
Fixes: 260570119
|
||||
Fixes: 286043036
|
||||
Test: atest + manually
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc71156a29427c8b228129f5b1368392f297835b)
|
||||
Merged-In: I4c25d80978cb37a8fa1531f5045259d25ac64692
|
||||
Change-Id: I4c25d80978cb37a8fa1531f5045259d25ac64692
|
||||
---
|
||||
.../java/android/app/NotificationManager.java | 6 ++++
|
||||
.../NotificationManagerService.java | 5 ++++
|
||||
.../android/server/vr/VrManagerService.java | 6 +++-
|
||||
.../NotificationManagerServiceTest.java | 28 +++++++++++++++++++
|
||||
4 files changed, 44 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/core/java/android/app/NotificationManager.java b/core/java/android/app/NotificationManager.java
|
||||
index f6dc5d15f385..32f40a805502 100644
|
||||
--- a/core/java/android/app/NotificationManager.java
|
||||
+++ b/core/java/android/app/NotificationManager.java
|
||||
@@ -308,6 +308,12 @@ public class NotificationManager {
|
||||
*/
|
||||
public static final int IMPORTANCE_MAX = 5;
|
||||
|
||||
+ /**
|
||||
+ * Maximum length of the component name of a registered NotificationListenerService.
|
||||
+ * @hide
|
||||
+ */
|
||||
+ public static int MAX_SERVICE_COMPONENT_NAME_LENGTH = 500;
|
||||
+
|
||||
private static INotificationManager sService;
|
||||
|
||||
/** @hide */
|
||||
diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
|
||||
index 0ac51524a648..ca0ec012fb60 100755
|
||||
--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
|
||||
+++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
|
||||
@@ -3540,6 +3540,11 @@ public class NotificationManagerService extends SystemService {
|
||||
boolean granted) throws RemoteException {
|
||||
Preconditions.checkNotNull(listener);
|
||||
checkCallerIsSystemOrShell();
|
||||
+ if (granted && listener.flattenToString().length()
|
||||
+ > NotificationManager.MAX_SERVICE_COMPONENT_NAME_LENGTH) {
|
||||
+ throw new IllegalArgumentException(
|
||||
+ "Component name too long: " + listener.flattenToString());
|
||||
+ }
|
||||
final long identity = Binder.clearCallingIdentity();
|
||||
try {
|
||||
if (mAllowedManagedServicePackages.test(listener.getPackageName())) {
|
||||
diff --git a/services/core/java/com/android/server/vr/VrManagerService.java b/services/core/java/com/android/server/vr/VrManagerService.java
|
||||
index faa197e984cf..87f66de5c704 100644
|
||||
--- a/services/core/java/com/android/server/vr/VrManagerService.java
|
||||
+++ b/services/core/java/com/android/server/vr/VrManagerService.java
|
||||
@@ -1055,7 +1055,11 @@ public class VrManagerService extends SystemService
|
||||
|
||||
for (ComponentName c : possibleServices) {
|
||||
if (Objects.equals(c.getPackageName(), pkg)) {
|
||||
- nm.setNotificationListenerAccessGrantedForUser(c, userId, true);
|
||||
+ try {
|
||||
+ nm.setNotificationListenerAccessGrantedForUser(c, userId, true);
|
||||
+ } catch (Exception e) {
|
||||
+ Slog.w(TAG, "Could not grant NLS access to package " + pkg, e);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
|
||||
index 9592e1905b54..e073e6767da6 100644
|
||||
--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
|
||||
+++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
|
||||
@@ -2021,6 +2021,34 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
|
||||
any(), anyInt(), anyBoolean(), anyBoolean());
|
||||
}
|
||||
|
||||
+ @Test
|
||||
+ public void testSetListenerAccessForUser_grantWithNameTooLong_throws() throws Exception {
|
||||
+ UserHandle user = UserHandle.of(mContext.getUserId() + 10);
|
||||
+ ComponentName c = new ComponentName("com.example.package",
|
||||
+ com.google.common.base.Strings.repeat("Blah", 150));
|
||||
+
|
||||
+ try {
|
||||
+ mBinderService.setNotificationListenerAccessGrantedForUser(c, user.getIdentifier(),
|
||||
+ /* enabled= */ true);
|
||||
+ fail("Should've thrown IllegalArgumentException");
|
||||
+ } catch (IllegalArgumentException e) {
|
||||
+ // Good!
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ @Test
|
||||
+ public void testSetListenerAccessForUser_revokeWithNameTooLong_okay() throws Exception {
|
||||
+ UserHandle user = UserHandle.of(mContext.getUserId() + 10);
|
||||
+ ComponentName c = new ComponentName("com.example.package",
|
||||
+ com.google.common.base.Strings.repeat("Blah", 150));
|
||||
+
|
||||
+ mBinderService.setNotificationListenerAccessGrantedForUser(
|
||||
+ c, user.getIdentifier(), /* enabled= */ false);
|
||||
+
|
||||
+ verify(mListeners).setPackageOrComponentEnabled(
|
||||
+ c.flattenToString(), user.getIdentifier(), true, /* enabled= */ false);
|
||||
+ }
|
||||
+
|
||||
@Test
|
||||
public void testSetAssistantAccessForUser() throws Exception {
|
||||
UserHandle user = UserHandle.of(10);
|
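--- a/Patches/LineageOS-16.0/android_frameworks_base/365967.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/365967.patch
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Fri, 30 Jun 2023 14:36:44 -0700
+Subject: [PATCH] Update AccountManagerService checkKeyIntentParceledCorrectly.
+
+Bug: 265798288
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b117b506ec0504ff9eb2fa523e82f1879ecb8cc1)
+Merged-In: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb
+Change-Id: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb
+---
+.../com/android/server/accounts/AccountManagerService.java | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 36732273ab6f..ec15113c2c78 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -4827,6 +4827,9 @@ public class AccountManagerService
+Bundle simulateBundle = p.readBundle();
+p.recycle();
+Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
++ if (intent != null && intent.getClass() != Intent.class) {
++ return false;
++ }
+Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);
+if (intent == null) {
+return (simulateIntent == null);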
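Review bot: The new `intent.getClass() != Intent.class` guard rejects the subclass case silently, so an authenticator that ships a custom Intent subclass under KEY_INTENT is indistinguishable in the logs from a benign mismatch; add a log before `return false;`, e.g. `Log.w(TAG, "checkKeyIntentParceledCorrectly: rejecting " + intent.getClass().getName());` with the class's existing tag (outside the hunk), so detection can see the attempts. The reason for the exact-class test also belongs in a comment: `// An Intent subclass can unparcel to a different layout than the system re-parcels, so accept only android.content.Intent itself.` The enclosing method starts before the hunk.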
@ -0,0 +1,34 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Devin Moore <devinmoore@google.com>
|
||||
Date: Tue, 25 Apr 2023 00:17:13 +0000
|
||||
Subject: [PATCH] Allow sensors list to be empty
|
||||
|
||||
Test: atest VtsHalSensorManagerV1_0TargetTest
|
||||
Bug: 278013275
|
||||
Bug: 269014004
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:49600b10aa5675d4e7e985203d69f252ead13e45)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7057a9f08d98bfec8ffbabcf00f2885d3909c6c9)
|
||||
Merged-In: I091f57de9570b0ace3a8da76f16fe0e83f0aa624
|
||||
Change-Id: I091f57de9570b0ace3a8da76f16fe0e83f0aa624
|
||||
---
|
||||
libs/sensor/SensorManager.cpp | 7 ++-----
|
||||
1 file changed, 2 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/libs/sensor/SensorManager.cpp b/libs/sensor/SensorManager.cpp
|
||||
index d7210b10e0..35802db95c 100644
|
||||
--- a/libs/sensor/SensorManager.cpp
|
||||
+++ b/libs/sensor/SensorManager.cpp
|
||||
@@ -172,11 +172,8 @@ status_t SensorManager::assertStateLocked() {
|
||||
|
||||
mSensors = mSensorServer->getSensorList(mOpPackageName);
|
||||
size_t count = mSensors.size();
|
||||
- if (count == 0) {
|
||||
- ALOGE("Failed to get Sensor list");
|
||||
- mSensorServer.clear();
|
||||
- return UNKNOWN_ERROR;
|
||||
- }
|
||||
+ // If count is 0, mSensorList will be non-null. This is old
|
||||
+ // existing behavior and callers expect this.
|
||||
mSensorList =
|
||||
static_cast<Sensor const**>(malloc(count * sizeof(Sensor*)));
|
||||
LOG_ALWAYS_FATAL_IF(mSensorList == NULL, "mSensorList NULL");
|
@ -0,0 +1,48 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alisher Alikhodjaev <alisher@google.com>
|
||||
Date: Thu, 1 Jun 2023 13:44:28 -0700
|
||||
Subject: [PATCH] Ensure that SecureNFC setting cannot be bypassed
|
||||
|
||||
Bug: 268038643
|
||||
Test: ctsverifier
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6d8f79fd8d605b3cb460895a8e3a11bcf0c22b0)
|
||||
Merged-In: Ic408b3ef9e35b646b728f9b76a0ba8922ed6e25f
|
||||
Change-Id: Ic408b3ef9e35b646b728f9b76a0ba8922ed6e25f
|
||||
---
|
||||
src/com/android/nfc/NfcService.java | 6 ++++++
|
||||
src/com/android/nfc/cardemulation/HostEmulationManager.java | 5 +++--
|
||||
2 files changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/com/android/nfc/NfcService.java b/src/com/android/nfc/NfcService.java
|
||||
index 059d1826..a92e0456 100644
|
||||
--- a/src/com/android/nfc/NfcService.java
|
||||
+++ b/src/com/android/nfc/NfcService.java
|
||||
@@ -830,6 +830,12 @@ public class NfcService implements DeviceHostListener {
|
||||
}
|
||||
}
|
||||
|
||||
+ public boolean isSecureNfcEnabled() {
|
||||
+ synchronized (NfcService.this) {
|
||||
+ return mIsSecureNfcEnabled;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
final class NfcAdapterService extends INfcAdapter.Stub {
|
||||
/**
|
||||
* An interface for vendor specific extensions
|
||||
diff --git a/src/com/android/nfc/cardemulation/HostEmulationManager.java b/src/com/android/nfc/cardemulation/HostEmulationManager.java
|
||||
index 0a5ce363..739b3ffd 100644
|
||||
--- a/src/com/android/nfc/cardemulation/HostEmulationManager.java
|
||||
+++ b/src/com/android/nfc/cardemulation/HostEmulationManager.java
|
||||
@@ -169,8 +169,9 @@ public class HostEmulationManager {
|
||||
// Resolve to default
|
||||
// Check if resolvedService requires unlock
|
||||
ApduServiceInfo defaultServiceInfo = resolveInfo.defaultService;
|
||||
- if (defaultServiceInfo.requiresUnlock() &&
|
||||
- mKeyguard.isKeyguardLocked() && mKeyguard.isKeyguardSecure()) {
|
||||
+ if ((defaultServiceInfo.requiresUnlock()
|
||||
+ || NfcService.getInstance().isSecureNfcEnabled())
|
||||
+ && mKeyguard.isKeyguardLocked() && mKeyguard.isKeyguardSecure()) {
|
||||
// Just ignore all future APDUs until next tap
|
||||
mState = STATE_W4_DEACTIVATE;
|
||||
launchTapAgain(resolveInfo.defaultService, resolveInfo.category);
|
@ -0,0 +1,209 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Taran Singh <tarandeep@google.com>
|
||||
Date: Fri, 19 May 2023 23:17:47 +0000
|
||||
Subject: [PATCH] DO NOT MERGE: Prevent non-system IME from becoming device
|
||||
admin
|
||||
|
||||
Currently selected IME can inject KeyEvent on DeviceAdminAdd screen to
|
||||
activate itself as device admin and cause various DoS attacks.
|
||||
|
||||
This CL ensures KeyEvent on "Activate" button can only come from system
|
||||
apps.
|
||||
|
||||
Bug: 280793427
|
||||
Test: atest DeviceAdminActivationTest
|
||||
(cherry picked from commit 70a501d02e0a6aefd874767a15378ba998759373)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0ee3b96e59f3e5699c919af3642130fb33cd263b)
|
||||
Merged-In: I6470d1684d707f4b1e86f8b456be0b4e0af5f188
|
||||
Change-Id: I6470d1684d707f4b1e86f8b456be0b4e0af5f188
|
||||
---
|
||||
src/com/android/settings/DeviceAdminAdd.java | 120 ++++++++++---------
|
||||
1 file changed, 64 insertions(+), 56 deletions(-)
|
||||
|
||||
diff --git a/src/com/android/settings/DeviceAdminAdd.java b/src/com/android/settings/DeviceAdminAdd.java
|
||||
index fb21deb661..10d170ab6b 100644
|
||||
--- a/src/com/android/settings/DeviceAdminAdd.java
|
||||
+++ b/src/com/android/settings/DeviceAdminAdd.java
|
||||
@@ -49,6 +49,8 @@ import android.text.TextUtils.TruncateAt;
|
||||
import android.util.EventLog;
|
||||
import android.util.Log;
|
||||
import android.view.Display;
|
||||
+import android.view.KeyEvent;
|
||||
+import android.view.LayoutInflater;
|
||||
import android.view.View;
|
||||
import android.view.ViewGroup;
|
||||
import android.view.ViewTreeObserver;
|
||||
@@ -133,7 +135,7 @@ public class DeviceAdminAdd extends Activity {
|
||||
mAppOps = (AppOpsManager)getSystemService(Context.APP_OPS_SERVICE);
|
||||
PackageManager packageManager = getPackageManager();
|
||||
|
||||
- if ((getIntent().getFlags()&Intent.FLAG_ACTIVITY_NEW_TASK) != 0) {
|
||||
+ if ((getIntent().getFlags() & Intent.FLAG_ACTIVITY_NEW_TASK) != 0) {
|
||||
Log.w(TAG, "Cannot start ADD_DEVICE_ADMIN as a new task");
|
||||
finish();
|
||||
return;
|
||||
@@ -143,7 +145,7 @@ public class DeviceAdminAdd extends Activity {
|
||||
EXTRA_CALLED_FROM_SUPPORT_DIALOG, false);
|
||||
|
||||
String action = getIntent().getAction();
|
||||
- ComponentName who = (ComponentName)getIntent().getParcelableExtra(
|
||||
+ ComponentName who = (ComponentName) getIntent().getParcelableExtra(
|
||||
DevicePolicyManager.EXTRA_DEVICE_ADMIN);
|
||||
if (who == null) {
|
||||
String packageName = getIntent().getStringExtra(EXTRA_DEVICE_ADMIN_PACKAGE_NAME);
|
||||
@@ -201,7 +203,7 @@ public class DeviceAdminAdd extends Activity {
|
||||
PackageManager.GET_DISABLED_UNTIL_USED_COMPONENTS);
|
||||
int count = avail == null ? 0 : avail.size();
|
||||
boolean found = false;
|
||||
- for (int i=0; i<count; i++) {
|
||||
+ for (int i = 0; i < count; i++) {
|
||||
ResolveInfo ri = avail.get(i);
|
||||
if (ai.packageName.equals(ri.activityInfo.packageName)
|
||||
&& ai.name.equals(ri.activityInfo.name)) {
|
||||
@@ -284,12 +286,12 @@ public class DeviceAdminAdd extends Activity {
|
||||
|
||||
setContentView(R.layout.device_admin_add);
|
||||
|
||||
- mAdminIcon = (ImageView)findViewById(R.id.admin_icon);
|
||||
- mAdminName = (TextView)findViewById(R.id.admin_name);
|
||||
- mAdminDescription = (TextView)findViewById(R.id.admin_description);
|
||||
+ mAdminIcon = (ImageView) findViewById(R.id.admin_icon);
|
||||
+ mAdminName = (TextView) findViewById(R.id.admin_name);
|
||||
+ mAdminDescription = (TextView) findViewById(R.id.admin_description);
|
||||
mProfileOwnerWarning = (TextView) findViewById(R.id.profile_owner_warning);
|
||||
|
||||
- mAddMsg = (TextView)findViewById(R.id.add_msg);
|
||||
+ mAddMsg = (TextView) findViewById(R.id.add_msg);
|
||||
mAddMsgExpander = (ImageView) findViewById(R.id.add_msg_expander);
|
||||
final View.OnClickListener onClickListener = new View.OnClickListener() {
|
||||
@Override
|
||||
@@ -312,7 +314,7 @@ public class DeviceAdminAdd extends Activity {
|
||||
mAddMsgExpander.setVisibility(hideMsgExpander ? View.GONE : View.VISIBLE);
|
||||
if (hideMsgExpander) {
|
||||
mAddMsg.setOnClickListener(null);
|
||||
- ((View)mAddMsgExpander.getParent()).invalidate();
|
||||
+ ((View) mAddMsgExpander.getParent()).invalidate();
|
||||
}
|
||||
mAddMsg.getViewTreeObserver().removeOnGlobalLayoutListener(this);
|
||||
}
|
||||
@@ -330,7 +332,7 @@ public class DeviceAdminAdd extends Activity {
|
||||
mCancelButton.setOnClickListener(new View.OnClickListener() {
|
||||
public void onClick(View v) {
|
||||
EventLog.writeEvent(EventLogTags.EXP_DET_DEVICE_ADMIN_DECLINED_BY_USER,
|
||||
- mDeviceAdmin.getActivityInfo().applicationInfo.uid);
|
||||
+ mDeviceAdmin.getActivityInfo().applicationInfo.uid);
|
||||
finish();
|
||||
}
|
||||
});
|
||||
@@ -350,58 +352,64 @@ public class DeviceAdminAdd extends Activity {
|
||||
|
||||
final View restrictedAction = findViewById(R.id.restricted_action);
|
||||
restrictedAction.setFilterTouchesWhenObscured(true);
|
||||
- restrictedAction.setOnClickListener(new View.OnClickListener() {
|
||||
- public void onClick(View v) {
|
||||
- if (!mActionButton.isEnabled()) {
|
||||
- showPolicyTransparencyDialogIfRequired();
|
||||
- return;
|
||||
- }
|
||||
- if (mAdding) {
|
||||
- addAndFinish();
|
||||
- } else if (isManagedProfile(mDeviceAdmin)
|
||||
- && mDeviceAdmin.getComponent().equals(mDPM.getProfileOwner())) {
|
||||
- final int userId = UserHandle.myUserId();
|
||||
- UserDialogs.createRemoveDialog(DeviceAdminAdd.this, userId,
|
||||
- new DialogInterface.OnClickListener() {
|
||||
- @Override
|
||||
- public void onClick(DialogInterface dialog, int which) {
|
||||
- UserManager um = UserManager.get(DeviceAdminAdd.this);
|
||||
- um.removeUser(userId);
|
||||
- finish();
|
||||
- }
|
||||
+
|
||||
+ final View.OnClickListener restrictedActionClickListener = v -> {
|
||||
+ if (!mActionButton.isEnabled()) {
|
||||
+ showPolicyTransparencyDialogIfRequired();
|
||||
+ return;
|
||||
+ }
|
||||
+ if (mAdding) {
|
||||
+ addAndFinish();
|
||||
+ } else if (isManagedProfile(mDeviceAdmin)
|
||||
+ && mDeviceAdmin.getComponent().equals(mDPM.getProfileOwner())) {
|
||||
+ final int userId = UserHandle.myUserId();
|
||||
+ UserDialogs.createRemoveDialog(DeviceAdminAdd.this, userId,
|
||||
+ new DialogInterface.OnClickListener() {
|
||||
+ @Override
|
||||
+ public void onClick(DialogInterface dialog, int which) {
|
||||
+ UserManager um = UserManager.get(DeviceAdminAdd.this);
|
||||
+ um.removeUser(userId);
|
||||
+ finish();
|
||||
}
|
||||
- ).show();
|
||||
- } else if (mUninstalling) {
|
||||
- mDPM.uninstallPackageWithActiveAdmins(mDeviceAdmin.getPackageName());
|
||||
- finish();
|
||||
- } else if (!mWaitingForRemoveMsg) {
|
||||
- try {
|
||||
- // Don't allow the admin to put a dialog up in front
|
||||
- // of us while we interact with the user.
|
||||
- ActivityManager.getService().stopAppSwitches();
|
||||
- } catch (RemoteException e) {
|
||||
- }
|
||||
- mWaitingForRemoveMsg = true;
|
||||
- mDPM.getRemoveWarning(mDeviceAdmin.getComponent(),
|
||||
- new RemoteCallback(new RemoteCallback.OnResultListener() {
|
||||
- @Override
|
||||
- public void onResult(Bundle result) {
|
||||
- CharSequence msg = result != null
|
||||
- ? result.getCharSequence(
|
||||
- DeviceAdminReceiver.EXTRA_DISABLE_WARNING)
|
||||
- : null;
|
||||
- continueRemoveAction(msg);
|
||||
- }
|
||||
- }, mHandler));
|
||||
- // Don't want to wait too long.
|
||||
- getWindow().getDecorView().getHandler().postDelayed(new Runnable() {
|
||||
- @Override public void run() {
|
||||
- continueRemoveAction(null);
|
||||
}
|
||||
- }, 2*1000);
|
||||
+ ).show();
|
||||
+ } else if (mUninstalling) {
|
||||
+ mDPM.uninstallPackageWithActiveAdmins(mDeviceAdmin.getPackageName());
|
||||
+ finish();
|
||||
+ } else if (!mWaitingForRemoveMsg) {
|
||||
+ try {
|
||||
+ // Don't allow the admin to put a dialog up in front
|
||||
+ // of us while we interact with the user.
|
||||
+ ActivityManager.getService().stopAppSwitches();
|
||||
+ } catch (RemoteException e) {
|
||||
}
|
||||
+ mWaitingForRemoveMsg = true;
|
||||
+ mDPM.getRemoveWarning(mDeviceAdmin.getComponent(),
|
||||
+ new RemoteCallback(new RemoteCallback.OnResultListener() {
|
||||
+ @Override
|
||||
+ public void onResult(Bundle result) {
|
||||
+ CharSequence msg = result != null
|
||||
+ ? result.getCharSequence(
|
||||
+ DeviceAdminReceiver.EXTRA_DISABLE_WARNING)
|
||||
+ : null;
|
||||
+ continueRemoveAction(msg);
|
||||
+ }
|
||||
+ }, mHandler));
|
||||
+ // Don't want to wait too long.
|
||||
+ getWindow().getDecorView().getHandler().postDelayed(
|
||||
+ () -> continueRemoveAction(null), 2 * 1000);
|
||||
+ }
|
||||
+ };
|
||||
+ restrictedAction.setOnKeyListener((view, keyCode, keyEvent) -> {
|
||||
+ if ((keyEvent.getFlags() & KeyEvent.FLAG_FROM_SYSTEM) == 0) {
|
||||
+ Log.e(TAG, "Can not activate device-admin with KeyEvent from non-system app.");
|
||||
+ // Consume event to suppress click.
|
||||
+ return true;
|
||||
}
|
||||
+ // Fallback to view click handler.
|
||||
+ return false;
|
||||
});
|
||||
+ restrictedAction.setOnClickListener(restrictedActionClickListener);
|
||||
}
|
||||
|
||||
/**
|
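Review bot: The `FLAG_FROM_SYSTEM` test on `restrictedAction` is a UI-side gate that covers key events only; `View.performClick()` reached through an accessibility action or any other programmatic path does not go through `setOnKeyListener`, so if those callers are in the threat model they need a separate guard (the hunk shows none). The comment should explain the flag, since it is the whole fix: `// Key events an IME injects via InputConnection lack FLAG_FROM_SYSTEM; only accept activation that came through the input system.` Returning true for every non-system key code also swallows navigation keys from that source, which is acceptable here but worth a one-line note. Most of the hunk is cast spacing and lambda conversion; limiting a security backport to the functional lines makes it easier to audit on this branch.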
@ -0,0 +1,48 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pinyao Ting <pinyaoting@google.com>
|
||||
Date: Thu, 1 Jun 2023 18:12:44 -0700
|
||||
Subject: [PATCH] Fix permission issue in legacy shortcut
|
||||
|
||||
When building legacy shortcut, Launcher calls
|
||||
PackageManager#resolveActivity to retrieve necessary permission to
|
||||
launch the intent.
|
||||
|
||||
However, when the source app wraps an arbitrary intent within
|
||||
Intent#createChooser, the existing logic will fail because launching
|
||||
Chooser doesn't require additional permission.
|
||||
|
||||
This CL fixes the security vulnerability by performing the permission
|
||||
check against the intent that is wrapped within.
|
||||
|
||||
Bug: 270152142
|
||||
Test: manual
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c53818a16b4322a823497726ac7e7a44501b4442)
|
||||
Merged-In: If35344c08975e35085c7c2b9b814a3c457a144b0
|
||||
Change-Id: If35344c08975e35085c7c2b9b814a3c457a144b0
|
||||
---
|
||||
.../android/launcher3/util/PackageManagerHelper.java | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java
|
||||
index 0b3b632c02..4eac947fd0 100644
|
||||
--- a/src/com/android/launcher3/util/PackageManagerHelper.java
|
||||
+++ b/src/com/android/launcher3/util/PackageManagerHelper.java
|
||||
@@ -116,6 +116,18 @@ public class PackageManagerHelper {
|
||||
* any permissions
|
||||
*/
|
||||
public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
|
||||
+ // b/270152142
|
||||
+ if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
|
||||
+ final Bundle extras = intent.getExtras();
|
||||
+ if (extras == null) {
|
||||
+ return true;
|
||||
+ }
|
||||
+ // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
|
||||
+ intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
|
||||
+ if (intent == null) {
|
||||
+ return true;
|
||||
+ }
|
||||
+ }
|
||||
ResolveInfo target = mPm.resolveActivity(intent, 0);
|
||||
if (target == null) {
|
||||
// Not a valid target
|
@ -0,0 +1,138 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Ashish Kumar <akgaurav@google.com>
|
||||
Date: Fri, 26 May 2023 14:18:46 +0000
|
||||
Subject: [PATCH] RESTRICT AUTOMERGE Fixed leak of cross user data in multiple
|
||||
settings.
|
||||
|
||||
- Any app is allowed to receive GET_CONTENT intent. Using this, an user puts back in the intent an uri with data of another user.
|
||||
- Telephony service has INTERACT_ACROSS_USER permission. Using this, it reads and shows the deta to the evil user.
|
||||
|
||||
Fix: When telephony service gets the intent result, it checks if the uri is from the current user or not.
|
||||
|
||||
Bug: b/256591023 , b/256819787
|
||||
|
||||
Test: The malicious behaviour was not being reproduced. Unable to import contact from other users data.
|
||||
Test2: Able to import contact from the primary user or uri with no user id
|
||||
(These settings are not available for secondary users)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36e10a6d0d7b9efc543f8004729fa85751f4f70d)
|
||||
Merged-In: I1e3a643f17948153aecc1d0df9ffd9619ad678c1
|
||||
Change-Id: I1e3a643f17948153aecc1d0df9ffd9619ad678c1
|
||||
---
|
||||
.../android/phone/GsmUmtsCallForwardOptions.java | 12 ++++++++++++
|
||||
.../phone/settings/VoicemailSettingsActivity.java | 14 ++++++++++++++
|
||||
.../phone/settings/fdn/EditFdnContactScreen.java | 13 +++++++++++++
|
||||
3 files changed, 39 insertions(+)
|
||||
|
||||
diff --git a/src/com/android/phone/GsmUmtsCallForwardOptions.java b/src/com/android/phone/GsmUmtsCallForwardOptions.java
|
||||
index 77cc6cca6..aa1c797d4 100644
|
||||
--- a/src/com/android/phone/GsmUmtsCallForwardOptions.java
|
||||
+++ b/src/com/android/phone/GsmUmtsCallForwardOptions.java
|
||||
@@ -5,9 +5,12 @@ import com.android.internal.telephony.CommandsInterface;
|
||||
import com.android.internal.telephony.Phone;
|
||||
|
||||
import android.app.ActionBar;
|
||||
+import android.content.ContentProvider;
|
||||
import android.content.Intent;
|
||||
import android.database.Cursor;
|
||||
import android.os.Bundle;
|
||||
+import android.os.Process;
|
||||
+import android.os.UserHandle;
|
||||
import android.preference.Preference;
|
||||
import android.preference.PreferenceScreen;
|
||||
import android.telephony.CarrierConfigManager;
|
||||
@@ -156,6 +159,15 @@ public class GsmUmtsCallForwardOptions extends TimeConsumingPreferenceActivity {
|
||||
}
|
||||
Cursor cursor = null;
|
||||
try {
|
||||
+ // check if the URI returned by the user belongs to the user
|
||||
+ final int currentUser = UserHandle.getUserId(Process.myUid());
|
||||
+ if (currentUser
|
||||
+ != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {
|
||||
+
|
||||
+ Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "
|
||||
+ + "cannot access");
|
||||
+ return;
|
||||
+ }
|
||||
cursor = getContentResolver().query(data.getData(),
|
||||
NUM_PROJECTION, null, null, null);
|
||||
if ((cursor == null) || (!cursor.moveToFirst())) {
|
||||
diff --git a/src/com/android/phone/settings/VoicemailSettingsActivity.java b/src/com/android/phone/settings/VoicemailSettingsActivity.java
|
||||
index 0f58d195b..af9a746ed 100644
|
||||
--- a/src/com/android/phone/settings/VoicemailSettingsActivity.java
|
||||
+++ b/src/com/android/phone/settings/VoicemailSettingsActivity.java
|
||||
@@ -17,6 +17,7 @@
|
||||
package com.android.phone.settings;
|
||||
|
||||
import android.app.Dialog;
|
||||
+import android.content.ContentProvider;
|
||||
import android.content.DialogInterface;
|
||||
import android.content.Intent;
|
||||
import android.database.Cursor;
|
||||
@@ -25,6 +26,8 @@ import android.os.Bundle;
|
||||
import android.os.Handler;
|
||||
import android.os.Message;
|
||||
import android.os.PersistableBundle;
|
||||
+import android.os.Process;
|
||||
+import android.os.UserHandle;
|
||||
import android.os.UserManager;
|
||||
import android.preference.Preference;
|
||||
import android.preference.PreferenceActivity;
|
||||
@@ -522,6 +525,17 @@ public class VoicemailSettingsActivity extends PreferenceActivity
|
||||
|
||||
Cursor cursor = null;
|
||||
try {
|
||||
+ // check if the URI returned by the user belongs to the user
|
||||
+ final int currentUser = UserHandle.getUserId(Process.myUid());
|
||||
+ if (currentUser
|
||||
+ != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {
|
||||
+
|
||||
+ if (DBG) {
|
||||
+ log("onActivityResult: Contact data of different user, "
|
||||
+ + "cannot access");
|
||||
+ }
|
||||
+ return;
|
||||
+ }
|
||||
cursor = getContentResolver().query(data.getData(),
|
||||
new String[] { CommonDataKinds.Phone.NUMBER }, null, null, null);
|
||||
if ((cursor == null) || (!cursor.moveToFirst())) {
|
||||
diff --git a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
|
||||
index 921e947e4..e733e82bb 100644
|
||||
--- a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
|
||||
+++ b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
|
||||
@@ -18,9 +18,12 @@ package com.android.phone.settings.fdn;
|
||||
|
||||
import static android.view.Window.PROGRESS_VISIBILITY_OFF;
|
||||
import static android.view.Window.PROGRESS_VISIBILITY_ON;
|
||||
+import static android.app.Activity.RESULT_OK;
|
||||
+
|
||||
|
||||
import android.app.Activity;
|
||||
import android.content.AsyncQueryHandler;
|
||||
+import android.content.ContentProvider;
|
||||
import android.content.ContentResolver;
|
||||
import android.content.ContentValues;
|
||||
import android.content.Intent;
|
||||
@@ -29,6 +32,8 @@ import android.database.Cursor;
|
||||
import android.net.Uri;
|
||||
import android.os.Bundle;
|
||||
import android.os.Handler;
|
||||
+import android.os.Process;
|
||||
+import android.os.UserHandle;
|
||||
import android.provider.Contacts.PeopleColumns;
|
||||
import android.provider.Contacts.PhonesColumns;
|
||||
import android.provider.ContactsContract.CommonDataKinds;
|
||||
@@ -154,6 +159,14 @@ public class EditFdnContactScreen extends Activity {
|
||||
}
|
||||
Cursor cursor = null;
|
||||
try {
|
||||
+ // check if the URI returned by the user belongs to the user
|
||||
+ final int currentUser = UserHandle.getUserId(Process.myUid());
|
||||
+ if (currentUser
|
||||
+ != ContentProvider.getUserIdFromUri(intent.getData(), currentUser)) {
|
||||
+ Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "
|
||||
+ + "cannot access");
|
||||
+ return;
|
||||
+ }
|
||||
cursor = getContentResolver().query(intent.getData(),
|
||||
NUM_PROJECTION, null, null, null);
|
||||
if ((cursor == null) || (!cursor.moveToFirst())) {
|
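Review bot: The user-id check added in GsmUmtsCallForwardOptions, VoicemailSettingsActivity and EditFdnContactScreen compares only the `@userId` prefix of the returned URI; the phone process still queries whatever authority the GET_CONTENT responder hands back with its own permissions, so a URI for any other provider readable by the phone uid is accepted and its first column treated as a number. Restricting the authority as well, e.g. `if (!ContactsContract.AUTHORITY.equals(data.getData().getAuthority())) return;`, narrows that confused-deputy path (whether earlier checks outside the hunks already do this is not visible). `data.getData()` (`intent.getData()` in EditFdnContactScreen) is passed to `getUserIdFromUri` without a null check, where a null URI yields the default user and the later `query(null, ...)` throws; an explicit `if (data == null || data.getData() == null) return;` is clearer unless it already exists above the hunk. The same block is pasted three times with inconsistent logging (`Log.w` vs `if (DBG) log(...)`); a shared helper would keep the policy in one place.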
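--- a/Patches/LineageOS-16.0/android_system_bt/365979.patch
+++ b/Patches/LineageOS-16.0/android_system_bt/365979.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Tue, 16 May 2023 21:24:07 +0000
+Subject: [PATCH] Fix an integer overflow bug in avdt_msg_asmbl
+
+This is a backport of
+Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
+to rvc-dev
+
+Bug: 280633699
+Test: manual
+Ignore-AOSP-First: security
+Tag: #security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:26347d4bdba646bbba4d27337d2888a04de42639)
+Merged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
+Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
+---
+stack/avdt/avdt_msg.cc | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
+index 453e18642..3576b74e6 100644
+--- a/stack/avdt/avdt_msg.cc
++++ b/stack/avdt/avdt_msg.cc
+@@ -1261,14 +1261,14 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
+* NOTE: The buffer is allocated above at the beginning of the
+* reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE.
+*/
+- uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
++ size_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
+
+/* adjust offset and len of fragment for header byte */
+p_buf->offset += AVDT_LEN_TYPE_CONT;
+p_buf->len -= AVDT_LEN_TYPE_CONT;
+
+/* verify length */
+- if ((p_ccb->p_rx_msg->offset + p_buf->len) > buf_len) {
++ if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len) {
+/* won't fit; free everything */
+AVDT_TRACE_WARNING("%s: Fragmented message too big!", __func__);
+osi_free_and_reset((void**)&p_ccb->p_rx_msg);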
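Review bot: The widened comparison on the new `if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len)` line carries no comment saying why both operands are cast, so a later cleanup could drop the casts and silently reintroduce the uint16_t wrap this patch closes; add `/* widen before adding: offset + len must not wrap in uint16_t arithmetic */` above it. Since avdt_msg.cc is C++, `static_cast<size_t>(...)` would match the file's language better than the C-style casts. The preceding `p_buf->len -= AVDT_LEN_TYPE_CONT` on a context line can still wrap for a fragment shorter than the header byte, but the widened check then rejects the resulting oversized len, so that case appears covered. avdt_msg_asmbl begins and ends outside the hunk.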
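--- a/Patches/LineageOS-16.0/android_system_bt/365980.patch
+++ b/Patches/LineageOS-16.0/android_system_bt/365980.patch
@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Fri, 19 May 2023 19:17:16 +0000
+Subject: [PATCH] Fix integer overflow in build_read_multi_rsp
+
+Local variables tracking structure size in build_read_multi_rsp are of
+uint16 type but accept a full uint16 range from function arguments while
+appending a fixed-length offset. This can lead to an integer overflow
+and unexpected behavior.
+
+Change the locals to size_t, and add a check during reasssignment.
+
+Bug: 273966636
+Test: atest bluetooth_test_gd_unit, net_test_stack_btm
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:53f64274cbf2268ad6db5af9c61ceead9ef64fb0)
+Merged-In: Iff252f0dd06aac9776e8548631e0b700b3ed85b9
+Change-Id: Iff252f0dd06aac9776e8548631e0b700b3ed85b9
+---
+stack/gatt/gatt_sr.cc | 17 ++++++++++++-----
+1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index b9921fee6..d4e3c046b 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -113,7 +113,8 @@ void gatt_dequeue_sr_cmd(tGATT_TCB& tcb) {
+******************************************************************************/
+static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+tGATTS_RSP* p_msg, uint16_t mtu) {
+- uint16_t ii, total_len, len;
++ uint16_t ii;
++ size_t total_len, len;
+uint8_t* p;
+bool is_overflow = false;
+
+@@ -168,16 +169,22 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+len = p_rsp->attr_value.len - (total_len - mtu);
+is_overflow = true;
+VLOG(1) << StringPrintf(
+- "multi read overflow available len=%d val_len=%d", len,
++ "multi read overflow available len=%zu val_len=%d", len,
+p_rsp->attr_value.len);
+} else {
+len = p_rsp->attr_value.len;
+}
+
+if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
+- memcpy(p, p_rsp->attr_value.value, len);
+- if (!is_overflow) p += len;
+- p_buf->len += len;
++ // check for possible integer overflow
++ if (p_buf->len + len <= UINT16_MAX) {
++ memcpy(p, p_rsp->attr_value.value, len);
++ if (!is_overflow) p += len;
++ p_buf->len += len;
++ } else {
++ p_cmd->status = GATT_NOT_FOUND;
++ break;
++ }
+} else {
+p_cmd->status = GATT_NOT_FOUND;
+break;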
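Review bot: The new `else` arm is a byte-for-byte copy of the existing one below it (`p_cmd->status = GATT_NOT_FOUND; break;`), and it reports a length overflow as a missing handle; folding the bound into the outer condition removes the duplication: `if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii] && p_buf->len + len <= UINT16_MAX) {`, and if this stack defines a length-related status it would describe the failure more honestly than GATT_NOT_FOUND. The check only keeps `p_buf->len` from wrapping; whether `p` has room for `len` bytes still rests on the mtu-based truncation computed earlier in the loop, so the new comment would be more useful as `// keep p_buf->len (uint16_t) from wrapping; capacity itself is bounded by the mtu check above`. The embedded subject and description name `build_read_multi_rsp` while the hunk is in `process_read_multi_rsp`, which will confuse anyone grepping for the fix. process_read_multi_rsp starts before and ends after this hunk.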
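--- a/Patches/LineageOS-16.0/android_system_bt/365981.patch
+++ b/Patches/LineageOS-16.0/android_system_bt/365981.patch
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Thu, 27 Apr 2023 20:43:58 +0000
+Subject: [PATCH] Fix potential abort in btu_av_act.cc
+
+Partner analysis shows that bta_av_rc_msg does not respect handling
+established for a null browse packet, instead dispatching the null
+pointer to bta_av_rc_free_browse_msg. Strictly speaking this does
+not cause a UAF, as osi_free_and_reset will find the null and abort,
+but it will lead to improper program termination.
+
+Handle the case instead.
+
+Bug: 269253349
+Test: atest bluetooth_test_gd_unit
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9)
+Merged-In: I4df7045798b663fbefd7434288dc9383216171a7
+Change-Id: I4df7045798b663fbefd7434288dc9383216171a7
+---
+bta/av/bta_av_act.cc | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
+index 112645ecf..0cd7b5d00 100644
+--- a/bta/av/bta_av_act.cc
++++ b/bta/av/bta_av_act.cc
+@@ -997,7 +997,10 @@ void bta_av_rc_msg(tBTA_AV_CB* p_cb, tBTA_AV_DATA* p_data) {
+av.remote_cmd.rc_handle = p_data->rc_msg.handle;
+(*p_cb->p_cback)(evt, &av);
+/* If browsing message, then free the browse message buffer */
+- bta_av_rc_free_browse_msg(p_cb, p_data);
++ if (p_data->rc_msg.opcode == AVRC_OP_BROWSE &&
++ p_data->rc_msg.msg.browse.p_browse_pkt != NULL) {
++ bta_av_rc_free_browse_msg(p_cb, p_data);
++ }
+}
+}
+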
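Review bot: The null guard added around `bta_av_rc_free_browse_msg(p_cb, p_data)` protects only this call site; if the helper has other callers (its body is outside the hunk), a null browse packet would still reach osi_free_and_reset through them, so the check belongs inside bta_av_rc_free_browse_msg itself, with this site left as a plain call. In a .cc file `nullptr` reads better than `NULL`: `p_data->rc_msg.msg.browse.p_browse_pkt != nullptr`. The comment above the call still describes the old unconditional behaviour; `/* If browsing message with a packet attached, free the browse message buffer */` would match the new code. bta_av_rc_msg begins before this hunk.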
@ -0,0 +1,39 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Thu, 1 Jun 2023 23:57:58 +0000
Subject: [PATCH] Fix UAF in gatt_cl.cc
gatt_cl.cc accesses a header field after the buffer holding it may have
been freed.
Track the relevant state as a local variable instead.
Bug: 274617156
Test: atest: bluetooth, validated against fuzzer
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7a7f7f3311202065de4b2c17b49994053dd1244)
Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
---
stack/gatt/gatt_cl.cc | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index f8d5bab92..ef77f590d 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -587,7 +587,12 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
memcpy(value.value, p, value.len);
- if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {
+ bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);
+
+ // We now know that we have not terminated, or else we would have returned
+ // early. We free the buffer only if the subtype is not equal to
+ // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF.
+ if (subtype_is_write_prepare) {
p_clcb->status = GATT_SUCCESS;
/* application should verify handle offset
and value are matched or not */
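Review bot: The snapshot `subtype_is_write_prepare` is read exactly once, in the `if` immediately after it is computed, which is the same place the removed line read `p_clcb->op_subtype`; with the diffstat showing only 6 insertions and 1 deletion, no access has actually been moved ahead of a free, so in this tree the backport appears to be a behavioural no-op. Either the late read that the upstream fix guards against does not exist in this older gatt_cl.cc (in which case the patch is harmless but should be documented as such), or it lies further down gatt_process_prep_write_rsp, outside the hunk, and still needs to be switched to the local. Since the local is never reassigned, declare it `const bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);`, and extend the new comment with `// p_clcb may be freed below; do not dereference it after this point` so the rule is stated rather than implied.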
@ -0,0 +1,50 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Thu, 1 Jun 2023 13:44:28 -0700
Subject: [PATCH] Ensure that SecureNFC setting cannot be bypassed
Bug: 268038643
Test: ctsverifier
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6d8f79fd8d605b3cb460895a8e3a11bcf0c22b0)
Merged-In: Ic408b3ef9e35b646b728f9b76a0ba8922ed6e25f
Change-Id: Ic408b3ef9e35b646b728f9b76a0ba8922ed6e25f
Change-Id: Ib0baa833fe31c72825889b729c83a1d70a5a6a72
---
src/com/android/nfc/NfcService.java | 6 ++++++
src/com/android/nfc/cardemulation/HostEmulationManager.java | 5 +++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/com/android/nfc/NfcService.java b/src/com/android/nfc/NfcService.java
index 28a1b92c..63cbed97 100644
--- a/src/com/android/nfc/NfcService.java
+++ b/src/com/android/nfc/NfcService.java
@@ -1768,6 +1768,12 @@ public class NfcService implements DeviceHostListener {
}
}
+ public boolean isSecureNfcEnabled() {
+ synchronized (NfcService.this) {
+ return mIsSecureNfcEnabled;
+ }
+ }
+
final class NfcAdapterService extends INfcAdapter.Stub {
@Override
public boolean enable() throws RemoteException {
diff --git a/src/com/android/nfc/cardemulation/HostEmulationManager.java b/src/com/android/nfc/cardemulation/HostEmulationManager.java
index 91001582..ad4a3bd7 100644
--- a/src/com/android/nfc/cardemulation/HostEmulationManager.java
+++ b/src/com/android/nfc/cardemulation/HostEmulationManager.java
@@ -209,8 +209,9 @@ public class HostEmulationManager {
// Resolve to default
// Check if resolvedService requires unlock
NQApduServiceInfo defaultServiceInfo = resolveInfo.defaultService;
- if (defaultServiceInfo.requiresUnlock() &&
- mKeyguard.isKeyguardLocked() && mKeyguard.isKeyguardSecure()) {
+ if ((defaultServiceInfo.requiresUnlock()
+ || NfcService.getInstance().isSecureNfcEnabled())
+ && mKeyguard.isKeyguardLocked() && mKeyguard.isKeyguardSecure()) {
// Just ignore all future APDUs until next tap
mState = STATE_W4_DEACTIVATE;
launchTapAgain(resolveInfo.defaultService, resolveInfo.category);
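Review bot: The new secure-NFC condition in HostEmulationManager sits only on the "Resolve to default" path shown in the hunk; if other branches of the same resolution code (outside the hunk) hand an APDU to a service without consulting `NfcService.getInstance().isSecureNfcEnabled()`, the setting could still be bypassed there, so the check is better placed at the one point where the service is selected than repeated per branch. The added `isSecureNfcEnabled()` in NfcService has no Javadoc; add `/** Returns whether the Secure NFC setting is currently enabled; read under the service lock. */`. Inside an instance method `synchronized (NfcService.this)` locks the same object as `synchronized (this)`, so the shorter form reads more naturally unless the explicit outer-instance form is this file's convention. Both enclosing classes extend well beyond the hunks.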
@ -99,7 +99,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
sed -i 's/2022-01-05/2023-08-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-08 #XXX
sed -i 's/2022-01-05/2023-09-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-09 #XXX
fi;
if enterAndClear "build/soong"; then
@ -158,6 +158,7 @@ awk -i inplace '!/deletePackage/' pico/src/com/svox/pico/LangPackUninstaller.jav
fi;
if enterAndClear "frameworks/av"; then
applyPatch "$DOS_PATCHES/android_frameworks_av/365962.patch"; #R_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
fi;
@ -177,6 +178,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/364035-backport.patch"; #R_asb_
applyPatch "$DOS_PATCHES/android_frameworks_base/364036-backport.patch"; #R_asb_2023-08 Verify URI permissions in MediaMetadata
applyPatch "$DOS_PATCHES/android_frameworks_base/364037.patch"; #R_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
applyPatch "$DOS_PATCHES/android_frameworks_base/364038-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user.
applyPatch "$DOS_PATCHES/android_frameworks_base/365966-backport.patch"; #R_asb_2023-09 Forbid granting access to NLSes with too-long component names
applyPatch "$DOS_PATCHES/android_frameworks_base/365967.patch"; #R_asb_2023-09 Update AccountManagerService checkKeyIntentParceledCorrectly.
applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@ -221,6 +224,7 @@ rm -rf packages/PrintRecommendationService; #Creates popups to install proprieta
fi;
if enterAndClear "frameworks/native"; then
applyPatch "$DOS_PATCHES/android_frameworks_native/365969-backport.patch"; #R_asb_2023-09 Allow sensors list to be empty
applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS)
fi;
@ -311,6 +315,7 @@ cp -f "$DOS_PATCHES_COMMON/contributors.db" assets/contributors.db; #Update cont
fi;
if enterAndClear "packages/apps/Nfc"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/365970.patch"; #R_asb_2023-09 Ensure that SecureNFC setting cannot be bypassed
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
fi;
@ -322,6 +327,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Sensors_Per
fi;
if enterAndClear "packages/apps/Settings"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/365973-backport.patch"; #R_asb_2023-09 Prevent non-system IME from becoming device admin
git revert --no-edit c240992b4c86c7f226290807a2f41f2619e7e5e8; #Don't hide OEM unlock
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch) #TODO: Needs work
@ -340,6 +346,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics
fi;
if enterAndClear "packages/apps/Trebuchet"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/365974.patch"; #R_asb_2023-09 Fix permission issue in legacy shortcut
cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed
fi;
@ -369,6 +376,7 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/364041-backport.patc
fi;
if enterAndClear "packages/services/Telephony"; then
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/365978-backport.patch"; #R_asb_2023-09 Fixed leak of cross user data in multiple settings.
git revert --no-edit 99564aaf0417c9ddf7d6aeb10d326e5b24fa8f55;
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #(DivestOS)
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
@ -376,6 +384,10 @@ fi;
if enterAndClear "system/bt"; then
applyPatch "$DOS_PATCHES/android_system_bt/360969.patch"; #R_asb_2023-07 Fix gatt_end_operation buffer overflow
applyPatch "$DOS_PATCHES/android_system_bt/365979.patch"; #R_asb_2023-09 Fix an integer overflow bug in avdt_msg_asmbl
applyPatch "$DOS_PATCHES/android_system_bt/365980.patch"; #R_asb_2023-09 Fix integer overflow in build_read_multi_rsp
applyPatch "$DOS_PATCHES/android_system_bt/365981.patch"; #R_asb_2023-09 Fix potential abort in btu_av_act.cc
applyPatch "$DOS_PATCHES/android_system_bt/365982-backport.patch"; #R_asb_2023-09 Fix UAF in gatt_cl.cc
#applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
fi;
@ -410,6 +422,10 @@ if enterAndClear "vendor/nxp/opensource/commonsys/external/libnfc-nci"; then
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/360974-backport.patch"; #R_asb_2023-07 OOBW in rw_i93_send_to_upper()
fi;
if enterAndClear "vendor/nxp/opensource/commonsys/packages/apps/Nfc/"; then
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_commonsys_packages_apps_Nfc/365983-backport.patch"; #R_asb_2023-09 Ensure that SecureNFC setting cannot be bypassed
fi;
if enterAndClear "system/sepolicy"; then
applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
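Review bot: The new `if enterAndClear "vendor/nxp/opensource/commonsys/packages/apps/Nfc/"; then` line ends with a trailing slash, unlike every other enterAndClear path in these hunks (compare `"packages/apps/Nfc"` and `"vendor/nxp/opensource/commonsys/external/libnfc-nci"`); drop it so the line reads `if enterAndClear "vendor/nxp/opensource/commonsys/packages/apps/Nfc"; then`. Whether enterAndClear tolerates the extra slash cannot be confirmed here, since its definition is outside the page, which is one more reason to keep the call sites uniform. The other hunks in this file only add applyPatch lines or replace the security-string sed, and raise nothing further.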
@ -150,7 +150,6 @@ if enterAndClear "frameworks/av"; then
applyPatch "$DOS_PATCHES/android_frameworks_av/365962.patch"; #R_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
fi;
if enterAndClear "frameworks/base"; then
applyPatch "$DOS_PATCHES/android_frameworks_base/360952-backport.patch"; #R_asb_2023-07 Passpoint Add more check to limit the config size
applyPatch "$DOS_PATCHES/android_frameworks_base/360953-backport.patch"; #R_asb_2023-07 Sanitize VPN label to prevent HTML injection