From 033c600eacdf0fc432a572c364b121507b4643f0 Mon Sep 17 00:00:00 2001 From: Tad Date: Mon, 11 Sep 2023 15:53:11 -0400 Subject: [PATCH] 16.0 September ASB work 
Signed-off-by: Tad --- .../android_frameworks_av/365962.patch | 32 +++ .../365966-backport.patch | 109 +++++++++ .../android_frameworks_base/365967.patch | 28 +++ .../365969-backport.patch | 34 +++ .../android_packages_apps_Nfc/365970.patch | 48 ++++ .../365973-backport.patch | 209 ++++++++++++++++++ .../365974.patch | 48 ++++ .../365978-backport.patch | 138 ++++++++++++ .../android_system_bt/365979.patch | 41 ++++ .../android_system_bt/365980.patch | 64 ++++++ .../android_system_bt/365981.patch | 40 ++++ .../android_system_bt/365982-backport.patch | 39 ++++ .../365983-backport.patch | 50 +++++ Scripts/LineageOS-16.0/Patch.sh | 18 +- Scripts/LineageOS-17.1/Patch.sh | 1 - 15 files changed, 897 insertions(+), 2 deletions(-) create mode 100644 Patches/LineageOS-16.0/android_frameworks_av/365962.patch create mode 100644 Patches/LineageOS-16.0/android_frameworks_base/365966-backport.patch create mode 100644 Patches/LineageOS-16.0/android_frameworks_base/365967.patch create mode 100644 Patches/LineageOS-16.0/android_frameworks_native/365969-backport.patch create mode 100644 Patches/LineageOS-16.0/android_packages_apps_Nfc/365970.patch create mode 100644 Patches/LineageOS-16.0/android_packages_apps_Settings/365973-backport.patch create mode 100644 Patches/LineageOS-16.0/android_packages_apps_Trebuchet/365974.patch create mode 100644 Patches/LineageOS-16.0/android_packages_services_Telephony/365978-backport.patch create mode 100644 Patches/LineageOS-16.0/android_system_bt/365979.patch create mode 100644 Patches/LineageOS-16.0/android_system_bt/365980.patch create mode 100644 Patches/LineageOS-16.0/android_system_bt/365981.patch create mode 100644 Patches/LineageOS-16.0/android_system_bt/365982-backport.patch create mode 100644 Patches/LineageOS-16.0/android_vendor_nxp_opensource_commonsys_packages_apps_Nfc/365983-backport.patch 
diff --git a/Patches/LineageOS-16.0/android_frameworks_av/365962.patch b/Patches/LineageOS-16.0/android_frameworks_av/365962.patch new file mode 100644 index 00000000..77074939 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_av/365962.patch @@ -0,0 +1,32 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Shruti Bihani +Date: Thu, 6 Jul 2023 08:41:56 +0000 +Subject: [PATCH] Fix Segv on unknown address error flagged by fuzzer test. + +The error is thrown when the destructor tries to free pointer memory. +This is happening for cases where the pointer was not initialized. Initializing it to a default value fixes the error. + +Bug: 245135112 +Test: Build mtp_host_property_fuzzer and run on the target device +(cherry picked from commit 3afa6e80e8568fe63f893fa354bc79ef91d3dcc0) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d44311374e41a26b28db56794c9a7890a13a6972) +Merged-In: I255cd68b7641e96ac47ab81479b9b46b78c15580 +Change-Id: I255cd68b7641e96ac47ab81479b9b46b78c15580 +--- + media/mtp/MtpProperty.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/media/mtp/MtpProperty.h b/media/mtp/MtpProperty.h +index bfd5f7f59a..1eb8874af1 100644 +--- a/media/mtp/MtpProperty.h ++++ b/media/mtp/MtpProperty.h +@@ -26,6 +26,9 @@ namespace android { + class MtpDataPacket; + + struct MtpPropertyValue { ++ // pointer str initialized to NULL so that free operation ++ // is not called for pre-assigned value ++ MtpPropertyValue() : str (NULL) {} + union { + int8_t i8; + uint8_t u8; diff --git a/Patches/LineageOS-16.0/android_frameworks_base/365966-backport.patch b/Patches/LineageOS-16.0/android_frameworks_base/365966-backport.patch new file mode 100644 index 00000000..086d1d86 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/365966-backport.patch 
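Review bot: Adding the user-declared constructor `MtpPropertyValue() : str (NULL) {}` makes MtpPropertyValue a non-aggregate, so any brace- or zero-initialization of the struct elsewhere in media/mtp (none is visible in this hunk) would stop compiling once this lands on the 16.0 tree; a build of the MTP host and device code before merging would settle that. The initializer also clears only the pointer-sized bytes of the anonymous union; if the union in this tree carries members wider than the `i8`/`u8` shown here, the rest stays indeterminate, and a comment such as `// only str is cleared here; the other union members are written before they are read` would record that assumption. The struct definition continues past the end of the hunk.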
@@ -0,0 +1,109 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= +Date: Thu, 15 Jun 2023 18:31:34 +0200 +Subject: [PATCH] Forbid granting access to NLSes with too-long component names + +This makes the limitation, which was previously only checked on the Settings UI, enforced everywhere. + +Fixes: 260570119 +Fixes: 286043036 +Test: atest + manually +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc71156a29427c8b228129f5b1368392f297835b) +Merged-In: I4c25d80978cb37a8fa1531f5045259d25ac64692 +Change-Id: I4c25d80978cb37a8fa1531f5045259d25ac64692 +--- + .../java/android/app/NotificationManager.java | 6 ++++ + .../NotificationManagerService.java | 5 ++++ + .../android/server/vr/VrManagerService.java | 6 +++- + .../NotificationManagerServiceTest.java | 28 +++++++++++++++++++ + 4 files changed, 44 insertions(+), 1 deletion(-) + +diff --git a/core/java/android/app/NotificationManager.java b/core/java/android/app/NotificationManager.java +index f6dc5d15f385..32f40a805502 100644 +--- a/core/java/android/app/NotificationManager.java ++++ b/core/java/android/app/NotificationManager.java +@@ -308,6 +308,12 @@ public class NotificationManager { + */ + public static final int IMPORTANCE_MAX = 5; + ++ /** ++ * Maximum length of the component name of a registered NotificationListenerService. 
++ * @hide ++ */ ++ public static int MAX_SERVICE_COMPONENT_NAME_LENGTH = 500; ++ + private static INotificationManager sService; + + /** @hide */ +diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java +index 0ac51524a648..ca0ec012fb60 100755 +--- a/services/core/java/com/android/server/notification/NotificationManagerService.java ++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java +@@ -3540,6 +3540,11 @@ public class NotificationManagerService extends SystemService { + boolean granted) throws RemoteException { + Preconditions.checkNotNull(listener); + checkCallerIsSystemOrShell(); ++ if (granted && listener.flattenToString().length() ++ > NotificationManager.MAX_SERVICE_COMPONENT_NAME_LENGTH) { ++ throw new IllegalArgumentException( ++ "Component name too long: " + listener.flattenToString()); ++ } + final long identity = Binder.clearCallingIdentity(); + try { + if (mAllowedManagedServicePackages.test(listener.getPackageName())) { +diff --git a/services/core/java/com/android/server/vr/VrManagerService.java b/services/core/java/com/android/server/vr/VrManagerService.java +index faa197e984cf..87f66de5c704 100644 +--- a/services/core/java/com/android/server/vr/VrManagerService.java ++++ b/services/core/java/com/android/server/vr/VrManagerService.java +@@ -1055,7 +1055,11 @@ public class VrManagerService extends SystemService + + for (ComponentName c : possibleServices) { + if (Objects.equals(c.getPackageName(), pkg)) { +- nm.setNotificationListenerAccessGrantedForUser(c, userId, true); ++ try { ++ nm.setNotificationListenerAccessGrantedForUser(c, userId, true); ++ } catch (Exception e) { ++ Slog.w(TAG, "Could not grant NLS access to package " + pkg, e); ++ } + } + } + } +diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java 
b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +index 9592e1905b54..e073e6767da6 100644 +--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java ++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +@@ -2021,6 +2021,34 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + any(), anyInt(), anyBoolean(), anyBoolean()); + } + ++ @Test ++ public void testSetListenerAccessForUser_grantWithNameTooLong_throws() throws Exception { ++ UserHandle user = UserHandle.of(mContext.getUserId() + 10); ++ ComponentName c = new ComponentName("com.example.package", ++ com.google.common.base.Strings.repeat("Blah", 150)); ++ ++ try { ++ mBinderService.setNotificationListenerAccessGrantedForUser(c, user.getIdentifier(), ++ /* enabled= */ true); ++ fail("Should've thrown IllegalArgumentException"); ++ } catch (IllegalArgumentException e) { ++ // Good! ++ } ++ } ++ ++ @Test ++ public void testSetListenerAccessForUser_revokeWithNameTooLong_okay() throws Exception { ++ UserHandle user = UserHandle.of(mContext.getUserId() + 10); ++ ComponentName c = new ComponentName("com.example.package", ++ com.google.common.base.Strings.repeat("Blah", 150)); ++ ++ mBinderService.setNotificationListenerAccessGrantedForUser( ++ c, user.getIdentifier(), /* enabled= */ false); ++ ++ verify(mListeners).setPackageOrComponentEnabled( ++ c.flattenToString(), user.getIdentifier(), true, /* enabled= */ false); ++ } ++ + @Test + public void testSetAssistantAccessForUser() throws Exception { + UserHandle user = UserHandle.of(10); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/365967.patch b/Patches/LineageOS-16.0/android_frameworks_base/365967.patch new file mode 100644 index 00000000..02e2c7d5 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/365967.patch 
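Review bot: `public static int MAX_SERVICE_COMPONENT_NAME_LENGTH = 500;` in NotificationManager is a mutable public static for a limit that NotificationManagerService enforces, and should be `public static final int MAX_SERVICE_COMPONENT_NAME_LENGTH = 500;` so nothing loaded into system_server can move the bound at runtime. The length guard is only visible in `setNotificationListenerAccessGrantedForUser`; the non-user `setNotificationListenerAccessGranted` and the assistant and condition-provider grant paths are outside this hunk, so confirm on the 16.0 tree that they delegate here or carry the same check, otherwise the too-long component the Settings UI already rejected stays reachable over Binder. The `catch (Exception e)` added in VrManagerService also swallows RemoteException and SecurityException from the grant, which is acceptable for a best-effort grant but deserves a one-line comment saying so.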
@@ -0,0 +1,28 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Dmitry Dementyev +Date: Fri, 30 Jun 2023 14:36:44 -0700 +Subject: [PATCH] Update AccountManagerService checkKeyIntentParceledCorrectly. + +Bug: 265798288 +Test: manual +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b117b506ec0504ff9eb2fa523e82f1879ecb8cc1) +Merged-In: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb +Change-Id: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb +--- + .../com/android/server/accounts/AccountManagerService.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index 36732273ab6f..ec15113c2c78 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -4827,6 +4827,9 @@ public class AccountManagerService + Bundle simulateBundle = p.readBundle(); + p.recycle(); + Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); ++ if (intent != null && intent.getClass() != Intent.class) { ++ return false; ++ } + Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT); + if (intent == null) { + return (simulateIntent == null); diff --git a/Patches/LineageOS-16.0/android_frameworks_native/365969-backport.patch b/Patches/LineageOS-16.0/android_frameworks_native/365969-backport.patch new file mode 100644 index 00000000..6f19c8f7 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_native/365969-backport.patch 
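Review bot: The new guard `if (intent != null && intent.getClass() != Intent.class) return false;` in checkKeyIntentParceledCorrectly rejects silently, and the method's remaining comparison of `intent` with `simulateIntent` lies outside the hunk, so in a bug report a rejected subclassed Intent looks the same as an ordinary parcel mismatch. A line such as `Log.w(TAG, "KEY_INTENT is not a plain Intent: " + intent.getClass().getName());` before the `return false` would make the rejection observable. Separately, `Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);` inserts a cast to Intent, so a non-Intent Parcelable under that key would throw ClassCastException before this check runs; if the caller does not already handle that, it is a case the new guard does not cover.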
@@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Devin Moore +Date: Tue, 25 Apr 2023 00:17:13 +0000 +Subject: [PATCH] Allow sensors list to be empty + +Test: atest VtsHalSensorManagerV1_0TargetTest +Bug: 278013275 +Bug: 269014004 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:49600b10aa5675d4e7e985203d69f252ead13e45) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7057a9f08d98bfec8ffbabcf00f2885d3909c6c9) +Merged-In: I091f57de9570b0ace3a8da76f16fe0e83f0aa624 +Change-Id: I091f57de9570b0ace3a8da76f16fe0e83f0aa624 +--- + libs/sensor/SensorManager.cpp | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/libs/sensor/SensorManager.cpp b/libs/sensor/SensorManager.cpp +index d7210b10e0..35802db95c 100644 +--- a/libs/sensor/SensorManager.cpp ++++ b/libs/sensor/SensorManager.cpp +@@ -172,11 +172,8 @@ status_t SensorManager::assertStateLocked() { + + mSensors = mSensorServer->getSensorList(mOpPackageName); + size_t count = mSensors.size(); +- if (count == 0) { +- ALOGE("Failed to get Sensor list"); +- mSensorServer.clear(); +- return UNKNOWN_ERROR; +- } ++ // If count is 0, mSensorList will be non-null. This is old ++ // existing behavior and callers expect this. + mSensorList = + static_cast(malloc(count * sizeof(Sensor*))); + LOG_ALWAYS_FATAL_IF(mSensorList == NULL, "mSensorList NULL"); diff --git a/Patches/LineageOS-16.0/android_packages_apps_Nfc/365970.patch b/Patches/LineageOS-16.0/android_packages_apps_Nfc/365970.patch new file mode 100644 index 00000000..0c62ae51 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Nfc/365970.patch 
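Review bot: With the `count == 0` early return removed, `malloc(count * sizeof(Sensor*))` is now reached with a zero size, and the next line `LOG_ALWAYS_FATAL_IF(mSensorList == NULL, "mSensorList NULL")` aborts the process if the allocator returns NULL for a zero-byte request. The added comment relies on Bionic returning a unique non-NULL pointer for malloc(0), which holds there but is allocator-specific; allocating at least one element, e.g. `malloc((count ? count : 1) * sizeof(Sensor*))`, would decouple the fix from that behaviour. The rest of assertStateLocked, including where mSensorList is freed, is outside this hunk.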
@@ -0,0 +1,48 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Thu, 1 Jun 2023 13:44:28 -0700 +Subject: [PATCH] Ensure that SecureNFC setting cannot be bypassed + +Bug: 268038643 +Test: ctsverifier +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6d8f79fd8d605b3cb460895a8e3a11bcf0c22b0) +Merged-In: Ic408b3ef9e35b646b728f9b76a0ba8922ed6e25f +Change-Id: Ic408b3ef9e35b646b728f9b76a0ba8922ed6e25f +--- + src/com/android/nfc/NfcService.java | 6 ++++++ + src/com/android/nfc/cardemulation/HostEmulationManager.java | 5 +++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/com/android/nfc/NfcService.java b/src/com/android/nfc/NfcService.java +index 059d1826..a92e0456 100644 +--- a/src/com/android/nfc/NfcService.java ++++ b/src/com/android/nfc/NfcService.java +@@ -830,6 +830,12 @@ public class NfcService implements DeviceHostListener { + } + } + ++ public boolean isSecureNfcEnabled() { ++ synchronized (NfcService.this) { ++ return mIsSecureNfcEnabled; ++ } ++ } ++ + final class NfcAdapterService extends INfcAdapter.Stub { + /** + * An interface for vendor specific extensions +diff --git a/src/com/android/nfc/cardemulation/HostEmulationManager.java b/src/com/android/nfc/cardemulation/HostEmulationManager.java +index 0a5ce363..739b3ffd 100644 +--- a/src/com/android/nfc/cardemulation/HostEmulationManager.java ++++ b/src/com/android/nfc/cardemulation/HostEmulationManager.java +@@ -169,8 +169,9 @@ public class HostEmulationManager { + // Resolve to default + // Check if resolvedService requires unlock + ApduServiceInfo defaultServiceInfo = resolveInfo.defaultService; +- if (defaultServiceInfo.requiresUnlock() && +- mKeyguard.isKeyguardLocked() && mKeyguard.isKeyguardSecure()) { ++ if ((defaultServiceInfo.requiresUnlock() ++ || NfcService.getInstance().isSecureNfcEnabled()) ++ && mKeyguard.isKeyguardLocked() && mKeyguard.isKeyguardSecure()) { + // Just ignore all 
future APDUs until next tap + mState = STATE_W4_DEACTIVATE; + launchTapAgain(resolveInfo.defaultService, resolveInfo.category); diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/365973-backport.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/365973-backport.patch new file mode 100644 index 00000000..f00b64fd --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/365973-backport.patch 
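Review bot: The Secure-NFC gate added in HostEmulationManager is ANDed with `mKeyguard.isKeyguardLocked() && mKeyguard.isKeyguardSecure()`, so on a device with Secure NFC enabled but no secure lock screen the new condition never fires; that matches the "only while unlocked" meaning of the setting, but the intent should be written down, e.g. `// Secure NFC: refuse HCE while a secure keyguard is showing, regardless of the service's own requiresUnlock flag`. Only the "Resolve to default" branch is in view; if the resolver in this tree has a separate path for a non-default match earlier in the same method, confirm it consults `NfcService.getInstance().isSecureNfcEnabled()` too. `isSecureNfcEnabled()` reads `mIsSecureNfcEnabled` under `synchronized (NfcService.this)`; the writer of that field is not visible here, so check it takes the same lock.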
@@ -0,0 +1,209 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Taran Singh +Date: Fri, 19 May 2023 23:17:47 +0000 +Subject: [PATCH] DO NOT MERGE: Prevent non-system IME from becoming device + admin + +Currently selected IME can inject KeyEvent on DeviceAdminAdd screen to +activate itself as device admin and cause various DoS attacks. + +This CL ensures KeyEvent on "Activate" button can only come from system +apps. + +Bug: 280793427 +Test: atest DeviceAdminActivationTest +(cherry picked from commit 70a501d02e0a6aefd874767a15378ba998759373) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0ee3b96e59f3e5699c919af3642130fb33cd263b) +Merged-In: I6470d1684d707f4b1e86f8b456be0b4e0af5f188 +Change-Id: I6470d1684d707f4b1e86f8b456be0b4e0af5f188 +--- + src/com/android/settings/DeviceAdminAdd.java | 120 ++++++++++--------- + 1 file changed, 64 insertions(+), 56 deletions(-) + +diff --git a/src/com/android/settings/DeviceAdminAdd.java b/src/com/android/settings/DeviceAdminAdd.java +index fb21deb661..10d170ab6b 100644 +--- a/src/com/android/settings/DeviceAdminAdd.java ++++ b/src/com/android/settings/DeviceAdminAdd.java +@@ -49,6 +49,8 @@ import android.text.TextUtils.TruncateAt; + import android.util.EventLog; + import android.util.Log; + import android.view.Display; ++import android.view.KeyEvent; ++import android.view.LayoutInflater; + import android.view.View; + import android.view.ViewGroup; + import android.view.ViewTreeObserver; +@@ -133,7 +135,7 @@ public class DeviceAdminAdd extends Activity { + mAppOps = (AppOpsManager)getSystemService(Context.APP_OPS_SERVICE); + PackageManager packageManager = getPackageManager(); + +- if ((getIntent().getFlags()&Intent.FLAG_ACTIVITY_NEW_TASK) != 0) { ++ if ((getIntent().getFlags() & Intent.FLAG_ACTIVITY_NEW_TASK) != 0) { + Log.w(TAG, "Cannot start ADD_DEVICE_ADMIN as a new task"); + finish(); + return; +@@ -143,7 +145,7 @@ public class DeviceAdminAdd extends Activity { 
+ EXTRA_CALLED_FROM_SUPPORT_DIALOG, false); + + String action = getIntent().getAction(); +- ComponentName who = (ComponentName)getIntent().getParcelableExtra( ++ ComponentName who = (ComponentName) getIntent().getParcelableExtra( + DevicePolicyManager.EXTRA_DEVICE_ADMIN); + if (who == null) { + String packageName = getIntent().getStringExtra(EXTRA_DEVICE_ADMIN_PACKAGE_NAME); +@@ -201,7 +203,7 @@ public class DeviceAdminAdd extends Activity { + PackageManager.GET_DISABLED_UNTIL_USED_COMPONENTS); + int count = avail == null ? 0 : avail.size(); + boolean found = false; +- for (int i=0; i { ++ if (!mActionButton.isEnabled()) { ++ showPolicyTransparencyDialogIfRequired(); ++ return; ++ } ++ if (mAdding) { ++ addAndFinish(); ++ } else if (isManagedProfile(mDeviceAdmin) ++ && mDeviceAdmin.getComponent().equals(mDPM.getProfileOwner())) { ++ final int userId = UserHandle.myUserId(); ++ UserDialogs.createRemoveDialog(DeviceAdminAdd.this, userId, ++ new DialogInterface.OnClickListener() { ++ @Override ++ public void onClick(DialogInterface dialog, int which) { ++ UserManager um = UserManager.get(DeviceAdminAdd.this); ++ um.removeUser(userId); ++ finish(); + } +- ).show(); +- } else if (mUninstalling) { +- mDPM.uninstallPackageWithActiveAdmins(mDeviceAdmin.getPackageName()); +- finish(); +- } else if (!mWaitingForRemoveMsg) { +- try { +- // Don't allow the admin to put a dialog up in front +- // of us while we interact with the user. +- ActivityManager.getService().stopAppSwitches(); +- } catch (RemoteException e) { +- } +- mWaitingForRemoveMsg = true; +- mDPM.getRemoveWarning(mDeviceAdmin.getComponent(), +- new RemoteCallback(new RemoteCallback.OnResultListener() { +- @Override +- public void onResult(Bundle result) { +- CharSequence msg = result != null +- ? result.getCharSequence( +- DeviceAdminReceiver.EXTRA_DISABLE_WARNING) +- : null; +- continueRemoveAction(msg); +- } +- }, mHandler)); +- // Don't want to wait too long. 
+- getWindow().getDecorView().getHandler().postDelayed(new Runnable() { +- @Override public void run() { +- continueRemoveAction(null); + } +- }, 2*1000); ++ ).show(); ++ } else if (mUninstalling) { ++ mDPM.uninstallPackageWithActiveAdmins(mDeviceAdmin.getPackageName()); ++ finish(); ++ } else if (!mWaitingForRemoveMsg) { ++ try { ++ // Don't allow the admin to put a dialog up in front ++ // of us while we interact with the user. ++ ActivityManager.getService().stopAppSwitches(); ++ } catch (RemoteException e) { + } ++ mWaitingForRemoveMsg = true; ++ mDPM.getRemoveWarning(mDeviceAdmin.getComponent(), ++ new RemoteCallback(new RemoteCallback.OnResultListener() { ++ @Override ++ public void onResult(Bundle result) { ++ CharSequence msg = result != null ++ ? result.getCharSequence( ++ DeviceAdminReceiver.EXTRA_DISABLE_WARNING) ++ : null; ++ continueRemoveAction(msg); ++ } ++ }, mHandler)); ++ // Don't want to wait too long. ++ getWindow().getDecorView().getHandler().postDelayed( ++ () -> continueRemoveAction(null), 2 * 1000); ++ } ++ }; ++ restrictedAction.setOnKeyListener((view, keyCode, keyEvent) -> { ++ if ((keyEvent.getFlags() & KeyEvent.FLAG_FROM_SYSTEM) == 0) { ++ Log.e(TAG, "Can not activate device-admin with KeyEvent from non-system app."); ++ // Consume event to suppress click. ++ return true; + } ++ // Fallback to view click handler. ++ return false; + }); ++ restrictedAction.setOnClickListener(restrictedActionClickListener); + } + + /** diff --git a/Patches/LineageOS-16.0/android_packages_apps_Trebuchet/365974.patch b/Patches/LineageOS-16.0/android_packages_apps_Trebuchet/365974.patch new file mode 100644 index 00000000..b2c9716c --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Trebuchet/365974.patch 
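Review bot: The new `setOnKeyListener` on the action button returns `true` for every KeyEvent lacking `KeyEvent.FLAG_FROM_SYSTEM`, not only the confirm keys that would trigger a click, so DPAD navigation injected by an accessibility service or a non-system IME is also swallowed on this view. Blocking everything is the conservative choice for an admin-activation button; any narrowing would have to cover every key View treats as a click trigger, so if it is attempted it should go through a framework helper rather than a hand-written key list, and that helper's availability on 16.0 must be confirmed first. The message `Can not activate device-admin with KeyEvent from non-system app.` is logged on both ACTION_DOWN and ACTION_UP, so each blocked press logs twice; gating the log on `keyEvent.getAction() == KeyEvent.ACTION_DOWN` keeps the log readable. The enclosing method starts before this hunk.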
@@ -0,0 +1,48 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pinyao Ting +Date: Thu, 1 Jun 2023 18:12:44 -0700 +Subject: [PATCH] Fix permission issue in legacy shortcut + +When building legacy shortcut, Launcher calls +PackageManager#resolveActivity to retrieve necessary permission to +launch the intent. + +However, when the source app wraps an arbitrary intent within +Intent#createChooser, the existing logic will fail because launching +Chooser doesn't require additional permission. + +This CL fixes the security vulnerability by performing the permission +check against the intent that is wrapped within. + +Bug: 270152142 +Test: manual +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c53818a16b4322a823497726ac7e7a44501b4442) +Merged-In: If35344c08975e35085c7c2b9b814a3c457a144b0 +Change-Id: If35344c08975e35085c7c2b9b814a3c457a144b0 +--- + .../android/launcher3/util/PackageManagerHelper.java | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java +index 0b3b632c02..4eac947fd0 100644 +--- a/src/com/android/launcher3/util/PackageManagerHelper.java ++++ b/src/com/android/launcher3/util/PackageManagerHelper.java +@@ -116,6 +116,18 @@ public class PackageManagerHelper { + * any permissions + */ + public boolean hasPermissionForActivity(Intent intent, String srcPackage) { ++ // b/270152142 ++ if (Intent.ACTION_CHOOSER.equals(intent.getAction())) { ++ final Bundle extras = intent.getExtras(); ++ if (extras == null) { ++ return true; ++ } ++ // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT ++ intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT); ++ if (intent == null) { ++ return true; ++ } ++ } + ResolveInfo target = mPm.resolveActivity(intent, 0); + if (target == null) { + // Not a valid target 
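Review bot: The chooser unwrapping in hasPermissionForActivity runs once, so if ChooserActivity in this tree launches whatever EXTRA_INTENT holds and that inner intent is itself ACTION_CHOOSER, the real target is still checked as "the chooser" and needs no permission; a bounded loop closes that. The cast `(Intent) extras.getParcelable(Intent.EXTRA_INTENT)` also throws ClassCastException when a hostile shortcut stores a non-Intent Parcelable under that key, crashing the launcher instead of refusing the shortcut. EXTRA_INITIAL_INTENTS is not inspected either; whether the chooser on 16.0 launches those is outside this hunk. The sketch below needs `android.os.Parcelable` in scope, which the patch does not import.
```java
public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
    // b/270152142: check the intent the chooser will actually launch, not the chooser itself.
    // Bounded so a chain of nested choosers cannot loop.
    for (int depth = 0; Intent.ACTION_CHOOSER.equals(intent.getAction()) && depth < 3; depth++) {
        final Bundle extras = intent.getExtras();
        if (extras == null) {
            return true;
        }
        final Parcelable wrapped = extras.getParcelable(Intent.EXTRA_INTENT);
        if (wrapped == null) {
            return true;
        }
        if (!(wrapped instanceof Intent)) {
            // Not something the chooser can launch; refuse rather than crash on the cast.
            return false;
        }
        intent = (Intent) wrapped;
    }
    // … unchanged: resolveActivity and permission check …
```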
diff --git a/Patches/LineageOS-16.0/android_packages_services_Telephony/365978-backport.patch b/Patches/LineageOS-16.0/android_packages_services_Telephony/365978-backport.patch new file mode 100644 index 00000000..369aaed8 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_services_Telephony/365978-backport.patch 
@@ -0,0 +1,138 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ashish Kumar +Date: Fri, 26 May 2023 14:18:46 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Fixed leak of cross user data in multiple + settings. + + - Any app is allowed to receive GET_CONTENT intent. Using this, an user puts back in the intent an uri with data of another user. + - Telephony service has INTERACT_ACROSS_USER permission. Using this, it reads and shows the deta to the evil user. + +Fix: When telephony service gets the intent result, it checks if the uri is from the current user or not. + +Bug: b/256591023 , b/256819787 + +Test: The malicious behaviour was not being reproduced. Unable to import contact from other users data. +Test2: Able to import contact from the primary user or uri with no user id +(These settings are not available for secondary users) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36e10a6d0d7b9efc543f8004729fa85751f4f70d) +Merged-In: I1e3a643f17948153aecc1d0df9ffd9619ad678c1 +Change-Id: I1e3a643f17948153aecc1d0df9ffd9619ad678c1 +--- + .../android/phone/GsmUmtsCallForwardOptions.java | 12 ++++++++++++ + .../phone/settings/VoicemailSettingsActivity.java | 14 ++++++++++++++ + .../phone/settings/fdn/EditFdnContactScreen.java | 13 +++++++++++++ + 3 files changed, 39 insertions(+) + +diff --git a/src/com/android/phone/GsmUmtsCallForwardOptions.java b/src/com/android/phone/GsmUmtsCallForwardOptions.java +index 77cc6cca6..aa1c797d4 100644 +--- a/src/com/android/phone/GsmUmtsCallForwardOptions.java ++++ b/src/com/android/phone/GsmUmtsCallForwardOptions.java +@@ -5,9 +5,12 @@ import com.android.internal.telephony.CommandsInterface; + import com.android.internal.telephony.Phone; + + import android.app.ActionBar; ++import android.content.ContentProvider; + import android.content.Intent; + import android.database.Cursor; + import android.os.Bundle; ++import android.os.Process; ++import android.os.UserHandle; + import 
android.preference.Preference; + import android.preference.PreferenceScreen; + import android.telephony.CarrierConfigManager; +@@ -156,6 +159,15 @@ public class GsmUmtsCallForwardOptions extends TimeConsumingPreferenceActivity { + } + Cursor cursor = null; + try { ++ // check if the URI returned by the user belongs to the user ++ final int currentUser = UserHandle.getUserId(Process.myUid()); ++ if (currentUser ++ != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) { ++ ++ Log.w(LOG_TAG, "onActivityResult: Contact data of different user, " ++ + "cannot access"); ++ return; ++ } + cursor = getContentResolver().query(data.getData(), + NUM_PROJECTION, null, null, null); + if ((cursor == null) || (!cursor.moveToFirst())) { +diff --git a/src/com/android/phone/settings/VoicemailSettingsActivity.java b/src/com/android/phone/settings/VoicemailSettingsActivity.java +index 0f58d195b..af9a746ed 100644 +--- a/src/com/android/phone/settings/VoicemailSettingsActivity.java ++++ b/src/com/android/phone/settings/VoicemailSettingsActivity.java +@@ -17,6 +17,7 @@ + package com.android.phone.settings; + + import android.app.Dialog; ++import android.content.ContentProvider; + import android.content.DialogInterface; + import android.content.Intent; + import android.database.Cursor; +@@ -25,6 +26,8 @@ import android.os.Bundle; + import android.os.Handler; + import android.os.Message; + import android.os.PersistableBundle; ++import android.os.Process; ++import android.os.UserHandle; + import android.os.UserManager; + import android.preference.Preference; + import android.preference.PreferenceActivity; +@@ -522,6 +525,17 @@ public class VoicemailSettingsActivity extends PreferenceActivity + + Cursor cursor = null; + try { ++ // check if the URI returned by the user belongs to the user ++ final int currentUser = UserHandle.getUserId(Process.myUid()); ++ if (currentUser ++ != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) { ++ ++ if (DBG) { ++ 
log("onActivityResult: Contact data of different user, " ++ + "cannot access"); ++ } ++ return; ++ } + cursor = getContentResolver().query(data.getData(), + new String[] { CommonDataKinds.Phone.NUMBER }, null, null, null); + if ((cursor == null) || (!cursor.moveToFirst())) { +diff --git a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java +index 921e947e4..e733e82bb 100644 +--- a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java ++++ b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java +@@ -18,9 +18,12 @@ package com.android.phone.settings.fdn; + + import static android.view.Window.PROGRESS_VISIBILITY_OFF; + import static android.view.Window.PROGRESS_VISIBILITY_ON; ++import static android.app.Activity.RESULT_OK; ++ + + import android.app.Activity; + import android.content.AsyncQueryHandler; ++import android.content.ContentProvider; + import android.content.ContentResolver; + import android.content.ContentValues; + import android.content.Intent; +@@ -29,6 +32,8 @@ import android.database.Cursor; + import android.net.Uri; + import android.os.Bundle; + import android.os.Handler; ++import android.os.Process; ++import android.os.UserHandle; + import android.provider.Contacts.PeopleColumns; + import android.provider.Contacts.PhonesColumns; + import android.provider.ContactsContract.CommonDataKinds; +@@ -154,6 +159,14 @@ public class EditFdnContactScreen extends Activity { + } + Cursor cursor = null; + try { ++ // check if the URI returned by the user belongs to the user ++ final int currentUser = UserHandle.getUserId(Process.myUid()); ++ if (currentUser ++ != ContentProvider.getUserIdFromUri(intent.getData(), currentUser)) { ++ Log.w(LOG_TAG, "onActivityResult: Contact data of different user, " ++ + "cannot access"); ++ return; ++ } + cursor = getContentResolver().query(intent.getData(), + NUM_PROJECTION, null, null, null); + if ((cursor == null) || (!cursor.moveToFirst())) { 
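Review bot: The user-id check added to the three `onActivityResult` handlers only rejects URIs carrying a foreign user prefix; a returned URI for any other same-user provider is still queried with the phone process's own permissions, so the cross-user vector is closed but the confused-deputy shape remains. Since each of these pickers expects a contacts row, pinning the authority next to the user check, e.g. `if (!ContactsContract.AUTHORITY.equals(data.getData().getAuthority())) return;`, is a cheap extra guard — confirm on the 16.0 tree that every legitimate picker result uses that authority before adding it. The VoicemailSettingsActivity copy logs the rejection only under `if (DBG)` while the other two log unconditionally; the unconditional `Log.w` is the better default for a security rejection. The EditFdnContactScreen change also adds `import static android.app.Activity.RESULT_OK;` to a class that already extends Activity, which is redundant.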
diff --git a/Patches/LineageOS-16.0/android_system_bt/365979.patch b/Patches/LineageOS-16.0/android_system_bt/365979.patch new file mode 100644 index 00000000..c1572aa0 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/365979.patch @@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Tue, 16 May 2023 21:24:07 +0000 +Subject: [PATCH] Fix an integer overflow bug in avdt_msg_asmbl + +This is a backport of +Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2 +to rvc-dev + +Bug: 280633699 +Test: manual +Ignore-AOSP-First: security +Tag: #security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:26347d4bdba646bbba4d27337d2888a04de42639) +Merged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2 +Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2 +--- + stack/avdt/avdt_msg.cc | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc +index 453e18642..3576b74e6 100644 +--- a/stack/avdt/avdt_msg.cc ++++ b/stack/avdt/avdt_msg.cc +@@ -1261,14 +1261,14 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) { + * NOTE: The buffer is allocated above at the beginning of the + * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE. + */ +- uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR); ++ size_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR); + + /* adjust offset and len of fragment for header byte */ + p_buf->offset += AVDT_LEN_TYPE_CONT; + p_buf->len -= AVDT_LEN_TYPE_CONT; + + /* verify length */ +- if ((p_ccb->p_rx_msg->offset + p_buf->len) > buf_len) { ++ if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len) { + /* won't fit; free everything */ + AVDT_TRACE_WARNING("%s: Fragmented message too big!", __func__); + osi_free_and_reset((void**)&p_ccb->p_rx_msg); 
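Review bot: The widened comparison `((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len` is evaluated only after `p_buf->len -= AVDT_LEN_TYPE_CONT;` two lines above, which wraps the uint16 if a continuation fragment arrives with `len` smaller than `AVDT_LEN_TYPE_CONT`; whether an earlier minimum-length check on the fragment exists is outside this hunk and worth confirming on the 16.0 copy of avdt_msg.cc. A guard ahead of the subtraction, `if (p_buf->len < AVDT_LEN_TYPE_CONT) { /* free and reset as the too-big branch does */ return NULL; }`, would make the reassembly path self-contained; match the exact cleanup the "Fragmented message too big!" branch performs, since its tail is cut off here. `avdt_msg_asmbl` begins before the hunk.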
diff --git a/Patches/LineageOS-16.0/android_system_bt/365980.patch b/Patches/LineageOS-16.0/android_system_bt/365980.patch new file mode 100644 index 00000000..e07747c5 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/365980.patch 
@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Fri, 19 May 2023 19:17:16 +0000
+Subject: [PATCH] Fix integer overflow in build_read_multi_rsp
+
+Local variables tracking structure size in build_read_multi_rsp are of
+uint16 type but accept a full uint16 range from function arguments while
+appending a fixed-length offset. This can lead to an integer overflow
+and unexpected behavior.
+
+Change the locals to size_t, and add a check during reasssignment.
+
+Bug: 273966636
+Test: atest bluetooth_test_gd_unit, net_test_stack_btm
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:53f64274cbf2268ad6db5af9c61ceead9ef64fb0)
+Merged-In: Iff252f0dd06aac9776e8548631e0b700b3ed85b9
+Change-Id: Iff252f0dd06aac9776e8548631e0b700b3ed85b9
+---
+ stack/gatt/gatt_sr.cc | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index b9921fee6..d4e3c046b 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -113,7 +113,8 @@ void gatt_dequeue_sr_cmd(tGATT_TCB& tcb) {
+ ******************************************************************************/
+ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+ tGATTS_RSP* p_msg, uint16_t mtu) {
+- uint16_t ii, total_len, len;
++ uint16_t ii;
++ size_t total_len, len;
+ uint8_t* p;
+ bool is_overflow = false;
+ 
+@@ -168,16 +169,22 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+ len = p_rsp->attr_value.len - (total_len - mtu);
+ is_overflow = true;
+ VLOG(1) << StringPrintf(
+- "multi read overflow available len=%d val_len=%d", len,
++ "multi read overflow available len=%zu val_len=%d", len,
+ p_rsp->attr_value.len);
+ } else {
+ len = p_rsp->attr_value.len;
+ }
+ 
+ if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
+- memcpy(p, p_rsp->attr_value.value, len);
+- if (!is_overflow) p += len;
+- p_buf->len += len;
++ // check for possible integer overflow
++ if (p_buf->len + len <= UINT16_MAX) {
++ memcpy(p, p_rsp->attr_value.value, len);
++ if (!is_overflow) p += len;
++ p_buf->len += len;
++ } else {
++ p_cmd->status = GATT_NOT_FOUND;
++ break;
++ }
+ } else {
+ p_cmd->status = GATT_NOT_FOUND;
+ break;
diff --git a/Patches/LineageOS-16.0/android_system_bt/365981.patch b/Patches/LineageOS-16.0/android_system_bt/365981.patch
new file mode 100644
index 00000000..21cf69d7
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_bt/365981.patch
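Review bot: The new else branch reports the rejected append as `GATT_NOT_FOUND`, the same status the following handle-mismatch branch already uses, so a response dropped because `p_buf->len` would pass UINT16_MAX is indistinguishable to the caller and in logs from an unknown handle; a status that denotes insufficient resources, or at least a VLOG line before the `break`, would make the condition diagnosable. The comment `// check for possible integer overflow` is also imprecise now that `len` is size_t: the sum itself cannot wrap, what is protected is the 16-bit field it is stored into, so `// p_buf->len is 16-bit; refuse the attribute rather than let the running total wrap` says what the guard is for. process_read_multi_rsp continues outside the hunk.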
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Thu, 27 Apr 2023 20:43:58 +0000
+Subject: [PATCH] Fix potential abort in btu_av_act.cc
+
+Partner analysis shows that bta_av_rc_msg does not respect handling
+established for a null browse packet, instead dispatching the null
+pointer to bta_av_rc_free_browse_msg. Strictly speaking this does
+not cause a UAF, as osi_free_and_reset will find the null and abort,
+but it will lead to improper program termination.
+
+Handle the case instead.
+
+Bug: 269253349
+Test: atest bluetooth_test_gd_unit
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9)
+Merged-In: I4df7045798b663fbefd7434288dc9383216171a7
+Change-Id: I4df7045798b663fbefd7434288dc9383216171a7
+---
+ bta/av/bta_av_act.cc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
+index 112645ecf..0cd7b5d00 100644
+--- a/bta/av/bta_av_act.cc
++++ b/bta/av/bta_av_act.cc
+@@ -997,7 +997,10 @@ void bta_av_rc_msg(tBTA_AV_CB* p_cb, tBTA_AV_DATA* p_data) {
+ av.remote_cmd.rc_handle = p_data->rc_msg.handle;
+ (*p_cb->p_cback)(evt, &av);
+ /* If browsing message, then free the browse message buffer */
+- bta_av_rc_free_browse_msg(p_cb, p_data);
++ if (p_data->rc_msg.opcode == AVRC_OP_BROWSE &&
++ p_data->rc_msg.msg.browse.p_browse_pkt != NULL) {
++ bta_av_rc_free_browse_msg(p_cb, p_data);
++ }
+ }
+ }
+ 
diff --git a/Patches/LineageOS-16.0/android_system_bt/365982-backport.patch b/Patches/LineageOS-16.0/android_system_bt/365982-backport.patch
new file mode 100644
index 00000000..f5e26865
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_bt/365982-backport.patch
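Review bot: The new guard silently skips the free when `p_browse_pkt` is NULL, but nothing in bta_av_act.cc tells a reader why a browse message can arrive without a packet or why skipping is the safe choice; that rationale lives only in the commit message, which is lost once the patch is applied. A comment above the `if`, `/* A browse message may carry no packet; osi_free_and_reset aborts on NULL, so only free when one is attached */`, keeps it with the code. bta_av_rc_msg begins before this hunk.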
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Thu, 1 Jun 2023 23:57:58 +0000
+Subject: [PATCH] Fix UAF in gatt_cl.cc
+
+gatt_cl.cc accesses a header field after the buffer holding it may have
+been freed.
+
+Track the relevant state as a local variable instead.
+
+Bug: 274617156
+Test: atest: bluetooth, validated against fuzzer
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7a7f7f3311202065de4b2c17b49994053dd1244)
+Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
+Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
+---
+ stack/gatt/gatt_cl.cc | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
+index f8d5bab92..ef77f590d 100644
+--- a/stack/gatt/gatt_cl.cc
++++ b/stack/gatt/gatt_cl.cc
+@@ -587,7 +587,12 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
+ 
+ memcpy(value.value, p, value.len);
+ 
+- if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {
++ bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);
++
++ // We now know that we have not terminated, or else we would have returned
++ // early. We free the buffer only if the subtype is not equal to
++ // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF.
++ if (subtype_is_write_prepare) {
+ p_clcb->status = GATT_SUCCESS;
+ /* application should verify handle offset
+ and value are matched or not */
diff --git a/Patches/LineageOS-16.0/android_vendor_nxp_opensource_commonsys_packages_apps_Nfc/365983-backport.patch b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_commonsys_packages_apps_Nfc/365983-backport.patch
new file mode 100644
index 00000000..1bb3ebeb
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_commonsys_packages_apps_Nfc/365983-backport.patch
@@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Thu, 1 Jun 2023 13:44:28 -0700
+Subject: [PATCH] Ensure that SecureNFC setting cannot be bypassed
+
+Bug: 268038643
+Test: ctsverifier
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6d8f79fd8d605b3cb460895a8e3a11bcf0c22b0)
+Merged-In: Ic408b3ef9e35b646b728f9b76a0ba8922ed6e25f
+Change-Id: Ic408b3ef9e35b646b728f9b76a0ba8922ed6e25f
+
+Change-Id: Ib0baa833fe31c72825889b729c83a1d70a5a6a72
+---
+ src/com/android/nfc/NfcService.java | 6 ++++++
+ src/com/android/nfc/cardemulation/HostEmulationManager.java | 5 +++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/com/android/nfc/NfcService.java b/src/com/android/nfc/NfcService.java
+index 28a1b92c..63cbed97 100644
+--- a/src/com/android/nfc/NfcService.java
++++ b/src/com/android/nfc/NfcService.java
+@@ -1768,6 +1768,12 @@ public class NfcService implements DeviceHostListener {
+ }
+ }
+ 
++ public boolean isSecureNfcEnabled() {
++ synchronized (NfcService.this) {
++ return mIsSecureNfcEnabled;
++ }
++ }
++
+ final class NfcAdapterService extends INfcAdapter.Stub {
+ @Override
+ public boolean enable() throws RemoteException {
+diff --git a/src/com/android/nfc/cardemulation/HostEmulationManager.java b/src/com/android/nfc/cardemulation/HostEmulationManager.java
+index 91001582..ad4a3bd7 100644
+--- a/src/com/android/nfc/cardemulation/HostEmulationManager.java
++++ b/src/com/android/nfc/cardemulation/HostEmulationManager.java
+@@ -209,8 +209,9 @@ public class HostEmulationManager {
+ // Resolve to default
+ // Check if resolvedService requires unlock
+ NQApduServiceInfo defaultServiceInfo = resolveInfo.defaultService;
+- if (defaultServiceInfo.requiresUnlock() &&
+- mKeyguard.isKeyguardLocked() && mKeyguard.isKeyguardSecure()) {
++ if ((defaultServiceInfo.requiresUnlock()
++ || NfcService.getInstance().isSecureNfcEnabled())
++ && mKeyguard.isKeyguardLocked() && mKeyguard.isKeyguardSecure()) {
+ // Just ignore all future APDUs until next tap
+ mState = STATE_W4_DEACTIVATE;
+ launchTapAgain(resolveInfo.defaultService, resolveInfo.category);
diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh
index 0072840e..404bb413 100644
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@@ -99,7 +99,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2022-01-05/2023-08-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-08 #XXX
+sed -i 's/2022-01-05/2023-09-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-09 #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -158,6 +158,7 @@ awk -i inplace '!/deletePackage/' pico/src/com/svox/pico/LangPackUninstaller.jav
 fi;
 
 if enterAndClear "frameworks/av"; then
+applyPatch "$DOS_PATCHES/android_frameworks_av/365962.patch"; #R_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
 fi;
 
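Review bot: `isSecureNfcEnabled()` reads `mIsSecureNfcEnabled` under the `NfcService.this` monitor, but every write to that field is outside this hunk; unless the writers take the same monitor the synchronized block provides no visibility guarantee, and either the field should be volatile or the write path should lock the same object — worth confirming in the 16.0 vendor tree before relying on it. The method is public and undocumented; `/** Whether the Secure NFC setting is enabled; read under the NfcService monitor. */` would record the contract HostEmulationManager now depends on. In HostEmulationManager the call to `NfcService.getInstance()` is unguarded on the APDU path, so if the singleton can be null before the service has initialised the new condition throws rather than rejecting the APDU, which is also worth checking against the service lifecycle.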
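Review bot: `sed -i 's/2022-01-05/2023-09-05/' core/version_defaults.mk` replaces a fixed upstream string and sed exits 0 whether or not the pattern matched, so if the date in core/version_defaults.mk ever differs from 2022-01-05 the security patch level silently stays at the old value while the build advertises nothing wrong. A check after the sed, `grep -q '2023-09-05' core/version_defaults.mk || echo "XXX: security string bump did not apply";`, would surface the no-op at build time. The existing `#XXX` marker hints at the fragility but does not say what to verify.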
@@ -177,6 +178,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/364035-backport.patch"; #R_asb_
 applyPatch "$DOS_PATCHES/android_frameworks_base/364036-backport.patch"; #R_asb_2023-08 Verify URI permissions in MediaMetadata
 applyPatch "$DOS_PATCHES/android_frameworks_base/364037.patch"; #R_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
 applyPatch "$DOS_PATCHES/android_frameworks_base/364038-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user.
+applyPatch "$DOS_PATCHES/android_frameworks_base/365966-backport.patch"; #R_asb_2023-09 Forbid granting access to NLSes with too-long component names
+applyPatch "$DOS_PATCHES/android_frameworks_base/365967.patch"; #R_asb_2023-09 Update AccountManagerService checkKeyIntentParceledCorrectly.
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@@ -221,6 +224,7 @@ rm -rf packages/PrintRecommendationService; #Creates popups to install proprieta
 fi;
 
 if enterAndClear "frameworks/native"; then
+applyPatch "$DOS_PATCHES/android_frameworks_native/365969-backport.patch"; #R_asb_2023-09 Allow sensors list to be empty
 applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS)
 fi;
 
@@ -311,6 +315,7 @@ cp -f "$DOS_PATCHES_COMMON/contributors.db" assets/contributors.db; #Update cont
 fi;
 
 if enterAndClear "packages/apps/Nfc"; then
+applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/365970.patch"; #R_asb_2023-09 Ensure that SecureNFC setting cannot be bypassed
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
 
@@ -322,6 +327,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Sensors_Per
 fi;
 
 if enterAndClear "packages/apps/Settings"; then
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/365973-backport.patch"; #R_asb_2023-09 Prevent non-system IME from becoming device admin
 git revert --no-edit c240992b4c86c7f226290807a2f41f2619e7e5e8; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch) #TODO: Needs work
@@ -340,6 +346,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics
 fi;
 
 if enterAndClear "packages/apps/Trebuchet"; then
+applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/365974.patch"; #R_asb_2023-09 Fix permission issue in legacy shortcut
 cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed
 fi;
 
@@ -369,6 +376,7 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/364041-backport.patc
 fi;
 
 if enterAndClear "packages/services/Telephony"; then
+applyPatch "$DOS_PATCHES/android_packages_services_Telephony/365978-backport.patch"; #R_asb_2023-09 Fixed leak of cross user data in multiple settings.
 git revert --no-edit 99564aaf0417c9ddf7d6aeb10d326e5b24fa8f55;
 applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #(DivestOS)
 applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
@@ -376,6 +384,10 @@ fi;
 
 if enterAndClear "system/bt"; then
 applyPatch "$DOS_PATCHES/android_system_bt/360969.patch"; #R_asb_2023-07 Fix gatt_end_operation buffer overflow
+applyPatch "$DOS_PATCHES/android_system_bt/365979.patch"; #R_asb_2023-09 Fix an integer overflow bug in avdt_msg_asmbl
+applyPatch "$DOS_PATCHES/android_system_bt/365980.patch"; #R_asb_2023-09 Fix integer overflow in build_read_multi_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/365981.patch"; #R_asb_2023-09 Fix potential abort in btu_av_act.cc
+applyPatch "$DOS_PATCHES/android_system_bt/365982-backport.patch"; #R_asb_2023-09 Fix UAF in gatt_cl.cc
 #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 fi;
 
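Review bot: Two of the new system/bt comments inherit wording from the upstream subjects that does not match the code the patches touch: 365981.patch modifies `bta/av/bta_av_act.cc`, not `btu_av_act.cc`, and 365980.patch changes `process_read_multi_rsp` in stack/gatt/gatt_sr.cc, not `build_read_multi_rsp`. Since these comments are how the applied patch list is audited later, `#R_asb_2023-09 Fix potential abort in bta_av_act.cc` and `#R_asb_2023-09 Fix integer overflow in process_read_multi_rsp (gatt_sr.cc)` would point a reader at the right place.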
@@ -410,6 +422,10 @@ if enterAndClear "vendor/nxp/opensource/commonsys/external/libnfc-nci"; then
 applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/360974-backport.patch"; #R_asb_2023-07 OOBW in rw_i93_send_to_upper()
 fi;
 
+if enterAndClear "vendor/nxp/opensource/commonsys/packages/apps/Nfc/"; then
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_commonsys_packages_apps_Nfc/365983-backport.patch"; #R_asb_2023-09 Ensure that SecureNFC setting cannot be bypassed
+fi;
+
 if enterAndClear "system/sepolicy"; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh
index 4f42640a..41a4cd43 100644
--- a/Scripts/LineageOS-17.1/Patch.sh
+++ b/Scripts/LineageOS-17.1/Patch.sh
@@ -150,7 +150,6 @@ if enterAndClear "frameworks/av"; then
 applyPatch "$DOS_PATCHES/android_frameworks_av/365962.patch"; #R_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
 fi;
 
-
 if enterAndClear "frameworks/base"; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/360952-backport.patch"; #R_asb_2023-07 Passpoint Add more check to limit the config size
 applyPatch "$DOS_PATCHES/android_frameworks_base/360953-backport.patch"; #R_asb_2023-07 Sanitize VPN label to prevent HTML injection
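Review bot: The new `enterAndClear "vendor/nxp/opensource/commonsys/packages/apps/Nfc/"` carries a trailing slash, unlike every other `enterAndClear` call in this diff, including the libnfc-nci one in this hunk's own context line. Whether the helper tolerates it depends on its definition, which is outside this diff, so the safer change is to match the rest of the script: `if enterAndClear "vendor/nxp/opensource/commonsys/packages/apps/Nfc"; then`.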