16.0 September ASB work

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2023-09-11 15:53:11 -04:00
parent aa4464d1c4
commit 033c600eac
No known key found for this signature in database
GPG Key ID: B286E9F57A07424B
15 changed files with 897 additions and 2 deletions

View File

@ -0,0 +1,32 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Shruti Bihani <shrutibihani@google.com>
Date: Thu, 6 Jul 2023 08:41:56 +0000
Subject: [PATCH] Fix Segv on unknown address error flagged by fuzzer test.
The error is thrown when the destructor tries to free pointer memory.
This is happening for cases where the pointer was not initialized. Initializing it to a default value fixes the error.
Bug: 245135112
Test: Build mtp_host_property_fuzzer and run on the target device
(cherry picked from commit 3afa6e80e8568fe63f893fa354bc79ef91d3dcc0)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d44311374e41a26b28db56794c9a7890a13a6972)
Merged-In: I255cd68b7641e96ac47ab81479b9b46b78c15580
Change-Id: I255cd68b7641e96ac47ab81479b9b46b78c15580
---
media/mtp/MtpProperty.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/media/mtp/MtpProperty.h b/media/mtp/MtpProperty.h
index bfd5f7f59a..1eb8874af1 100644
--- a/media/mtp/MtpProperty.h
+++ b/media/mtp/MtpProperty.h
@@ -26,6 +26,9 @@ namespace android {
class MtpDataPacket;
struct MtpPropertyValue {
+ // pointer str initialized to NULL so that free operation
+ // is not called for pre-assigned value
+ MtpPropertyValue() : str (NULL) {}
union {
int8_t i8;
uint8_t u8;

View File

@ -0,0 +1,109 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= <matiashe@google.com>
Date: Thu, 15 Jun 2023 18:31:34 +0200
Subject: [PATCH] Forbid granting access to NLSes with too-long component names
This makes the limitation, which was previously only checked on the Settings UI, enforced everywhere.
Fixes: 260570119
Fixes: 286043036
Test: atest + manually
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc71156a29427c8b228129f5b1368392f297835b)
Merged-In: I4c25d80978cb37a8fa1531f5045259d25ac64692
Change-Id: I4c25d80978cb37a8fa1531f5045259d25ac64692
---
.../java/android/app/NotificationManager.java | 6 ++++
.../NotificationManagerService.java | 5 ++++
.../android/server/vr/VrManagerService.java | 6 +++-
.../NotificationManagerServiceTest.java | 28 +++++++++++++++++++
4 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/core/java/android/app/NotificationManager.java b/core/java/android/app/NotificationManager.java
index f6dc5d15f385..32f40a805502 100644
--- a/core/java/android/app/NotificationManager.java
+++ b/core/java/android/app/NotificationManager.java
@@ -308,6 +308,12 @@ public class NotificationManager {
*/
public static final int IMPORTANCE_MAX = 5;
+ /**
+ * Maximum length of the component name of a registered NotificationListenerService.
+ * @hide
+ */
+ public static int MAX_SERVICE_COMPONENT_NAME_LENGTH = 500;
+
private static INotificationManager sService;
/** @hide */
diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
index 0ac51524a648..ca0ec012fb60 100755
--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
+++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
@@ -3540,6 +3540,11 @@ public class NotificationManagerService extends SystemService {
boolean granted) throws RemoteException {
Preconditions.checkNotNull(listener);
checkCallerIsSystemOrShell();
+ if (granted && listener.flattenToString().length()
+ > NotificationManager.MAX_SERVICE_COMPONENT_NAME_LENGTH) {
+ throw new IllegalArgumentException(
+ "Component name too long: " + listener.flattenToString());
+ }
final long identity = Binder.clearCallingIdentity();
try {
if (mAllowedManagedServicePackages.test(listener.getPackageName())) {
diff --git a/services/core/java/com/android/server/vr/VrManagerService.java b/services/core/java/com/android/server/vr/VrManagerService.java
index faa197e984cf..87f66de5c704 100644
--- a/services/core/java/com/android/server/vr/VrManagerService.java
+++ b/services/core/java/com/android/server/vr/VrManagerService.java
@@ -1055,7 +1055,11 @@ public class VrManagerService extends SystemService
for (ComponentName c : possibleServices) {
if (Objects.equals(c.getPackageName(), pkg)) {
- nm.setNotificationListenerAccessGrantedForUser(c, userId, true);
+ try {
+ nm.setNotificationListenerAccessGrantedForUser(c, userId, true);
+ } catch (Exception e) {
+ Slog.w(TAG, "Could not grant NLS access to package " + pkg, e);
+ }
}
}
}
diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
index 9592e1905b54..e073e6767da6 100644
--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
@@ -2021,6 +2021,34 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
any(), anyInt(), anyBoolean(), anyBoolean());
}
+ @Test
+ public void testSetListenerAccessForUser_grantWithNameTooLong_throws() throws Exception {
+ UserHandle user = UserHandle.of(mContext.getUserId() + 10);
+ ComponentName c = new ComponentName("com.example.package",
+ com.google.common.base.Strings.repeat("Blah", 150));
+
+ try {
+ mBinderService.setNotificationListenerAccessGrantedForUser(c, user.getIdentifier(),
+ /* enabled= */ true);
+ fail("Should've thrown IllegalArgumentException");
+ } catch (IllegalArgumentException e) {
+ // Good!
+ }
+ }
+
+ @Test
+ public void testSetListenerAccessForUser_revokeWithNameTooLong_okay() throws Exception {
+ UserHandle user = UserHandle.of(mContext.getUserId() + 10);
+ ComponentName c = new ComponentName("com.example.package",
+ com.google.common.base.Strings.repeat("Blah", 150));
+
+ mBinderService.setNotificationListenerAccessGrantedForUser(
+ c, user.getIdentifier(), /* enabled= */ false);
+
+ verify(mListeners).setPackageOrComponentEnabled(
+ c.flattenToString(), user.getIdentifier(), true, /* enabled= */ false);
+ }
+
@Test
public void testSetAssistantAccessForUser() throws Exception {
UserHandle user = UserHandle.of(10);

View File

@ -0,0 +1,28 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Dementyev <dementyev@google.com>
Date: Fri, 30 Jun 2023 14:36:44 -0700
Subject: [PATCH] Update AccountManagerService checkKeyIntentParceledCorrectly.
Bug: 265798288
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b117b506ec0504ff9eb2fa523e82f1879ecb8cc1)
Merged-In: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb
Change-Id: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb
---
.../com/android/server/accounts/AccountManagerService.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index 36732273ab6f..ec15113c2c78 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -4827,6 +4827,9 @@ public class AccountManagerService
Bundle simulateBundle = p.readBundle();
p.recycle();
Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
+ if (intent != null && intent.getClass() != Intent.class) {
+ return false;
+ }
Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);
if (intent == null) {
return (simulateIntent == null);

View File

@ -0,0 +1,34 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Devin Moore <devinmoore@google.com>
Date: Tue, 25 Apr 2023 00:17:13 +0000
Subject: [PATCH] Allow sensors list to be empty
Test: atest VtsHalSensorManagerV1_0TargetTest
Bug: 278013275
Bug: 269014004
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:49600b10aa5675d4e7e985203d69f252ead13e45)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7057a9f08d98bfec8ffbabcf00f2885d3909c6c9)
Merged-In: I091f57de9570b0ace3a8da76f16fe0e83f0aa624
Change-Id: I091f57de9570b0ace3a8da76f16fe0e83f0aa624
---
libs/sensor/SensorManager.cpp | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/libs/sensor/SensorManager.cpp b/libs/sensor/SensorManager.cpp
index d7210b10e0..35802db95c 100644
--- a/libs/sensor/SensorManager.cpp
+++ b/libs/sensor/SensorManager.cpp
@@ -172,11 +172,8 @@ status_t SensorManager::assertStateLocked() {
mSensors = mSensorServer->getSensorList(mOpPackageName);
size_t count = mSensors.size();
- if (count == 0) {
- ALOGE("Failed to get Sensor list");
- mSensorServer.clear();
- return UNKNOWN_ERROR;
- }
+ // If count is 0, mSensorList will be non-null. This is old
+ // existing behavior and callers expect this.
mSensorList =
static_cast<Sensor const**>(malloc(count * sizeof(Sensor*)));
LOG_ALWAYS_FATAL_IF(mSensorList == NULL, "mSensorList NULL");

View File

@ -0,0 +1,48 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Thu, 1 Jun 2023 13:44:28 -0700
Subject: [PATCH] Ensure that SecureNFC setting cannot be bypassed
Bug: 268038643
Test: ctsverifier
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6d8f79fd8d605b3cb460895a8e3a11bcf0c22b0)
Merged-In: Ic408b3ef9e35b646b728f9b76a0ba8922ed6e25f
Change-Id: Ic408b3ef9e35b646b728f9b76a0ba8922ed6e25f
---
src/com/android/nfc/NfcService.java | 6 ++++++
src/com/android/nfc/cardemulation/HostEmulationManager.java | 5 +++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/com/android/nfc/NfcService.java b/src/com/android/nfc/NfcService.java
index 059d1826..a92e0456 100644
--- a/src/com/android/nfc/NfcService.java
+++ b/src/com/android/nfc/NfcService.java
@@ -830,6 +830,12 @@ public class NfcService implements DeviceHostListener {
}
}
+ public boolean isSecureNfcEnabled() {
+ synchronized (NfcService.this) {
+ return mIsSecureNfcEnabled;
+ }
+ }
+
final class NfcAdapterService extends INfcAdapter.Stub {
/**
* An interface for vendor specific extensions
diff --git a/src/com/android/nfc/cardemulation/HostEmulationManager.java b/src/com/android/nfc/cardemulation/HostEmulationManager.java
index 0a5ce363..739b3ffd 100644
--- a/src/com/android/nfc/cardemulation/HostEmulationManager.java
+++ b/src/com/android/nfc/cardemulation/HostEmulationManager.java
@@ -169,8 +169,9 @@ public class HostEmulationManager {
// Resolve to default
// Check if resolvedService requires unlock
ApduServiceInfo defaultServiceInfo = resolveInfo.defaultService;
- if (defaultServiceInfo.requiresUnlock() &&
- mKeyguard.isKeyguardLocked() && mKeyguard.isKeyguardSecure()) {
+ if ((defaultServiceInfo.requiresUnlock()
+ || NfcService.getInstance().isSecureNfcEnabled())
+ && mKeyguard.isKeyguardLocked() && mKeyguard.isKeyguardSecure()) {
// Just ignore all future APDUs until next tap
mState = STATE_W4_DEACTIVATE;
launchTapAgain(resolveInfo.defaultService, resolveInfo.category);

View File

@ -0,0 +1,209 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Taran Singh <tarandeep@google.com>
Date: Fri, 19 May 2023 23:17:47 +0000
Subject: [PATCH] DO NOT MERGE: Prevent non-system IME from becoming device
admin
Currently selected IME can inject KeyEvent on DeviceAdminAdd screen to
activate itself as device admin and cause various DoS attacks.
This CL ensures KeyEvent on "Activate" button can only come from system
apps.
Bug: 280793427
Test: atest DeviceAdminActivationTest
(cherry picked from commit 70a501d02e0a6aefd874767a15378ba998759373)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0ee3b96e59f3e5699c919af3642130fb33cd263b)
Merged-In: I6470d1684d707f4b1e86f8b456be0b4e0af5f188
Change-Id: I6470d1684d707f4b1e86f8b456be0b4e0af5f188
---
src/com/android/settings/DeviceAdminAdd.java | 120 ++++++++++---------
1 file changed, 64 insertions(+), 56 deletions(-)
diff --git a/src/com/android/settings/DeviceAdminAdd.java b/src/com/android/settings/DeviceAdminAdd.java
index fb21deb661..10d170ab6b 100644
--- a/src/com/android/settings/DeviceAdminAdd.java
+++ b/src/com/android/settings/DeviceAdminAdd.java
@@ -49,6 +49,8 @@ import android.text.TextUtils.TruncateAt;
import android.util.EventLog;
import android.util.Log;
import android.view.Display;
+import android.view.KeyEvent;
+import android.view.LayoutInflater;
import android.view.View;
import android.view.ViewGroup;
import android.view.ViewTreeObserver;
@@ -133,7 +135,7 @@ public class DeviceAdminAdd extends Activity {
mAppOps = (AppOpsManager)getSystemService(Context.APP_OPS_SERVICE);
PackageManager packageManager = getPackageManager();
- if ((getIntent().getFlags()&Intent.FLAG_ACTIVITY_NEW_TASK) != 0) {
+ if ((getIntent().getFlags() & Intent.FLAG_ACTIVITY_NEW_TASK) != 0) {
Log.w(TAG, "Cannot start ADD_DEVICE_ADMIN as a new task");
finish();
return;
@@ -143,7 +145,7 @@ public class DeviceAdminAdd extends Activity {
EXTRA_CALLED_FROM_SUPPORT_DIALOG, false);
String action = getIntent().getAction();
- ComponentName who = (ComponentName)getIntent().getParcelableExtra(
+ ComponentName who = (ComponentName) getIntent().getParcelableExtra(
DevicePolicyManager.EXTRA_DEVICE_ADMIN);
if (who == null) {
String packageName = getIntent().getStringExtra(EXTRA_DEVICE_ADMIN_PACKAGE_NAME);
@@ -201,7 +203,7 @@ public class DeviceAdminAdd extends Activity {
PackageManager.GET_DISABLED_UNTIL_USED_COMPONENTS);
int count = avail == null ? 0 : avail.size();
boolean found = false;
- for (int i=0; i<count; i++) {
+ for (int i = 0; i < count; i++) {
ResolveInfo ri = avail.get(i);
if (ai.packageName.equals(ri.activityInfo.packageName)
&& ai.name.equals(ri.activityInfo.name)) {
@@ -284,12 +286,12 @@ public class DeviceAdminAdd extends Activity {
setContentView(R.layout.device_admin_add);
- mAdminIcon = (ImageView)findViewById(R.id.admin_icon);
- mAdminName = (TextView)findViewById(R.id.admin_name);
- mAdminDescription = (TextView)findViewById(R.id.admin_description);
+ mAdminIcon = (ImageView) findViewById(R.id.admin_icon);
+ mAdminName = (TextView) findViewById(R.id.admin_name);
+ mAdminDescription = (TextView) findViewById(R.id.admin_description);
mProfileOwnerWarning = (TextView) findViewById(R.id.profile_owner_warning);
- mAddMsg = (TextView)findViewById(R.id.add_msg);
+ mAddMsg = (TextView) findViewById(R.id.add_msg);
mAddMsgExpander = (ImageView) findViewById(R.id.add_msg_expander);
final View.OnClickListener onClickListener = new View.OnClickListener() {
@Override
@@ -312,7 +314,7 @@ public class DeviceAdminAdd extends Activity {
mAddMsgExpander.setVisibility(hideMsgExpander ? View.GONE : View.VISIBLE);
if (hideMsgExpander) {
mAddMsg.setOnClickListener(null);
- ((View)mAddMsgExpander.getParent()).invalidate();
+ ((View) mAddMsgExpander.getParent()).invalidate();
}
mAddMsg.getViewTreeObserver().removeOnGlobalLayoutListener(this);
}
@@ -330,7 +332,7 @@ public class DeviceAdminAdd extends Activity {
mCancelButton.setOnClickListener(new View.OnClickListener() {
public void onClick(View v) {
EventLog.writeEvent(EventLogTags.EXP_DET_DEVICE_ADMIN_DECLINED_BY_USER,
- mDeviceAdmin.getActivityInfo().applicationInfo.uid);
+ mDeviceAdmin.getActivityInfo().applicationInfo.uid);
finish();
}
});
@@ -350,58 +352,64 @@ public class DeviceAdminAdd extends Activity {
final View restrictedAction = findViewById(R.id.restricted_action);
restrictedAction.setFilterTouchesWhenObscured(true);
- restrictedAction.setOnClickListener(new View.OnClickListener() {
- public void onClick(View v) {
- if (!mActionButton.isEnabled()) {
- showPolicyTransparencyDialogIfRequired();
- return;
- }
- if (mAdding) {
- addAndFinish();
- } else if (isManagedProfile(mDeviceAdmin)
- && mDeviceAdmin.getComponent().equals(mDPM.getProfileOwner())) {
- final int userId = UserHandle.myUserId();
- UserDialogs.createRemoveDialog(DeviceAdminAdd.this, userId,
- new DialogInterface.OnClickListener() {
- @Override
- public void onClick(DialogInterface dialog, int which) {
- UserManager um = UserManager.get(DeviceAdminAdd.this);
- um.removeUser(userId);
- finish();
- }
+
+ final View.OnClickListener restrictedActionClickListener = v -> {
+ if (!mActionButton.isEnabled()) {
+ showPolicyTransparencyDialogIfRequired();
+ return;
+ }
+ if (mAdding) {
+ addAndFinish();
+ } else if (isManagedProfile(mDeviceAdmin)
+ && mDeviceAdmin.getComponent().equals(mDPM.getProfileOwner())) {
+ final int userId = UserHandle.myUserId();
+ UserDialogs.createRemoveDialog(DeviceAdminAdd.this, userId,
+ new DialogInterface.OnClickListener() {
+ @Override
+ public void onClick(DialogInterface dialog, int which) {
+ UserManager um = UserManager.get(DeviceAdminAdd.this);
+ um.removeUser(userId);
+ finish();
}
- ).show();
- } else if (mUninstalling) {
- mDPM.uninstallPackageWithActiveAdmins(mDeviceAdmin.getPackageName());
- finish();
- } else if (!mWaitingForRemoveMsg) {
- try {
- // Don't allow the admin to put a dialog up in front
- // of us while we interact with the user.
- ActivityManager.getService().stopAppSwitches();
- } catch (RemoteException e) {
- }
- mWaitingForRemoveMsg = true;
- mDPM.getRemoveWarning(mDeviceAdmin.getComponent(),
- new RemoteCallback(new RemoteCallback.OnResultListener() {
- @Override
- public void onResult(Bundle result) {
- CharSequence msg = result != null
- ? result.getCharSequence(
- DeviceAdminReceiver.EXTRA_DISABLE_WARNING)
- : null;
- continueRemoveAction(msg);
- }
- }, mHandler));
- // Don't want to wait too long.
- getWindow().getDecorView().getHandler().postDelayed(new Runnable() {
- @Override public void run() {
- continueRemoveAction(null);
}
- }, 2*1000);
+ ).show();
+ } else if (mUninstalling) {
+ mDPM.uninstallPackageWithActiveAdmins(mDeviceAdmin.getPackageName());
+ finish();
+ } else if (!mWaitingForRemoveMsg) {
+ try {
+ // Don't allow the admin to put a dialog up in front
+ // of us while we interact with the user.
+ ActivityManager.getService().stopAppSwitches();
+ } catch (RemoteException e) {
}
+ mWaitingForRemoveMsg = true;
+ mDPM.getRemoveWarning(mDeviceAdmin.getComponent(),
+ new RemoteCallback(new RemoteCallback.OnResultListener() {
+ @Override
+ public void onResult(Bundle result) {
+ CharSequence msg = result != null
+ ? result.getCharSequence(
+ DeviceAdminReceiver.EXTRA_DISABLE_WARNING)
+ : null;
+ continueRemoveAction(msg);
+ }
+ }, mHandler));
+ // Don't want to wait too long.
+ getWindow().getDecorView().getHandler().postDelayed(
+ () -> continueRemoveAction(null), 2 * 1000);
+ }
+ };
+ restrictedAction.setOnKeyListener((view, keyCode, keyEvent) -> {
+ if ((keyEvent.getFlags() & KeyEvent.FLAG_FROM_SYSTEM) == 0) {
+ Log.e(TAG, "Can not activate device-admin with KeyEvent from non-system app.");
+ // Consume event to suppress click.
+ return true;
}
+ // Fallback to view click handler.
+ return false;
});
+ restrictedAction.setOnClickListener(restrictedActionClickListener);
}
/**

View File

@ -0,0 +1,48 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pinyao Ting <pinyaoting@google.com>
Date: Thu, 1 Jun 2023 18:12:44 -0700
Subject: [PATCH] Fix permission issue in legacy shortcut
When building legacy shortcut, Launcher calls
PackageManager#resolveActivity to retrieve necessary permission to
launch the intent.
However, when the source app wraps an arbitrary intent within
Intent#createChooser, the existing logic will fail because launching
Chooser doesn't require additional permission.
This CL fixes the security vulnerability by performing the permission
check against the intent that is wrapped within.
Bug: 270152142
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c53818a16b4322a823497726ac7e7a44501b4442)
Merged-In: If35344c08975e35085c7c2b9b814a3c457a144b0
Change-Id: If35344c08975e35085c7c2b9b814a3c457a144b0
---
.../android/launcher3/util/PackageManagerHelper.java | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java
index 0b3b632c02..4eac947fd0 100644
--- a/src/com/android/launcher3/util/PackageManagerHelper.java
+++ b/src/com/android/launcher3/util/PackageManagerHelper.java
@@ -116,6 +116,18 @@ public class PackageManagerHelper {
* any permissions
*/
public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
+ // b/270152142
+ if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
+ final Bundle extras = intent.getExtras();
+ if (extras == null) {
+ return true;
+ }
+ // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
+ intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
+ if (intent == null) {
+ return true;
+ }
+ }
ResolveInfo target = mPm.resolveActivity(intent, 0);
if (target == null) {
// Not a valid target

View File

@ -0,0 +1,138 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ashish Kumar <akgaurav@google.com>
Date: Fri, 26 May 2023 14:18:46 +0000
Subject: [PATCH] RESTRICT AUTOMERGE Fixed leak of cross user data in multiple
settings.
- Any app is allowed to receive GET_CONTENT intent. Using this, an user puts back in the intent an uri with data of another user.
- Telephony service has INTERACT_ACROSS_USER permission. Using this, it reads and shows the deta to the evil user.
Fix: When telephony service gets the intent result, it checks if the uri is from the current user or not.
Bug: b/256591023 , b/256819787
Test: The malicious behaviour was not being reproduced. Unable to import contact from other users data.
Test2: Able to import contact from the primary user or uri with no user id
(These settings are not available for secondary users)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36e10a6d0d7b9efc543f8004729fa85751f4f70d)
Merged-In: I1e3a643f17948153aecc1d0df9ffd9619ad678c1
Change-Id: I1e3a643f17948153aecc1d0df9ffd9619ad678c1
---
.../android/phone/GsmUmtsCallForwardOptions.java | 12 ++++++++++++
.../phone/settings/VoicemailSettingsActivity.java | 14 ++++++++++++++
.../phone/settings/fdn/EditFdnContactScreen.java | 13 +++++++++++++
3 files changed, 39 insertions(+)
diff --git a/src/com/android/phone/GsmUmtsCallForwardOptions.java b/src/com/android/phone/GsmUmtsCallForwardOptions.java
index 77cc6cca6..aa1c797d4 100644
--- a/src/com/android/phone/GsmUmtsCallForwardOptions.java
+++ b/src/com/android/phone/GsmUmtsCallForwardOptions.java
@@ -5,9 +5,12 @@ import com.android.internal.telephony.CommandsInterface;
import com.android.internal.telephony.Phone;
import android.app.ActionBar;
+import android.content.ContentProvider;
import android.content.Intent;
import android.database.Cursor;
import android.os.Bundle;
+import android.os.Process;
+import android.os.UserHandle;
import android.preference.Preference;
import android.preference.PreferenceScreen;
import android.telephony.CarrierConfigManager;
@@ -156,6 +159,15 @@ public class GsmUmtsCallForwardOptions extends TimeConsumingPreferenceActivity {
}
Cursor cursor = null;
try {
+ // check if the URI returned by the user belongs to the user
+ final int currentUser = UserHandle.getUserId(Process.myUid());
+ if (currentUser
+ != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {
+
+ Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "
+ + "cannot access");
+ return;
+ }
cursor = getContentResolver().query(data.getData(),
NUM_PROJECTION, null, null, null);
if ((cursor == null) || (!cursor.moveToFirst())) {
diff --git a/src/com/android/phone/settings/VoicemailSettingsActivity.java b/src/com/android/phone/settings/VoicemailSettingsActivity.java
index 0f58d195b..af9a746ed 100644
--- a/src/com/android/phone/settings/VoicemailSettingsActivity.java
+++ b/src/com/android/phone/settings/VoicemailSettingsActivity.java
@@ -17,6 +17,7 @@
package com.android.phone.settings;
import android.app.Dialog;
+import android.content.ContentProvider;
import android.content.DialogInterface;
import android.content.Intent;
import android.database.Cursor;
@@ -25,6 +26,8 @@ import android.os.Bundle;
import android.os.Handler;
import android.os.Message;
import android.os.PersistableBundle;
+import android.os.Process;
+import android.os.UserHandle;
import android.os.UserManager;
import android.preference.Preference;
import android.preference.PreferenceActivity;
@@ -522,6 +525,17 @@ public class VoicemailSettingsActivity extends PreferenceActivity
Cursor cursor = null;
try {
+ // check if the URI returned by the user belongs to the user
+ final int currentUser = UserHandle.getUserId(Process.myUid());
+ if (currentUser
+ != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {
+
+ if (DBG) {
+ log("onActivityResult: Contact data of different user, "
+ + "cannot access");
+ }
+ return;
+ }
cursor = getContentResolver().query(data.getData(),
new String[] { CommonDataKinds.Phone.NUMBER }, null, null, null);
if ((cursor == null) || (!cursor.moveToFirst())) {
diff --git a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
index 921e947e4..e733e82bb 100644
--- a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
+++ b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
@@ -18,9 +18,12 @@ package com.android.phone.settings.fdn;
import static android.view.Window.PROGRESS_VISIBILITY_OFF;
import static android.view.Window.PROGRESS_VISIBILITY_ON;
+import static android.app.Activity.RESULT_OK;
+
import android.app.Activity;
import android.content.AsyncQueryHandler;
+import android.content.ContentProvider;
import android.content.ContentResolver;
import android.content.ContentValues;
import android.content.Intent;
@@ -29,6 +32,8 @@ import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.os.Handler;
+import android.os.Process;
+import android.os.UserHandle;
import android.provider.Contacts.PeopleColumns;
import android.provider.Contacts.PhonesColumns;
import android.provider.ContactsContract.CommonDataKinds;
@@ -154,6 +159,14 @@ public class EditFdnContactScreen extends Activity {
}
Cursor cursor = null;
try {
+ // check if the URI returned by the user belongs to the user
+ final int currentUser = UserHandle.getUserId(Process.myUid());
+ if (currentUser
+ != ContentProvider.getUserIdFromUri(intent.getData(), currentUser)) {
+ Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "
+ + "cannot access");
+ return;
+ }
cursor = getContentResolver().query(intent.getData(),
NUM_PROJECTION, null, null, null);
if ((cursor == null) || (!cursor.moveToFirst())) {

View File

@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 16 May 2023 21:24:07 +0000
Subject: [PATCH] Fix an integer overflow bug in avdt_msg_asmbl
This is a backport of
Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
to rvc-dev
Bug: 280633699
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:26347d4bdba646bbba4d27337d2888a04de42639)
Merged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
---
stack/avdt/avdt_msg.cc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
index 453e18642..3576b74e6 100644
--- a/stack/avdt/avdt_msg.cc
+++ b/stack/avdt/avdt_msg.cc
@@ -1261,14 +1261,14 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
* NOTE: The buffer is allocated above at the beginning of the
* reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE.
*/
- uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
+ size_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
/* adjust offset and len of fragment for header byte */
p_buf->offset += AVDT_LEN_TYPE_CONT;
p_buf->len -= AVDT_LEN_TYPE_CONT;
/* verify length */
- if ((p_ccb->p_rx_msg->offset + p_buf->len) > buf_len) {
+ if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len) {
/* won't fit; free everything */
AVDT_TRACE_WARNING("%s: Fragmented message too big!", __func__);
osi_free_and_reset((void**)&p_ccb->p_rx_msg);

View File

@ -0,0 +1,64 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Fri, 19 May 2023 19:17:16 +0000
Subject: [PATCH] Fix integer overflow in build_read_multi_rsp
Local variables tracking structure size in build_read_multi_rsp are of
uint16 type but accept a full uint16 range from function arguments while
appending a fixed-length offset. This can lead to an integer overflow
and unexpected behavior.
Change the locals to size_t, and add a check during reasssignment.
Bug: 273966636
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:53f64274cbf2268ad6db5af9c61ceead9ef64fb0)
Merged-In: Iff252f0dd06aac9776e8548631e0b700b3ed85b9
Change-Id: Iff252f0dd06aac9776e8548631e0b700b3ed85b9
---
stack/gatt/gatt_sr.cc | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
index b9921fee6..d4e3c046b 100644
--- a/stack/gatt/gatt_sr.cc
+++ b/stack/gatt/gatt_sr.cc
@@ -113,7 +113,8 @@ void gatt_dequeue_sr_cmd(tGATT_TCB& tcb) {
******************************************************************************/
static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
tGATTS_RSP* p_msg, uint16_t mtu) {
- uint16_t ii, total_len, len;
+ uint16_t ii;
+ size_t total_len, len;
uint8_t* p;
bool is_overflow = false;
@@ -168,16 +169,22 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
len = p_rsp->attr_value.len - (total_len - mtu);
is_overflow = true;
VLOG(1) << StringPrintf(
- "multi read overflow available len=%d val_len=%d", len,
+ "multi read overflow available len=%zu val_len=%d", len,
p_rsp->attr_value.len);
} else {
len = p_rsp->attr_value.len;
}
if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
- memcpy(p, p_rsp->attr_value.value, len);
- if (!is_overflow) p += len;
- p_buf->len += len;
+ // check for possible integer overflow
+ if (p_buf->len + len <= UINT16_MAX) {
+ memcpy(p, p_rsp->attr_value.value, len);
+ if (!is_overflow) p += len;
+ p_buf->len += len;
+ } else {
+ p_cmd->status = GATT_NOT_FOUND;
+ break;
+ }
} else {
p_cmd->status = GATT_NOT_FOUND;
break;

View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Thu, 27 Apr 2023 20:43:58 +0000
Subject: [PATCH] Fix potential abort in btu_av_act.cc
Partner analysis shows that bta_av_rc_msg does not respect handling
established for a null browse packet, instead dispatching the null
pointer to bta_av_rc_free_browse_msg. Strictly speaking this does
not cause a UAF, as osi_free_and_reset will find the null and abort,
but it will lead to improper program termination.
Handle the case instead.
Bug: 269253349
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9)
Merged-In: I4df7045798b663fbefd7434288dc9383216171a7
Change-Id: I4df7045798b663fbefd7434288dc9383216171a7
---
bta/av/bta_av_act.cc | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
index 112645ecf..0cd7b5d00 100644
--- a/bta/av/bta_av_act.cc
+++ b/bta/av/bta_av_act.cc
@@ -997,7 +997,10 @@ void bta_av_rc_msg(tBTA_AV_CB* p_cb, tBTA_AV_DATA* p_data) {
av.remote_cmd.rc_handle = p_data->rc_msg.handle;
(*p_cb->p_cback)(evt, &av);
/* If browsing message, then free the browse message buffer */
- bta_av_rc_free_browse_msg(p_cb, p_data);
+ if (p_data->rc_msg.opcode == AVRC_OP_BROWSE &&
+ p_data->rc_msg.msg.browse.p_browse_pkt != NULL) {
+ bta_av_rc_free_browse_msg(p_cb, p_data);
+ }
}
}

View File

@ -0,0 +1,39 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Thu, 1 Jun 2023 23:57:58 +0000
Subject: [PATCH] Fix UAF in gatt_cl.cc
gatt_cl.cc accesses a header field after the buffer holding it may have
been freed.
Track the relevant state as a local variable instead.
Bug: 274617156
Test: atest: bluetooth, validated against fuzzer
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7a7f7f3311202065de4b2c17b49994053dd1244)
Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
---
stack/gatt/gatt_cl.cc | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index f8d5bab92..ef77f590d 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -587,7 +587,12 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
memcpy(value.value, p, value.len);
- if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {
+ bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);
+
+ // We now know that we have not terminated, or else we would have returned
+ // early. We free the buffer only if the subtype is not equal to
+ // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF.
+ if (subtype_is_write_prepare) {
p_clcb->status = GATT_SUCCESS;
/* application should verify handle offset
and value are matched or not */

View File

@ -0,0 +1,50 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Thu, 1 Jun 2023 13:44:28 -0700
Subject: [PATCH] Ensure that SecureNFC setting cannot be bypassed
Bug: 268038643
Test: ctsverifier
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6d8f79fd8d605b3cb460895a8e3a11bcf0c22b0)
Merged-In: Ic408b3ef9e35b646b728f9b76a0ba8922ed6e25f
Change-Id: Ic408b3ef9e35b646b728f9b76a0ba8922ed6e25f
Change-Id: Ib0baa833fe31c72825889b729c83a1d70a5a6a72
---
src/com/android/nfc/NfcService.java | 6 ++++++
src/com/android/nfc/cardemulation/HostEmulationManager.java | 5 +++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/com/android/nfc/NfcService.java b/src/com/android/nfc/NfcService.java
index 28a1b92c..63cbed97 100644
--- a/src/com/android/nfc/NfcService.java
+++ b/src/com/android/nfc/NfcService.java
@@ -1768,6 +1768,12 @@ public class NfcService implements DeviceHostListener {
}
}
+ public boolean isSecureNfcEnabled() {
+ synchronized (NfcService.this) {
+ return mIsSecureNfcEnabled;
+ }
+ }
+
final class NfcAdapterService extends INfcAdapter.Stub {
@Override
public boolean enable() throws RemoteException {
diff --git a/src/com/android/nfc/cardemulation/HostEmulationManager.java b/src/com/android/nfc/cardemulation/HostEmulationManager.java
index 91001582..ad4a3bd7 100644
--- a/src/com/android/nfc/cardemulation/HostEmulationManager.java
+++ b/src/com/android/nfc/cardemulation/HostEmulationManager.java
@@ -209,8 +209,9 @@ public class HostEmulationManager {
// Resolve to default
// Check if resolvedService requires unlock
NQApduServiceInfo defaultServiceInfo = resolveInfo.defaultService;
- if (defaultServiceInfo.requiresUnlock() &&
- mKeyguard.isKeyguardLocked() && mKeyguard.isKeyguardSecure()) {
+ if ((defaultServiceInfo.requiresUnlock()
+ || NfcService.getInstance().isSecureNfcEnabled())
+ && mKeyguard.isKeyguardLocked() && mKeyguard.isKeyguardSecure()) {
// Just ignore all future APDUs until next tap
mState = STATE_W4_DEACTIVATE;
launchTapAgain(resolveInfo.defaultService, resolveInfo.category);

View File

@ -99,7 +99,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
sed -i 's/2022-01-05/2023-08-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-08 #XXX sed -i 's/2022-01-05/2023-09-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-09 #XXX
fi; fi;
if enterAndClear "build/soong"; then if enterAndClear "build/soong"; then
@ -158,6 +158,7 @@ awk -i inplace '!/deletePackage/' pico/src/com/svox/pico/LangPackUninstaller.jav
fi; fi;
if enterAndClear "frameworks/av"; then if enterAndClear "frameworks/av"; then
applyPatch "$DOS_PATCHES/android_frameworks_av/365962.patch"; #R_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS) if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
fi; fi;
@ -177,6 +178,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/364035-backport.patch"; #R_asb_
applyPatch "$DOS_PATCHES/android_frameworks_base/364036-backport.patch"; #R_asb_2023-08 Verify URI permissions in MediaMetadata applyPatch "$DOS_PATCHES/android_frameworks_base/364036-backport.patch"; #R_asb_2023-08 Verify URI permissions in MediaMetadata
applyPatch "$DOS_PATCHES/android_frameworks_base/364037.patch"; #R_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used applyPatch "$DOS_PATCHES/android_frameworks_base/364037.patch"; #R_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
applyPatch "$DOS_PATCHES/android_frameworks_base/364038-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user. applyPatch "$DOS_PATCHES/android_frameworks_base/364038-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user.
applyPatch "$DOS_PATCHES/android_frameworks_base/365966-backport.patch"; #R_asb_2023-09 Forbid granting access to NLSes with too-long component names
applyPatch "$DOS_PATCHES/android_frameworks_base/365967.patch"; #R_asb_2023-09 Update AccountManagerService checkKeyIntentParceledCorrectly.
applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@ -221,6 +224,7 @@ rm -rf packages/PrintRecommendationService; #Creates popups to install proprieta
fi; fi;
if enterAndClear "frameworks/native"; then if enterAndClear "frameworks/native"; then
applyPatch "$DOS_PATCHES/android_frameworks_native/365969-backport.patch"; #R_asb_2023-09 Allow sensors list to be empty
applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS)
fi; fi;
@ -311,6 +315,7 @@ cp -f "$DOS_PATCHES_COMMON/contributors.db" assets/contributors.db; #Update cont
fi; fi;
if enterAndClear "packages/apps/Nfc"; then if enterAndClear "packages/apps/Nfc"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/365970.patch"; #R_asb_2023-09 Ensure that SecureNFC setting cannot be bypassed
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
fi; fi;
@ -322,6 +327,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Sensors_Per
fi; fi;
if enterAndClear "packages/apps/Settings"; then if enterAndClear "packages/apps/Settings"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/365973-backport.patch"; #R_asb_2023-09 Prevent non-system IME from becoming device admin
git revert --no-edit c240992b4c86c7f226290807a2f41f2619e7e5e8; #Don't hide OEM unlock git revert --no-edit c240992b4c86c7f226290807a2f41f2619e7e5e8; #Don't hide OEM unlock
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch) #TODO: Needs work #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch) #TODO: Needs work
@ -340,6 +346,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics
fi; fi;
if enterAndClear "packages/apps/Trebuchet"; then if enterAndClear "packages/apps/Trebuchet"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/365974.patch"; #R_asb_2023-09 Fix permission issue in legacy shortcut
cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed
fi; fi;
@ -369,6 +376,7 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/364041-backport.patc
fi; fi;
if enterAndClear "packages/services/Telephony"; then if enterAndClear "packages/services/Telephony"; then
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/365978-backport.patch"; #R_asb_2023-09 Fixed leak of cross user data in multiple settings.
git revert --no-edit 99564aaf0417c9ddf7d6aeb10d326e5b24fa8f55; git revert --no-edit 99564aaf0417c9ddf7d6aeb10d326e5b24fa8f55;
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #(DivestOS) applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #(DivestOS)
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch"; applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
@ -376,6 +384,10 @@ fi;
if enterAndClear "system/bt"; then if enterAndClear "system/bt"; then
applyPatch "$DOS_PATCHES/android_system_bt/360969.patch"; #R_asb_2023-07 Fix gatt_end_operation buffer overflow applyPatch "$DOS_PATCHES/android_system_bt/360969.patch"; #R_asb_2023-07 Fix gatt_end_operation buffer overflow
applyPatch "$DOS_PATCHES/android_system_bt/365979.patch"; #R_asb_2023-09 Fix an integer overflow bug in avdt_msg_asmbl
applyPatch "$DOS_PATCHES/android_system_bt/365980.patch"; #R_asb_2023-09 Fix integer overflow in build_read_multi_rsp
applyPatch "$DOS_PATCHES/android_system_bt/365981.patch"; #R_asb_2023-09 Fix potential abort in btu_av_act.cc
applyPatch "$DOS_PATCHES/android_system_bt/365982-backport.patch"; #R_asb_2023-09 Fix UAF in gatt_cl.cc
#applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS) #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
fi; fi;
@ -410,6 +422,10 @@ if enterAndClear "vendor/nxp/opensource/commonsys/external/libnfc-nci"; then
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/360974-backport.patch"; #R_asb_2023-07 OOBW in rw_i93_send_to_upper() applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/360974-backport.patch"; #R_asb_2023-07 OOBW in rw_i93_send_to_upper()
fi; fi;
if enterAndClear "vendor/nxp/opensource/commonsys/packages/apps/Nfc/"; then
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_commonsys_packages_apps_Nfc/365983-backport.patch"; #R_asb_2023-09 Ensure that SecureNFC setting cannot be bypassed
fi;
if enterAndClear "system/sepolicy"; then if enterAndClear "system/sepolicy"; then
applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS) applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS) #applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)

View File

@ -150,7 +150,6 @@ if enterAndClear "frameworks/av"; then
applyPatch "$DOS_PATCHES/android_frameworks_av/365962.patch"; #R_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test. applyPatch "$DOS_PATCHES/android_frameworks_av/365962.patch"; #R_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
fi; fi;
if enterAndClear "frameworks/base"; then if enterAndClear "frameworks/base"; then
applyPatch "$DOS_PATCHES/android_frameworks_base/360952-backport.patch"; #R_asb_2023-07 Passpoint Add more check to limit the config size applyPatch "$DOS_PATCHES/android_frameworks_base/360952-backport.patch"; #R_asb_2023-07 Passpoint Add more check to limit the config size
applyPatch "$DOS_PATCHES/android_frameworks_base/360953-backport.patch"; #R_asb_2023-07 Sanitize VPN label to prevent HTML injection applyPatch "$DOS_PATCHES/android_frameworks_base/360953-backport.patch"; #R_asb_2023-07 Sanitize VPN label to prevent HTML injection