diff --git a/Misc/pick-imports/16-asbs-download.sh b/Misc/pick-imports/16-asbs-download.sh
new file mode 100644
index 00000000..057669fd
--- /dev/null
+++ b/Misc/pick-imports/16-asbs-download.sh
@@ -0,0 +1,271 @@
+wget https://github.com/LineageOS/android_frameworks_base/commit/ea52854b208d2a8e367c65068edbdff741b9eb80.patch -O android_frameworks_base/330961.patch; #P_asb_2022-05 Keyguard - Treat messsages to lock with priority
+wget https://github.com/LineageOS/android_frameworks_base/commit/6bc4a89b9680b780768ee2b92a01f979b708c00b.patch -O android_frameworks_base/330962.patch; #P_asb_2022-05 Verify caller before auto granting slice permission
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/e298920fbeb8714698c6e96beaff71383640878b.patch -O android_packages_services_Telecomm/330959.patch; #P_asb_2022-05 Handle null bindings returned from ConnectionService.
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/cfe47c5ab58c17fe9e2b580874878347461d8695.patch -O android_packages_apps_Settings/330960.patch; #P_asb_2022-05 Hide private DNS settings UI in Guest mode
+wget https://github.com/LineageOS/android_frameworks_base/commit/a1c1383a08e17e14273e0f2e7d1c250fb4e3b7f2.patch -O android_frameworks_base/330963.patch; #P_asb_2022-05 Always restart apps if base.apk gets updated.
+wget https://github.com/LineageOS/android_external_aac/commit/e40800a613eb89b5b4c701774c3cecc1c2b7dd6c.patch -O android_external_aac/332775.patch; #P_asb_2022-06 Reject invalid out of band config in transportDec_OutOfBandConfig() and skip re-allocation.
+wget https://github.com/LineageOS/android_frameworks_base/commit/4005549db2fa7e1524fc0dbbe22c774fb00b6cb3.patch -O android_frameworks_base/332779.patch; #P_asb_2022-06 Prevent non-admin users from deleting system apps.
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/526bbbb30625c4b2728d4c461137413dbd1a96f6.patch -O android_packages_services_Telecomm/332764.patch; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
+wget https://github.com/LineageOS/android_system_core/commit/976019d07ad1c007043b78450857f428a1440f06.patch -O android_system_core/332765.patch; #P_asb_2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage in directory traversal on the host.
+wget https://github.com/LineageOS/android_frameworks_base/commit/c8da70733ac6be9b209b27b8bd72f9b0f0a2ee44.patch -O android_frameworks_base/332778.patch; #P_asb_2022-06 Fix security hole in GateKeeperResponse
+wget https://github.com/LineageOS/android_frameworks_base/commit/e7f0f7bac948a3deb2ef9139ef4fd9ad9eb1215a.patch -O android_frameworks_base/332777.patch; #P_asb_2022-06 Add an OEM configurable limit for zen rules
+wget https://github.com/LineageOS/android_frameworks_base/commit/c6a97af0e9b22c303d13ad573e96eb4b06c0bfa3.patch -O android_frameworks_base/332776.patch; #P_asb_2022-06 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format.
+wget https://github.com/LineageOS/android_frameworks_base/commit/76c531e222779ae68047010f42f7a36100010f4c.patch -O android_frameworks_base/332757.patch; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10; api doc update
+wget https://github.com/LineageOS/android_frameworks_base/commit/258ab4cfd77e49b087f4b3333c21ecb23d4c2a9f.patch -O android_frameworks_base/332756.patch; #P_asb_2022-06 Add finalizeWorkProfileProvisioning.
+wget https://github.com/LineageOS/android_packages_apps_Nfc/commit/d7722eaa4defeaea88dce9f3c644e038af3f637d.patch -O android_packages_apps_Nfc/332762.patch; #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp()
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/ecf8fd5a9aa4976ace98fe9a4986f1de3ff77c1d.patch -O android_packages_apps_Settings/332763.patch; #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+wget https://github.com/LineageOS/android_packages_apps_Dialer/commit/71701cfc7511cd3ad2e8a0f0f12dd78ea8db2517.patch -O android_packages_apps_Dialer/332761.patch; #P_asb_2022-06 No longer export CallSubjectDialog
+wget https://github.com/LineageOS/android_packages_apps_Contacts/commit/5055718d99866a7783cf72199b3f385e68bc7a53.patch -O android_packages_apps_Contacts/332760.patch; #P_asb_2022-06 No longer export CallSubjectDialog
+wget https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/6ff1c1f2e637e0dc3fc803f8028c7b89bae74937.patch -O android_packages_apps_Bluetooth/332759.patch; #P_asb_2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
+wget https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/eb31965a73439dc8638d03b23f4648774a05df57.patch -O android_packages_apps_Bluetooth/332758.patch; #P_asb_2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_packages_apps_Nfc/commit/08fbee6160c576d2d9feff91af2ed3ce0bff2cb7.patch -O android_vendor_nxp_opensource_packages_apps_Nfc/332773.patch; #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp()
+wget https://github.com/LineageOS/android_system_nfc/commit/318f09ce7e384809e3ab68c0294be96da6bf5141.patch -O android_system_nfc/332766.patch; #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+wget https://github.com/LineageOS/android_system_nfc/commit/af0a965cd72fa6cab442fc46068fe4e556ca14c3.patch -O android_system_nfc/332767.patch; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+wget https://github.com/LineageOS/android_system_nfc/commit/09dd85730f6c7ea4e2da2a9bf51de5d45a3b1061.patch -O android_system_nfc/332768.patch; #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/a6c1507a0fa5a844514ecae89d0758ccb8724585.patch -O android_vendor_nxp_opensource_external_libnfc-nci/332769.patch; #P_asb_2022-06 Prevent OOB write in nfc_ncif_proc_ee_discover_req
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/9dd0310855fa8889217e4e077bcfc7822abdbdc2.patch -O android_vendor_nxp_opensource_external_libnfc-nci/332770.patch; #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/84a8c1e3350174c25da59c7c6479b0dca37df111.patch -O android_vendor_nxp_opensource_external_libnfc-nci/332771.patch; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/d5b6e36b4d5585d3e003d16ba6aa73929ae7255d.patch -O android_vendor_nxp_opensource_external_libnfc-nci/332772.patch; #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+wget https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/82c9270c2cf11b9a2ac4b5942f3ec086bc02099c.patch -O android_packages_apps_EmergencyInfo/342101.patch; #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+wget https://github.com/LineageOS/android_frameworks_base/commit/862a9ed37b4cc89f450e6159cec65552e6e9fd38.patch -O android_frameworks_base/334256.patch; #P_asb_2022-07 StorageManagerService: don't ignore failures to prepare user storage
+wget https://github.com/LineageOS/android_frameworks_base/commit/10600c7c0cb582877cae6d3a28c9e39a73add1e1.patch -O android_frameworks_base/334257.patch; #P_asb_2022-07 UserDataPreparer: reboot to recovery if preparing user storage fails
+wget https://github.com/LineageOS/android_frameworks_base/commit/44130eac9f128dbea908171de1fa0743f2dda709.patch -O android_frameworks_base/334258.patch; #P_asb_2022-07 UserDataPreparer: reboot to recovery for system user only
+wget https://github.com/LineageOS/android_frameworks_base/commit/8b1d16f79b125ea356d7af582fc6ceac297afa04.patch -O android_frameworks_base/334259.patch; #P_asb_2022-07 Ignore errors preparing user storage for existing users
+wget https://github.com/LineageOS/android_frameworks_base/commit/2688ed5ff6c1c637444ba776d730940769b2ee1d.patch -O android_frameworks_base/334260.patch; #P_asb_2022-07 Log to EventLog on prepareUserStorage failure
+wget https://github.com/LineageOS/android_frameworks_base/commit/bcede32d6c0c192b00fa745e522d50b817ea969b.patch -O android_frameworks_base/334262.patch; #P_asb_2022-07 Crash invalid FGS notifications
+wget https://github.com/LineageOS/android_packages_apps_KeyChain/commit/5e04f66b9db71a74b7dbf6ca9a43b602d5fca122.patch -O android_packages_apps_KeyChain/334264.patch; #P_asb_2022-07 Encode authority part of uri before showing in UI
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/1fee30e9946eec7ec5b0c95481317cd1647c92a7.patch -O android_packages_apps_Settings/334265.patch; #P_asb_2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
+wget https://github.com/LineageOS/android_system_bt/commit/b15c9cc55faddbdb36df6af086762adfef028bbe.patch -O android_system_bt/334266.patch; #P_asb_2022-07 Security: Fix out of bound write in HFP client
+wget https://github.com/LineageOS/android_system_bt/commit/5d7b97ac9aa45287bf57d061b7e1e0287c7c513a.patch -O android_system_bt/334267.patch; #P_asb_2022-07 Check Avrcp packet vendor length before extracting length
+wget https://github.com/LineageOS/android_frameworks_opt_telephony/commit/4e3e190ff664797f23039da13a45a70ddf615489.patch -O android_frameworks_opt_telephony/334263.patch; #P_asb_2022-07 Enforce privileged phone state for getSubscriptionProperty(GROUP_UUID)
+wget https://github.com/LineageOS/android_system_bt/commit/f41d68b53f669b96787f5fde38bdc5fe73e795b8.patch -O android_system_bt/334268.patch; #P_asb_2022-07 Security: Fix out of bound read in AT_SKIP_REST
+wget https://github.com/LineageOS/android_frameworks_base/commit/35c2fc9116afdd6fe2dcca6e4fb59466a317b342.patch -O android_frameworks_base/335117.patch; #P_asb_2022-08 Only allow system and same app to apply relinquishTaskIdentity
+wget https://github.com/LineageOS/android_system_bt/commit/8bfd408fa1ebf3d8dc2fc9906672c7cfe7dc0144.patch -O android_system_bt/335109.patch; #P_asb_2022-08 Removing bonded device when auth fails due to missing keys
+wget https://github.com/LineageOS/android_packages_providers_ContactsProvider/commit/3b27f760484b42cc1ea25af7bdeb68b40cdfa455.patch -O android_packages_providers_ContactsProvider/335110.patch; #P_asb_2022-08 enforce stricter CallLogProvider query
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/9dfc928466d7709c968adcba7f22378e243b99f2.patch -O android_packages_apps_Settings/335111.patch; #P_asb_2022-08 Verify ringtone from ringtone picker is audio
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/539f79473852aab2bebcc7374404f47eccb297b1.patch -O android_packages_apps_Settings/335112.patch; #P_asb_2022-08 Make bluetooth not discoverable via SliceDeepLinkTrampoline
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/b8e381a8e5b104a455efb6b4352eee04b1fb4a5c.patch -O android_packages_apps_Settings/335113.patch; #P_asb_2022-08 Fix: policy enforcement for location wifi scanning
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/83ce5e4d8f0bb352ed433e711acacdd1a51130fe.patch -O android_packages_apps_Settings/335114.patch; #P_asb_2022-08 Fix Settings crash when setting a null ringtone
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/91b6470dde8a9b2586273796c183a29000a82ce5.patch -O android_packages_apps_Settings/335115.patch; #P_asb_2022-08 Fix can't change notification sound for work profile.
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/ccebafea047fef8ab93c4e748ab1b9a15280702b.patch -O android_packages_apps_Settings/335116.patch; #P_asb_2022-08 Extract app label from component name in notification access confirmation UI
+wget https://github.com/LineageOS/android_frameworks_base/commit/a532c1aeec285ebd601ceb266f0af8553ccef5df.patch -O android_frameworks_base/335118.patch; #P_asb_2022-08 Suppress notifications when device enter lockdown
+wget https://github.com/LineageOS/android_frameworks_base/commit/017b9b6b000693a5e48ba7431bf638c257833ec3.patch -O android_frameworks_base/335119.patch; #P_asb_2022-08 Remove package title from notification access confirmation intent
+wget https://github.com/LineageOS/android_frameworks_base/commit/53f3e590ac533cacdf7e78ec701a8e365c89901b.patch -O android_frameworks_base/335121.patch; #P_asb_2022-08 Only allow the system server to connect to sync adapters
+wget https://github.com/LineageOS/android_frameworks_base/commit/cb2cb0520dd1f4c7e19e806cde02fc3da6a355d2.patch -O android_frameworks_base/335120.patch; #P_asb_2022-08 Stop using invalid URL to prevent unexpected crash
+wget https://github.com/LineageOS/android_frameworks_base/commit/26e3268f3cac1d120d8b4683e8d5201b70f44fc2.patch -O android_frameworks_base/338346.patch; #P_asb_2022-09 Fix duplicate permission privilege escalation
+wget https://github.com/LineageOS/android_frameworks_base/commit/b98ed505d5c477f5d6e1f88433a5c9f1cb03025e.patch -O android_frameworks_base/338347.patch; #P_asb_2022-09 Parcel: recycle recycles
+wget https://github.com/LineageOS/android_frameworks_base/commit/3a1887eb6147d7e51a79c387aaed38c08056c789.patch -O android_frameworks_base/338348.patch; #P_asb_2022-09 IMMS: Make IMMS PendingIntents immutable
+wget https://github.com/LineageOS/android_frameworks_base/commit/031578d71058c6400ea91b1806b467aca2de54b1.patch -O android_frameworks_base/338349.patch; #P_asb_2022-09 Remove package name from SafetyNet logs
+wget https://github.com/LineageOS/android_external_expat/commit/31f7a33a236a574c7c4bea5de648c349fa1e7508.patch -O android_external_expat/338353.patch; #P_asb_2022-09 Prevent integer overflow in copyString
+wget https://github.com/LineageOS/android_external_expat/commit/5c70aa4e573cf46f6127aa6713c09877a246bf6b.patch -O android_external_expat/338354.patch; #P_asb_2022-09 Prevent XML_GetBuffer signed integer overflow
+wget https://github.com/LineageOS/android_external_expat/commit/68116f18efee226636fdc2ecf518f3de589c98a8.patch -O android_external_expat/338355.patch; #P_asb_2022-09 Prevent integer overflow in function doProlog
+wget https://github.com/LineageOS/android_external_expat/commit/883c4901f5ca13cf202c9c234612e117f0ef092e.patch -O android_external_expat/338356.patch; #P_asb_2022-09 Prevent more integer overflows
+wget https://github.com/LineageOS/android_system_bt/commit/a940244a653c0c20e5d08aaf40484da93300dc3f.patch -O android_system_bt/338350.patch; #P_asb_2022-09 Fix OOB in bnep_is_packet_allowed
+wget https://github.com/LineageOS/android_system_bt/commit/de882ad1be24fa351ad8ba483b89c2b0b1e615c6.patch -O android_system_bt/338351.patch; #P_asb_2022-09 Fix OOB in BNEP_Write
+wget https://github.com/LineageOS/android_system_bt/commit/88b4c659bc53971605a5cdde56f94b2d90677d20.patch -O android_system_bt/338352.patch; #P_asb_2022-09 Fix OOB in reassemble_and_dispatch
+wget https://github.com/LineageOS/android_external_dtc/commit/d8ff0456cbe3b32b5f71dd0740f9a6cca6de27b9.patch -O android_external_dtc/342096.patch; #P_asb_2022-10 libfdt: fdt_offset_ptr(): Fix comparison warnings
+wget https://github.com/LineageOS/android_system_bt/commit/024bd7b32e3298ceaf70443e9224aff56cf8de4b.patch -O android_system_bt/342097.patch; #P_asb_2022-10 Fix potential interger overflow when parsing vendor response
+wget https://github.com/LineageOS/android_system_nfc/commit/f7eb9ba0755d2ab170d7fa7f46d67ebed4690426.patch -O android_system_nfc/342098.patch; #P_asb_2022-10 The length of a packet should be non-zero
+wget https://github.com/LineageOS/android_frameworks_base/commit/950c44f0e7229672ea093e86d7f05df00b33844d.patch -O android_frameworks_base/342100.patch; #P_asb_2022-10 Limit the number of concurrently snoozed notifications
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/c5cae87d66c3b8d459677da775cc61e550bba993.patch -O android_vendor_nxp_opensource_external_libnfc-nci/342099.patch; #P_asb_2022-10 The length of a packet should be non-zero
+wget https://github.com/LineageOS/android_packages_apps_PackageInstaller/commit/79fbc97fa9030bc872c26dde69d3d6b5ca50d42c.patch -O android_packages_apps_PackageInstaller/344181.patch; #P_asb_2022-11 Hide overlays on ReviewPermissionsAtivity
+wget https://github.com/LineageOS/android_packages_providers_TelephonyProvider/commit/915289305d5bd55c3a9e5667acab9cfec8f68d31.patch -O android_packages_providers_TelephonyProvider/344182.patch; #P_asb_2022-11 Check dir path before updating permissions.
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/9bd081d4162ee1bd99eed4a2f8c144255a3b7a41.patch -O android_packages_services_Telecomm/344183.patch; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+wget https://github.com/LineageOS/android_system_bt/commit/b8332ffa326c412c7952bcae1ad924a8542caa8e.patch -O android_system_bt/344184.patch; #P_asb_2022-11 Add negative length check in process_service_search_rsp
+wget https://github.com/LineageOS/android_system_bt/commit/9e3a7208a794cb350b5b1565db4e1120d7b1373d.patch -O android_system_bt/344185.patch; #P_asb_2022-11 Add buffer in pin_reply in bluetooth.cc
+wget https://github.com/LineageOS/android_frameworks_base/commit/fcd8dc4d686c362b7353f9d7c6a3b05994cc0565.patch -O android_frameworks_base/344168.patch; #P_asb_2022-11 Move accountname and typeName length check from Account.java to AccountManagerService.
+wget https://github.com/LineageOS/android_frameworks_base/commit/bad61936167d1d7eca8dc155e8c0c8a248a2bc5c.patch -O android_frameworks_base/344169.patch; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+wget https://github.com/LineageOS/android_frameworks_base/commit/e72558a547d48190469c0763a9e317d1792a9f53.patch -O android_frameworks_base/344170.patch; #P_asb_2022-11 Do not send new Intent to non-exported activity when navigateUpTo
+wget https://github.com/LineageOS/android_frameworks_base/commit/6a42e12de4cf0f2de93cbd8bb4506de8a83dd88a.patch -O android_frameworks_base/344171.patch; #P_asb_2022-11 Do not send AccessibilityEvent if notification is for different user.
+wget https://github.com/LineageOS/android_frameworks_base/commit/36b533a308ced7203f515daed97d0f15bb65587f.patch -O android_frameworks_base/344172.patch; #P_asb_2022-11 Trim any long string inputs that come in to AutomaticZenRule
+wget https://github.com/LineageOS/android_frameworks_base/commit/114dcf0b5836c0c982a560e85350f408c8640bdf.patch -O android_frameworks_base/344173.patch; #P_asb_2022-11 Check permission for VoiceInteraction
+wget https://github.com/LineageOS/android_frameworks_base/commit/22e363c319e6fddeea39f00f7ef5e63395a45dc5.patch -O android_frameworks_base/344174.patch; #P_asb_2022-11 Do not dismiss keyguard after SIM PUK unlock
+wget https://github.com/LineageOS/android_hardware_nxp_nfc/commit/70c3eef94c74e78d9bf9e9119d58ca0a5082cf2f.patch -O android_hardware_nxp_nfc/344180.patch; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
+wget https://github.com/LineageOS/android_external_dtc/commit/c34b2c464b0900d3e79aa1c64c25137fd09c4762.patch -O android_external_dtc/344161.patch; #P_asb_2022-11 Fix integer wrap sanitisation.
+wget https://github.com/LineageOS/android_frameworks_av/commit/2692e4bcdba06eec20424291acaac5669acf581f.patch -O android_frameworks_av/344167.patch; #P_asb_2022-11 setSecurityLevel in clearkey
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_halimpl/commit/9d9f191dd2522aa286bdc3c42d6777b6e503356b.patch -O android_vendor_nxp_opensource_halimpl/344190.patch; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
+wget https://github.com/LineageOS/android_system_bt/commit/cea94f7ab0d36254a99d5854b9c2e83afd4584bc.patch -O android_system_bt/345915.patch; #P_asb_2022-12 Added max buffer length check
+wget https://github.com/LineageOS/android_system_bt/commit/56ea90b69d6715e7e1f0ddd35fd5ca7e19d93dc6.patch -O android_system_bt/345916.patch; #P_asb_2022-12 Add missing increment in bnep_api.cc
+wget https://github.com/LineageOS/android_system_bt/commit/da6430bd4b319f8398deaef8d74341234fb79624.patch -O android_system_bt/345917.patch; #P_asb_2022-12 Add length check when copy AVDT and AVCT packet
+wget https://github.com/LineageOS/android_system_bt/commit/222fad2e71f159e3d6e0bc0aef36f83cbf3fcdfa.patch -O android_system_bt/345918.patch; #P_asb_2022-12 Fix integer overflow when parsing avrc response
+wget https://github.com/LineageOS/android_frameworks_base/commit/16da2229db1aa80499b296bc8c384fe78add0e30.patch -O android_frameworks_base/345892.patch; #P_asb_2022-12 Revert "Prevent non-admin users from deleting system apps."
+wget https://github.com/LineageOS/android_frameworks_base/commit/921f748f4dd12465721dc7e8ed86f89c0718da57.patch -O android_frameworks_base/345893.patch; #P_asb_2022-12 Limit the size of NotificationChannel and NotificationChannelGroup
+wget https://github.com/LineageOS/android_frameworks_base/commit/4bdaa78394c95a864f1d34ec1997c6494dbece15.patch -O android_frameworks_base/345894.patch; #P_asb_2022-12 Prevent non-admin users from deleting system apps.
+wget https://github.com/LineageOS/android_frameworks_base/commit/c8ac5b6a05bb584e196b4c1bd4b819914c4018b6.patch -O android_frameworks_base/345895.patch; #P_asb_2022-12 Validate package name passed to setApplicationRestrictions.
+wget https://github.com/LineageOS/android_frameworks_base/commit/9e0a825e2ca0cf102fc462af55f5a471d6d5836d.patch -O android_frameworks_base/345896.patch; #P_asb_2022-12 Include all enabled services when FEEDBACK_ALL_MASK.
+wget https://github.com/LineageOS/android_frameworks_base/commit/8d88ee0de3b9e474fcc70ab121186df93bf75456.patch -O android_frameworks_base/345897.patch; #P_asb_2022-12 [pm] forbid deletion of protected packages
+wget https://github.com/LineageOS/android_frameworks_base/commit/c4763f78a2ab695992cf63709b665c7478d43891.patch -O android_frameworks_base/345898.patch; #P_asb_2022-12 Fix NPE
+wget https://github.com/LineageOS/android_frameworks_base/commit/08605e9ee1e96336fe3202066a6cdba21cf377ad.patch -O android_frameworks_base/345899.patch; #P_asb_2022-12 Fix a security issue in app widget service.
+wget https://github.com/LineageOS/android_frameworks_base/commit/4d5e30ccea8cc4dec6359f004173d896c4b01556.patch -O android_frameworks_base/345900.patch; #P_asb_2022-12 Ignore malformed shortcuts
+wget https://github.com/LineageOS/android_frameworks_base/commit/58e177ca589576cacfd1ed016bdd5d0bf4cb9a5d.patch -O android_frameworks_base/345901.patch; #P_asb_2022-12 Fix permanent denial of service via setComponentEnabledSetting
+wget https://github.com/LineageOS/android_frameworks_base/commit/be00f79f1148a27fd9161e65ebaa2eedb7fca4c7.patch -O android_frameworks_base/345902.patch; #P_asb_2022-12 Add safety checks on KEY_INTENT mismatch.
+wget https://github.com/LineageOS/android_frameworks_minikin/commit/4f583889fcc90883fa3ec86befa20c671ec8774e.patch -O android_frameworks_minikin/345903.patch; #P_asb_2022-12 Fix OOB read for registerLocaleList
+wget https://github.com/LineageOS/android_frameworks_minikin/commit/89b513681269399b4d2621f0c1750daa48f77681.patch -O android_frameworks_minikin/345904.patch; #P_asb_2022-12 Fix OOB crash for registerLocaleList
+wget https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/f7624d5f831e8576a816feaebb120974e54c23b6.patch -O android_packages_apps_Bluetooth/345907.patch; #P_asb_2022-12 Fix URI check in BluetoothOppUtility.java
+wget https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/c6cd624a87b1b8f586ef83b2a810c36669b55a0b.patch -O android_packages_apps_EmergencyInfo/345908.patch; #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings."
+wget https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/d25bc7d14e791a049698ac2c7cbd9c72e6e7592d.patch -O android_packages_apps_EmergencyInfo/345909.patch; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/06242790f0f2b20e1f0caa0548924d1fcddfca93.patch -O android_packages_apps_Settings/345910.patch; #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings."
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/090473035dd448e96138844bfec0c88952acf3d1.patch -O android_packages_apps_Settings/345911.patch; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/6f9c13de0a620203fe7d6bcdfd6d94c74e22706b.patch -O android_packages_apps_Settings/345912.patch; #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
+wget https://github.com/LineageOS/android_external_dtc/commit/77e6d383cde91d7ac8bbb159de215ec198e9f1aa.patch -O android_external_dtc/345891.patch; #P_asb_2022-12 libfdt: fdt_path_offset_namelen: Reject empty paths
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/fae9a71b822b913e7516333484e8efd513e1640d.patch -O android_packages_services_Telecomm/345913.patch; #P_asb_2022-12 Hide overlay windows when showing phone account enable/disable screen.
+wget https://github.com/LineageOS/android_system_bt/commit/210fe2c41c04d50c7a82a6415d7708ff5d055b3e.patch -O android_system_bt/345914.patch; #P_asb_2022-12 Add length check when copy AVDTP packet
+wget https://github.com/LineageOS/android_frameworks_base/commit/7f7b42f83fd7aef7570450b82c5931aa81f1e66d.patch -O android_frameworks_base/347044.patch; #P_asb_2023-01 Limit lengths of fields in Condition to a max length.
+wget https://github.com/LineageOS/android_frameworks_base/commit/91726ddbd32c8b5226991492354f1d93616c6cfd.patch -O android_frameworks_base/347045.patch; #P_asb_2023-01 Disable all A11yServices from an uninstalled package.
+wget https://github.com/LineageOS/android_frameworks_base/commit/2dc4e2467dcebfc827d68f573570cd04e6ea6244.patch -O android_frameworks_base/347046.patch; #P_asb_2023-01 Fix conditionId string trimming in AutomaticZenRule
+wget https://github.com/LineageOS/android_frameworks_base/commit/9b5407d68859e615a2ee7a229f486fc5365682da.patch -O android_frameworks_base/347047.patch; #P_asb_2023-01 [SettingsProvider] mem limit should be checked before settings are updated
+wget https://github.com/LineageOS/android_frameworks_base/commit/66a9e8fc457e7257b78dfef3f18eab01c63efc12.patch -O android_frameworks_base/347048.patch; #P_asb_2023-01 Revert "Revert "Validate permission tree size..."
+wget https://github.com/LineageOS/android_frameworks_base/commit/c8892a45db45ee79085b0ee620b3d8f69f560d03.patch -O android_frameworks_base/347049.patch; #P_asb_2023-01 [SettingsProvider] key size limit for mutating settings
+wget https://github.com/LineageOS/android_frameworks_base/commit/9e7745eeedc6066e91e0c508d49c8db15a8ae6bf.patch -O android_frameworks_base/347050.patch; #P_asb_2023-01 Revoke SYSTEM_ALERT_WINDOW on upgrade past api 23
+wget https://github.com/LineageOS/android_frameworks_base/commit/be4c10b9f70b5033bc6f75649265a12f65ad0bc3.patch -O android_frameworks_base/347051.patch; #P_asb_2023-01 Add protections agains use-after-free issues if cancel() or queue() is called after a device connection has been closed.
+wget https://github.com/LineageOS/android_packages_services_Telephony/commit/d596467cc3b161beca194ce4c8f96efcd0d6a340.patch -O android_packages_services_Telephony/347041.patch; #P_asb_2023-01 prevent overlays on the phone settings
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/7636df9f0dcff2d9b272f925b956348fc8dc384b.patch -O android_packages_services_Telecomm/347042.patch; #P_asb_2023-01 Fix security vulnerability when register phone accounts.
+wget https://github.com/LineageOS/android_packages_apps_Nfc/commit/48b3f34578cd9757a11c1cd694527b45c5915ae8.patch -O android_packages_apps_Nfc/347043.patch; #P_asb_2023-01 OOBW in Mfc_Transceive()
+wget https://github.com/LineageOS/android_system_bt/commit/deb080bb11eadef601ec11633317090f060e50bb.patch -O android_system_bt/347127.patch; #P_asb_2023-01 BT: Once AT command is retrieved, return from method.
+wget https://github.com/LineageOS/android_system_bt/commit/0c74f58652259adde281b7d8b13732a8f0e9ab92.patch -O android_system_bt/347128.patch; #P_asb_2023-01 AVRC: Validating msg size before accessing fields
+wget https://github.com/LineageOS/android_frameworks_base/commit/a9d49368cb13ba9d98af67ae9a96b82ae7fc4e46.patch -O android_frameworks_base/349330.patch; #P_asb_2023-02 Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
+wget https://github.com/LineageOS/android_frameworks_base/commit/7780547c156f34020ba7316e8c8cbea6c7985818.patch -O android_frameworks_base/349331.patch; #P_asb_2023-02 Convert argument to intent in ChooseTypeAndAccountActivity
+wget https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/90e0fb025afa7bfe3600b79c2e0e563b5d6124bb.patch -O android_packages_apps_Bluetooth/349332.patch; #P_asb_2023-02 Fix OPP comparison
+wget https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/eeb60967a52197d04d331b8e87beb5f1fb9e92aa.patch -O android_packages_apps_EmergencyInfo/349333.patch; #P_asb_2023-02 Removes unnecessary permission from the EmergencyInfo app.
+wget https://github.com/LineageOS/android_system_bt/commit/12b2d2eeb63246e85e30389d2e885608e9209cc1.patch -O android_system_bt/349334.patch; #P_asb_2023-02 Report failure when not able to connect to AVRCP
+wget https://github.com/LineageOS/android_system_bt/commit/8e81bb1e80ccbba0724e12dabac61b9ac36d4b0f.patch -O android_system_bt/349335.patch; #P_asb_2023-02 Add bounds check in avdt_scb_act.cc
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_packages_apps_Nfc/commit/35299f9e605257a17257c5da0064c3f7cc3dce4a.patch -O android_vendor_nxp_opensource_packages_apps_Nfc/349336.patch; #P_asb_2023-02 OOBW in phNciNfc_MfCreateXchgDataHdr
+wget https://github.com/LineageOS/android_external_expat/commit/281fc3aeb520277460014a8c398ba083d167f284.patch -O android_external_expat/349328.patch; #P_asb_2023-02 [CVE-2022-43680] Fix overeager DTD destruction (fixes
+wget https://github.com/LineageOS/android_frameworks_av/commit/994d95501928153cb7b8f04587e3160bc17ce2a5.patch -O android_frameworks_av/349329.patch; #P_asb_2023-02 move MediaCodec metrics processing to looper thread
+wget https://github.com/LineageOS/android_external_zlib/commit/d6e0dec5307a69aa6381246221803bdc050e5b96.patch -O android_external_zlib/351909.patch; #P_asb_2023-03 Fix a bug when getting a gzip header extra field with inflate().
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/5f84b1609065c5b26f2b5278d83fdd791597a69f.patch -O android_packages_apps_Settings/351914.patch; #P_asb_2023-03 FRP bypass defense in the settings app
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/718126925dc2e00c268f49d006231eb3edd5778a.patch -O android_packages_apps_Settings/351915.patch; #P_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users
+wget https://github.com/LineageOS/android_system_bt/commit/b7dfbbdf4dc9ae5761816ad0a4875d46244ed25a.patch -O android_system_bt/351916.patch; #P_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
+wget https://github.com/LineageOS/android_system_bt/commit/b433704453d59946be0f5b30346cf0dd3e42ec09.patch -O android_system_bt/351917.patch; #P_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
+wget https://github.com/LineageOS/android_system_bt/commit/fcd19451fa2e3da35c3e0f5db0961b994ed1b49f.patch -O android_system_bt/351918.patch; #P_asb_2023-03 Fix an OOB write in SDP_AddAttribute
+wget https://github.com/LineageOS/android_frameworks_base/commit/3f8c0e9c4ad48b37c44e132a7a8e3fd157a83e00.patch -O android_frameworks_base/351910.patch; #P_asb_2023-03 Move service initialization
+wget https://github.com/LineageOS/android_frameworks_base/commit/11c799795be7c8bafedbc4eb3d940b4a1f93a308.patch -O android_frameworks_base/351911.patch; #P_asb_2023-03 Enable user graularity for lockdown mode
+wget https://github.com/LineageOS/android_frameworks_base/commit/d6401e37da9afb99f647b09fd3ce9aa38bb84016.patch -O android_frameworks_base/351912.patch; #P_asb_2023-03 Revoke dev perm if app is upgrading to post 23 and perm has pre23 flag
+wget https://github.com/LineageOS/android_frameworks_base/commit/7d63c11542c202467f035e03644962a263cfdc19.patch -O android_frameworks_base/351913.patch; #P_asb_2023-03 Reconcile WorkSource parcel and unparcel code.
+wget https://github.com/LineageOS/android_frameworks_base/commit/7ed39484667b94b738b7d1d7717ef5b640a7a405.patch -O android_frameworks_base/354243.patch; #P_asb_2023-04 Checking if package belongs to UID before registering broadcast receiver
+wget https://github.com/LineageOS/android_frameworks_base/commit/34184bc31e77a8db5b967ca275f6e4841bd5e3ff.patch -O android_frameworks_base/354244.patch; #P_asb_2023-04 Fix checkKeyIntentParceledCorrectly's bypass
+wget https://github.com/LineageOS/android_frameworks_base/commit/9cade5349e44f2b48ed6408e3b05a1272ff2a3ef.patch -O android_frameworks_base/354245.patch; #P_asb_2023-04 Encode Intent scheme when serializing to URI string RESTRICT AUTOMERGE
+wget https://github.com/LineageOS/android_frameworks_base/commit/1dc0540d7b8918a6043c0863b2bea0946b100b8e.patch -O android_frameworks_base/354242.patch; #P_asb_2023-04 Context#startInstrumentation could be started from SHELL only now.
+wget https://github.com/LineageOS/android_system_bt/commit/a883a17a9e05d87bfb1547d8b812522c771c971c.patch -O android_system_bt/354246.patch; #P_asb_2023-04 Fix OOB access in avdt_scb_hdl_pkt_no_frag
+wget https://github.com/LineageOS/android_system_bt/commit/d9472b7fba9c3a366e768ff4c28225d264aa6ad1.patch -O android_system_bt/354247.patch; #P_asb_2023-04 Fix an OOB bug in register_notification_rsp
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/5ad6edf34e69b9bd0334bb0b0a3592b8d5ded5b4.patch -O android_vendor_nxp_opensource_external_libnfc-nci/354249.patch; #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+wget https://github.com/LineageOS/android_system_nfc/commit/d751463856e968430d4859a55a97f12b2553de19.patch -O android_system_nfc/354248.patch; #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/ffd36f517fae838fe836d6f189b2de6355e6814c.patch -O android_packages_services_Telecomm/356150.patch; #P_asb_2023-05 enforce stricter rules when registering phoneAccounts
+wget https://github.com/LineageOS/android_frameworks_native/commit/09ece8aee9246ba8ef5408e074165c9bbc2d6bc1.patch -O android_frameworks_native/356151.patch; #P_asb_2023-05 Check for malformed Sensor Flattenable
+wget https://github.com/LineageOS/android_frameworks_native/commit/c62382dd2192444ca7a81a0318521b03e852c355.patch -O android_frameworks_native/356152.patch; #P_asb_2023-05 Remove some new memory leaks from SensorManager
+wget https://github.com/LineageOS/android_frameworks_native/commit/30348a31e1c0eb604f1a2de40b57d734f71cb9e8.patch -O android_frameworks_native/356153.patch; #P_asb_2023-05 Add removeInstanceForPackageMethod to SensorManager
+wget https://github.com/LineageOS/android_frameworks_base/commit/e0f219e675b2a36304db2f163783fe82937c1d41.patch -O android_frameworks_base/356156.patch; #P_asb_2023-05 enforce stricter rules when registering phoneAccounts
+wget https://github.com/LineageOS/android_frameworks_base/commit/18025b2a135d7e7063201054b7f4409fe562ee56.patch -O android_frameworks_base/356154.patch; #P_asb_2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
+wget https://github.com/LineageOS/android_frameworks_base/commit/0cfc7a41aa5b741452316b19bc100be58bbe3cc7.patch -O android_frameworks_base/356155.patch; #P_asb_2023-05 Uri: check authority and scheme as part of determining URI path
+wget https://github.com/LineageOS/android_frameworks_av/commit/d4f4cbe1d4eb1e80f64676cb07e84a6409cd095f.patch -O android_frameworks_av/359729.patch; #P_asb_2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/ed20a91b473462e14f7cea5dd1b8cbff4d0feab5.patch -O android_packages_apps_Settings/359734.patch; #P_asb_2023-06 Convert argument to intent in AddAccountSettings.
+wget https://github.com/LineageOS/android_packages_apps_TvSettings/commit/3f8f5d733659d15eb78d0a3de97442c1c33259b8.patch -O android_packages_apps_TvSettings/359735.patch; #P_asb_2023-06 Convert argument to intent in addAccount TvSettings.
+wget https://github.com/LineageOS/android_system_bt/commit/5f6f48a784284a9220ae70d9f99d96a25bd3adce.patch -O android_system_bt/359736.patch; #P_asb_2023-06 Prevent use-after-free of HID reports
+wget https://github.com/LineageOS/android_system_bt/commit/969a3c9aba7e8060f1bcf341375263d67fec01d2.patch -O android_system_bt/359737.patch; #P_asb_2023-06 Revert "Revert "Validate buffer length in sdpu_build_uuid_seq""
+wget https://github.com/LineageOS/android_system_bt/commit/d50fdc03f066f2b1bdb3bcb21d627a0e3ac9e268.patch -O android_system_bt/359738.patch; #P_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
+wget https://github.com/LineageOS/android_frameworks_base/commit/c45ee6ab3ee0b8e4f16cc88d098fb9200b3a109a.patch -O android_frameworks_base/359730.patch; #P_asb_2023-06 Check key intent for selectors and prohibited flags
+wget https://github.com/LineageOS/android_frameworks_base/commit/22bac442d2249f6e02608f9994cf761bfdf90d80.patch -O android_frameworks_base/359731.patch; #P_asb_2023-06 Handle invalid data during job loading.
+wget https://github.com/LineageOS/android_frameworks_base/commit/24a90436bb260a64b427efb98f3aa40f0c27fe32.patch -O android_frameworks_base/359732.patch; #P_asb_2023-06 Allow filtering of services
+wget https://github.com/LineageOS/android_frameworks_base/commit/4974a8613d776dcd0dff6c8950b3dd1a7dbec465.patch -O android_frameworks_base/359733.patch; #P_asb_2023-06 Prevent RemoteViews crashing SystemUi
+wget https://github.com/LineageOS/android_packages_apps_Traceur/commit/43b23418ed73d1b64bb198a79c5825666c95684d.patch -O android_packages_apps_Traceur/378475.patch; #P_asb_2023-06 Update Traceur to check admin user status
+wget https://github.com/LineageOS/android_packages_apps_Traceur/commit/55e506621081e4e092a4434a763561d2a2f0859e.patch -O android_packages_apps_Traceur/378476.patch; #P_asb_2023-06 Add DISALLOW_DEBUGGING_FEATURES check
+wget https://github.com/LineageOS/android_external_freetype/commit/31e8900c4e35a5b82ee19449830c87f8c1593504.patch -O android_external_freetype/361250.patch; #P_asb_2023-07 Cherry-pick two upstream changes
+wget https://github.com/LineageOS/android_system_nfc/commit/6ea4e00c886e05116d1d6058fb4cf40e0ccdb70b.patch -O android_system_nfc/361251.patch; #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+wget https://github.com/LineageOS/android_system_bt/commit/c4a3cf60380376537eefcce41eec053677c7732c.patch -O android_system_bt/361252.patch; #P_asb_2023-07 Fix gatt_end_operation buffer overflow
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/c2ad40e96300f65c3e16b06eccba282003385956.patch -O android_vendor_nxp_opensource_external_libnfc-nci/361253.patch; #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+wget https://github.com/LineageOS/android_frameworks_base/commit/c1741be24b21788051c95fafb20f889f15c7b8a8.patch -O android_frameworks_base/361254.patch; #P_asb_2023-07 Sanitize VPN label to prevent HTML injection
+wget https://github.com/LineageOS/android_frameworks_base/commit/63ef19bd0f36f043fa72acbb8484cae2e48a07b1.patch -O android_frameworks_base/361256.patch; #P_asb_2023-07 Import translations. DO NOT MERGE ANYWHERE
+wget https://github.com/LineageOS/android_frameworks_base/commit/626a9919d79ad7584e30496f8b990a1a4e20ec40.patch -O android_frameworks_base/361257.patch; #P_asb_2023-07 Dismiss keyguard when simpin auth'd and...
+wget https://github.com/LineageOS/android_frameworks_base/commit/cfab4afce18c49c6abe6e25fce9add4b57bb65e4.patch -O android_frameworks_base/361259.patch; #P_asb_2023-07 Visit URIs in landscape/portrait custom remote views.
+wget https://github.com/LineageOS/android_tools_apksig/commit/011adec1a494974102930bf65a8d2fdfa8b375b5.patch -O android_tools_apksig/361280.patch; #P_asb_2023-07 Create source stamp verifier
+wget https://github.com/LineageOS/android_tools_apksig/commit/9a80527425030dae7f962ab95eda500a720cde47.patch -O android_tools_apksig/361281.patch; #P_asb_2023-07 Limit the number of supported v1 and v2 signers
+wget https://github.com/LineageOS/android_frameworks_base/commit/3f7975447006b2246dd1b8722064ca26e40aae25.patch -O android_frameworks_base/361258.patch; #P_asb_2023-07 Truncate ShortcutInfo Id
+wget https://github.com/LineageOS/android_frameworks_base/commit/68f08d51b66b8336aeec2e01bcfa72ae5fbfb81d.patch -O android_frameworks_base/361255.patch; #P_asb_2023-07 Limit the number of supported v1 and v2 signers
+wget https://github.com/LineageOS/android_external_aac/commit/c263e21d9cd270283c0fabddeb710798b6fe56aa.patch -O android_external_aac/364605.patch; #P_asb_2023-08 Increase patchParam array size by one and fix out-of-bounce write in resetLppTransposer().
+wget https://github.com/LineageOS/android_external_freetype/commit/ef28d3d7460a814efef8174c44fde7aab4341db5.patch -O android_external_freetype/364606.patch; #P_asb_2023-08 Cherrypick following three changes
+wget https://github.com/LineageOS/android_frameworks_base/commit/6adafe39c32f8236e18c57bc834caa88a09ad8cc.patch -O android_frameworks_base/364608.patch; #P_asb_2023-08 Verify URI permissions for notification shortcutIcon.
+wget https://github.com/LineageOS/android_frameworks_base/commit/0b2c705c891a44ac854cb5ec123fb869669ae5fe.patch -O android_frameworks_base/364609.patch; #P_asb_2023-08 On device lockdown, always show the keyguard
+wget https://github.com/LineageOS/android_frameworks_base/commit/84be6e930a60f855a318c41a446b92849b50087a.patch -O android_frameworks_base/364610.patch; #P_asb_2023-08 Ensure policy has no absurdly long strings
+wget https://github.com/LineageOS/android_frameworks_base/commit/aa0fb47602bd6bc95404d5a5468ba4db577c418f.patch -O android_frameworks_base/364611.patch; #P_asb_2023-08 Implement visitUris for RemoteViews ViewGroupActionAdd.
+wget https://github.com/LineageOS/android_frameworks_base/commit/42d2f7a7ac4004754050ddd53f2e5b626ae28c02.patch -O android_frameworks_base/364612.patch; #P_asb_2023-08 Check URIs in notification public version.
+wget https://github.com/LineageOS/android_packages_providers_TelephonyProvider/commit/8e5a42af29838bd09b62ec199d744c4592258eeb.patch -O android_packages_providers_TelephonyProvider/364616.patch; #P_asb_2023-08 Update file permissions using canonical path
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/6428c62b978aefd829bf4e91493a356c3675e5c0.patch -O android_packages_services_Telecomm/364617.patch; #P_asb_2023-08 Resolve StatusHints image exploit across user.
+wget https://github.com/LineageOS/android_system_ca-certificates/commit/4c6994b1a05d435e40947a7315aae1a128984957.patch -O android_system_ca-certificates/365328.patch; #P_asb_2023-08 Drop TrustCor certificates
+wget https://github.com/LineageOS/android_frameworks_base/commit/19dc7642fe849e85abe886b9340b5dda52e21885.patch -O android_frameworks_base/364607.patch; #P_asb_2023-08 ActivityManager#killBackgroundProcesses can kill caller's own app only
+wget https://github.com/LineageOS/android_frameworks_base/commit/1537cadd2966e0ea2d188cd3e96af6287bb473c6.patch -O android_frameworks_base/364613.patch; #P_asb_2023-08 Verify URI permissions in MediaMetadata
+wget https://github.com/LineageOS/android_frameworks_base/commit/507937f96405b8530f24c7625b5f5f18f7a0df55.patch -O android_frameworks_base/364614.patch; #P_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
+wget https://github.com/LineageOS/android_frameworks_base/commit/2e64cb078e9e11e8310c0b589a6edd429b9c2f16.patch -O android_frameworks_base/364615.patch; #P_asb_2023-08 Resolve StatusHints image exploit across user.
+wget https://github.com/LineageOS/android_frameworks_av/commit/7e0adcb2073a2549aa901ecc40de254202a1eded.patch -O android_frameworks_av/366126.patch; #P_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
+wget https://github.com/LineageOS/android_frameworks_base/commit/383b016298865df13c1d1ead7049a9c0a73cb973.patch -O android_frameworks_base/366127.patch; #P_asb_2023-09 Forbid granting access to NLSes with too-long component names
+wget https://github.com/LineageOS/android_frameworks_native/commit/4d3c579105e1a98abc2868723928dea280a93076.patch -O android_frameworks_native/366129.patch; #P_asb_2023-09 Allow sensors list to be empty
+wget https://github.com/LineageOS/android_packages_services_Telephony/commit/114c9d5475962cd63ebf8f246c2c2f4a9c7fddf1.patch -O android_packages_services_Telephony/366130.patch; #P_asb_2023-09 Fixed leak of cross user data in multiple settings.
+wget https://github.com/LineageOS/android_system_bt/commit/f9ba876145b612b684f5b966ab524d7b5b7a783c.patch -O android_system_bt/366131.patch; #P_asb_2023-09 Fix an integer overflow bug in avdt_msg_asmbl
+wget https://github.com/LineageOS/android_system_bt/commit/862350fa3b8fc51bcdd8331352f28cd6cac4bf1d.patch -O android_system_bt/366132.patch; #P_asb_2023-09 Fix integer overflow in build_read_multi_rsp
+wget https://github.com/LineageOS/android_system_bt/commit/db6c02ecbc377437585b56c310e2847661dd557c.patch -O android_system_bt/366133.patch; #P_asb_2023-09 Fix potential abort in btu_av_act.cc
+wget https://github.com/LineageOS/android_system_bt/commit/9b06f046f58bd82f9df6592c1a45ade8075608f9.patch -O android_system_bt/366134.patch; #P_asb_2023-09 Fix reliable write.
+wget https://github.com/LineageOS/android_system_bt/commit/9ac8d616f369513b0ef4f466eded252a4511898d.patch -O android_system_bt/366135.patch; #P_asb_2023-09 Fix UAF in gatt_cl.cc
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/acfa0cd4e0551d07fab0511cfb84462e70a48b53.patch -O android_packages_apps_Settings/366136.patch; #P_asb_2023-09 Prevent non-system IME from becoming device admin
+wget https://github.com/LineageOS/android_packages_apps_Trebuchet/commit/0c9ab1418476b9aab2830f5b3f9d4ee7be3714fd.patch -O android_packages_apps_Trebuchet/366137.patch; #P_asb_2023-09 Fix permission issue in legacy shortcut
+wget https://github.com/LineageOS/android_frameworks_base/commit/3f429c322504732c25e1d92bd57fecdd8a7e5d5b.patch -O android_frameworks_base/366128.patch; #P_asb_2023-09 Update AccountManagerService checkKeyIntentParceledCorrectly.
+wget https://github.com/LineageOS/android_frameworks_base/commit/8489bb9206314ce3be439f374704204626bd40ca.patch -O android_frameworks_base/370695.patch; #P_asb_2023-10 Verify URI Permissions in Autofill RemoteViews
+wget https://github.com/LineageOS/android_frameworks_base/commit/aecf51e67aa3b540f86d12164be8d66e12ca47f2.patch -O android_frameworks_base/370697.patch; #P_asb_2023-10 Disallow loading icon from content URI to PipMenu
+wget https://github.com/LineageOS/android_frameworks_base/commit/71c5804bc372c58c4f7a1b01905618cb5edb2dda.patch -O android_frameworks_base/370699.patch; #P_asb_2023-10 Revert "Dismiss keyguard when simpin auth'd and..."
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/e7401f49ebfc563aa5fcd9aaa9981a235557d1b4.patch -O android_packages_apps_Settings/370700.patch; #P_asb_2023-10 Restrict ApnEditor settings
+wget https://github.com/LineageOS/android_external_libxml2/commit/2bd551871a645e43a75ce6065598d22b89b80a21.patch -O android_external_libxml2/370701.patch; #P_asb_2023-10 malloc-fail: Fix OOB read after xmlRegGetCounter
+wget https://github.com/LineageOS/android_frameworks_base/commit/ae25f45e664b47e74fc9d73bc1b4292e6721dd7a.patch -O android_frameworks_base/370693.patch; #P_asb_2023-10 RingtoneManager: verify default ringtone is audio
+wget https://github.com/LineageOS/android_frameworks_base/commit/7adb3e0e1d591aeabccc5edfa624a591a3428a3d.patch -O android_frameworks_base/370694.patch; #P_asb_2023-10 Do not share key mappings with JNI object
+wget https://github.com/LineageOS/android_frameworks_base/commit/0fb320aef79861cb612fcd48585571f1715616fe.patch -O android_frameworks_base/370696.patch; #P_asb_2023-10 Fix KCM key mapping cloning
+wget https://github.com/LineageOS/android_frameworks_base/commit/48e0cbe76661b6b4c8edb2950a572694947b5641.patch -O android_frameworks_base/370698.patch; #P_asb_2023-10 Fixing DatabaseUtils to detect malformed UTF-16 strings
+wget https://github.com/LineageOS/android_system_ca-certificates/commit/6f06eccd9ef3d37a2d9d52d1c925c3e71f525b14.patch -O android_system_ca-certificates/374916.patch; #P_asb_2023-11 Remove E-Tugra certificates.
+wget https://github.com/LineageOS/android_packages_services_BuiltInPrintService/commit/4302a583e82fa5bd76315077688818e53df98f20.patch -O android_packages_services_BuiltInPrintService/374919.patch; #P_asb_2023-11 Adjust APIs for CUPS 2.3.3
+wget https://github.com/LineageOS/android_packages_providers_TelephonyProvider/commit/3d07f3a1821c0953d156206e288bb484a0c0f399.patch -O android_packages_providers_TelephonyProvider/374920.patch; #P_asb_2023-11 Block access to sms/mms db from work profile.
+wget https://github.com/LineageOS/android_frameworks_base/commit/e696b2932c41ab89f4910abc5a626c8e9b8d8543.patch -O android_frameworks_base/374921.patch; #P_asb_2023-11 Fix BAL via notification.publicVersion
+wget https://github.com/LineageOS/android_frameworks_av/commit/62ae30fad8c644b492393eb8c1eec2867cc73b07.patch -O android_frameworks_av/374924.patch; #P_asb_2023-11 Fix for heap buffer overflow issue flagged by fuzzer test.
+wget https://github.com/LineageOS/android_external_libcups/commit/383806fb90e7246d31241ab11332f3c0172e2f17.patch -O android_external_libcups/374932.patch; #P_asb_2023-11 Upgrade libcups to v2.3.1
+wget https://github.com/LineageOS/android_external_libcups/commit/af78634c7babca00f4a5b1650b817b36be4e94dd.patch -O android_external_libcups/374933.patch; #P_asb_2023-11 Upgrade libcups to v2.3.3
+wget https://github.com/LineageOS/android_frameworks_base/commit/1c5bf358397ad6a337d375fbc8dba4d98a50eca8.patch -O android_frameworks_base/374922.patch; #P_asb_2023-11 Use type safe API of readParcelableArray
+wget https://github.com/LineageOS/android_frameworks_base/commit/64de82f91e01d8d7d4224c737efe915397a904d2.patch -O android_frameworks_base/374923.patch; #P_asb_2023-11 [SettingsProvider] verify ringtone URI before setting
+wget https://github.com/LineageOS/android_frameworks_av/commit/5e50aa57f52b08f4cb07a6a3f98698f2077a9cbf.patch -O android_frameworks_av/377765.patch; #P_asb_2023-12 httplive: fix use-after-free
+wget https://github.com/LineageOS/android_frameworks_base/commit/73913dfae62f0c93147896ab07232417cff467ee.patch -O android_frameworks_base/377766.patch; #P_asb_2023-12 Visit Uris added by WearableExtender
+wget https://github.com/LineageOS/android_frameworks_base/commit/ac1ed7557b197952a6e00eb36da31e79d7bf78a4.patch -O android_frameworks_base/377769.patch; #P_asb_2023-12 Use readUniqueFileDescriptor in incidentd service
+wget https://github.com/LineageOS/android_frameworks_base/commit/4ca5de2bda12925a28a59a1dffaccba045b0f9cb.patch -O android_frameworks_base/377771.patch; #P_asb_2023-12 Revert "On device lockdown, always show the keyguard"
+wget https://github.com/LineageOS/android_frameworks_base/commit/059ed6a3d856caee5896d94d9ea26f90c6117c93.patch -O android_frameworks_base/377773.patch; #P_asb_2023-12 Updated: always show the keyguard on device lockdown
+wget https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/3b53fae30442369bda8cd858f5b0ac697b9cd4ec.patch -O android_packages_apps_Bluetooth/377774.patch; #P_asb_2023-12 Fix UAF in ~CallbackEnv
+wget https://github.com/LineageOS/android_packages_apps_Trebuchet/commit/02e99b157f05f8fbabb9c2457e387842ccad0bed.patch -O android_packages_apps_Trebuchet/377775.patch; #P_asb_2023-12 Fix permission bypass in legacy shortcut
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/7ef90cb74da31eb165fc624f479b02cf6df2ebda.patch -O android_packages_services_Telecomm/377776.patch; #P_asb_2023-12 Resolve account image icon profile boundary exploit.
+wget https://github.com/LineageOS/android_system_bt/commit/26fe8da32584d6f639124e3ca8a7cbdbe5c60d89.patch -O android_system_bt/377777.patch; #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1]
+wget https://github.com/LineageOS/android_system_bt/commit/6b208d0624e05bb96bffbca43e18a03dc37d21dd.patch -O android_system_bt/377778.patch; #P_asb_2023-12 Reject access to secure services authenticated from temp bonding [2]
+wget https://github.com/LineageOS/android_system_bt/commit/66a09ccfd76de30e03a843df140d7851be013052.patch -O android_system_bt/377779.patch; #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3]
+wget https://github.com/LineageOS/android_system_bt/commit/95161565e5bf426333102097a92a8f654c10e74a.patch -O android_system_bt/377780.patch; #P_asb_2023-12 Reorganize the code for checking auth requirement
+wget https://github.com/LineageOS/android_system_bt/commit/037c9934224eabab778ee4cc197a46b64396633c.patch -O android_system_bt/377781.patch; #P_asb_2023-12Enforce authentication if encryption is required
+wget https://github.com/LineageOS/android_system_bt/commit/80a300fa626f6c5e8e7a595469f09adc307aee40.patch -O android_system_bt/377782.patch; #P_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
+wget https://github.com/LineageOS/android_frameworks_base/commit/c78cee7f1c921860ac3253812548f46663383a37.patch -O android_frameworks_base/377767.patch; #P_asb_2023-12 Drop invalid data.
+wget https://github.com/LineageOS/android_frameworks_base/commit/c58b86b918ab7085f17215883cc110ca3362235f.patch -O android_frameworks_base/377768.patch; #P_asb_2023-12 Require permission to unlock keyguard
+wget https://github.com/LineageOS/android_frameworks_base/commit/b18f4518109c2f7a4c936321db87f5245b3143f3.patch -O android_frameworks_base/377770.patch; #P_asb_2023-12 Validate userId when publishing shortcuts
+wget https://github.com/LineageOS/android_frameworks_base/commit/98fc501deb893768aeff55006ce445f688a88203.patch -O android_frameworks_base/377772.patch; #P_asb_2023-12 Adding in verification of calling UID in onShellCommand
+wget https://github.com/LineageOS/android_system_netd/commit/02458b0a19ce2d3214a00f9779bd36868541b7ca.patch -O android_system_netd/378480.patch; #P_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
+wget https://github.com/LineageOS/android_frameworks_av/commit/978191d5fc0ede5bc11b8af2cfa2469a30ad919d.patch -O android_frameworks_av/379788.patch; #P_asb_2024-01 Fix convertYUV420Planar16ToY410 overflow issue for unsupported cropwidth.
+wget https://github.com/LineageOS/android_frameworks_base/commit/44ce07024742aaae46a7191cd15e5ac68d209049.patch -O android_frameworks_base/379789.patch; #P_asb_2024-01 Dismiss keyguard when simpin auth'd and...
+wget https://github.com/LineageOS/android_frameworks_base/commit/63e443bfb107da3df0e37863e34c4b947052a6c1.patch -O android_frameworks_base/379790.patch; #P_asb_2024-01 Ensure finish lockscreen when usersetup incomplete
+wget https://github.com/LineageOS/android_frameworks_base/commit/70f50825ec98cd35d38e45eea69aa7ed8f51556a.patch -O android_frameworks_base/379791.patch; #P_asb_2024-01 Truncate user data to a limit of 500 characters
+wget https://github.com/LineageOS/android_frameworks_base/commit/9001132c18c0eb2a6478939e1bdbbe6778af1ae3.patch -O android_frameworks_base/379792.patch; #P_asb_2024-01 Validate component name length before requesting notification access.
+wget https://github.com/LineageOS/android_frameworks_base/commit/1cf5c05eaaff574e8dceb0c1a75ad02d0c669891.patch -O android_frameworks_base/379793.patch; #P_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target
+wget https://github.com/LineageOS/android_frameworks_base/commit/5948fb2aef0547db38f2f9df47b6fad736ba72b0.patch -O android_frameworks_base/379794.patch; #P_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities
+wget https://github.com/LineageOS/android_system_bt/commit/e65eb2fdab8644f2e7885a628f6af9244ceed813.patch -O android_system_bt/379796.patch; #P_asb_2024-01 Fix some OOB errors in BTM parsing
+wget https://github.com/LineageOS/android_frameworks_base/commit/309033664a4fbb6200b3fe48d33e8f63becee810.patch -O android_frameworks_base/379980.patch; #P_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
+wget https://github.com/LineageOS/android_frameworks_av/commit/a42e0fc335d448e646309745a8d412d984748479.patch -O android_frameworks_av/383562.patch; #P_asb_2024-02 Update mtp packet buffer
+wget https://github.com/LineageOS/android_frameworks_base/commit/6f5e6f86263c3db753c6d58f516070a45e30b619.patch -O android_frameworks_base/383563.patch; #P_asb_2024-02 Unbind TileService onNullBinding
+wget https://github.com/LineageOS/android_system_bt/commit/14e35c7cf40595a6b1ff1d2e92f8b53fb356b3dc.patch -O android_system_bt/383565.patch; #P_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
+wget https://github.com/LineageOS/android_system_bt/commit/37ce9a968b579a87640d40e50ec91abe04101f3c.patch -O android_system_bt/383566.patch; #P_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
+wget https://github.com/LineageOS/android_packages_providers_DownloadProvider/commit/d1a6862647428e9c973f4c21adc83656c5ac98f9.patch -O android_packages_providers_DownloadProvider/383567.patch; #P_asb_2024-02 Consolidate queryChildDocumentsXxx() implementations
+wget https://github.com/LineageOS/android_frameworks_av/commit/cc12a31fcbd0deddd5a74b7be121baf835ecf6dc.patch -O android_frameworks_av/385670.patch; #P_asb_2024-03 Validate OMX Params for VPx encoders
+wget https://github.com/LineageOS/android_frameworks_av/commit/ed62ccd9520a671d2fb900d236f5bc5ad16a1e7c.patch -O android_frameworks_av/385671.patch; #P_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue
+wget https://github.com/LineageOS/android_frameworks_base/commit/0254ee96d60cd80a52ce583c90486d6ca1549fb6.patch -O android_frameworks_base/385672.patch; #P_asb_2024-03 Resolve custom printer icon boundary exploit.
+wget https://github.com/LineageOS/android_frameworks_base/commit/3cbbcd611ff83ef7a0f811d04f0478f2760ae891.patch -O android_frameworks_base/385673.patch; #P_asb_2024-03 Disallow system apps to be installed/updated as instant.
+wget https://github.com/LineageOS/android_frameworks_base/commit/8befe29745f94a8d80f59f0d644315c5424c8eb6.patch -O android_frameworks_base/385674.patch; #P_asb_2024-03 Close AccountManagerService.session after timeout.
+wget https://github.com/LineageOS/android_system_bt/commit/fbf12851fa55267f8b654f0cd1337f9f98f83c4b.patch -O android_system_bt/385675.patch; #P_asb_2024-03 Fix OOB caused by invalid SMP packet length
+wget https://github.com/LineageOS/android_system_bt/commit/73c18d6ce8333f787a4cedb24d247b071bdbf078.patch -O android_system_bt/385676.patch; #P_asb_2024-03 Fix an OOB bug in smp_proc_sec_req
+wget https://github.com/LineageOS/android_system_bt/commit/42ede61231b6b1a507cbc254827ff10dd5ae8c20.patch -O android_system_bt/385677.patch; #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
+wget https://github.com/LineageOS/android_system_bt/commit/3683c921ab4afd4f2f6bef8a49cbfda227ce081f.patch -O android_system_bt/385678.patch; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
+wget https://github.com/LineageOS/android_frameworks_base/commit/e3d632959e2606a909427e4f717cd3a6cc14d4c6.patch -O android_frameworks_base/389269.patch; #P_asb_2024-04 isUserInLockDown can be true when there are other strong auth requirements
+wget https://github.com/LineageOS/android_frameworks_base/commit/1010f9aae741c4b5e8400709a273910b9818f4ba.patch -O android_frameworks_base/389270.patch; #P_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
diff --git a/Misc/pick-imports/16-asbs-patch.sh b/Misc/pick-imports/16-asbs-patch.sh
new file mode 100644
index 00000000..5ee1670b
--- /dev/null
+++ b/Misc/pick-imports/16-asbs-patch.sh
@@ -0,0 +1,271 @@
+applyPatch "$DOS_PATCHES/android_external_aac/332775.patch"; #P_asb_2022-06 Reject invalid out of band config in transportDec_OutOfBandConfig() and skip re-allocation.
+applyPatch "$DOS_PATCHES/android_external_aac/364605.patch"; #P_asb_2023-08 Increase patchParam array size by one and fix out-of-bounce write in resetLppTransposer().
+applyPatch "$DOS_PATCHES/android_external_dtc/342096.patch"; #P_asb_2022-10 libfdt: fdt_offset_ptr(): Fix comparison warnings
+applyPatch "$DOS_PATCHES/android_external_dtc/344161.patch"; #P_asb_2022-11 Fix integer wrap sanitisation.
+applyPatch "$DOS_PATCHES/android_external_dtc/345891.patch"; #P_asb_2022-12 libfdt: fdt_path_offset_namelen: Reject empty paths
+applyPatch "$DOS_PATCHES/android_external_expat/338353.patch"; #P_asb_2022-09 Prevent integer overflow in copyString
+applyPatch "$DOS_PATCHES/android_external_expat/338354.patch"; #P_asb_2022-09 Prevent XML_GetBuffer signed integer overflow
+applyPatch "$DOS_PATCHES/android_external_expat/338355.patch"; #P_asb_2022-09 Prevent integer overflow in function doProlog
+applyPatch "$DOS_PATCHES/android_external_expat/338356.patch"; #P_asb_2022-09 Prevent more integer overflows
+applyPatch "$DOS_PATCHES/android_external_expat/349328.patch"; #P_asb_2023-02 [CVE-2022-43680] Fix overeager DTD destruction (fixes
+applyPatch "$DOS_PATCHES/android_external_freetype/361250.patch"; #P_asb_2023-07 Cherry-pick two upstream changes
+applyPatch "$DOS_PATCHES/android_external_freetype/364606.patch"; #P_asb_2023-08 Cherrypick following three changes
+applyPatch "$DOS_PATCHES/android_external_libcups/374932.patch"; #P_asb_2023-11 Upgrade libcups to v2.3.1
+applyPatch "$DOS_PATCHES/android_external_libcups/374933.patch"; #P_asb_2023-11 Upgrade libcups to v2.3.3
+applyPatch "$DOS_PATCHES/android_external_libxml2/370701.patch"; #P_asb_2023-10 malloc-fail: Fix OOB read after xmlRegGetCounter
+applyPatch "$DOS_PATCHES/android_external_zlib/351909.patch"; #P_asb_2023-03 Fix a bug when getting a gzip header extra field with inflate().
+applyPatch "$DOS_PATCHES/android_frameworks_av/344167.patch"; #P_asb_2022-11 setSecurityLevel in clearkey
+applyPatch "$DOS_PATCHES/android_frameworks_av/349329.patch"; #P_asb_2023-02 move MediaCodec metrics processing to looper thread
+applyPatch "$DOS_PATCHES/android_frameworks_av/359729.patch"; #P_asb_2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
+applyPatch "$DOS_PATCHES/android_frameworks_av/366126.patch"; #P_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
+applyPatch "$DOS_PATCHES/android_frameworks_av/374924.patch"; #P_asb_2023-11 Fix for heap buffer overflow issue flagged by fuzzer test.
+applyPatch "$DOS_PATCHES/android_frameworks_av/377765.patch"; #P_asb_2023-12 httplive: fix use-after-free
+applyPatch "$DOS_PATCHES/android_frameworks_av/379788.patch"; #P_asb_2024-01 Fix convertYUV420Planar16ToY410 overflow issue for unsupported cropwidth.
+applyPatch "$DOS_PATCHES/android_frameworks_av/383562.patch"; #P_asb_2024-02 Update mtp packet buffer
+applyPatch "$DOS_PATCHES/android_frameworks_av/385670.patch"; #P_asb_2024-03 Validate OMX Params for VPx encoders
+applyPatch "$DOS_PATCHES/android_frameworks_av/385671.patch"; #P_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue
+applyPatch "$DOS_PATCHES/android_frameworks_base/330961.patch"; #P_asb_2022-05 Keyguard - Treat messsages to lock with priority
+applyPatch "$DOS_PATCHES/android_frameworks_base/330962.patch"; #P_asb_2022-05 Verify caller before auto granting slice permission
+applyPatch "$DOS_PATCHES/android_frameworks_base/330963.patch"; #P_asb_2022-05 Always restart apps if base.apk gets updated.
+applyPatch "$DOS_PATCHES/android_frameworks_base/332756.patch"; #P_asb_2022-06 Add finalizeWorkProfileProvisioning.
+applyPatch "$DOS_PATCHES/android_frameworks_base/332757.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10; api doc update
+applyPatch "$DOS_PATCHES/android_frameworks_base/332776.patch"; #P_asb_2022-06 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format.
+applyPatch "$DOS_PATCHES/android_frameworks_base/332777.patch"; #P_asb_2022-06 Add an OEM configurable limit for zen rules
+applyPatch "$DOS_PATCHES/android_frameworks_base/332778.patch"; #P_asb_2022-06 Fix security hole in GateKeeperResponse
+applyPatch "$DOS_PATCHES/android_frameworks_base/332779.patch"; #P_asb_2022-06 Prevent non-admin users from deleting system apps.
+applyPatch "$DOS_PATCHES/android_frameworks_base/334256.patch"; #P_asb_2022-07 StorageManagerService: don't ignore failures to prepare user storage
+applyPatch "$DOS_PATCHES/android_frameworks_base/334257.patch"; #P_asb_2022-07 UserDataPreparer: reboot to recovery if preparing user storage fails
+applyPatch "$DOS_PATCHES/android_frameworks_base/334258.patch"; #P_asb_2022-07 UserDataPreparer: reboot to recovery for system user only
+applyPatch "$DOS_PATCHES/android_frameworks_base/334259.patch"; #P_asb_2022-07 Ignore errors preparing user storage for existing users
+applyPatch "$DOS_PATCHES/android_frameworks_base/334260.patch"; #P_asb_2022-07 Log to EventLog on prepareUserStorage failure
+applyPatch "$DOS_PATCHES/android_frameworks_base/334262.patch"; #P_asb_2022-07 Crash invalid FGS notifications
+applyPatch "$DOS_PATCHES/android_frameworks_base/335117.patch"; #P_asb_2022-08 Only allow system and same app to apply relinquishTaskIdentity
+applyPatch "$DOS_PATCHES/android_frameworks_base/335118.patch"; #P_asb_2022-08 Suppress notifications when device enter lockdown
+applyPatch "$DOS_PATCHES/android_frameworks_base/335119.patch"; #P_asb_2022-08 Remove package title from notification access confirmation intent
+applyPatch "$DOS_PATCHES/android_frameworks_base/335120.patch"; #P_asb_2022-08 Stop using invalid URL to prevent unexpected crash
+applyPatch "$DOS_PATCHES/android_frameworks_base/335121.patch"; #P_asb_2022-08 Only allow the system server to connect to sync adapters
+applyPatch "$DOS_PATCHES/android_frameworks_base/338346.patch"; #P_asb_2022-09 Fix duplicate permission privilege escalation
+applyPatch "$DOS_PATCHES/android_frameworks_base/338347.patch"; #P_asb_2022-09 Parcel: recycle recycles
+applyPatch "$DOS_PATCHES/android_frameworks_base/338348.patch"; #P_asb_2022-09 IMMS: Make IMMS PendingIntents immutable
+applyPatch "$DOS_PATCHES/android_frameworks_base/338349.patch"; #P_asb_2022-09 Remove package name from SafetyNet logs
+applyPatch "$DOS_PATCHES/android_frameworks_base/342100.patch"; #P_asb_2022-10 Limit the number of concurrently snoozed notifications
+applyPatch "$DOS_PATCHES/android_frameworks_base/344168.patch"; #P_asb_2022-11 Move accountname and typeName length check from Account.java to AccountManagerService.
+applyPatch "$DOS_PATCHES/android_frameworks_base/344169.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+applyPatch "$DOS_PATCHES/android_frameworks_base/344170.patch"; #P_asb_2022-11 Do not send new Intent to non-exported activity when navigateUpTo
+applyPatch "$DOS_PATCHES/android_frameworks_base/344171.patch"; #P_asb_2022-11 Do not send AccessibilityEvent if notification is for different user.
+applyPatch "$DOS_PATCHES/android_frameworks_base/344172.patch"; #P_asb_2022-11 Trim any long string inputs that come in to AutomaticZenRule
+applyPatch "$DOS_PATCHES/android_frameworks_base/344173.patch"; #P_asb_2022-11 Check permission for VoiceInteraction
+applyPatch "$DOS_PATCHES/android_frameworks_base/344174.patch"; #P_asb_2022-11 Do not dismiss keyguard after SIM PUK unlock
+applyPatch "$DOS_PATCHES/android_frameworks_base/345892.patch"; #P_asb_2022-12 Revert "Prevent non-admin users from deleting system apps."
+applyPatch "$DOS_PATCHES/android_frameworks_base/345893.patch"; #P_asb_2022-12 Limit the size of NotificationChannel and NotificationChannelGroup
+applyPatch "$DOS_PATCHES/android_frameworks_base/345894.patch"; #P_asb_2022-12 Prevent non-admin users from deleting system apps.
+applyPatch "$DOS_PATCHES/android_frameworks_base/345895.patch"; #P_asb_2022-12 Validate package name passed to setApplicationRestrictions.
+applyPatch "$DOS_PATCHES/android_frameworks_base/345896.patch"; #P_asb_2022-12 Include all enabled services when FEEDBACK_ALL_MASK.
+applyPatch "$DOS_PATCHES/android_frameworks_base/345897.patch"; #P_asb_2022-12 [pm] forbid deletion of protected packages
+applyPatch "$DOS_PATCHES/android_frameworks_base/345898.patch"; #P_asb_2022-12 Fix NPE
+applyPatch "$DOS_PATCHES/android_frameworks_base/345899.patch"; #P_asb_2022-12 Fix a security issue in app widget service.
+applyPatch "$DOS_PATCHES/android_frameworks_base/345900.patch"; #P_asb_2022-12 Ignore malformed shortcuts
+applyPatch "$DOS_PATCHES/android_frameworks_base/345901.patch"; #P_asb_2022-12 Fix permanent denial of service via setComponentEnabledSetting
+applyPatch "$DOS_PATCHES/android_frameworks_base/345902.patch"; #P_asb_2022-12 Add safety checks on KEY_INTENT mismatch.
+applyPatch "$DOS_PATCHES/android_frameworks_base/347044.patch"; #P_asb_2023-01 Limit lengths of fields in Condition to a max length.
+applyPatch "$DOS_PATCHES/android_frameworks_base/347045.patch"; #P_asb_2023-01 Disable all A11yServices from an uninstalled package.
+applyPatch "$DOS_PATCHES/android_frameworks_base/347046.patch"; #P_asb_2023-01 Fix conditionId string trimming in AutomaticZenRule
+applyPatch "$DOS_PATCHES/android_frameworks_base/347047.patch"; #P_asb_2023-01 [SettingsProvider] mem limit should be checked before settings are updated
+applyPatch "$DOS_PATCHES/android_frameworks_base/347048.patch"; #P_asb_2023-01 Revert "Revert "Validate permission tree size..."
+applyPatch "$DOS_PATCHES/android_frameworks_base/347049.patch"; #P_asb_2023-01 [SettingsProvider] key size limit for mutating settings
+applyPatch "$DOS_PATCHES/android_frameworks_base/347050.patch"; #P_asb_2023-01 Revoke SYSTEM_ALERT_WINDOW on upgrade past api 23
+applyPatch "$DOS_PATCHES/android_frameworks_base/347051.patch"; #P_asb_2023-01 Add protections agains use-after-free issues if cancel() or queue() is called after a device connection has been closed.
+applyPatch "$DOS_PATCHES/android_frameworks_base/349330.patch"; #P_asb_2023-02 Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
+applyPatch "$DOS_PATCHES/android_frameworks_base/349331.patch"; #P_asb_2023-02 Convert argument to intent in ChooseTypeAndAccountActivity
+applyPatch "$DOS_PATCHES/android_frameworks_base/351910.patch"; #P_asb_2023-03 Move service initialization
+applyPatch "$DOS_PATCHES/android_frameworks_base/351911.patch"; #P_asb_2023-03 Enable user graularity for lockdown mode
+applyPatch "$DOS_PATCHES/android_frameworks_base/351912.patch"; #P_asb_2023-03 Revoke dev perm if app is upgrading to post 23 and perm has pre23 flag
+applyPatch "$DOS_PATCHES/android_frameworks_base/351913.patch"; #P_asb_2023-03 Reconcile WorkSource parcel and unparcel code.
+applyPatch "$DOS_PATCHES/android_frameworks_base/354242.patch"; #P_asb_2023-04 Context#startInstrumentation could be started from SHELL only now.
+applyPatch "$DOS_PATCHES/android_frameworks_base/354243.patch"; #P_asb_2023-04 Checking if package belongs to UID before registering broadcast receiver
+applyPatch "$DOS_PATCHES/android_frameworks_base/354244.patch"; #P_asb_2023-04 Fix checkKeyIntentParceledCorrectly's bypass
+applyPatch "$DOS_PATCHES/android_frameworks_base/354245.patch"; #P_asb_2023-04 Encode Intent scheme when serializing to URI string RESTRICT AUTOMERGE
+applyPatch "$DOS_PATCHES/android_frameworks_base/356154.patch"; #P_asb_2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
+applyPatch "$DOS_PATCHES/android_frameworks_base/356155.patch"; #P_asb_2023-05 Uri: check authority and scheme as part of determining URI path
+applyPatch "$DOS_PATCHES/android_frameworks_base/356156.patch"; #P_asb_2023-05 enforce stricter rules when registering phoneAccounts
+applyPatch "$DOS_PATCHES/android_frameworks_base/359730.patch"; #P_asb_2023-06 Check key intent for selectors and prohibited flags
+applyPatch "$DOS_PATCHES/android_frameworks_base/359731.patch"; #P_asb_2023-06 Handle invalid data during job loading.
+applyPatch "$DOS_PATCHES/android_frameworks_base/359732.patch"; #P_asb_2023-06 Allow filtering of services
+applyPatch "$DOS_PATCHES/android_frameworks_base/359733.patch"; #P_asb_2023-06 Prevent RemoteViews crashing SystemUi
+applyPatch "$DOS_PATCHES/android_frameworks_base/361254.patch"; #P_asb_2023-07 Sanitize VPN label to prevent HTML injection
+applyPatch "$DOS_PATCHES/android_frameworks_base/361255.patch"; #P_asb_2023-07 Limit the number of supported v1 and v2 signers
+applyPatch "$DOS_PATCHES/android_frameworks_base/361256.patch"; #P_asb_2023-07 Import translations. DO NOT MERGE ANYWHERE
+applyPatch "$DOS_PATCHES/android_frameworks_base/361257.patch"; #P_asb_2023-07 Dismiss keyguard when simpin auth'd and...
+applyPatch "$DOS_PATCHES/android_frameworks_base/361258.patch"; #P_asb_2023-07 Truncate ShortcutInfo Id
+applyPatch "$DOS_PATCHES/android_frameworks_base/361259.patch"; #P_asb_2023-07 Visit URIs in landscape/portrait custom remote views.
+applyPatch "$DOS_PATCHES/android_frameworks_base/364607.patch"; #P_asb_2023-08 ActivityManager#killBackgroundProcesses can kill caller's own app only
+applyPatch "$DOS_PATCHES/android_frameworks_base/364608.patch"; #P_asb_2023-08 Verify URI permissions for notification shortcutIcon.
+applyPatch "$DOS_PATCHES/android_frameworks_base/364609.patch"; #P_asb_2023-08 On device lockdown, always show the keyguard
+applyPatch "$DOS_PATCHES/android_frameworks_base/364610.patch"; #P_asb_2023-08 Ensure policy has no absurdly long strings
+applyPatch "$DOS_PATCHES/android_frameworks_base/364611.patch"; #P_asb_2023-08 Implement visitUris for RemoteViews ViewGroupActionAdd.
+applyPatch "$DOS_PATCHES/android_frameworks_base/364612.patch"; #P_asb_2023-08 Check URIs in notification public version.
+applyPatch "$DOS_PATCHES/android_frameworks_base/364613.patch"; #P_asb_2023-08 Verify URI permissions in MediaMetadata
+applyPatch "$DOS_PATCHES/android_frameworks_base/364614.patch"; #P_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
+applyPatch "$DOS_PATCHES/android_frameworks_base/364615.patch"; #P_asb_2023-08 Resolve StatusHints image exploit across user.
+applyPatch "$DOS_PATCHES/android_frameworks_base/366127.patch"; #P_asb_2023-09 Forbid granting access to NLSes with too-long component names
+applyPatch "$DOS_PATCHES/android_frameworks_base/366128.patch"; #P_asb_2023-09 Update AccountManagerService checkKeyIntentParceledCorrectly.
+applyPatch "$DOS_PATCHES/android_frameworks_base/370693.patch"; #P_asb_2023-10 RingtoneManager: verify default ringtone is audio
+applyPatch "$DOS_PATCHES/android_frameworks_base/370694.patch"; #P_asb_2023-10 Do not share key mappings with JNI object
+applyPatch "$DOS_PATCHES/android_frameworks_base/370695.patch"; #P_asb_2023-10 Verify URI Permissions in Autofill RemoteViews
+applyPatch "$DOS_PATCHES/android_frameworks_base/370696.patch"; #P_asb_2023-10 Fix KCM key mapping cloning
+applyPatch "$DOS_PATCHES/android_frameworks_base/370697.patch"; #P_asb_2023-10 Disallow loading icon from content URI to PipMenu
+applyPatch "$DOS_PATCHES/android_frameworks_base/370698.patch"; #P_asb_2023-10 Fixing DatabaseUtils to detect malformed UTF-16 strings
+applyPatch "$DOS_PATCHES/android_frameworks_base/370699.patch"; #P_asb_2023-10 Revert "Dismiss keyguard when simpin auth'd and..."
+applyPatch "$DOS_PATCHES/android_frameworks_base/374921.patch"; #P_asb_2023-11 Fix BAL via notification.publicVersion
+applyPatch "$DOS_PATCHES/android_frameworks_base/374922.patch"; #P_asb_2023-11 Use type safe API of readParcelableArray
+applyPatch "$DOS_PATCHES/android_frameworks_base/374923.patch"; #P_asb_2023-11 [SettingsProvider] verify ringtone URI before setting
+applyPatch "$DOS_PATCHES/android_frameworks_base/377766.patch"; #P_asb_2023-12 Visit Uris added by WearableExtender
+applyPatch "$DOS_PATCHES/android_frameworks_base/377767.patch"; #P_asb_2023-12 Drop invalid data.
+applyPatch "$DOS_PATCHES/android_frameworks_base/377768.patch"; #P_asb_2023-12 Require permission to unlock keyguard
+applyPatch "$DOS_PATCHES/android_frameworks_base/377769.patch"; #P_asb_2023-12 Use readUniqueFileDescriptor in incidentd service
+applyPatch "$DOS_PATCHES/android_frameworks_base/377770.patch"; #P_asb_2023-12 Validate userId when publishing shortcuts
+applyPatch "$DOS_PATCHES/android_frameworks_base/377771.patch"; #P_asb_2023-12 Revert "On device lockdown, always show the keyguard"
+applyPatch "$DOS_PATCHES/android_frameworks_base/377772.patch"; #P_asb_2023-12 Adding in verification of calling UID in onShellCommand
+applyPatch "$DOS_PATCHES/android_frameworks_base/377773.patch"; #P_asb_2023-12 Updated: always show the keyguard on device lockdown
+applyPatch "$DOS_PATCHES/android_frameworks_base/379789.patch"; #P_asb_2024-01 Dismiss keyguard when simpin auth'd and...
+applyPatch "$DOS_PATCHES/android_frameworks_base/379790.patch"; #P_asb_2024-01 Ensure finish lockscreen when usersetup incomplete
+applyPatch "$DOS_PATCHES/android_frameworks_base/379791.patch"; #P_asb_2024-01 Truncate user data to a limit of 500 characters
+applyPatch "$DOS_PATCHES/android_frameworks_base/379792.patch"; #P_asb_2024-01 Validate component name length before requesting notification access.
+applyPatch "$DOS_PATCHES/android_frameworks_base/379793.patch"; #P_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target
+applyPatch "$DOS_PATCHES/android_frameworks_base/379794.patch"; #P_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities
+applyPatch "$DOS_PATCHES/android_frameworks_base/379980.patch"; #P_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
+applyPatch "$DOS_PATCHES/android_frameworks_base/383563.patch"; #P_asb_2024-02 Unbind TileService onNullBinding
+applyPatch "$DOS_PATCHES/android_frameworks_base/385672.patch"; #P_asb_2024-03 Resolve custom printer icon boundary exploit.
+applyPatch "$DOS_PATCHES/android_frameworks_base/385673.patch"; #P_asb_2024-03 Disallow system apps to be installed/updated as instant.
+applyPatch "$DOS_PATCHES/android_frameworks_base/385674.patch"; #P_asb_2024-03 Close AccountManagerService.session after timeout.
+applyPatch "$DOS_PATCHES/android_frameworks_base/389269.patch"; #P_asb_2024-04 isUserInLockDown can be true when there are other strong auth requirements
+applyPatch "$DOS_PATCHES/android_frameworks_base/389270.patch"; #P_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
+applyPatch "$DOS_PATCHES/android_frameworks_minikin/345903.patch"; #P_asb_2022-12 Fix OOB read for registerLocaleList
+applyPatch "$DOS_PATCHES/android_frameworks_minikin/345904.patch"; #P_asb_2022-12 Fix OOB crash for registerLocaleList
+applyPatch "$DOS_PATCHES/android_frameworks_native/356151.patch"; #P_asb_2023-05 Check for malformed Sensor Flattenable
+applyPatch "$DOS_PATCHES/android_frameworks_native/356152.patch"; #P_asb_2023-05 Remove some new memory leaks from SensorManager
+applyPatch "$DOS_PATCHES/android_frameworks_native/356153.patch"; #P_asb_2023-05 Add removeInstanceForPackageMethod to SensorManager
+applyPatch "$DOS_PATCHES/android_frameworks_native/366129.patch"; #P_asb_2023-09 Allow sensors list to be empty
+applyPatch "$DOS_PATCHES/android_frameworks_opt_telephony/334263.patch"; #P_asb_2022-07 Enforce privileged phone state for getSubscriptionProperty(GROUP_UUID)
+applyPatch "$DOS_PATCHES/android_hardware_nxp_nfc/344180.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332758.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332759.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345907.patch"; #P_asb_2022-12 Fix URI check in BluetoothOppUtility.java
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/349332.patch"; #P_asb_2023-02 Fix OPP comparison
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/377774.patch"; #P_asb_2023-12 Fix UAF in ~CallbackEnv
+applyPatch "$DOS_PATCHES/android_packages_apps_Contacts/332760.patch"; #P_asb_2022-06 No longer export CallSubjectDialog
+applyPatch "$DOS_PATCHES/android_packages_apps_Dialer/332761.patch"; #P_asb_2022-06 No longer export CallSubjectDialog
+applyPatch "$DOS_PATCHES/android_packages_apps_EmergencyInfo/342101.patch"; #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+applyPatch "$DOS_PATCHES/android_packages_apps_EmergencyInfo/345908.patch"; #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings."
+applyPatch "$DOS_PATCHES/android_packages_apps_EmergencyInfo/345909.patch"; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
+applyPatch "$DOS_PATCHES/android_packages_apps_EmergencyInfo/349333.patch"; #P_asb_2023-02 Removes unnecessary permission from the EmergencyInfo app.
+applyPatch "$DOS_PATCHES/android_packages_apps_KeyChain/334264.patch"; #P_asb_2022-07 Encode authority part of uri before showing in UI
+applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332762.patch"; #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp()
+applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/347043.patch"; #P_asb_2023-01 OOBW in Mfc_Transceive()
+applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/344181.patch"; #P_asb_2022-11 Hide overlays on ReviewPermissionsAtivity
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/330960.patch"; #P_asb_2022-05 Hide private DNS settings UI in Guest mode
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/332763.patch"; #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334265.patch"; #P_asb_2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335111.patch"; #P_asb_2022-08 Verify ringtone from ringtone picker is audio
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335112.patch"; #P_asb_2022-08 Make bluetooth not discoverable via SliceDeepLinkTrampoline
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335113.patch"; #P_asb_2022-08 Fix: policy enforcement for location wifi scanning
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335114.patch"; #P_asb_2022-08 Fix Settings crash when setting a null ringtone
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335115.patch"; #P_asb_2022-08 Fix can't change notification sound for work profile.
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335116.patch"; #P_asb_2022-08 Extract app label from component name in notification access confirmation UI
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345910.patch"; #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings."
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345911.patch"; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345912.patch"; #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351914.patch"; #P_asb_2023-03 FRP bypass defense in the settings app
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351915.patch"; #P_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/359734.patch"; #P_asb_2023-06 Convert argument to intent in AddAccountSettings.
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/366136.patch"; #P_asb_2023-09 Prevent non-system IME from becoming device admin
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/370700.patch"; #P_asb_2023-10 Restrict ApnEditor settings
+applyPatch "$DOS_PATCHES/android_packages_apps_Traceur/378475.patch"; #P_asb_2023-06 Update Traceur to check admin user status
+applyPatch "$DOS_PATCHES/android_packages_apps_Traceur/378476.patch"; #P_asb_2023-06 Add DISALLOW_DEBUGGING_FEATURES check
+applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/366137.patch"; #P_asb_2023-09 Fix permission issue in legacy shortcut
+applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/377775.patch"; #P_asb_2023-12 Fix permission bypass in legacy shortcut
+applyPatch "$DOS_PATCHES/android_packages_apps_TvSettings/359735.patch"; #P_asb_2023-06 Convert argument to intent in addAccount TvSettings.
+applyPatch "$DOS_PATCHES/android_packages_providers_ContactsProvider/335110.patch"; #P_asb_2022-08 enforce stricter CallLogProvider query
+applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/383567.patch"; #P_asb_2024-02 Consolidate queryChildDocumentsXxx() implementations
+applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/344182.patch"; #P_asb_2022-11 Check dir path before updating permissions.
+applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/364616.patch"; #P_asb_2023-08 Update file permissions using canonical path
+applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/374920.patch"; #P_asb_2023-11 Block access to sms/mms db from work profile.
+applyPatch "$DOS_PATCHES/android_packages_services_BuiltInPrintService/374919.patch"; #P_asb_2023-11 Adjust APIs for CUPS 2.3.3
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/330959.patch"; #P_asb_2022-05 Handle null bindings returned from ConnectionService.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332764.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/344183.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/345913.patch"; #P_asb_2022-12 Hide overlay windows when showing phone account enable/disable screen.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/347042.patch"; #P_asb_2023-01 Fix security vulnerability when register phone accounts.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/356150.patch"; #P_asb_2023-05 enforce stricter rules when registering phoneAccounts
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/364617.patch"; #P_asb_2023-08 Resolve StatusHints image exploit across user.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/377776.patch"; #P_asb_2023-12 Resolve account image icon profile boundary exploit.
+applyPatch "$DOS_PATCHES/android_packages_services_Telephony/347041.patch"; #P_asb_2023-01 prevent overlays on the phone settings
+applyPatch "$DOS_PATCHES/android_packages_services_Telephony/366130.patch"; #P_asb_2023-09 Fixed leak of cross user data in multiple settings.
+applyPatch "$DOS_PATCHES/android_system_bt/334266.patch"; #P_asb_2022-07 Security: Fix out of bound write in HFP client
+applyPatch "$DOS_PATCHES/android_system_bt/334267.patch"; #P_asb_2022-07 Check Avrcp packet vendor length before extracting length
+applyPatch "$DOS_PATCHES/android_system_bt/334268.patch"; #P_asb_2022-07 Security: Fix out of bound read in AT_SKIP_REST
+applyPatch "$DOS_PATCHES/android_system_bt/335109.patch"; #P_asb_2022-08 Removing bonded device when auth fails due to missing keys
+applyPatch "$DOS_PATCHES/android_system_bt/338350.patch"; #P_asb_2022-09 Fix OOB in bnep_is_packet_allowed
+applyPatch "$DOS_PATCHES/android_system_bt/338351.patch"; #P_asb_2022-09 Fix OOB in BNEP_Write
+applyPatch "$DOS_PATCHES/android_system_bt/338352.patch"; #P_asb_2022-09 Fix OOB in reassemble_and_dispatch
+applyPatch "$DOS_PATCHES/android_system_bt/342097.patch"; #P_asb_2022-10 Fix potential interger overflow when parsing vendor response
+applyPatch "$DOS_PATCHES/android_system_bt/344184.patch"; #P_asb_2022-11 Add negative length check in process_service_search_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/344185.patch"; #P_asb_2022-11 Add buffer in pin_reply in bluetooth.cc
+applyPatch "$DOS_PATCHES/android_system_bt/345914.patch"; #P_asb_2022-12 Add length check when copy AVDTP packet
+applyPatch "$DOS_PATCHES/android_system_bt/345915.patch"; #P_asb_2022-12 Added max buffer length check
+applyPatch "$DOS_PATCHES/android_system_bt/345916.patch"; #P_asb_2022-12 Add missing increment in bnep_api.cc
+applyPatch "$DOS_PATCHES/android_system_bt/345917.patch"; #P_asb_2022-12 Add length check when copy AVDT and AVCT packet
+applyPatch "$DOS_PATCHES/android_system_bt/345918.patch"; #P_asb_2022-12 Fix integer overflow when parsing avrc response
+applyPatch "$DOS_PATCHES/android_system_bt/347127.patch"; #P_asb_2023-01 BT: Once AT command is retrieved, return from method.
+applyPatch "$DOS_PATCHES/android_system_bt/347128.patch"; #P_asb_2023-01 AVRC: Validating msg size before accessing fields
+applyPatch "$DOS_PATCHES/android_system_bt/349334.patch"; #P_asb_2023-02 Report failure when not able to connect to AVRCP
+applyPatch "$DOS_PATCHES/android_system_bt/349335.patch"; #P_asb_2023-02 Add bounds check in avdt_scb_act.cc
+applyPatch "$DOS_PATCHES/android_system_bt/351916.patch"; #P_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
+applyPatch "$DOS_PATCHES/android_system_bt/351917.patch"; #P_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
+applyPatch "$DOS_PATCHES/android_system_bt/351918.patch"; #P_asb_2023-03 Fix an OOB write in SDP_AddAttribute
+applyPatch "$DOS_PATCHES/android_system_bt/354246.patch"; #P_asb_2023-04 Fix OOB access in avdt_scb_hdl_pkt_no_frag
+applyPatch "$DOS_PATCHES/android_system_bt/354247.patch"; #P_asb_2023-04 Fix an OOB bug in register_notification_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/359736.patch"; #P_asb_2023-06 Prevent use-after-free of HID reports
+applyPatch "$DOS_PATCHES/android_system_bt/359737.patch"; #P_asb_2023-06 Revert "Revert "Validate buffer length in sdpu_build_uuid_seq""
+applyPatch "$DOS_PATCHES/android_system_bt/359738.patch"; #P_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
+applyPatch "$DOS_PATCHES/android_system_bt/361252.patch"; #P_asb_2023-07 Fix gatt_end_operation buffer overflow
+applyPatch "$DOS_PATCHES/android_system_bt/366131.patch"; #P_asb_2023-09 Fix an integer overflow bug in avdt_msg_asmbl
+applyPatch "$DOS_PATCHES/android_system_bt/366132.patch"; #P_asb_2023-09 Fix integer overflow in build_read_multi_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/366133.patch"; #P_asb_2023-09 Fix potential abort in btu_av_act.cc
+applyPatch "$DOS_PATCHES/android_system_bt/366134.patch"; #P_asb_2023-09 Fix reliable write.
+applyPatch "$DOS_PATCHES/android_system_bt/366135.patch"; #P_asb_2023-09 Fix UAF in gatt_cl.cc
+applyPatch "$DOS_PATCHES/android_system_bt/377777.patch"; #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1]
+applyPatch "$DOS_PATCHES/android_system_bt/377778.patch"; #P_asb_2023-12 Reject access to secure services authenticated from temp bonding [2]
+applyPatch "$DOS_PATCHES/android_system_bt/377779.patch"; #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3]
+applyPatch "$DOS_PATCHES/android_system_bt/377780.patch"; #P_asb_2023-12 Reorganize the code for checking auth requirement
+applyPatch "$DOS_PATCHES/android_system_bt/377781.patch"; #P_asb_2023-12Enforce authentication if encryption is required
+applyPatch "$DOS_PATCHES/android_system_bt/377782.patch"; #P_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
+applyPatch "$DOS_PATCHES/android_system_bt/379796.patch"; #P_asb_2024-01 Fix some OOB errors in BTM parsing
+applyPatch "$DOS_PATCHES/android_system_bt/383565.patch"; #P_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
+applyPatch "$DOS_PATCHES/android_system_bt/383566.patch"; #P_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
+applyPatch "$DOS_PATCHES/android_system_bt/385675.patch"; #P_asb_2024-03 Fix OOB caused by invalid SMP packet length
+applyPatch "$DOS_PATCHES/android_system_bt/385676.patch"; #P_asb_2024-03 Fix an OOB bug in smp_proc_sec_req
+applyPatch "$DOS_PATCHES/android_system_bt/385677.patch"; #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
+applyPatch "$DOS_PATCHES/android_system_bt/385678.patch"; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
+applyPatch "$DOS_PATCHES/android_system_ca-certificates/365328.patch"; #P_asb_2023-08 Drop TrustCor certificates
+applyPatch "$DOS_PATCHES/android_system_ca-certificates/374916.patch"; #P_asb_2023-11 Remove E-Tugra certificates.
+applyPatch "$DOS_PATCHES/android_system_core/332765.patch"; #P_asb_2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage in directory traversal on the host.
+applyPatch "$DOS_PATCHES/android_system_netd/378480.patch"; #P_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
+applyPatch "$DOS_PATCHES/android_system_nfc/332766.patch"; #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+applyPatch "$DOS_PATCHES/android_system_nfc/332767.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+applyPatch "$DOS_PATCHES/android_system_nfc/332768.patch"; #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+applyPatch "$DOS_PATCHES/android_system_nfc/342098.patch"; #P_asb_2022-10 The length of a packet should be non-zero
+applyPatch "$DOS_PATCHES/android_system_nfc/354248.patch"; #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+applyPatch "$DOS_PATCHES/android_system_nfc/361251.patch"; #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+applyPatch "$DOS_PATCHES/android_tools_apksig/361280.patch"; #P_asb_2023-07 Create source stamp verifier
+applyPatch "$DOS_PATCHES/android_tools_apksig/361281.patch"; #P_asb_2023-07 Limit the number of supported v1 and v2 signers
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332769.patch"; #P_asb_2022-06 Prevent OOB write in nfc_ncif_proc_ee_discover_req
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332770.patch"; #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332772.patch"; #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/342099.patch"; #P_asb_2022-10 The length of a packet should be non-zero
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/354249.patch"; #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/361253.patch"; #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_halimpl/344190.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/332773.patch"; #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/349336.patch"; #P_asb_2023-02 OOBW in phNciNfc_MfCreateXchgDataHdr
diff --git a/Misc/pick-imports/16-asbs.txt b/Misc/pick-imports/16-asbs.txt
new file mode 100644
index 00000000..30dfc133
--- /dev/null
+++ b/Misc/pick-imports/16-asbs.txt
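Review bot: The bulletin tag on the `android_system_bt/377781.patch` line is fused with the subject (`#P_asb_2023-12Enforce authentication ...`), so anything that splits these trailing comments on whitespace to audit which bulletin a patch belongs to would read the tag as `#P_asb_2023-12Enforce`; the line should end `#P_asb_2023-12 Enforce authentication if encryption is required`. The comment on `android_external_expat/349328.patch` is also cut off at `(fixes`, which loses the reference the subject was pointing to. `applyPatch` is defined outside this hunk, so whether a failed apply stops the run cannot be seen here; if it does not, a security patch that fails to apply would be left out of the tree without notice. A header comment such as `# applyPatch must abort on failure; each line below is a security backport` would record that expectation for the next maintainer.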
@@ -0,0 +1,438 @@
+https://github.com/LineageOS/android_frameworks_base/commit/ea52854b208d2a8e367c65068edbdff741b9eb80 330961 #P_asb_2022-05 Keyguard - Treat messsages to lock with priority
+https://github.com/LineageOS/android_frameworks_base/commit/6bc4a89b9680b780768ee2b92a01f979b708c00b 330962 #P_asb_2022-05 Verify caller before auto granting slice permission
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/e298920fbeb8714698c6e96beaff71383640878b 330959 #P_asb_2022-05 Handle null bindings returned from ConnectionService.
+https://github.com/LineageOS/android_packages_apps_Settings/commit/cfe47c5ab58c17fe9e2b580874878347461d8695 330960 #P_asb_2022-05 Hide private DNS settings UI in Guest mode
+https://github.com/LineageOS/android_frameworks_base/commit/a1c1383a08e17e14273e0f2e7d1c250fb4e3b7f2 330963 #P_asb_2022-05 Always restart apps if base.apk gets updated.
+
+
+
+
+https://github.com/LineageOS/android_external_aac/commit/e40800a613eb89b5b4c701774c3cecc1c2b7dd6c 332775 #P_asb_2022-06 Reject invalid out of band config in transportDec_OutOfBandConfig() and skip re-allocation.
+https://github.com/LineageOS/android_frameworks_base/commit/4005549db2fa7e1524fc0dbbe22c774fb00b6cb3 332779 #P_asb_2022-06 Prevent non-admin users from deleting system apps.
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/526bbbb30625c4b2728d4c461137413dbd1a96f6 332764 #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
+https://github.com/LineageOS/android_system_core/commit/976019d07ad1c007043b78450857f428a1440f06 332765 #P_asb_2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage in directory traversal on the host.
+https://github.com/LineageOS/android_frameworks_base/commit/c8da70733ac6be9b209b27b8bd72f9b0f0a2ee44 332778 #P_asb_2022-06 Fix security hole in GateKeeperResponse
+https://github.com/LineageOS/android_frameworks_base/commit/e7f0f7bac948a3deb2ef9139ef4fd9ad9eb1215a 332777 #P_asb_2022-06 Add an OEM configurable limit for zen rules
+https://github.com/LineageOS/android_frameworks_base/commit/c6a97af0e9b22c303d13ad573e96eb4b06c0bfa3 332776 #P_asb_2022-06 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format.
+https://github.com/LineageOS/android_frameworks_base/commit/76c531e222779ae68047010f42f7a36100010f4c 332757 #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10; api doc update
+https://github.com/LineageOS/android_frameworks_base/commit/258ab4cfd77e49b087f4b3333c21ecb23d4c2a9f 332756 #P_asb_2022-06 Add finalizeWorkProfileProvisioning.
+https://github.com/LineageOS/android_packages_apps_Nfc/commit/d7722eaa4defeaea88dce9f3c644e038af3f637d 332762 #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp()
+https://github.com/LineageOS/android_packages_apps_Settings/commit/ecf8fd5a9aa4976ace98fe9a4986f1de3ff77c1d 332763 #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+https://github.com/LineageOS/android_packages_apps_Dialer/commit/71701cfc7511cd3ad2e8a0f0f12dd78ea8db2517 332761 #P_asb_2022-06 No longer export CallSubjectDialog
+https://github.com/LineageOS/android_packages_apps_Contacts/commit/5055718d99866a7783cf72199b3f385e68bc7a53 332760 #P_asb_2022-06 No longer export CallSubjectDialog
+https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/6ff1c1f2e637e0dc3fc803f8028c7b89bae74937 332759 #P_asb_2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
+https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/eb31965a73439dc8638d03b23f4648774a05df57 332758 #P_asb_2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
+https://github.com/LineageOS/android_vendor_nxp_opensource_packages_apps_Nfc/commit/08fbee6160c576d2d9feff91af2ed3ce0bff2cb7 332773 #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp()
+https://github.com/LineageOS/android_system_nfc/commit/318f09ce7e384809e3ab68c0294be96da6bf5141 332766 #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+https://github.com/LineageOS/android_system_nfc/commit/af0a965cd72fa6cab442fc46068fe4e556ca14c3 332767 #P_asb_2022-06 Double Free in ce_t4t_data_cback
+https://github.com/LineageOS/android_system_nfc/commit/09dd85730f6c7ea4e2da2a9bf51de5d45a3b1061 332768 #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/a6c1507a0fa5a844514ecae89d0758ccb8724585 332769 #P_asb_2022-06 Prevent OOB write in nfc_ncif_proc_ee_discover_req
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/9dd0310855fa8889217e4e077bcfc7822abdbdc2 332770 #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/84a8c1e3350174c25da59c7c6479b0dca37df111 332771 #P_asb_2022-06 Double Free in ce_t4t_data_cback
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/d5b6e36b4d5585d3e003d16ba6aa73929ae7255d 332772 #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/82c9270c2cf11b9a2ac4b5942f3ec086bc02099c 342101 #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/862a9ed37b4cc89f450e6159cec65552e6e9fd38 334256 #P_asb_2022-07 StorageManagerService: don't ignore failures to prepare user storage
+https://github.com/LineageOS/android_frameworks_base/commit/10600c7c0cb582877cae6d3a28c9e39a73add1e1 334257 #P_asb_2022-07 UserDataPreparer: reboot to recovery if preparing user storage fails
+https://github.com/LineageOS/android_frameworks_base/commit/44130eac9f128dbea908171de1fa0743f2dda709 334258 #P_asb_2022-07 UserDataPreparer: reboot to recovery for system user only
+https://github.com/LineageOS/android_frameworks_base/commit/8b1d16f79b125ea356d7af582fc6ceac297afa04 334259 #P_asb_2022-07 Ignore errors preparing user storage for existing users
+https://github.com/LineageOS/android_frameworks_base/commit/2688ed5ff6c1c637444ba776d730940769b2ee1d 334260 #P_asb_2022-07 Log to EventLog on prepareUserStorage failure
+https://github.com/LineageOS/android_frameworks_base/commit/bcede32d6c0c192b00fa745e522d50b817ea969b 334262 #P_asb_2022-07 Crash invalid FGS notifications
+https://github.com/LineageOS/android_packages_apps_KeyChain/commit/5e04f66b9db71a74b7dbf6ca9a43b602d5fca122 334264 #P_asb_2022-07 Encode authority part of uri before showing in UI
+https://github.com/LineageOS/android_packages_apps_Settings/commit/1fee30e9946eec7ec5b0c95481317cd1647c92a7 334265 #P_asb_2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
+https://github.com/LineageOS/android_system_bt/commit/b15c9cc55faddbdb36df6af086762adfef028bbe 334266 #P_asb_2022-07 Security: Fix out of bound write in HFP client
+https://github.com/LineageOS/android_system_bt/commit/5d7b97ac9aa45287bf57d061b7e1e0287c7c513a 334267 #P_asb_2022-07 Check Avrcp packet vendor length before extracting length
+https://github.com/LineageOS/android_frameworks_opt_telephony/commit/4e3e190ff664797f23039da13a45a70ddf615489 334263 #P_asb_2022-07 Enforce privileged phone state for getSubscriptionProperty(GROUP_UUID)
+https://github.com/LineageOS/android_system_bt/commit/f41d68b53f669b96787f5fde38bdc5fe73e795b8 334268 #P_asb_2022-07 Security: Fix out of bound read in AT_SKIP_REST
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/35c2fc9116afdd6fe2dcca6e4fb59466a317b342 335117 #P_asb_2022-08 Only allow system and same app to apply relinquishTaskIdentity
+https://github.com/LineageOS/android_system_bt/commit/8bfd408fa1ebf3d8dc2fc9906672c7cfe7dc0144 335109 #P_asb_2022-08 Removing bonded device when auth fails due to missing keys
+https://github.com/LineageOS/android_packages_providers_ContactsProvider/commit/3b27f760484b42cc1ea25af7bdeb68b40cdfa455 335110 #P_asb_2022-08 enforce stricter CallLogProvider query
+https://github.com/LineageOS/android_packages_apps_Settings/commit/9dfc928466d7709c968adcba7f22378e243b99f2 335111 #P_asb_2022-08 Verify ringtone from ringtone picker is audio
+https://github.com/LineageOS/android_packages_apps_Settings/commit/539f79473852aab2bebcc7374404f47eccb297b1 335112 #P_asb_2022-08 Make bluetooth not discoverable via SliceDeepLinkTrampoline
+https://github.com/LineageOS/android_packages_apps_Settings/commit/b8e381a8e5b104a455efb6b4352eee04b1fb4a5c 335113 #P_asb_2022-08 Fix: policy enforcement for location wifi scanning
+https://github.com/LineageOS/android_packages_apps_Settings/commit/83ce5e4d8f0bb352ed433e711acacdd1a51130fe 335114 #P_asb_2022-08 Fix Settings crash when setting a null ringtone
+https://github.com/LineageOS/android_packages_apps_Settings/commit/91b6470dde8a9b2586273796c183a29000a82ce5 335115 #P_asb_2022-08 Fix can't change notification sound for work profile.
+https://github.com/LineageOS/android_packages_apps_Settings/commit/ccebafea047fef8ab93c4e748ab1b9a15280702b 335116 #P_asb_2022-08 Extract app label from component name in notification access confirmation UI
+https://github.com/LineageOS/android_frameworks_base/commit/a532c1aeec285ebd601ceb266f0af8553ccef5df 335118 #P_asb_2022-08 Suppress notifications when device enter lockdown
+https://github.com/LineageOS/android_frameworks_base/commit/017b9b6b000693a5e48ba7431bf638c257833ec3 335119 #P_asb_2022-08 Remove package title from notification access confirmation intent
+https://github.com/LineageOS/android_frameworks_base/commit/53f3e590ac533cacdf7e78ec701a8e365c89901b 335121 #P_asb_2022-08 Only allow the system server to connect to sync adapters
+https://github.com/LineageOS/android_frameworks_base/commit/cb2cb0520dd1f4c7e19e806cde02fc3da6a355d2 335120 #P_asb_2022-08 Stop using invalid URL to prevent unexpected crash
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/26e3268f3cac1d120d8b4683e8d5201b70f44fc2 338346 #P_asb_2022-09 Fix duplicate permission privilege escalation
+https://github.com/LineageOS/android_frameworks_base/commit/b98ed505d5c477f5d6e1f88433a5c9f1cb03025e 338347 #P_asb_2022-09 Parcel: recycle recycles
+https://github.com/LineageOS/android_frameworks_base/commit/3a1887eb6147d7e51a79c387aaed38c08056c789 338348 #P_asb_2022-09 IMMS: Make IMMS PendingIntents immutable
+https://github.com/LineageOS/android_frameworks_base/commit/031578d71058c6400ea91b1806b467aca2de54b1 338349 #P_asb_2022-09 Remove package name from SafetyNet logs
+https://github.com/LineageOS/android_external_expat/commit/31f7a33a236a574c7c4bea5de648c349fa1e7508 338353 #P_asb_2022-09 Prevent integer overflow in copyString
+https://github.com/LineageOS/android_external_expat/commit/5c70aa4e573cf46f6127aa6713c09877a246bf6b 338354 #P_asb_2022-09 Prevent XML_GetBuffer signed integer overflow
+https://github.com/LineageOS/android_external_expat/commit/68116f18efee226636fdc2ecf518f3de589c98a8 338355 #P_asb_2022-09 Prevent integer overflow in function doProlog
+https://github.com/LineageOS/android_external_expat/commit/883c4901f5ca13cf202c9c234612e117f0ef092e 338356 #P_asb_2022-09 Prevent more integer overflows
+https://github.com/LineageOS/android_system_bt/commit/a940244a653c0c20e5d08aaf40484da93300dc3f 338350 #P_asb_2022-09 Fix OOB in bnep_is_packet_allowed
+https://github.com/LineageOS/android_system_bt/commit/de882ad1be24fa351ad8ba483b89c2b0b1e615c6 338351 #P_asb_2022-09 Fix OOB in BNEP_Write
+https://github.com/LineageOS/android_system_bt/commit/88b4c659bc53971605a5cdde56f94b2d90677d20 338352 #P_asb_2022-09 Fix OOB in reassemble_and_dispatch
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_external_dtc/commit/d8ff0456cbe3b32b5f71dd0740f9a6cca6de27b9 342096 #P_asb_2022-10 libfdt: fdt_offset_ptr(): Fix comparison warnings
+https://github.com/LineageOS/android_system_bt/commit/024bd7b32e3298ceaf70443e9224aff56cf8de4b 342097 #P_asb_2022-10 Fix potential interger overflow when parsing vendor response
+https://github.com/LineageOS/android_system_nfc/commit/f7eb9ba0755d2ab170d7fa7f46d67ebed4690426 342098 #P_asb_2022-10 The length of a packet should be non-zero
+https://github.com/LineageOS/android_frameworks_base/commit/950c44f0e7229672ea093e86d7f05df00b33844d 342100 #P_asb_2022-10 Limit the number of concurrently snoozed notifications
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/c5cae87d66c3b8d459677da775cc61e550bba993 342099 #P_asb_2022-10 The length of a packet should be non-zero
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_packages_apps_PackageInstaller/commit/79fbc97fa9030bc872c26dde69d3d6b5ca50d42c 344181 #P_asb_2022-11 Hide overlays on ReviewPermissionsAtivity
+https://github.com/LineageOS/android_packages_providers_TelephonyProvider/commit/915289305d5bd55c3a9e5667acab9cfec8f68d31 344182 #P_asb_2022-11 Check dir path before updating permissions.
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/9bd081d4162ee1bd99eed4a2f8c144255a3b7a41 344183 #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+https://github.com/LineageOS/android_system_bt/commit/b8332ffa326c412c7952bcae1ad924a8542caa8e 344184 #P_asb_2022-11 Add negative length check in process_service_search_rsp
+https://github.com/LineageOS/android_system_bt/commit/9e3a7208a794cb350b5b1565db4e1120d7b1373d 344185 #P_asb_2022-11 Add buffer in pin_reply in bluetooth.cc
+https://github.com/LineageOS/android_frameworks_base/commit/fcd8dc4d686c362b7353f9d7c6a3b05994cc0565 344168 #P_asb_2022-11 Move accountname and typeName length check from Account.java to AccountManagerService.
+https://github.com/LineageOS/android_frameworks_base/commit/bad61936167d1d7eca8dc155e8c0c8a248a2bc5c 344169 #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+https://github.com/LineageOS/android_frameworks_base/commit/e72558a547d48190469c0763a9e317d1792a9f53 344170 #P_asb_2022-11 Do not send new Intent to non-exported activity when navigateUpTo
+https://github.com/LineageOS/android_frameworks_base/commit/6a42e12de4cf0f2de93cbd8bb4506de8a83dd88a 344171 #P_asb_2022-11 Do not send AccessibilityEvent if notification is for different user.
+https://github.com/LineageOS/android_frameworks_base/commit/36b533a308ced7203f515daed97d0f15bb65587f 344172 #P_asb_2022-11 Trim any long string inputs that come in to AutomaticZenRule
+https://github.com/LineageOS/android_frameworks_base/commit/114dcf0b5836c0c982a560e85350f408c8640bdf 344173 #P_asb_2022-11 Check permission for VoiceInteraction
+https://github.com/LineageOS/android_frameworks_base/commit/22e363c319e6fddeea39f00f7ef5e63395a45dc5 344174 #P_asb_2022-11 Do not dismiss keyguard after SIM PUK unlock
+https://github.com/LineageOS/android_hardware_nxp_nfc/commit/70c3eef94c74e78d9bf9e9119d58ca0a5082cf2f 344180 #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
+https://github.com/LineageOS/android_external_dtc/commit/c34b2c464b0900d3e79aa1c64c25137fd09c4762 344161 #P_asb_2022-11 Fix integer wrap sanitisation.
+https://github.com/LineageOS/android_frameworks_av/commit/2692e4bcdba06eec20424291acaac5669acf581f 344167 #P_asb_2022-11 setSecurityLevel in clearkey
+https://github.com/LineageOS/android_vendor_nxp_opensource_halimpl/commit/9d9f191dd2522aa286bdc3c42d6777b6e503356b 344190 #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
+
+
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_system_bt/commit/cea94f7ab0d36254a99d5854b9c2e83afd4584bc 345915 #P_asb_2022-12 Added max buffer length check
+https://github.com/LineageOS/android_system_bt/commit/56ea90b69d6715e7e1f0ddd35fd5ca7e19d93dc6 345916 #P_asb_2022-12 Add missing increment in bnep_api.cc
+https://github.com/LineageOS/android_system_bt/commit/da6430bd4b319f8398deaef8d74341234fb79624 345917 #P_asb_2022-12 Add length check when copy AVDT and AVCT packet
+https://github.com/LineageOS/android_system_bt/commit/222fad2e71f159e3d6e0bc0aef36f83cbf3fcdfa 345918 #P_asb_2022-12 Fix integer overflow when parsing avrc response
+https://github.com/LineageOS/android_frameworks_base/commit/16da2229db1aa80499b296bc8c384fe78add0e30 345892 #P_asb_2022-12 Revert "Prevent non-admin users from deleting system apps."
+https://github.com/LineageOS/android_frameworks_base/commit/921f748f4dd12465721dc7e8ed86f89c0718da57 345893 #P_asb_2022-12 Limit the size of NotificationChannel and NotificationChannelGroup
+https://github.com/LineageOS/android_frameworks_base/commit/4bdaa78394c95a864f1d34ec1997c6494dbece15 345894 #P_asb_2022-12 Prevent non-admin users from deleting system apps.
+https://github.com/LineageOS/android_frameworks_base/commit/c8ac5b6a05bb584e196b4c1bd4b819914c4018b6 345895 #P_asb_2022-12 Validate package name passed to setApplicationRestrictions.
+https://github.com/LineageOS/android_frameworks_base/commit/9e0a825e2ca0cf102fc462af55f5a471d6d5836d 345896 #P_asb_2022-12 Include all enabled services when FEEDBACK_ALL_MASK.
+https://github.com/LineageOS/android_frameworks_base/commit/8d88ee0de3b9e474fcc70ab121186df93bf75456 345897 #P_asb_2022-12 [pm] forbid deletion of protected packages
+https://github.com/LineageOS/android_frameworks_base/commit/c4763f78a2ab695992cf63709b665c7478d43891 345898 #P_asb_2022-12 Fix NPE
+https://github.com/LineageOS/android_frameworks_base/commit/08605e9ee1e96336fe3202066a6cdba21cf377ad 345899 #P_asb_2022-12 Fix a security issue in app widget service.
+https://github.com/LineageOS/android_frameworks_base/commit/4d5e30ccea8cc4dec6359f004173d896c4b01556 345900 #P_asb_2022-12 Ignore malformed shortcuts
+https://github.com/LineageOS/android_frameworks_base/commit/58e177ca589576cacfd1ed016bdd5d0bf4cb9a5d 345901 #P_asb_2022-12 Fix permanent denial of service via setComponentEnabledSetting
+https://github.com/LineageOS/android_frameworks_base/commit/be00f79f1148a27fd9161e65ebaa2eedb7fca4c7 345902 #P_asb_2022-12 Add safety checks on KEY_INTENT mismatch.
+https://github.com/LineageOS/android_frameworks_minikin/commit/4f583889fcc90883fa3ec86befa20c671ec8774e 345903 #P_asb_2022-12 Fix OOB read for registerLocaleList
+https://github.com/LineageOS/android_frameworks_minikin/commit/89b513681269399b4d2621f0c1750daa48f77681 345904 #P_asb_2022-12 Fix OOB crash for registerLocaleList
+https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/f7624d5f831e8576a816feaebb120974e54c23b6 345907 #P_asb_2022-12 Fix URI check in BluetoothOppUtility.java
+https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/c6cd624a87b1b8f586ef83b2a810c36669b55a0b 345908 #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings."
+https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/d25bc7d14e791a049698ac2c7cbd9c72e6e7592d 345909 #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
+https://github.com/LineageOS/android_packages_apps_Settings/commit/06242790f0f2b20e1f0caa0548924d1fcddfca93 345910 #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings."
+https://github.com/LineageOS/android_packages_apps_Settings/commit/090473035dd448e96138844bfec0c88952acf3d1 345911 #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
+https://github.com/LineageOS/android_packages_apps_Settings/commit/6f9c13de0a620203fe7d6bcdfd6d94c74e22706b 345912 #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
+https://github.com/LineageOS/android_external_dtc/commit/77e6d383cde91d7ac8bbb159de215ec198e9f1aa 345891 #P_asb_2022-12 libfdt: fdt_path_offset_namelen: Reject empty paths
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/fae9a71b822b913e7516333484e8efd513e1640d 345913 #P_asb_2022-12 Hide overlay windows when showing phone account enable/disable screen.
+https://github.com/LineageOS/android_system_bt/commit/210fe2c41c04d50c7a82a6415d7708ff5d055b3e 345914 #P_asb_2022-12 Add length check when copy AVDTP packet
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/7f7b42f83fd7aef7570450b82c5931aa81f1e66d 347044 #P_asb_2023-01 Limit lengths of fields in Condition to a max length.
+https://github.com/LineageOS/android_frameworks_base/commit/91726ddbd32c8b5226991492354f1d93616c6cfd 347045 #P_asb_2023-01 Disable all A11yServices from an uninstalled package.
+https://github.com/LineageOS/android_frameworks_base/commit/2dc4e2467dcebfc827d68f573570cd04e6ea6244 347046 #P_asb_2023-01 Fix conditionId string trimming in AutomaticZenRule
+https://github.com/LineageOS/android_frameworks_base/commit/9b5407d68859e615a2ee7a229f486fc5365682da 347047 #P_asb_2023-01 [SettingsProvider] mem limit should be checked before settings are updated
+https://github.com/LineageOS/android_frameworks_base/commit/66a9e8fc457e7257b78dfef3f18eab01c63efc12 347048 #P_asb_2023-01 Revert "Revert "Validate permission tree size..."
+https://github.com/LineageOS/android_frameworks_base/commit/c8892a45db45ee79085b0ee620b3d8f69f560d03 347049 #P_asb_2023-01 [SettingsProvider] key size limit for mutating settings
+https://github.com/LineageOS/android_frameworks_base/commit/9e7745eeedc6066e91e0c508d49c8db15a8ae6bf 347050 #P_asb_2023-01 Revoke SYSTEM_ALERT_WINDOW on upgrade past api 23
+https://github.com/LineageOS/android_frameworks_base/commit/be4c10b9f70b5033bc6f75649265a12f65ad0bc3 347051 #P_asb_2023-01 Add protections agains use-after-free issues if cancel() or queue() is called after a device connection has been closed.
+https://github.com/LineageOS/android_packages_services_Telephony/commit/d596467cc3b161beca194ce4c8f96efcd0d6a340 347041 #P_asb_2023-01 prevent overlays on the phone settings
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/7636df9f0dcff2d9b272f925b956348fc8dc384b 347042 #P_asb_2023-01 Fix security vulnerability when register phone accounts.
+https://github.com/LineageOS/android_packages_apps_Nfc/commit/48b3f34578cd9757a11c1cd694527b45c5915ae8 347043 #P_asb_2023-01 OOBW in Mfc_Transceive()
+https://github.com/LineageOS/android_system_bt/commit/deb080bb11eadef601ec11633317090f060e50bb 347127 #P_asb_2023-01 BT: Once AT command is retrieved, return from method.
+https://github.com/LineageOS/android_system_bt/commit/0c74f58652259adde281b7d8b13732a8f0e9ab92 347128 #P_asb_2023-01 AVRC: Validating msg size before accessing fields
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/a9d49368cb13ba9d98af67ae9a96b82ae7fc4e46 349330 #P_asb_2023-02 Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
+https://github.com/LineageOS/android_frameworks_base/commit/7780547c156f34020ba7316e8c8cbea6c7985818 349331 #P_asb_2023-02 Convert argument to intent in ChooseTypeAndAccountActivity
+https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/90e0fb025afa7bfe3600b79c2e0e563b5d6124bb 349332 #P_asb_2023-02 Fix OPP comparison
+https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/eeb60967a52197d04d331b8e87beb5f1fb9e92aa 349333 #P_asb_2023-02 Removes unnecessary permission from the EmergencyInfo app.
+https://github.com/LineageOS/android_system_bt/commit/12b2d2eeb63246e85e30389d2e885608e9209cc1 349334 #P_asb_2023-02 Report failure when not able to connect to AVRCP
+https://github.com/LineageOS/android_system_bt/commit/8e81bb1e80ccbba0724e12dabac61b9ac36d4b0f 349335 #P_asb_2023-02 Add bounds check in avdt_scb_act.cc
+https://github.com/LineageOS/android_vendor_nxp_opensource_packages_apps_Nfc/commit/35299f9e605257a17257c5da0064c3f7cc3dce4a 349336 #P_asb_2023-02 OOBW in phNciNfc_MfCreateXchgDataHdr
+https://github.com/LineageOS/android_external_expat/commit/281fc3aeb520277460014a8c398ba083d167f284 349328 #P_asb_2023-02 [CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
+https://github.com/LineageOS/android_frameworks_av/commit/994d95501928153cb7b8f04587e3160bc17ce2a5 349329 #P_asb_2023-02 move MediaCodec metrics processing to looper thread
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_external_zlib/commit/d6e0dec5307a69aa6381246221803bdc050e5b96 351909 #P_asb_2023-03 Fix a bug when getting a gzip header extra field with inflate().
+https://github.com/LineageOS/android_packages_apps_Settings/commit/5f84b1609065c5b26f2b5278d83fdd791597a69f 351914 #P_asb_2023-03 FRP bypass defense in the settings app
+https://github.com/LineageOS/android_packages_apps_Settings/commit/718126925dc2e00c268f49d006231eb3edd5778a 351915 #P_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users
+https://github.com/LineageOS/android_system_bt/commit/b7dfbbdf4dc9ae5761816ad0a4875d46244ed25a 351916 #P_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
+https://github.com/LineageOS/android_system_bt/commit/b433704453d59946be0f5b30346cf0dd3e42ec09 351917 #P_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
+https://github.com/LineageOS/android_system_bt/commit/fcd19451fa2e3da35c3e0f5db0961b994ed1b49f 351918 #P_asb_2023-03 Fix an OOB write in SDP_AddAttribute
+https://github.com/LineageOS/android_frameworks_base/commit/3f8c0e9c4ad48b37c44e132a7a8e3fd157a83e00 351910 #P_asb_2023-03 Move service initialization
+https://github.com/LineageOS/android_frameworks_base/commit/11c799795be7c8bafedbc4eb3d940b4a1f93a308 351911 #P_asb_2023-03 Enable user graularity for lockdown mode
+https://github.com/LineageOS/android_frameworks_base/commit/d6401e37da9afb99f647b09fd3ce9aa38bb84016 351912 #P_asb_2023-03 Revoke dev perm if app is upgrading to post 23 and perm has pre23 flag
+https://github.com/LineageOS/android_frameworks_base/commit/7d63c11542c202467f035e03644962a263cfdc19 351913 #P_asb_2023-03 Reconcile WorkSource parcel and unparcel code.
+
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/7ed39484667b94b738b7d1d7717ef5b640a7a405 354243 #P_asb_2023-04 Checking if package belongs to UID before registering broadcast receiver
+https://github.com/LineageOS/android_frameworks_base/commit/34184bc31e77a8db5b967ca275f6e4841bd5e3ff 354244 #P_asb_2023-04 Fix checkKeyIntentParceledCorrectly's bypass
+https://github.com/LineageOS/android_frameworks_base/commit/9cade5349e44f2b48ed6408e3b05a1272ff2a3ef 354245 #P_asb_2023-04 Encode Intent scheme when serializing to URI string RESTRICT AUTOMERGE
+https://github.com/LineageOS/android_frameworks_base/commit/1dc0540d7b8918a6043c0863b2bea0946b100b8e 354242 #P_asb_2023-04 Context#startInstrumentation could be started from SHELL only now.
+https://github.com/LineageOS/android_system_bt/commit/a883a17a9e05d87bfb1547d8b812522c771c971c 354246 #P_asb_2023-04 Fix OOB access in avdt_scb_hdl_pkt_no_frag
+https://github.com/LineageOS/android_system_bt/commit/d9472b7fba9c3a366e768ff4c28225d264aa6ad1 354247 #P_asb_2023-04 Fix an OOB bug in register_notification_rsp
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/5ad6edf34e69b9bd0334bb0b0a3592b8d5ded5b4 354249 #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+https://github.com/LineageOS/android_system_nfc/commit/d751463856e968430d4859a55a97f12b2553de19 354248 #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+
+
+
+
+
+
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/ffd36f517fae838fe836d6f189b2de6355e6814c 356150 #P_asb_2023-05 enforce stricter rules when registering phoneAccounts
+https://github.com/LineageOS/android_frameworks_native/commit/09ece8aee9246ba8ef5408e074165c9bbc2d6bc1 356151 #P_asb_2023-05 Check for malformed Sensor Flattenable
+https://github.com/LineageOS/android_frameworks_native/commit/c62382dd2192444ca7a81a0318521b03e852c355 356152 #P_asb_2023-05 Remove some new memory leaks from SensorManager
+https://github.com/LineageOS/android_frameworks_native/commit/30348a31e1c0eb604f1a2de40b57d734f71cb9e8 356153 #P_asb_2023-05 Add removeInstanceForPackageMethod to SensorManager
+https://github.com/LineageOS/android_frameworks_base/commit/e0f219e675b2a36304db2f163783fe82937c1d41 356156 #P_asb_2023-05 enforce stricter rules when registering phoneAccounts
+https://github.com/LineageOS/android_frameworks_base/commit/18025b2a135d7e7063201054b7f4409fe562ee56 356154 #P_asb_2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
+https://github.com/LineageOS/android_frameworks_base/commit/0cfc7a41aa5b741452316b19bc100be58bbe3cc7 356155 #P_asb_2023-05 Uri: check authority and scheme as part of determining URI path
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_av/commit/d4f4cbe1d4eb1e80f64676cb07e84a6409cd095f 359729 #P_asb_2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
+https://github.com/LineageOS/android_packages_apps_Settings/commit/ed20a91b473462e14f7cea5dd1b8cbff4d0feab5 359734 #P_asb_2023-06 Convert argument to intent in AddAccountSettings.
+https://github.com/LineageOS/android_packages_apps_TvSettings/commit/3f8f5d733659d15eb78d0a3de97442c1c33259b8 359735 #P_asb_2023-06 Convert argument to intent in addAccount TvSettings.
+https://github.com/LineageOS/android_system_bt/commit/5f6f48a784284a9220ae70d9f99d96a25bd3adce 359736 #P_asb_2023-06 Prevent use-after-free of HID reports
+https://github.com/LineageOS/android_system_bt/commit/969a3c9aba7e8060f1bcf341375263d67fec01d2 359737 #P_asb_2023-06 Revert "Revert "Validate buffer length in sdpu_build_uuid_seq""
+https://github.com/LineageOS/android_system_bt/commit/d50fdc03f066f2b1bdb3bcb21d627a0e3ac9e268 359738 #P_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
+https://github.com/LineageOS/android_frameworks_base/commit/c45ee6ab3ee0b8e4f16cc88d098fb9200b3a109a 359730 #P_asb_2023-06 Check key intent for selectors and prohibited flags
+https://github.com/LineageOS/android_frameworks_base/commit/22bac442d2249f6e02608f9994cf761bfdf90d80 359731 #P_asb_2023-06 Handle invalid data during job loading.
+https://github.com/LineageOS/android_frameworks_base/commit/24a90436bb260a64b427efb98f3aa40f0c27fe32 359732 #P_asb_2023-06 Allow filtering of services
+https://github.com/LineageOS/android_frameworks_base/commit/4974a8613d776dcd0dff6c8950b3dd1a7dbec465 359733 #P_asb_2023-06 Prevent RemoteViews crashing SystemUi
+https://github.com/LineageOS/android_packages_apps_Traceur/commit/43b23418ed73d1b64bb198a79c5825666c95684d 378475 #P_asb_2023-06 Update Traceur to check admin user status
+https://github.com/LineageOS/android_packages_apps_Traceur/commit/55e506621081e4e092a4434a763561d2a2f0859e 378476 #P_asb_2023-06 Add DISALLOW_DEBUGGING_FEATURES check
+
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_external_freetype/commit/31e8900c4e35a5b82ee19449830c87f8c1593504 361250 #P_asb_2023-07 Cherry-pick two upstream changes
+https://github.com/LineageOS/android_system_nfc/commit/6ea4e00c886e05116d1d6058fb4cf40e0ccdb70b 361251 #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+https://github.com/LineageOS/android_system_bt/commit/c4a3cf60380376537eefcce41eec053677c7732c 361252 #P_asb_2023-07 Fix gatt_end_operation buffer overflow
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/c2ad40e96300f65c3e16b06eccba282003385956 361253 #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+https://github.com/LineageOS/android_frameworks_base/commit/c1741be24b21788051c95fafb20f889f15c7b8a8 361254 #P_asb_2023-07 Sanitize VPN label to prevent HTML injection
+https://github.com/LineageOS/android_frameworks_base/commit/63ef19bd0f36f043fa72acbb8484cae2e48a07b1 361256 #P_asb_2023-07 Import translations. DO NOT MERGE ANYWHERE
+https://github.com/LineageOS/android_frameworks_base/commit/626a9919d79ad7584e30496f8b990a1a4e20ec40 361257 #P_asb_2023-07 Dismiss keyguard when simpin auth'd and...
+https://github.com/LineageOS/android_frameworks_base/commit/cfab4afce18c49c6abe6e25fce9add4b57bb65e4 361259 #P_asb_2023-07 Visit URIs in landscape/portrait custom remote views.
+https://github.com/LineageOS/android_tools_apksig/commit/011adec1a494974102930bf65a8d2fdfa8b375b5 361280 #P_asb_2023-07 Create source stamp verifier
+https://github.com/LineageOS/android_tools_apksig/commit/9a80527425030dae7f962ab95eda500a720cde47 361281 #P_asb_2023-07 Limit the number of supported v1 and v2 signers
+https://github.com/LineageOS/android_frameworks_base/commit/3f7975447006b2246dd1b8722064ca26e40aae25 361258 #P_asb_2023-07 Truncate ShortcutInfo Id
+https://github.com/LineageOS/android_frameworks_base/commit/68f08d51b66b8336aeec2e01bcfa72ae5fbfb81d 361255 #P_asb_2023-07 Limit the number of supported v1 and v2 signers
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_external_aac/commit/c263e21d9cd270283c0fabddeb710798b6fe56aa 364605 #P_asb_2023-08 Increase patchParam array size by one and fix out-of-bounce write in resetLppTransposer().
+https://github.com/LineageOS/android_external_freetype/commit/ef28d3d7460a814efef8174c44fde7aab4341db5 364606 #P_asb_2023-08 Cherrypick following three changes +https://github.com/LineageOS/android_frameworks_base/commit/6adafe39c32f8236e18c57bc834caa88a09ad8cc 364608 #P_asb_2023-08 Verify URI permissions for notification shortcutIcon. +https://github.com/LineageOS/android_frameworks_base/commit/0b2c705c891a44ac854cb5ec123fb869669ae5fe 364609 #P_asb_2023-08 On device lockdown, always show the keyguard +https://github.com/LineageOS/android_frameworks_base/commit/84be6e930a60f855a318c41a446b92849b50087a 364610 #P_asb_2023-08 Ensure policy has no absurdly long strings +https://github.com/LineageOS/android_frameworks_base/commit/aa0fb47602bd6bc95404d5a5468ba4db577c418f 364611 #P_asb_2023-08 Implement visitUris for RemoteViews ViewGroupActionAdd. +https://github.com/LineageOS/android_frameworks_base/commit/42d2f7a7ac4004754050ddd53f2e5b626ae28c02 364612 #P_asb_2023-08 Check URIs in notification public version. +https://github.com/LineageOS/android_packages_providers_TelephonyProvider/commit/8e5a42af29838bd09b62ec199d744c4592258eeb 364616 #P_asb_2023-08 Update file permissions using canonical path +https://github.com/LineageOS/android_packages_services_Telecomm/commit/6428c62b978aefd829bf4e91493a356c3675e5c0 364617 #P_asb_2023-08 Resolve StatusHints image exploit across user. 
+https://github.com/LineageOS/android_system_ca-certificates/commit/4c6994b1a05d435e40947a7315aae1a128984957 365328 #P_asb_2023-08 Drop TrustCor certificates +https://github.com/LineageOS/android_frameworks_base/commit/19dc7642fe849e85abe886b9340b5dda52e21885 364607 #P_asb_2023-08 ActivityManager#killBackgroundProcesses can kill caller's own app only +https://github.com/LineageOS/android_frameworks_base/commit/1537cadd2966e0ea2d188cd3e96af6287bb473c6 364613 #P_asb_2023-08 Verify URI permissions in MediaMetadata +https://github.com/LineageOS/android_frameworks_base/commit/507937f96405b8530f24c7625b5f5f18f7a0df55 364614 #P_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used +https://github.com/LineageOS/android_frameworks_base/commit/2e64cb078e9e11e8310c0b589a6edd429b9c2f16 364615 #P_asb_2023-08 Resolve StatusHints image exploit across user. + + + + + + + + + +https://github.com/LineageOS/android_frameworks_av/commit/7e0adcb2073a2549aa901ecc40de254202a1eded 366126 #P_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test. +https://github.com/LineageOS/android_frameworks_base/commit/383b016298865df13c1d1ead7049a9c0a73cb973 366127 #P_asb_2023-09 Forbid granting access to NLSes with too-long component names +https://github.com/LineageOS/android_frameworks_native/commit/4d3c579105e1a98abc2868723928dea280a93076 366129 #P_asb_2023-09 Allow sensors list to be empty +https://github.com/LineageOS/android_packages_services_Telephony/commit/114c9d5475962cd63ebf8f246c2c2f4a9c7fddf1 366130 #P_asb_2023-09 Fixed leak of cross user data in multiple settings. 
+https://github.com/LineageOS/android_system_bt/commit/f9ba876145b612b684f5b966ab524d7b5b7a783c 366131 #P_asb_2023-09 Fix an integer overflow bug in avdt_msg_asmbl +https://github.com/LineageOS/android_system_bt/commit/862350fa3b8fc51bcdd8331352f28cd6cac4bf1d 366132 #P_asb_2023-09 Fix integer overflow in build_read_multi_rsp +https://github.com/LineageOS/android_system_bt/commit/db6c02ecbc377437585b56c310e2847661dd557c 366133 #P_asb_2023-09 Fix potential abort in btu_av_act.cc +https://github.com/LineageOS/android_system_bt/commit/9b06f046f58bd82f9df6592c1a45ade8075608f9 366134 #P_asb_2023-09 Fix reliable write. +https://github.com/LineageOS/android_system_bt/commit/9ac8d616f369513b0ef4f466eded252a4511898d 366135 #P_asb_2023-09 Fix UAF in gatt_cl.cc +https://github.com/LineageOS/android_packages_apps_Settings/commit/acfa0cd4e0551d07fab0511cfb84462e70a48b53 366136 #P_asb_2023-09 Prevent non-system IME from becoming device admin +https://github.com/LineageOS/android_packages_apps_Trebuchet/commit/0c9ab1418476b9aab2830f5b3f9d4ee7be3714fd 366137 #P_asb_2023-09 Fix permission issue in legacy shortcut +https://github.com/LineageOS/android_frameworks_base/commit/3f429c322504732c25e1d92bd57fecdd8a7e5d5b 366128 #P_asb_2023-09 Update AccountManagerService checkKeyIntentParceledCorrectly. + + + + + + + +https://github.com/LineageOS/android_frameworks_base/commit/8489bb9206314ce3be439f374704204626bd40ca 370695 #P_asb_2023-10 Verify URI Permissions in Autofill RemoteViews +https://github.com/LineageOS/android_frameworks_base/commit/aecf51e67aa3b540f86d12164be8d66e12ca47f2 370697 #P_asb_2023-10 Disallow loading icon from content URI to PipMenu +https://github.com/LineageOS/android_frameworks_base/commit/71c5804bc372c58c4f7a1b01905618cb5edb2dda 370699 #P_asb_2023-10 Revert "Dismiss keyguard when simpin auth'd and..." 
+https://github.com/LineageOS/android_packages_apps_Settings/commit/e7401f49ebfc563aa5fcd9aaa9981a235557d1b4 370700 #P_asb_2023-10 Restrict ApnEditor settings +https://github.com/LineageOS/android_external_libxml2/commit/2bd551871a645e43a75ce6065598d22b89b80a21 370701 #P_asb_2023-10 malloc-fail: Fix OOB read after xmlRegGetCounter +https://github.com/LineageOS/android_frameworks_base/commit/ae25f45e664b47e74fc9d73bc1b4292e6721dd7a 370693 #P_asb_2023-10 RingtoneManager: verify default ringtone is audio +https://github.com/LineageOS/android_frameworks_base/commit/7adb3e0e1d591aeabccc5edfa624a591a3428a3d 370694 #P_asb_2023-10 Do not share key mappings with JNI object +https://github.com/LineageOS/android_frameworks_base/commit/0fb320aef79861cb612fcd48585571f1715616fe 370696 #P_asb_2023-10 Fix KCM key mapping cloning +https://github.com/LineageOS/android_frameworks_base/commit/48e0cbe76661b6b4c8edb2950a572694947b5641 370698 #P_asb_2023-10 Fixing DatabaseUtils to detect malformed UTF-16 strings + + + + + + + + +https://github.com/LineageOS/android_system_ca-certificates/commit/6f06eccd9ef3d37a2d9d52d1c925c3e71f525b14 374916 #P_asb_2023-11 Remove E-Tugra certificates. +https://github.com/LineageOS/android_packages_services_BuiltInPrintService/commit/4302a583e82fa5bd76315077688818e53df98f20 374919 #P_asb_2023-11 Adjust APIs for CUPS 2.3.3 +https://github.com/LineageOS/android_packages_providers_TelephonyProvider/commit/3d07f3a1821c0953d156206e288bb484a0c0f399 374920 #P_asb_2023-11 Block access to sms/mms db from work profile. +https://github.com/LineageOS/android_frameworks_base/commit/e696b2932c41ab89f4910abc5a626c8e9b8d8543 374921 #P_asb_2023-11 Fix BAL via notification.publicVersion +https://github.com/LineageOS/android_frameworks_av/commit/62ae30fad8c644b492393eb8c1eec2867cc73b07 374924 #P_asb_2023-11 Fix for heap buffer overflow issue flagged by fuzzer test. 
+https://github.com/LineageOS/android_external_libcups/commit/383806fb90e7246d31241ab11332f3c0172e2f17 374932 #P_asb_2023-11 Upgrade libcups to v2.3.1 +https://github.com/LineageOS/android_external_libcups/commit/af78634c7babca00f4a5b1650b817b36be4e94dd 374933 #P_asb_2023-11 Upgrade libcups to v2.3.3 +https://github.com/LineageOS/android_frameworks_base/commit/1c5bf358397ad6a337d375fbc8dba4d98a50eca8 374922 #P_asb_2023-11 Use type safe API of readParcelableArray +https://github.com/LineageOS/android_frameworks_base/commit/64de82f91e01d8d7d4224c737efe915397a904d2 374923 #P_asb_2023-11 [SettingsProvider] verify ringtone URI before setting + + + + + + + + +https://github.com/LineageOS/android_frameworks_av/commit/5e50aa57f52b08f4cb07a6a3f98698f2077a9cbf 377765 #P_asb_2023-12 httplive: fix use-after-free +https://github.com/LineageOS/android_frameworks_base/commit/73913dfae62f0c93147896ab07232417cff467ee 377766 #P_asb_2023-12 Visit Uris added by WearableExtender +https://github.com/LineageOS/android_frameworks_base/commit/ac1ed7557b197952a6e00eb36da31e79d7bf78a4 377769 #P_asb_2023-12 Use readUniqueFileDescriptor in incidentd service +https://github.com/LineageOS/android_frameworks_base/commit/4ca5de2bda12925a28a59a1dffaccba045b0f9cb 377771 #P_asb_2023-12 Revert "On device lockdown, always show the keyguard" +https://github.com/LineageOS/android_frameworks_base/commit/059ed6a3d856caee5896d94d9ea26f90c6117c93 377773 #P_asb_2023-12 Updated: always show the keyguard on device lockdown +https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/3b53fae30442369bda8cd858f5b0ac697b9cd4ec 377774 #P_asb_2023-12 Fix UAF in ~CallbackEnv +https://github.com/LineageOS/android_packages_apps_Trebuchet/commit/02e99b157f05f8fbabb9c2457e387842ccad0bed 377775 #P_asb_2023-12 Fix permission bypass in legacy shortcut +https://github.com/LineageOS/android_packages_services_Telecomm/commit/7ef90cb74da31eb165fc624f479b02cf6df2ebda 377776 #P_asb_2023-12 Resolve account image icon 
profile boundary exploit. +https://github.com/LineageOS/android_system_bt/commit/26fe8da32584d6f639124e3ca8a7cbdbe5c60d89 377777 #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1] +https://github.com/LineageOS/android_system_bt/commit/6b208d0624e05bb96bffbca43e18a03dc37d21dd 377778 #P_asb_2023-12 Reject access to secure services authenticated from temp bonding [2] +https://github.com/LineageOS/android_system_bt/commit/66a09ccfd76de30e03a843df140d7851be013052 377779 #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3] +https://github.com/LineageOS/android_system_bt/commit/95161565e5bf426333102097a92a8f654c10e74a 377780 #P_asb_2023-12 Reorganize the code for checking auth requirement +https://github.com/LineageOS/android_system_bt/commit/037c9934224eabab778ee4cc197a46b64396633c 377781 #P_asb_2023-12Enforce authentication if encryption is required +https://github.com/LineageOS/android_system_bt/commit/80a300fa626f6c5e8e7a595469f09adc307aee40 377782 #P_asb_2023-12 Fix timing attack in BTM_BleVerifySignature +https://github.com/LineageOS/android_frameworks_base/commit/c78cee7f1c921860ac3253812548f46663383a37 377767 #P_asb_2023-12 Drop invalid data. 
+https://github.com/LineageOS/android_frameworks_base/commit/c58b86b918ab7085f17215883cc110ca3362235f 377768 #P_asb_2023-12 Require permission to unlock keyguard +https://github.com/LineageOS/android_frameworks_base/commit/b18f4518109c2f7a4c936321db87f5245b3143f3 377770 #P_asb_2023-12 Validate userId when publishing shortcuts +https://github.com/LineageOS/android_frameworks_base/commit/98fc501deb893768aeff55006ce445f688a88203 377772 #P_asb_2023-12 Adding in verification of calling UID in onShellCommand +https://github.com/LineageOS/android_system_netd/commit/02458b0a19ce2d3214a00f9779bd36868541b7ca 378480 #P_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run + + + + + + + + +https://github.com/LineageOS/android_frameworks_av/commit/978191d5fc0ede5bc11b8af2cfa2469a30ad919d 379788 #P_asb_2024-01 Fix convertYUV420Planar16ToY410 overflow issue for unsupported cropwidth. +https://github.com/LineageOS/android_frameworks_base/commit/44ce07024742aaae46a7191cd15e5ac68d209049 379789 #P_asb_2024-01 Dismiss keyguard when simpin auth'd and... +https://github.com/LineageOS/android_frameworks_base/commit/63e443bfb107da3df0e37863e34c4b947052a6c1 379790 #P_asb_2024-01 Ensure finish lockscreen when usersetup incomplete +https://github.com/LineageOS/android_frameworks_base/commit/70f50825ec98cd35d38e45eea69aa7ed8f51556a 379791 #P_asb_2024-01 Truncate user data to a limit of 500 characters +https://github.com/LineageOS/android_frameworks_base/commit/9001132c18c0eb2a6478939e1bdbbe6778af1ae3 379792 #P_asb_2024-01 Validate component name length before requesting notification access. 
+https://github.com/LineageOS/android_frameworks_base/commit/1cf5c05eaaff574e8dceb0c1a75ad02d0c669891 379793 #P_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target +https://github.com/LineageOS/android_frameworks_base/commit/5948fb2aef0547db38f2f9df47b6fad736ba72b0 379794 #P_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities +https://github.com/LineageOS/android_system_bt/commit/e65eb2fdab8644f2e7885a628f6af9244ceed813 379796 #P_asb_2024-01 Fix some OOB errors in BTM parsing +https://github.com/LineageOS/android_frameworks_base/commit/309033664a4fbb6200b3fe48d33e8f63becee810 379980 #P_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions + + + + + + +https://github.com/LineageOS/android_frameworks_av/commit/a42e0fc335d448e646309745a8d412d984748479 383562 #P_asb_2024-02 Update mtp packet buffer +https://github.com/LineageOS/android_frameworks_base/commit/6f5e6f86263c3db753c6d58f516070a45e30b619 383563 #P_asb_2024-02 Unbind TileService onNullBinding +https://github.com/LineageOS/android_system_bt/commit/14e35c7cf40595a6b1ff1d2e92f8b53fb356b3dc 383565 #P_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd +https://github.com/LineageOS/android_system_bt/commit/37ce9a968b579a87640d40e50ec91abe04101f3c 383566 #P_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd +https://github.com/LineageOS/android_packages_providers_DownloadProvider/commit/d1a6862647428e9c973f4c21adc83656c5ac98f9 383567 #P_asb_2024-02 Consolidate queryChildDocumentsXxx() implementations + + + + + + + + +https://github.com/LineageOS/android_frameworks_av/commit/cc12a31fcbd0deddd5a74b7be121baf835ecf6dc 385670 #P_asb_2024-03 Validate OMX Params for VPx encoders +https://github.com/LineageOS/android_frameworks_av/commit/ed62ccd9520a671d2fb900d236f5bc5ad16a1e7c 385671 #P_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue 
+https://github.com/LineageOS/android_frameworks_base/commit/0254ee96d60cd80a52ce583c90486d6ca1549fb6 385672 #P_asb_2024-03 Resolve custom printer icon boundary exploit. +https://github.com/LineageOS/android_frameworks_base/commit/3cbbcd611ff83ef7a0f811d04f0478f2760ae891 385673 #P_asb_2024-03 Disallow system apps to be installed/updated as instant. +https://github.com/LineageOS/android_frameworks_base/commit/8befe29745f94a8d80f59f0d644315c5424c8eb6 385674 #P_asb_2024-03 Close AccountManagerService.session after timeout. +https://github.com/LineageOS/android_system_bt/commit/fbf12851fa55267f8b654f0cd1337f9f98f83c4b 385675 #P_asb_2024-03 Fix OOB caused by invalid SMP packet length +https://github.com/LineageOS/android_system_bt/commit/73c18d6ce8333f787a4cedb24d247b071bdbf078 385676 #P_asb_2024-03 Fix an OOB bug in smp_proc_sec_req +https://github.com/LineageOS/android_system_bt/commit/42ede61231b6b1a507cbc254827ff10dd5ae8c20 385677 #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd +https://github.com/LineageOS/android_system_bt/commit/3683c921ab4afd4f2f6bef8a49cbfda227ce081f 385678 #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond + + + + + + + +https://github.com/LineageOS/android_frameworks_base/commit/e3d632959e2606a909427e4f717cd3a6cc14d4c6 389269 #P_asb_2024-04 isUserInLockDown can be true when there are other strong auth requirements +https://github.com/LineageOS/android_frameworks_base/commit/1010f9aae741c4b5e8400709a273910b9818f4ba 389270 #P_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long. + + diff --git a/Misc/pick-imports/importer.java b/Misc/pick-imports/importer.java new file mode 100644 index 00000000..eafefebe --- /dev/null +++ b/Misc/pick-imports/importer.java 
@@ -0,0 +1,44 @@
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Scanner;
+
+public class asb {
+
+ public static void main(String[] args) {
+ try {
+ Scanner s = new Scanner(System.in);
+ ArrayList patchers = new ArrayList<>();
+ while (s.hasNextLine()) {
+ String line = s.nextLine();
+ if(line.trim().length() > 0 && line.contains("github.com")) {
+ String[] lineS = line.split(" ");
+ String url = lineS[0];
+ String project = url.split("/")[4];
+ String id = lineS[1];
+ String comment = "#" + line.split(" #")[1];
+
+ //Print the folders only
+ //System.out.println(project);
+
+ //Print the downloader
+ //System.out.println("wget " + url + ".patch" + " -O " + project + "/" + id + ".patch; " + comment);
+
+ //Print the patcher
+ patchers.add("applyPatch \"$DOS_PATCHES/" + project + "/" + id + ".patch\"; " + comment);
+ }
+ if(line.equals("COMPLETE")) {
+ break;
+ }
+ }
+
+ Collections.sort(patchers);
+ for(String patcher : patchers) {
+ System.out.println(patcher);
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+}
diff --git a/Patches/LineageOS-16.0/android_external_aac/332775.patch b/Patches/LineageOS-16.0/android_external_aac/332775.patch
new file mode 100644
index 00000000..7a264e67
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_external_aac/332775.patch
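Review bot: `project` and `id` are copied from the input line straight into the generated `applyPatch "$DOS_PATCHES/…"` shell line, inside double quotes, with no check on their characters, so a stray `"`, `$` or backtick in the list would change what the generated script runs. The list looks hand-maintained, so this is probably low risk, but a guard before `patchers.add(...)` costs little: `if (!project.matches("[A-Za-z0-9._-]+") || !id.matches("[0-9]+")) { System.err.println("skipping: " + line); continue; }`. Separately, a line that contains `github.com` but has no id or no ` #` comment makes `lineS[1]` or `line.split(" #")[1]` throw, and because the `try` wraps both the loop and the final print, that one line discards every entry already collected. Catching the exception per line, and reporting the offending line on stderr, would keep the rest of the output.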
@@ -0,0 +1,45 @@
+From e40800a613eb89b5b4c701774c3cecc1c2b7dd6c Mon Sep 17 00:00:00 2001
+From: Fraunhofer IIS FDK
+Date: Tue, 5 Apr 2022 18:53:20 +0200
+Subject: [PATCH] Reject invalid out of band config in
+ transportDec_OutOfBandConfig() and skip re-allocation.
+
+Bug: 224314979
+Bug: 221734266
+Test: adb shell /data/fuzz/arm64/C2FuzzerAacDec/C2FuzzerAacDec /data/local/tmp/clusterfuzz-testcase-minimized-C2FuzzerAacDec-5461414938804224
+Test: adb shell /data/fuzz/arm64/C2FuzzerAacDec/C2FuzzerAacDec /data/local/tmp/clusterfuzz-testcase-minimized-C2FuzzerAacDec-5062403589275648
+
+Change-Id: I64e7fe1b258be2f59c6d39c0b7b699fa881d79e6
+Merged-In: I64e7fe1b258be2f59c6d39c0b7b699fa881d79e6
+(cherry picked from commit eb07c22519d94e573f2a02947094acd2219dc07a)
+Merged-In: I64e7fe1b258be2f59c6d39c0b7b699fa881d79e6
+---
+ libMpegTPDec/src/tpdec_lib.cpp | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
+index 1d8b7b3..c2dc964 100644
+--- a/libMpegTPDec/src/tpdec_lib.cpp
++++ b/libMpegTPDec/src/tpdec_lib.cpp
+@@ -1,7 +1,7 @@
+ /* -----------------------------------------------------------------------------
+ Software License for The Fraunhofer FDK AAC Codec Library for Android
+
+-© Copyright 1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
++© Copyright 1995 - 2022 Fraunhofer-Gesellschaft zur Förderung der angewandten
+ Forschung e.V. All rights reserved.
+
+ 1. INTRODUCTION
+@@ -351,6 +351,12 @@ TRANSPORTDEC_ERROR transportDec_OutOfBandConfig(HANDLE_TRANSPORTDEC hTp,
+ }
+ }
+ }
++
++ /* if an error is detected terminate config parsing to avoid that an invalid
++ * config is accepted in the second pass */
++ if (err != TRANSPORTDEC_OK) {
++ break;
++ }
+ }
+
+ if (err == TRANSPORTDEC_OK && fConfigFound) {
diff --git a/Patches/LineageOS-16.0/android_external_aac/364027.patch b/Patches/LineageOS-16.0/android_external_aac/364605.patch
similarity index 100%
rename from Patches/LineageOS-16.0/android_external_aac/364027.patch
rename to Patches/LineageOS-16.0/android_external_aac/364605.patch
diff --git a/Patches/LineageOS-16.0/android_external_dtc/342096.patch b/Patches/LineageOS-16.0/android_external_dtc/342096.patch
new file mode 100644
index 00000000..8e951b67
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_external_dtc/342096.patch
@@ -0,0 +1,55 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andre Przywara
+Date: Mon, 21 Sep 2020 17:52:50 +0100
+Subject: [PATCH] FROMGIT: libfdt: fdt_offset_ptr(): Fix comparison warnings
+
+With -Wsign-compare, compilers warn about mismatching signedness in
+comparisons in fdt_offset_ptr().
+
+This mostly stems from "offset" being passed in as a signed integer,
+even though the function would not really tolerate negative values.
+
+Short of changing the prototype, check that offset is not negative, and
+use an unsigned type internally.
+
+Bug: 230794395
+Test: manual - see bug
+Signed-off-by: Andre Przywara
+Message-Id: <20200921165303.9115-2-andre.przywara@arm.com>
+Signed-off-by: David Gibson
+Change-Id: I33c4ac27780d6bdd46c5504a839c0827c9c76bfc
+Merged-In: Idb30ae90e2b263d1dd2e931ef1d3662a23812120
+Merged-In: Ice02ecc84d6e9ab30773d039a54664b259979521
+(cherry picked from commit 35c4c2b27acf66c217865451eeecf09bc82dae66)
+Merged-In: I33c4ac27780d6bdd46c5504a839c0827c9c76bfc
+---
+ libfdt/fdt.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libfdt/fdt.c b/libfdt/fdt.c
+index 22286a1..5baaed3 100644
+--- a/libfdt/fdt.c
++++ b/libfdt/fdt.c
+@@ -76,15 +76,19 @@ int fdt_check_header(const void *fdt)
+
+ const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len)
+ {
+- unsigned absoffset = offset + fdt_off_dt_struct(fdt);
++ unsigned int uoffset = offset;
++ unsigned int absoffset = offset + fdt_off_dt_struct(fdt);
+
+- if ((absoffset < offset)
++ if (offset < 0)
++ return NULL;
++
++ if ((absoffset < uoffset)
+ || ((absoffset + len) < absoffset)
+ || (absoffset + len) > fdt_totalsize(fdt))
+ return NULL;
+
+ if (fdt_version(fdt) >= 0x11)
+- if (((offset + len) < offset)
++ if (((uoffset + len) < uoffset)
+ || ((offset + len) > fdt_size_dt_struct(fdt)))
+ return NULL;
+
diff --git a/Patches/LineageOS-16.0/android_external_dtc/344161.patch b/Patches/LineageOS-16.0/android_external_dtc/344161.patch
new file mode 100644
index 00000000..cc27b645
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_external_dtc/344161.patch
@@ -0,0 +1,49 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mike McTernan
+Date: Fri, 22 Jul 2022 11:44:33 +0100
+Subject: [PATCH] Fix integer wrap sanitisation.
+
+Test: make check
+Bug: 239630493
+Bug: 242096164
+Change-Id: I232155e7f7a54271a6a3e3a7cd91ed6bbabc051f
+Merged-In: I232155e7f7a54271a6a3e3a7cd91ed6bbabc051f
+(cherry picked from commit 05dec6d1827dc7016cad11c4ddfe8f965bceddb7)
+(cherry picked from commit 61e10c9c53b170ff8a5612ba4ec79e51d58e5eb3)
+Merged-In: I232155e7f7a54271a6a3e3a7cd91ed6bbabc051f
+---
+ libfdt/fdt.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/libfdt/fdt.c b/libfdt/fdt.c
+index 5baaed3..ed7e947 100644
+--- a/libfdt/fdt.c
++++ b/libfdt/fdt.c
+@@ -124,9 +124,15 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
+ lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
+ if (!lenp)
+ return FDT_END; /* premature end */
+- /* skip-name offset, length and value */
+- offset += sizeof(struct fdt_property) - FDT_TAGSIZE
+- + fdt32_to_cpu(*lenp);
++
++ /* skip-name offset, length */
++ offset += sizeof(struct fdt_property) - FDT_TAGSIZE;
++
++ if (!fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp)))
++ return FDT_END; /* premature end */
++
++ /* skip value */
++ offset += fdt32_to_cpu(*lenp);
+ break;
+
+ case FDT_END:
+@@ -138,7 +144,7 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
+ return FDT_END;
+ }
+
+- if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset))
++ if (offset <= startoffset || !fdt_offset_ptr(fdt, startoffset, offset - startoffset))
+ return FDT_END; /* premature end */
+
+ *nextoffset = FDT_TAGALIGN(offset);
diff --git a/Patches/LineageOS-16.0/android_external_dtc/345891.patch b/Patches/LineageOS-16.0/android_external_dtc/345891.patch
new file mode 100644
index 00000000..13972fbc
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_external_dtc/345891.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pierre-Cl=C3=A9ment=20Tosi?=
+Date: Tue, 13 Sep 2022 16:58:15 +0100
+Subject: [PATCH] libfdt: fdt_path_offset_namelen: Reject empty paths
+
+Make empty paths result in FDT_ERR_BADPATH.
+
+Per the specification (v0.4-rc4):
+
+> The convention for specifying a device path is:
+> /node-name-1/node-name-2/node-name-N
+>
+> The path to the root node is /.
+>
+> A unit address may be omitted if the full path to the
+> node is unambiguous.
+
+Bug: 246465319
+Test: libfdt_fuzzer # clusterfuzz/testcase-detail/4530863420604416
+Change-Id: I14ab0a074ab994c1f598243d2d5795d2cd9a853a
+(cherry picked from commit 3c28f3e3a1724c288d19f1b1a139cf57bfe1af33)
+(cherry picked from commit d10c84c4bc78e8ebd8c6ebf70126ad3cb0ba1c46)
+Merged-In: I14ab0a074ab994c1f598243d2d5795d2cd9a853a
+---
+ libfdt/fdt_ro.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libfdt/fdt_ro.c b/libfdt/fdt_ro.c
+index 08de2cc..3b65f16 100644
+--- a/libfdt/fdt_ro.c
++++ b/libfdt/fdt_ro.c
+@@ -188,6 +188,9 @@ int fdt_path_offset_namelen(const void *fdt, const char *path, int namelen)
+
+ FDT_CHECK_HEADER(fdt);
+
++ if (namelen < 1)
++ return -FDT_ERR_BADPATH;
++
+ /* see if we have an alias */
+ if (*path != '/') {
+ const char *q = memchr(path, '/', end - p);
diff --git a/Patches/LineageOS-16.0/android_external_expat/338353.patch b/Patches/LineageOS-16.0/android_external_expat/338353.patch
new file mode 100644
index 00000000..920c23b3
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_external_expat/338353.patch
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi
+Date: Mon, 23 May 2022 22:34:43 +0000
+Subject: [PATCH] Prevent integer overflow in copyString
+
+Bug: http://b/221384482
+Change-Id: Ibdcb5dc24ee8886a04c2e29bd6ddccf29ece73ad
+(cherry picked from commit e25c84037506951dfe74a5fae1627fe22bc0ebf4)
+Merged-In: Ibdcb5dc24ee8886a04c2e29bd6ddccf29ece73ad
+---
+ lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 90a237f3..67f661b5 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7175,7 +7175,7 @@ static XML_Char *
+ copyString(const XML_Char *s,
+ const XML_Memory_Handling_Suite *memsuite)
+ {
+- int charsRequired = 0;
++ size_t charsRequired = 0;
+ XML_Char *result;
+
+ /* First determine how long the string is */
diff --git a/Patches/LineageOS-16.0/android_external_expat/338354.patch b/Patches/LineageOS-16.0/android_external_expat/338354.patch
new file mode 100644
index 00000000..93e56a23
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_external_expat/338354.patch
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi
+Date: Thu, 2 Jun 2022 19:32:22 +0000
+Subject: [PATCH] Prevent XML_GetBuffer signed integer overflow
+
+Bug: http://b/221255869
+Change-Id: I38758fae8c71184f728f95e6073457cdb86bcc29
+(cherry picked from commit d6a09f1b7fb24dd03dc58e45062ad951a37ff8e3)
+Merged-In: I38758fae8c71184f728f95e6073457cdb86bcc29
+---
+ lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 67f661b5..1d6e722d 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2040,6 +2040,11 @@ XML_GetBuffer(XML_Parser parser, int len)
+ keep = (int)(parser->m_bufferPtr - parser->m_buffer);
+ if (keep > XML_CONTEXT_BYTES)
+ keep = XML_CONTEXT_BYTES;
++ /* Detect and prevent integer overflow */
++ if (keep > INT_MAX - neededSize) {
++ parser->m_errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
+ neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+ if (neededSize <= parser->m_bufferLim - parser->m_buffer) {
diff --git a/Patches/LineageOS-16.0/android_external_expat/338355.patch b/Patches/LineageOS-16.0/android_external_expat/338355.patch
new file mode 100644
index 00000000..0e487bb5
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_external_expat/338355.patch
@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi
+Date: Fri, 3 Jun 2022 03:40:21 +0000
+Subject: [PATCH] Prevent integer overflow in function doProlog
+
+Bug: http://b/221256678
+Change-Id: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
+(cherry picked from commit 257f1d3777240016d3ccd74a61cd7d0e0efcaae3)
+Merged-In: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
+---
+ lib/xmlparse.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 1d6e722d..7d91ed2b 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5187,23 +5187,29 @@ doProlog(XML_Parser parser,
+ if (dtd->in_eldecl) {
+ ELEMENT_TYPE *el;
+ const XML_Char *name;
+- int nameLen;
+- const char *nxt = (quant == XML_CQUANT_NONE
+- ? next
+- : next - enc->minBytesPerChar);
++ size_t nameLen;
++ const char *nxt
++ = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
+ int myindex = nextScaffoldPart(parser);
+ if (myindex < 0)
+ return XML_ERROR_NO_MEMORY;
+ dtd->scaffold[myindex].type = XML_CTYPE_NAME;
+ dtd->scaffold[myindex].quant = quant;
+ el = getElementType(parser, enc, s, nxt);
+- if (!el)
++ if (! el)
+ return XML_ERROR_NO_MEMORY;
+ name = el->name;
+ dtd->scaffold[myindex].name = name;
+ nameLen = 0;
+- for (; name[nameLen++]; );
+- dtd->contentStringLen += nameLen;
++ for (; name[nameLen++];)
++ ;
++
++ /* Detect and prevent integer overflow */
++ if (nameLen > UINT_MAX - dtd->contentStringLen) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ dtd->contentStringLen += (unsigned)nameLen;
+ if (parser->m_elementDeclHandler)
+ handleDefault = XML_FALSE;
+ }
diff --git a/Patches/LineageOS-16.0/android_external_expat/338356.patch b/Patches/LineageOS-16.0/android_external_expat/338356.patch
new file mode 100644
index 00000000..b89d4790
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_external_expat/338356.patch
@@ -0,0 +1,247 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Sadaf Ebrahimi +Date: Wed, 15 Jun 2022 04:14:33 +0000 +Subject: [PATCH] Prevent more integer overflows + +Bug: http://b/219942275 +Change-Id: I7489f59564e0053a4a46bb8c362f7c36ab0b3c9d +Merged-In: Ic5c8087ee64e6faafcf013cef9536c042eb8a09d +(cherry picked from commit 15a1f35dddde9c1a0a626972349a59642abd345a) +Merged-In: I7489f59564e0053a4a46bb8c362f7c36ab0b3c9d +--- + lib/xmlparse.c | 152 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 150 insertions(+), 2 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 7d91ed2b..121b63f7 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -3187,13 +3187,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, + + /* get the attributes from the tokenizer */ + n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts); ++ ++ /* Detect and prevent integer overflow */ ++ if (n > INT_MAX - nDefaultAtts) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ + if (n + nDefaultAtts > parser->m_attsSize) { + int oldAttsSize = parser->m_attsSize; + ATTRIBUTE *temp; + #ifdef XML_ATTR_INFO + XML_AttrInfo *temp2; + #endif ++ ++ /* Detect and prevent integer overflow */ ++ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE) ++ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ + parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE; ++ ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. 
*/ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) { ++ parser->m_attsSize = oldAttsSize; ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts, parser->m_attsSize * sizeof(ATTRIBUTE)); + if (temp == NULL) { + parser->m_attsSize = oldAttsSize; +@@ -3201,6 +3226,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, + } + parser->m_atts = temp; + #ifdef XML_ATTR_INFO ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++# if UINT_MAX >= SIZE_MAX ++ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) { ++ parser->m_attsSize = oldAttsSize; ++ return XML_ERROR_NO_MEMORY; ++ } ++# endif ++ + temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo, parser->m_attsSize * sizeof(XML_AttrInfo)); + if (temp2 == NULL) { + parser->m_attsSize = oldAttsSize; +@@ -3509,9 +3545,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, + tagNamePtr->prefixLen = prefixLen; + for (i = 0; localPart[i++];) + ; /* i includes null terminator */ ++ ++ /* Detect and prevent integer overflow */ ++ if (binding->uriLen > INT_MAX - prefixLen ++ || i > INT_MAX - (binding->uriLen + prefixLen)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ + n = i + binding->uriLen + prefixLen; + if (n > binding->uriAlloc) { + TAG *p; ++ ++ /* Detect and prevent integer overflow */ ++ if (n > INT_MAX - EXPAND_SPARE) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. 
*/ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char)); + if (!uri) + return XML_ERROR_NO_MEMORY; +@@ -3612,6 +3670,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + if (parser->m_freeBindingList) { + b = parser->m_freeBindingList; + if (len > b->uriAlloc) { ++ /* Detect and prevent integer overflow */ ++ if (len > INT_MAX - EXPAND_SPARE) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + XML_Char *temp = (XML_Char *)REALLOC(parser, b->uri, + sizeof(XML_Char) * (len + EXPAND_SPARE)); + if (temp == NULL) +@@ -3625,6 +3698,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + b = (BINDING *)MALLOC(parser, sizeof(BINDING)); + if (!b) + return XML_ERROR_NO_MEMORY; ++ ++ /* Detect and prevent integer overflow */ ++ if (len > INT_MAX - EXPAND_SPARE) { ++ return XML_ERROR_NO_MEMORY; ++ } ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. 
*/ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { ++ return XML_ERROR_NO_MEMORY; ++ } ++#endif ++ + b->uri = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE)); + if (!b->uri) { + FREE(parser, b); +@@ -6025,7 +6113,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata, + } + else { + DEFAULT_ATTRIBUTE *temp; ++ ++ /* Detect and prevent integer overflow */ ++ if (type->allocDefaultAtts > INT_MAX / 2) { ++ return 0; ++ } ++ + int count = type->allocDefaultAtts * 2; ++ ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) { ++ return 0; ++ } ++#endif ++ + temp = (DEFAULT_ATTRIBUTE *) + REALLOC(parser, type->defaultAtts, (count * sizeof(DEFAULT_ATTRIBUTE))); + if (temp == NULL) +@@ -6700,8 +6805,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) + /* check for overflow (table is half full) */ + if (table->used >> (table->power - 1)) { + unsigned char newPower = table->power + 1; ++ ++ /* Detect and prevent invalid shift */ ++ if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) { ++ return NULL; ++ } ++ + size_t newSize = (size_t)1 << newPower; + unsigned long newMask = (unsigned long)newSize - 1; ++ ++ /* Detect and prevent integer overflow */ ++ if (newSize > (size_t)(-1) / sizeof(NAMED *)) { ++ return NULL; ++ } ++ + size_t tsize = newSize * sizeof(NAMED *); + NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize); + if (!newV) +@@ -7067,6 +7184,20 @@ nextScaffoldPart(XML_Parser parser) + if (dtd->scaffCount >= dtd->scaffSize) { + CONTENT_SCAFFOLD *temp; + if (dtd->scaffold) { ++ /* Detect and prevent integer overflow */ ++ if (dtd->scaffSize > UINT_MAX / 2u) { ++ return -1; ++ } ++ 
/* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) { ++ return -1; ++ } ++#endif ++ + temp = (CONTENT_SCAFFOLD *) + REALLOC(parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD)); + if (temp == NULL) +@@ -7143,9 +7274,26 @@ build_model (XML_Parser parser) + XML_Content *ret; + XML_Content *cpos; + XML_Char * str; +- int allocsize = (dtd->scaffCount * sizeof(XML_Content) +- + (dtd->contentStringLen * sizeof(XML_Char))); + ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) { ++ return NULL; ++ } ++ if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) { ++ return NULL; ++ } ++#endif ++ if (dtd->scaffCount * sizeof(XML_Content) ++ > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) { ++ return NULL; ++ } ++ ++ const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content) ++ + (dtd->contentStringLen * sizeof(XML_Char))); + ret = (XML_Content *)MALLOC(parser, allocsize); + if (!ret) + return NULL; diff --git a/Patches/LineageOS-16.0/android_external_expat/349328.patch b/Patches/LineageOS-16.0/android_external_expat/349328.patch new file mode 100644 index 00000000..a2c2699f --- /dev/null +++ b/Patches/LineageOS-16.0/android_external_expat/349328.patch 
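Review bot: In the addBinding hunk for the branch that allocates a fresh BINDING, both new overflow guards return XML_ERROR_NO_MEMORY after `b = (BINDING *)MALLOC(parser, sizeof(BINDING))` has already succeeded, so `b` leaks on those paths. The `!b->uri` failure path just below already calls `FREE(parser, b)`, and the new guards should do the same: add `FREE(parser, b);` before each `return XML_ERROR_NO_MEMORY;`, or move the two checks above the MALLOC. The path needs a `len` close to INT_MAX, but error paths in a parser that handles untrusted input should not lose memory. addBinding's body continues outside the hunk.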
@@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Sadaf Ebrahimi +Date: Wed, 16 Nov 2022 16:31:05 +0000 +Subject: [PATCH] Fix overeager DTD destruction (fixes #649) + +Bug: http://b/255449293 +Test: TreeHugger +Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6 +(cherry picked from commit eb8f10fb1f4eb13c5a2ba1edbfd64b5f2a50ff4a) +Merged-In: I15ba529c07a6b868484bd5972be154c07cd97cc6 +--- + lib/xmlparse.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 121b63f7..90089ab7 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1013,7 +1013,15 @@ parserCreate(const XML_Char *encodingName, + poolInit(&parser->m_temp2Pool, &(parser->m_mem)); + parserInit(parser, encodingName); + +- if (encodingName && !parser->m_protocolEncodingName) { ++ if (encodingName && ! parser->m_protocolEncodingName) { ++ if (dtd) { ++ // We need to stop the upcoming call to XML_ParserFree from happily ++ // destroying parser->m_dtd because the DTD is shared with the parent ++ // parser and the only guard that keeps XML_ParserFree from destroying ++ // parser->m_dtd is parser->m_isParamEntity but it will be set to ++ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all). ++ parser->m_dtd = NULL; ++ } + XML_ParserFree(parser); + return NULL; + } diff --git a/Patches/LineageOS-16.0/android_external_libxml2/368053.patch b/Patches/LineageOS-16.0/android_external_libxml2/370701.patch similarity index 100% rename from Patches/LineageOS-16.0/android_external_libxml2/368053.patch rename to Patches/LineageOS-16.0/android_external_libxml2/370701.patch diff --git a/Patches/LineageOS-16.0/android_external_zlib/351909.patch b/Patches/LineageOS-16.0/android_external_zlib/351909.patch new file mode 100644 index 00000000..16250bae --- /dev/null +++ b/Patches/LineageOS-16.0/android_external_zlib/351909.patch 
@@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Sadaf Ebrahimi +Date: Tue, 22 Nov 2022 22:00:13 +0000 +Subject: [PATCH] Fix a bug when getting a gzip header extra field with + inflate(). + +If the extra field was larger than the space the user provided with +inflateGetHeader(), and if multiple calls of inflate() delivered +the extra header data, then there could be a buffer overflow of the +provided space. This commit assures that provided space is not +exceeded. + +Bug: http://b/242299736 +Test: TreeHugger + +Change-Id: I4eabb3e135c1568e06b2b9740651a3ae11b21140 +(cherry picked from commit 1c4806afd7ae034aa9f86df35d4341a0b175a90a) +Merged-In: I4eabb3e135c1568e06b2b9740651a3ae11b21140 +--- + src/inflate.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/inflate.c b/src/inflate.c +index ac333e8..cd01857 100644 +--- a/src/inflate.c ++++ b/src/inflate.c +@@ -759,8 +759,9 @@ int flush; + if (copy > have) copy = have; + if (copy) { + if (state->head != Z_NULL && +- state->head->extra != Z_NULL) { +- len = state->head->extra_len - state->length; ++ state->head->extra != Z_NULL && ++ (len = state->head->extra_len - state->length) < ++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); diff --git a/Patches/LineageOS-16.0/android_frameworks_av/344167.patch b/Patches/LineageOS-16.0/android_frameworks_av/344167.patch new file mode 100644 index 00000000..2be828fc --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_av/344167.patch 
@@ -0,0 +1,67 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Edwin Wong +Date: Tue, 21 Jun 2022 01:36:43 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE - [Fix vulnerability] setSecurityLevel in + clearkey + +Potential race condition in clearkey setSecurityLevel. + +POC test in http://go/ag/19083795 + +Test: sts-tradefed run sts-dynamic-develop -m StsHostTestCases -t android.security.sts.CVE_2022_2209#testPocCVE_2022_2209 + +Bug: 235601882 +Change-Id: I6447fb539ef0cb395772c61e6f3e1504ccde331b +(cherry picked from commit dab37c25e3337387809fd35c7cd46abf76088b83) +Merged-In: I6447fb539ef0cb395772c61e6f3e1504ccde331b +--- + drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp | 2 ++ + drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h | 8 +++++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp +index 0737851acc..923e4d500e 100644 +--- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp ++++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp +@@ -381,6 +381,7 @@ Return DrmPlugin::getSecurityLevel(const hidl_vec& sessionId, + return Void(); + } + ++ Mutex::Autolock lock(mSecurityLevelLock); + std::map, SecurityLevel>::iterator itr = + mSecurityLevel.find(sid); + if (itr == mSecurityLevel.end()) { +@@ -411,6 +412,7 @@ Return DrmPlugin::setSecurityLevel(const hidl_vec& sessionId, + return Status::ERROR_DRM_SESSION_NOT_OPENED; + } + ++ Mutex::Autolock lock(mSecurityLevelLock); + std::map, SecurityLevel>::iterator itr = + mSecurityLevel.find(sid); + if (itr != mSecurityLevel.end()) { +diff --git a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h +index 7d9650f4bf..5360623aef 100644 +--- a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h ++++ b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h +@@ -323,7 +323,8 @@ private: + std::vector mPlayPolicy; + 
std::map mStringProperties; + std::map > mByteArrayProperties; +- std::map, SecurityLevel> mSecurityLevel; ++ std::map, SecurityLevel> mSecurityLevel ++ GUARDED_BY(mSecurityLevelLock); + sp mListener; + SessionLibrary *mSessionLibrary; + int64_t mOpenSessionOkCount; +@@ -332,6 +333,11 @@ private: + uint32_t mNextSecureStopId; + android::Mutex mPlayPolicyLock; + ++ DeviceFiles mFileHandle GUARDED_BY(mFileHandleLock); ++ Mutex mFileHandleLock; ++ Mutex mSecureStopLock; ++ Mutex mSecurityLevelLock; ++ + CLEARKEY_DISALLOW_COPY_AND_ASSIGN_AND_NEW(DrmPlugin); + }; + diff --git a/Patches/LineageOS-16.0/android_frameworks_av/349329.patch b/Patches/LineageOS-16.0/android_frameworks_av/349329.patch new file mode 100644 index 00000000..5623a57e --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_av/349329.patch 
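Review bot: `mSecurityLevelLock` is taken only in getSecurityLevel and setSecurityLevel, so the race is closed only if no other method touches `mSecurityLevel` without it. Any code that inserts or erases session entries (presumably the session open/close paths, which are not visible in this patch) needs the same `Mutex::Autolock lock(mSecurityLevelLock);`. The `GUARDED_BY` annotation will flag those sites only when the build enables `-Wthread-safety`. The header also adds `mFileHandle`, `mFileHandleLock` and `mSecureStopLock`, which nothing in this patch uses; on a backport it is worth confirming that they, and the `DeviceFiles` type, belong on this branch.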
@@ -0,0 +1,242 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ray Essick +Date: Thu, 1 Dec 2022 21:02:09 -0600 +Subject: [PATCH] move MediaCodec metrics processing to looper thread + +consolidate to avoid concurrency/mutex problems. + +Bug: 256087846 +Bug: 245860753 +Test: atest CtsMediaV2TestCases +Test: atest CtsMediaCodecTestCases +Merged-In: Ie77f0028cab8091edd97d3a60ad4c80da3092cfe +Merged-In: I56eceb6b12ce14348d3f9f2944968e70c6086aa8 +Merged-In: I94b0a2ac029dc0b90a93e9ed844768e9da5259b9 +Merged-In: I739248436a4801a4b9a96395f481640f2956cedf +Change-Id: If5269d3efcd7c262020e580fe84fe89261a1af60 +(cherry picked from commit 0ccdce19f669cd628ab6d116c131efc8d15707ee) +Merged-In: If5269d3efcd7c262020e580fe84fe89261a1af60 +--- + media/libstagefright/MediaCodec.cpp | 102 ++++++++++++++---- + .../include/media/stagefright/MediaCodec.h | 3 + + 2 files changed, 86 insertions(+), 19 deletions(-) + +diff --git a/media/libstagefright/MediaCodec.cpp b/media/libstagefright/MediaCodec.cpp +index 353e40702f..cd1d24b06b 100644 +--- a/media/libstagefright/MediaCodec.cpp ++++ b/media/libstagefright/MediaCodec.cpp +@@ -40,6 +40,7 @@ + #include + #include + #include ++// RBE do i need to add this? 
#include // RBE + #include + #include + #include +@@ -546,6 +547,14 @@ MediaCodec::~MediaCodec() { + mResourceManagerService->removeResource(getId(mResourceManagerClient)); + + flushAnalyticsItem(); ++ ++ // clean up any saved AnalyticsItem stored in the configuration message ++ if (mConfigureMsg != nullptr) { ++ MediaAnalyticsItem *oldItem = nullptr; ++ if (mConfigureMsg->findPointer("metrics", (void**) &oldItem)) { ++ delete oldItem; ++ } ++ } + } + + void MediaCodec::initAnalyticsItem() { +@@ -570,6 +579,8 @@ void MediaCodec::updateAnalyticsItem() { + return; + } + ++ Mutex::Autolock _lock(mMetricsLock); ++ + if (mLatencyHist.getCount() != 0 ) { + mAnalyticsItem->setInt64(kCodecLatencyMax, mLatencyHist.getMax()); + mAnalyticsItem->setInt64(kCodecLatencyMin, mLatencyHist.getMin()); +@@ -632,7 +643,10 @@ void MediaCodec::updateEphemeralAnalytics(MediaAnalyticsItem *item) { + } + + void MediaCodec::flushAnalyticsItem() { ++ // update does its own mutex locking + updateAnalyticsItem(); ++ ++ Mutex::Autolock _lock(mMetricsLock); + if (mAnalyticsItem != NULL) { + // don't log empty records + if (mAnalyticsItem->count() > 0) { +@@ -1018,16 +1032,22 @@ status_t MediaCodec::configure( + uint32_t flags) { + sp msg = new AMessage(kWhatConfigure, this); + +- if (mAnalyticsItem != NULL) { ++ MediaAnalyticsItem *newItem = new MediaAnalyticsItem(kCodecKeyName); ++ ++ if (newItem != NULL) { + int32_t profile = 0; + if (format->findInt32("profile", &profile)) { +- mAnalyticsItem->setInt32(kCodecProfile, profile); ++ newItem->setInt32(kCodecProfile, profile); + } + int32_t level = 0; + if (format->findInt32("level", &level)) { +- mAnalyticsItem->setInt32(kCodecLevel, level); ++ newItem->setInt32(kCodecLevel, level); + } +- mAnalyticsItem->setInt32(kCodecEncoder, (flags & CONFIGURE_FLAG_ENCODE) ? 1 : 0); ++ newItem->setInt32(kCodecEncoder, (flags & CONFIGURE_FLAG_ENCODE) ? 
1 : 0); ++ ++ newItem->setCString(kCodecCodec, mInitName.c_str()); ++ newItem->setCString(kCodecMode, mIsVideo ? kCodecModeVideo : kCodecModeAudio); ++ + } + + if (mIsVideo) { +@@ -1037,17 +1057,17 @@ status_t MediaCodec::configure( + mRotationDegrees = 0; + } + +- if (mAnalyticsItem != NULL) { +- mAnalyticsItem->setInt32(kCodecWidth, mVideoWidth); +- mAnalyticsItem->setInt32(kCodecHeight, mVideoHeight); +- mAnalyticsItem->setInt32(kCodecRotation, mRotationDegrees); ++ if (newItem != NULL) { ++ newItem->setInt32(kCodecWidth, mVideoWidth); ++ newItem->setInt32(kCodecHeight, mVideoHeight); ++ newItem->setInt32(kCodecRotation, mRotationDegrees); + int32_t maxWidth = 0; + if (format->findInt32("max-width", &maxWidth)) { +- mAnalyticsItem->setInt32(kCodecMaxWidth, maxWidth); ++ newItem->setInt32(kCodecMaxWidth, maxWidth); + } + int32_t maxHeight = 0; + if (format->findInt32("max-height", &maxHeight)) { +- mAnalyticsItem->setInt32(kCodecMaxHeight, maxHeight); ++ newItem->setInt32(kCodecMaxHeight, maxHeight); + } + } + +@@ -1075,6 +1095,15 @@ status_t MediaCodec::configure( + ALOGW("Crypto or descrambler should be given for secure codec"); + } + ++ // recover space of any previous saved baseline analytics info ++ if (mConfigureMsg != nullptr) { ++ MediaAnalyticsItem *oldItem = nullptr; ++ if (mConfigureMsg->findPointer("metrics", (void **) &oldItem)) { ++ delete oldItem; ++ } ++ } ++ msg->setPointer("metrics", newItem); ++ + // save msg for reset + mConfigureMsg = msg; + +@@ -1530,20 +1559,36 @@ status_t MediaCodec::getMetrics(MediaAnalyticsItem * &reply) { + + reply = NULL; + +- // shouldn't happen, but be safe +- if (mAnalyticsItem == NULL) { +- return UNKNOWN_ERROR; ++ sp msg = new AMessage(kWhatGetMetrics, this); ++ sp response; ++ status_t err; ++ if ((err = PostAndAwaitResponse(msg, &response)) != OK) { ++ return err; + } + +- // update any in-flight data that's not carried within the record +- updateAnalyticsItem(); ++ CHECK(response->findPointer("metrics", (void 
**) &reply)); + +- // send it back to the caller. +- reply = mAnalyticsItem->dup(); ++ return OK; ++} + +- updateEphemeralAnalytics(reply); ++// runs on the looper thread (for mutex purposes) ++void MediaCodec::onGetMetrics(const sp& msg) { + +- return OK; ++ MediaAnalyticsItem *results = nullptr; ++ ++ sp replyID; ++ CHECK(msg->senderAwaitsResponse(&replyID)); ++ ++ // RBE is it always non-null at this point? ++ if (mAnalyticsItem != nullptr) { ++ updateAnalyticsItem(); ++ results = mAnalyticsItem->dup(); ++ updateEphemeralAnalytics(results); ++ } ++ ++ sp response = new AMessage; ++ response->setPointer("metrics", results); ++ response->postReply(replyID); + } + + status_t MediaCodec::getInputBuffers(Vector > *buffers) const { +@@ -2381,6 +2426,13 @@ void MediaCodec::onMessageReceived(const sp &msg) { + break; + } + ++ case kWhatGetMetrics: ++ { ++ onGetMetrics(msg); ++ break; ++ } ++ ++ + case kWhatConfigure: + { + sp replyID; +@@ -2397,6 +2449,18 @@ void MediaCodec::onMessageReceived(const sp &msg) { + sp format; + CHECK(msg->findMessage("format", &format)); + ++ // start with a copy of the passed metrics info for use in this run ++ MediaAnalyticsItem *handle; ++ CHECK(msg->findPointer("metrics", (void **) &handle)); ++ if (handle != nullptr) { ++ if (mAnalyticsItem != nullptr) { ++ flushAnalyticsItem(); ++ } ++ mAnalyticsItem = handle->dup(); ++ // and set some additional metrics values ++ initAnalyticsItem(); ++ } ++ + int32_t push; + if (msg->findInt32("push-blank-buffers-on-shutdown", &push) && push != 0) { + mFlags |= kFlagPushBlankBuffersOnShutdown; +diff --git a/media/libstagefright/include/media/stagefright/MediaCodec.h b/media/libstagefright/include/media/stagefright/MediaCodec.h +index 7f6aae6281..b9f5c0b239 100644 +--- a/media/libstagefright/include/media/stagefright/MediaCodec.h ++++ b/media/libstagefright/include/media/stagefright/MediaCodec.h +@@ -257,6 +257,7 @@ private: + kWhatSetCallback = 'setC', + kWhatSetNotification = 'setN', + 
kWhatDrmReleaseCrypto = 'rDrm', ++ kWhatGetMetrics = 'getM', + }; + + enum { +@@ -320,11 +321,13 @@ private: + sp mSurface; + SoftwareRenderer *mSoftRenderer; + ++ Mutex mMetricsLock; + MediaAnalyticsItem *mAnalyticsItem; + void initAnalyticsItem(); + void updateAnalyticsItem(); + void flushAnalyticsItem(); + void updateEphemeralAnalytics(MediaAnalyticsItem *item); ++ void onGetMetrics(const sp& msg); + + sp mOutputFormat; + sp mInputFormat; diff --git a/Patches/LineageOS-16.0/android_frameworks_av/359729.patch b/Patches/LineageOS-16.0/android_frameworks_av/359729.patch new file mode 100644 index 00000000..45469fb1 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_av/359729.patch 
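Review bot: getMetrics now returns OK with `reply` still NULL when `mAnalyticsItem` is null, because onGetMetrics leaves `results` as nullptr in that case and posts it, and the caller side only CHECKs that the "metrics" key exists. The code this replaces returned UNKNOWN_ERROR there, so a caller that dereferences `reply` on OK would now fault. Adding `if (reply == NULL) return UNKNOWN_ERROR;` after the `CHECK(response->findPointer("metrics", ...))` line keeps the old contract. The leftover `// RBE ...` question comments should be resolved or removed before this lands.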
@@ -0,0 +1,75 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ray Essick +Date: Mon, 27 Mar 2023 18:16:46 -0500 +Subject: [PATCH] Fix NuMediaExtractor::readSampleData buffer Handling + +readSampleData() did not initialize buffer before filling it, +leading to OOB memory references. Correct and clarify the book +keeping around output buffer management. + +Bug: 275418191 +Test: CtsMediaExtractorTestCases w/debug messages +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:943fc12219b21d2a98f0ddc070b9b316a6f5d412) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:84c69bca81175feb2fd97ebb22e432ee41572786) +Merged-In: Ie744f118526f100d82a312c64f7c6fcf20773b6d +Change-Id: Ie744f118526f100d82a312c64f7c6fcf20773b6d +--- + media/libstagefright/NuMediaExtractor.cpp | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/media/libstagefright/NuMediaExtractor.cpp b/media/libstagefright/NuMediaExtractor.cpp +index 4a7d6ca7ad..90ddcb81c3 100644 +--- a/media/libstagefright/NuMediaExtractor.cpp ++++ b/media/libstagefright/NuMediaExtractor.cpp +@@ -607,9 +607,11 @@ status_t NuMediaExtractor::appendVorbisNumPageSamples( + numPageSamples = -1; + } + ++ // insert, including accounting for the space used. 
+ memcpy((uint8_t *)buffer->data() + mbuf->range_length(), + &numPageSamples, + sizeof(numPageSamples)); ++ buffer->setRange(buffer->offset(), buffer->size() + sizeof(numPageSamples)); + + uint32_t type; + const void *data; +@@ -658,6 +660,8 @@ status_t NuMediaExtractor::readSampleData(const sp &buffer) { + + ssize_t minIndex = fetchAllTrackSamples(); + ++ buffer->setRange(0, 0); // start with an empty buffer ++ + if (minIndex < 0) { + return ERROR_END_OF_STREAM; + } +@@ -673,25 +677,25 @@ status_t NuMediaExtractor::readSampleData(const sp &buffer) { + sampleSize += sizeof(int32_t); + } + ++ // capacity() is ok since we cleared out the buffer + if (buffer->capacity() < sampleSize) { + return -ENOMEM; + } + ++ const size_t srclen = it->mBuffer->range_length(); + const uint8_t *src = + (const uint8_t *)it->mBuffer->data() + + it->mBuffer->range_offset(); + +- memcpy((uint8_t *)buffer->data(), src, it->mBuffer->range_length()); ++ memcpy((uint8_t *)buffer->data(), src, srclen); ++ buffer->setRange(0, srclen); + + status_t err = OK; + if (info->mTrackFlags & kIsVorbis) { ++ // adjusts range when it inserts the extra bits + err = appendVorbisNumPageSamples(it->mBuffer, buffer); + } + +- if (err == OK) { +- buffer->setRange(0, sampleSize); +- } +- + return err; + } + diff --git a/Patches/LineageOS-16.0/android_frameworks_av/366126.patch b/Patches/LineageOS-16.0/android_frameworks_av/366126.patch new file mode 100644 index 00000000..77074939 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_av/366126.patch 
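Review bot: In appendVorbisNumPageSamples the memcpy destination is computed from `mbuf->range_length()` while the added setRange grows `buffer->size()`. The two agree only because readSampleData has just set the destination range to `(0, srclen)`, and that dependency is not written down. A comment at the memcpy would make the contract explicit, e.g. `// caller has set buffer's range to (0, mbuf->range_length()) and checked capacity for the extra sizeof(int32_t)`. Both functions continue outside their hunks, so any other caller of appendVorbisNumPageSamples should be checked against the same assumption.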
@@ -0,0 +1,32 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Shruti Bihani +Date: Thu, 6 Jul 2023 08:41:56 +0000 +Subject: [PATCH] Fix Segv on unknown address error flagged by fuzzer test. + +The error is thrown when the destructor tries to free pointer memory. +This is happening for cases where the pointer was not initialized. Initializing it to a default value fixes the error. + +Bug: 245135112 +Test: Build mtp_host_property_fuzzer and run on the target device +(cherry picked from commit 3afa6e80e8568fe63f893fa354bc79ef91d3dcc0) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d44311374e41a26b28db56794c9a7890a13a6972) +Merged-In: I255cd68b7641e96ac47ab81479b9b46b78c15580 +Change-Id: I255cd68b7641e96ac47ab81479b9b46b78c15580 +--- + media/mtp/MtpProperty.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/media/mtp/MtpProperty.h b/media/mtp/MtpProperty.h +index bfd5f7f59a..1eb8874af1 100644 +--- a/media/mtp/MtpProperty.h ++++ b/media/mtp/MtpProperty.h +@@ -26,6 +26,9 @@ namespace android { + class MtpDataPacket; + + struct MtpPropertyValue { ++ // pointer str initialized to NULL so that free operation ++ // is not called for pre-assigned value ++ MtpPropertyValue() : str (NULL) {} + union { + int8_t i8; + uint8_t u8; diff --git a/Patches/LineageOS-16.0/android_frameworks_av/374924.patch b/Patches/LineageOS-16.0/android_frameworks_av/374924.patch new file mode 100644 index 00000000..bcde2adf --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_av/374924.patch 
@@ -0,0 +1,79 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Shruti Bihani +Date: Mon, 10 Jul 2023 08:53:42 +0000 +Subject: [PATCH] Fix for heap buffer overflow issue flagged by fuzzer test. + +OOB write occurs when a value is assigned to a buffer index which is greater than the buffer size. Adding a check on buffer bounds fixes the issue. + +Similar checks have been added wherever applicable on other such methods of the class. + +Bug: 243463593 +Test: Build mtp_packet_fuzzer and run on the target device +(cherry picked from commit a669e34bb8e6f0f7b5d7a35144bd342271a24712) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1401a723899766632363129265b30d433ac69c44) +Merged-In: Icd0f2307803a1a35e655bc08d9d4cca5e2b58a9b +Change-Id: Icd0f2307803a1a35e655bc08d9d4cca5e2b58a9b +--- + media/mtp/MtpPacket.cpp | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +diff --git a/media/mtp/MtpPacket.cpp b/media/mtp/MtpPacket.cpp +index 3dd4248e4c..917967cf17 100644 +--- a/media/mtp/MtpPacket.cpp ++++ b/media/mtp/MtpPacket.cpp +@@ -92,24 +92,46 @@ void MtpPacket::copyFrom(const MtpPacket& src) { + } + + uint16_t MtpPacket::getUInt16(int offset) const { +- return ((uint16_t)mBuffer[offset + 1] << 8) | (uint16_t)mBuffer[offset]; ++ if ((unsigned long)(offset+2) <= mBufferSize) { ++ return ((uint16_t)mBuffer[offset + 1] << 8) | (uint16_t)mBuffer[offset]; ++ } ++ else { ++ ALOGE("offset for buffer read is greater than buffer size!"); ++ abort(); ++ } + } + + uint32_t MtpPacket::getUInt32(int offset) const { +- return ((uint32_t)mBuffer[offset + 3] << 24) | ((uint32_t)mBuffer[offset + 2] << 16) | +- ((uint32_t)mBuffer[offset + 1] << 8) | (uint32_t)mBuffer[offset]; ++ if ((unsigned long)(offset+4) <= mBufferSize) { ++ return ((uint32_t)mBuffer[offset + 3] << 24) | ((uint32_t)mBuffer[offset + 2] << 16) | ++ ((uint32_t)mBuffer[offset + 1] << 8) | (uint32_t)mBuffer[offset]; ++ } 
++ else { ++ ALOGE("offset for buffer read is greater than buffer size!"); ++ abort(); ++ } + } + + void MtpPacket::putUInt16(int offset, uint16_t value) { +- mBuffer[offset++] = (uint8_t)(value & 0xFF); +- mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF); ++ if ((unsigned long)(offset+2) <= mBufferSize) { ++ mBuffer[offset++] = (uint8_t)(value & 0xFF); ++ mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF); ++ } ++ else { ++ ALOGE("offset for buffer write is greater than buffer size!"); ++ } + } + + void MtpPacket::putUInt32(int offset, uint32_t value) { +- mBuffer[offset++] = (uint8_t)(value & 0xFF); +- mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF); +- mBuffer[offset++] = (uint8_t)((value >> 16) & 0xFF); +- mBuffer[offset++] = (uint8_t)((value >> 24) & 0xFF); ++ if ((unsigned long)(offset+4) <= mBufferSize) { ++ mBuffer[offset++] = (uint8_t)(value & 0xFF); ++ mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF); ++ mBuffer[offset++] = (uint8_t)((value >> 16) & 0xFF); ++ mBuffer[offset++] = (uint8_t)((value >> 24) & 0xFF); ++ } ++ else { ++ ALOGE("offset for buffer write is greater than buffer size!"); ++ } + } + + uint16_t MtpPacket::getContainerCode() const { diff --git a/Patches/LineageOS-16.0/android_frameworks_av/377765.patch b/Patches/LineageOS-16.0/android_frameworks_av/377765.patch new file mode 100644 index 00000000..8b26216c --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_av/377765.patch 
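Review bot: The new bounds checks in getUInt16, getUInt32, putUInt16 and putUInt32 still admit small negative offsets. With `offset == -1`, `(unsigned long)(offset+2)` is 1, so the test passes and `mBuffer[offset]` indexes before the buffer. `offset+2` and `offset+4` are also computed in `int` before the cast, so they can overflow for offsets near INT_MAX. Checking the sign and doing the addition in the unsigned type covers both, e.g. `if (offset >= 0 && (size_t)offset + 2 <= mBufferSize)`, and likewise with `+ 4`. Separately, the getters abort() while the setters only log and drop the write, leaving the packet silently incomplete; if that asymmetry is intended it deserves a comment.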
@@ -0,0 +1,106 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Toni Heidenreich +Date: Wed, 6 Sep 2023 12:49:33 +0000 +Subject: [PATCH] httplive: fix use-after-free + +Implement a mutex to ensure secure multi-threaded +access to the KeyedVector in MetaDataBase. +Concurrent access by different threads can lead +to accessing the wrong memory location due to +potential changes in the vector + +Bug: 298057702 +Test: HTTP Live Streaming test +(cherry picked from https://partner-android-review.googlesource.com/q/commit:a2dfb31957a9d5358d0219a0eda7dcb5b0fff5fe) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90fb4ca425444429ada6ce0de1c13d35829bc196) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c1d9613ef64e01d2e81c4aa44c90dcd8ca958b9) +Merged-In: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a +Change-Id: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a + +Change-Id: Ibad99da2ee0d9259844c32f954e6db290043e45b +--- + media/libmediaextractor/MetaDataBase.cpp | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/media/libmediaextractor/MetaDataBase.cpp b/media/libmediaextractor/MetaDataBase.cpp +index bfea6f1537..a3c623e354 100644 +--- a/media/libmediaextractor/MetaDataBase.cpp ++++ b/media/libmediaextractor/MetaDataBase.cpp +@@ -24,6 +24,8 @@ + #include + #include + ++#include ++ + #include + #include + #include +@@ -75,6 +77,7 @@ struct MetaDataBase::Rect { + + + struct MetaDataBase::MetaDataInternal { ++ std::mutex mLock; + KeyedVector mItems; + }; + +@@ -99,10 +102,12 @@ MetaDataBase::~MetaDataBase() { + } + + void MetaDataBase::clear() { ++ std::lock_guard guard(mInternalData->mLock); + mInternalData->mItems.clear(); + } + + bool MetaDataBase::remove(uint32_t key) { ++ std::lock_guard guard(mInternalData->mLock); + ssize_t i = mInternalData->mItems.indexOfKey(key); + + if (i < 0) { +@@ -249,6 +254,7 @@ bool MetaDataBase::setData( + uint32_t key, uint32_t type, const 
void *data, size_t size) { + bool overwrote_existing = true; + ++ std::lock_guard guard(mInternalData->mLock); + ssize_t i = mInternalData->mItems.indexOfKey(key); + if (i < 0) { + typed_data item; +@@ -266,6 +272,7 @@ bool MetaDataBase::setData( + + bool MetaDataBase::findData(uint32_t key, uint32_t *type, + const void **data, size_t *size) const { ++ std::lock_guard guard(mInternalData->mLock); + ssize_t i = mInternalData->mItems.indexOfKey(key); + + if (i < 0) { +@@ -280,6 +287,7 @@ bool MetaDataBase::findData(uint32_t key, uint32_t *type, + } + + bool MetaDataBase::hasData(uint32_t key) const { ++ std::lock_guard guard(mInternalData->mLock); + ssize_t i = mInternalData->mItems.indexOfKey(key); + + if (i < 0) { +@@ -426,6 +434,7 @@ static void MakeFourCCString(uint32_t x, char *s) { + + String8 MetaDataBase::toString() const { + String8 s; ++ std::lock_guard guard(mInternalData->mLock); + for (int i = mInternalData->mItems.size(); --i >= 0;) { + int32_t key = mInternalData->mItems.keyAt(i); + char cc[5]; +@@ -440,6 +449,7 @@ String8 MetaDataBase::toString() const { + } + + void MetaDataBase::dumpToLog() const { ++ std::lock_guard guard(mInternalData->mLock); + for (int i = mInternalData->mItems.size(); --i >= 0;) { + int32_t key = mInternalData->mItems.keyAt(i); + char cc[5]; +@@ -451,6 +461,7 @@ void MetaDataBase::dumpToLog() const { + + status_t MetaDataBase::writeToParcel(Parcel &parcel) { + status_t ret; ++ std::lock_guard guard(mInternalData->mLock); + size_t numItems = mInternalData->mItems.size(); + ret = parcel.writeUint32(uint32_t(numItems)); + if (ret) { diff --git a/Patches/LineageOS-16.0/android_frameworks_av/379788.patch b/Patches/LineageOS-16.0/android_frameworks_av/379788.patch new file mode 100644 index 00000000..e6d917e1 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_av/379788.patch 
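Review bot: In 377765.patch, `MetaDataBase::findData` takes the new guard only for the duration of the call, but it reports its result through `const void **data`. If that pointer refers to storage owned by `mItems` (the body lies outside the hunk, so this is inferred), a concurrent `setData()`, `remove()` or `clear()` can still invalidate it once the guard is released. The lock therefore makes the lookup safe but not the caller's later use of the pointer. I would state the lifetime rule next to the guard, for example `// *data points into mItems; it is only valid until the next setData()/remove()/clear() on this object, so callers must copy it if other threads can mutate the metadata`.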
@@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Songyue Han +Date: Tue, 3 Oct 2023 22:40:14 +0000 +Subject: [PATCH] Fix convertYUV420Planar16ToY410 overflow issue for + unsupported cropwidth. + +Bug: 300476626 +Test: color_conversion_fuzzer +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:de2ad0fad97d6d97d1e01f0e8d8309536eb268b4) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:745ab99f7343bc236b88b9d63cd7b06ab192f9e9) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:aa8298ec8eb903e1e3dd915fa24f32e1aea1f76c) +Merged-In: I8631426188af3c5f9b6c1ff6a0039254c252f733 +Change-Id: I8631426188af3c5f9b6c1ff6a0039254c252f733 +--- + media/libstagefright/colorconversion/ColorConverter.cpp | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/media/libstagefright/colorconversion/ColorConverter.cpp b/media/libstagefright/colorconversion/ColorConverter.cpp +index a1873bc5c4..94356b0b0c 100644 +--- a/media/libstagefright/colorconversion/ColorConverter.cpp ++++ b/media/libstagefright/colorconversion/ColorConverter.cpp +@@ -592,7 +592,8 @@ status_t ColorConverter::convertYUV420Planar16ToY410( + + uint32_t u01, v01, y01, y23, y45, y67, uv0, uv1; + size_t x = 0; +- for (; x < src.cropWidth() - 3; x += 4) { ++ // x % 4 is always 0 so x + 3 will never overflow. ++ for (; x + 3 < src.cropWidth(); x += 4) { + u01 = *((uint32_t*)ptr_u); ptr_u += 2; + v01 = *((uint32_t*)ptr_v); ptr_v += 2; + diff --git a/Patches/LineageOS-16.0/android_frameworks_av/383562.patch b/Patches/LineageOS-16.0/android_frameworks_av/383562.patch new file mode 100644 index 00000000..0fd71ace --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_av/383562.patch 
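Review bot: In 379788.patch, the comment added above the loop in `convertYUV420Planar16ToY410` explains why `x + 3` is safe but not why the old condition was wrong, which is what the next reader needs. Assuming `cropWidth()` is unsigned, as the commit subject implies, `src.cropWidth() - 3` wraps for widths below 3 and the loop then runs far past the row. I would write it as `// cropWidth() - 3 wraps for widths below 3, so compare x + 3 instead; x is a multiple of 4, so x + 3 cannot overflow.` The loop body and any handling of a 1–3 pixel remainder are outside the hunk.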
@@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ashish Kumar Gupta +Date: Tue, 21 Nov 2023 08:48:43 +0530 +Subject: [PATCH] Update mtp packet buffer + +Currently, the buffer size is not changed when the packet size is increased. Ideally, the buffer size should be larger than the packet size. In our case, when the packet size is increased, we must reallocate the buffer of MTP packet. + +Bug: 300007708 +Test: build and flash the device. Check MTP works +Test: run fuzzer locally +(cherry picked from commit e1494a2d8e7eee25d7ea5469be43740e97294c99) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c0f99beb6fa5ff920caf5b0d06aaebc8e9eab24) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:edf60c63243903b9f27f58f4954c599470d011fd) +Merged-In: I98398a9e15962e6d5f08445ee7b17f5d61a3a528 +Change-Id: I98398a9e15962e6d5f08445ee7b17f5d61a3a528 +--- + media/mtp/MtpPacket.cpp | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/media/mtp/MtpPacket.cpp b/media/mtp/MtpPacket.cpp +index 917967cf17..d7567141d6 100644 +--- a/media/mtp/MtpPacket.cpp ++++ b/media/mtp/MtpPacket.cpp +@@ -168,8 +168,10 @@ void MtpPacket::setParameter(int index, uint32_t value) { + return; + } + int offset = MTP_CONTAINER_PARAMETER_OFFSET + (index - 1) * sizeof(uint32_t); +- if (mPacketSize < offset + sizeof(uint32_t)) ++ if (mPacketSize < offset + sizeof(uint32_t)) { + mPacketSize = offset + sizeof(uint32_t); ++ allocate(mPacketSize); ++ } + putUInt32(offset, value); + } + diff --git a/Patches/LineageOS-16.0/android_frameworks_av/385670.patch b/Patches/LineageOS-16.0/android_frameworks_av/385670.patch new file mode 100644 index 00000000..ca4f7fbe --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_av/385670.patch 
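Review bot: In 383562.patch, `MtpPacket::setParameter` raises `mPacketSize` before `allocate(mPacketSize)` is known to have grown the buffer, and nothing checks the outcome of the grow. `allocate()` is defined outside the hunk, so whether it can fail is inferred. The bounds-checked `putUInt32` visible elsewhere in this patch set only logs and skips the write when `offset+4` exceeds `mBufferSize`, which would leave the packet size claiming a parameter that was never stored. Assuming `allocate()` updates `mBufferSize`, growing first and committing the size afterwards avoids that: `allocate(offset + sizeof(uint32_t));`, then `if (mBufferSize < offset + sizeof(uint32_t)) return;`, then `mPacketSize = offset + sizeof(uint32_t);`.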
@@ -0,0 +1,105 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Haripriya Deshmukh +Date: Tue, 19 Sep 2023 20:42:45 +0000 +Subject: [PATCH] Validate OMX Params for VPx encoders + +Bug: 273936274 +Bug: 273937171 +Bug: 273937136 +Bug: 273936553 +Bug: 273936601 +Test: POC in bug descriptions +(cherry picked from https://partner-android-review.googlesource.com/q/commit:022086b76536cd2e19a44053271190bdf6e181f7) +(cherry picked from commit 0e4ca1cb5c16af8f1dfb0ae41941c16c104d38e8) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90641b2799fd3940cdf0bf8a73b2f76839e651a6) +Merged-In: I9bb17112d9f0217b6af0343afecc9c943453b757 +Change-Id: I9bb17112d9f0217b6af0343afecc9c943453b757 +--- + media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp | 10 ++++++++++ + media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp | 10 ++++++++++ + media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp | 9 +++++++++ + 3 files changed, 29 insertions(+) + +diff --git a/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp +index 04737a9ccf..9198b7c327 100644 +--- a/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp ++++ b/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp +@@ -120,6 +120,11 @@ OMX_ERRORTYPE SoftVP8Encoder::internalSetParameter(OMX_INDEXTYPE index, + + OMX_ERRORTYPE SoftVP8Encoder::internalGetVp8Params( + OMX_VIDEO_PARAM_VP8TYPE* vp8Params) { ++ if (!isValidOMXParam(vp8Params)) { ++ android_errorWriteLog(0x534e4554, "273936274"); ++ return OMX_ErrorBadParameter; ++ } ++ + if (vp8Params->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } +@@ -133,6 +138,11 @@ OMX_ERRORTYPE SoftVP8Encoder::internalGetVp8Params( + + OMX_ERRORTYPE SoftVP8Encoder::internalSetVp8Params( + const OMX_VIDEO_PARAM_VP8TYPE* vp8Params) { ++ if (!isValidOMXParam(vp8Params)) { ++ android_errorWriteLog(0x534e4554, "273937171"); ++ return OMX_ErrorBadParameter; 
++ } ++ + if (vp8Params->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } +diff --git a/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp +index 1ea1c85f76..f8495c2da4 100644 +--- a/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp ++++ b/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp +@@ -119,6 +119,11 @@ OMX_ERRORTYPE SoftVP9Encoder::internalSetParameter( + + OMX_ERRORTYPE SoftVP9Encoder::internalGetVp9Params( + OMX_VIDEO_PARAM_VP9TYPE *vp9Params) { ++ if (!isValidOMXParam(vp9Params)) { ++ android_errorWriteLog(0x534e4554, "273936553"); ++ return OMX_ErrorBadParameter; ++ } ++ + if (vp9Params->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } +@@ -133,6 +138,11 @@ OMX_ERRORTYPE SoftVP9Encoder::internalGetVp9Params( + + OMX_ERRORTYPE SoftVP9Encoder::internalSetVp9Params( + const OMX_VIDEO_PARAM_VP9TYPE *vp9Params) { ++ if (!isValidOMXParam(vp9Params)) { ++ android_errorWriteLog(0x534e4554, "273937136"); ++ return OMX_ErrorBadParameter; ++ } ++ + if (vp9Params->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } +diff --git a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp +index f6257b1556..173bbe37d6 100644 +--- a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp ++++ b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp +@@ -484,6 +484,11 @@ OMX_ERRORTYPE SoftVPXEncoder::internalSetBitrateParams( + + OMX_ERRORTYPE SoftVPXEncoder::internalGetAndroidVpxParams( + OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vpxAndroidParams) { ++ if (!isValidOMXParam(vpxAndroidParams)) { ++ android_errorWriteLog(0x534e4554, "273936601"); ++ return OMX_ErrorBadParameter; ++ } ++ + if (vpxAndroidParams->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } +@@ -500,6 +505,10 @@ OMX_ERRORTYPE SoftVPXEncoder::internalGetAndroidVpxParams( + + OMX_ERRORTYPE 
SoftVPXEncoder::internalSetAndroidVpxParams( + const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vpxAndroidParams) { ++ if (!isValidOMXParam(vpxAndroidParams)) { ++ android_errorWriteLog(0x534e4554, "273937551"); ++ return OMX_ErrorBadParameter; ++ } + if (vpxAndroidParams->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } diff --git a/Patches/LineageOS-16.0/android_frameworks_av/385671.patch b/Patches/LineageOS-16.0/android_frameworks_av/385671.patch new file mode 100644 index 00000000..680f190a --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_av/385671.patch 
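Review bot: In 385670.patch, the check added to `SoftVPXEncoder::internalSetAndroidVpxParams` logs the id `"273937551"`, which is not among the five `Bug:` entries in the commit message (273936274, 273937171, 273937136, 273936553, 273936601). The other five checks each use one of the listed ids. Whoever triages these `0x534e4554` events cannot map that entry back to this change, so it is worth confirming the id against upstream and adding it to the commit message if it is correct. This check also lacks the blank line that follows the other five. All six functions continue outside their hunks.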
@@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Haripriya Deshmukh +Date: Tue, 5 Dec 2023 18:32:38 +0000 +Subject: [PATCH] Fix out of bounds read and write in onQueueFilled in outQueue + +Bug: 276442130 +Test: POC in bug descriptions +(cherry picked from https://partner-android-review.googlesource.com/q/commit:7aef41e59412e2f95bab5de7e33f5f04bb808643) +(cherry picked from commit 8f4cfda9fc75f1e9ba3b6dee3fbffda4b6111d64) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:208e430bc6380fafafca8041b239f835263a9d47) +Merged-In: Ic230d10048193a785f185dc6a7de6f455f9318c1 +Change-Id: Ic230d10048193a785f185dc6a7de6f455f9318c1 +--- + media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp +index fda70280a7..b78ac4325a 100644 +--- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp ++++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp +@@ -308,8 +308,11 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) { + outHeader->nFilledLen = frameSize; + + List::iterator it = outQueue.begin(); +- while ((*it)->mHeader != outHeader) { +- ++it; ++ while (it != outQueue.end() && (*it)->mHeader != outHeader) { ++ ++it; ++ } ++ if (it == outQueue.end()) { ++ return; + } + + BufferInfo *outInfo = *it; diff --git a/Patches/LineageOS-16.0/android_frameworks_base/330961.patch b/Patches/LineageOS-16.0/android_frameworks_base/330961.patch new file mode 100644 index 00000000..a36cbe4c --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/330961.patch 
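Review bot: In 385671.patch, the new `if (it == outQueue.end()) { return; }` in `SoftMPEG4::onQueueFilled` leaves silently, so a header that is missing from `outQueue` produces no trace for whoever investigates the device later. Other patches in this set record such rejections with `android_errorWriteLog`, and the same could be done here with the bug id from the commit message: `android_errorWriteLog(0x534e4554, "276442130");` before the `return;`. Note that `outHeader->nFilledLen = frameSize;` has already been written at that point. The function starts and ends outside the hunk, so whether buffers taken earlier need to be handed back before returning cannot be judged from here.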
@@ -0,0 +1,146 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Matt Pietal +Date: Fri, 1 Oct 2021 11:03:16 -0400 +Subject: [PATCH] Keyguard - Treat messsages to lock with priority + +When switching users and attempting to lock the device, the sysui main +thread becomes overwhelmed with events, creating a significant lag +between the time a message is posted and processed on the main +thread. This can be dangerous when these events are critical for +security, such as calls coming from PhoneWindowManager#lockNow() that +call KeyguardViewMediator#doKeyguardTimeout(). On older devices with +slower CPUs and less memory, the delay in processing can be +significant (15 - 30s). + +The result of not prioritizing these events leads to a window of time +where a guest user can switch back to the owner, and gain access to +the owner's homescreen without needing to unlock the device with the +owner's credentials. + +As a mitigation, prioritize two events originating in two specific +methods to make sure the device locks as soon as possible as well as +have the system server preemptively update its local cache. 
+ +Bug: 151095871 +Test: Very manual race condition - follow steps listed in bug +Change-Id: I7585a0a5eeb308e0e32a4f77f581556d883b5cda +Merged-In: I7585a0a5eeb308e0e32a4f77f581556d883b5cda +(cherry picked from commit 28c53ab8bca26af58b45625c1ebba8b9051c107d) +(cherry picked from commit 563fdf4259d0e28fd960acbb63431e146707d11b) +Merged-In: I7585a0a5eeb308e0e32a4f77f581556d883b5cda +--- + .../internal/policy/IKeyguardStateCallback.aidl | 2 +- + .../systemui/keyguard/KeyguardViewMediator.java | 16 +++++++++++----- + .../policy/keyguard/KeyguardServiceWrapper.java | 6 ++++++ + .../policy/keyguard/KeyguardStateMonitor.java | 8 +++++++- + 4 files changed, 25 insertions(+), 7 deletions(-) + +diff --git a/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl b/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl +index 8e454db4cb04..a8003a1169e9 100644 +--- a/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl ++++ b/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl +@@ -16,7 +16,7 @@ + package com.android.internal.policy; + + interface IKeyguardStateCallback { +- void onShowingStateChanged(boolean showing); ++ void onShowingStateChanged(boolean showing, int userId); + void onSimSecureStateChanged(boolean simSecure); + void onInputRestrictedStateChanged(boolean inputRestricted); + void onTrustedChanged(boolean trusted); +diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +index 305370d5964b..bac481c8e478 100644 +--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java ++++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +@@ -1291,7 +1291,9 @@ public class KeyguardViewMediator extends SystemUI { + public void doKeyguardTimeout(Bundle options) { + mHandler.removeMessages(KEYGUARD_TIMEOUT); + Message msg = mHandler.obtainMessage(KEYGUARD_TIMEOUT, 
options); +- mHandler.sendMessage(msg); ++ // Treat these messages with priority - A call to timeout means the device should lock ++ // as soon as possible and not wait for other messages on the thread to process first. ++ mHandler.sendMessageAtFrontOfQueue(msg); + } + + /** +@@ -1488,12 +1490,15 @@ public class KeyguardViewMediator extends SystemUI { + * @see #handleShow + */ + private void showLocked(Bundle options) { +- Trace.beginSection("KeyguardViewMediator#showLocked aqcuiring mShowKeyguardWakeLock"); ++ Trace.beginSection("KeyguardViewMediator#showLocked acquiring mShowKeyguardWakeLock"); + if (DEBUG) Log.d(TAG, "showLocked"); + // ensure we stay awake until we are finished displaying the keyguard + mShowKeyguardWakeLock.acquire(); + Message msg = mHandler.obtainMessage(SHOW, options); +- mHandler.sendMessage(msg); ++ // Treat these messages with priority - This call can originate from #doKeyguardTimeout, ++ // meaning the device should lock as soon as possible and not wait for other messages on ++ // the thread to process first. 
++ mHandler.sendMessageAtFrontOfQueue(msg); + Trace.endSection(); + } + +@@ -1652,6 +1657,7 @@ public class KeyguardViewMediator extends SystemUI { + case KEYGUARD_TIMEOUT: + synchronized (KeyguardViewMediator.this) { + doKeyguardLocked((Bundle) msg.obj); ++ notifyDefaultDisplayCallbacks(mShowing); + } + break; + case DISMISS: +@@ -2213,7 +2219,7 @@ public class KeyguardViewMediator extends SystemUI { + for (int i = size - 1; i >= 0; i--) { + IKeyguardStateCallback callback = mKeyguardStateCallbacks.get(i); + try { +- callback.onShowingStateChanged(showing); ++ callback.onShowingStateChanged(showing, KeyguardUpdateMonitor.getCurrentUser()); + } catch (RemoteException e) { + Slog.w(TAG, "Failed to call onShowingStateChanged", e); + if (e instanceof DeadObjectException) { +@@ -2261,7 +2267,7 @@ public class KeyguardViewMediator extends SystemUI { + mKeyguardStateCallbacks.add(callback); + try { + callback.onSimSecureStateChanged(mUpdateMonitor.isSimPinSecure()); +- callback.onShowingStateChanged(mShowing); ++ callback.onShowingStateChanged(mShowing, KeyguardUpdateMonitor.getCurrentUser()); + callback.onInputRestrictedStateChanged(mInputRestricted); + callback.onTrustedChanged(mUpdateMonitor.getUserHasTrust( + KeyguardUpdateMonitor.getCurrentUser())); +diff --git a/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java b/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java +index 4e848686254a..cf5c587e0494 100644 +--- a/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java ++++ b/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java +@@ -192,6 +192,12 @@ public class KeyguardServiceWrapper implements IKeyguardService { + + @Override // Binder interface + public void doKeyguardTimeout(Bundle options) { ++ int userId = mKeyguardStateMonitor.getCurrentUser(); ++ if (mKeyguardStateMonitor.isSecure(userId)) { ++ // Preemptively inform the cache that the keyguard 
will soon be showing, as calls to ++ // doKeyguardTimeout are a signal to lock the device as soon as possible. ++ mKeyguardStateMonitor.onShowingStateChanged(true, userId); ++ } + try { + mService.doKeyguardTimeout(options); + } catch (RemoteException e) { +diff --git a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java +index dbf96aa9eee6..c49c31d2ce07 100644 +--- a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java ++++ b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java +@@ -92,8 +92,14 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub { + return mHasLockscreenWallpaper; + } + ++ public int getCurrentUser() { ++ return mCurrentUserId; ++ } ++ + @Override // Binder interface +- public void onShowingStateChanged(boolean showing) { ++ public void onShowingStateChanged(boolean showing, int userId) { ++ if (userId != mCurrentUserId) return; ++ + mIsShowing = showing; + + mCallback.onShowingChanged(); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/330962.patch b/Patches/LineageOS-16.0/android_frameworks_base/330962.patch new file mode 100644 index 00000000..41701a0c --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/330962.patch 
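Review bot: In 330961.patch, the comments added in `doKeyguardTimeout` and `showLocked` explain why the message is urgent but not what `sendMessageAtFrontOfQueue` does to ordering. Both `KEYGUARD_TIMEOUT` and `SHOW` now run ahead of everything already queued on `mHandler`, so a message posted earlier is handled after the lock request rather than before it. Whether any queued message can then undo the lock is not visible in these hunks, so this is a question for the author rather than a confirmed defect. I would add `// Jumps ahead of messages already queued on mHandler; handlers must not rely on posting order relative to this one.` to both comments.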
@@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pinyao Ting +Date: Thu, 3 Mar 2022 18:24:37 +0000 +Subject: [PATCH] Verify caller before auto granting slice permission + +Currently SliceManagerService#checkSlicePermission does not verify the +caller's identity. This leads to a security vulnerability because +checkSlicePermission does more than checking the permission as opposed +to simply return a boolean value -- it additionally grants slice access +under a certain condition. A malicious app can spoof the calling package +to acquire slice access. + +This CL verifies the caller before granting slice access. + +Bug: 208232850, 179699767 +Test: manual +Change-Id: I2539c9ff5ea977c91bb58185c95280b4d533a520 +Merged-In: I2539c9ff5ea977c91bb58185c95280b4d533a520 +(cherry picked from commit 5bd2196c537ae42a5c1626bdc23c3c6db41fb97f) +(cherry picked from commit 3c92d74d7d74e1d781ae1b071da97b3b2cbc6be9) +Merged-In: I2539c9ff5ea977c91bb58185c95280b4d533a520 +--- + .../core/java/com/android/server/slice/SliceManagerService.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/services/core/java/com/android/server/slice/SliceManagerService.java b/services/core/java/com/android/server/slice/SliceManagerService.java +index f5947ee35ea4..158e6a59ac48 100644 +--- a/services/core/java/com/android/server/slice/SliceManagerService.java ++++ b/services/core/java/com/android/server/slice/SliceManagerService.java +@@ -239,6 +239,8 @@ public class SliceManagerService extends ISliceManager.Stub { + if (autoGrantPermissions != null) { + // Need to own the Uri to call in with permissions to grant. + enforceOwner(pkg, uri, userId); ++ // b/208232850: Needs to verify caller before granting slice access ++ verifyCaller(pkg); + for (String perm : autoGrantPermissions) { + if (mContext.checkPermission(perm, pid, uid) == PERMISSION_GRANTED) { + int providerUser = ContentProvider.getUserIdFromUri(uri, userId); 
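Review bot: In 330962.patch, `verifyCaller(pkg)` is placed after `enforceOwner(pkg, uri, userId)`, so the ownership lookup still runs on a package name that has not yet been tied to the calling identity. Swapping the two lines rejects a mismatched `pkg` before any work is done on its behalf: `verifyCaller(pkg);` then `enforceOwner(pkg, uri, userId);`. The check also sits only inside the `autoGrantPermissions != null` branch. The rest of the method is outside the hunk, so whether other paths use `pkg` without verification should be checked there.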
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/330963.patch b/Patches/LineageOS-16.0/android_frameworks_base/330963.patch
new file mode 100644
index 00000000..5113ed10
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/330963.patch
@@ -0,0 +1,88 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alex Buynytskyy +Date: Thu, 24 Feb 2022 21:40:13 -0800 +Subject: [PATCH] Always restart apps if base.apk gets updated. + +Bug: 219044664 +Fixes: 219044664 +Test: atest PackageManagerShellCommandTest +Change-Id: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296 +Merged-In: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296 +(cherry picked from commit a5dd59db6d1889ae0aa95ef01bbf8c98e360a2f2) +Merged-In: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296 +--- + .../android/content/pm/IPackageInstallerSession.aidl | 2 ++ + core/java/android/content/pm/PackageInstaller.java | 12 ++++++++++++ + .../android/server/pm/PackageInstallerSession.java | 11 +++++++++++ + 3 files changed, 25 insertions(+) + +diff --git a/core/java/android/content/pm/IPackageInstallerSession.aidl b/core/java/android/content/pm/IPackageInstallerSession.aidl +index 8fddb99b35a8..4d91bdf93f16 100644 +--- a/core/java/android/content/pm/IPackageInstallerSession.aidl ++++ b/core/java/android/content/pm/IPackageInstallerSession.aidl +@@ -38,4 +38,6 @@ interface IPackageInstallerSession { + void commit(in IntentSender statusReceiver, boolean forTransferred); + void transfer(in String packageName); + void abandon(); ++ ++ int getInstallFlags(); + } +diff --git a/core/java/android/content/pm/PackageInstaller.java b/core/java/android/content/pm/PackageInstaller.java +index b51fa6fc2b29..0d7ca9043ccd 100644 +--- a/core/java/android/content/pm/PackageInstaller.java ++++ b/core/java/android/content/pm/PackageInstaller.java +@@ -1059,6 +1059,18 @@ public class PackageInstaller { + throw e.rethrowFromSystemServer(); + } + } ++ ++ /** ++ * @return Session's {@link SessionParams#installFlags}. 
++ * @hide ++ */ ++ public int getInstallFlags() { ++ try { ++ return mSession.getInstallFlags(); ++ } catch (RemoteException e) { ++ throw e.rethrowFromSystemServer(); ++ } ++ } + } + + /** +diff --git a/services/core/java/com/android/server/pm/PackageInstallerSession.java b/services/core/java/com/android/server/pm/PackageInstallerSession.java +index edada326ee12..e6ec80ae1b76 100644 +--- a/services/core/java/com/android/server/pm/PackageInstallerSession.java ++++ b/services/core/java/com/android/server/pm/PackageInstallerSession.java +@@ -83,6 +83,7 @@ import android.system.OsConstants; + import android.system.StructStat; + import android.text.TextUtils; + import android.util.ArraySet; ++import android.util.EventLog; + import android.util.ExceptionUtils; + import android.util.MathUtils; + import android.util.Slog; +@@ -1285,6 +1286,11 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub { + if (baseDexMetadataFile != null) { + mResolvedInheritedFiles.add(baseDexMetadataFile); + } ++ } else if ((params.installFlags & PackageManager.INSTALL_DONT_KILL_APP) != 0) { ++ EventLog.writeEvent(0x534e4554, "219044664"); ++ ++ // Installing base.apk. Make sure the app is restarted. ++ params.setDontKillApp(false); + } + + // Inherit splits if not overridden +@@ -1589,6 +1595,11 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub { + dispatchSessionFinished(INSTALL_FAILED_ABORTED, "Session was abandoned", null); + } + ++ @Override ++ public int getInstallFlags() { ++ return params.installFlags; ++ } ++ + private void dispatchSessionFinished(int returnCode, String msg, Bundle extras) { + final IPackageInstallObserver2 observer; + final String packageName; diff --git a/Patches/LineageOS-16.0/android_frameworks_base/332756.patch b/Patches/LineageOS-16.0/android_frameworks_base/332756.patch new file mode 100644 index 00000000..e2fe0064 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/332756.patch 
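Review bot: In 330963.patch, the new `else if` branch in `PackageInstallerSession` writes `EventLog.writeEvent(0x534e4554, "219044664");` with only the bug id, so the event cannot be attributed to the installer that requested `INSTALL_DONT_KILL_APP` on a base.apk update. Passing the session's installer uid as the third field, as in `EventLog.writeEvent(0x534e4554, "219044664", <installer uid>, "");`, makes the entry usable for triage. The branch also clears the flag with `params.setDontKillApp(false)` without telling the caller. That is presumably why `getInstallFlags()` is added, and its Javadoc should say that the value can differ from what was requested. The enclosing method starts and ends outside the hunk.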
@@ -0,0 +1,174 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jonathan Scott +Date: Tue, 5 Apr 2022 18:47:56 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Add finalizeWorkProfileProvisioning. + +Test: atest android.devicepolicy.cts.DevicePolicyManagerTest +Bug: 210469972 +Change-Id: I2de99f9ccd8b27ffdc2562fa451f132e73d54317 +(cherry picked from commit c5037ec63cdc72846082a66e72b34cf5067a6046) +Merged-In: I2de99f9ccd8b27ffdc2562fa451f132e73d54317 +--- + .../app/admin/DevicePolicyManager.java | 21 ++++++++++++ + .../app/admin/IDevicePolicyManager.aidl | 3 ++ + core/res/AndroidManifest.xml | 1 + + .../BaseIDevicePolicyManager.java | 6 ++++ + .../DevicePolicyManagerService.java | 33 +++++++++++++++++++ + 5 files changed, 64 insertions(+) + +diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java +index f298bc6992b0..485ce78c3320 100644 +--- a/core/java/android/app/admin/DevicePolicyManager.java ++++ b/core/java/android/app/admin/DevicePolicyManager.java +@@ -16,6 +16,7 @@ + + package android.app.admin; + ++import android.accounts.Account; + import android.annotation.CallbackExecutor; + import android.annotation.ColorInt; + import android.annotation.IntDef; +@@ -136,6 +137,26 @@ public class DevicePolicyManager { + this(context, service, false); + } + ++ /** ++ * Called when a managed profile has been provisioned. ++ * ++ * @throws SecurityException if the caller does not hold ++ * {@link android.Manifest.permission#MANAGE_PROFILE_AND_DEVICE_OWNERS}. 
++ * @hide ++ */ ++ @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) ++ public void finalizeWorkProfileProvisioning( ++ @NonNull UserHandle managedProfileUser, @Nullable Account migratedAccount) { ++ if (mService == null) { ++ throw new IllegalStateException("Could not find DevicePolicyManagerService"); ++ } ++ try { ++ mService.finalizeWorkProfileProvisioning(managedProfileUser, migratedAccount); ++ } catch (RemoteException e) { ++ throw e.rethrowFromSystemServer(); ++ } ++ } ++ + /** @hide */ + @VisibleForTesting + protected DevicePolicyManager(Context context, IDevicePolicyManager service, +diff --git a/core/java/android/app/admin/IDevicePolicyManager.aidl b/core/java/android/app/admin/IDevicePolicyManager.aidl +index 096427451662..64b8eaa359aa 100644 +--- a/core/java/android/app/admin/IDevicePolicyManager.aidl ++++ b/core/java/android/app/admin/IDevicePolicyManager.aidl +@@ -17,6 +17,7 @@ + + package android.app.admin; + ++import android.accounts.Account; + import android.app.admin.NetworkEvent; + import android.app.IApplicationThread; + import android.app.IServiceConnection; +@@ -85,6 +86,8 @@ interface IDevicePolicyManager { + int getCurrentFailedPasswordAttempts(int userHandle, boolean parent); + int getProfileWithMinimumFailedPasswordsForWipe(int userHandle, boolean parent); + ++ void finalizeWorkProfileProvisioning(in UserHandle managedProfileUser, in Account migratedAccount); ++ + void setMaximumFailedPasswordsForWipe(in ComponentName admin, int num, boolean parent); + int getMaximumFailedPasswordsForWipe(in ComponentName admin, int userHandle, boolean parent); + +diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml +index af1a6fa9e3c5..0aafab66dabd 100644 +--- a/core/res/AndroidManifest.xml ++++ b/core/res/AndroidManifest.xml +@@ -91,6 +91,7 @@ + + + ++ + + + +diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/BaseIDevicePolicyManager.java 
b/services/devicepolicy/java/com/android/server/devicepolicy/BaseIDevicePolicyManager.java +index 1c9782fa5565..af1735f6e26e 100644 +--- a/services/devicepolicy/java/com/android/server/devicepolicy/BaseIDevicePolicyManager.java ++++ b/services/devicepolicy/java/com/android/server/devicepolicy/BaseIDevicePolicyManager.java +@@ -15,10 +15,12 @@ + */ + package com.android.server.devicepolicy; + ++import android.accounts.Account; + import android.annotation.UserIdInt; + import android.app.admin.IDevicePolicyManager; + import android.content.ComponentName; + import android.os.PersistableBundle; ++import android.os.UserHandle; + import android.security.keymaster.KeymasterCertificateChain; + import android.security.keystore.ParcelableKeyGenParameterSpec; + import android.telephony.data.ApnSetting; +@@ -159,4 +161,8 @@ abstract class BaseIDevicePolicyManager extends IDevicePolicyManager.Stub { + @Override + public void setDefaultSmsApplication(ComponentName admin, String packageName) { + } ++ ++ public void finalizeWorkProfileProvisioning( ++ UserHandle managedProfileUser, Account migratedAccount) { ++ } + } +diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +index 3a183865ead3..d7539e11bea9 100644 +--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java ++++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +@@ -20,6 +20,7 @@ import static android.Manifest.permission.BIND_DEVICE_ADMIN; + import static android.Manifest.permission.MANAGE_CA_CERTIFICATES; + import static android.app.ActivityManager.LOCK_TASK_MODE_NONE; + import static android.app.admin.DeviceAdminReceiver.EXTRA_TRANSFER_OWNERSHIP_ADMIN_EXTRAS_BUNDLE; ++import static android.app.admin.DevicePolicyManager.ACTION_MANAGED_PROFILE_PROVISIONED; + import static 
android.app.admin.DevicePolicyManager.ACTION_PROVISION_MANAGED_USER; + import static android.app.admin.DevicePolicyManager.CODE_ACCOUNTS_NOT_EMPTY; + import static android.app.admin.DevicePolicyManager.CODE_ADD_MANAGED_PROFILE_DISALLOWED; +@@ -45,6 +46,7 @@ import static android.app.admin.DevicePolicyManager.DELEGATION_INSTALL_EXISTING_ + import static android.app.admin.DevicePolicyManager.DELEGATION_KEEP_UNINSTALLED_PACKAGES; + import static android.app.admin.DevicePolicyManager.DELEGATION_PACKAGE_ACCESS; + import static android.app.admin.DevicePolicyManager.DELEGATION_PERMISSION_GRANT; ++import static android.app.admin.DevicePolicyManager.EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE; + import static android.app.admin.DevicePolicyManager.ID_TYPE_BASE_INFO; + import static android.app.admin.DevicePolicyManager.ID_TYPE_IMEI; + import static android.app.admin.DevicePolicyManager.ID_TYPE_MEID; +@@ -8878,6 +8880,37 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + } + } + ++ @Override ++ public void finalizeWorkProfileProvisioning(UserHandle managedProfileUser, ++ Account migratedAccount) { ++ if (mContext.checkCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) ++ != PackageManager.PERMISSION_GRANTED) { ++ throw new SecurityException("Calling identity is not authorized"); ++ } ++ ++ if (!isManagedProfile(managedProfileUser.getIdentifier())) { ++ throw new IllegalStateException("Given user is not a managed profile"); ++ } ++ ComponentName profileOwnerComponent = ++ mOwners.getProfileOwnerComponent(managedProfileUser.getIdentifier()); ++ if (profileOwnerComponent == null) { ++ throw new IllegalStateException("There is no profile owner on the given profile"); ++ } ++ Intent primaryProfileSuccessIntent = new Intent(ACTION_MANAGED_PROFILE_PROVISIONED); ++ primaryProfileSuccessIntent.setPackage(profileOwnerComponent.getPackageName()); ++ primaryProfileSuccessIntent.addFlags(Intent.FLAG_INCLUDE_STOPPED_PACKAGES ++ | 
Intent.FLAG_RECEIVER_FOREGROUND); ++ primaryProfileSuccessIntent.putExtra(Intent.EXTRA_USER, managedProfileUser); ++ ++ if (migratedAccount != null) { ++ primaryProfileSuccessIntent.putExtra(EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE, ++ migratedAccount); ++ } ++ ++ mContext.sendBroadcastAsUser(primaryProfileSuccessIntent, ++ UserHandle.of(getProfileParentId(managedProfileUser.getIdentifier()))); ++ } ++ + @Override + public UserHandle createAndManageUser(ComponentName admin, String name, + ComponentName profileOwner, PersistableBundle adminExtras, int flags) { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/332757.patch b/Patches/LineageOS-16.0/android_frameworks_base/332757.patch new file mode 100644 index 00000000..aff2be94 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/332757.patch @@ -0,0 +1,36 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Mon, 31 Jan 2022 20:31:42 +0000 +Subject: [PATCH] limit TelecomManager#registerPhoneAccount to 10; api doc + update + +bug: 209814693 +Bug: 217934478 +Test: CTS +Change-Id: I8e4425a4e7de716f86b1f1f56ea605d93f357a57 +Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57 +(cherry picked from commit f0f67b5a319efedbf8693b436a641fa65bc2d8be) +Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57 +--- + telecomm/java/android/telecom/TelecomManager.java | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/telecomm/java/android/telecom/TelecomManager.java b/telecomm/java/android/telecom/TelecomManager.java +index 18c170a2e330..6b00a495668c 100644 +--- a/telecomm/java/android/telecom/TelecomManager.java ++++ b/telecomm/java/android/telecom/TelecomManager.java +@@ -1000,9 +1000,14 @@ public class TelecomManager { + * when placing calls. The user may still need to enable the {@link PhoneAccount} within + * the phone app settings before the account is usable. + *
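Review bot: `finalizeWorkProfileProvisioning` in DevicePolicyManagerService dereferences `managedProfileUser.getIdentifier()` without a null check, although the argument arrives over binder and `@NonNull` is declared only on the client-side wrapper in DevicePolicyManager. A caller that holds the permission and passes null gets a bare NullPointerException instead of a clear argument error. `Objects.requireNonNull(managedProfileUser, "managedProfileUser");` right after the permission check would state the contract, assuming `java.util.Objects` is already imported in that file. The stub added to BaseIDevicePolicyManager also lacks `@Override`, unlike the `setDefaultSmsApplication` stub directly above it in the same hunk.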

++ * Note: Each package is limited to 10 {@link PhoneAccount} registrations. ++ *

+ * A {@link SecurityException} will be thrown if an app tries to register a + * {@link PhoneAccountHandle} where the package name specified within + * {@link PhoneAccountHandle#getComponentName()} does not match the package name of the app. ++ *

++ * A {@link IllegalArgumentException} will be thrown if an app tries to register a ++ * {@link PhoneAccount} when the upper bound limit, 10, has already been reached. + * + * @param account The complete {@link PhoneAccount}. + */ diff --git a/Patches/LineageOS-16.0/android_frameworks_base/332776.patch b/Patches/LineageOS-16.0/android_frameworks_base/332776.patch new file mode 100644 index 00000000..164488bc --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/332776.patch 
@@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: David Christie +Date: Fri, 11 Mar 2022 01:13:31 +0000 +Subject: [PATCH] Update GeofenceHardwareRequestParcelable to match + parcel/unparcel format. + +Test: manual +Bug: 216631962 + +Change-Id: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3 +(cherry picked from commit 3e1ffdb29417f4fb994587a013fa56c83e157f6f) +Merged-In: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3 +--- + .../location/GeofenceHardwareRequestParcelable.java | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java b/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java +index d3311f5c8c5e..fc27d1de6372 100644 +--- a/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java ++++ b/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java +@@ -16,9 +16,9 @@ + + package android.hardware.location; + ++import android.os.BadParcelableException; + import android.os.Parcel; + import android.os.Parcelable; +-import android.util.Log; + + /** + * Geofence Hardware Request used for internal location services communication. +@@ -139,11 +139,8 @@ public final class GeofenceHardwareRequestParcelable implements Parcelable { + @Override + public GeofenceHardwareRequestParcelable createFromParcel(Parcel parcel) { + int geofenceType = parcel.readInt(); +- if(geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) { +- Log.e( +- "GeofenceHardwareRequest", +- String.format("Invalid Geofence type: %d", geofenceType)); +- return null; ++ if (geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) { ++ throw new BadParcelableException("Invalid Geofence type: " + geofenceType); + } + + GeofenceHardwareRequest request = GeofenceHardwareRequest.createCircularGeofence( 
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/332777.patch b/Patches/LineageOS-16.0/android_frameworks_base/332777.patch
new file mode 100644
index 00000000..acfe6f3c
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/332777.patch
@@ -0,0 +1,151 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Julia Reynolds +Date: Tue, 1 Mar 2022 10:30:27 -0500 +Subject: [PATCH] DO NOT MERGE Add an OEM configurable limit for zen rules + +Test: ZenModeHelperTest +Bug: 220735360 +Change-Id: I3da105951af90007bf48dc6cf00aed3e28778b36 +Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36 +(cherry picked from commit 3072d98c2dc2b709bd8ffc343c101557a53dd188) +Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36 +--- + .../server/notification/ZenModeHelper.java | 6 ++- + .../notification/ZenModeHelperTest.java | 52 ++++++++++++++++++- + 2 files changed, 55 insertions(+), 3 deletions(-) + +diff --git a/services/core/java/com/android/server/notification/ZenModeHelper.java b/services/core/java/com/android/server/notification/ZenModeHelper.java +index 0c42f8ab8345..90c7a874c2f4 100644 +--- a/services/core/java/com/android/server/notification/ZenModeHelper.java ++++ b/services/core/java/com/android/server/notification/ZenModeHelper.java +@@ -91,6 +91,7 @@ public class ZenModeHelper { + + // The amount of time rules instances can exist without their owning app being installed. 
+ private static final int RULE_INSTANCE_GRACE_PERIOD = 1000 * 60 * 60 * 72; ++ static final int RULE_LIMIT_PER_PACKAGE = 100; + + private final Context mContext; + private final H mHandler; +@@ -294,8 +295,9 @@ public class ZenModeHelper { + ruleInstanceLimit = owner.metaData.getInt( + ConditionProviderService.META_DATA_RULE_INSTANCE_LIMIT, -1); + } +- if (ruleInstanceLimit > 0 && ruleInstanceLimit +- < (getCurrentInstanceCount(automaticZenRule.getOwner()) + 1)) { ++ int newRuleInstanceCount = getCurrentInstanceCount(automaticZenRule.getOwner()) + 1; ++ if (newRuleInstanceCount > RULE_LIMIT_PER_PACKAGE ++ || (ruleInstanceLimit > 0 && ruleInstanceLimit < newRuleInstanceCount)) { + throw new IllegalArgumentException("Rule instance limit exceeded"); + } + } +diff --git a/services/tests/uiservicestests/src/com/android/server/notification/ZenModeHelperTest.java b/services/tests/uiservicestests/src/com/android/server/notification/ZenModeHelperTest.java +index 8222c386c0d9..1d97b09853c3 100644 +--- a/services/tests/uiservicestests/src/com/android/server/notification/ZenModeHelperTest.java ++++ b/services/tests/uiservicestests/src/com/android/server/notification/ZenModeHelperTest.java +@@ -20,10 +20,13 @@ import static android.app.NotificationManager.Policy.SUPPRESSED_EFFECT_BADGE; + import static android.app.NotificationManager.Policy.SUPPRESSED_EFFECT_FULL_SCREEN_INTENT; + import static android.app.NotificationManager.Policy.SUPPRESSED_EFFECT_LIGHTS; + import static android.app.NotificationManager.Policy.SUPPRESSED_EFFECT_PEEK; ++import static com.android.server.notification.ZenModeHelper.RULE_LIMIT_PER_PACKAGE; + + import static junit.framework.Assert.assertFalse; + import static junit.framework.Assert.assertEquals; ++import static junit.framework.Assert.assertNotNull; + import static junit.framework.TestCase.assertTrue; ++import static junit.framework.TestCase.fail; + + import static org.mockito.ArgumentMatchers.any; + import static 
org.mockito.ArgumentMatchers.anyBoolean; +@@ -44,6 +47,9 @@ import android.app.NotificationManager; + import android.content.ComponentName; + import android.content.ContentResolver; + import android.content.Context; ++import android.content.pm.ActivityInfo; ++import android.content.pm.PackageManager; ++import android.content.pm.ResolveInfo; + import android.content.res.Resources; + import android.media.AudioAttributes; + import android.media.AudioManager; +@@ -69,6 +75,8 @@ import com.android.internal.util.FastXmlSerializer; + import com.android.server.UiServiceTestCase; + import android.util.Slog; + ++import com.google.common.collect.ImmutableList; ++ + import org.junit.Before; + import org.junit.Test; + import org.junit.runner.RunWith; +@@ -87,8 +95,12 @@ import java.io.ByteArrayOutputStream; + @TestableLooper.RunWithLooper + public class ZenModeHelperTest extends UiServiceTestCase { + ++ private static final String CUSTOM_PKG_NAME = "not.android"; ++ private static final int CUSTOM_PKG_UID = 1; ++ + ConditionProviders mConditionProviders; + @Mock NotificationManager mNotificationManager; ++ @Mock PackageManager mPackageManager; + @Mock private Resources mResources; + private TestableLooper mTestableLooper; + private ZenModeHelper mZenModeHelperSpy; +@@ -96,7 +108,7 @@ public class ZenModeHelperTest extends UiServiceTestCase { + private ContentResolver mContentResolver; + + @Before +- public void setUp() { ++ public void setUp() throws PackageManager.NameNotFoundException { + MockitoAnnotations.initMocks(this); + + mTestableLooper = TestableLooper.get(this); +@@ -112,6 +124,16 @@ public class ZenModeHelperTest extends UiServiceTestCase { + mConditionProviders.addSystemProvider(new CountdownConditionProvider()); + mZenModeHelperSpy = spy(new ZenModeHelper(mContext, mTestableLooper.getLooper(), + mConditionProviders)); ++ ++ ResolveInfo ri = new ResolveInfo(); ++ ri.activityInfo = new ActivityInfo(); ++ when(mPackageManager.queryIntentActivitiesAsUser(any(), 
anyInt(), anyInt())).thenReturn( ++ ImmutableList.of(ri)); ++ when(mPackageManager.getPackageUidAsUser(eq(CUSTOM_PKG_NAME), anyInt())) ++ .thenReturn(CUSTOM_PKG_UID); ++ when(mPackageManager.getPackagesForUid(anyInt())).thenReturn( ++ new String[] {getContext().getPackageName()}); ++ mZenModeHelperSpy.mPm = mPackageManager; + } + + private ByteArrayOutputStream writeXmlAndPurge(boolean forBackup, Integer version) +@@ -844,6 +866,34 @@ public class ZenModeHelperTest extends UiServiceTestCase { + assertEquals(1, mZenModeHelperSpy.mConditions.mSubscriptions.size()); + } + ++ @Test ++ public void testAddAutomaticZenRule_beyondSystemLimit() { ++ for (int i = 0; i < RULE_LIMIT_PER_PACKAGE; i++) { ++ ScheduleInfo si = new ScheduleInfo(); ++ si.startHour = i; ++ AutomaticZenRule zenRule = new AutomaticZenRule("name" + i, ++ null, ++ new ComponentName("android", "ScheduleConditionProvider"), ++ ZenModeConfig.toScheduleConditionId(si), ++ new ZenPolicy.Builder().build(), ++ NotificationManager.INTERRUPTION_FILTER_PRIORITY, true); ++ String id = mZenModeHelperSpy.addAutomaticZenRule(zenRule, "test"); ++ assertNotNull(id); ++ } ++ try { ++ AutomaticZenRule zenRule = new AutomaticZenRule("name", ++ null, ++ new ComponentName("android", "ScheduleConditionProvider"), ++ ZenModeConfig.toScheduleConditionId(new ScheduleInfo()), ++ new ZenPolicy.Builder().build(), ++ NotificationManager.INTERRUPTION_FILTER_PRIORITY, true); ++ String id = mZenModeHelperSpy.addAutomaticZenRule(zenRule, "test"); ++ fail("allowed too many rules to be created"); ++ } catch (IllegalArgumentException e) { ++ // yay ++ } ++ } ++ + private void setupZenConfig() { + mZenModeHelperSpy.mZenMode = Settings.Global.ZEN_MODE_IMPORTANT_INTERRUPTIONS; + mZenModeHelperSpy.mConfig.allowAlarms = false; diff --git a/Patches/LineageOS-16.0/android_frameworks_base/332778.patch b/Patches/LineageOS-16.0/android_frameworks_base/332778.patch new file mode 100644 index 00000000..e2c4d589 --- /dev/null 
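Review bot: The new cap `newRuleInstanceCount > RULE_LIMIT_PER_PACKAGE` in ZenModeHelper is only as wide as the block it sits in, and that block's opening condition is outside the hunk. If the block is skipped for some rules (system-owned ones, for example), those rules never reach the cap, and `testAddAutomaticZenRule_beyondSystemLimit`, which registers rules owned by package `android`, would not exercise it on this branch. The count is also taken from `getCurrentInstanceCount(automaticZenRule.getOwner())`, which appears to be per owner component rather than per package as the constant name says. Worth confirming both against the 16.0 tree and adding a comment on the constant such as `// Hard upper bound on rules per owner; applies even when the owner declares no META_DATA_RULE_INSTANCE_LIMIT.`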
+++ b/Patches/LineageOS-16.0/android_frameworks_base/332778.patch @@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ayush Sharma +Date: Wed, 16 Mar 2022 10:32:23 +0000 +Subject: [PATCH] Fix security hole in GateKeeperResponse + +GateKeeperResponse has inconsistent writeToParcel() and +createFromParcel() methods, making it possible for a malicious app to +create a Bundle that changes contents after reserialization. Such +Bundles can be used to execute Intents with system privileges. + +We fixed related issues previously for GateKeeperResponse class, but +one of the case was remaining when payload is byte array of size 0, +Fixing this case now. + +Bug: 220303465 +Test: With the POC provided in the bug. +Change-Id: Ida28d611edd674e76ed39dd8037f52abcba82586 +Merged-In: Ida28d611edd674e76ed39dd8037f52abcba82586 + +(cherry picked from commit 46653a91c30245ca29d41d69174813979a910496) + +Change-Id: I486348c7a01c6f59c952b20fb4a36429fff22958 +(cherry picked from commit 658c53c47c0d1b6a74d3c0a72372aaaba16c2516) +Merged-In: I486348c7a01c6f59c952b20fb4a36429fff22958 +--- + core/java/android/service/gatekeeper/GateKeeperResponse.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java +index 9b529345851b..4502c0ef2898 100644 +--- a/core/java/android/service/gatekeeper/GateKeeperResponse.java ++++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java +@@ -103,7 +103,7 @@ public final class GateKeeperResponse implements Parcelable { + dest.writeInt(mTimeout); + } else if (mResponseCode == RESPONSE_OK) { + dest.writeInt(mShouldReEnroll ? 1 : 0); +- if (mPayload != null) { ++ if (mPayload != null && mPayload.length > 0) { + dest.writeInt(mPayload.length); + dest.writeByteArray(mPayload); + } else { 
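Review bot: The added `mPayload.length > 0` condition in `writeToParcel` has no comment explaining that it keeps the written layout identical to what `createFromParcel` reads back. That reading is inferred from the commit message, because `createFromParcel` is outside the hunk. I would add `// Keep in sync with createFromParcel(): an empty payload must be written exactly like a null one.` above the `if`. Without it the check looks like a redundant guard and is easy to drop in a later cleanup, which would reopen the write/read mismatch the commit describes.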
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/332779.patch b/Patches/LineageOS-16.0/android_frameworks_base/332779.patch
new file mode 100644
index 00000000..d956063c
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/332779.patch
@@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Oli Lan +Date: Fri, 25 Mar 2022 10:02:41 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Prevent non-admin users from deleting + system apps. + +This addresses a security issue where the guest user can remove updates +for system apps. + +With this CL, attempts to uninstall/downgrade system apps will fail if +attempted by a non-admin user. + +This is a backport of ag/17352264. + +Bug: 170646036 +Test: manual, try uninstalling system app update as guest +Change-Id: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb +Merged-In: I4e959e296cca9bbdfc8fccc5e5e0e654ca524165 +(cherry picked from commit a7621e0ce00f1d140b375518e26cf75693314203) +Merged-In: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb +--- + .../com/android/server/pm/PackageManagerService.java | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index dc44fe17722d..e8532ce4edd3 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -18476,6 +18476,16 @@ public class PackageManagerService extends IPackageManager.Stub + return PackageManager.DELETE_FAILED_INTERNAL_ERROR; + } + ++ if (isSystemApp(uninstalledPs)) { ++ UserInfo userInfo = sUserManager.getUserInfo(userId); ++ if (userInfo == null || !userInfo.isAdmin()) { ++ Slog.w(TAG, "Not removing package " + packageName ++ + " as only admin user may downgrade system apps"); ++ EventLog.writeEvent(0x534e4554, "170646036", -1, packageName); ++ return PackageManager.DELETE_FAILED_USER_RESTRICTED; ++ } ++ } ++ + // Static shared libs can be declared by any package, so let us not + // allow removing a package if it provides a lib others depend on. + pkg = mPackages.get(packageName); 
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/334256.patch b/Patches/LineageOS-16.0/android_frameworks_base/334256.patch new file mode 100644 index 00000000..18a55508 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/334256.patch @@ -0,0 +1,37 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 13 Aug 2021 13:37:55 -0700 +Subject: [PATCH] StorageManagerService: don't ignore failures to prepare user + storage + +We must never leave directories unencrypted. + +Bug: 164488924 +Bug: 224585613 +Change-Id: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2 +(cherry picked from commit 50946dd15fd14cbf92b5c7e32ac7a0f088b8b302) +Merged-In: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2 +(cherry picked from commit f80dd3ecd46db03005423e7fac28a0def49d0140) +Merged-In: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2 +--- + .../core/java/com/android/server/StorageManagerService.java | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/services/core/java/com/android/server/StorageManagerService.java b/services/core/java/com/android/server/StorageManagerService.java +index 910e3e345f69..f6ca63a48a39 100644 +--- a/services/core/java/com/android/server/StorageManagerService.java ++++ b/services/core/java/com/android/server/StorageManagerService.java +@@ -2609,8 +2609,12 @@ class StorageManagerService extends IStorageManager.Stub + + try { + mVold.prepareUserStorage(volumeUuid, userId, serialNumber, flags); +- } catch (Exception e) { ++ } catch (RemoteException e) { + Slog.wtf(TAG, e); ++ // Make sure to re-throw this exception; we must not ignore failure ++ // to prepare the user storage as it could indicate that encryption ++ // wasn't successfully set up. ++ throw new RuntimeException(e); + } + } + diff --git a/Patches/LineageOS-16.0/android_frameworks_base/334257.patch b/Patches/LineageOS-16.0/android_frameworks_base/334257.patch new file mode 100644 index 00000000..35a1cb95 --- /dev/null 
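Review bot: Narrowing the catch in StorageManagerService to `RemoteException` means the `Slog.wtf` and the commented rethrow now cover only binder transport failures. If vold reports a failed `prepareUserStorage` as an unchecked exception (a `ServiceSpecificException`, for instance; the IVold interface is not visible here), it leaves this method without being logged at this point. That still meets the goal of not ignoring the failure, but the asymmetry deserves a line in the existing comment: `// Unchecked exceptions from vold propagate as-is; only RemoteException needs wrapping.` The enclosing method starts outside the hunk.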
+++ b/Patches/LineageOS-16.0/android_frameworks_base/334257.patch 
@@ -0,0 +1,55 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 24 Jan 2022 20:33:11 +0000 +Subject: [PATCH] UserDataPreparer: reboot to recovery if preparing user + storage fails + +StorageManager.prepareUserStorage() can throw an exception if a +directory cannot be encrypted, for example due to already being +nonempty. In this case, usage of the directory must not be allowed to +proceed. UserDataPreparer currently handles this by deleting the user's +directories, but the error is still ultimately suppressed and starting +the user is still allowed to proceed. + +The correct behavior in this case is to reboot into recovery to ask the +user to factory reset the device. This is already what happens when +'init' fails to encrypt a directory with the system DE policy. However, +this was overlooked for the user directories. Start doing this. + +Bug: 164488924 +Bug: 224585613 +Change-Id: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54 +(cherry picked from commit 5256365e65882b81509ec2f6b9dfe2dcf0025254) +Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54 +(cherry picked from commit ea010f3dd213bb6b5f3ed28b89988754ed26aac6) +Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54 +--- + .../core/java/com/android/server/pm/UserDataPreparer.java | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/services/core/java/com/android/server/pm/UserDataPreparer.java b/services/core/java/com/android/server/pm/UserDataPreparer.java +index 045a295da965..504769064808 100644 +--- a/services/core/java/com/android/server/pm/UserDataPreparer.java ++++ b/services/core/java/com/android/server/pm/UserDataPreparer.java +@@ -22,6 +22,7 @@ import android.content.Context; + import android.content.pm.UserInfo; + import android.os.Environment; + import android.os.FileUtils; ++import android.os.RecoverySystem; + import android.os.storage.StorageManager; + import android.os.storage.VolumeInfo; + import android.os.SystemProperties; +@@ 
-115,6 +116,13 @@ class UserDataPreparer { + // Try one last time; if we fail again we're really in trouble + prepareUserDataLI(volumeUuid, userId, userSerial, + flags | StorageManager.FLAG_STORAGE_DE, false); ++ } else { ++ try { ++ Log.e(TAG, "prepareUserData failed", e); ++ RecoverySystem.rebootPromptAndWipeUserData(mContext, "prepareUserData failed"); ++ } catch (IOException e2) { ++ throw new RuntimeException("error rebooting into recovery", e2); ++ } + } + } + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/334258.patch b/Patches/LineageOS-16.0/android_frameworks_base/334258.patch new file mode 100644 index 00000000..af91f726 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/334258.patch 
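Review bot: The new `else` branch in UserDataPreparer references `Log`, `IOException` and `RecoverySystem`, but the import hunk adds only `android.os.RecoverySystem`. Whether the other two are already imported on the 16.0 branch cannot be seen from here, so it is worth a build check for this backport. 334258.patch has the same exposure: it starts using `UserHandle.USER_SYSTEM` in this block without touching the imports. The branch also falls through after `rebootPromptAndWipeUserData` returns, so a short comment that the reboot is asynchronous to the rest of the method would help readers.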
@@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 4 Mar 2022 00:07:29 +0000 +Subject: [PATCH] UserDataPreparer: reboot to recovery for system user only + +With the next CL, old devices might contain a combination of old users +with prepareUserStorage error checking disabled and new users with +prepareUserStorage error checking enabled. Factory resetting the whole +device when any user fails to prepare may be too aggressive. Also, +UserDataPreparer already destroys the affected user's storage when it +fails to prepare, which seems to be fairly effective at breaking things +for that user (absent proper error handling by upper layers). + +Therefore, let's only factory reset the device if the failing user is +the system user. + +Bug: 164488924 +Bug: 224585613 +Change-Id: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97 +(cherry picked from commit 4c76da76c9831266e4e63c0618150bed10a929a7) +Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97 +(cherry picked from commit a296a2b724f3b7233952740231a49d432949276b) +Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97 +--- + .../core/java/com/android/server/pm/UserDataPreparer.java | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/services/core/java/com/android/server/pm/UserDataPreparer.java b/services/core/java/com/android/server/pm/UserDataPreparer.java +index 504769064808..95482d7c7f1a 100644 +--- a/services/core/java/com/android/server/pm/UserDataPreparer.java ++++ b/services/core/java/com/android/server/pm/UserDataPreparer.java +@@ -118,8 +118,11 @@ class UserDataPreparer { + flags | StorageManager.FLAG_STORAGE_DE, false); + } else { + try { +- Log.e(TAG, "prepareUserData failed", e); +- RecoverySystem.rebootPromptAndWipeUserData(mContext, "prepareUserData failed"); ++ Log.wtf(TAG, "prepareUserData failed for user " + userId, e); ++ if (userId == UserHandle.USER_SYSTEM) { ++ RecoverySystem.rebootPromptAndWipeUserData(mContext, 
++ "prepareUserData failed for system user"); ++ } + } catch (IOException e2) { + throw new RuntimeException("error rebooting into recovery", e2); + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/334259.patch b/Patches/LineageOS-16.0/android_frameworks_base/334259.patch new file mode 100644 index 00000000..5d5fbedd --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/334259.patch 
@@ -0,0 +1,198 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 4 Mar 2022 00:07:43 +0000 +Subject: [PATCH] Ignore errors preparing user storage for existing users + +Unfortunately we can't rule out the existence of devices where the user +storage wasn't properly prepared, due to StorageManagerService +previously ignoring errors from mVold.prepareUserStorage, combined with +OEMs potentially creating files in per-user directories too early. And +forcing these broken devices to be factory reset upon taking an OTA is +not currently considered to be acceptable. + +One option is to only check for prepareUserStorage errors on devices +that launched with T or later. However, this is a serious issue and it +would be strongly preferable to do more than that. + +Therefore, this CL makes it so that errors are checked for all new +users, rather than all new devices. A field ignorePrepareStorageErrors +is added to the user record; it is only ever set to true implicitly, +when reading a user record from disk that lacks this field. This field +is used by StorageManagerService to decide whether to check for errors. + +Bug: 164488924 +Bug: 224585613 +Test: Intentionally made a device affected by this issue by reverting + the CLs that introduced the error checks, and changing vold to + inject an error into prepareUserStorage. Then, flashed a build + with this CL without wiping userdata. The device still boots, as + expected, and the log shows that the error was intentionally + ignored. Tested that if a second user is added, the error is + *not* ignored and the second user's storage is destroyed before it + can be used. Finally, wiped the device and verified that it won't + boot up anymore, as expected since error checking is enabled for + the system user in that case. 
+Change-Id: I9bdd1a4bf5b14542adb901f264a91d489115c89b +(cherry picked from commit 60d8318c47b7b659716d71243d087b34ab327f64) +Merged-In: I9bdd1a4bf5b14542adb901f264a91d489115c89b +(cherry picked from commit 493aa93b84b4281378e6b767bf2df6139bd0975d) +Merged-In: I9bdd1a4bf5b14542adb901f264a91d489115c89b +--- + core/java/android/os/UserManagerInternal.java | 8 ++++ + .../android/server/StorageManagerService.java | 12 +++++- + .../android/server/pm/UserManagerService.java | 42 +++++++++++++++++++ + 3 files changed, 61 insertions(+), 1 deletion(-) + +diff --git a/core/java/android/os/UserManagerInternal.java b/core/java/android/os/UserManagerInternal.java +index 1f6c3cc76ddd..674dcc024ddc 100644 +--- a/core/java/android/os/UserManagerInternal.java ++++ b/core/java/android/os/UserManagerInternal.java +@@ -221,4 +221,12 @@ public abstract class UserManagerInternal { + */ + public abstract boolean isSettingRestrictedForUser(String setting, int userId, String value, + int callingUid); ++ ++ /** ++ * Returns {@code true} if the system should ignore errors when preparing ++ * the storage directories for the user with ID {@code userId}. This will ++ * return {@code false} for all new users; it will only return {@code true} ++ * for users that already existed on-disk from an older version of Android. 
++ */ ++ public abstract boolean shouldIgnorePrepareStorageErrors(int userId); + } +diff --git a/services/core/java/com/android/server/StorageManagerService.java b/services/core/java/com/android/server/StorageManagerService.java +index f6ca63a48a39..dc77f414c9e2 100644 +--- a/services/core/java/com/android/server/StorageManagerService.java ++++ b/services/core/java/com/android/server/StorageManagerService.java +@@ -86,6 +86,7 @@ import android.os.SystemClock; + import android.os.SystemProperties; + import android.os.UserHandle; + import android.os.UserManager; ++import android.os.UserManagerInternal; + import android.os.storage.DiskInfo; + import android.os.storage.IObbActionListener; + import android.os.storage.IStorageEventListener; +@@ -2609,11 +2610,20 @@ class StorageManagerService extends IStorageManager.Stub + + try { + mVold.prepareUserStorage(volumeUuid, userId, serialNumber, flags); +- } catch (RemoteException e) { ++ } catch (Exception e) { + Slog.wtf(TAG, e); + // Make sure to re-throw this exception; we must not ignore failure + // to prepare the user storage as it could indicate that encryption + // wasn't successfully set up. ++ // ++ // Very unfortunately, these errors need to be ignored for broken ++ // users that already existed on-disk from older Android versions. 
++ UserManagerInternal umInternal = LocalServices.getService(UserManagerInternal.class); ++ if (umInternal.shouldIgnorePrepareStorageErrors(userId)) { ++ Slog.wtf(TAG, "ignoring error preparing storage for existing user " + userId ++ + "; device may be insecure!"); ++ return; ++ } + throw new RuntimeException(e); + } + } +diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java +index 1a22a84908f8..56d737d50fbf 100644 +--- a/services/core/java/com/android/server/pm/UserManagerService.java ++++ b/services/core/java/com/android/server/pm/UserManagerService.java +@@ -175,6 +175,8 @@ public class UserManagerService extends IUserManager.Stub { + private static final String TAG_ENTRY = "entry"; + private static final String TAG_VALUE = "value"; + private static final String TAG_SEED_ACCOUNT_OPTIONS = "seedAccountOptions"; ++ private static final String TAG_IGNORE_PREPARE_STORAGE_ERRORS = ++ "ignorePrepareStorageErrors"; + private static final String ATTR_KEY = "key"; + private static final String ATTR_VALUE_TYPE = "type"; + private static final String ATTR_MULTIPLE = "m"; +@@ -270,6 +272,22 @@ public class UserManagerService extends IUserManager.Stub { + /** Elapsed realtime since boot when the user was unlocked. */ + long unlockRealtime; + ++ /** ++ * {@code true} if the system should ignore errors when preparing the ++ * storage directories for this user. This is {@code false} for all new ++ * users; it will only be {@code true} for users that already existed ++ * on-disk from an older version of Android. 
++ */ ++ private boolean mIgnorePrepareStorageErrors; ++ ++ boolean getIgnorePrepareStorageErrors() { ++ return mIgnorePrepareStorageErrors; ++ } ++ ++ void setIgnorePrepareStorageErrors() { ++ mIgnorePrepareStorageErrors = true; ++ } ++ + void clearSeedAccountData() { + seedAccountName = null; + seedAccountType = null; +@@ -2307,6 +2325,10 @@ public class UserManagerService extends IUserManager.Stub { + serializer.endTag(null, TAG_SEED_ACCOUNT_OPTIONS); + } + ++ serializer.startTag(/* namespace */ null, TAG_IGNORE_PREPARE_STORAGE_ERRORS); ++ serializer.text(String.valueOf(userData.getIgnorePrepareStorageErrors())); ++ serializer.endTag(/* namespace */ null, TAG_IGNORE_PREPARE_STORAGE_ERRORS); ++ + serializer.endTag(null, TAG_USER); + + serializer.endDocument(); +@@ -2413,6 +2435,7 @@ public class UserManagerService extends IUserManager.Stub { + Bundle baseRestrictions = null; + Bundle localRestrictions = null; + Bundle globalRestrictions = null; ++ boolean ignorePrepareStorageErrors = true; // default is true for old users + + XmlPullParser parser = Xml.newPullParser(); + parser.setInput(is, StandardCharsets.UTF_8.name()); +@@ -2486,6 +2509,11 @@ public class UserManagerService extends IUserManager.Stub { + } else if (TAG_SEED_ACCOUNT_OPTIONS.equals(tag)) { + seedAccountOptions = PersistableBundle.restoreFromXml(parser); + persistSeedData = true; ++ } else if (TAG_IGNORE_PREPARE_STORAGE_ERRORS.equals(tag)) { ++ type = parser.next(); ++ if (type == XmlPullParser.TEXT) { ++ ignorePrepareStorageErrors = Boolean.parseBoolean(parser.getText()); ++ } + } + } + } +@@ -2510,6 +2538,9 @@ public class UserManagerService extends IUserManager.Stub { + userData.seedAccountType = seedAccountType; + userData.persistSeedData = persistSeedData; + userData.seedAccountOptions = seedAccountOptions; ++ if (ignorePrepareStorageErrors) { ++ userData.setIgnorePrepareStorageErrors(); ++ } + + synchronized (mRestrictionsLock) { + if (baseRestrictions != null) { +@@ -3663,6 +3694,9 @@ 
public class UserManagerService extends IUserManager.Stub { + pw.println(); + } + } ++ ++ pw.println(" Ignore errors preparing storage: " ++ + userData.getIgnorePrepareStorageErrors()); + } + } + pw.println(); +@@ -4008,6 +4042,14 @@ public class UserManagerService extends IUserManager.Stub { + return UserRestrictionsUtils.isSettingRestrictedForUser(mContext, setting, userId, + value, callingUid); + } ++ ++ @Override ++ public boolean shouldIgnorePrepareStorageErrors(int userId) { ++ synchronized (mUsersLock) { ++ UserData userData = mUsers.get(userId); ++ return userData != null && userData.getIgnorePrepareStorageErrors(); ++ } ++ } + } + + /* Remove all the users except of the system one. */ diff --git a/Patches/LineageOS-16.0/android_frameworks_base/334260.patch b/Patches/LineageOS-16.0/android_frameworks_base/334260.patch new file mode 100644 index 00000000..7c5dbae6 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/334260.patch 
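Review bot: In the `TAG_IGNORE_PREPARE_STORAGE_ERRORS` branch of the user-record parser in UserManagerService, the flag keeps its `true` default whenever the element is present but `parser.next()` does not return a TEXT node, so an empty or damaged element leaves storage-preparation errors ignored for that user. The element exists only in records written by the new code, so seeing it should switch to the strict value before the text is read: `ignorePrepareStorageErrors = false;` placed ahead of `type = parser.next();`. The writer in this patch always emits `true` or `false` text, so this is hardening against a truncated or hand-edited file rather than a path the normal writer produces. The parsing method starts and ends outside the hunk.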
@@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sat, 26 Mar 2022 01:08:07 +0000 +Subject: [PATCH] Log to EventLog on prepareUserStorage failure + +Bug: 224585613 +Change-Id: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5 +(cherry picked from commit fbb632ea95ac5b6d9efa89e09d0988a9df4f19e4) +Merged-In: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5 +(cherry picked from commit 2f2e7d84f8f856e897056064b64c6b7213ba5d86) +Merged-In: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5 +--- + .../core/java/com/android/server/StorageManagerService.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/services/core/java/com/android/server/StorageManagerService.java b/services/core/java/com/android/server/StorageManagerService.java +index dc77f414c9e2..dcd1a7b03075 100644 +--- a/services/core/java/com/android/server/StorageManagerService.java ++++ b/services/core/java/com/android/server/StorageManagerService.java +@@ -105,6 +105,7 @@ import android.text.format.DateUtils; + import android.util.ArrayMap; + import android.util.AtomicFile; + import android.util.DataUnit; ++import android.util.EventLog; + import android.util.Log; + import android.util.Pair; + import android.util.Slog; +@@ -2611,6 +2612,7 @@ class StorageManagerService extends IStorageManager.Stub + try { + mVold.prepareUserStorage(volumeUuid, userId, serialNumber, flags); + } catch (Exception e) { ++ EventLog.writeEvent(0x534e4554, "224585613", -1, ""); + Slog.wtf(TAG, e); + // Make sure to re-throw this exception; we must not ignore failure + // to prepare the user storage as it could indicate that encryption diff --git a/Patches/LineageOS-16.0/android_frameworks_base/334262.patch b/Patches/LineageOS-16.0/android_frameworks_base/334262.patch new file mode 100644 index 00000000..774435ef --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/334262.patch 
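Review bot: The added `EventLog.writeEvent(0x534e4554, "224585613", -1, "")` in the `catch` block around `mVold.prepareUserStorage` uses an unexplained magic tag and records neither the user nor the outcome. It is written before the check from 334259.patch decides whether to ignore or rethrow the error, so someone triaging logs gets the same record in both cases. I would add a comment such as `// 0x534e4554 ("SNET") is the safety-net event tag; the second field is the bug ID.` and, if diverging from the upstream change is acceptable for this backport, fill the empty last field with `"user " + userId`. The enclosing method starts outside the hunk.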
@@ -0,0 +1,56 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Julia Reynolds +Date: Wed, 7 Jul 2021 16:19:44 -0400 +Subject: [PATCH] DO NOT MERGE Crash invalid FGS notifications + +Test: CTS, ActivityManagerProcessStateTest +Fixes: 191981182 +Change-Id: I13a0202b25c8118db47edba11a93c1939c94b392 +Merged-In: I13a0202b25c8118db47edba11a93c1939c94b392 +(cherry picked from commit 6f657f8f5b7d41af426d6cd8d60bfda6e12057c0) +(cherry picked from commit b6b2906ea6472d182e6ae03c581a63802cd84f08) +Merged-In: I13a0202b25c8118db47edba11a93c1939c94b392 + +Backport to P: +Make method Notification.isForegroundService() public, as it is the case +in Android 10 and later, see Ia13c1aac0cf91c400594df96ce267e768133f8d1 + +Change-Id: I214b6ab4f6ecab332fb8b3293fbc3b2212790b38 +--- + core/java/android/app/Notification.java | 3 ++- + .../server/notification/NotificationManagerService.java | 7 +++++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java +index 78d23f368900..21bc17172b1f 100644 +--- a/core/java/android/app/Notification.java ++++ b/core/java/android/app/Notification.java +@@ -5857,8 +5857,9 @@ public class Notification implements Parcelable + + /** + * @return whether this notification is a foreground service notification ++ * @hide + */ +- private boolean isForegroundService() { ++ public boolean isForegroundService() { + return (flags & Notification.FLAG_FOREGROUND_SERVICE) != 0; + } + +diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java +index 3e34039548d3..dd202a172d66 100755 +--- a/services/core/java/com/android/server/notification/NotificationManagerService.java ++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java +@@ -4161,8 +4161,11 @@ public class NotificationManagerService 
extends SystemService { + notification.flags &= ~Notification.FLAG_CAN_COLORIZE; + } + +- } catch (NameNotFoundException e) { +- Slog.e(TAG, "Cannot create a context for sending app", e); ++ } catch (Exception e) { ++ if (notification.isForegroundService()) { ++ throw new SecurityException("Invalid FGS notification", e); ++ } ++ Slog.e(TAG, "Cannot fix notification", e); + return; + } + diff --git a/Patches/LineageOS-16.0/android_frameworks_base/335117.patch b/Patches/LineageOS-16.0/android_frameworks_base/335117.patch new file mode 100644 index 00000000..4f36687f --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/335117.patch 
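Review bot: The widened `catch (Exception e)` in NotificationManagerService now also swallows any unchecked exception thrown in the `try` body for notifications that are not foreground-service ones, logging `Cannot fix notification` and returning, so an unrelated bug there would silently drop notifications. If the breadth is intentional, say so at the catch, e.g. `// Any failure here leaves the notification unfixed: reject FGS notifications outright, drop the rest.` The `try` block starts outside the hunk, so which calls can throw is not visible here. In Notification.java the backport makes `isForegroundService()` public with `@hide`; its Javadoc could say that it is exposed only for this system-server check.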
@@ -0,0 +1,137 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jeff Chang +Date: Wed, 29 Sep 2021 16:49:00 +0800 +Subject: [PATCH] Only allow system and same app to apply + relinquishTaskIdentity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Any malicious application could hijack tasks by +android:relinquishTaskIdentity. This vulnerability can perform UI +spoofing or spy on user’s activities. + +This CL limit the usage which only allow system and same app to apply +relinquishTaskIdentity + +Bug: 185810717 +Test: atest IntentTests + atest ActivityStarterTests +Change-Id: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049 +(cherry picked from commit cd1f9e72cf9752c9a31e990822ab34ae3d475fec) +Merged-In: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049 +--- + .../com/android/server/am/TaskRecord.java | 51 ++++++++++++++----- + 1 file changed, 39 insertions(+), 12 deletions(-) + +diff --git a/services/core/java/com/android/server/am/TaskRecord.java b/services/core/java/com/android/server/am/TaskRecord.java +index 766cee3278ad..6b42918eddb6 100644 +--- a/services/core/java/com/android/server/am/TaskRecord.java ++++ b/services/core/java/com/android/server/am/TaskRecord.java +@@ -96,6 +96,7 @@ import android.content.pm.PackageManager; + import android.content.res.Configuration; + import android.graphics.Rect; + import android.os.Debug; ++import android.os.Process; + import android.os.RemoteException; + import android.os.SystemClock; + import android.os.Trace; +@@ -193,6 +194,11 @@ class TaskRecord extends ConfigurationContainer implements TaskWindowContainerLi + // Do not move the stack as a part of reparenting + static final int REPARENT_LEAVE_STACK_IN_PLACE = 2; + ++ /** ++ * Used to identify if the activity that is installed from device's system image. ++ */ ++ boolean mIsEffectivelySystemApp; ++ + /** + * The factory used to create {@link TaskRecord}. This allows OEM subclass {@link TaskRecord}. 
+ */ +@@ -788,17 +794,25 @@ class TaskRecord extends ConfigurationContainer implements TaskWindowContainerLi + + /** Sets the original intent, and the calling uid and package. */ + void setIntent(ActivityRecord r) { +- mCallingUid = r.launchedFromUid; +- mCallingPackage = r.launchedFromPackage; +- setIntent(r.intent, r.info); ++ boolean updateIdentity = false; ++ if (this.intent == null) { ++ updateIdentity = true; ++ } else if (!mNeverRelinquishIdentity) { ++ updateIdentity = (effectiveUid == Process.SYSTEM_UID || mIsEffectivelySystemApp ++ || effectiveUid == r.info.applicationInfo.uid); ++ } ++ if (updateIdentity) { ++ mCallingUid = r.launchedFromUid; ++ mCallingPackage = r.launchedFromPackage; ++ setIntent(r.intent, r.info); ++ } + setLockTaskAuth(r); + } + + /** Sets the original intent, _without_ updating the calling uid or package. */ + private void setIntent(Intent _intent, ActivityInfo info) { + if (intent == null) { +- mNeverRelinquishIdentity = +- (info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0; ++ mNeverRelinquishIdentity = (info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0; + } else if (mNeverRelinquishIdentity) { + return; + } +@@ -811,6 +825,7 @@ class TaskRecord extends ConfigurationContainer implements TaskWindowContainerLi + rootAffinity = affinity; + } + effectiveUid = info.applicationInfo.uid; ++ mIsEffectivelySystemApp = info.applicationInfo.isSystemApp(); + stringName = null; + + if (info.targetActivity == null) { +@@ -1575,12 +1590,12 @@ class TaskRecord extends ConfigurationContainer implements TaskWindowContainerLi + // utility activities. 
+ int activityNdx; + final int numActivities = mActivities.size(); +- final boolean relinquish = numActivities != 0 && +- (mActivities.get(0).info.flags & FLAG_RELINQUISH_TASK_IDENTITY) != 0; +- for (activityNdx = Math.min(numActivities, 1); activityNdx < numActivities; +- ++activityNdx) { ++ for (activityNdx = 0; activityNdx < numActivities; ++activityNdx) { + final ActivityRecord r = mActivities.get(activityNdx); +- if (relinquish && (r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0) { ++ if ((r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0 ++ || (r.info.applicationInfo.uid != Process.SYSTEM_UID ++ && !r.info.applicationInfo.isSystemApp() ++ && r.info.applicationInfo.uid != effectiveUid)) { + // This will be the top activity for determining taskDescription. Pre-inc to + // overcome initial decrement below. + ++activityNdx; +@@ -1645,15 +1660,27 @@ class TaskRecord extends ConfigurationContainer implements TaskWindowContainerLi + int findEffectiveRootIndex() { + int effectiveNdx = 0; + final int topActivityNdx = mActivities.size() - 1; ++ ActivityRecord root = null; + for (int activityNdx = 0; activityNdx <= topActivityNdx; ++activityNdx) { + final ActivityRecord r = mActivities.get(activityNdx); + if (r.finishing) { + continue; + } +- effectiveNdx = activityNdx; +- if ((r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0) { ++ ++ if (root == null) { ++ // Set this as the candidate root since it isn't finishing. ++ root = r; ++ effectiveNdx = activityNdx; ++ } ++ final int uid = root == r ? effectiveUid : r.info.applicationInfo.uid; ++ if ((root.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0 ++ || (root.info.applicationInfo.uid != Process.SYSTEM_UID ++ && !root.info.applicationInfo.isSystemApp() ++ && root.info.applicationInfo.uid != uid)) { + break; + } ++ effectiveNdx = activityNdx; ++ root = r; + } + return effectiveNdx; + } 
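Review bot: The rule for when task identity may be relinquished is written out three times in TaskRecord with small differences: in `setIntent(ActivityRecord)`, in the loop that picks the top activity for the task description, and in `findEffectiveRootIndex()`. A security check copied this way tends to drift when one site is edited. I would move the flag-plus-UID test into one private helper and call it from the two loops, as sketched below; `setIntent` tests the task's own `effectiveUid` and `mIsEffectivelySystemApp`, so it can stay as it is with a comment on why it differs. In `findEffectiveRootIndex()` the line `final int uid = root == r ? effectiveUid : r.info.applicationInfo.uid;` needs a comment on why the first candidate is compared with `effectiveUid`, and the new field's Javadoc reads ungrammatically; something like `True if the app whose activity last set this task's intent is a system app.` would do. The method containing the task-description loop starts outside the hunk.

```java
/**
 * Returns true if the relinquish-identity flag on {@code info} should be honoured
 * when checked against {@code uid}: the flag must be set, and the declaring app
 * must run as the system UID, be a system app, or have the same UID.
 */
private static boolean canRelinquishTaskIdentity(ActivityInfo info, int uid) {
    return (info.flags & FLAG_RELINQUISH_TASK_IDENTITY) != 0
            && (info.applicationInfo.uid == Process.SYSTEM_UID
                    || info.applicationInfo.isSystemApp()
                    || info.applicationInfo.uid == uid);
}

// … unchanged: start of the task-description loop …
            if (!canRelinquishTaskIdentity(r.info, effectiveUid)) {
// … unchanged: rest of the loop …

// … unchanged: findEffectiveRootIndex() up to the computation of uid …
            if (!canRelinquishTaskIdentity(root.info, uid)) {
                break;
            }
```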
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/335118.patch b/Patches/LineageOS-16.0/android_frameworks_base/335118.patch
new file mode 100644
index 00000000..2c094797
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/335118.patch
@@ -0,0 +1,496 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Wenhao Wang +Date: Wed, 2 Feb 2022 10:56:44 -0800 +Subject: [PATCH] DO NOT MERGE Suppress notifications when device enter + lockdown + +This CL makes the following modifcations: +1. Add LockPatternUtils.StrongAuthTracker to monitor +the lockdown mode status of the phone. +2. Call mListeners.notifyRemovedLocked with all the +notifications in the mNotificationList when entering +the lockdown mode. +3. Call mListeners.notifyPostedLocked with all the +notifications in the mNotificationList when exiting +the lockdown mode. +4. Dismiss the function calls of notifyPostedLocked, +notifyRemovedLocked, and notifyRankingUpdateLocked +during the lockdown mode. + +The CL also adds corresponding tests. + +Bug: 173721373 +Test: atest NotificationManagerServiceTest +Test: atest NotificationListenersTest +Test: manually verify the paired device cannot receive +notifications when the host phone is in lockdown mode. +Ignore-AOSP-First: pending fix for a security issue. 
+ +Change-Id: I7e83544863eeadf8272b6ff8a9bb8136d6466203 +Merged-In: I7e83544863eeadf8272b6ff8a9bb8136d6466203 +(cherry picked from commit 3cb6842a053e236cc98d7616ba4433c31ffda3ac) +(cherry picked from commit 85c00b98a6cac8d7286a70300ceff509693818f2) +Merged-In: I7e83544863eeadf8272b6ff8a9bb8136d6466203 +--- + .../NotificationManagerService.java | 109 +++++++++++++- + .../tests/uiservicestests/AndroidManifest.xml | 1 + + .../NotificationListenersTest.java | 135 ++++++++++++++++++ + .../NotificationManagerServiceTest.java | 66 +++++++++ + 4 files changed, 305 insertions(+), 6 deletions(-) + create mode 100644 services/tests/uiservicestests/src/com/android/server/notification/NotificationListenersTest.java + +diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java +index dd202a172d66..0dfc0ab0c3e0 100755 +--- a/services/core/java/com/android/server/notification/NotificationManagerService.java ++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java +@@ -181,6 +181,7 @@ import android.util.AtomicFile; + import android.util.Log; + import android.util.Slog; + import android.util.SparseArray; ++import android.util.SparseBooleanArray; + import android.util.TimeUtils; + import android.util.Xml; + import android.util.proto.ProtoOutputStream; +@@ -202,6 +203,7 @@ import com.android.internal.util.DumpUtils; + import com.android.internal.util.FastXmlSerializer; + import com.android.internal.util.Preconditions; + import com.android.internal.util.XmlUtils; ++import com.android.internal.widget.LockPatternUtils; + import com.android.server.DeviceIdleController; + import com.android.server.EventLogTags; + import com.android.server.LocalServices; +@@ -1272,6 +1274,54 @@ public class NotificationManagerService extends SystemService { + return out; + } + ++ protected class StrongAuthTracker extends 
LockPatternUtils.StrongAuthTracker { ++ ++ SparseBooleanArray mUserInLockDownMode = new SparseBooleanArray(); ++ boolean mIsInLockDownMode = false; ++ ++ StrongAuthTracker(Context context) { ++ super(context); ++ } ++ ++ private boolean containsFlag(int haystack, int needle) { ++ return (haystack & needle) != 0; ++ } ++ ++ public boolean isInLockDownMode() { ++ return mIsInLockDownMode; ++ } ++ ++ @Override ++ public synchronized void onStrongAuthRequiredChanged(int userId) { ++ boolean userInLockDownModeNext = containsFlag(getStrongAuthForUser(userId), ++ STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN); ++ mUserInLockDownMode.put(userId, userInLockDownModeNext); ++ boolean isInLockDownModeNext = mUserInLockDownMode.indexOfValue(true) != -1; ++ ++ if (mIsInLockDownMode == isInLockDownModeNext) { ++ return; ++ } ++ ++ if (isInLockDownModeNext) { ++ cancelNotificationsWhenEnterLockDownMode(); ++ } ++ ++ // When the mIsInLockDownMode is true, both notifyPostedLocked and ++ // notifyRemovedLocked will be dismissed. So we shall call ++ // cancelNotificationsWhenEnterLockDownMode before we set mIsInLockDownMode ++ // as true and call postNotificationsWhenExitLockDownMode after we set ++ // mIsInLockDownMode as false. 
++ mIsInLockDownMode = isInLockDownModeNext; ++ ++ if (!isInLockDownModeNext) { ++ postNotificationsWhenExitLockDownMode(); ++ } ++ } ++ } ++ ++ private LockPatternUtils mLockPatternUtils; ++ private StrongAuthTracker mStrongAuthTracker; ++ + public NotificationManagerService(Context context) { + super(context); + Notification.processWhitelistToken = WHITELIST_TOKEN; +@@ -1283,6 +1333,11 @@ public class NotificationManagerService extends SystemService { + mAudioManager = audioMananger; + } + ++ @VisibleForTesting ++ void setStrongAuthTracker(StrongAuthTracker strongAuthTracker) { ++ mStrongAuthTracker = strongAuthTracker; ++ } ++ + @VisibleForTesting + void setHints(int hints) { + mListenerHints = hints; +@@ -1435,6 +1490,8 @@ public class NotificationManagerService extends SystemService { + + mHandler = new WorkerHandler(looper); + mRankingThread.start(); ++ mLockPatternUtils = new LockPatternUtils(getContext()); ++ mStrongAuthTracker = new StrongAuthTracker(getContext()); + String[] extractorNames; + try { + extractorNames = resources.getStringArray(R.array.config_notificationSignalExtractors); +@@ -1563,7 +1620,8 @@ public class NotificationManagerService extends SystemService { + init(Looper.myLooper(), + AppGlobals.getPackageManager(), getContext().getPackageManager(), + getLocalService(LightsManager.class), +- new NotificationListeners(AppGlobals.getPackageManager()), ++ new NotificationListeners(getContext(), mNotificationLock, mUserProfiles, ++ AppGlobals.getPackageManager()), + new NotificationAssistants(getContext(), mNotificationLock, mUserProfiles, + AppGlobals.getPackageManager()), + new ConditionProviders(getContext(), mUserProfiles, AppGlobals.getPackageManager()), +@@ -1679,6 +1737,7 @@ public class NotificationManagerService extends SystemService { + mWindowManagerInternal = LocalServices.getService(WindowManagerInternal.class); + mKeyguardManager = getContext().getSystemService(KeyguardManager.class); + mZenModeHelper.onSystemReady(); ++ 
mLockPatternUtils.registerStrongAuthTracker(mStrongAuthTracker); + } else if (phase == SystemService.PHASE_THIRD_PARTY_APPS_CAN_START) { + // This observer will force an update when observe is called, causing us to + // bind to listener services. +@@ -6342,6 +6401,29 @@ public class NotificationManagerService extends SystemService { + } + } + ++ private void cancelNotificationsWhenEnterLockDownMode() { ++ synchronized (mNotificationLock) { ++ int numNotifications = mNotificationList.size(); ++ for (int i = 0; i < numNotifications; i++) { ++ NotificationRecord rec = mNotificationList.get(i); ++ mListeners.notifyRemovedLocked(rec, REASON_CANCEL_ALL, ++ rec.getStats()); ++ } ++ ++ } ++ } ++ ++ private void postNotificationsWhenExitLockDownMode() { ++ synchronized (mNotificationLock) { ++ int numNotifications = mNotificationList.size(); ++ for (int i = 0; i < numNotifications; i++) { ++ NotificationRecord rec = mNotificationList.get(i); ++ mListeners.notifyPostedLocked(rec, rec); ++ } ++ ++ } ++ } ++ + private void updateNotificationPulse() { + synchronized (mNotificationLock) { + updateLightsLocked(); +@@ -6502,6 +6584,10 @@ public class NotificationManagerService extends SystemService { + channels, overridePeople, snoozeCriteria, showBadge, userSentiment, hidden); + } + ++ boolean isInLockDownMode() { ++ return mStrongAuthTracker.isInLockDownMode(); ++ } ++ + boolean hasCompanionDevice(ManagedServiceInfo info) { + if (mCompanionManager == null) { + mCompanionManager = getCompanionManager(); +@@ -6730,9 +6816,9 @@ public class NotificationManagerService extends SystemService { + + private final ArraySet mLightTrimListeners = new ArraySet<>(); + +- public NotificationListeners(IPackageManager pm) { +- super(getContext(), mNotificationLock, mUserProfiles, pm); +- ++ public NotificationListeners(Context context, Object lock, UserProfiles userProfiles, ++ IPackageManager pm) { ++ super(context, lock, userProfiles, pm); + } + + @Override +@@ -6822,8 +6908,12 @@ public 
class NotificationManagerService extends SystemService { + * targetting <= O_MR1 + */ + @GuardedBy("mNotificationLock") +- private void notifyPostedLocked(NotificationRecord r, NotificationRecord old, ++ void notifyPostedLocked(NotificationRecord r, NotificationRecord old, + boolean notifyAllListeners) { ++ if (isInLockDownMode()) { ++ return; ++ } ++ + // Lazily initialized snapshots of the notification. + StatusBarNotification sbn = r.sbn; + StatusBarNotification oldSbn = (old != null) ? old.sbn : null; +@@ -6886,8 +6976,11 @@ public class NotificationManagerService extends SystemService { + @GuardedBy("mNotificationLock") + public void notifyRemovedLocked(NotificationRecord r, int reason, + NotificationStats notificationStats) { +- final StatusBarNotification sbn = r.sbn; ++ if (isInLockDownMode()) { ++ return; ++ } + ++ final StatusBarNotification sbn = r.sbn; + // make a copy in case changes are made to the underlying Notification object + // NOTE: this copy is lightweight: it doesn't include heavyweight parts of the + // notification +@@ -6938,6 +7031,10 @@ public class NotificationManagerService extends SystemService { + */ + @GuardedBy("mNotificationLock") + public void notifyRankingUpdateLocked(List changedHiddenNotifications) { ++ if (isInLockDownMode()) { ++ return; ++ } ++ + boolean isHiddenRankingUpdate = changedHiddenNotifications != null + && changedHiddenNotifications.size() > 0; + +diff --git a/services/tests/uiservicestests/AndroidManifest.xml b/services/tests/uiservicestests/AndroidManifest.xml +index aa3135ff18da..4f81bfae9a7c 100644 +--- a/services/tests/uiservicestests/AndroidManifest.xml ++++ b/services/tests/uiservicestests/AndroidManifest.xml +@@ -29,6 +29,7 @@ + + + ++ + + + +diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationListenersTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationListenersTest.java +new file mode 100644 +index 000000000000..793739bfe8f5 
+--- /dev/null ++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationListenersTest.java +@@ -0,0 +1,135 @@ ++/* ++ * Copyright (C) 2022 The Android Open Source Project ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++package com.android.server.notification; ++ ++import static org.mockito.ArgumentMatchers.any; ++import static org.mockito.Mockito.doNothing; ++import static org.mockito.Mockito.mock; ++import static org.mockito.Mockito.never; ++import static org.mockito.Mockito.reset; ++import static org.mockito.Mockito.spy; ++import static org.mockito.Mockito.times; ++import static org.mockito.Mockito.verify; ++import static org.mockito.Mockito.when; ++ ++import android.app.INotificationManager; ++import android.content.pm.IPackageManager; ++import android.content.pm.PackageManager; ++import android.service.notification.NotificationStats; ++import android.service.notification.StatusBarNotification; ++import android.testing.TestableContext; ++ ++import com.android.server.UiServiceTestCase; ++ ++import org.junit.Before; ++import org.junit.Test; ++import org.mockito.Mock; ++import org.mockito.MockitoAnnotations; ++import org.mockito.internal.util.reflection.FieldSetter; ++ ++import java.util.List; ++ ++public class NotificationListenersTest extends UiServiceTestCase { ++ ++ @Mock ++ private PackageManager mPm; ++ @Mock ++ private IPackageManager miPm; ++ ++ @Mock ++ NotificationManagerService mNm; ++ @Mock ++ 
private INotificationManager mINm; ++ private TestableContext mContext = spy(getContext()); ++ ++ NotificationManagerService.NotificationListeners mListeners; ++ ++ @Before ++ public void setUp() throws Exception { ++ MockitoAnnotations.initMocks(this); ++ getContext().setMockPackageManager(mPm); ++ doNothing().when(mContext).sendBroadcastAsUser(any(), any(), any()); ++ ++ mListeners = spy(mNm.new NotificationListeners( ++ mContext, new Object(), mock(ManagedServices.UserProfiles.class), miPm)); ++ when(mNm.getBinderService()).thenReturn(mINm); ++ } ++ ++ @Test ++ public void testNotifyPostedLockedInLockdownMode() { ++ NotificationRecord r = mock(NotificationRecord.class); ++ NotificationRecord old = mock(NotificationRecord.class); ++ ++ // before the lockdown mode ++ when(mNm.isInLockDownMode()).thenReturn(false); ++ mListeners.notifyPostedLocked(r, old, true); ++ mListeners.notifyPostedLocked(r, old, false); ++ verify(mListeners, times(2)).getServices(); ++ ++ // in the lockdown mode ++ reset(r); ++ reset(old); ++ reset(mListeners); ++ when(mNm.isInLockDownMode()).thenReturn(true); ++ mListeners.notifyPostedLocked(r, old, true); ++ mListeners.notifyPostedLocked(r, old, false); ++ verify(mListeners, never()).getServices(); ++ } ++ ++ @Test ++ public void testnotifyRankingUpdateLockedInLockdownMode() { ++ List chn = mock(List.class); ++ ++ // before the lockdown mode ++ when(mNm.isInLockDownMode()).thenReturn(false); ++ mListeners.notifyRankingUpdateLocked(chn); ++ verify(chn, times(1)).size(); ++ ++ // in the lockdown mode ++ reset(chn); ++ when(mNm.isInLockDownMode()).thenReturn(true); ++ mListeners.notifyRankingUpdateLocked(chn); ++ verify(chn, never()).size(); ++ } ++ ++ @Test ++ public void testNotifyRemovedLockedInLockdownMode() throws NoSuchFieldException { ++ StatusBarNotification sbn = mock(StatusBarNotification.class); ++ NotificationRecord r = mock(NotificationRecord.class); ++ NotificationStats rs = mock(NotificationStats.class); ++ 
FieldSetter.setField(r, ++ NotificationRecord.class.getDeclaredField("sbn"), ++ sbn); ++ FieldSetter.setField(mNm, ++ NotificationManagerService.class.getDeclaredField("mHandler"), ++ mock(NotificationManagerService.WorkerHandler.class)); ++ ++ // before the lockdown mode ++ when(mNm.isInLockDownMode()).thenReturn(false); ++ mListeners.notifyRemovedLocked(r, 0, rs); ++ mListeners.notifyRemovedLocked(r, 0, rs); ++ verify(sbn, times(2)).cloneLight(); ++ ++ // in the lockdown mode ++ reset(sbn); ++ reset(r); ++ reset(rs); ++ when(mNm.isInLockDownMode()).thenReturn(true); ++ mListeners.notifyRemovedLocked(r, 0, rs); ++ mListeners.notifyRemovedLocked(r, 0, rs); ++ verify(sbn, never()).cloneLight(); ++ } ++} +diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +index 420bfbc042ff..ed3406fc95b4 100644 +--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java ++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +@@ -37,6 +37,9 @@ import static android.content.pm.PackageManager.PERMISSION_DENIED; + import static android.content.pm.PackageManager.PERMISSION_GRANTED; + import static android.os.Build.VERSION_CODES.O_MR1; + import static android.os.Build.VERSION_CODES.P; ++import static android.service.notification.NotificationListenerService.REASON_CANCEL_ALL; ++ ++import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN; + + import static junit.framework.Assert.assertEquals; + import static junit.framework.Assert.assertFalse; +@@ -233,6 +236,26 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + protected void reportUserInteraction(NotificationRecord r) { + return; + } ++ ++ class StrongAuthTrackerFake extends 
NotificationManagerService.StrongAuthTracker { ++ private int mGetStrongAuthForUserReturnValue = 0; ++ StrongAuthTrackerFake(Context context) { ++ super(context); ++ } ++ ++ public void setGetStrongAuthForUserReturnValue(int val) { ++ mGetStrongAuthForUserReturnValue = val; ++ } ++ ++ @Override ++ public int getStrongAuthForUser(int userId) { ++ return mGetStrongAuthForUserReturnValue; ++ } ++ } ++ } ++ ++ TestableNotificationManagerService.StrongAuthTrackerFake mStrongAuthTracker; ++ + } + + @Before +@@ -304,6 +327,9 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + } + mService.setAudioManager(mAudioManager); + ++ mStrongAuthTracker = mService.new StrongAuthTrackerFake(mContext); ++ mService.setStrongAuthTracker(mStrongAuthTracker); ++ + // Tests call directly into the Binder. + mBinderService = mService.getBinderService(); + mInternalService = mService.getInternalService(); +@@ -3261,4 +3287,44 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + mBinderService.areNotificationsEnabledForPackage(mContext.getPackageName(), + mUid + UserHandle.PER_USER_RANGE); + } ++ ++ @Test ++ public void testStrongAuthTracker_isInLockDownMode() { ++ mStrongAuthTracker.setGetStrongAuthForUserReturnValue( ++ STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN); ++ mStrongAuthTracker.onStrongAuthRequiredChanged(mContext.getUserId()); ++ assertTrue(mStrongAuthTracker.isInLockDownMode()); ++ mStrongAuthTracker.setGetStrongAuthForUserReturnValue(0); ++ mStrongAuthTracker.onStrongAuthRequiredChanged(mContext.getUserId()); ++ assertFalse(mStrongAuthTracker.isInLockDownMode()); ++ } ++ ++ @Test ++ public void testCancelAndPostNotificationsWhenEnterAndExitLockDownMode() { ++ // post 2 notifications from 2 packages ++ NotificationRecord pkgA = new NotificationRecord(mContext, ++ generateSbn("a", 1000, 9, 0), mTestNotificationChannel); ++ mService.addNotification(pkgA); ++ NotificationRecord pkgB = new NotificationRecord(mContext, ++ generateSbn("b", 
1001, 9, 0), mTestNotificationChannel); ++ mService.addNotification(pkgB); ++ ++ // when entering the lockdown mode, cancel the 2 notifications. ++ mStrongAuthTracker.setGetStrongAuthForUserReturnValue( ++ STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN); ++ mStrongAuthTracker.onStrongAuthRequiredChanged(mContext.getUserId()); ++ assertTrue(mStrongAuthTracker.isInLockDownMode()); ++ ++ // the notifyRemovedLocked function is called twice due to REASON_LOCKDOWN. ++ ArgumentCaptor captor = ArgumentCaptor.forClass(Integer.class); ++ verify(mListeners, times(2)).notifyRemovedLocked(any(), captor.capture(), any()); ++ assertEquals(REASON_CANCEL_ALL, captor.getValue().intValue()); ++ ++ // exit lockdown mode. ++ mStrongAuthTracker.setGetStrongAuthForUserReturnValue(0); ++ mStrongAuthTracker.onStrongAuthRequiredChanged(mContext.getUserId()); ++ ++ // the notifyPostedLocked function is called twice. ++ verify(mListeners, times(2)).notifyPostedLocked(any(), any()); ++ } + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/335119.patch b/Patches/LineageOS-16.0/android_frameworks_base/335119.patch new file mode 100644 index 00000000..d50a18df --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/335119.patch 
@@ -0,0 +1,72 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Raphael Kim +Date: Fri, 22 Apr 2022 00:32:08 +0000 +Subject: [PATCH] Remove package title from notification access confirmation + intent + +Bug: 228178437 +Test: Manually confirmed on an application +Change-Id: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184 +Merged-In: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184 +(cherry picked from commit 51d47ec7c875cf964f46965a27a5d36343ea999d) +Merged-In: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184 +--- + ...NotificationAccessConfirmationActivityContract.java | 10 ++++++---- + .../companion/CompanionDeviceManagerService.java | 9 ++------- + 2 files changed, 8 insertions(+), 11 deletions(-) + +diff --git a/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java b/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java +index 4ce6f609ef73..fdf0e9046eef 100644 +--- a/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java ++++ b/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java +@@ -17,6 +17,7 @@ + package com.android.internal.notification; + + import android.content.ComponentName; ++import android.content.Context; + import android.content.Intent; + + public final class NotificationAccessConfirmationActivityContract { +@@ -25,13 +26,14 @@ public final class NotificationAccessConfirmationActivityContract { + "com.android.settings.notification.NotificationAccessConfirmationActivity"); + public static final String EXTRA_USER_ID = "user_id"; + public static final String EXTRA_COMPONENT_NAME = "component_name"; +- public static final String EXTRA_PACKAGE_TITLE = "package_title"; + +- public static Intent launcherIntent(int userId, ComponentName component, String packageTitle) { ++ /** ++ * Creates a launcher intent for NotificationAccessConfirmationActivity. 
++ */ ++ public static Intent launcherIntent(Context context, int userId, ComponentName component) { + return new Intent() + .setComponent(COMPONENT_NAME) + .putExtra(EXTRA_USER_ID, userId) +- .putExtra(EXTRA_COMPONENT_NAME, component) +- .putExtra(EXTRA_PACKAGE_TITLE, packageTitle); ++ .putExtra(EXTRA_COMPONENT_NAME, component); + } + } +diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java +index 0e77715e1563..e39652d77b7a 100644 +--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java ++++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java +@@ -290,17 +290,12 @@ public class CompanionDeviceManagerService extends SystemService implements Bind + String callingPackage = component.getPackageName(); + checkCanCallNotificationApi(callingPackage); + int userId = getCallingUserId(); +- String packageTitle = BidiFormatter.getInstance().unicodeWrap( +- getPackageInfo(callingPackage, userId) +- .applicationInfo +- .loadSafeLabel(getContext().getPackageManager()) +- .toString()); +- long identity = Binder.clearCallingIdentity(); ++ final long identity = Binder.clearCallingIdentity(); + try { + return PendingIntent.getActivity(getContext(), + 0 /* request code */, + NotificationAccessConfirmationActivityContract.launcherIntent( +- userId, component, packageTitle), ++ getContext(), userId, component), + PendingIntent.FLAG_IMMUTABLE | PendingIntent.FLAG_ONE_SHOT + | PendingIntent.FLAG_CANCEL_CURRENT); + } finally { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/335120.patch b/Patches/LineageOS-16.0/android_frameworks_base/335120.patch new file mode 100644 index 00000000..d8c115aa --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/335120.patch 
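Review bot: In `launcherIntent(Context context, int userId, ComponentName component)` the new `context` parameter is never read in the body shown in this hunk, and the added Javadoc does not say why the title extra was dropped. I would state the contract on the method, for example `Does not carry a package title; the confirmation activity is expected to resolve the label from {@code component} itself.`, hedged until the receiving activity's side is confirmed, since it is not visible here. If `context` is kept only for signature parity with other branches, a `@param context currently unused` line would say so. In CompanionDeviceManagerService the removed lines were the only visible use of `BidiFormatter` and `getPackageInfo`, so an import or helper may now be unused; that method starts and ends outside the hunk.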
@@ -0,0 +1,70 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: chiachangwang +Date: Thu, 2 Jun 2022 10:22:20 +0000 +Subject: [PATCH] Stop using invalid URL to prevent unexpected crash + +Verify the input PAC Uri before performing follow-up actions. + +Check if the URL is a valid URL to filter some invalid URLs since +these invalid URLs could not fall into any subclass of existing +URLConnections. When the PAC Uri is other invalid URL scheme, it +will cause an UnsupportedOperationException if there is no proper +subclass that implements the openConnection() method. +A malformed URL may crash the system. + +Even it's a valid URL, some subclasses(e.g. JarURLConnection) +may not have openConnection() implemented. It will also hit the +problem, so convert the possbile exception from openConnection() +to re-throw it to IOException which is handled in the existing +code. + +Bug: 219498290 +Test: atest FrameworksNetTests CtsNetTestCases +Test: Test with malformed URL +Merged-In: I22903414380b62051f514e43b93af992f45740b4 +Merged-In: I2abff75ec59a17628ef006aad348c53fadbed076 +Change-Id: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3 +(cherry picked from commit 6390b37a3b32fc7583154d53fda3af8fbd95f59f) +(cherry picked from commit 6d6f4106948bbad67b9845603392d084078997c4) +Merged-In: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3 +--- + .../server/connectivity/PacManager.java | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/services/core/java/com/android/server/connectivity/PacManager.java b/services/core/java/com/android/server/connectivity/PacManager.java +index 3a27fcb352aa..f597c8135701 100644 +--- a/services/core/java/com/android/server/connectivity/PacManager.java ++++ b/services/core/java/com/android/server/connectivity/PacManager.java +@@ -37,6 +37,7 @@ import android.os.SystemClock; + import android.os.SystemProperties; + import android.provider.Settings; + import android.util.Log; ++import 
android.webkit.URLUtil; + + import com.android.internal.annotations.GuardedBy; + import com.android.net.IProxyCallback; +@@ -211,8 +212,22 @@ public class PacManager { + * @throws IOException + */ + private static String get(Uri pacUri) throws IOException { +- URL url = new URL(pacUri.toString()); +- URLConnection urlConnection = url.openConnection(java.net.Proxy.NO_PROXY); ++ if (!URLUtil.isValidUrl(pacUri.toString())) { ++ throw new IOException("Malformed URL:" + pacUri); ++ } ++ ++ final URL url = new URL(pacUri.toString()); ++ URLConnection urlConnection; ++ try { ++ urlConnection = url.openConnection(java.net.Proxy.NO_PROXY); ++ // Catch the possible exceptions and rethrow as IOException to not to crash the system ++ // for illegal input. ++ } catch (IllegalArgumentException e) { ++ throw new IOException("Incorrect proxy type for " + pacUri); ++ } catch (UnsupportedOperationException e) { ++ throw new IOException("Unsupported URL connection type for " + pacUri); ++ } ++ + long contentLength = -1; + try { + contentLength = Long.parseLong(urlConnection.getHeaderField("Content-Length")); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/335121.patch b/Patches/LineageOS-16.0/android_frameworks_base/335121.patch new file mode 100644 index 00000000..784f52c1 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/335121.patch 
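Review bot: Both new catch blocks in `get(Uri pacUri)` discard the caught exception, so the rethrown IOException has no cause and the original stack trace is lost for triage; chain it, e.g. `throw new IOException("Unsupported URL connection type for " + pacUri, e);`, and likewise in the `IllegalArgumentException` branch. The comment explaining the rethrow sits inside the `try` after the statement it describes and would read better above the `try`. As far as I know `URLUtil.isValidUrl` is a scheme-prefix check that accepts more than http/https (file and content among others), so it filters malformed input but is not an allow-list of where a PAC script may be fetched from; a short comment saying so would keep it from being read as one. The body of `get` continues past the end of the hunk.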
@@ -0,0 +1,75 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Makoto Onuki +Date: Tue, 19 Apr 2022 10:54:18 -0700 +Subject: [PATCH] Only allow the system server to connect to sync adapters + +Bug: 203229608 +Test: Manual test with changing the check logic + debug log +Change-Id: If18009f61360564d02dcda9b1e5fa15685e3250f +(cherry picked from commit 58270527d11ac7e5f07d337a402d8edf046a63ee) +(cherry picked from commit 7d1397a54475ed7fee632339ef7c60b432f0fbff) +Merged-In: If18009f61360564d02dcda9b1e5fa15685e3250f +--- + .../content/AbstractThreadedSyncAdapter.java | 20 +++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/core/java/android/content/AbstractThreadedSyncAdapter.java b/core/java/android/content/AbstractThreadedSyncAdapter.java +index a086a308d0d9..da4ecdd8c1f2 100644 +--- a/core/java/android/content/AbstractThreadedSyncAdapter.java ++++ b/core/java/android/content/AbstractThreadedSyncAdapter.java +@@ -21,6 +21,7 @@ import static com.android.internal.util.function.pooled.PooledLambda.obtainMessa + import android.accounts.Account; + import android.annotation.MainThread; + import android.annotation.NonNull; ++import android.os.Binder; + import android.os.Build; + import android.os.Bundle; + import android.os.Handler; +@@ -171,8 +172,20 @@ public abstract class AbstractThreadedSyncAdapter { + } + + private class ISyncAdapterImpl extends ISyncAdapter.Stub { ++ private boolean isCallerSystem() { ++ final long callingUid = Binder.getCallingUid(); ++ if (callingUid != Process.SYSTEM_UID) { ++ android.util.EventLog.writeEvent(0x534e4554, "203229608", -1, ""); ++ return false; ++ } ++ return true; ++ } ++ + @Override + public void onUnsyncableAccount(ISyncAdapterUnsyncableAccountCallback cb) { ++ if (!isCallerSystem()) { ++ return; ++ } + Handler.getMain().sendMessage(obtainMessage( + AbstractThreadedSyncAdapter::handleOnUnsyncableAccount, + AbstractThreadedSyncAdapter.this, cb)); +@@ -181,12 +194,16 @@ public 
abstract class AbstractThreadedSyncAdapter { + @Override + public void startSync(ISyncContext syncContext, String authority, Account account, + Bundle extras) { ++ if (!isCallerSystem()) { ++ return; ++ } + if (ENABLE_LOG) { + if (extras != null) { + extras.size(); // Unparcel so its toString() will show the contents. + } + Log.d(TAG, "startSync() start " + authority + " " + account + " " + extras); + } ++ + try { + final SyncContext syncContextClient = new SyncContext(syncContext); + +@@ -242,6 +259,9 @@ public abstract class AbstractThreadedSyncAdapter { + + @Override + public void cancelSync(ISyncContext syncContext) { ++ if (!isCallerSystem()) { ++ return; ++ } + try { + // synchronize to make sure that mSyncThreads doesn't change between when we + // check it and when we use it diff --git a/Patches/LineageOS-16.0/android_frameworks_base/338346.patch b/Patches/LineageOS-16.0/android_frameworks_base/338346.patch new file mode 100644 index 00000000..00960aec --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/338346.patch 
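Review bot: `isCallerSystem()` stores `Binder.getCallingUid()` in a `long` although the call returns an `int`, and the event it writes passes `-1` in the uid position, so the log does not record which caller was rejected. I would write `final int callingUid = Binder.getCallingUid();` and `android.util.EventLog.writeEvent(0x534e4554, "203229608", callingUid, "");` so a denial is attributable when the event log is reviewed. The three guarded methods return silently on denial; a one-line comment on `isCallerSystem()` saying that non-system binder callers are dropped without an error reply would document that this is intended. The hunk adds an import for `android.os.Binder` only, so `Process` is presumably already imported, and the `cancelSync` body continues outside the hunk.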
@@ -0,0 +1,113 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Manjeet Rulhania +Date: Thu, 28 Apr 2022 20:23:58 +0000 +Subject: [PATCH] Fix duplicate permission privilege escalation + +Duplicate permissions definition with different group allows +privilege permission escalation to a different permission group. + +Android studio and gradle plugin does not allow duplicate +permissions with different attributes, these tools only allow +if duplicate permissions are exact copies. + +Also platform stores permissions in map at multiple places with +permission name as key. This suggests that we can disallow +duplicate permissions during package install/update. + +Bug: 213323615 +Test: manual +Change-Id: I6f44e740897305e7a0553c1cf6c3af37faf02a2e +Merged-In: I1910dca44104e35a57eba4acfa8188cd9b8626ac +Merged-In: I34120fff2ec2a158dfa55779d2afd4bbd49487ff +Merged-In: I9bc839836786a0876e67fd73c05f8944bb532249 +(cherry picked from commit 31bd425bb66b108cdec357a00f4a586379bcd33a) +Merged-In: I6f44e740897305e7a0553c1cf6c3af37faf02a2e +--- + .../android/content/pm/PackageParser.java | 53 +++++++++++++++++++ + 1 file changed, 53 insertions(+) + +diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java +index e0c2d2dc6dde..c56dfbe97895 100644 +--- a/core/java/android/content/pm/PackageParser.java ++++ b/core/java/android/content/pm/PackageParser.java +@@ -81,6 +81,7 @@ import android.util.AttributeSet; + import android.util.Base64; + import android.util.ByteStringUtils; + import android.util.DisplayMetrics; ++import android.util.EventLog; + import android.util.Log; + import android.util.PackageUtils; + import android.util.Pair; +@@ -125,6 +126,7 @@ import java.util.Collections; + import java.util.Comparator; + import java.util.Iterator; + import java.util.List; ++import java.util.Objects; + import java.util.Set; + import java.util.UUID; + import java.util.concurrent.atomic.AtomicInteger; +@@ 
-2469,6 +2471,12 @@ public class PackageParser { + } + } + ++ if (declareDuplicatePermission(pkg)) { ++ outError[0] = "Found duplicate permission with a different attribute value."; ++ mParseError = PackageManager.INSTALL_PARSE_FAILED_MANIFEST_MALFORMED; ++ return null; ++ } ++ + if (supportsSmallScreens < 0 || (supportsSmallScreens > 0 + && pkg.applicationInfo.targetSdkVersion + >= android.os.Build.VERSION_CODES.DONUT)) { +@@ -2507,6 +2515,51 @@ public class PackageParser { + return pkg; + } + ++ /** ++ * @return {@code true} if the package declares malformed duplicate permissions. ++ */ ++ public static boolean declareDuplicatePermission(@NonNull Package pkg) { ++ final List permissions = pkg.permissions; ++ final int size = permissions.size(); ++ if (size > 0) { ++ final ArrayMap checkDuplicatePerm = new ArrayMap<>(size); ++ for (int i = 0; i < size; i++) { ++ final Permission permissionDefinition = permissions.get(i); ++ final String name = permissionDefinition.info.name; ++ final Permission perm = checkDuplicatePerm.get(name); ++ if (isMalformedDuplicate(permissionDefinition, perm)) { ++ // Fix for b/213323615 ++ EventLog.writeEvent(0x534e4554, "213323615", ++ "The package " + pkg.packageName + " seems malicious"); ++ return true; ++ } ++ checkDuplicatePerm.put(name, permissionDefinition); ++ } ++ } ++ return false; ++ } ++ ++ /** ++ * Determines if a duplicate permission is malformed .i.e. defines different protection level ++ * or group. ++ */ ++ private static boolean isMalformedDuplicate(Permission p1, Permission p2) { ++ // Since a permission tree is also added as a permission with normal protection ++ // level, we need to skip if the parsedPermission is a permission tree. 
++ if (p1 == null || p2 == null || p1.tree || p2.tree) { ++ return false; ++ } ++ ++ if (p1.info.getProtection() != p2.info.getProtection()) { ++ return true; ++ } ++ if (!Objects.equals(p1.info.group, p2.info.group)) { ++ return true; ++ } ++ ++ return false; ++ } ++ + private boolean checkOverlayRequiredSystemProperty(String propName, String propValue) { + + if (TextUtils.isEmpty(propName) || TextUtils.isEmpty(propValue)) { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/338347.patch b/Patches/LineageOS-16.0/android_frameworks_base/338347.patch new file mode 100644 index 00000000..cbc4e821 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/338347.patch 
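Review bot: `isMalformedDuplicate` compares only `info.getProtection()` and `info.group`, while the error string set by the caller says "a different attribute value" and the Javadoc says "protection level or group" (with a stray `.i.e.`). As far as I know `getProtection()` returns the base protection level without the protection flags, so two definitions of the same name that differ only in flags, or in any other attribute, are accepted. If that is intended, the Javadoc should say it, e.g. `Determines if a duplicate permission is malformed, i.e. it defines a different base protection level or group; other attributes are not compared.` `declareDuplicatePermission` is public and static, but its Javadoc does not mention that it also writes an event-log entry as a side effect.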
@@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Steven Moreland +Date: Wed, 30 Mar 2022 21:46:29 +0000 +Subject: [PATCH] Parcel: recycle recycles + +Before, it was like getting a used pan with food stuck on it. We run +a clean ship here. You want a Parcel? You get a fresh Parcel. When +we recycle a Parcel, we do a real clean-up job. Air freshener. All +bits brushed over. These Parcel objects are clean as heck now! + +(specifically cleans mClassCookies) + +Bug: 208279300 +Test: build +Merged-In: I250872f5c6796bb64e2dc68008154c0e90feb218 +Change-Id: I250872f5c6796bb64e2dc68008154c0e90feb218 +(cherry picked from commit 46770fa49c9a5e51a5ea5a3afc7aab0dba2e59bd) +(cherry picked from commit b5c79e141a81fa86fc834980d46886ac3c86ab11) +Merged-In: I250872f5c6796bb64e2dc68008154c0e90feb218 +--- + core/java/android/os/Parcel.java | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/core/java/android/os/Parcel.java b/core/java/android/os/Parcel.java +index 460f12510d45..8d44ba1ad625 100644 +--- a/core/java/android/os/Parcel.java ++++ b/core/java/android/os/Parcel.java +@@ -406,6 +406,7 @@ public final class Parcel { + */ + public final void recycle() { + if (DEBUG_RECYCLE) mStack = null; ++ mClassCookies = null; + freeBuffer(); + + final Parcel[] pool; diff --git a/Patches/LineageOS-16.0/android_frameworks_base/338348.patch b/Patches/LineageOS-16.0/android_frameworks_base/338348.patch new file mode 100644 index 00000000..7b42feb2 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/338348.patch 
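Review bot: The added `mClassCookies = null;` in `recycle()` carries no comment, and the reason for it exists only in the commit message. A line such as `// Clear cached class cookies so a pooled Parcel carries no state over from its previous use.` above it would keep the reset from being dropped in a later cleanup. `recycle()` continues past the end of the hunk, so whether other per-use fields are reset there is not visible from here.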
@@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Adrian Roos +Date: Thu, 24 Sep 2020 15:30:46 +0200 +Subject: [PATCH] IMMS: Make IMMS PendingIntents immutable + +Fixes: 154913391 +Test: n/a +Change-Id: I34a95732ef3e7c20d6549b57230c11f0c3db04d6 +Merged-In: I34a95732ef3e7c20d6549b57230c11f0c3db04d6 +(cherry picked from commit d4b625994f7664666ac7b53bf6a7d79a6459b3f1) +(cherry picked from commit 6842f03c9d2f128785df5ce2bd02c61f35226554) +(cherry picked from commit 2b859826165bddb11f17b217d097253c442f6045) +Merged-In: I34a95732ef3e7c20d6549b57230c11f0c3db04d6 +--- + .../java/com/android/server/InputMethodManagerService.java | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/services/core/java/com/android/server/InputMethodManagerService.java b/services/core/java/com/android/server/InputMethodManagerService.java +index 412b314aefbf..e728b0aa92e8 100644 +--- a/services/core/java/com/android/server/InputMethodManagerService.java ++++ b/services/core/java/com/android/server/InputMethodManagerService.java +@@ -1402,7 +1402,8 @@ public class InputMethodManagerService extends IInputMethodManager.Stub + + Intent intent = new Intent(ACTION_SHOW_INPUT_METHOD_PICKER) + .setPackage(mContext.getPackageName()); +- mImeSwitchPendingIntent = PendingIntent.getBroadcast(mContext, 0, intent, 0); ++ mImeSwitchPendingIntent = PendingIntent.getBroadcast(mContext, 0, intent, ++ PendingIntent.FLAG_IMMUTABLE); + + mShowOngoingImeSwitcherForPhones = false; + +@@ -2003,7 +2004,8 @@ public class InputMethodManagerService extends IInputMethodManager.Stub + mCurIntent.putExtra(Intent.EXTRA_CLIENT_LABEL, + com.android.internal.R.string.input_method_binding_label); + mCurIntent.putExtra(Intent.EXTRA_CLIENT_INTENT, PendingIntent.getActivity( +- mContext, 0, new Intent(Settings.ACTION_INPUT_METHOD_SETTINGS), 0)); ++ mContext, 0, new Intent(Settings.ACTION_INPUT_METHOD_SETTINGS), ++ PendingIntent.FLAG_IMMUTABLE)); + if 
(bindCurrentInputMethodServiceLocked(mCurIntent, this, IME_CONNECTION_BIND_FLAGS)) { + mLastBindTime = SystemClock.uptimeMillis(); + mHaveConnection = true; diff --git a/Patches/LineageOS-16.0/android_frameworks_base/338349.patch b/Patches/LineageOS-16.0/android_frameworks_base/338349.patch new file mode 100644 index 00000000..0ce0af7c --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/338349.patch @@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Manjeet Rulhania +Date: Thu, 30 Jun 2022 18:52:50 +0000 +Subject: [PATCH] Remove package name from SafetyNet logs + +Bug: 213323615 +Test: AppSecurityTests +Change-Id: Ia2be2b1e32dc0b75c352bc15219f4c4de9abb45a +Merged-In: I993832e148636f1795ffe393c6dc74a08b9442f8 +Merged-In: I8f823487ca16861a35135cfc3383fa2ce8258017 +Merged-In: I4b61d13256ce0bfb8fc9d21db52ee78ce2097f14 +(cherry picked from commit 50d343c656921ba9c730c68b7a41de6b15f57f03) +Merged-In: Ia2be2b1e32dc0b75c352bc15219f4c4de9abb45a +--- + core/java/android/content/pm/PackageParser.java | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java +index c56dfbe97895..d99302d6696f 100644 +--- a/core/java/android/content/pm/PackageParser.java ++++ b/core/java/android/content/pm/PackageParser.java +@@ -2529,8 +2529,7 @@ public class PackageParser { + final Permission perm = checkDuplicatePerm.get(name); + if (isMalformedDuplicate(permissionDefinition, perm)) { + // Fix for b/213323615 +- EventLog.writeEvent(0x534e4554, "213323615", +- "The package " + pkg.packageName + " seems malicious"); ++ EventLog.writeEvent(0x534e4554, "213323615"); + return true; + } + checkDuplicatePerm.put(name, permissionDefinition); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/342100.patch b/Patches/LineageOS-16.0/android_frameworks_base/342100.patch new file mode 100644 index 00000000..4a7c4b45 
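Review bot: The second `PendingIntent.getActivity(...)` changed by the InputMethodManagerService patch wraps `new Intent(Settings.ACTION_INPUT_METHOD_SETTINGS)`, an implicit intent with no package or component set, unlike the picker intent in the first hunk, which calls `setPackage(mContext.getPackageName())`. `FLAG_IMMUTABLE` is what stops a holder from filling in the unset fields, but nothing in the code says so. I would add `// Immutable: the recipient must not be able to fill in or change fields of the wrapped intent.` above both calls so the flag is not removed later as apparently redundant. Both enclosing methods start and end outside their hunks.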
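Review bot: The replacement call `EventLog.writeEvent(0x534e4554, "213323615");` in PackageParser writes a single string, whereas the other event with the same tag on this page (AbstractThreadedSyncAdapter) uses the form `writeEvent(0x534e4554, "203229608", -1, "")` with uid and message fields. If the log consumer expects that layout, `EventLog.writeEvent(0x534e4554, "213323615", -1, "");` keeps the entry consistent while still omitting the package name. The `// Fix for b/213323615` comment above it could also say that the package name is deliberately not logged, so it is not added back.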
--- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/342100.patch 
@@ -0,0 +1,251 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Julia Reynolds +Date: Fri, 1 Jul 2022 09:49:12 -0400 +Subject: [PATCH] DO NOT MERGE Limit the number of concurrently snoozed + notifications + +Test: atest FrameworksUiServicesTests +Bug: 234441463 +Change-Id: I005b43979d1c708fd505c8b33ae0c8cb03ddbb35 +Merged-In: I005b43979d1c708fd505c8b33ae0c8cb03ddbb35 +(cherry picked from commit 7c38394ae9c69620499a87e629edae4fe0ac4edc) +(cherry picked from commit c38cc3e355718577192da8f544d21fd0be5f6be2) +Merged-In: I005b43979d1c708fd505c8b33ae0c8cb03ddbb35 +--- + .../NotificationManagerService.java | 25 +++++-- + .../server/notification/SnoozeHelper.java | 9 +++ + .../NotificationManagerServiceTest.java | 68 +++++++++++++++++++ + .../server/notification/SnoozeHelperTest.java | 18 +++++ + 4 files changed, 116 insertions(+), 4 deletions(-) + +diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java +index 0dfc0ab0c3e0..acef7148cd2f 100755 +--- a/services/core/java/com/android/server/notification/NotificationManagerService.java ++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java +@@ -4487,13 +4487,17 @@ public class NotificationManagerService extends SystemService { + + @GuardedBy("mNotificationLock") + void snoozeLocked(NotificationRecord r) { ++ final List recordsToSnooze = new ArrayList<>(); + if (r.sbn.isGroup()) { +- final List groupNotifications = findGroupNotificationsLocked( +- r.sbn.getPackageName(), r.sbn.getGroupKey(), r.sbn.getUserId()); ++ final List groupNotifications = ++ findGroupNotificationsLocked(r.sbn.getPackageName(), ++ r.sbn.getGroupKey(), r.sbn.getUserId()); + if (r.getNotification().isGroupSummary()) { + // snooze summary and all children + for (int i = 0; i < groupNotifications.size(); i++) { +- snoozeNotificationLocked(groupNotifications.get(i)); ++ 
if (!mKey.equals(groupNotifications.get(i).getKey())) { ++ recordsToSnooze.add(groupNotifications.get(i)); ++ } + } + } else { + // if there is a valid summary for this group, and we are snoozing the only +@@ -4504,7 +4508,9 @@ public class NotificationManagerService extends SystemService { + } else { + // snooze summary and the one child + for (int i = 0; i < groupNotifications.size(); i++) { +- snoozeNotificationLocked(groupNotifications.get(i)); ++ if (!mKey.equals(groupNotifications.get(i).getKey())) { ++ recordsToSnooze.add(groupNotifications.get(i)); ++ } + } + } + } else { +@@ -4515,6 +4521,17 @@ public class NotificationManagerService extends SystemService { + // just snooze the one notification + snoozeNotificationLocked(r); + } ++ ++ // snooze the notification ++ recordsToSnooze.add(r); ++ ++ if (mSnoozeHelper.canSnooze(recordsToSnooze.size())) { ++ for (int i = 0; i < recordsToSnooze.size(); i++) { ++ snoozeNotificationLocked(recordsToSnooze.get(i)); ++ } ++ } else { ++ Log.w(TAG, "Cannot snooze " + r.getKey() + ": too many snoozed notifications"); ++ } + } + + @GuardedBy("mNotificationLock") +diff --git a/services/core/java/com/android/server/notification/SnoozeHelper.java b/services/core/java/com/android/server/notification/SnoozeHelper.java +index 732a58774b78..fc0962d9ea36 100644 +--- a/services/core/java/com/android/server/notification/SnoozeHelper.java ++++ b/services/core/java/com/android/server/notification/SnoozeHelper.java +@@ -55,6 +55,8 @@ import java.util.Set; + * NotificationManagerService helper for handling snoozed notifications. 
+ */ + public class SnoozeHelper { ++ static final int CONCURRENT_SNOOZE_LIMIT = 500; ++ + private static final String TAG = "SnoozeHelper"; + private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG); + private static final String INDENT = " "; +@@ -89,6 +91,13 @@ public class SnoozeHelper { + mUserProfiles = userProfiles; + } + ++ protected boolean canSnooze(int numberToSnooze) { ++ if ((mPackages.size() + numberToSnooze) > CONCURRENT_SNOOZE_LIMIT) { ++ return false; ++ } ++ return true; ++ } ++ + protected boolean isSnoozed(int userId, String pkg, String key) { + return mSnoozedNotifications.containsKey(userId) + && mSnoozedNotifications.get(userId).containsKey(pkg) +diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +index ed3406fc95b4..9592e1905b54 100644 +--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java ++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +@@ -1799,6 +1799,69 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + assertFalse(mService.hasCompanionDevice(mListener)); + } + ++ @Test ++ public void testSnoozeRunnable_tooManySnoozed_singleNotification() { ++ final NotificationRecord notification = generateNotificationRecord( ++ mTestNotificationChannel, 1, null, true); ++ mService.addNotification(notification); ++ ++ when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true); ++ when(mSnoozeHelper.canSnooze(1)).thenReturn(false); ++ ++ NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable = ++ mService.new SnoozeNotificationRunnable( ++ notification.getKey(), 100, null); ++ snoozeNotificationRunnable.run(); ++ ++ verify(mSnoozeHelper, never()).snooze(any(NotificationRecord.class), anyLong()); ++ 
assertEquals(1, mService.getNotificationRecordCount()); ++ } ++ ++ @Test ++ public void testSnoozeRunnable_tooManySnoozed_singleGroupChildNotification() { ++ final NotificationRecord notification = generateNotificationRecord( ++ mTestNotificationChannel, 1, "group", true); ++ final NotificationRecord notificationChild = generateNotificationRecord( ++ mTestNotificationChannel, 1, "group", false); ++ mService.addNotification(notification); ++ mService.addNotification(notificationChild); ++ ++ when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true); ++ when(mSnoozeHelper.canSnooze(2)).thenReturn(false); ++ ++ NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable = ++ mService.new SnoozeNotificationRunnable( ++ notificationChild.getKey(), 100, null); ++ snoozeNotificationRunnable.run(); ++ ++ verify(mSnoozeHelper, never()).snooze(any(NotificationRecord.class), anyLong()); ++ assertEquals(2, mService.getNotificationRecordCount()); ++ } ++ ++ @Test ++ public void testSnoozeRunnable_tooManySnoozed_summaryNotification() { ++ final NotificationRecord notification = generateNotificationRecord( ++ mTestNotificationChannel, 1, "group", true); ++ final NotificationRecord notificationChild = generateNotificationRecord( ++ mTestNotificationChannel, 12, "group", false); ++ final NotificationRecord notificationChild2 = generateNotificationRecord( ++ mTestNotificationChannel, 13, "group", false); ++ mService.addNotification(notification); ++ mService.addNotification(notificationChild); ++ mService.addNotification(notificationChild2); ++ ++ when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true); ++ when(mSnoozeHelper.canSnooze(3)).thenReturn(false); ++ ++ NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable = ++ mService.new SnoozeNotificationRunnable( ++ notification.getKey(), 100, null); ++ snoozeNotificationRunnable.run(); ++ ++ verify(mSnoozeHelper, never()).snooze(any(NotificationRecord.class), anyLong()); ++ 
assertEquals(3, mService.getNotificationRecordCount()); ++ } ++ + @Test + public void testSnoozeRunnable_snoozeNonGrouped() throws Exception { + final NotificationRecord nonGrouped = generateNotificationRecord( +@@ -1807,6 +1870,7 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + mTestNotificationChannel, 2, "group", false); + mService.addNotification(grouped); + mService.addNotification(nonGrouped); ++ when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true); + + NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable = + mService.new SnoozeNotificationRunnable( +@@ -1829,6 +1893,7 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + mService.addNotification(parent); + mService.addNotification(child); + mService.addNotification(child2); ++ when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true); + + NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable = + mService.new SnoozeNotificationRunnable( +@@ -1850,6 +1915,7 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + mService.addNotification(parent); + mService.addNotification(child); + mService.addNotification(child2); ++ when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true); + + NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable = + mService.new SnoozeNotificationRunnable( +@@ -1869,6 +1935,7 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + mTestNotificationChannel, 2, "group", false); + mService.addNotification(parent); + mService.addNotification(child); ++ when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true); + + NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable = + mService.new SnoozeNotificationRunnable( +@@ -1884,6 +1951,7 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + final NotificationRecord child = generateNotificationRecord( + mTestNotificationChannel, 
2, "group", false); + mService.addNotification(child); ++ when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true); + + NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable = + mService.new SnoozeNotificationRunnable( +diff --git a/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java b/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java +index 7adfbd3cb777..30ec5589d594 100644 +--- a/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java ++++ b/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java +@@ -22,6 +22,8 @@ import org.mockito.ArgumentCaptor; + import org.mockito.Mock; + import org.mockito.MockitoAnnotations; + ++import static com.android.server.notification.SnoozeHelper.CONCURRENT_SNOOZE_LIMIT; ++ + import android.app.AlarmManager; + import android.app.Notification; + import android.app.NotificationChannel; +@@ -101,6 +103,22 @@ public class SnoozeHelperTest extends UiServiceTestCase { + UserHandle.USER_SYSTEM, r.sbn.getPackageName(), r.getKey())); + } + ++ @Test ++ public void testSnoozeLimit() { ++ for (int i = 0; i < CONCURRENT_SNOOZE_LIMIT; i++ ) { ++ NotificationRecord r = getNotificationRecord("pkg", i, i+"", UserHandle.SYSTEM); ++ ++ assertTrue("cannot snooze record " + i, mSnoozeHelper.canSnooze(1)); ++ ++ if (i % 2 == 0) { ++ mSnoozeHelper.snooze(r, 1000); ++ } else { ++ mSnoozeHelper.snooze(r, 9000); ++ } ++ } ++ assertFalse(mSnoozeHelper.canSnooze(1)); ++ } ++ + @Test + public void testCancelByApp() throws Exception { + NotificationRecord r = getNotificationRecord("pkg", 1, "one", UserHandle.SYSTEM); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/344168.patch b/Patches/LineageOS-16.0/android_frameworks_base/344168.patch new file mode 100644 index 00000000..e89ffc76 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/344168.patch 
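Review bot: In the `@@ -4515,6 +4521,17 @@` hunk of NotificationManagerService.java the non-group branch still calls `snoozeNotificationLocked(r);` as an unchanged context line, so a single notification is snoozed before `mSnoozeHelper.canSnooze(...)` is consulted and is then queued again by `recordsToSnooze.add(r)`. That path is not bounded by CONCURRENT_SNOOZE_LIMIT and, when the limit does allow it, snoozes `r` twice; it also contradicts what `testSnoozeRunnable_tooManySnoozed_singleNotification` checks with `never()`. I would delete the retained call under `// just snooze the one notification` so that every record reaches `snoozeNotificationLocked` only through the guarded loop. The grouped branches between the hunks are not visible here and should be checked for the same leftover direct call, since the three hunks show only part of snoozeLocked's body.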
@@ -0,0 +1,102 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Aseem Kumar +Date: Mon, 21 Mar 2022 20:35:20 -0700 +Subject: [PATCH] DO NOT MERGE Move accountname and typeName length check from + Account.java to AccountManagerService. + +Bug: 169762606 +Test: atest AccountManagerServiceTest +Change-Id: I80fabf3a64c55837db98ff316e7e5420129c001b +(cherry picked from commit 3f218c9a5e1f7c3213ceb84c15afca0d3041057b) +Merged-In: I80fabf3a64c55837db98ff316e7e5420129c001b +--- + core/java/android/accounts/Account.java | 7 ------- + .../accounts/AccountManagerService.java | 12 ++++++++++++ + .../accounts/AccountManagerServiceTest.java | 19 +++++++++++++++++++ + 3 files changed, 31 insertions(+), 7 deletions(-) + +diff --git a/core/java/android/accounts/Account.java b/core/java/android/accounts/Account.java +index 1546ae14862d..3f90f36fb2a1 100644 +--- a/core/java/android/accounts/Account.java ++++ b/core/java/android/accounts/Account.java +@@ -28,7 +28,6 @@ import android.util.ArraySet; + import android.util.Log; + import com.android.internal.annotations.GuardedBy; + +-import java.util.Objects; + import java.util.Set; + + /** +@@ -81,12 +80,6 @@ public class Account implements Parcelable { + if (TextUtils.isEmpty(type)) { + throw new IllegalArgumentException("the type must not be empty: " + type); + } +- if (name.length() > 200) { +- throw new IllegalArgumentException("account name is longer than 200 characters"); +- } +- if (type.length() > 200) { +- throw new IllegalArgumentException("account type is longer than 200 characters"); +- } + this.name = name; + this.type = type; + this.accessId = accessId; +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index 9e8464728b9b..4c8acc5ffb63 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ 
b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -1777,6 +1777,14 @@ public class AccountManagerService + if (account == null) { + return false; + } ++ if (account.name != null && account.name.length() > 200) { ++ Log.w(TAG, "Account cannot be added - Name longer than 200 chars"); ++ return false; ++ } ++ if (account.type != null && account.type.length() > 200) { ++ Log.w(TAG, "Account cannot be added - Name longer than 200 chars"); ++ return false; ++ } + if (!isLocalUnlockedUser(accounts.userId)) { + Log.w(TAG, "Account " + account + " cannot be added - user " + accounts.userId + + " is locked. callingUid=" + callingUid); +@@ -1969,6 +1977,10 @@ public class AccountManagerService + + ", pid " + Binder.getCallingPid()); + } + if (accountToRename == null) throw new IllegalArgumentException("account is null"); ++ if (newName != null && newName.length() > 200) { ++ Log.e(TAG, "renameAccount failed - account name longer than 200"); ++ throw new IllegalArgumentException("account name longer than 200"); ++ } + int userId = UserHandle.getCallingUserId(); + if (!isAccountManagedByCaller(accountToRename.type, callingUid, userId)) { + String msg = String.format( +diff --git a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java +index 149ef156a9fa..73267e4868a6 100644 +--- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java ++++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java +@@ -237,6 +237,25 @@ public class AccountManagerServiceTest extends AndroidTestCase { + assertEquals(a31, accounts[1]); + } + ++ @SmallTest ++ public void testCheckAddAccountLongName() throws Exception { ++ unlockSystemUser(); ++ String longString = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ + 
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ + "aaaaa"; ++ Account a11 = new Account(longString, AccountManagerServiceTestFixtures.ACCOUNT_TYPE_1); ++ ++ mAms.addAccountExplicitly(a11, /* password= */ "p11", /* extras= */ null); ++ ++ String[] list = new String[]{AccountManagerServiceTestFixtures.CALLER_PACKAGE}; ++ when(mMockPackageManager.getPackagesForUid(anyInt())).thenReturn(list); ++ Account[] accounts = mAms.getAccountsAsUser(null, ++ UserHandle.getCallingUserId(), mContext.getOpPackageName()); ++ assertEquals(0, accounts.length); ++ } ++ ++ + @SmallTest + public void testPasswords() throws Exception { + unlockSystemUser(); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/344169.patch b/Patches/LineageOS-16.0/android_frameworks_base/344169.patch new file mode 100644 index 00000000..7fbd5088 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/344169.patch 
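Review bot: The `account.type` length check in the `@@ -1777,6 +1777,14 @@` hunk of AccountManagerService.java logs the same text as the name check above it, so an over-long type is reported as a name problem; it should read `Log.w(TAG, "Account cannot be added - Type longer than 200 chars");`. The literal 200 now appears three times in this file, and a shared constant (for example `private static final int MAX_ACCOUNT_FIELD_LENGTH = 200;`, a name constructed for this note) would keep the add and rename paths in step. Because the constructor check in Account.java is removed, any other service entry point that accepts an Account from a caller is presumably no longer length-limited, which is worth confirming against the code outside these hunks.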
@@ -0,0 +1,141 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Thu, 23 Jun 2022 14:27:43 -0700 +Subject: [PATCH] switch TelecomManager List getters to ParceledListSlice + +It was shown that given a large phoneAccountHandles that are +over 1 mb, a TransactionTooLarge exception can be silently thrown +causing an empty list to be returned. + +In order to prevent this behavior, all Lists that return a +PhoneAccountHandle or PhoneAccount have been switched to +ParceledListSlice. + +bug: 236263294 +Test: atest android.telecom.cts.PhoneAccountRegistrarTest + #testRegisterPhoneAccountHandleWithFieldOverLimit +Change-Id: I025245b2a6f8cfaca86f268851a9d8f0817e07dd +Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd +(cherry picked from commit 773cddde3d522606ff032fe8e432321c70edca09) +Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd +--- + telecomm/java/android/telecom/TelecomManager.java | 14 ++++++++------ + .../android/internal/telecom/ITelecomService.aidl | 13 +++++++------ + 2 files changed, 15 insertions(+), 12 deletions(-) + +diff --git a/telecomm/java/android/telecom/TelecomManager.java b/telecomm/java/android/telecom/TelecomManager.java +index 6b00a495668c..ae97db00507d 100644 +--- a/telecomm/java/android/telecom/TelecomManager.java ++++ b/telecomm/java/android/telecom/TelecomManager.java +@@ -831,7 +831,7 @@ public class TelecomManager { + try { + if (isServiceConnected()) { + return getTelecomService().getPhoneAccountsSupportingScheme(uriScheme, +- mContext.getOpPackageName()); ++ mContext.getOpPackageName()).getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getPhoneAccountsSupportingScheme", e); +@@ -873,7 +873,8 @@ public class TelecomManager { + public List getSelfManagedPhoneAccounts() { + try { + if (isServiceConnected()) { +- return getTelecomService().getSelfManagedPhoneAccounts(mContext.getOpPackageName()); ++ return getTelecomService() ++ 
.getSelfManagedPhoneAccounts(mContext.getOpPackageName()).getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getSelfManagedPhoneAccounts()", e); +@@ -892,7 +893,7 @@ public class TelecomManager { + try { + if (isServiceConnected()) { + return getTelecomService().getCallCapablePhoneAccounts( +- includeDisabledAccounts, mContext.getOpPackageName()); ++ includeDisabledAccounts, mContext.getOpPackageName()).getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getCallCapablePhoneAccounts(" + +@@ -912,7 +913,8 @@ public class TelecomManager { + public List getPhoneAccountsForPackage() { + try { + if (isServiceConnected()) { +- return getTelecomService().getPhoneAccountsForPackage(mContext.getPackageName()); ++ return getTelecomService() ++ .getPhoneAccountsForPackage(mContext.getPackageName()).getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getPhoneAccountsForPackage", e); +@@ -966,7 +968,7 @@ public class TelecomManager { + public List getAllPhoneAccounts() { + try { + if (isServiceConnected()) { +- return getTelecomService().getAllPhoneAccounts(); ++ return getTelecomService().getAllPhoneAccounts().getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getAllPhoneAccounts", e); +@@ -984,7 +986,7 @@ public class TelecomManager { + public List getAllPhoneAccountHandles() { + try { + if (isServiceConnected()) { +- return getTelecomService().getAllPhoneAccountHandles(); ++ return getTelecomService().getAllPhoneAccountHandles().getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getAllPhoneAccountHandles", e); +diff --git a/telecomm/java/com/android/internal/telecom/ITelecomService.aidl b/telecomm/java/com/android/internal/telecom/ITelecomService.aidl +index b4e7d56bc642..5169a7d24093 100644 +--- a/telecomm/java/com/android/internal/telecom/ITelecomService.aidl ++++ 
b/telecomm/java/com/android/internal/telecom/ITelecomService.aidl +@@ -23,6 +23,7 @@ import android.telecom.PhoneAccountHandle; + import android.net.Uri; + import android.os.Bundle; + import android.telecom.PhoneAccount; ++import android.content.pm.ParceledListSlice; + + /** + * Interface used to interact with Telecom. Mostly this is used by TelephonyManager for passing +@@ -55,24 +56,24 @@ interface ITelecomService { + /** + * @see TelecomServiceImpl#getCallCapablePhoneAccounts + */ +- List getCallCapablePhoneAccounts( ++ ParceledListSlice getCallCapablePhoneAccounts( + boolean includeDisabledAccounts, String callingPackage); + + /** + * @see TelecomServiceImpl#getSelfManagedPhoneAccounts + */ +- List getSelfManagedPhoneAccounts(String callingPackage); ++ ParceledListSlice getSelfManagedPhoneAccounts(String callingPackage); + + /** + * @see TelecomManager#getPhoneAccountsSupportingScheme + */ +- List getPhoneAccountsSupportingScheme(in String uriScheme, ++ ParceledListSlice getPhoneAccountsSupportingScheme(in String uriScheme, + String callingPackage); + + /** + * @see TelecomManager#getPhoneAccountsForPackage + */ +- List getPhoneAccountsForPackage(in String packageName); ++ ParceledListSlice getPhoneAccountsForPackage(in String packageName); + + /** + * @see TelecomManager#getPhoneAccount +@@ -87,12 +88,12 @@ interface ITelecomService { + /** + * @see TelecomManager#getAllPhoneAccounts + */ +- List getAllPhoneAccounts(); ++ ParceledListSlice getAllPhoneAccounts(); + + /** + * @see TelecomManager#getAllPhoneAccountHandles + */ +- List getAllPhoneAccountHandles(); ++ ParceledListSlice getAllPhoneAccountHandles(); + + /** + * @see TelecomServiceImpl#getSimCallManager diff --git a/Patches/LineageOS-16.0/android_frameworks_base/344170.patch b/Patches/LineageOS-16.0/android_frameworks_base/344170.patch new file mode 100644 index 00000000..775c084d --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/344170.patch 
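Review bot: Each rewritten getter in TelecomManager.java now dereferences the binder result directly, e.g. `getTelecomService().getAllPhoneAccounts().getList()`, and the surrounding `catch (RemoteException e)` would not cover a null slice. Whether the service can return null is not visible here, because the implementation named in the `@see TelecomServiceImpl#...` comments is outside this patch. If it can, a guard of the form `slice == null ? Collections.emptyList() : slice.getList()` keeps the getters returning a list instead of throwing. The AIDL return types change in the same patch, so this file presumably only builds together with the matching service-side change.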
@@ -0,0 +1,84 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Louis Chang +Date: Tue, 2 Aug 2022 03:33:39 +0000 +Subject: [PATCH] Do not send new Intent to non-exported activity when + navigateUpTo + +The new Intent was delivered to a non-exported activity while +'#navigateUpTo was called from an Activity of a different uid. + +Backport to pie: + * services/core/java/com/android/server/am directory (not wm) + * back port of getPid() method + +Bug: 238605611 +Test: atest StartActivityTests +Change-Id: I854dd825bfd9a2c08851980d480d1f3a177af6cf +Merged-In: I854dd825bfd9a2c08851980d480d1f3a177af6cf +(cherry picked from commit b9a934064598aa655fab4ce75c8eab6165409670) +Merged-In: I854dd825bfd9a2c08851980d480d1f3a177af6cf +--- + .../com/android/server/am/ActivityRecord.java | 4 ++++ + .../com/android/server/am/ActivityStack.java | 18 +++++++++++++++++- + .../com/android/server/am/ProcessRecord.java | 4 ++++ + 3 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/services/core/java/com/android/server/am/ActivityRecord.java b/services/core/java/com/android/server/am/ActivityRecord.java +index 2c5b8568515f..089a3984a480 100644 +--- a/services/core/java/com/android/server/am/ActivityRecord.java ++++ b/services/core/java/com/android/server/am/ActivityRecord.java +@@ -2922,6 +2922,10 @@ final class ActivityRecord extends ConfigurationContainer implements AppWindowCo + return info.applicationInfo.uid; + } + ++ int getPid() { ++ return app != null ? 
app.getPid() : 0; ++ } ++ + void setShowWhenLocked(boolean showWhenLocked) { + mShowWhenLocked = showWhenLocked; + mStackSupervisor.ensureActivitiesVisibleLocked(null, 0 /* configChanges */, +diff --git a/services/core/java/com/android/server/am/ActivityStack.java b/services/core/java/com/android/server/am/ActivityStack.java +index dddcc9e466a4..68af5184dec0 100644 +--- a/services/core/java/com/android/server/am/ActivityStack.java ++++ b/services/core/java/com/android/server/am/ActivityStack.java +@@ -4008,7 +4008,23 @@ class ActivityStack extends ConfigurationContai + parentLaunchMode == ActivityInfo.LAUNCH_SINGLE_TASK || + parentLaunchMode == ActivityInfo.LAUNCH_SINGLE_TOP || + (destIntentFlags & Intent.FLAG_ACTIVITY_CLEAR_TOP) != 0) { +- parent.deliverNewIntentLocked(callingUid, destIntent, srec.packageName); ++ boolean abort; ++ try { ++ final int callingPid = srec.app != null ? srec.app.getPid() : 0; ++ abort = !mStackSupervisor.checkStartAnyActivityPermission(destIntent, ++ parent.info, null /* resultWho */, -1 /* requestCode */, callingPid, ++ callingUid, srec.info.packageName, false /* ignoreTargetSecurity */, ++ false /* launchingInTask */, srec.app, null /* resultRecord */, ++ null /* resultRootTask */); ++ } catch (SecurityException e) { ++ abort = true; ++ } ++ if (abort) { ++ android.util.EventLog.writeEvent(0x534e4554, "238605611", callingUid, ""); ++ foundParentInTask = false; ++ } else { ++ parent.deliverNewIntentLocked(callingUid, destIntent, srec.packageName); ++ } + } else { + try { + ActivityInfo aInfo = AppGlobals.getPackageManager().getActivityInfo( +diff --git a/services/core/java/com/android/server/am/ProcessRecord.java b/services/core/java/com/android/server/am/ProcessRecord.java +index e3e839f63172..b15cf6a606cc 100644 +--- a/services/core/java/com/android/server/am/ProcessRecord.java ++++ b/services/core/java/com/android/server/am/ProcessRecord.java +@@ -520,6 +520,10 @@ final class ProcessRecord { + stringName = null; + } + ++ public int 
getPid() { ++ return pid; ++ } ++ + public void makeActive(IApplicationThread _thread, ProcessStatsService tracker) { + if (thread == null) { + final ProcessState origBase = baseProcessTracker; diff --git a/Patches/LineageOS-16.0/android_frameworks_base/344171.patch b/Patches/LineageOS-16.0/android_frameworks_base/344171.patch new file mode 100644 index 00000000..e9145bbb --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/344171.patch 
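Review bot: The ActivityStack.java hunk recomputes the caller pid inline with `srec.app != null ? srec.app.getPid() : 0`, although this same patch adds `ActivityRecord.getPid()` with exactly that body and nothing visible in the patch calls the new helper. Using `final int callingPid = srec.getPid();` removes the duplicate and gives the added method a caller. The `catch (SecurityException e) { abort = true; }` branch discards the exception without explanation; a comment such as `// Permission denied: behave as if no parent was found so no Intent is delivered` would record why `foundParentInTask` is cleared. The enclosing method starts and ends outside the hunk.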
@@ -0,0 +1,57 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Norman +Date: Fri, 12 Aug 2022 11:40:41 -0700 +Subject: [PATCH] Do not send AccessibilityEvent if notification is for + different user. + +Bug: 237540408 +Test: BuzzBeepBlinkTest#testA11yCrossUserEventNotSent +Change-Id: I62a875e26e214847ec72ce3c41b4f2fa8e597e07 +Merged-In: I62a875e26e214847ec72ce3c41b4f2fa8e597e07 +(cherry picked from commit 18f2ec86d680bff26ce9248061878894ad16e05f) +Merged-In: I62a875e26e214847ec72ce3c41b4f2fa8e597e07 +--- + .../notification/NotificationManagerService.java | 3 ++- + .../server/notification/BuzzBeepBlinkTest.java | 15 +++++++++++++++ + 2 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java +index acef7148cd2f..a53f2aec436c 100755 +--- a/services/core/java/com/android/server/notification/NotificationManagerService.java ++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java +@@ -4985,7 +4985,8 @@ public class NotificationManagerService extends SystemService { + boolean sentAccessibilityEvent = false; + // If the notification will appear in the status bar, it should send an accessibility + // event +- if (!record.isUpdate && record.getImportance() > IMPORTANCE_MIN) { ++ if (!record.isUpdate && record.getImportance() > IMPORTANCE_MIN ++ && isNotificationForCurrentUser(record)) { + sendAccessibilityEvent(record); + sentAccessibilityEvent = true; + } +diff --git a/services/tests/uiservicestests/src/com/android/server/notification/BuzzBeepBlinkTest.java b/services/tests/uiservicestests/src/com/android/server/notification/BuzzBeepBlinkTest.java +index 3b3f128b6ca5..feae34dcb68c 100644 +--- a/services/tests/uiservicestests/src/com/android/server/notification/BuzzBeepBlinkTest.java ++++ 
b/services/tests/uiservicestests/src/com/android/server/notification/BuzzBeepBlinkTest.java +@@ -1102,6 +1102,21 @@ public class BuzzBeepBlinkTest extends UiServiceTestCase { + verify(mAccessibilityService, times(1)).sendAccessibilityEvent(any(), anyInt()); + } + ++ @Test ++ public void testA11yCrossUserEventNotSent() throws Exception { ++ final Notification n = new Builder(getContext(), "test") ++ .setSmallIcon(android.R.drawable.sym_def_app_icon).build(); ++ int userId = mUser.getIdentifier() + 1; ++ StatusBarNotification sbn = new StatusBarNotification(mPkg, mPkg, 0, mTag, mUid, ++ mPid, n, UserHandle.of(userId), null, System.currentTimeMillis()); ++ NotificationRecord r = new NotificationRecord(getContext(), sbn, ++ new NotificationChannel("test", "test", IMPORTANCE_HIGH)); ++ ++ mService.buzzBeepBlinkLocked(r); ++ ++ verify(mAccessibilityService, never()).sendAccessibilityEvent(any(), anyInt()); ++ } ++ + @Test + public void testLightsScreenOn() { + mService.mScreenOn = true; diff --git a/Patches/LineageOS-16.0/android_frameworks_base/344172.patch b/Patches/LineageOS-16.0/android_frameworks_base/344172.patch new file mode 100644 index 00000000..f08d80b1 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/344172.patch 
@@ -0,0 +1,126 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Yuri Lin +Date: Mon, 29 Aug 2022 17:40:14 -0400 +Subject: [PATCH] Trim any long string inputs that come in to AutomaticZenRule + +This change both prevents any rules from being unable to be written to +disk and also avoids risk of running out of memory while handling all +the zen rules. + +Bug: 242703460 +Bug: 242703505 +Bug: 242703780 +Bug: 242704043 +Bug: 243794204 +Test: cts AutomaticZenRuleTest; atest android.app.AutomaticZenRuleTest; +manually confirmed each exploit example either saves the rule +successfully with a truncated string (in the case of name & conditionId) +or may fail to save the rule at all (if the owner/configactivity is invalid). +Additionally ran the memory-exhausting PoC without device crashes. + +Change-Id: I110172a43f28528dd274b3b346eb29c3796ff2c6 +Merged-In: I110172a43f28528dd274b3b346eb29c3796ff2c6 +(cherry picked from commit de172ba0d434c940be9e2aad8685719731ab7da2) +(cherry picked from commit c4b2c877ec28e2473104d9fcdcf321bd81da881b) +Merged-In: I110172a43f28528dd274b3b346eb29c3796ff2c6 +--- + core/java/android/app/AutomaticZenRule.java | 50 ++++++++++++++++++--- + 1 file changed, 43 insertions(+), 7 deletions(-) + +diff --git a/core/java/android/app/AutomaticZenRule.java b/core/java/android/app/AutomaticZenRule.java +index cd4ace669b6c..29dd91ec1ad6 100644 +--- a/core/java/android/app/AutomaticZenRule.java ++++ b/core/java/android/app/AutomaticZenRule.java +@@ -36,6 +36,13 @@ public final class AutomaticZenRule implements Parcelable { + private ComponentName owner; + private long creationTime; + ++ /** ++ * The maximum string length for any string contained in this automatic zen rule. This pertains ++ * both to fields in the rule itself (such as its name) and items with sub-fields. ++ * @hide ++ */ ++ public static final int MAX_STRING_LENGTH = 1000; ++ + /** + * Creates an automatic zen rule. 
+ * +@@ -50,9 +57,9 @@ public final class AutomaticZenRule implements Parcelable { + */ + public AutomaticZenRule(String name, ComponentName owner, Uri conditionId, + int interruptionFilter, boolean enabled) { +- this.name = name; +- this.owner = owner; +- this.conditionId = conditionId; ++ this.name = getTrimmedString(name); ++ this.owner = getTrimmedComponentName(owner); ++ this.conditionId = getTrimmedUri(conditionId); + this.interruptionFilter = interruptionFilter; + this.enabled = enabled; + } +@@ -70,11 +77,11 @@ public final class AutomaticZenRule implements Parcelable { + public AutomaticZenRule(Parcel source) { + enabled = source.readInt() == 1; + if (source.readInt() == 1) { +- name = source.readString(); ++ name = getTrimmedString(source.readString()); + } + interruptionFilter = source.readInt(); + conditionId = source.readParcelable(null); +- owner = source.readParcelable(null); ++ owner = getTrimmedComponentName(source.readParcelable(null)); + creationTime = source.readLong(); + } + +@@ -124,7 +131,7 @@ public final class AutomaticZenRule implements Parcelable { + * Sets the representation of the state that causes this rule to become active. + */ + public void setConditionId(Uri conditionId) { +- this.conditionId = conditionId; ++ this.conditionId = getTrimmedUri(conditionId); + } + + /** +@@ -139,7 +146,7 @@ public final class AutomaticZenRule implements Parcelable { + * Sets the name of this rule. + */ + public void setName(String name) { +- this.name = name; ++ this.name = getTrimmedString(name); + } + + /** +@@ -210,4 +217,33 @@ public final class AutomaticZenRule implements Parcelable { + return new AutomaticZenRule[size]; + } + }; ++ ++ /** ++ * If the package or class name of the provided ComponentName are longer than MAX_STRING_LENGTH, ++ * return a trimmed version that truncates each of the package and class name at the max length. 
++ */ ++ private static ComponentName getTrimmedComponentName(ComponentName cn) { ++ if (cn == null) return null; ++ return new ComponentName(getTrimmedString(cn.getPackageName()), ++ getTrimmedString(cn.getClassName())); ++ } ++ /** ++ * Returns a truncated copy of the string if the string is longer than MAX_STRING_LENGTH. ++ */ ++ private static String getTrimmedString(String input) { ++ if (input != null && input.length() > MAX_STRING_LENGTH) { ++ return input.substring(0, MAX_STRING_LENGTH); ++ } ++ return input; ++ } ++ /** ++ * Returns a truncated copy of the Uri by trimming the string representation to the maximum ++ * string length. ++ */ ++ private static Uri getTrimmedUri(Uri input) { ++ if (input != null && input.toString().length() > MAX_STRING_LENGTH) { ++ return Uri.parse(getTrimmedString(input.toString())); ++ } ++ return input; ++ } + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/344173.patch b/Patches/LineageOS-16.0/android_frameworks_base/344173.patch new file mode 100644 index 00000000..9237dc9f --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/344173.patch 
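Review bot: The Parcel constructor still assigns `conditionId = source.readParcelable(null);` untrimmed; it is an unchanged context line in the `@@ -70,11 +77,11 @@` hunk, while `name` and `owner` in the same constructor now go through the trimming helpers. A rule rebuilt from a Parcel therefore keeps a condition Uri of any length, which is the kind of input the commit message says it wants bounded. Changing the line to `conditionId = getTrimmedUri(source.readParcelable(null));` closes that path the same way `setConditionId` and the public constructor already do.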
@@ -0,0 +1,202 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ivan Chiang +Date: Mon, 15 Aug 2022 15:09:33 +0800 +Subject: [PATCH] Check permission for VoiceInteraction + +The service must have the CAPTURE_AUDIO_HOTWORD permission to access +AlwaysOnHotwordDetector. If it doesn't have the permission, return +STATE_HARDWARE_UNAVAILABLE state. If it is not granted the +RECORD_AUDIO permisison, it also can't start to recognize the audio. + +Test: manual +Test: atest CtsVoiceInteractionTestCases +Test: atest CtsAssistTestCases +Bug: 229793943 +Change-Id: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb +Merged-In: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb +(cherry picked from commit e4e77f45700bcbc56aa6d6ffc094e0e0ae78190a) +Merged-In: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb +--- + .../voice/AlwaysOnHotwordDetector.java | 40 ++++++++++++++++++- + .../voice/VoiceInteractionService.java | 2 +- + .../VoiceInteractionManagerService.java | 14 +++++++ + 3 files changed, 53 insertions(+), 3 deletions(-) + +diff --git a/core/java/android/service/voice/AlwaysOnHotwordDetector.java b/core/java/android/service/voice/AlwaysOnHotwordDetector.java +index 76d89ef039c8..350a4169287f 100644 +--- a/core/java/android/service/voice/AlwaysOnHotwordDetector.java ++++ b/core/java/android/service/voice/AlwaysOnHotwordDetector.java +@@ -16,11 +16,14 @@ + + package android.service.voice; + ++import android.Manifest; + import android.annotation.IntDef; + import android.annotation.NonNull; + import android.annotation.Nullable; + import android.app.Activity; ++import android.content.Context; + import android.content.Intent; ++import android.content.pm.PackageManager; + import android.hardware.soundtrigger.IRecognitionStatusCallback; + import android.hardware.soundtrigger.KeyphraseEnrollmentInfo; + import android.hardware.soundtrigger.KeyphraseMetadata; +@@ -194,8 +197,10 @@ public class AlwaysOnHotwordDetector { + private final Callback mExternalCallback; + private 
final Object mLock = new Object(); + private final Handler mHandler; ++ private final Context mContext; + + private int mAvailability = STATE_NOT_READY; ++ private boolean mIsGrantedHotwordPermission; + + /** + * Additional payload for {@link Callback#onDetected}. +@@ -322,19 +327,32 @@ public class AlwaysOnHotwordDetector { + public abstract void onRecognitionResumed(); + } + ++ private static boolean hasHotwordPermission(Context context) { ++ return context.checkSelfPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD) ++ == PackageManager.PERMISSION_GRANTED; ++ } ++ ++ private static boolean hasRecordAudioPermission(Context context) { ++ return context.checkSelfPermission(Manifest.permission.RECORD_AUDIO) ++ == PackageManager.PERMISSION_GRANTED; ++ } ++ + /** ++ * @param context The context to check permission + * @param text The keyphrase text to get the detector for. + * @param locale The java locale for the detector. + * @param callback A non-null Callback for receiving the recognition events. ++ * @param keyphraseEnrollmentInfo The Enrollment info of key phrase + * @param voiceInteractionService The current voice interaction service. + * @param modelManagementService A service that allows management of sound models. 
+ * + * @hide + */ +- public AlwaysOnHotwordDetector(String text, Locale locale, Callback callback, ++ public AlwaysOnHotwordDetector(Context context, String text, Locale locale, Callback callback, + KeyphraseEnrollmentInfo keyphraseEnrollmentInfo, + IVoiceInteractionService voiceInteractionService, + IVoiceInteractionManagerService modelManagementService) { ++ mContext = context; + mText = text; + mLocale = locale; + mKeyphraseEnrollmentInfo = keyphraseEnrollmentInfo; +@@ -344,6 +362,7 @@ public class AlwaysOnHotwordDetector { + mInternalCallback = new SoundTriggerListener(mHandler); + mVoiceInteractionService = voiceInteractionService; + mModelManagementService = modelManagementService; ++ mIsGrantedHotwordPermission = hasHotwordPermission(mContext); + new RefreshAvailabiltyTask().execute(); + } + +@@ -400,6 +419,12 @@ public class AlwaysOnHotwordDetector { + */ + public boolean startRecognition(@RecognitionFlags int recognitionFlags) { + if (DBG) Slog.d(TAG, "startRecognition(" + recognitionFlags + ")"); ++ ++ if (!mIsGrantedHotwordPermission || !hasRecordAudioPermission(mContext)) { ++ throw new IllegalStateException("Must have the RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD " ++ + "permissions to access the detector."); ++ } ++ + synchronized (mLock) { + if (mAvailability == STATE_INVALID) { + throw new IllegalStateException("startRecognition called on an invalid detector"); +@@ -428,6 +453,12 @@ public class AlwaysOnHotwordDetector { + */ + public boolean stopRecognition() { + if (DBG) Slog.d(TAG, "stopRecognition()"); ++ ++ if (!mIsGrantedHotwordPermission || !hasRecordAudioPermission(mContext)) { ++ throw new IllegalStateException("Must have the RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD " ++ + "permissions to access the detector."); ++ } ++ + synchronized (mLock) { + if (mAvailability == STATE_INVALID) { + throw new IllegalStateException("stopRecognition called on an invalid detector"); +@@ -544,7 +575,8 @@ public class AlwaysOnHotwordDetector { + synchronized 
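Review bot: `stopRecognition()` now throws `IllegalStateException` when RECORD_AUDIO is not granted, so a service that loses the permission after `startRecognition()` can no longer stop its session through this method. Whether an active recognition is torn down elsewhere on revocation is not visible in these hunks and should be confirmed. The Javadoc of both methods (outside the hunks) should gain `@throws IllegalStateException if the service lacks RECORD_AUDIO or CAPTURE_AUDIO_HOTWORD`. The field would also benefit from a comment, `// CAPTURE_AUDIO_HOTWORD is read once in the constructor; RECORD_AUDIO is re-checked on each call.`, because the two permissions are checked differently.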
(mLock) { + if (mAvailability == STATE_INVALID + || mAvailability == STATE_HARDWARE_UNAVAILABLE +- || mAvailability == STATE_KEYPHRASE_UNSUPPORTED) { ++ || mAvailability == STATE_KEYPHRASE_UNSUPPORTED ++ || !hasRecordAudioPermission(mContext)) { + Slog.w(TAG, "Received onSoundModelsChanged for an unsupported keyphrase/config"); + return; + } +@@ -715,6 +747,10 @@ public class AlwaysOnHotwordDetector { + * @return The initial availability without checking the enrollment status. + */ + private int internalGetInitialAvailability() { ++ if (!mIsGrantedHotwordPermission) { ++ return STATE_HARDWARE_UNAVAILABLE; ++ } ++ + synchronized (mLock) { + // This detector has already been invalidated. + if (mAvailability == STATE_INVALID) { +diff --git a/core/java/android/service/voice/VoiceInteractionService.java b/core/java/android/service/voice/VoiceInteractionService.java +index 8f79bcffa776..409d8ddddc2d 100644 +--- a/core/java/android/service/voice/VoiceInteractionService.java ++++ b/core/java/android/service/voice/VoiceInteractionService.java +@@ -272,7 +272,7 @@ public class VoiceInteractionService extends Service { + synchronized (mLock) { + // Allow only one concurrent recognition via the APIs. 
+ safelyShutdownHotwordDetector(); +- mHotwordDetector = new AlwaysOnHotwordDetector(keyphrase, locale, callback, ++ mHotwordDetector = new AlwaysOnHotwordDetector(this, keyphrase, locale, callback, + mKeyphraseEnrollmentInfo, mInterface, mSystemService); + } + return mHotwordDetector; +diff --git a/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java b/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java +index 44f55511f940..e6e3ef372e28 100644 +--- a/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java ++++ b/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java +@@ -902,6 +902,9 @@ public class VoiceInteractionManagerService extends SystemService { + + @Override + public ModuleProperties getDspModuleProperties(IVoiceInteractionService service) { ++ // Allow the call if it is granted CAPTURE_AUDIO_HOTWORD. ++ enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD); ++ + // Allow the call if this is the current voice interaction service. + synchronized (this) { + if (mImpl == null || mImpl.mService == null +@@ -923,6 +926,9 @@ public class VoiceInteractionManagerService extends SystemService { + public int startRecognition(IVoiceInteractionService service, int keyphraseId, + String bcp47Locale, IRecognitionStatusCallback callback, + RecognitionConfig recognitionConfig) { ++ // Allow the call if it is granted RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD. ++ enforceAlwaysOnHotwordPermissions(); ++ + // Allow the call if this is the current voice interaction service. 
+ synchronized (this) { + if (mImpl == null || mImpl.mService == null +@@ -963,6 +969,9 @@ public class VoiceInteractionManagerService extends SystemService { + @Override + public int stopRecognition(IVoiceInteractionService service, int keyphraseId, + IRecognitionStatusCallback callback) { ++ // Allow the call if it is granted RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD. ++ enforceAlwaysOnHotwordPermissions(); ++ + // Allow the call if this is the current voice interaction service. + synchronized (this) { + if (mImpl == null || mImpl.mService == null +@@ -1172,6 +1181,11 @@ public class VoiceInteractionManagerService extends SystemService { + mSoundTriggerInternal.dump(fd, pw, args); + } + ++ private void enforceAlwaysOnHotwordPermissions() { ++ enforceCallingPermission(Manifest.permission.RECORD_AUDIO); ++ enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD); ++ } ++ + private void enforceCallingPermission(String permission) { + if (mContext.checkCallingOrSelfPermission(permission) + != PackageManager.PERMISSION_GRANTED) { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/344174.patch b/Patches/LineageOS-16.0/android_frameworks_base/344174.patch new file mode 100644 index 00000000..ac928ba5 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/344174.patch 
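Review bot: `enforceAlwaysOnHotwordPermissions()` delegates to `enforceCallingPermission`, whose visible first lines call `mContext.checkCallingOrSelfPermission(permission)`; that variant falls back to the service's own permissions when no IPC is being handled, so the new gate only constrains binder callers. The added comments read `// Allow the call if it is granted …`, yet the code rejects callers rather than allowing them, and the current-service check that follows must still pass as well. A comment such as `// Reject callers lacking RECORD_AUDIO or CAPTURE_AUDIO_HOTWORD before the current-service check.` would describe the behaviour more accurately. The body of `enforceCallingPermission` continues outside the hunk.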
@@ -0,0 +1,353 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Matt Pietal +Date: Thu, 18 Aug 2022 12:04:43 +0000 +Subject: [PATCH] Do not dismiss keyguard after SIM PUK unlock + +After PUK unlock, multiple calls to +KeyguardSecurityContainerController#dismiss() were being called from +the KeyguardSimPukViewController, which begins the transition to the +next security screen, if any. At the same time, other parts of the +system, also listening to SIM events, recognize the PUK unlock and +call KeyguardSecurityContainer#showSecurityScreen, which updates which +security method comes next. After boot, this should be one of PIN, +Password, Pattern, assuming they have a security method. If one of the +first dismiss() calls comes AFTER the security method changes, this is +incorrectly recognized by the code as a successful +PIN/pattern/password unlock. This causes the keyguard to be marked as +done, causing screen flickers and incorrect system state. + +The solution: every call to dismiss() should include a new parameter +for the security method used. If there is a difference between this +parameter and the current value in KeyguardSecurityContainerCallback, +ignore the request, as the system state has changed. 
+ +Bug: 218500036 +Test: atest KeyguardSecurityContainerTest + +Merged-In: I7c8714a177bc85fbce92f6e8fe911f74ca2ac243 +Change-Id: I30226bc7b5eda9480d471b35fe81e106b0491ff8 +(cherry picked from commit a30148b8a40a36cababba1ff434d053cfd7dd6e3) +Merged-In: I30226bc7b5eda9480d471b35fe81e106b0491ff8 +--- + .../keyguard/KeyguardAbsKeyInputView.java | 4 ++- + .../android/keyguard/KeyguardHostView.java | 13 +++++--- + .../com/android/keyguard/KeyguardPINView.java | 6 ++++ + .../keyguard/KeyguardPasswordView.java | 6 ++++ + .../android/keyguard/KeyguardPatternView.java | 3 +- + .../keyguard/KeyguardSecurityCallback.java | 5 ++- + .../keyguard/KeyguardSecurityContainer.java | 32 +++++++++++++++---- + .../android/keyguard/KeyguardSimPinView.java | 10 +++++- + .../android/keyguard/KeyguardSimPukView.java | 12 +++++-- + 9 files changed, 73 insertions(+), 18 deletions(-) + +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java +index c3119793eaf5..959da444cee7 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java +@@ -29,6 +29,7 @@ import android.view.KeyEvent; + import android.view.View; + import android.widget.LinearLayout; + ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + import com.android.internal.util.LatencyTracker; + import com.android.internal.widget.LockPatternChecker; + import com.android.internal.widget.LockPatternUtils; +@@ -92,6 +93,7 @@ public abstract class KeyguardAbsKeyInputView extends LinearLayout + + protected abstract int getPasswordTextViewId(); + protected abstract void resetState(); ++ protected abstract SecurityMode getSecurityMode(); + + @Override + protected void onFinishInflate() { +@@ -191,7 +193,7 @@ public abstract class KeyguardAbsKeyInputView extends LinearLayout + mCallback.reportUnlockAttempt(userId, true, 0); + 
if (dismissKeyguard) { + mDismissing = true; +- mCallback.dismiss(true, userId); ++ mCallback.dismiss(true, userId, getSecurityMode()); + } + } else { + if (isValidPassword) { +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java +index aa0bcc5cf2b8..27e7d79bd6f5 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java +@@ -89,7 +89,7 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback { + // the user proved presence via some other way to the trust agent. + Log.i(TAG, "TrustAgent dismissed Keyguard."); + } +- dismiss(false /* authenticated */, userId); ++ dismiss(false /* authenticated */, userId, SecurityMode.Invalid); + } else { + mViewMediatorCallback.playTrustedSound(); + } +@@ -189,12 +189,13 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback { + * @return True if the keyguard is done. 
+ */ + public boolean dismiss(int targetUserId) { +- return dismiss(false, targetUserId); ++ return dismiss(false, targetUserId, getCurrentSecurityMode()); + } + + public boolean handleBackKey() { + if (mSecurityContainer.getCurrentSecuritySelection() != SecurityMode.None) { +- mSecurityContainer.dismiss(false, KeyguardUpdateMonitor.getCurrentUser()); ++ mSecurityContainer.dismiss(false, KeyguardUpdateMonitor.getCurrentUser(), ++ getCurrentSecurityMode()); + return true; + } + return false; +@@ -205,8 +206,10 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback { + } + + @Override +- public boolean dismiss(boolean authenticated, int targetUserId) { +- return mSecurityContainer.showNextSecurityScreenOrFinish(authenticated, targetUserId); ++ public boolean dismiss(boolean authenticated, int targetUserId, ++ SecurityMode expectedSecurityMode) { ++ return mSecurityContainer.showNextSecurityScreenOrFinish(authenticated, targetUserId, ++ expectedSecurityMode); + } + + /** +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java +index 4058d3e0f6c0..c75997a89c2e 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java +@@ -23,6 +23,7 @@ import android.view.ViewGroup; + import android.view.animation.AnimationUtils; + import android.widget.LinearLayout; + ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + import com.android.settingslib.animation.AppearAnimationUtils; + import com.android.settingslib.animation.DisappearAnimationUtils; + +@@ -212,4 +213,9 @@ public class KeyguardPINView extends KeyguardPinBasedInputView { + public boolean hasOverlappingRendering() { + return false; + } ++ ++ @Override ++ public SecurityMode getSecurityMode() { ++ return SecurityMode.PIN; ++ } + } +diff --git 
a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java +index 5dd2655a8f16..16cb7796d13f 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java +@@ -36,6 +36,7 @@ import android.widget.TextView; + import android.widget.TextView.OnEditorActionListener; + + import com.android.internal.widget.TextViewInputDisabler; ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + + import java.util.List; + /** +@@ -368,4 +369,9 @@ public class KeyguardPasswordView extends KeyguardAbsKeyInputView + return getContext().getString( + com.android.internal.R.string.keyguard_accessibility_password_unlock); + } ++ ++ @Override ++ public SecurityMode getSecurityMode() { ++ return SecurityMode.Password; ++ } + } +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java +index 69e3b0d50020..ef2ef4febcac 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java +@@ -37,6 +37,7 @@ import com.android.internal.util.LatencyTracker; + import com.android.internal.widget.LockPatternChecker; + import com.android.internal.widget.LockPatternUtils; + import com.android.internal.widget.LockPatternView; ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + import com.android.settingslib.animation.AppearAnimationCreator; + import com.android.settingslib.animation.AppearAnimationUtils; + import com.android.settingslib.animation.DisappearAnimationUtils; +@@ -321,7 +322,7 @@ public class KeyguardPatternView extends LinearLayout implements KeyguardSecurit + mCallback.reportUnlockAttempt(userId, true, 0); + if (dismissKeyguard) { + mLockPatternView.setDisplayMode(LockPatternView.DisplayMode.Correct); +- 
mCallback.dismiss(true, userId); ++ mCallback.dismiss(true, userId, SecurityMode.Pattern); + } + } else { + mLockPatternView.setDisplayMode(LockPatternView.DisplayMode.Wrong); +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java +index 5b743c1a20c5..c8eec6b80897 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java +@@ -15,14 +15,17 @@ + */ + package com.android.keyguard; + ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; ++ + public interface KeyguardSecurityCallback { + + /** + * Dismiss the given security screen. + * @param securityVerified true if the user correctly entered credentials for the given screen. + * @param targetUserId a user that needs to be the foreground user at the dismissal completion. ++ * @param expectedSecurityMode The security mode that is invoking this dismiss. + */ +- void dismiss(boolean securityVerified, int targetUserId); ++ void dismiss(boolean securityVerified, int targetUserId, SecurityMode expectedSecurityMode); + + /** + * Manually report user activity to keep the device awake. +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java +index 9c69432d3178..6a71cf84759c 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java +@@ -54,7 +54,8 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + + // Used to notify the container when something interesting happens. 
+ public interface SecurityCallback { +- public boolean dismiss(boolean authenticated, int targetUserId); ++ public boolean dismiss(boolean authenticated, int targetUserId, ++ SecurityMode expectedSecurityMode); + public void userActivity(); + public void onSecurityModeChanged(SecurityMode securityMode, boolean needsInput); + +@@ -312,10 +313,20 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + * @param authenticated true if the user entered the correct authentication + * @param targetUserId a user that needs to be the foreground user at the finish (if called) + * completion. ++ * @param expectedSecurityMode SecurityMode that is invoking this request. SecurityMode.Invalid ++ * indicates that no check should be done + * @return true if keyguard is done + */ +- boolean showNextSecurityScreenOrFinish(boolean authenticated, int targetUserId) { ++ boolean showNextSecurityScreenOrFinish(boolean authenticated, int targetUserId, ++ SecurityMode expectedSecurityMode) { + if (DEBUG) Log.d(TAG, "showNextSecurityScreenOrFinish(" + authenticated + ")"); ++ if (expectedSecurityMode != SecurityMode.Invalid ++ && expectedSecurityMode != getCurrentSecurityMode()) { ++ Log.w(TAG, "Attempted to invoke showNextSecurityScreenOrFinish with securityMode " ++ + expectedSecurityMode + ", but current mode is " + getCurrentSecurityMode()); ++ return false; ++ } ++ + boolean finish = false; + boolean strongAuth = false; + if (mUpdateMonitor.getUserCanSkipBouncer(targetUserId)) { +@@ -417,8 +428,13 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + } + } + +- public void dismiss(boolean authenticated, int targetId) { +- mSecurityCallback.dismiss(authenticated, targetId); ++ /** ++ * Potentially dismiss the current security screen, after validating that all device ++ * security has been unlocked. Otherwise show the next screen. 
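Review bot: `showNextSecurityScreenOrFinish` skips the new stale-mode check whenever `expectedSecurityMode` is `SecurityMode.Invalid`, so the guard protects only callers that pass a real mode. The Javadoc added to `KeyguardSecurityCallback.dismiss` describes the parameter only as `The security mode that is invoking this dismiss.` and does not mention that `Invalid` disables the check. I would extend it to `@param expectedSecurityMode The security mode that is invoking this dismiss; SecurityMode.Invalid skips the current-mode check.` The only visible `Invalid` caller passes `authenticated == false`; if that is meant as a rule, it should be stated there too. The method body continues outside the hunk.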
++ */ ++ public void dismiss(boolean authenticated, int targetId, ++ SecurityMode expectedSecurityMode) { ++ mSecurityCallback.dismiss(authenticated, targetId, expectedSecurityMode); + } + + public boolean isVerifyUnlockOnly() { +@@ -454,7 +470,8 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + @Override + public boolean isVerifyUnlockOnly() { return false; } + @Override +- public void dismiss(boolean securityVerified, int targetUserId) { } ++ public void dismiss(boolean securityVerified, int targetUserId, ++ SecurityMode expectedSecurityMode) { } + @Override + public void reset() {} + }; +@@ -500,8 +517,9 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + return mCurrentSecuritySelection; + } + +- public void dismiss(boolean authenticated, int targetUserId) { +- mCallback.dismiss(authenticated, targetUserId); ++ public void dismiss(boolean authenticated, int targetUserId, ++ SecurityMode expectedSecurityMode) { ++ mCallback.dismiss(authenticated, targetUserId, expectedSecurityMode); + } + + public boolean needsInput() { +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java +index df9fb355ce2f..f2cfdd2f4c86 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java +@@ -42,6 +42,8 @@ import android.view.View; + import android.view.WindowManager; + import android.widget.ImageView; + ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; ++ + /** + * Displays a PIN pad for unlocking. 
+ */ +@@ -342,7 +344,8 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView { + mRemainingAttempts = -1; + mShowDefaultMessage = true; + if (mCallback != null) { +- mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser()); ++ mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(), ++ SecurityMode.SimPin); + } + } else { + mShowDefaultMessage = false; +@@ -390,5 +393,10 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView { + return getContext().getString( + com.android.internal.R.string.keyguard_accessibility_sim_pin_unlock); + } ++ ++ @Override ++ public SecurityMode getSecurityMode() { ++ return SecurityMode.SimPin; ++ } + } + +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java +index 5da764d90f73..08ba8d4ef6e8 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java +@@ -40,6 +40,7 @@ import com.android.internal.telephony.ITelephony; + import com.android.internal.telephony.IccCardConstants; + import com.android.internal.telephony.PhoneConstants; + import com.android.internal.telephony.IccCardConstants.State; ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + + + /** +@@ -78,7 +79,8 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView { + // mCallback can be null if onSimStateChanged callback is called when keyguard + // isn't active. 
+ if (mCallback != null) { +- mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser()); ++ mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(), ++ SecurityMode.SimPuk); + } + break; + } +@@ -408,7 +410,8 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView { + mRemainingAttempts = -1; + mShowDefaultMessage = true; + if (mCallback != null) { +- mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser()); ++ mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(), ++ SecurityMode.SimPuk); + } + } else { + mShowDefaultMessage = false; +@@ -463,6 +466,11 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView { + return getContext().getString( + com.android.internal.R.string.keyguard_accessibility_sim_puk_unlock); + } ++ ++ @Override ++ public SecurityMode getSecurityMode() { ++ return SecurityMode.SimPuk; ++ } + } + + diff --git a/Patches/LineageOS-16.0/android_frameworks_base/345892.patch b/Patches/LineageOS-16.0/android_frameworks_base/345892.patch new file mode 100644 index 00000000..c45f4ddf --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/345892.patch 
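Review bot: Both `dismiss` call sites in `KeyguardSimPukView` hard-code `SecurityMode.SimPuk` although the same patch adds a `getSecurityMode()` override returning that value; `KeyguardSimPinView` does the same with `SecurityMode.SimPin`. Calling the accessor, `mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(), getSecurityMode());`, keeps the expected mode in one place, as `KeyguardAbsKeyInputView` already does. The enclosing methods start and end outside these hunks.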
@@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Oli Lan +Date: Tue, 19 Jul 2022 10:45:22 +0000 +Subject: [PATCH] Revert "RESTRICT AUTOMERGE Prevent non-admin users from + deleting system apps." + +This reverts commit 4005549db2fa7e1524fc0dbbe22c774fb00b6cb3. + +Reason for revert: Regression, DELETE_SYSTEM_APP flag no longer works + +Change-Id: I7386d1ba3d61b95836b85c52214c83b216c478e8 +(cherry picked from commit 49d8f9325a8d103497632097010899f87f403faa) +Merged-In: I7386d1ba3d61b95836b85c52214c83b216c478e8 +--- + .../com/android/server/pm/PackageManagerService.java | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index e8532ce4edd3..dc44fe17722d 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -18476,16 +18476,6 @@ public class PackageManagerService extends IPackageManager.Stub + return PackageManager.DELETE_FAILED_INTERNAL_ERROR; + } + +- if (isSystemApp(uninstalledPs)) { +- UserInfo userInfo = sUserManager.getUserInfo(userId); +- if (userInfo == null || !userInfo.isAdmin()) { +- Slog.w(TAG, "Not removing package " + packageName +- + " as only admin user may downgrade system apps"); +- EventLog.writeEvent(0x534e4554, "170646036", -1, packageName); +- return PackageManager.DELETE_FAILED_USER_RESTRICTED; +- } +- } +- + // Static shared libs can be declared by any package, so let us not + // allow removing a package if it provides a lib others depend on. + pkg = mPackages.get(packageName); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/345893.patch b/Patches/LineageOS-16.0/android_frameworks_base/345893.patch new file mode 100644 index 00000000..1a452e35 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/345893.patch 
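Review bot: This patch removes the `isSystemApp(uninstalledPs)` admin check from `PackageManagerService` with no replacement in the hunk, so a non-admin user's request to remove a system app is no longer rejected at this point. It reverts commit 4005549db2fa7e1524fc0dbbe22c774fb00b6cb3, the same commit the download script fetches as `android_frameworks_base/332779.patch`, so applying both patches cancels the fix out. Whether a corrected fix for the regression named in the message is carried elsewhere in the series is not visible here. A comment on the patch entry, e.g. `# reverts 332779.patch; replacement fix: <patch id>`, would record the intended end state.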
@@ -0,0 +1,325 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Julia Reynolds +Date: Fri, 19 Aug 2022 09:54:23 -0400 +Subject: [PATCH] Limit the size of NotificationChannel and + NotificationChannelGroup + +Test: android.app.NotificationChannelGroupTest +Test: android.app.NotificationChannelTest +Test: cts NotificationChannelTest +Test: cts NotificationChannelGroupTest +Bug: 241764350 +Bug: 241764340 +Bug: 241764135 +Bug: 242702935 +Bug: 242703118 +Bug: 242703202 +Bug: 242702851 +Bug: 242703217 +Bug: 242703556 +Change-Id: I0925583ab54d6c81c415859618f6b907ab7baada +Merged-In: I0925583ab54d6c81c415859618f6b907ab7baada +(cherry picked from commit 3850857cb0e7f26702d5bd601731d7290390fa3b) +(cherry picked from commit c2d264989a2c18af9e3f210f62eba8d987fefb5b) +Merged-In: I0925583ab54d6c81c415859618f6b907ab7baada +--- + .../java/android/app/NotificationChannel.java | 19 +++- + .../android/app/NotificationChannelGroup.java | 10 +- + .../app/NotificationChannelGroupTest.java | 73 +++++++++++++ + .../android/app/NotificationChannelTest.java | 102 ++++++++++++++++++ + 4 files changed, 195 insertions(+), 9 deletions(-) + create mode 100644 core/tests/coretests/src/android/app/NotificationChannelGroupTest.java + create mode 100644 core/tests/coretests/src/android/app/NotificationChannelTest.java + +diff --git a/core/java/android/app/NotificationChannel.java b/core/java/android/app/NotificationChannel.java +index ba355f9f9c1d..5c5801d0019b 100644 +--- a/core/java/android/app/NotificationChannel.java ++++ b/core/java/android/app/NotificationChannel.java +@@ -55,8 +55,13 @@ public final class NotificationChannel implements Parcelable { + /** + * The maximum length for text fields in a NotificationChannel. Fields will be truncated at this + * limit. 
++ * @hide + */ +- private static final int MAX_TEXT_LENGTH = 1000; ++ public static final int MAX_TEXT_LENGTH = 1000; ++ /** ++ * @hide ++ */ ++ public static final int MAX_VIBRATION_LENGTH = 1000; + + private static final String TAG_CHANNEL = "channel"; + private static final String ATT_NAME = "name"; +@@ -177,17 +182,17 @@ public final class NotificationChannel implements Parcelable { + */ + protected NotificationChannel(Parcel in) { + if (in.readByte() != 0) { +- mId = in.readString(); ++ mId = getTrimmedString(in.readString()); + } else { + mId = null; + } + if (in.readByte() != 0) { +- mName = in.readString(); ++ mName = getTrimmedString(in.readString()); + } else { + mName = null; + } + if (in.readByte() != 0) { +- mDesc = in.readString(); ++ mDesc = getTrimmedString(in.readString()); + } else { + mDesc = null; + } +@@ -196,18 +201,22 @@ public final class NotificationChannel implements Parcelable { + mLockscreenVisibility = in.readInt(); + if (in.readByte() != 0) { + mSound = Uri.CREATOR.createFromParcel(in); ++ mSound = Uri.parse(getTrimmedString(mSound.toString())); + } else { + mSound = null; + } + mLights = in.readByte() != 0; + mVibration = in.createLongArray(); ++ if (mVibration != null && mVibration.length > MAX_VIBRATION_LENGTH) { ++ mVibration = Arrays.copyOf(mVibration, MAX_VIBRATION_LENGTH); ++ } + mUserLockedFields = in.readInt(); + mFgServiceShown = in.readByte() != 0; + mVibrationEnabled = in.readByte() != 0; + mShowBadge = in.readByte() != 0; + mDeleted = in.readByte() != 0; + if (in.readByte() != 0) { +- mGroup = in.readString(); ++ mGroup = getTrimmedString(in.readString()); + } else { + mGroup = null; + } +diff --git a/core/java/android/app/NotificationChannelGroup.java b/core/java/android/app/NotificationChannelGroup.java +index 0fa3c7fa6492..14c8be38b8a4 100644 +--- a/core/java/android/app/NotificationChannelGroup.java ++++ b/core/java/android/app/NotificationChannelGroup.java +@@ -40,8 +40,9 @@ public final class 
NotificationChannelGroup implements Parcelable { + /** + * The maximum length for text fields in a NotificationChannelGroup. Fields will be truncated at + * this limit. ++ * @hide + */ +- private static final int MAX_TEXT_LENGTH = 1000; ++ public static final int MAX_TEXT_LENGTH = 1000; + + private static final String TAG_GROUP = "channelGroup"; + private static final String ATT_NAME = "name"; +@@ -75,13 +76,14 @@ public final class NotificationChannelGroup implements Parcelable { + */ + protected NotificationChannelGroup(Parcel in) { + if (in.readByte() != 0) { +- mId = in.readString(); ++ mId = getTrimmedString(in.readString()); + } else { + mId = null; + } + mName = TextUtils.CHAR_SEQUENCE_CREATOR.createFromParcel(in); ++ mName = getTrimmedString(mName.toString()); + if (in.readByte() != 0) { +- mDescription = in.readString(); ++ mDescription = getTrimmedString(in.readString()); + } else { + mDescription = null; + } +@@ -104,7 +106,7 @@ public final class NotificationChannelGroup implements Parcelable { + } else { + dest.writeByte((byte) 0); + } +- TextUtils.writeToParcel(mName, dest, flags); ++ TextUtils.writeToParcel(mName.toString(), dest, flags); + if (mDescription != null) { + dest.writeByte((byte) 1); + dest.writeString(mDescription); +diff --git a/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java b/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java +new file mode 100644 +index 000000000000..2a3da05eabb3 +--- /dev/null ++++ b/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java +@@ -0,0 +1,73 @@ ++/* ++ * Copyright (C) 2022 The Android Open Source Project ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. 
++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++package android.app; ++ ++import static junit.framework.TestCase.assertEquals; ++ ++import android.os.Parcel; ++import android.test.AndroidTestCase; ++ ++import androidx.test.filters.SmallTest; ++import androidx.test.runner.AndroidJUnit4; ++ ++import com.google.common.base.Strings; ++ ++import org.junit.Test; ++import org.junit.runner.RunWith; ++ ++import java.lang.reflect.Field; ++ ++@RunWith(AndroidJUnit4.class) ++@SmallTest ++public class NotificationChannelGroupTest { ++ private final String CLASS = "android.app.NotificationChannelGroup"; ++ ++ @Test ++ public void testLongStringFields() { ++ NotificationChannelGroup group = new NotificationChannelGroup("my_group_01", "groupName"); ++ ++ try { ++ String longString = Strings.repeat("A", 65536); ++ Field mName = Class.forName(CLASS).getDeclaredField("mName"); ++ mName.setAccessible(true); ++ mName.set(group, longString); ++ Field mId = Class.forName(CLASS).getDeclaredField("mId"); ++ mId.setAccessible(true); ++ mId.set(group, longString); ++ Field mDescription = Class.forName(CLASS).getDeclaredField("mDescription"); ++ mDescription.setAccessible(true); ++ mDescription.set(group, longString); ++ } catch (NoSuchFieldException e) { ++ e.printStackTrace(); ++ } catch (ClassNotFoundException e) { ++ e.printStackTrace(); ++ } catch (IllegalAccessException e) { ++ e.printStackTrace(); ++ } ++ ++ Parcel parcel = Parcel.obtain(); ++ group.writeToParcel(parcel, 0); ++ parcel.setDataPosition(0); ++ ++ NotificationChannelGroup fromParcel = ++ 
NotificationChannelGroup.CREATOR.createFromParcel(parcel); ++ assertEquals(NotificationChannelGroup.MAX_TEXT_LENGTH, fromParcel.getId().length()); ++ assertEquals(NotificationChannelGroup.MAX_TEXT_LENGTH, fromParcel.getName().length()); ++ assertEquals(NotificationChannelGroup.MAX_TEXT_LENGTH, ++ fromParcel.getDescription().length()); ++ } ++} +diff --git a/core/tests/coretests/src/android/app/NotificationChannelTest.java b/core/tests/coretests/src/android/app/NotificationChannelTest.java +new file mode 100644 +index 000000000000..d8be502e6db6 +--- /dev/null ++++ b/core/tests/coretests/src/android/app/NotificationChannelTest.java +@@ -0,0 +1,102 @@ ++/* ++ * Copyright (C) 2022 The Android Open Source Project ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. 
++ */ ++ ++package android.app; ++ ++import static junit.framework.TestCase.assertEquals; ++ ++import android.net.Uri; ++import android.os.Parcel; ++ ++import androidx.test.filters.SmallTest; ++import androidx.test.runner.AndroidJUnit4; ++ ++import com.google.common.base.Strings; ++ ++import org.junit.Test; ++import org.junit.runner.RunWith; ++ ++import java.lang.reflect.Field; ++ ++@RunWith(AndroidJUnit4.class) ++@SmallTest ++public class NotificationChannelTest { ++ private final String CLASS = "android.app.NotificationChannel"; ++ ++ @Test ++ public void testLongStringFields() { ++ NotificationChannel channel = new NotificationChannel("id", "name", 3); ++ ++ try { ++ String longString = Strings.repeat("A", 65536); ++ Field mName = Class.forName(CLASS).getDeclaredField("mName"); ++ mName.setAccessible(true); ++ mName.set(channel, longString); ++ Field mId = Class.forName(CLASS).getDeclaredField("mId"); ++ mId.setAccessible(true); ++ mId.set(channel, longString); ++ Field mDesc = Class.forName(CLASS).getDeclaredField("mDesc"); ++ mDesc.setAccessible(true); ++ mDesc.set(channel, longString); ++ Field mParentId = Class.forName(CLASS).getDeclaredField("mParentId"); ++ mParentId.setAccessible(true); ++ mParentId.set(channel, longString); ++ Field mGroup = Class.forName(CLASS).getDeclaredField("mGroup"); ++ mGroup.setAccessible(true); ++ mGroup.set(channel, longString); ++ Field mConversationId = Class.forName(CLASS).getDeclaredField("mConversationId"); ++ mConversationId.setAccessible(true); ++ mConversationId.set(channel, longString); ++ } catch (NoSuchFieldException e) { ++ e.printStackTrace(); ++ } catch (ClassNotFoundException e) { ++ e.printStackTrace(); ++ } catch (IllegalAccessException e) { ++ e.printStackTrace(); ++ } ++ ++ Parcel parcel = Parcel.obtain(); ++ channel.writeToParcel(parcel, 0); ++ parcel.setDataPosition(0); ++ ++ NotificationChannel fromParcel = NotificationChannel.CREATOR.createFromParcel(parcel); ++ 
assertEquals(NotificationChannel.MAX_TEXT_LENGTH, fromParcel.getId().length()); ++ assertEquals(NotificationChannel.MAX_TEXT_LENGTH, fromParcel.getName().length()); ++ assertEquals(NotificationChannel.MAX_TEXT_LENGTH, ++ fromParcel.getDescription().length()); ++ assertEquals(NotificationChannel.MAX_TEXT_LENGTH, ++ fromParcel.getGroup().length()); ++ } ++ ++ @Test ++ public void testLongAlertFields() { ++ NotificationChannel channel = new NotificationChannel("id", "name", 3); ++ ++ channel.setSound(Uri.parse("content://" + Strings.repeat("A",65536)), ++ Notification.AUDIO_ATTRIBUTES_DEFAULT); ++ channel.setVibrationPattern(new long[65550/2]); ++ ++ Parcel parcel = Parcel.obtain(); ++ channel.writeToParcel(parcel, 0); ++ parcel.setDataPosition(0); ++ ++ NotificationChannel fromParcel = NotificationChannel.CREATOR.createFromParcel(parcel); ++ assertEquals(NotificationChannel.MAX_VIBRATION_LENGTH, ++ fromParcel.getVibrationPattern().length); ++ assertEquals(NotificationChannel.MAX_TEXT_LENGTH, ++ fromParcel.getSound().toString().length()); ++ } ++} diff --git a/Patches/LineageOS-16.0/android_frameworks_base/345894.patch b/Patches/LineageOS-16.0/android_frameworks_base/345894.patch new file mode 100644 index 00000000..3b921046 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/345894.patch 
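Review bot: In NotificationChannelTest.testLongStringFields the reflection block looks up mParentId and mConversationId, and every reflection failure is swallowed with `e.printStackTrace()`. The constructor hunk in NotificationChannel.java trims only mId, mName, mDesc and mGroup, which suggests this branch may not have the other two fields. If so, `getDeclaredField("mParentId")` throws before mGroup is set, and the later `fromParcel.getGroup().length()` fails on null instead of checking truncation. Dropping the lookups for fields the branch lacks (or moving the mGroup assignment ahead of them) and declaring `public void testLongStringFields() throws Exception {` in place of the catch blocks would make a missing field fail the test visibly. The same swallow-and-continue pattern is in NotificationChannelGroupTest.testLongStringFields.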
@@ -0,0 +1,46 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Oli Lan +Date: Mon, 8 Aug 2022 13:31:36 +0100 +Subject: [PATCH] RESTRICT AUTOMERGE Prevent non-admin users from deleting + system apps. + +This addresses a security issue where the guest user can remove updates +for system apps. + +With this CL, attempts to uninstall/downgrade system apps will fail if +attempted by a non-admin user, unless the DELETE_SYSTEM_APP flag is +specified. + +This is a fixed version of ag/17400663, to address b/236578018. + +Bug: 170646036 +Test: manual, try uninstalling system app update as guest +Change-Id: I5eab215cba6528aa4316ed7b20bee544915c1486 +(cherry picked from commit 7fdc96aef4e098d2271ac3a8557bd8e1ad6827f3) +Merged-In: I5eab215cba6528aa4316ed7b20bee544915c1486 +--- + .../com/android/server/pm/PackageManagerService.java | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index dc44fe17722d..c873f82d740c 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -18476,6 +18476,17 @@ public class PackageManagerService extends IPackageManager.Stub + return PackageManager.DELETE_FAILED_INTERNAL_ERROR; + } + ++ if (isSystemApp(uninstalledPs) ++ && (deleteFlags & PackageManager.DELETE_SYSTEM_APP) == 0) { ++ UserInfo userInfo = sUserManager.getUserInfo(userId); ++ if (userInfo == null || !userInfo.isAdmin()) { ++ Slog.w(TAG, "Not removing package " + packageName ++ + " as only admin user may downgrade system apps"); ++ EventLog.writeEvent(0x534e4554, "170646036", -1, packageName); ++ return PackageManager.DELETE_FAILED_USER_RESTRICTED; ++ } ++ } ++ + // Static shared libs can be declared by any package, so let us not + // allow removing a package if it provides a lib others depend on. 
+ pkg = mPackages.get(packageName); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/345895.patch b/Patches/LineageOS-16.0/android_frameworks_base/345895.patch new file mode 100644 index 00000000..0d9380e1 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/345895.patch 
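Review bot: The restored guard in PackageManagerService.java is skipped whenever `(deleteFlags & PackageManager.DELETE_SYSTEM_APP) != 0`, and deleteFlags is presumably supplied by the caller. The hunk does not show where that flag is permission-checked, so the exemption is only as strong as a check outside this view. A comment on the condition would record the dependency, for example `// deleteFlags is caller-supplied; DELETE_SYSTEM_APP may lift this restriction only because it is validated before this point`. The SafetyNet event is also written with `-1` in the uid slot, so the log entry does not identify who attempted the removal; passing the calling uid there, if one is in scope, would make it more useful for detection. The enclosing method starts and ends outside the hunk.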
@@ -0,0 +1,106 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Oli Lan +Date: Fri, 19 Aug 2022 17:08:13 +0100 +Subject: [PATCH] Validate package name passed to setApplicationRestrictions. + +This adds validation that the package name passed to +setApplicationRestrictions is in the correct format. This will avoid +an issue where a path could be entered resulting in a file being +written to an unexpected place. + +Bug: 239701237 +Test: atest UserManagerServiceTest +Change-Id: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96 +(cherry picked from commit 31a582490d6e8952d24f267df47d669e3861cf67) +Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96 +(cherry picked from commit cfcfe6ca8c545f78603c05e23687f8638fd4b51d) +Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96 +--- + .../android/server/pm/UserManagerService.java | 41 +++++++++++++++++++ + .../server/pm/UserManagerServiceTest.java | 7 ++++ + 2 files changed, 48 insertions(+) + +diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java +index 56d737d50fbf..423b88388809 100644 +--- a/services/core/java/com/android/server/pm/UserManagerService.java ++++ b/services/core/java/com/android/server/pm/UserManagerService.java +@@ -76,6 +76,7 @@ import android.provider.Settings; + import android.security.GateKeeper; + import android.service.gatekeeper.IGateKeeperService; + import android.util.AtomicFile; ++import android.util.EventLog; + import android.util.IntArray; + import android.util.Log; + import android.util.Slog; +@@ -3104,6 +3105,13 @@ public class UserManagerService extends IUserManager.Stub { + public void setApplicationRestrictions(String packageName, Bundle restrictions, + int userId) { + checkSystemOrRoot("set application restrictions"); ++ String validationResult = validateName(packageName); ++ if (validationResult != null) { ++ if (packageName.contains("../")) { ++ 
EventLog.writeEvent(0x534e4554, "239701237", -1, ""); ++ } ++ throw new IllegalArgumentException("Invalid package name: " + validationResult); ++ } + if (restrictions != null) { + restrictions.setDefusable(true); + } +@@ -3123,6 +3131,39 @@ public class UserManagerService extends IUserManager.Stub { + mContext.sendBroadcastAsUser(changeIntent, UserHandle.of(userId)); + } + ++ /** ++ * Check if the given name is valid. ++ * ++ * Note: the logic is taken from FrameworkParsingPackageUtils in master, edited to remove ++ * unnecessary parts. Copied here for a security fix. ++ * ++ * @param name The name to check. ++ * @return null if it's valid, error message if not ++ */ ++ @VisibleForTesting ++ static String validateName(String name) { ++ final int n = name.length(); ++ boolean front = true; ++ for (int i = 0; i < n; i++) { ++ final char c = name.charAt(i); ++ if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) { ++ front = false; ++ continue; ++ } ++ if (!front) { ++ if ((c >= '0' && c <= '9') || c == '_') { ++ continue; ++ } ++ if (c == '.') { ++ front = true; ++ continue; ++ } ++ } ++ return "bad character '" + c + "'"; ++ } ++ return null; ++ } ++ + private int getUidForPackage(String packageName) { + long ident = Binder.clearCallingIdentity(); + try { +diff --git a/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java +index d1366144d33b..8da7a76f18ce 100644 +--- a/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java ++++ b/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java +@@ -74,6 +74,13 @@ public class UserManagerServiceTest extends AndroidTestCase { + assertEquals(accountName, um.getUserAccount(tempUserId)); + } + ++ public void testValidateName() { ++ assertNull(UserManagerService.validateName("android")); ++ assertNull(UserManagerService.validateName("com.company.myapp")); ++ 
assertNotNull(UserManagerService.validateName("/../../data")); ++ assertNotNull(UserManagerService.validateName("/dir")); ++ } ++ + private Bundle createBundle() { + Bundle result = new Bundle(); + // Tests for 6 allowed types: Integer, Boolean, String, String[], Bundle and Parcelable[] diff --git a/Patches/LineageOS-16.0/android_frameworks_base/345896.patch b/Patches/LineageOS-16.0/android_frameworks_base/345896.patch new file mode 100644 index 00000000..30a19535 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/345896.patch 
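Review bot: validateName() in UserManagerService.java returns null (valid) for the empty string, because the loop never runs, and for a name that ends in '.'. It also dereferences `name` without a null check, so a null packageName reaches `name.length()` and surfaces as a NullPointerException rather than the IllegalArgumentException thrown for other bad names. None of these lets a '/' through, so the traversal case stays closed, but an early `if (name == null || name.isEmpty()) return "empty name";` together with `packageName != null && packageName.contains("../")` in the caller would make the rejection uniform. testValidateName could then add `assertNotNull(UserManagerService.validateName(""));`. The SafetyNet event is written only for names containing "../" and carries neither a uid nor the offending name, so other rejected names leave no trace beyond the exception.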
@@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Norman +Date: Thu, 1 Sep 2022 10:14:24 -0700 +Subject: [PATCH] Include all enabled services when FEEDBACK_ALL_MASK. + +Bug: 243849844 +Test: m sts; + sts-tradefed run sts-dynamic-develop -m CtsAccessibilityTestCases +Change-Id: I4f93e06d1066085bd64e8f09882de2f4a72a0633 +(cherry picked from commit 2bc4d49c2b0265f5de1c62d1342b1426cc5e1377) +Merged-In: I4f93e06d1066085bd64e8f09882de2f4a72a0633 +--- + .../server/accessibility/AccessibilityManagerService.java | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java +index 7798cf7af3cb..58a1beed70c9 100644 +--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java ++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java +@@ -620,7 +620,8 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub + final List result = new ArrayList<>(serviceCount); + for (int i = 0; i < serviceCount; ++i) { + final AccessibilityServiceConnection service = services.get(i); +- if ((service.mFeedbackType & feedbackType) != 0) { ++ if ((service.mFeedbackType & feedbackType) != 0 ++ || feedbackType == AccessibilityServiceInfo.FEEDBACK_ALL_MASK) { + result.add(service.getServiceInfo()); + } + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/345897.patch b/Patches/LineageOS-16.0/android_frameworks_base/345897.patch new file mode 100644 index 00000000..fd8c9b99 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/345897.patch 
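Review bot: The added `|| feedbackType == AccessibilityServiceInfo.FEEDBACK_ALL_MASK` clause in AccessibilityManagerService.java has no comment saying why the bit test alone is not enough. From the condition, a service whose mFeedbackType shares no bit with the mask (zero, for instance) was previously left out of the result even when the caller asked for all types, which presumably let an enabled service stay out of the enumerated list. I would add `// FEEDBACK_ALL_MASK must list every enabled service, including one whose feedback type matches no bit` above the condition. The enclosing method starts and ends outside the hunk.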
@@ -0,0 +1,44 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Songchun Fan +Date: Fri, 9 Sep 2022 14:50:31 -0700 +Subject: [PATCH] forbid deletion of protected packages + +BUG: 242996180 +Test: adb shell pm uninstall --user 0 com.google.android.apps.work.oobconfig +Test: Verified with the command above. Before this CL, the package can +be deleted. After this CL, the deletion will fail. + +Change-Id: Iba408e536b340ea5d66ab499442c0c4f828fa36f +(cherry picked from commit 15f85c7fa97fe9faa540e6ad9e850990f46a5cca) +Merged-In: Iba408e536b340ea5d66ab499442c0c4f828fa36f +(cherry picked from commit 2e42c393f2d5521d20acd9281d411a0fbc6196c3) +Merged-In: Iba408e536b340ea5d66ab499442c0c4f828fa36f +--- + .../android/server/pm/PackageManagerService.java | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index c873f82d740c..4cd38c15ce52 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -18144,6 +18144,20 @@ public class PackageManagerService extends IPackageManager.Stub + + final String packageName = versionedPackage.getPackageName(); + final long versionCode = versionedPackage.getLongVersionCode(); ++ ++ if (mProtectedPackages.isPackageStateProtected(userId, packageName)) { ++ mHandler.post(() -> { ++ try { ++ Slog.w(TAG, "Attempted to delete protected package: " + packageName); ++ observer.onPackageDeleted(packageName, ++ PackageManager.DELETE_FAILED_INTERNAL_ERROR, null); ++ } catch (RemoteException re) { ++ } ++ }); ++ return; ++ } ++ ++ + final String internalPackageName; + synchronized (mPackages) { + // Normalize package name to handle renamed packages and static libs 
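Review bot: The new protected-package branch in PackageManagerService.java has an empty `catch (RemoteException re) { }`, so a failed observer callback leaves no trace, and the rejection is reported as DELETE_FAILED_INTERNAL_ERROR with only a Slog warning. At minimum the catch should state that ignoring the exception is intended, e.g. with `// Observer is gone; there is nobody left to notify.` inside the block. The check also runs on the caller-supplied packageName before the "Normalize package name" step that follows it; whether mProtectedPackages is keyed by the normalized name is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.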
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/345898.patch b/Patches/LineageOS-16.0/android_frameworks_base/345898.patch new file mode 100644 index 00000000..fbce6e63 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/345898.patch 
@@ -0,0 +1,93 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Julia Reynolds +Date: Tue, 6 Sep 2022 10:19:06 -0400 +Subject: [PATCH] Fix NPE + +Test: NotificationChannelGroupTest +Test: view notification settings for an app that doesn't use groups +Fixes: 244574602 +Bug: 241764350 +Bug: 241764340 +Bug: 241764135 +Bug: 242702935 +Bug: 242703118 +Bug: 242703202 +Bug: 242702851 +Bug: 242703217 +Bug: 242703556 +Change-Id: I9c681106f6d645e62b0e44903d40aa523fee0e95 +(cherry picked from commit 6f02c07176d0fa4d6985c8f2200ccf49a1657d1c) +(cherry picked from commit a37554289731f0d52923123697d55074b0f41748) +Merged-In: I9c681106f6d645e62b0e44903d40aa523fee0e95 +--- + .../android/app/NotificationChannelGroup.java | 14 +++++++++++--- + .../app/NotificationChannelGroupTest.java | 16 ++++++++++++++++ + 2 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/core/java/android/app/NotificationChannelGroup.java b/core/java/android/app/NotificationChannelGroup.java +index 14c8be38b8a4..87565312448c 100644 +--- a/core/java/android/app/NotificationChannelGroup.java ++++ b/core/java/android/app/NotificationChannelGroup.java +@@ -80,8 +80,11 @@ public final class NotificationChannelGroup implements Parcelable { + } else { + mId = null; + } +- mName = TextUtils.CHAR_SEQUENCE_CREATOR.createFromParcel(in); +- mName = getTrimmedString(mName.toString()); ++ if (in.readByte() != 0) { ++ mName = getTrimmedString(in.readString()); ++ } else { ++ mName = ""; ++ } + if (in.readByte() != 0) { + mDescription = getTrimmedString(in.readString()); + } else { +@@ -106,7 +109,12 @@ public final class NotificationChannelGroup implements Parcelable { + } else { + dest.writeByte((byte) 0); + } +- TextUtils.writeToParcel(mName.toString(), dest, flags); ++ if (mName != null) { ++ dest.writeByte((byte) 1); ++ dest.writeString(mName.toString()); ++ } else { ++ dest.writeByte((byte) 0); ++ } + if (mDescription != null) { + dest.writeByte((byte) 1); + 
dest.writeString(mDescription); +diff --git a/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java b/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java +index 2a3da05eabb3..625c66a4c60e 100644 +--- a/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java ++++ b/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java +@@ -17,9 +17,11 @@ + package android.app; + + import static junit.framework.TestCase.assertEquals; ++import static junit.framework.TestCase.assertTrue; + + import android.os.Parcel; + import android.test.AndroidTestCase; ++import android.text.TextUtils; + + import androidx.test.filters.SmallTest; + import androidx.test.runner.AndroidJUnit4; +@@ -70,4 +72,18 @@ public class NotificationChannelGroupTest { + assertEquals(NotificationChannelGroup.MAX_TEXT_LENGTH, + fromParcel.getDescription().length()); + } ++ ++ @Test ++ public void testNullableFields() { ++ NotificationChannelGroup group = new NotificationChannelGroup("my_group_01", null); ++ ++ Parcel parcel = Parcel.obtain(); ++ group.writeToParcel(parcel, 0); ++ parcel.setDataPosition(0); ++ ++ NotificationChannelGroup fromParcel = ++ NotificationChannelGroup.CREATOR.createFromParcel(parcel); ++ assertEquals(group.getId(), fromParcel.getId()); ++ assertTrue(TextUtils.isEmpty(fromParcel.getName())); ++ } + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/345899.patch b/Patches/LineageOS-16.0/android_frameworks_base/345899.patch new file mode 100644 index 00000000..041b0952 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/345899.patch 
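Review bot: After this change a group created with a null name is read back from the Parcel with mName set to "" rather than null (the `else { mName = ""; }` branch in the NotificationChannelGroup(Parcel) constructor), and nothing in the code says the asymmetry is deliberate. A short comment on that branch, e.g. `// A null name is read back as "" so readers never have to null-check getName()`, would stop someone from changing it back to null later. That reading is inferred from testNullableFields, which asserts only `TextUtils.isEmpty(fromParcel.getName())`. Note also that the length limit is still enforced only on read: writeToParcel writes `mName.toString()` untrimmed.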
@@ -0,0 +1,52 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pinyao Ting +Date: Thu, 14 Jul 2022 11:25:54 -0700 +Subject: [PATCH] Fix a security issue in app widget service. + +Bug: 234013191 +Test: atest RemoteViewsAdapterTest +Change-Id: Icd2eccb7a90124aca18a3dd463c3f79e3a595c20 +Merged-In: Icd2eccb7a90124aca18a3dd463c3f79e3a595c20 +(cherry picked from commit 263d7d0ba8818c471a27938c4e002bae33569f01) +(cherry picked from commit 0ee21ef3e652c78c934d257632a4951bd6d38011) +Merged-In: Icd2eccb7a90124aca18a3dd463c3f79e3a595c20 +--- + core/java/android/appwidget/AppWidgetManager.java | 4 +++- + .../com/android/server/appwidget/AppWidgetServiceImpl.java | 7 ++++--- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/core/java/android/appwidget/AppWidgetManager.java b/core/java/android/appwidget/AppWidgetManager.java +index 20248b90d1e9..b8d33b1c8a17 100644 +--- a/core/java/android/appwidget/AppWidgetManager.java ++++ b/core/java/android/appwidget/AppWidgetManager.java +@@ -1089,7 +1089,9 @@ public class AppWidgetManager { + * @param intent The intent of the service which will be providing the data to the + * RemoteViewsAdapter. + * @param connection The callback interface to be notified when a connection is made or lost. +- * @param flags Flags used for binding to the service ++ * @param flags Flags used for binding to the service. Currently only ++ * {@link Context#BIND_AUTO_CREATE} and ++ * {@link Context#BIND_FOREGROUND_SERVICE_WHILE_AWAKE} are supported. 
+ * + * @see Context#getServiceDispatcher(ServiceConnection, Handler, int) + * @hide +diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java +index da52d408e125..9c18029ec693 100644 +--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java ++++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java +@@ -1299,11 +1299,12 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku + try { + // Ask ActivityManager to bind it. Notice that we are binding the service with the + // caller app instead of DevicePolicyManagerService. +- if(ActivityManager.getService().bindService( ++ if (ActivityManager.getService().bindService( + caller, activtiyToken, intent, + intent.resolveTypeIfNeeded(mContext.getContentResolver()), +- connection, flags, mContext.getOpPackageName(), +- widget.provider.getUserId()) != 0) { ++ connection, flags & (Context.BIND_AUTO_CREATE ++ | Context.BIND_FOREGROUND_SERVICE_WHILE_AWAKE), ++ mContext.getOpPackageName(), widget.provider.getUserId()) != 0) { + + // Add it to the mapping of RemoteViewsService to appWidgetIds so that we + // can determine when we can call back to the RemoteViewsService later to diff --git a/Patches/LineageOS-16.0/android_frameworks_base/345900.patch b/Patches/LineageOS-16.0/android_frameworks_base/345900.patch new file mode 100644 index 00000000..27161b53 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/345900.patch 
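Review bot: The bind-flag mask in AppWidgetServiceImpl.java is written inline in the bindService() argument list with no comment, so nothing marks it as a security allowlist that should not be widened casually, and flags outside it are dropped without a log line. I would hoist it to a named constant, or at least add `// Allowlist: only these caller-supplied bind flags are forwarded to ActivityManager` above the call. The AppWidgetManager javadoc says the two flags are "supported" but not that any other bit is silently ignored; stating that there would make the contract explicit for callers. The enclosing method starts and ends outside the hunk.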
@@ -0,0 +1,48 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pinyao Ting +Date: Wed, 21 Sep 2022 23:03:11 +0000 +Subject: [PATCH] Ignore malformed shortcuts + +After an app publishes a shortcut that contains malformed intent, the +system can be stuck in boot-loop due to uncaught exception caused by +parsing the malformed intent. + +This CL ignores that particular malformed entry. Since shortcuts are +constantly writes back into the xml from system memory, the malformed +entry will be removed from the xml the next time system persists +shortcuts from memory to file system. + +Bug: 246540168 +Change-Id: Ie1e39005a5f9d8038bd703a5bc845779c2f46e94 +Test: manual +(cherry picked from commit 9b0dd514d29bbf986f1d1a3c6cebc2ef2bcf782e) +Merged-In: Ie1e39005a5f9d8038bd703a5bc845779c2f46e94 +--- + .../com/android/server/pm/ShortcutPackage.java | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/services/core/java/com/android/server/pm/ShortcutPackage.java b/services/core/java/com/android/server/pm/ShortcutPackage.java +index 92e261a72617..320cd382c2fc 100644 +--- a/services/core/java/com/android/server/pm/ShortcutPackage.java ++++ b/services/core/java/com/android/server/pm/ShortcutPackage.java +@@ -1486,11 +1486,15 @@ class ShortcutPackage extends ShortcutPackageItem { + + continue; + case TAG_SHORTCUT: +- final ShortcutInfo si = parseShortcut(parser, packageName, +- shortcutUser.getUserId(), fromBackup); +- +- // Don't use addShortcut(), we don't need to save the icon. +- ret.mShortcuts.put(si.getId(), si); ++ try { ++ final ShortcutInfo si = parseShortcut(parser, packageName, ++ shortcutUser.getUserId(), fromBackup); ++ // Don't use addShortcut(), we don't need to save the icon. ++ ret.mShortcuts.put(si.getId(), si); ++ } catch (Exception e) { ++ // b/246540168 malformed shortcuts should be ignored ++ Slog.e(TAG, "Failed parsing shortcut.", e); ++ } + continue; + } + } 
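Review bot: The new `catch (Exception e)` around parseShortcut() in ShortcutPackage.java also catches any parser-level exception that call can raise, so a truncated or corrupt file is handled the same way as one malformed entry, and the log line does not say which package the entry belonged to. Whether the parser is left at a position from which the surrounding loop can safely continue after a mid-element failure is not visible in the hunk and is worth confirming. Including the package in the message, `Slog.e(TAG, "Failed parsing shortcut for " + packageName, e);`, would let repeated failures from one app be spotted in logs. The enclosing method starts and ends outside the hunk.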
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/345901.patch b/Patches/LineageOS-16.0/android_frameworks_base/345901.patch new file mode 100644 index 00000000..a89e6eca --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/345901.patch @@ -0,0 +1,32 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Rhed Jao +Date: Mon, 26 Sep 2022 21:35:26 +0800 +Subject: [PATCH] Fix permanent denial of service via + setComponentEnabledSetting + +Do not update invalid component enabled settings to prevent the +malicious apps from exhausting system server memory. + +Bug: 240936919 +Test: atest android.security.cts.PackageManagerTest +Change-Id: I08165337895e89f13a2b9fcce1201cba9ad13d7d +(cherry picked from commit 4d13148a3fa5f6bc1b7038fae7d1f1adda163a9f) +Merged-In: I08165337895e89f13a2b9fcce1201cba9ad13d7d +--- + .../core/java/com/android/server/pm/PackageManagerService.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index 4cd38c15ce52..5b454f2d8939 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -21244,6 +21244,9 @@ Slog.v(TAG, ":: stepped forward, applying functor at tag " + parser.getName()); + } else { + Slog.w(TAG, "Failed setComponentEnabledSetting: component class " + + className + " does not exist in " + packageName); ++ // Safetynet logging for b/240936919 ++ EventLog.writeEvent(0x534e4554, "240936919", callingUid); ++ return; + } + } + switch (newState) { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/345902.patch b/Patches/LineageOS-16.0/android_frameworks_base/345902.patch new file mode 100644 index 00000000..4acf6269 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/345902.patch 
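Review bot: The added `return;` in PackageManagerService.java sits under a comment that mentions only the SafetyNet logging, so the code does not say why an unknown component class now aborts the call instead of falling through to `switch (newState)`. Per the commit message the point is to stop invalid entries from accumulating in system server memory; a comment such as `// Do not store a setting for a class the package does not declare (b/240936919)` on the return would keep that visible. The event records callingUid but not packageName, which the preceding Slog.w already has to hand; adding it would help triage if the event format allows. The enclosing block starts and ends outside the hunk.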
@@ -0,0 +1,102 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hao Ke +Date: Tue, 4 Oct 2022 19:43:58 +0000 +Subject: [PATCH] Add safety checks on KEY_INTENT mismatch. + +For many years, Parcel mismatch typed exploits has been using the +AccoungManagerService's passing of KEY_INTENT workflow, as a foothold of +launching arbitrary intents. We are adding an extra check on the service +side to simulate the final deserialization of the KEY_INTENT value, to +make sure the client side won't get a mismatched KEY_INTENT value. + +Bug: 250588548 +Bug: 240138294 +Test: atest CtsAccountManagerTestCases +Test: local test, also see b/250588548 +Change-Id: I433e34f6e21ce15c89825044a15b1dec46bb25cc +(cherry picked from commit eb9a0566a583fa13f8aff671c41f78a9e33eab82) +Merged-In: I433e34f6e21ce15c89825044a15b1dec46bb25cc +--- + .../accounts/AccountManagerService.java | 34 ++++++++++++++++--- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index 4c8acc5ffb63..c1f401e9a11f 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -87,6 +87,7 @@ import android.os.SystemClock; + import android.os.UserHandle; + import android.os.UserManager; + import android.text.TextUtils; ++import android.util.EventLog; + import android.util.Log; + import android.util.Pair; + import android.util.Slog; +@@ -3001,7 +3002,7 @@ public class AccountManagerService + */ + if (!checkKeyIntent( + Binder.getCallingUid(), +- intent)) { ++ result)) { + onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, + "invalid intent in bundle returned"); + return; +@@ -3411,7 +3412,7 @@ public class AccountManagerService + && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { + if 
(!checkKeyIntent( + Binder.getCallingUid(), +- intent)) { ++ result)) { + onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, + "invalid intent in bundle returned"); + return; +@@ -4771,7 +4772,13 @@ public class AccountManagerService + * into launching arbitrary intents on the device via by tricking to click authenticator + * supplied entries in the system Settings app. + */ +- protected boolean checkKeyIntent(int authUid, Intent intent) { ++ protected boolean checkKeyIntent(int authUid, Bundle bundle) { ++ if (!checkKeyIntentParceledCorrectly(bundle)) { ++ EventLog.writeEvent(0x534e4554, "250588548", authUid, ""); ++ return false; ++ } ++ ++ Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); + // Explicitly set an empty ClipData to ensure that we don't offer to + // promote any Uris contained inside for granting purposes + if (intent.getClipData() == null) { +@@ -4808,6 +4815,25 @@ public class AccountManagerService + } + } + ++ /** ++ * Simulate the client side's deserialization of KEY_INTENT value, to make sure they don't ++ * violate our security policy. ++ * ++ * In particular we want to make sure the Authenticator doesn't trick users ++ * into launching arbitrary intents on the device via exploiting any other Parcel read/write ++ * mismatch problems. 
++ */ ++ private boolean checkKeyIntentParceledCorrectly(Bundle bundle) { ++ Parcel p = Parcel.obtain(); ++ p.writeBundle(bundle); ++ p.setDataPosition(0); ++ Bundle simulateBundle = p.readBundle(); ++ p.recycle(); ++ Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); ++ Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT); ++ return (intent.filterEquals(simulateIntent)); ++ } ++ + private boolean isExportedSystemActivity(ActivityInfo activityInfo) { + String className = activityInfo.name; + return "android".equals(activityInfo.packageName) && +@@ -4954,7 +4980,7 @@ public class AccountManagerService + && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { + if (!checkKeyIntent( + Binder.getCallingUid(), +- intent)) { ++ result)) { + onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, + "invalid intent in bundle returned"); + return; diff --git a/Patches/LineageOS-16.0/android_frameworks_base/347044.patch b/Patches/LineageOS-16.0/android_frameworks_base/347044.patch new file mode 100644 index 00000000..9716ee27 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/347044.patch 
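Review bot: `checkKeyIntentParceledCorrectly` calls `intent.filterEquals(simulateIntent)` without a null check, and `checkKeyIntent` now reads the intent from the bundle itself, so a bundle without `KEY_INTENT` would throw instead of returning false. Two of the three changed call sites show a `!= null` test before the call; the guard for the first one, if any, is outside its hunk. A check before the comparison would make the helper safe on its own: `if (intent == null) return simulateIntent == null;`. `p.recycle()` is also skipped if `readBundle()` throws, so the obtain/recycle pair would be better wrapped in `try`/`finally`.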
@@ -0,0 +1,86 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Yuri Lin +Date: Tue, 13 Sep 2022 12:53:19 -0400 +Subject: [PATCH] Limit lengths of fields in Condition to a max length. + +This app-generated input needs to not be too long to avoid errors in the process of writing to disk. + +Bug: 242846316 +Test: cts ConditionTest; atest ConditionTest; manually verified exploit apk is OK + +Change-Id: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9 +Merged-In: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9 +(cherry picked from commit 81352c3775949c622441e10b468766441e35edc7) +(cherry picked from commit 5cb217fff3bc7184bd776a9dc2991e7fce5e25bd) +Merged-In: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9 +--- + .../service/notification/Condition.java | 38 +++++++++++++++++-- + 1 file changed, 34 insertions(+), 4 deletions(-) + +diff --git a/core/java/android/service/notification/Condition.java b/core/java/android/service/notification/Condition.java +index 5a7a83f19b0c..10a7f5afaa50 100644 +--- a/core/java/android/service/notification/Condition.java ++++ b/core/java/android/service/notification/Condition.java +@@ -99,6 +99,12 @@ public final class Condition implements Parcelable { + @SystemApi + public final int icon; + ++ /** ++ * The maximum string length for any string contained in this condition. ++ * @hide ++ */ ++ public static final int MAX_STRING_LENGTH = 1000; ++ + /** + * An object representing the current state of a {@link android.app.AutomaticZenRule}. 
+ * @param id the {@link android.app.AutomaticZenRule#getConditionId()} of the zen rule +@@ -114,16 +120,19 @@ public final class Condition implements Parcelable { + if (id == null) throw new IllegalArgumentException("id is required"); + if (summary == null) throw new IllegalArgumentException("summary is required"); + if (!isValidState(state)) throw new IllegalArgumentException("state is invalid: " + state); +- this.id = id; +- this.summary = summary; +- this.line1 = line1; +- this.line2 = line2; ++ this.id = getTrimmedUri(id); ++ this.summary = getTrimmedString(summary); ++ this.line1 = getTrimmedString(line1); ++ this.line2 = getTrimmedString(line2); + this.icon = icon; + this.state = state; + this.flags = flags; + } + + public Condition(Parcel source) { ++ // This constructor passes all fields directly into the constructor that takes all the ++ // fields as arguments; that constructor will trim each of the input strings to ++ // max length if necessary. + this((Uri)source.readParcelable(Condition.class.getClassLoader()), + source.readString(), + source.readString(), +@@ -255,4 +264,25 @@ public final class Condition implements Parcelable { + return new Condition[size]; + } + }; ++ ++ /** ++ * Returns a truncated copy of the string if the string is longer than MAX_STRING_LENGTH. ++ */ ++ private static String getTrimmedString(String input) { ++ if (input != null && input.length() > MAX_STRING_LENGTH) { ++ return input.substring(0, MAX_STRING_LENGTH); ++ } ++ return input; ++ } ++ ++ /** ++ * Returns a truncated copy of the Uri by trimming the string representation to the maximum ++ * string length. ++ */ ++ private static Uri getTrimmedUri(Uri input) { ++ if (input != null && input.toString().length() > MAX_STRING_LENGTH) { ++ return Uri.parse(getTrimmedString(input.toString())); ++ } ++ return input; ++ } + } 
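Review bot: `getTrimmedUri` truncates the string form of `id` and re-parses it, which can cut through an escape sequence and makes two different over-long ids that share their first `MAX_STRING_LENGTH` characters compare equal. If `id` is used as a key elsewhere (not visible in this hunk), that is a silent collision rather than a rejected input. Either reject over-long ids next to the existing `IllegalArgumentException` checks in the constructor, or document the behaviour on the helper, e.g. `// Truncation is lossy: distinct over-long ids can map to the same Uri.`. `getTrimmedString` can likewise split a surrogate pair at the cut point.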
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/347045.patch b/Patches/LineageOS-16.0/android_frameworks_base/347045.patch new file mode 100644 index 00000000..3778fa7e --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/347045.patch 
@@ -0,0 +1,64 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Norman +Date: Wed, 5 Oct 2022 16:28:20 -0700 +Subject: [PATCH] RESTRICT AUTOMERGE Disable all A11yServices from an + uninstalled package. + +Previous logic would exit the loop after removing the first service +matching the uninstalled package. + +Bug: 243378132 +Test: atest AccessibilityEndToEndTest +Test: m sts; + sts-tradefed run sts-dynamic-develop -m \ + CtsAccessibilityServiceTestCases +Change-Id: I4ba30345d8600674ee8a9ea3ff411aecbf3655a3 +(cherry picked from commit 37966299859153377e61a6a97b036388d231c2d0) +Merged-In: I4ba30345d8600674ee8a9ea3ff411aecbf3655a3 +--- + .../AccessibilityManagerService.java | 24 ++++++++++--------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java +index 58a1beed70c9..91d1b7576ca7 100644 +--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java ++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java +@@ -379,25 +379,27 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub + } + UserState userState = getUserStateLocked(userId); + Iterator it = userState.mEnabledServices.iterator(); ++ boolean anyServiceRemoved = false; + while (it.hasNext()) { + ComponentName comp = it.next(); + String compPkg = comp.getPackageName(); + if (compPkg.equals(packageName)) { + it.remove(); +- // Update the enabled services setting. +- persistComponentNamesToSettingLocked( +- Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES, +- userState.mEnabledServices, userId); +- // Update the touch exploration granted services setting. 
+ userState.mTouchExplorationGrantedServices.remove(comp); +- persistComponentNamesToSettingLocked( +- Settings.Secure. +- TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES, +- userState.mTouchExplorationGrantedServices, userId); +- onUserStateChangedLocked(userState); +- return; ++ anyServiceRemoved = true; + } + } ++ if (anyServiceRemoved) { ++ // Update the enabled services setting. ++ persistComponentNamesToSettingLocked( ++ Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES, ++ userState.mEnabledServices, userId); ++ // Update the touch exploration granted services setting. ++ persistComponentNamesToSettingLocked( ++ Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES, ++ userState.mTouchExplorationGrantedServices, userId); ++ onUserStateChangedLocked(userState); ++ } + } + } + diff --git a/Patches/LineageOS-16.0/android_frameworks_base/347046.patch b/Patches/LineageOS-16.0/android_frameworks_base/347046.patch new file mode 100644 index 00000000..57dfb7c6 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/347046.patch 
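Review bot: `userState.mTouchExplorationGrantedServices.remove(comp)` still runs only for components found while iterating `mEnabledServices`, so a touch-exploration grant for a component of the uninstalled package that is not currently enabled would be left in place. Whether that state can occur is not visible from the hunk, which starts inside the method. If it can, the granted set should be filtered by package name separately, with `anyServiceRemoved` set from either removal. The two `persistComponentNamesToSettingLocked` calls would then stay as written.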
@@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Yuri Lin +Date: Wed, 12 Oct 2022 14:27:46 +0000 +Subject: [PATCH] Fix conditionId string trimming in AutomaticZenRule + +This change only applies to S branches and earlier. + +Bug: 253085433 +Bug: 242703460 +Bug: 242703505 +Bug: 242703780 +Bug: 242704043 +Bug: 243794204 +Test: AutomaticZenRuleTest +Change-Id: Iae423d93b777df8946ecf1c3baf640fcf74990ec +Merged-In: Iae423d93b777df8946ecf1c3baf640fcf74990ec +(cherry picked from commit 303f6bde896877793370c1697fa8c8331b808e56) +Merged-In: Iae423d93b777df8946ecf1c3baf640fcf74990ec +--- + core/java/android/app/AutomaticZenRule.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/java/android/app/AutomaticZenRule.java b/core/java/android/app/AutomaticZenRule.java +index 29dd91ec1ad6..5998ab6fdaf4 100644 +--- a/core/java/android/app/AutomaticZenRule.java ++++ b/core/java/android/app/AutomaticZenRule.java +@@ -80,7 +80,7 @@ public final class AutomaticZenRule implements Parcelable { + name = getTrimmedString(source.readString()); + } + interruptionFilter = source.readInt(); +- conditionId = source.readParcelable(null); ++ conditionId = getTrimmedUri(source.readParcelable(null)); + owner = getTrimmedComponentName(source.readParcelable(null)); + creationTime = source.readLong(); + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/347047.patch b/Patches/LineageOS-16.0/android_frameworks_base/347047.patch new file mode 100644 index 00000000..a4ab8c3d --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/347047.patch 
@@ -0,0 +1,237 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Songchun Fan +Date: Wed, 17 Aug 2022 09:37:18 -0700 +Subject: [PATCH] mem limit should be checked before settings are updated + +Previously, a setting is updated before the memory usage limit +check, which can be exploited by malicious apps and cause OoM DoS. + +This CL changes the logic to checkMemLimit -> update -> updateMemUsage. + +BUG: 239415861 +Test: atest com.android.providers.settings.SettingsStateTest + +(cherry picked from commit 8eeb92950f4a7012d4cf282106a1418fd211f475) +Merged-In: I20551a2dba9aa79efa0c064824f349f551c2c2e4 +Change-Id: I20551a2dba9aa79efa0c064824f349f551c2c2e4 +(cherry picked from commit d85a42821075ad80b931d904bdc9c1d4c3129456) +Merged-In: I20551a2dba9aa79efa0c064824f349f551c2c2e4 +--- + .../providers/settings/SettingsState.java | 75 ++++++++++++------- + .../providers/settings/SettingsStateTest.java | 43 ++++++++++- + 2 files changed, 90 insertions(+), 28 deletions(-) + +diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java +index 449946d7ab15..33b506468e11 100644 +--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java ++++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java +@@ -358,9 +358,11 @@ final class SettingsState { + Setting newSetting = new Setting(name, oldSetting.getValue(), null, + oldSetting.getPackageName(), oldSetting.getTag(), false, + oldSetting.getId()); +- mSettings.put(name, newSetting); +- updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue, ++ int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue, + newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue()); ++ checkNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize); ++ mSettings.put(name, newSetting); ++ 
updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize); + scheduleWriteIfNeededLocked(); + } + } +@@ -375,6 +377,12 @@ final class SettingsState { + Setting oldState = mSettings.get(name); + String oldValue = (oldState != null) ? oldState.value : null; + String oldDefaultValue = (oldState != null) ? oldState.defaultValue : null; ++ String newDefaultValue = makeDefault ? value : oldDefaultValue; ++ ++ int newSize = getNewMemoryUsagePerPackageLocked(packageName, oldValue, value, ++ oldDefaultValue, newDefaultValue); ++ checkNewMemoryUsagePerPackageLocked(packageName, newSize); ++ + Setting newState; + + if (oldState != null) { +@@ -392,8 +400,7 @@ final class SettingsState { + + addHistoricalOperationLocked(HISTORICAL_OPERATION_UPDATE, newState); + +- updateMemoryUsagePerPackageLocked(packageName, oldValue, value, +- oldDefaultValue, newState.getDefaultValue()); ++ updateMemoryUsagePerPackageLocked(packageName, newSize); + + scheduleWriteIfNeededLocked(); + +@@ -413,13 +420,14 @@ final class SettingsState { + } + + Setting oldState = mSettings.remove(name); ++ int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName, oldState.value, ++ null, oldState.defaultValue, null); + + StatsLog.write(StatsLog.SETTING_CHANGED, name, /* value= */ "", /* newValue= */ "", + oldState.value, /* tag */ "", false, getUserIdFromKey(mKey), + StatsLog.SETTING_CHANGED__REASON__DELETED); + +- updateMemoryUsagePerPackageLocked(oldState.packageName, oldState.value, +- null, oldState.defaultValue, null); ++ updateMemoryUsagePerPackageLocked(oldState.packageName, newSize); + + addHistoricalOperationLocked(HISTORICAL_OPERATION_DELETE, oldState); + +@@ -439,16 +447,18 @@ final class SettingsState { + Setting oldSetting = new Setting(setting); + String oldValue = setting.getValue(); + String oldDefaultValue = setting.getDefaultValue(); ++ String newValue = oldDefaultValue; ++ String newDefaultValue = oldDefaultValue; ++ ++ int newSize = 
getNewMemoryUsagePerPackageLocked(setting.packageName, oldValue, ++ newValue, oldDefaultValue, newDefaultValue); ++ checkNewMemoryUsagePerPackageLocked(setting.packageName, newSize); + + if (!setting.reset()) { + return false; + } + +- String newValue = setting.getValue(); +- String newDefaultValue = setting.getDefaultValue(); +- +- updateMemoryUsagePerPackageLocked(setting.packageName, oldValue, +- newValue, oldDefaultValue, newDefaultValue); ++ updateMemoryUsagePerPackageLocked(setting.packageName, newSize); + + addHistoricalOperationLocked(HISTORICAL_OPERATION_RESET, oldSetting); + +@@ -553,38 +563,49 @@ final class SettingsState { + } + } + +- private void updateMemoryUsagePerPackageLocked(String packageName, String oldValue, +- String newValue, String oldDefaultValue, String newDefaultValue) { +- if (mMaxBytesPerAppPackage == MAX_BYTES_PER_APP_PACKAGE_UNLIMITED) { +- return; +- } ++ private boolean isExemptFromMemoryUsageCap(String packageName) { ++ return mMaxBytesPerAppPackage == MAX_BYTES_PER_APP_PACKAGE_UNLIMITED ++ || SYSTEM_PACKAGE_NAME.equals(packageName); ++ } + +- if (SYSTEM_PACKAGE_NAME.equals(packageName)) { ++ @GuardedBy("mLock") ++ private void checkNewMemoryUsagePerPackageLocked(String packageName, int newSize) ++ throws IllegalStateException { ++ if (isExemptFromMemoryUsageCap(packageName)) { + return; + } ++ if (newSize > mMaxBytesPerAppPackage) { ++ throw new IllegalStateException("You are adding too many system settings. " ++ + "You should stop using system settings for app specific data" ++ + " package: " + packageName); ++ } ++ } + ++ @GuardedBy("mLock") ++ private int getNewMemoryUsagePerPackageLocked(String packageName, String oldValue, ++ String newValue, String oldDefaultValue, String newDefaultValue) { ++ if (isExemptFromMemoryUsageCap(packageName)) { ++ return 0; ++ } ++ final Integer currentSize = mPackageToMemoryUsage.get(packageName); + final int oldValueSize = (oldValue != null) ? 
oldValue.length() : 0; + final int newValueSize = (newValue != null) ? newValue.length() : 0; + final int oldDefaultValueSize = (oldDefaultValue != null) ? oldDefaultValue.length() : 0; + final int newDefaultValueSize = (newDefaultValue != null) ? newDefaultValue.length() : 0; + final int deltaSize = newValueSize + newDefaultValueSize + - oldValueSize - oldDefaultValueSize; ++ return Math.max((currentSize != null) ? currentSize + deltaSize : deltaSize, 0); ++ } + +- Integer currentSize = mPackageToMemoryUsage.get(packageName); +- final int newSize = Math.max((currentSize != null) +- ? currentSize + deltaSize : deltaSize, 0); +- +- if (newSize > mMaxBytesPerAppPackage) { +- throw new IllegalStateException("You are adding too many system settings. " +- + "You should stop using system settings for app specific data" +- + " package: " + packageName); ++ @GuardedBy("mLock") ++ private void updateMemoryUsagePerPackageLocked(String packageName, int newSize) { ++ if (isExemptFromMemoryUsageCap(packageName)) { ++ return; + } +- + if (DEBUG) { + Slog.i(LOG_TAG, "Settings for package: " + packageName + + " size: " + newSize + " bytes."); + } +- + mPackageToMemoryUsage.put(packageName, newSize); + } + +diff --git a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java +index 3f68554ffe87..6f45adef91f7 100644 +--- a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java ++++ b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java +@@ -21,6 +21,8 @@ import android.util.Xml; + + import org.xmlpull.v1.XmlSerializer; + ++import com.google.common.base.Strings; ++ + import java.io.ByteArrayOutputStream; + import java.io.File; + import java.io.FileOutputStream; +@@ -46,7 +48,6 @@ public class SettingsStateTest extends AndroidTestCase { + "\uD800ab\uDC00 " + // broken surrogate pairs + "日本語"; + 
+- + public void testIsBinary() { + assertFalse(SettingsState.isBinary(" abc 日本語")); + +@@ -182,4 +183,44 @@ public class SettingsStateTest extends AndroidTestCase { + assertEquals("p2", s.getPackageName()); + } + } ++ ++ public void testInsertSetting_memoryUsage() { ++ final Object lock = new Object(); ++ final File file = new File(getContext().getCacheDir(), "setting.xml"); ++ final String settingName = "test_setting"; ++ ++ SettingsState settingsState = new SettingsState(getContext(), lock, file, 1, ++ SettingsState.MAX_BYTES_PER_APP_PACKAGE_UNLIMITED, Looper.getMainLooper()); ++ // No exception should be thrown when there is no cap ++ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001), ++ null, false, "p1"); ++ settingsState.deleteSettingLocked(settingName); ++ ++ settingsState = new SettingsState(getContext(), lock, file, 1, ++ SettingsState.MAX_BYTES_PER_APP_PACKAGE_LIMITED, Looper.getMainLooper()); ++ // System package doesn't have memory usage limit ++ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001), ++ null, false, "android"); ++ settingsState.deleteSettingLocked(settingName); ++ ++ // Should not throw if usage is under the cap ++ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19999), ++ null, false, "p1"); ++ settingsState.deleteSettingLocked(settingName); ++ try { ++ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001), ++ null, false, "p1"); ++ fail("Should throw because it exceeded per package memory usage"); ++ } catch (IllegalStateException ex) { ++ assertTrue(ex.getMessage().contains("p1")); ++ } ++ try { ++ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001), ++ null, false, "p1"); ++ fail("Should throw because it exceeded per package memory usage"); ++ } catch (IllegalStateException ex) { ++ assertTrue(ex.getMessage().contains("p1")); ++ } ++ assertTrue(settingsState.getSettingLocked(settingName).isNull()); ++ } + } 
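Review bot: `getNewMemoryUsagePerPackageLocked` sums `String.length()` values, yet the result is compared with `mMaxBytesPerAppPackage` and logged as "bytes", so the cap is measured in UTF-16 code units rather than bytes. The new helper has no doc comment; one that states the unit and the exempt case would prevent misreading, e.g. `/** Projected usage for the package in String.length() units, not bytes; 0 when the package is exempt from the cap. */`. In the added test, the second identical `try` block reads like a copy-paste. If it is there to show that a rejected insert left the recorded usage unchanged, a comment such as `// Repeat: a rejected insert must not have changed the recorded usage` would make that clear.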
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/347048.patch b/Patches/LineageOS-16.0/android_frameworks_base/347048.patch new file mode 100644 index 00000000..586df17b --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/347048.patch @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nate Myren +Date: Wed, 26 Oct 2022 17:37:26 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Revert "Revert "RESTRICT AUTOMERGE + Validate permission tree size..." + +Revert submission 20285709-revert-20103164-permTree-qt-dev-QWIEBZIWEA + +Reason for revert: resubmission +Reverted Changes: +I0a3b68aff:Revert "RESTRICT AUTOMERGE Add PermissionMemoryFoo... +I4e8ec8b1a:Revert "RESTRICT AUTOMERGE Validate permission tre... + +Change-Id: I3cd1aa270373bb32f95dfbe8422faa783ee49dca +(cherry picked from commit 4e83e59b27f7d6232ee9fe96f789e32debc19772) +Merged-In: I3cd1aa270373bb32f95dfbe8422faa783ee49dca +--- + .../android/server/pm/permission/PermissionManagerService.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +index 79b2636481b3..a61f67d32452 100644 +--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java ++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +@@ -688,8 +688,8 @@ public class PermissionManagerService { + BasePermission bp = mSettings.getPermissionLocked(info.name); + added = bp == null; + int fixedLevel = PermissionInfo.fixProtectionLevel(info.protectionLevel); ++ enforcePermissionCapLocked(info, tree); + if (added) { +- enforcePermissionCapLocked(info, tree); + bp = new BasePermission(info.name, tree.getSourcePackageName(), + BasePermission.TYPE_DYNAMIC); + } else if (!bp.isDynamic()) { 
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/347049.patch b/Patches/LineageOS-16.0/android_frameworks_base/347049.patch new file mode 100644 index 00000000..3ffb1a12 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/347049.patch 
@@ -0,0 +1,249 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Songchun Fan +Date: Tue, 11 Oct 2022 18:08:11 -0700 +Subject: [PATCH] key size limit for mutating settings + +Prior to targetSdk 22, apps could add random system settings keys which +opens an opportunity for OOM attacks. This CL adds a key size limit. + +BUG: 239415997 +Test: manual; will add cts test +Merged-In: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc +Change-Id: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc +(cherry picked from commit 783bcba343c480f6ccedaaff41ba7171a1082e0c) +(cherry picked from commit f1831c87122e56951c04e1f62f647ab156ca71e3) +Merged-In: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc +--- + .../providers/settings/SettingsState.java | 40 ++++--- + .../providers/settings/SettingsStateTest.java | 102 +++++++++++++++++- + 2 files changed, 126 insertions(+), 16 deletions(-) + +diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java +index 33b506468e11..c27c43d0cdc7 100644 +--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java ++++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java +@@ -48,6 +48,7 @@ import android.util.Xml; + import android.util.proto.ProtoOutputStream; + + import com.android.internal.annotations.GuardedBy; ++import com.android.internal.annotations.VisibleForTesting; + import com.android.internal.util.ArrayUtils; + import com.android.server.LocalServices; + +@@ -358,8 +359,8 @@ final class SettingsState { + Setting newSetting = new Setting(name, oldSetting.getValue(), null, + oldSetting.getPackageName(), oldSetting.getTag(), false, + oldSetting.getId()); +- int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue, +- newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue()); ++ int newSize = 
getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), 0, ++ oldValue, newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue()); + checkNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize); + mSettings.put(name, newSetting); + updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize); +@@ -379,8 +380,9 @@ final class SettingsState { + String oldDefaultValue = (oldState != null) ? oldState.defaultValue : null; + String newDefaultValue = makeDefault ? value : oldDefaultValue; + +- int newSize = getNewMemoryUsagePerPackageLocked(packageName, oldValue, value, +- oldDefaultValue, newDefaultValue); ++ int newSize = getNewMemoryUsagePerPackageLocked(packageName, ++ oldValue == null ? name.length() : 0 /* deltaKeySize */, ++ oldValue, value, oldDefaultValue, newDefaultValue); + checkNewMemoryUsagePerPackageLocked(packageName, newSize); + + Setting newState; +@@ -420,8 +422,12 @@ final class SettingsState { + } + + Setting oldState = mSettings.remove(name); +- int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName, oldState.value, +- null, oldState.defaultValue, null); ++ if (oldState == null) { ++ return false; ++ } ++ int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName, ++ -name.length() /* deltaKeySize */, ++ oldState.value, null, oldState.defaultValue, null); + + StatsLog.write(StatsLog.SETTING_CHANGED, name, /* value= */ "", /* newValue= */ "", + oldState.value, /* tag */ "", false, getUserIdFromKey(mKey), +@@ -443,15 +449,16 @@ final class SettingsState { + } + + Setting setting = mSettings.get(name); ++ if (setting == null) { ++ return false; ++ } + + Setting oldSetting = new Setting(setting); + String oldValue = setting.getValue(); + String oldDefaultValue = setting.getDefaultValue(); +- String newValue = oldDefaultValue; +- String newDefaultValue = oldDefaultValue; + +- int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, oldValue, +- newValue, oldDefaultValue, 
newDefaultValue); ++ int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, 0, oldValue, ++ oldDefaultValue, oldDefaultValue, oldDefaultValue); + checkNewMemoryUsagePerPackageLocked(setting.packageName, newSize); + + if (!setting.reset()) { +@@ -582,8 +589,8 @@ final class SettingsState { + } + + @GuardedBy("mLock") +- private int getNewMemoryUsagePerPackageLocked(String packageName, String oldValue, +- String newValue, String oldDefaultValue, String newDefaultValue) { ++ private int getNewMemoryUsagePerPackageLocked(String packageName, int deltaKeySize, ++ String oldValue, String newValue, String oldDefaultValue, String newDefaultValue) { + if (isExemptFromMemoryUsageCap(packageName)) { + return 0; + } +@@ -592,7 +599,7 @@ final class SettingsState { + final int newValueSize = (newValue != null) ? newValue.length() : 0; + final int oldDefaultValueSize = (oldDefaultValue != null) ? oldDefaultValue.length() : 0; + final int newDefaultValueSize = (newDefaultValue != null) ? newDefaultValue.length() : 0; +- final int deltaSize = newValueSize + newDefaultValueSize ++ final int deltaSize = deltaKeySize + newValueSize + newDefaultValueSize + - oldValueSize - oldDefaultValueSize; + return Math.max((currentSize != null) ? 
currentSize + deltaSize : deltaSize, 0); + } +@@ -1216,4 +1223,11 @@ final class SettingsState { + return false; + } + } ++ ++ @VisibleForTesting ++ public int getMemoryUsage(String packageName) { ++ synchronized (mLock) { ++ return mPackageToMemoryUsage.getOrDefault(packageName, 0); ++ } ++ } + } +diff --git a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java +index 6f45adef91f7..adb356726eec 100644 +--- a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java ++++ b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java +@@ -186,8 +186,8 @@ public class SettingsStateTest extends AndroidTestCase { + + public void testInsertSetting_memoryUsage() { + final Object lock = new Object(); +- final File file = new File(getContext().getCacheDir(), "setting.xml"); +- final String settingName = "test_setting"; ++ final File file = new File(getContext().getCacheDir(), "setting.xml"); ++ final String settingName = "test_setting"; + + SettingsState settingsState = new SettingsState(getContext(), lock, file, 1, + SettingsState.MAX_BYTES_PER_APP_PACKAGE_UNLIMITED, Looper.getMainLooper()); +@@ -204,7 +204,7 @@ public class SettingsStateTest extends AndroidTestCase { + settingsState.deleteSettingLocked(settingName); + + // Should not throw if usage is under the cap +- settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19999), ++ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19975), + null, false, "p1"); + settingsState.deleteSettingLocked(settingName); + try { +@@ -222,5 +222,101 @@ public class SettingsStateTest extends AndroidTestCase { + assertTrue(ex.getMessage().contains("p1")); + } + assertTrue(settingsState.getSettingLocked(settingName).isNull()); ++ try { ++ settingsState.insertSettingLocked(Strings.repeat("A", 20001), "", ++ null, false, 
"p1"); ++ fail("Should throw because it exceeded per package memory usage"); ++ } catch (IllegalStateException ex) { ++ assertTrue(ex.getMessage().contains("You are adding too many system settings")); ++ } ++ } ++ ++ public void testMemoryUsagePerPackage() { ++ final Object lock = new Object(); ++ final File file = new File(getContext().getCacheDir(), "setting.xml"); ++ final String testPackage = "package"; ++ SettingsState settingsState = new SettingsState(getContext(), lock, file, 1, ++ SettingsState.MAX_BYTES_PER_APP_PACKAGE_LIMITED, Looper.getMainLooper()); ++ ++ // Test inserting one key with default ++ final String settingName = "test_setting"; ++ final String testKey1 = settingName; ++ final String testValue1 = Strings.repeat("A", 100); ++ settingsState.insertSettingLocked(testKey1, testValue1, null, true, testPackage); ++ int expectedMemUsage = testKey1.length() + testValue1.length() ++ + testValue1.length() /* size for default */; ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test inserting another key ++ final String testKey2 = settingName + "2"; ++ settingsState.insertSettingLocked(testKey2, testValue1, null, false, testPackage); ++ expectedMemUsage += testKey2.length() + testValue1.length(); ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test updating first key with new default ++ final String testValue2 = Strings.repeat("A", 300); ++ settingsState.insertSettingLocked(testKey1, testValue2, null, true, testPackage); ++ expectedMemUsage += (testValue2.length() - testValue1.length()) * 2; ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test updating first key without new default ++ final String testValue3 = Strings.repeat("A", 50); ++ settingsState.insertSettingLocked(testKey1, testValue3, null, false, testPackage); ++ expectedMemUsage -= testValue2.length() - testValue3.length(); ++ assertEquals(expectedMemUsage, 
settingsState.getMemoryUsage(testPackage)); ++ ++ // Test updating second key ++ settingsState.insertSettingLocked(testKey2, testValue2, null, false, testPackage); ++ expectedMemUsage -= testValue1.length() - testValue2.length(); ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test resetting key ++ settingsState.resetSettingLocked(testKey1); ++ expectedMemUsage += testValue2.length() - testValue3.length(); ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test resetting default value ++ settingsState.resetSettingDefaultValueLocked(testKey1); ++ expectedMemUsage -= testValue2.length(); ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test deletion ++ settingsState.deleteSettingLocked(testKey2); ++ expectedMemUsage -= testValue2.length() + testKey2.length() /* key is deleted too */; ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test another package with a different key ++ final String testPackage2 = testPackage + "2"; ++ final String testKey3 = settingName + "3"; ++ settingsState.insertSettingLocked(testKey3, testValue1, null, true, testPackage2); ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ final int expectedMemUsage2 = testKey3.length() + testValue1.length() * 2; ++ assertEquals(expectedMemUsage2, settingsState.getMemoryUsage(testPackage2)); ++ ++ // Test system package ++ settingsState.insertSettingLocked(testKey1, testValue1, null, true, "android"); ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ assertEquals(expectedMemUsage2, settingsState.getMemoryUsage(testPackage2)); ++ assertEquals(0, settingsState.getMemoryUsage("android")); ++ ++ // Test invalid value ++ try { ++ settingsState.insertSettingLocked(testKey1, Strings.repeat("A", 20001), null, false, ++ testPackage); ++ fail("Should throw because it exceeded per package memory usage"); ++ 
} catch (IllegalStateException ex) { ++ assertTrue(ex.getMessage().contains("You are adding too many system settings")); ++ } ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test invalid key ++ try { ++ settingsState.insertSettingLocked(Strings.repeat("A", 20001), "", null, false, ++ testPackage); ++ fail("Should throw because it exceeded per package memory usage"); ++ } catch (IllegalStateException ex) { ++ assertTrue(ex.getMessage().contains("You are adding too many system settings")); ++ } ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); + } + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/347050.patch b/Patches/LineageOS-16.0/android_frameworks_base/347050.patch new file mode 100644 index 00000000..70e8b503 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/347050.patch 
@@ -0,0 +1,129 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nate Myren +Date: Fri, 23 Sep 2022 12:04:57 -0700 +Subject: [PATCH] RESTRICT AUTOMERGE Revoke SYSTEM_ALERT_WINDOW on upgrade past + api 23 + +Bug: 221040577 +Test: atest PermissionTest23#testPre23AppsWithSystemAlertWindowGetDeniedOnUpgrade +Change-Id: I4b4605aaae107875811070dea6d031c5d9f25c96 +(cherry picked from commit f6ba142a84a38014e56c3178f0aa322a377b77cd) +Merged-In: I4b4605aaae107875811070dea6d031c5d9f25c96 +--- + .../server/pm/PackageManagerService.java | 4 +- + .../permission/PermissionManagerInternal.java | 20 ++++----- + .../permission/PermissionManagerService.java | 44 ++++++++++++++++++- + 3 files changed, 54 insertions(+), 14 deletions(-) + +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index 5b454f2d8939..25f70b23e68f 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -11812,8 +11812,8 @@ public class PackageManagerService extends IPackageManager.Stub + + AsyncTask.execute(() -> { + if (hasOldPkg) { +- mPermissionManager.revokeRuntimePermissionsIfGroupChanged(pkg, oldPkg, +- allPackageNames, mPermissionCallback); ++ mPermissionManager.onPackageUpdated(pkg, oldPkg, allPackageNames, ++ mPermissionCallback); + } + if (hasPermissionDefinitionChanges) { + mPermissionManager.revokeRuntimePermissionsIfPermissionDefinitionChanged( +diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerInternal.java b/services/core/java/com/android/server/pm/permission/PermissionManagerInternal.java +index 185e0e1fda5f..0f98126171d8 100644 +--- a/services/core/java/com/android/server/pm/permission/PermissionManagerInternal.java ++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerInternal.java +@@ -91,17 +91,15 @@ 
public abstract class PermissionManagerInternal { + public abstract void updateAllPermissions(@Nullable String volumeUuid, boolean sdkUpdated, + @NonNull Collection allPacakges, PermissionCallback callback); + +- /** +- * We might auto-grant permissions if any permission of the group is already granted. Hence if +- * the group of a granted permission changes we need to revoke it to avoid having permissions of +- * the new group auto-granted. +- * +- * @param newPackage The new package that was installed +- * @param oldPackage The old package that was updated +- * @param allPackageNames All packages +- * @param permissionCallback Callback for permission changed +- */ +- public abstract void revokeRuntimePermissionsIfGroupChanged( ++ /** ++ * If the app is updated, then some checks need to be performed to ensure the package is not ++ * attempting to expoit permission changes across API boundaries. ++ * @param newPackage The new package that was installed ++ * @param oldPackage The old package that was updated ++ * @param allPackageNames The current packages in the system ++ * @param permissionCallback Callback for permission changed ++ */ ++ public abstract void onPackageUpdated( + @NonNull PackageParser.Package newPackage, + @NonNull PackageParser.Package oldPackage, + @NonNull ArrayList allPackageNames, +diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +index a61f67d32452..bdfe64c2c348 100644 +--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java ++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +@@ -392,6 +392,46 @@ public class PermissionManagerService { + return protectionLevel; + } + ++ /** ++ * If the package was below api 23, got the SYSTEM_ALERT_WINDOW permission automatically, and ++ * then updated past api 23, and the app does not satisfy any of the other 
SAW permission flags, ++ * the permission should be revoked. ++ * ++ * @param newPackage The new package that was installed ++ * @param oldPackage The old package that was updated ++ */ ++ private void revokeSystemAlertWindowIfUpgradedPast23( ++ @NonNull PackageParser.Package newPackage, ++ @NonNull PackageParser.Package oldPackage, ++ @NonNull PermissionCallback permissionCallback) { ++ if (oldPackage.applicationInfo.targetSdkVersion >= Build.VERSION_CODES.M ++ || newPackage.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M ++ || !newPackage.requestedPermissions ++ .contains(Manifest.permission.SYSTEM_ALERT_WINDOW)) { ++ return; ++ } ++ ++ BasePermission saw; ++ final int callingUid = Binder.getCallingUid(); ++ synchronized (mLock) { ++ saw = mSettings.getPermissionLocked(Manifest.permission.SYSTEM_ALERT_WINDOW); ++ } ++ final PackageSetting ps = (PackageSetting) newPackage.mExtras; ++ if (grantSignaturePermission(Manifest.permission.SYSTEM_ALERT_WINDOW, newPackage, saw, ++ ps.getPermissionsState())) { ++ return; ++ } ++ for (int userId: mUserManagerInt.getUserIds()) { ++ try { ++ revokeRuntimePermission(Manifest.permission.SYSTEM_ALERT_WINDOW, ++ newPackage.packageName, false, callingUid, userId, permissionCallback); ++ } catch (IllegalStateException | SecurityException e) { ++ Log.e(TAG, "unable to revoke SYSTEM_ALERT_WINDOW for " ++ + newPackage.packageName + " user " + userId, e); ++ } ++ } ++ } ++ + /** + * We might auto-grant permissions if any permission of the group is already granted. 
Hence if + * the group of a granted permission changes we need to revoke it to avoid having permissions of +@@ -2127,11 +2167,13 @@ public class PermissionManagerService { + return PermissionManagerService.this.isPermissionsReviewRequired(pkg, userId); + } + @Override +- public void revokeRuntimePermissionsIfGroupChanged( ++ public void onPackageUpdated( + @NonNull PackageParser.Package newPackage, + @NonNull PackageParser.Package oldPackage, + @NonNull ArrayList allPackageNames, + @NonNull PermissionCallback permissionCallback) { ++ PermissionManagerService.this.revokeSystemAlertWindowIfUpgradedPast23(newPackage, ++ oldPackage, permissionCallback); + PermissionManagerService.this.revokeRuntimePermissionsIfGroupChanged(newPackage, + oldPackage, allPackageNames, permissionCallback); + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/347051.patch b/Patches/LineageOS-16.0/android_frameworks_base/347051.patch new file mode 100644 index 00000000..7d50d95c --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/347051.patch 
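Review bot: In `revokeSystemAlertWindowIfUpgradedPast23` (PermissionManagerService.java), `newPackage.mExtras` is cast to `PackageSetting` and dereferenced via `ps.getPermissionsState()` with no null check, and the revoke loop catches only `IllegalStateException | SecurityException`. Because `onPackageUpdated` calls this method before `revokeRuntimePermissionsIfGroupChanged`, any other unchecked exception raised here would, as far as the hunks show, also skip the existing group-change revocation for that update. Whether `mExtras` can be null at this point is not visible, so the safer shape is to make the second revoke unconditional: `try { revokeSystemAlertWindowIfUpgradedPast23(newPackage, oldPackage, permissionCallback); } finally { revokeRuntimePermissionsIfGroupChanged(newPackage, oldPackage, allPackageNames, permissionCallback); }`. The new javadoc also omits `@param permissionCallback`, and the `onPackageUpdated` comment in PermissionManagerInternal.java misspells "exploit".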
@@ -0,0 +1,254 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Khoa Hong +Date: Wed, 19 Oct 2022 16:29:18 +0800 +Subject: [PATCH] Add protections agains use-after-free issues if cancel() or + queue() is called after a device connection has been closed. + +This is a backport of ag/7528082 and ag/20033068. + +Bug: 132319116 +Bug: 130571162 +Bug: 204584366 +Test: CTS Verifier: USB Accessory Test & USB Device Test +Change-Id: I952ab566e26a808997e362dc85ebd1d8eb4574b9 +(cherry picked from commit 7a8d56b2fe3496f7717ad1afe45d2ef523b7e252) +Merged-In: I952ab566e26a808997e362dc85ebd1d8eb4574b9 +--- + .../hardware/usb/UsbDeviceConnection.java | 71 +++++++++++++-- + .../java/android/hardware/usb/UsbRequest.java | 86 +++++++++++++++++-- + 2 files changed, 143 insertions(+), 14 deletions(-) + +diff --git a/core/java/android/hardware/usb/UsbDeviceConnection.java b/core/java/android/hardware/usb/UsbDeviceConnection.java +index 9e5174ad93a8..7a521166f35c 100644 +--- a/core/java/android/hardware/usb/UsbDeviceConnection.java ++++ b/core/java/android/hardware/usb/UsbDeviceConnection.java +@@ -50,6 +50,8 @@ public class UsbDeviceConnection { + + private final CloseGuard mCloseGuard = CloseGuard.get(); + ++ private final Object mLock = new Object(); ++ + /** + * UsbDevice should only be instantiated by UsbService implementation + * @hide +@@ -60,13 +62,23 @@ public class UsbDeviceConnection { + + /* package */ boolean open(String name, ParcelFileDescriptor pfd, @NonNull Context context) { + mContext = context.getApplicationContext(); +- boolean wasOpened = native_open(name, pfd.getFileDescriptor()); + +- if (wasOpened) { +- mCloseGuard.open("close"); ++ synchronized (mLock) { ++ boolean wasOpened = native_open(name, pfd.getFileDescriptor()); ++ ++ if (wasOpened) { ++ mCloseGuard.open("close"); ++ } ++ ++ return wasOpened; + } ++ } + +- return wasOpened; ++ /*** ++ * @return If this connection is currently open and usable. 
++ */ ++ boolean isOpen() { ++ return mNativeContext != 0; + } + + /** +@@ -78,6 +90,49 @@ public class UsbDeviceConnection { + return mContext; + } + ++ /** ++ * Cancel a request which relates to this connection. ++ * ++ * @return true if the request was successfully cancelled. ++ */ ++ /* package */ boolean cancelRequest(UsbRequest request) { ++ synchronized (mLock) { ++ if (!isOpen()) { ++ return false; ++ } ++ ++ return request.cancelIfOpen(); ++ } ++ } ++ ++ /** ++ * This is meant to be called by UsbRequest's queue() in order to synchronize on ++ * UsbDeviceConnection's mLock to prevent the connection being closed while queueing. ++ */ ++ /* package */ boolean queueRequest(UsbRequest request, ByteBuffer buffer, int length) { ++ synchronized (mLock) { ++ if (!isOpen()) { ++ return false; ++ } ++ ++ return request.queueIfConnectionOpen(buffer, length); ++ } ++ } ++ ++ /** ++ * This is meant to be called by UsbRequest's queue() in order to synchronize on ++ * UsbDeviceConnection's mLock to prevent the connection being closed while queueing. ++ */ ++ /* package */ boolean queueRequest(UsbRequest request, @Nullable ByteBuffer buffer) { ++ synchronized (mLock) { ++ if (!isOpen()) { ++ return false; ++ } ++ ++ return request.queueIfConnectionOpen(buffer); ++ } ++ } ++ + /** + * Releases all system resources related to the device. + * Once the object is closed it cannot be used again. +@@ -85,9 +140,11 @@ public class UsbDeviceConnection { + * to retrieve a new instance to reestablish communication with the device. 
+ */ + public void close() { +- if (mNativeContext != 0) { +- native_close(); +- mCloseGuard.close(); ++ synchronized (mLock) { ++ if (isOpen()) { ++ native_close(); ++ mCloseGuard.close(); ++ } + } + } + +diff --git a/core/java/android/hardware/usb/UsbRequest.java b/core/java/android/hardware/usb/UsbRequest.java +index f59c87eecfcb..441d718b6067 100644 +--- a/core/java/android/hardware/usb/UsbRequest.java ++++ b/core/java/android/hardware/usb/UsbRequest.java +@@ -108,11 +108,13 @@ public class UsbRequest { + * Releases all resources related to this request. + */ + public void close() { +- if (mNativeContext != 0) { +- mEndpoint = null; +- mConnection = null; +- native_close(); +- mCloseGuard.close(); ++ synchronized (mLock) { ++ if (mNativeContext != 0) { ++ mEndpoint = null; ++ mConnection = null; ++ native_close(); ++ mCloseGuard.close(); ++ } + } + } + +@@ -186,10 +188,32 @@ public class UsbRequest { + */ + @Deprecated + public boolean queue(ByteBuffer buffer, int length) { ++ UsbDeviceConnection connection = mConnection; ++ if (connection == null) { ++ // The expected exception by CTS Verifier - USB Device test ++ throw new NullPointerException("invalid connection"); ++ } ++ ++ // Calling into the underlying UsbDeviceConnection to synchronize on its lock, to prevent ++ // the connection being closed while queueing. ++ return connection.queueRequest(this, buffer, length); ++ } ++ ++ /** ++ * This is meant to be called from UsbDeviceConnection after synchronizing using the lock over ++ * there, to prevent the connection being closed while queueing. 
++ */ ++ /* package */ boolean queueIfConnectionOpen(ByteBuffer buffer, int length) { ++ UsbDeviceConnection connection = mConnection; ++ if (connection == null || !connection.isOpen()) { ++ // The expected exception by CTS Verifier - USB Device test ++ throw new NullPointerException("invalid connection"); ++ } ++ + boolean out = (mEndpoint.getDirection() == UsbConstants.USB_DIR_OUT); + boolean result; + +- if (mConnection.getContext().getApplicationInfo().targetSdkVersion < Build.VERSION_CODES.P ++ if (connection.getContext().getApplicationInfo().targetSdkVersion < Build.VERSION_CODES.P + && length > MAX_USBFS_BUFFER_SIZE) { + length = MAX_USBFS_BUFFER_SIZE; + } +@@ -238,6 +262,28 @@ public class UsbRequest { + * @return true if the queueing operation succeeded + */ + public boolean queue(@Nullable ByteBuffer buffer) { ++ UsbDeviceConnection connection = mConnection; ++ if (connection == null) { ++ // The expected exception by CTS Verifier - USB Device test ++ throw new IllegalStateException("invalid connection"); ++ } ++ ++ // Calling into the underlying UsbDeviceConnection to synchronize on its lock, to prevent ++ // the connection being closed while queueing. ++ return connection.queueRequest(this, buffer); ++ } ++ ++ /** ++ * This is meant to be called from UsbDeviceConnection after synchronizing using the lock over ++ * there, to prevent the connection being closed while queueing. 
++ */ ++ /* package */ boolean queueIfConnectionOpen(@Nullable ByteBuffer buffer) { ++ UsbDeviceConnection connection = mConnection; ++ if (connection == null || !connection.isOpen()) { ++ // The expected exception by CTS Verifier - USB Device test ++ throw new IllegalStateException("invalid connection"); ++ } ++ + // Request need to be initialized + Preconditions.checkState(mNativeContext != 0, "request is not initialized"); + +@@ -255,7 +301,7 @@ public class UsbRequest { + mIsUsingNewQueue = true; + wasQueued = native_queue(null, 0, 0); + } else { +- if (mConnection.getContext().getApplicationInfo().targetSdkVersion ++ if (connection.getContext().getApplicationInfo().targetSdkVersion + < Build.VERSION_CODES.P) { + // Can only send/receive MAX_USBFS_BUFFER_SIZE bytes at once + Preconditions.checkArgumentInRange(buffer.remaining(), 0, MAX_USBFS_BUFFER_SIZE, +@@ -358,6 +404,32 @@ public class UsbRequest { + * @return true if cancelling succeeded + */ + public boolean cancel() { ++ UsbDeviceConnection connection = mConnection; ++ if (connection == null) { ++ return false; ++ } ++ ++ return connection.cancelRequest(this); ++ } ++ ++ /** ++ * Cancels a pending queue operation (for use when the UsbDeviceConnection associated ++ * with this request is synchronized). This ensures we don't have a race where the ++ * device is closed and then the request is canceled which would lead to a ++ * use-after-free because the cancel operation uses the device connection ++ * information freed in the when UsbDeviceConnection is closed.
++ * ++ * This method assumes the connected is not closed while this method is executed. ++ * ++ * @return true if cancelling succeeded. ++ */ ++ /* package */ boolean cancelIfOpen() { ++ UsbDeviceConnection connection = mConnection; ++ if (mNativeContext == 0 || (connection != null && !connection.isOpen())) { ++ Log.w(TAG, ++ "Detected attempt to cancel a request on a connection which isn't open"); ++ return false; ++ } + return native_cancel(); + } + diff --git a/Patches/LineageOS-16.0/android_frameworks_base/349330.patch b/Patches/LineageOS-16.0/android_frameworks_base/349330.patch new file mode 100644 index 00000000..50df06c4 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/349330.patch 
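Review bot: `cancelIfOpen()` and both `queueIfConnectionOpen()` overloads in UsbRequest.java run under the connection's `mLock` only, while `UsbRequest.close()` in the same patch synchronizes on an `mLock` inside UsbRequest (not declared in the hunk, presumably the request's own field), so the two paths do not exclude each other. A `close()` on the request racing with `cancel()` can pass the unsynchronized `mNativeContext == 0` test and still reach `native_cancel()` after `native_close()`, and `queueIfConnectionOpen(ByteBuffer, int)` dereferences `mEndpoint`, which `close()` sets to null. If `native_close()` frees request state (the native side is not visible here), taking the request lock around the check and the call, `synchronized (mLock) { if (mNativeContext == 0 || …) return false; return native_cancel(); }`, would close that window, provided no other path acquires the two locks in the opposite order. The `queueRequest` javadoc is duplicated verbatim on both overloads, and the `isOpen()` comment opens with `/***`.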
@@ -0,0 +1,57 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jackal Guo +Date: Tue, 25 Oct 2022 15:03:55 +0800 +Subject: [PATCH] Correct the behavior of ACTION_PACKAGE_DATA_CLEARED + +This action should be only broadcasted when the user data is cleared +successfully. Broadcasting this action when failed case may result in +unexpected result. + +Bug: 240267890 +Test: manually using the PoC in the buganizer to ensure the symptom + no longer exists. +Change-Id: I0bb612627c81a2f2d7e3dbf53ea891ee49cf734b +(cherry picked from commit 8b2e092146c7ab5c2952818dab6dcb6af9c417ce) +Merged-In: I0bb612627c81a2f2d7e3dbf53ea891ee49cf734b +--- + .../server/am/ActivityManagerService.java | 26 ++++++++++--------- + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java +index 8f1692a24d27..dd41196e62a4 100644 +--- a/services/core/java/com/android/server/am/ActivityManagerService.java ++++ b/services/core/java/com/android/server/am/ActivityManagerService.java +@@ -6718,19 +6718,21 @@ public class ActivityManagerService extends IActivityManager.Stub + finishForceStopPackageLocked(packageName, appInfo.uid); + } + } +- final Intent intent = new Intent(Intent.ACTION_PACKAGE_DATA_CLEARED, +- Uri.fromParts("package", packageName, null)); +- intent.addFlags(Intent.FLAG_RECEIVER_INCLUDE_BACKGROUND); +- intent.putExtra(Intent.EXTRA_UID, (appInfo != null) ? 
appInfo.uid : -1); +- intent.putExtra(Intent.EXTRA_USER_HANDLE, resolvedUserId); +- if (isInstantApp) { +- intent.putExtra(Intent.EXTRA_PACKAGE_NAME, packageName); +- broadcastIntentInPackage("android", SYSTEM_UID, intent, null, null, 0, +- null, null, permission.ACCESS_INSTANT_APPS, null, false, false, ++ if (succeeded) { ++ final Intent intent = new Intent(Intent.ACTION_PACKAGE_DATA_CLEARED, ++ Uri.fromParts("package", packageName, null /* fragment */)); ++ intent.addFlags(Intent.FLAG_RECEIVER_INCLUDE_BACKGROUND); ++ intent.putExtra(Intent.EXTRA_UID, (appInfo != null) ? appInfo.uid : -1); ++ intent.putExtra(Intent.EXTRA_USER_HANDLE, resolvedUserId); ++ if (isInstantApp) { ++ intent.putExtra(Intent.EXTRA_PACKAGE_NAME, packageName); ++ } ++ broadcastIntentInPackage("android", SYSTEM_UID, ++ intent, null /* resolvedType */, null /* resultTo */, ++ 0 /* resultCode */, null /* resultData */, null /* resultExtras */, ++ isInstantApp ? permission.ACCESS_INSTANT_APPS : null, ++ null /* bOptions */, false /* serialized */, false /* sticky */, + resolvedUserId); +- } else { +- broadcastIntentInPackage("android", SYSTEM_UID, intent, null, null, 0, +- null, null, null, null, false, false, resolvedUserId); + } + + if (observer != null) { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/349331.patch b/Patches/LineageOS-16.0/android_frameworks_base/349331.patch new file mode 100644 index 00000000..5bbdfcaf --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/349331.patch 
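Review bot: The new `if (succeeded)` guard in ActivityManagerService.java has no comment saying why the broadcast is withheld on failure, and the commit lists only a manual test. A line such as `// Send ACTION_PACKAGE_DATA_CLEARED only after a successful clear; receivers must not be told the data is gone when it is not.` would keep a later cleanup from hoisting the broadcast back out of the guard. `succeeded` is assigned outside the hunk, so it is worth confirming it stays false on every failure path, and a regression test asserting that no broadcast is delivered when the clear fails would pin the behaviour. The enclosing method starts and ends outside the hunk.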
@@ -0,0 +1,27 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Dmitry Dementyev +Date: Tue, 22 Nov 2022 22:54:01 +0000 +Subject: [PATCH] Convert argument to intent in ChooseTypeAndAccountActivity + +Bug: 244154558 +Test: manual +Change-Id: I5a86639cd571e14e9a9f5d5ded631b5a7c08db7e +(cherry picked from commit ede0a767c26f144e38b4a0c1c2f530b05ffd29a8) +Merged-In: I5a86639cd571e14e9a9f5d5ded631b5a7c08db7e +--- + core/java/android/accounts/ChooseTypeAndAccountActivity.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/java/android/accounts/ChooseTypeAndAccountActivity.java b/core/java/android/accounts/ChooseTypeAndAccountActivity.java +index 887ba18822f8..96f23a314e7b 100644 +--- a/core/java/android/accounts/ChooseTypeAndAccountActivity.java ++++ b/core/java/android/accounts/ChooseTypeAndAccountActivity.java +@@ -407,7 +407,7 @@ public class ChooseTypeAndAccountActivity extends Activity + mExistingAccounts = AccountManager.get(this).getAccountsForPackage(mCallingPackage, + mCallingUid); + intent.setFlags(intent.getFlags() & ~Intent.FLAG_ACTIVITY_NEW_TASK); +- startActivityForResult(intent, REQUEST_ADD_ACCOUNT); ++ startActivityForResult(new Intent(intent), REQUEST_ADD_ACCOUNT); + return; + } + } catch (OperationCanceledException e) { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/351910.patch b/Patches/LineageOS-16.0/android_frameworks_base/351910.patch new file mode 100644 index 00000000..129a684b --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/351910.patch 
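Review bot: In ChooseTypeAndAccountActivity.java the `FLAG_ACTIVITY_NEW_TASK` bit is still cleared with `intent.setFlags(intent.getFlags() & ~Intent.FLAG_ACTIVITY_NEW_TASK)` on the original object, and the copy `new Intent(intent)` is made only afterwards. If `intent` can be an `Intent` subclass (its origin is outside the hunk), those two calls still go through the subclass's methods, so the copy is better made first and then mutated: `final Intent launch = new Intent(intent);` `launch.setFlags(launch.getFlags() & ~Intent.FLAG_ACTIVITY_NEW_TASK);` `startActivityForResult(launch, REQUEST_ADD_ACCOUNT);`. A one-line comment stating that the copy exists to reduce the argument to a plain `Intent` would also stop a later change from removing it as redundant. The enclosing method starts and ends outside the hunk.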
@@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Julia Reynolds +Date: Mon, 16 May 2022 15:28:24 -0400 +Subject: [PATCH] Move service initialization + +Occasionally ILockSettings can fail to be initialized otherwise +Fixes: 232714129 +Test: boot (and eventually bootstress/reboot-long) + +Change-Id: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002 +Merged-In: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002 +(cherry picked from commit 8e278543bd290d4b6c417758554d6dee93a4fe74) +(cherry picked from commit caa5a22ea0c401c4eef548fb8161820beda3ff13) +Merged-In: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002 +--- + .../server/notification/NotificationManagerService.java | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java +index a53f2aec436c..bcb657b5a8e2 100755 +--- a/services/core/java/com/android/server/notification/NotificationManagerService.java ++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java +@@ -1319,7 +1319,6 @@ public class NotificationManagerService extends SystemService { + } + } + +- private LockPatternUtils mLockPatternUtils; + private StrongAuthTracker mStrongAuthTracker; + + public NotificationManagerService(Context context) { +@@ -1490,7 +1489,6 @@ public class NotificationManagerService extends SystemService { + + mHandler = new WorkerHandler(looper); + mRankingThread.start(); +- mLockPatternUtils = new LockPatternUtils(getContext()); + mStrongAuthTracker = new StrongAuthTracker(getContext()); + String[] extractorNames; + try { +@@ -1737,7 +1735,7 @@ public class NotificationManagerService extends SystemService { + mWindowManagerInternal = LocalServices.getService(WindowManagerInternal.class); + mKeyguardManager = getContext().getSystemService(KeyguardManager.class); + mZenModeHelper.onSystemReady(); 
+- mLockPatternUtils.registerStrongAuthTracker(mStrongAuthTracker); ++ new LockPatternUtils(getContext()).registerStrongAuthTracker(mStrongAuthTracker); + } else if (phase == SystemService.PHASE_THIRD_PARTY_APPS_CAN_START) { + // This observer will force an update when observe is called, causing us to + // bind to listener services. diff --git a/Patches/LineageOS-16.0/android_frameworks_base/351911.patch b/Patches/LineageOS-16.0/android_frameworks_base/351911.patch new file mode 100644 index 00000000..fa789c1d --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/351911.patch 
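Review bot: The inline `new LockPatternUtils(getContext()).registerStrongAuthTracker(mStrongAuthTracker)` in NotificationManagerService.java has no comment explaining why construction moved out of init, so the removed `mLockPatternUtils` field is likely to be reintroduced. Something like `// Create LockPatternUtils in this boot phase, not in init(): ILockSettings may not be initialized earlier.` records the reason the commit message gives. Since the temporary is discarded immediately, it is also worth confirming that `registerStrongAuthTracker` does not rely on the `LockPatternUtils` instance staying reachable, because a registration that fails silently would leave the tracker without strong-auth updates. The enclosing method starts and ends outside the hunk.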
@@ -0,0 +1,212 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Wenhao Wang +Date: Tue, 30 Aug 2022 11:09:46 -0700 +Subject: [PATCH] Enable user graularity for lockdown mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The NotificationManagerService registers a LockPatternUtils.StrongAuthTracker +to observe the StrongAuth changes of every user. +More specifically, it’s the STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN flag. +Via this flag, NotificationManagerService can perform the following operations +when the user enter or exit lockdown mode: + +Enter lockdown: +1. Remove all the notifications belonging to the user. +2. Set the local flag to indicate the lockdown is on for the user. + The local flag will suppress the user's notifications on the + post, remove and update functions. + +Exit lockdown: +1. Clear the local flag to indicate the lockdown is off for the user. +2. Repost the user’s notifications (suppressed during lockdown mode). + +The CL also updates corresponding tests. + +Bug: 173721373 +Bug: 250743174 +Test: atest NotificationManagerServiceTest +Test: atest NotificationListenersTest +Ignore-AOSP-First: pending fix for a security issue. 
+ +Change-Id: I4f30e56550729db7d673a92d2a1250509713f36d +Merged-In: I4f30e56550729db7d673a92d2a1250509713f36d +(cherry picked from commit de3b12fca23178d8c821058261572449b67d5967) +(cherry picked from commit 5e40f39f5bd4ae769d79ce022a64f1345512b65d) +Merged-In: I4f30e56550729db7d673a92d2a1250509713f36d +--- + .../NotificationManagerService.java | 75 ++++++++++++------- + 1 file changed, 46 insertions(+), 29 deletions(-) + +diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java +index bcb657b5a8e2..0ac51524a648 100755 +--- a/services/core/java/com/android/server/notification/NotificationManagerService.java ++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java +@@ -1287,34 +1287,39 @@ public class NotificationManagerService extends SystemService { + return (haystack & needle) != 0; + } + +- public boolean isInLockDownMode() { +- return mIsInLockDownMode; ++ // Return whether the user is in lockdown mode. ++ // If the flag is not set, we assume the user is not in lockdown. ++ public boolean isInLockDownMode(int userId) { ++ return mUserInLockDownMode.get(userId, false); + } + + @Override + public synchronized void onStrongAuthRequiredChanged(int userId) { + boolean userInLockDownModeNext = containsFlag(getStrongAuthForUser(userId), + STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN); +- mUserInLockDownMode.put(userId, userInLockDownModeNext); +- boolean isInLockDownModeNext = mUserInLockDownMode.indexOfValue(true) != -1; + +- if (mIsInLockDownMode == isInLockDownModeNext) { ++ // Nothing happens if the lockdown mode of userId keeps the same. ++ if (userInLockDownModeNext == isInLockDownMode(userId)) { + return; + } + +- if (isInLockDownModeNext) { +- cancelNotificationsWhenEnterLockDownMode(); ++ // When the lockdown mode is changed, we perform the following steps. 
++ // If the userInLockDownModeNext is true, all the function calls to ++ // notifyPostedLocked and notifyRemovedLocked will not be executed. ++ // The cancelNotificationsWhenEnterLockDownMode calls notifyRemovedLocked ++ // and postNotificationsWhenExitLockDownMode calls notifyPostedLocked. ++ // So we shall call cancelNotificationsWhenEnterLockDownMode before ++ // we set mUserInLockDownMode as true. ++ // On the other hand, if the userInLockDownModeNext is false, we shall call ++ // postNotificationsWhenExitLockDownMode after we put false into mUserInLockDownMode ++ if (userInLockDownModeNext) { ++ cancelNotificationsWhenEnterLockDownMode(userId); + } + +- // When the mIsInLockDownMode is true, both notifyPostedLocked and +- // notifyRemovedLocked will be dismissed. So we shall call +- // cancelNotificationsWhenEnterLockDownMode before we set mIsInLockDownMode +- // as true and call postNotificationsWhenExitLockDownMode after we set +- // mIsInLockDownMode as false. +- mIsInLockDownMode = isInLockDownModeNext; ++ mUserInLockDownMode.put(userId, userInLockDownModeNext); + +- if (!isInLockDownModeNext) { +- postNotificationsWhenExitLockDownMode(); ++ if (!userInLockDownModeNext) { ++ postNotificationsWhenExitLockDownMode(userId); + } + } + } +@@ -6417,11 +6422,14 @@ public class NotificationManagerService extends SystemService { + } + } + +- private void cancelNotificationsWhenEnterLockDownMode() { ++ private void cancelNotificationsWhenEnterLockDownMode(int userId) { + synchronized (mNotificationLock) { + int numNotifications = mNotificationList.size(); + for (int i = 0; i < numNotifications; i++) { + NotificationRecord rec = mNotificationList.get(i); ++ if (rec.getUser().getIdentifier() != userId) { ++ continue; ++ } + mListeners.notifyRemovedLocked(rec, REASON_CANCEL_ALL, + rec.getStats()); + } +@@ -6429,14 +6437,23 @@ public class NotificationManagerService extends SystemService { + } + } + +- private void postNotificationsWhenExitLockDownMode() { ++ private 
void postNotificationsWhenExitLockDownMode(int userId) { + synchronized (mNotificationLock) { + int numNotifications = mNotificationList.size(); ++ // Set the delay to spread out the burst of notifications. ++ long delay = 0; + for (int i = 0; i < numNotifications; i++) { + NotificationRecord rec = mNotificationList.get(i); +- mListeners.notifyPostedLocked(rec, rec); ++ if (rec.getUser().getIdentifier() != userId) { ++ continue; ++ } ++ mHandler.postDelayed(() -> { ++ synchronized (mNotificationLock) { ++ mListeners.notifyPostedLocked(rec, rec); ++ } ++ }, delay); ++ delay += 20; + } +- + } + } + +@@ -6545,7 +6562,7 @@ public class NotificationManagerService extends SystemService { + * notifications visible to the given listener. + */ + @GuardedBy("mNotificationLock") +- private NotificationRankingUpdate makeRankingUpdateLocked(ManagedServiceInfo info) { ++ NotificationRankingUpdate makeRankingUpdateLocked(ManagedServiceInfo info) { + final int N = mNotificationList.size(); + ArrayList keys = new ArrayList(N); + ArrayList interceptedKeys = new ArrayList(N); +@@ -6562,6 +6579,9 @@ public class NotificationManagerService extends SystemService { + Bundle hidden = new Bundle(); + for (int i = 0; i < N; i++) { + NotificationRecord record = mNotificationList.get(i); ++ if (isInLockDownMode(record.getUser().getIdentifier())) { ++ continue; ++ } + if (!isVisibleToListener(record.sbn, info)) { + continue; + } +@@ -6600,8 +6620,8 @@ public class NotificationManagerService extends SystemService { + channels, overridePeople, snoozeCriteria, showBadge, userSentiment, hidden); + } + +- boolean isInLockDownMode() { +- return mStrongAuthTracker.isInLockDownMode(); ++ boolean isInLockDownMode(int userId) { ++ return mStrongAuthTracker.isInLockDownMode(userId); + } + + boolean hasCompanionDevice(ManagedServiceInfo info) { +@@ -6636,7 +6656,8 @@ public class NotificationManagerService extends SystemService { + ServiceManager.getService(Context.COMPANION_DEVICE_SERVICE)); + } + +- 
private boolean isVisibleToListener(StatusBarNotification sbn, ManagedServiceInfo listener) { ++ @VisibleForTesting ++ boolean isVisibleToListener(StatusBarNotification sbn, ManagedServiceInfo listener) { + if (!listener.enabledAndUserMatches(sbn.getUserId())) { + return false; + } +@@ -6926,7 +6947,7 @@ public class NotificationManagerService extends SystemService { + @GuardedBy("mNotificationLock") + void notifyPostedLocked(NotificationRecord r, NotificationRecord old, + boolean notifyAllListeners) { +- if (isInLockDownMode()) { ++ if (isInLockDownMode(r.getUser().getIdentifier())) { + return; + } + +@@ -6992,7 +7013,7 @@ public class NotificationManagerService extends SystemService { + @GuardedBy("mNotificationLock") + public void notifyRemovedLocked(NotificationRecord r, int reason, + NotificationStats notificationStats) { +- if (isInLockDownMode()) { ++ if (isInLockDownMode(r.getUser().getIdentifier())) { + return; + } + +@@ -7047,10 +7068,6 @@ public class NotificationManagerService extends SystemService { + */ + @GuardedBy("mNotificationLock") + public void notifyRankingUpdateLocked(List changedHiddenNotifications) { +- if (isInLockDownMode()) { +- return; +- } +- + boolean isHiddenRankingUpdate = changedHiddenNotifications != null + && changedHiddenNotifications.size() > 0; + diff --git a/Patches/LineageOS-16.0/android_frameworks_base/351912.patch b/Patches/LineageOS-16.0/android_frameworks_base/351912.patch new file mode 100644 index 00000000..ad422a4f --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/351912.patch 
@@ -0,0 +1,55 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nate Myren +Date: Fri, 2 Dec 2022 09:44:31 -0800 +Subject: [PATCH] RESTRICT AUTOMERGE Revoke dev perm if app is upgrading to + post 23 and perm has pre23 flag + +If a permission has the "pre23" flag, and an app is upgrading past api +23, then we should not assume that a "development" permission remains +granted + +Fixes: 259458532 +Test: atest RevokeSawPermissionTest +Change-Id: I214396f455c5ed9e8bac2e50b1525b86475c81c7 +(cherry picked from commit 2f30a63b11e59f9daf42f51eb85aa91c86f4baf4) +Merged-In: I214396f455c5ed9e8bac2e50b1525b86475c81c7 +--- + .../pm/permission/PermissionManagerService.java | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +index bdfe64c2c348..b902001cd359 100644 +--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java ++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java +@@ -418,7 +418,7 @@ public class PermissionManagerService { + } + final PackageSetting ps = (PackageSetting) newPackage.mExtras; + if (grantSignaturePermission(Manifest.permission.SYSTEM_ALERT_WINDOW, newPackage, saw, +- ps.getPermissionsState())) { ++ ps.getPermissionsState(), true)) { + return; + } + for (int userId: mUserManagerInt.getUserIds()) { +@@ -1147,6 +1147,13 @@ public class PermissionManagerService { + + private boolean grantSignaturePermission(String perm, PackageParser.Package pkg, + BasePermission bp, PermissionsState origPermissions) { ++ return grantSignaturePermission(perm, pkg, bp, origPermissions, false); ++ } ++ ++ ++ private boolean grantSignaturePermission(String perm, PackageParser.Package pkg, ++ BasePermission bp, PermissionsState origPermissions, ++ boolean isApi23Upgrade) { + boolean 
oemPermission = bp.isOEM(); + boolean vendorPrivilegedPermission = bp.isVendorPrivileged(); + boolean privilegedPermission = bp.isPrivileged() || bp.isVendorPrivileged(); +@@ -1324,7 +1331,7 @@ public class PermissionManagerService { + // Any pre-installed system app is allowed to get this permission. + allowed = true; + } +- if (!allowed && bp.isDevelopment()) { ++ if (!allowed && bp.isDevelopment() && !(bp.isPre23() && isApi23Upgrade)) { + // For development permissions, a development permission + // is granted only if it was already granted. + allowed = origPermissions.hasInstallPermission(perm); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/351913.patch b/Patches/LineageOS-16.0/android_frameworks_base/351913.patch new file mode 100644 index 00000000..9f054b65 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/351913.patch 
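Review bot: The bare `true` passed at the SYSTEM_ALERT_WINDOW call site (inner hunk at -418) and the new `isApi23Upgrade` parameter carry the whole security decision, yet neither is documented. I would write the argument as `ps.getPermissionsState(), /* isApi23Upgrade= */ true)` and add a Javadoc line on the five-argument overload saying that, when the flag is set, a pre-23 development permission is no longer kept merely because it was previously granted. The condition that establishes the package is actually crossing API 23 sits above the lines shown, so confirm this call is reached only on that path. The two consecutive blank lines added between the overloads can be reduced to one.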
@@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Michael Wright +Date: Mon, 26 Sep 2022 20:37:33 +0100 +Subject: [PATCH] Reconcile WorkSource parcel and unparcel code. + +Prior to this CL, WorkSources would Parcel their list of WorkChains as +-1 if null, or the size of the list followed by the list itself if +non-null. When reading it back in, on the other hand, they would check +if the size was positive, and only then read the list from the Parcel. +This works for all cases except when the WorkSource has an empty but +non-null list of WorkChains as the list would get written to the parcel, +but then never read on the other side. + +If parceling a list was a no-op when empty this wouldn't be an issue, +but it must write at least its size into the parcel to know how many +elements to extract. In the empty list case, this single element is left +unread as the size is not positive which essentially corrupts any future +items read from that same parcelable. + +Bug: 220302519 +Test: atest android.security.cts.WorkSourceTest#testWorkChainParceling +Change-Id: I2fec40dfced420ca38e717059b0e95ee8ef9946a +(cherry picked from commit 266b3bddcf14d448c0972db64b42950f76c759e3) +Merged-In: I2fec40dfced420ca38e717059b0e95ee8ef9946a +--- + core/java/android/os/WorkSource.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/java/android/os/WorkSource.java b/core/java/android/os/WorkSource.java +index 327071906e18..c2f43edfc8af 100644 +--- a/core/java/android/os/WorkSource.java ++++ b/core/java/android/os/WorkSource.java +@@ -107,7 +107,7 @@ public class WorkSource implements Parcelable { + mNames = in.createStringArray(); + + int numChains = in.readInt(); +- if (numChains > 0) { ++ if (numChains >= 0) { + mChains = new ArrayList<>(numChains); + in.readParcelableList(mChains, WorkChain.class.getClassLoader()); + } else { 
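Review bot: Nothing at the changed `if (numChains >= 0)` line records that the read side has to mirror the write side, which is the whole reason for the fix. A comment above the condition such as `// -1 = null list; 0 = empty list, whose length word must still be consumed` would keep the two from drifting apart again. Separately, `numChains` comes straight from the parcel and is used as the `ArrayList` initial capacity, so a bound, or simply `new ArrayList<>()`, may be worth considering; that part predates this change. The enclosing method starts and ends outside the hunk.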
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/354242.patch b/Patches/LineageOS-16.0/android_frameworks_base/354242.patch new file mode 100644 index 00000000..b83a7cc5 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/354242.patch 
@@ -0,0 +1,97 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jing Ji +Date: Thu, 4 Aug 2022 11:36:26 -0700 +Subject: [PATCH] DO NOT MERGE: Context#startInstrumentation could be started + from SHELL only now. + +Or, if an instrumentation starts another instrumentation and so on, +and the original instrumentation is started from SHELL, allow all +Context#startInstrumentation calls in this chain. + +Otherwise, it'll throw a SecurityException. + +Bug: 237766679 +Test: atest CtsAppTestCases:InstrumentationTest +Merged-In: Ia08f225c21a3933067d066a578ea4af9c23e7d4c +Merged-In: I1b76f61c5fd6c9f7e738978592260945a606f40c +Merged-In: I3ea7aa27bd776fec546908a37f667f680da9c892 +Change-Id: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406 +(cherry picked from commit 8c90891a38ecb5047e115e13baf700a8b486a5d1) +Merged-In: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406 +--- + .../server/am/ActivityManagerService.java | 34 +++++++++++++++++++ + .../com/android/server/am/ProcessRecord.java | 4 +++ + 2 files changed, 38 insertions(+) + +diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java +index dd41196e62a4..f522b20f7ccd 100644 +--- a/services/core/java/com/android/server/am/ActivityManagerService.java ++++ b/services/core/java/com/android/server/am/ActivityManagerService.java +@@ -4907,6 +4907,26 @@ public class ActivityManagerService extends IActivityManager.Stub + return procState; + } + ++ @GuardedBy("this") ++ private boolean hasActiveInstrumentationLocked(int pid) { ++ if (pid == 0) { ++ return false; ++ } ++ synchronized (mPidsSelfLocked) { ++ ProcessRecord process = mPidsSelfLocked.get(pid); ++ return process != null && process.getActiveInstrumentation() != null; ++ } ++ } ++ private String getPackageNameByPid(int pid) { ++ synchronized (mPidsSelfLocked) { ++ final ProcessRecord app = mPidsSelfLocked.get(pid); ++ if (app != null && app.info != null) { ++ 
return app.info.packageName; ++ } ++ return null; ++ } ++ } ++ + private boolean isCallerShell() { + final int callingUid = Binder.getCallingUid(); + return callingUid == SHELL_UID || callingUid == ROOT_UID; +@@ -22264,6 +22284,8 @@ public class ActivityManagerService extends IActivityManager.Stub + IInstrumentationWatcher watcher, IUiAutomationConnection uiAutomationConnection, + int userId, String abiOverride) { + enforceNotIsolatedCaller("startInstrumentation"); ++ final int callingUid = Binder.getCallingUid(); ++ final int callingPid = Binder.getCallingPid(); + userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(), + userId, false, ALLOW_FULL_ONLY, "startInstrumentation", null); + // Refuse possible leaked file descriptors +@@ -22312,6 +22334,18 @@ public class ActivityManagerService extends IActivityManager.Stub + throw new SecurityException(msg); + } + ++ if (!Build.IS_DEBUGGABLE && callingUid != ROOT_UID && callingUid != SHELL_UID ++ && callingUid != SYSTEM_UID && !hasActiveInstrumentationLocked(callingPid)) { ++ // If it's not debug build and not called from root/shell/system uid, reject it. 
++ final String msg = "Permission Denial: instrumentation test " ++ + className + " from pid=" + callingPid + ", uid=" + callingUid ++ + ", pkgName=" + getPackageNameByPid(callingPid) ++ + " not allowed because it's not started from SHELL"; ++ Slog.wtfQuiet(TAG, msg); ++ reportStartInstrumentationFailureLocked(watcher, className, msg); ++ throw new SecurityException(msg); ++ } ++ + ActiveInstrumentation activeInstr = new ActiveInstrumentation(this); + activeInstr.mClass = className; + String defProcess = ai.processName;; +diff --git a/services/core/java/com/android/server/am/ProcessRecord.java b/services/core/java/com/android/server/am/ProcessRecord.java +index b15cf6a606cc..5e14e81acac6 100644 +--- a/services/core/java/com/android/server/am/ProcessRecord.java ++++ b/services/core/java/com/android/server/am/ProcessRecord.java +@@ -870,4 +870,8 @@ final class ProcessRecord { + boolean hasForegroundServices() { + return foregroundServices; + } ++ ++ ActiveInstrumentation getActiveInstrumentation() { ++ return instr; ++ } + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/354243.patch b/Patches/LineageOS-16.0/android_frameworks_base/354243.patch new file mode 100644 index 00000000..45ca7bb9 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/354243.patch 
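Review bot: The comment on the new guard in `startInstrumentation`, `// If it's not debug build and not called from root/shell/system uid, reject it.`, leaves out the fourth condition: a caller that itself has an active instrumentation is also let through. I would extend it to `// Non-debuggable builds: reject unless the caller is root/shell/system or is itself running under an active instrumentation.` so that the exemption for `Build.IS_DEBUGGABLE` builds and for chained instrumentations is explicit. `hasActiveInstrumentationLocked` is marked `@GuardedBy("this")` and the lock is not visible in the lines shown, so confirm the check runs inside `synchronized (this)`. The new `callingUid`/`callingPid` locals could also replace the two `Binder.getCalling*()` calls in the `handleIncomingUser` line directly below them, and a blank line is missing between the two new helper methods.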
@@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kunal Malhotra +Date: Mon, 7 Nov 2022 23:33:55 +0000 +Subject: [PATCH] Checking if package belongs to UID before registering + broadcast receiver + +Test: manual testing done on device by installing test APK and checking if receiver can register +Bug: 242040055 +Change-Id: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d +Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d +(cherry picked from commit 790a8d0dd329460bc60456681cb446accf2a27e0) +(cherry picked from commit 4f0dc37b896e06086391e71ce471e413215e1130) +Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d +--- + services/core/java/com/android/server/am/ActiveServices.java | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/services/core/java/com/android/server/am/ActiveServices.java b/services/core/java/com/android/server/am/ActiveServices.java +index 8b4013405b22..05be900e5403 100644 +--- a/services/core/java/com/android/server/am/ActiveServices.java ++++ b/services/core/java/com/android/server/am/ActiveServices.java +@@ -1971,6 +1971,11 @@ public final class ActiveServices { + throw new SecurityException("BIND_EXTERNAL_SERVICE failed, " + name + + " is not an isolatedProcess"); + } ++ if (AppGlobals.getPackageManager().getPackageUid(callingPackage, ++ 0, userId) != callingUid) { ++ throw new SecurityException("BIND_EXTERNAL_SERVICE failed, " ++ + "calling package not owned by calling UID "); ++ } + // Run the service under the calling package's application. + ApplicationInfo aInfo = AppGlobals.getPackageManager().getApplicationInfo( + callingPackage, ActivityManagerService.STOCK_PM_FLAGS, userId); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/354244.patch b/Patches/LineageOS-16.0/android_frameworks_base/354244.patch new file mode 100644 index 00000000..daac97c9 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/354244.patch 
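Review bot: The new `SecurityException` message, `"calling package not owned by calling UID "`, ends in a stray space and names neither the package nor the UID, which makes a denial hard to attribute from logs. Something like `+ "calling package " + callingPackage + " not owned by calling UID " + callingUid);` would give the same level of detail as the neighbouring message, which includes `name`. The check compares `getPackageUid(callingPackage, 0, userId)` with `callingUid`; whether `userId` is always the caller's own user is not visible in the hunk, so confirm a legitimate bind on behalf of another user is not rejected. The patch subject speaks of registering a broadcast receiver while the code guards the BIND_EXTERNAL_SERVICE path; the enclosing method starts outside the hunk.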
@@ -0,0 +1,71 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hao Ke +Date: Mon, 12 Dec 2022 15:49:16 +0000 +Subject: [PATCH] Fix checkKeyIntentParceledCorrectly's bypass + +The checkKeyIntentParceledCorrectly method was added in checkKeyIntent, which was originaly only invoked when AccountManagerService deserializes the KEY_INTENT value as not NULL. However, due to the self-changing bundle technique in Parcel mismatch problems, the Intent value can change after reparceling; hence would bypass the added checkKeyIntentParceledCorrectly call. + +This CL did the following: + +- Ensure the checkKeyIntent method is also called when result.getParcelable(AccountManager.KEY_INTENT) == null. + +Bug: 260567867 +Bug: 262230405 +Test: local test, see b/262230405 +Test: atest CtsAccountManagerTestCases +Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477 +Change-Id: I7b528f52c41767ae12731838fdd36aa26a8f3477 +(cherry picked from commit 9f623983a8d4ec48d58b0eda56fa461fc6748981) +Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477 +--- + .../server/accounts/AccountManagerService.java | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index c1f401e9a11f..d2f5d59e7030 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -3408,8 +3408,7 @@ public class AccountManagerService + Bundle.setDefusable(result, true); + mNumResults++; + Intent intent = null; +- if (result != null +- && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { ++ if (result != null) { + if (!checkKeyIntent( + Binder.getCallingUid(), + result)) { +@@ -4777,8 +4776,10 @@ public class AccountManagerService + EventLog.writeEvent(0x534e4554, "250588548", authUid, 
""); + return false; + } +- + Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); ++ if (intent == null) { ++ return true; ++ } + // Explicitly set an empty ClipData to ensure that we don't offer to + // promote any Uris contained inside for granting purposes + if (intent.getClipData() == null) { +@@ -4831,7 +4832,10 @@ public class AccountManagerService + p.recycle(); + Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); + Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT); +- return (intent.filterEquals(simulateIntent)); ++ if (intent == null) { ++ return (simulateIntent == null); ++ } ++ return intent.filterEquals(simulateIntent); + } + + private boolean isExportedSystemActivity(ActivityInfo activityInfo) { +@@ -4976,8 +4980,7 @@ public class AccountManagerService + } + } + } +- if (result != null +- && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { ++ if (result != null) { + if (!checkKeyIntent( + Binder.getCallingUid(), + result)) { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/354245.patch b/Patches/LineageOS-16.0/android_frameworks_base/354245.patch new file mode 100644 index 00000000..14d774ff --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/354245.patch 
@@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Winson Chiu +Date: Fri, 6 Jan 2023 21:26:24 +0000 +Subject: [PATCH] Encode Intent scheme when serializing to URI string RESTRICT + AUTOMERGE + +Avoids deserialization error when the scheme contains a +reserved character. + +Bug: 261858325 + +Test: atest android.content.cts.IntentTest#testEncoding + +Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470 +Change-Id: Ic34b3f796b762763db5aa7b5d7c109ae70607470 +(cherry picked from commit 43437b4ee6424933d4e403f0375ef8c1f07986f4) +Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470 +--- + core/java/android/content/Intent.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java +index e4502ffdd61f..66c2658f9f13 100644 +--- a/core/java/android/content/Intent.java ++++ b/core/java/android/content/Intent.java +@@ -9860,7 +9860,7 @@ public class Intent implements Parcelable, Cloneable { + private void toUriInner(StringBuilder uri, String scheme, String defAction, + String defPackage, int flags) { + if (scheme != null) { +- uri.append("scheme=").append(scheme).append(';'); ++ uri.append("scheme=").append(Uri.encode(scheme)).append(';'); + } + if (mAction != null && !mAction.equals(defAction)) { + uri.append("action=").append(Uri.encode(mAction)).append(';'); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/356154.patch b/Patches/LineageOS-16.0/android_frameworks_base/356154.patch new file mode 100644 index 00000000..11b9d3c1 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/356154.patch 
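Review bot: The reason for `Uri.encode(scheme)` in `toUriInner` is not recorded next to the code. A one-line comment above the append, e.g. `// Encode: a reserved character in the scheme would otherwise break the ';'-separated fields when the string is parsed back.`, would explain why the scheme is now treated like the action on the following lines. The parsing side is outside this hunk, so confirm it decodes the `scheme=` value; otherwise a scheme containing an encoded character would not round-trip. The method body continues past the hunk.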
@@ -0,0 +1,81 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Norman +Date: Thu, 9 Feb 2023 12:28:26 -0800 +Subject: [PATCH] Checks if AccessibilityServiceInfo is within parcelable size. + +- If too large when parsing service XMLs then skip this service. +- If too large when a service attempts to update its own info + then throw an error. + +Bug: 261589597 +Test: atest AccessibilityServiceInfoTest +Change-Id: Iffc0cd48cc713f7904d68059e141cb7de5a4b906 +Merged-In: Iffc0cd48cc713f7904d68059e141cb7de5a4b906 +(cherry picked from commit on googleplex-android-review.googlesource.com host: 553232c29079fbeab28f95307d025c1426aa7142) +Merged-In: Iffc0cd48cc713f7904d68059e141cb7de5a4b906 +--- + .../accessibilityservice/AccessibilityService.java | 4 ++++ + .../accessibilityservice/AccessibilityServiceInfo.java | 10 ++++++++++ + .../accessibility/AccessibilityManagerService.java | 6 ++++++ + 3 files changed, 20 insertions(+) + +diff --git a/core/java/android/accessibilityservice/AccessibilityService.java b/core/java/android/accessibilityservice/AccessibilityService.java +index 6933e5201a21..ef59803e3ede 100644 +--- a/core/java/android/accessibilityservice/AccessibilityService.java ++++ b/core/java/android/accessibilityservice/AccessibilityService.java +@@ -1488,6 +1488,10 @@ public abstract class AccessibilityService extends Service { + IAccessibilityServiceConnection connection = + AccessibilityInteractionClient.getInstance().getConnection(mConnectionId); + if (mInfo != null && connection != null) { ++ if (!mInfo.isWithinParcelableSize()) { ++ throw new IllegalStateException( ++ "Cannot update service info: size is larger than safe parcelable limits."); ++ } + try { + connection.setServiceInfo(mInfo); + mInfo = null; +diff --git a/core/java/android/accessibilityservice/AccessibilityServiceInfo.java b/core/java/android/accessibilityservice/AccessibilityServiceInfo.java +index f85f35889aae..76930d75c5de 100644 +--- 
a/core/java/android/accessibilityservice/AccessibilityServiceInfo.java ++++ b/core/java/android/accessibilityservice/AccessibilityServiceInfo.java +@@ -29,6 +29,7 @@ import android.content.res.Resources; + import android.content.res.TypedArray; + import android.content.res.XmlResourceParser; + import android.hardware.fingerprint.FingerprintManager; ++import android.os.IBinder; + import android.os.Parcel; + import android.os.Parcelable; + import android.util.AttributeSet; +@@ -766,6 +767,15 @@ public class AccessibilityServiceInfo implements Parcelable { + return 0; + } + ++ /** @hide */ ++ public final boolean isWithinParcelableSize() { ++ final Parcel parcel = Parcel.obtain(); ++ writeToParcel(parcel, 0); ++ final boolean result = parcel.dataSize() <= IBinder.MAX_IPC_SIZE; ++ parcel.recycle(); ++ return result; ++ } ++ + public void writeToParcel(Parcel parcel, int flagz) { + parcel.writeInt(eventTypes); + parcel.writeStringArray(packageNames); +diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java +index 91d1b7576ca7..fd87be3e5649 100644 +--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java ++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java +@@ -1302,6 +1302,12 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub + AccessibilityServiceInfo accessibilityServiceInfo; + try { + accessibilityServiceInfo = new AccessibilityServiceInfo(resolveInfo, mContext); ++ if (!accessibilityServiceInfo.isWithinParcelableSize()) { ++ Slog.e(LOG_TAG, "Skipping service " ++ + accessibilityServiceInfo.getResolveInfo().getComponentInfo() ++ + " because service info size is larger than safe parcelable limits."); ++ continue; ++ } + mTempAccessibilityServiceInfoList.add(accessibilityServiceInfo); + } catch 
(XmlPullParserException | IOException xppe) { + Slog.e(LOG_TAG, "Error while initializing AccessibilityServiceInfo", xppe); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/356155.patch b/Patches/LineageOS-16.0/android_frameworks_base/356155.patch new file mode 100644 index 00000000..bff79087 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/356155.patch 
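Review bot: `isWithinParcelableSize()` in AccessibilityServiceInfo recycles the `Parcel` only on the normal path; if `writeToParcel` throws, the obtained parcel is never returned to the pool. Wrapping the measurement in `try`/`finally` fixes that without changing the result, as in the sketch below. In `AccessibilityService`, the new `IllegalStateException` is thrown before `mInfo = null`, so the oversized info stays pending and a later call would throw again; whether callers expect that is not visible in the hunk.

```java
public final boolean isWithinParcelableSize() {
    final Parcel parcel = Parcel.obtain();
    try {
        writeToParcel(parcel, 0);
        return parcel.dataSize() <= IBinder.MAX_IPC_SIZE;
    } finally {
        // Return the parcel to the pool even if serialization fails.
        parcel.recycle();
    }
}
```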
@@ -0,0 +1,62 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Orion Hodson +Date: Thu, 7 Apr 2022 21:42:04 +0100 +Subject: [PATCH] Uri: check authority and scheme as part of determining URI + path + +The interpretation of the path depends on whether the scheme or +authority are specified and should be observed when unparcelling +URIs. + +Bug: 171966843 +Test: atest FrameworksCoreTests:android.net.UriTest +Test: atest com.android.devicehealthchecks.SystemAppCheck +Change-Id: I06981d1c6e387b16df792494523994518848db37 +Merged-In: I06981d1c6e387b16df792494523994518848db37 +(cherry picked from commit f37a94ae920fa5879c557603fc285942ec4b84b1) +(cherry picked from commit on googleplex-android-review.googlesource.com host: c87f0623be4042c39a9b73f7a6e02aa116925e50) +Merged-In: I06981d1c6e387b16df792494523994518848db37 +--- + core/java/android/net/Uri.java | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java +index 0fb84b723634..af1c0e8e9178 100644 +--- a/core/java/android/net/Uri.java ++++ b/core/java/android/net/Uri.java +@@ -1179,13 +1179,16 @@ public abstract class Uri implements Parcelable, Comparable { + } + + static Uri readFrom(Parcel parcel) { +- return new HierarchicalUri( +- parcel.readString(), +- Part.readFrom(parcel), +- PathPart.readFrom(parcel), +- Part.readFrom(parcel), +- Part.readFrom(parcel) +- ); ++ final String scheme = parcel.readString(); ++ final Part authority = Part.readFrom(parcel); ++ // In RFC3986 the path should be determined based on whether there is a scheme or ++ // authority present (https://www.rfc-editor.org/rfc/rfc3986.html#section-3.3). 
++ final boolean hasSchemeOrAuthority = ++ (scheme != null && scheme.length() > 0) || !authority.isEmpty(); ++ final PathPart path = PathPart.readFrom(hasSchemeOrAuthority, parcel); ++ final Part query = Part.readFrom(parcel); ++ final Part fragment = Part.readFrom(parcel); ++ return new HierarchicalUri(scheme, authority, path, query, fragment); + } + + public int describeContents() { +@@ -2240,6 +2243,11 @@ public abstract class Uri implements Parcelable, Comparable { + } + } + ++ static PathPart readFrom(boolean hasSchemeOrAuthority, Parcel parcel) { ++ final PathPart path = readFrom(parcel); ++ return hasSchemeOrAuthority ? makeAbsolute(path) : path; ++ } ++ + /** + * Creates a path from the encoded string. + * diff --git a/Patches/LineageOS-16.0/android_frameworks_base/356156.patch b/Patches/LineageOS-16.0/android_frameworks_base/356156.patch new file mode 100644 index 00000000..e4ce68d7 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/356156.patch 
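Review bot: The new `PathPart.readFrom(boolean hasSchemeOrAuthority, Parcel parcel)` overload has no Javadoc and differs from the existing `readFrom(Parcel)` only by a leading boolean, so its contract is easy to miss. I would add `/** Reads a path from the parcel and makes it absolute when the URI has a scheme or authority (RFC 3986, section 3.3). */` above it. In the `readFrom` that builds the `HierarchicalUri`, `scheme.length() > 0` reads more directly as `!scheme.isEmpty()`. In the lines shown the normalisation is applied only on this unparcel path; other ways of constructing the object are outside the hunk.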
@@ -0,0 +1,74 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Mon, 21 Nov 2022 17:38:21 -0800 +Subject: [PATCH] enforce stricter rules when registering phoneAccounts + +- include disable accounts when looking up accounts for a package to + check if the limit is reached (10) +- put a new limit of 10 supported schemes +- put a new limit of 256 characters per scheme +- put a new limit of 256 characters per address +- ensure the Icon can write to memory w/o throwing an exception + +bug: 259064622 +bug: 256819769 +Test: cts + unit +Change-Id: Ia7d8d00d9de0fb6694ded6a80c40bd55d7fdf7a7 +Merged-In: Ia7d8d00d9de0fb6694ded6a80c40bd55d7fdf7a7 +(cherry picked from commit on googleplex-android-review.googlesource.com host: a66a3156e03fbd1c3a29015db9193d66f2709f98) +Merged-In: Ia7d8d00d9de0fb6694ded6a80c40bd55d7fdf7a7 +--- + .../java/android/telecom/PhoneAccount.java | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/telecomm/java/android/telecom/PhoneAccount.java b/telecomm/java/android/telecom/PhoneAccount.java +index 8e22221d7876..702b1cf87d7d 100644 +--- a/telecomm/java/android/telecom/PhoneAccount.java ++++ b/telecomm/java/android/telecom/PhoneAccount.java +@@ -439,6 +439,11 @@ public final class PhoneAccount implements Parcelable { + + /** + * Sets the address. See {@link PhoneAccount#getAddress}. ++ *

++ * Note: The entire URI value is limited to 256 characters. This check is ++ * enforced when registering the PhoneAccount via ++ * {@link TelecomManager#registerPhoneAccount(PhoneAccount)} and will cause an ++ * {@link IllegalArgumentException} to be thrown if URI is over 256. + * + * @param value The address of the phone account. + * @return The builder. +@@ -472,6 +477,10 @@ public final class PhoneAccount implements Parcelable { + + /** + * Sets the icon. See {@link PhoneAccount#getIcon}. ++ *

++ * Note: An {@link IllegalArgumentException} if the Icon cannot be written to memory. ++ * This check is enforced when registering the PhoneAccount via ++ * {@link TelecomManager#registerPhoneAccount(PhoneAccount)} + * + * @param icon The icon to set. + */ +@@ -505,6 +514,10 @@ public final class PhoneAccount implements Parcelable { + /** + * Specifies an additional URI scheme supported by the {@link PhoneAccount}. + * ++ *

++ * Each URI scheme is limited to 256 characters. Adding a scheme over 256 characters will ++ * cause an {@link IllegalArgumentException} to be thrown when the account is registered. ++ * + * @param uriScheme The URI scheme. + * @return The builder. + */ +@@ -518,6 +531,12 @@ public final class PhoneAccount implements Parcelable { + /** + * Specifies the URI schemes supported by the {@link PhoneAccount}. + * ++ *

++ * A max of 10 URI schemes can be added per account. Additionally, each URI scheme is ++ * limited to 256 characters. Adding more than 10 URI schemes or 256 characters on any ++ * scheme will cause an {@link IllegalArgumentException} to be thrown when the account ++ * is registered. ++ * + * @param uriSchemes The URI schemes. + * @return The builder. + */ diff --git a/Patches/LineageOS-16.0/android_frameworks_base/359730.patch b/Patches/LineageOS-16.0/android_frameworks_base/359730.patch new file mode 100644 index 00000000..a31d38b2 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/359730.patch 
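Review bot: The Javadoc added to the icon setter, `Note: An {@link IllegalArgumentException} if the Icon cannot be written to memory.`, is missing its verb; `Note: An {@link IllegalArgumentException} is thrown if the Icon cannot be written to memory.` reads correctly. The diffstat for this patch lists only `PhoneAccount.java` and every added line is Javadoc, so the limits it describes (10 schemes, 256 characters per scheme and per address) are enforced elsewhere. Confirm that the companion change performing those checks at `registerPhoneAccount` is part of the same import set; otherwise the documentation promises a rejection that this tree does not perform.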
@@ -0,0 +1,167 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Lee +Date: Fri, 17 Feb 2023 16:05:17 -0800 +Subject: [PATCH] Check key intent for selectors and prohibited flags + +Bug: 265015796 +Test: atest +FrameworksServicesTests: com.android.server.accounts.AccountManagerServiceTest +(cherry picked from commit e53a96304352e2965176c8d32ac1b504e52ef185) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:92114886bdce8467c52c655c186f3e7ab1e134d8) +Merged-In: Ie16f8654337bd75eaad3156817470674b4f0cee3 +Change-Id: Ie16f8654337bd75eaad3156817470674b4f0cee3 +--- + .../accounts/AccountManagerService.java | 18 +++++++--- + .../accounts/AccountManagerServiceTest.java | 36 +++++++++++++++++++ + .../AccountManagerServiceTestFixtures.java | 5 ++- + .../TestAccountType1Authenticator.java | 5 +-- + 4 files changed, 54 insertions(+), 10 deletions(-) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index d2f5d59e7030..36732273ab6f 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -4785,10 +4785,6 @@ public class AccountManagerService + if (intent.getClipData() == null) { + intent.setClipData(ClipData.newPlainText(null, null)); + } +- intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION +- | Intent.FLAG_GRANT_WRITE_URI_PERMISSION +- | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION +- | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION)); + long bid = Binder.clearCallingIdentity(); + try { + PackageManager pm = mContext.getPackageManager(); +@@ -4835,7 +4831,19 @@ public class AccountManagerService + if (intent == null) { + return (simulateIntent == null); + } +- return intent.filterEquals(simulateIntent); ++ if (!intent.filterEquals(simulateIntent)) { ++ return 
false; ++ } ++ ++ if (intent.getSelector() != simulateIntent.getSelector()) { ++ return false; ++ } ++ ++ int prohibitedFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION ++ | Intent.FLAG_GRANT_WRITE_URI_PERMISSION ++ | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION ++ | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION; ++ return (simulateIntent.getFlags() & prohibitedFlags) == 0; + } + + private boolean isExportedSystemActivity(ActivityInfo activityInfo) { +diff --git a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java +index 73267e4868a6..c063f645a4ea 100644 +--- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java ++++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java +@@ -17,6 +17,7 @@ + package com.android.server.accounts; + + import static android.database.sqlite.SQLiteDatabase.deleteDatabase; ++import static org.mockito.ArgumentMatchers.contains; + import static org.mockito.Matchers.any; + import static org.mockito.Matchers.anyBoolean; + import static org.mockito.Matchers.anyInt; +@@ -681,6 +682,41 @@ public class AccountManagerServiceTest extends AndroidTestCase { + assertNotNull(intent.getParcelableExtra(AccountManagerServiceTestFixtures.KEY_CALLBACK)); + } + ++ @SmallTest ++ public void testStartAddAccountSessionWhereAuthenticatorReturnsIntentWithProhibitedFlags() ++ throws Exception { ++ unlockSystemUser(); ++ ResolveInfo resolveInfo = new ResolveInfo(); ++ resolveInfo.activityInfo = new ActivityInfo(); ++ resolveInfo.activityInfo.applicationInfo = new ApplicationInfo(); ++ when(mMockPackageManager.resolveActivityAsUser( ++ any(Intent.class), anyInt(), anyInt())).thenReturn(resolveInfo); ++ when(mMockPackageManager.checkSignatures( ++ anyInt(), anyInt())).thenReturn(PackageManager.SIGNATURE_MATCH); ++ ++ final CountDownLatch latch = new 
CountDownLatch(1); ++ Response response = new Response(latch, mMockAccountManagerResponse); ++ Bundle options = createOptionsWithAccountName( ++ AccountManagerServiceTestFixtures.ACCOUNT_NAME_INTERVENE); ++ int prohibitedFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION ++ | Intent.FLAG_GRANT_WRITE_URI_PERMISSION ++ | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION ++ | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION; ++ options.putInt(AccountManagerServiceTestFixtures.KEY_INTENT_FLAGS, prohibitedFlags); ++ ++ mAms.startAddAccountSession( ++ response, // response ++ AccountManagerServiceTestFixtures.ACCOUNT_TYPE_1, // accountType ++ "authTokenType", ++ null, // requiredFeatures ++ true, // expectActivityLaunch ++ options); // optionsIn ++ waitForLatch(latch); ++ ++ verify(mMockAccountManagerResponse).onError( ++ eq(AccountManager.ERROR_CODE_INVALID_RESPONSE), contains("invalid intent")); ++ } ++ + @SmallTest + public void testStartAddAccountSessionError() throws Exception { + unlockSystemUser(); +diff --git a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java +index 73f30d9f9e79..b98a6a891d55 100644 +--- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java ++++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java +@@ -17,9 +17,6 @@ package com.android.server.accounts; + + import android.accounts.Account; + +-import java.util.ArrayList; +-import java.util.List; +- + /** + * Constants shared between test AccountAuthenticators and AccountManagerServiceTest. 
+ */ +@@ -31,6 +28,8 @@ public final class AccountManagerServiceTestFixtures { + "account_manager_service_test:account_status_token_key"; + public static final String KEY_ACCOUNT_PASSWORD = + "account_manager_service_test:account_password_key"; ++ public static final String KEY_INTENT_FLAGS = ++ "account_manager_service_test:intent_flags_key"; + public static final String KEY_OPTIONS_BUNDLE = + "account_manager_service_test:option_bundle_key"; + public static final String ACCOUNT_NAME_SUCCESS = "success_on_return@fixture.com"; +diff --git a/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java b/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java +index 8106364477d9..924443e9d5cf 100644 +--- a/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java ++++ b/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java +@@ -24,8 +24,6 @@ import android.content.Context; + import android.content.Intent; + import android.os.Bundle; + +-import com.android.frameworks.servicestests.R; +- + import java.util.concurrent.atomic.AtomicInteger; + + /** +@@ -270,11 +268,13 @@ public class TestAccountType1Authenticator extends AbstractAccountAuthenticator + String accountName = null; + Bundle sessionBundle = null; + String password = null; ++ int intentFlags = 0; + if (options != null) { + accountName = options.getString(AccountManagerServiceTestFixtures.KEY_ACCOUNT_NAME); + sessionBundle = options.getBundle( + AccountManagerServiceTestFixtures.KEY_ACCOUNT_SESSION_BUNDLE); + password = options.getString(AccountManagerServiceTestFixtures.KEY_ACCOUNT_PASSWORD); ++ intentFlags = options.getInt(AccountManagerServiceTestFixtures.KEY_INTENT_FLAGS, 0); + } + + Bundle result = new Bundle(); +@@ -302,6 +302,7 @@ public class TestAccountType1Authenticator extends AbstractAccountAuthenticator + 
intent.putExtra(AccountManagerServiceTestFixtures.KEY_RESULT, + eventualActivityResultData); + intent.putExtra(AccountManagerServiceTestFixtures.KEY_CALLBACK, response); ++ intent.setFlags(intentFlags); + + result.putParcelable(AccountManager.KEY_INTENT, intent); + } else { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/359731.patch b/Patches/LineageOS-16.0/android_frameworks_base/359731.patch new file mode 100644 index 00000000..e0971199 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/359731.patch 
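Review bot: The selector check added to the key-intent comparison, `if (intent.getSelector() != simulateIntent.getSelector())`, compares object references, so it passes only when both selectors are null or the same object. If simulateIntent is rebuilt from a parcel, as its name suggests, every intent carrying a selector is rejected; that is probably the intended hardening, but the line reads like an equality test. A comment such as `// Reference comparison: any non-null selector is rejected`, or an explicit `intent.getSelector() != null || simulateIntent.getSelector() != null`, would make the rule clear. The prohibited-flag test reads only `simulateIntent.getFlags()` while the earlier stripping of grant flags from `intent` is removed, so it is worth confirming that the two objects cannot differ in flags. Both methods start and end outside the lines shown.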
@@ -0,0 +1,79 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kweku Adams +Date: Wed, 21 Sep 2022 22:13:01 +0000 +Subject: [PATCH] Handle invalid data during job loading. + +Catch exceptions that may be thrown if invalid data ended up in the +persisted job file. + +Bug: 246541702 +Bug: 246542132 +Bug: 246542285 +Bug: 246542330 +Test: install test app with invalid job config, start app to schedule job, then reboot device +(cherry picked from commit c98fb42b480b3beedc2d94de6110f50212c4aa0b) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df1ba00dd9f64a3ae9a9e05979dfae6a15c7e203) +Merged-In: Id0ceba345942baf21177f687b8dd85ef001c0a9e +Change-Id: Id0ceba345942baf21177f687b8dd85ef001c0a9e +--- + .../java/com/android/server/job/JobStore.java | 26 ++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/services/core/java/com/android/server/job/JobStore.java b/services/core/java/com/android/server/job/JobStore.java +index 4f8b1dcc6bb4..7f2d7fb5987d 100644 +--- a/services/core/java/com/android/server/job/JobStore.java ++++ b/services/core/java/com/android/server/job/JobStore.java +@@ -623,6 +623,10 @@ public final class JobStore { + } + } catch (XmlPullParserException | IOException e) { + Slog.wtf(TAG, "Error jobstore xml.", e); ++ } catch (Exception e) { ++ // Crashing at this point would result in a boot loop, so live with a general ++ // Exception for system stability's sake. ++ Slog.wtf(TAG, "Unexpected exception", e); + } finally { + if (mPersistInfo.countAllJobsLoaded < 0) { // Only set them once. 
+ mPersistInfo.countAllJobsLoaded = numJobs; +@@ -753,6 +757,15 @@ public final class JobStore { + } catch (NumberFormatException e) { + Slog.d(TAG, "Error reading constraints, skipping."); + return null; ++ } catch (XmlPullParserException e) { ++ Slog.d(TAG, "Error Parser Exception.", e); ++ return null; ++ } catch (IOException e) { ++ Slog.d(TAG, "Error I/O Exception.", e); ++ return null; ++ } catch (IllegalArgumentException e) { ++ Slog.e(TAG, "Constraints contained invalid data", e); ++ return null; + } + parser.next(); // Consume + +@@ -848,8 +861,14 @@ public final class JobStore { + return null; + } + +- PersistableBundle extras = PersistableBundle.restoreFromXml(parser); +- jobBuilder.setExtras(extras); ++ final PersistableBundle extras; ++ try { ++ extras = PersistableBundle.restoreFromXml(parser); ++ jobBuilder.setExtras(extras); ++ } catch (IllegalArgumentException e) { ++ Slog.e(TAG, "Persisted extras contained invalid data", e); ++ return null; ++ } + parser.nextTag(); // Consume + + // Migrate sync jobs forward from earlier, incomplete representation +@@ -887,7 +906,8 @@ public final class JobStore { + return new JobInfo.Builder(jobId, cname); + } + +- private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser) { ++ private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser) ++ throws XmlPullParserException, IOException { + String val; + + final String netCapabilities = parser.getAttributeValue(null, "net-capabilities"); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/359732.patch b/Patches/LineageOS-16.0/android_frameworks_base/359732.patch new file mode 100644 index 00000000..23125594 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/359732.patch 
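Review bot: The new `catch (Exception e)` in JobStore appears to sit outside the per-job parsing, so one unexpected exception from a single persisted entry would end the load and drop every job after it; the try body is outside the lines shown, so this needs confirming. Catching unexpected runtime exceptions where each job is restored, and skipping only that job, would keep the boot-loop protection without losing the valid entries. The constraint handlers log parser and I/O failures with `Slog.d` but invalid data with `Slog.e`; using `Slog.e` for all three keeps rejected persisted data visible at the same level.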
@@ -0,0 +1,232 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Julia Reynolds +Date: Tue, 7 Mar 2023 15:44:49 -0500 +Subject: [PATCH] Allow filtering of services + +Test: ServiceListingTest +Bug: 260570119 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:44dcb8351e61f4b3a63ec68fa5d8490501e8a823) +Merged-In: Ib4740ba401667de62fa1a33334c2c1fbee25b760 +Change-Id: Ib4740ba401667de62fa1a33334c2c1fbee25b760 +--- + .../applications/ServiceListing.java | 19 +++- + .../applications/ServiceListingTest.java | 98 ++++++++++++++++++- + 2 files changed, 113 insertions(+), 4 deletions(-) + +diff --git a/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java b/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java +index 3c3c70ac364e..8c1cc256eee4 100644 +--- a/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java ++++ b/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java +@@ -37,6 +37,7 @@ import com.android.settingslib.wrapper.PackageManagerWrapper; + import java.util.ArrayList; + import java.util.HashSet; + import java.util.List; ++import java.util.function.Predicate; + + /** + * Class for managing services matching a given intent and requesting a given permission. 
+@@ -52,11 +53,13 @@ public class ServiceListing { + private final HashSet mEnabledServices = new HashSet<>(); + private final List mServices = new ArrayList<>(); + private final List mCallbacks = new ArrayList<>(); ++ private final Predicate mValidator; + + private boolean mListening; + + private ServiceListing(Context context, String tag, +- String setting, String intentAction, String permission, String noun) { ++ String setting, String intentAction, String permission, String noun, ++ Predicate validator) { + mContentResolver = context.getContentResolver(); + mContext = context; + mTag = tag; +@@ -64,6 +67,7 @@ public class ServiceListing { + mIntentAction = intentAction; + mPermission = permission; + mNoun = noun; ++ mValidator = validator; + } + + public void addCallback(Callback callback) { +@@ -133,7 +137,6 @@ public class ServiceListing { + new Intent(mIntentAction), + PackageManager.GET_SERVICES | PackageManager.GET_META_DATA, + user); +- + for (ResolveInfo resolveInfo : installedServices) { + ServiceInfo info = resolveInfo.serviceInfo; + +@@ -144,6 +147,9 @@ public class ServiceListing { + + mPermission); + continue; + } ++ if (mValidator != null && !mValidator.test(info)) { ++ continue; ++ } + mServices.add(info); + } + for (Callback callback : mCallbacks) { +@@ -189,6 +195,7 @@ public class ServiceListing { + private String mIntentAction; + private String mPermission; + private String mNoun; ++ private Predicate mValidator; + + public Builder(Context context) { + mContext = context; +@@ -219,8 +226,14 @@ public class ServiceListing { + return this; + } + ++ public Builder setValidator(Predicate validator) { ++ mValidator = validator; ++ return this; ++ } ++ + public ServiceListing build() { +- return new ServiceListing(mContext, mTag, mSetting, mIntentAction, mPermission, mNoun); ++ return new ServiceListing(mContext, mTag, mSetting, mIntentAction, mPermission, mNoun, ++ mValidator); + } + } + } +diff --git 
a/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java b/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java +index 060b716bb435..6cfbd458fd79 100644 +--- a/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java ++++ b/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java +@@ -17,21 +17,36 @@ + package com.android.settingslib.applications; + + import static com.google.common.truth.Truth.assertThat; ++import static org.mockito.ArgumentMatchers.any; ++import static org.mockito.ArgumentMatchers.anyInt; + import static org.mockito.ArgumentMatchers.anyList; + import static org.mockito.Mockito.mock; ++import static org.mockito.Mockito.spy; + import static org.mockito.Mockito.times; + import static org.mockito.Mockito.verify; ++import static org.mockito.Mockito.spy; + + import android.content.ComponentName; ++import android.content.Context; ++import android.content.pm.PackageManager; ++import android.content.pm.ResolveInfo; ++import android.content.pm.ServiceInfo; + import android.provider.Settings; + ++import androidx.test.core.app.ApplicationProvider; ++ + import com.android.settingslib.SettingsLibRobolectricTestRunner; + ++import com.google.common.collect.ImmutableList; ++ + import org.junit.Before; + import org.junit.Test; + import org.junit.runner.RunWith; ++import org.mockito.ArgumentCaptor; + import org.robolectric.RuntimeEnvironment; + ++import java.util.List; ++ + @RunWith(SettingsLibRobolectricTestRunner.class) + public class ServiceListingTest { + +@@ -39,16 +54,97 @@ public class ServiceListingTest { + private static final String TEST_INTENT = "com.example.intent"; + + private ServiceListing mServiceListing; ++ private Context mContext; ++ private PackageManager mPm; + + @Before + public void setUp() { +- mServiceListing = new 
ServiceListing.Builder(RuntimeEnvironment.application) ++ mPm = mock(PackageManager.class); ++ mContext = spy(ApplicationProvider.getApplicationContext()); ++ when(mContext.getPackageManager()).thenReturn(mPm); ++ ++ mServiceListing = new ServiceListing.Builder(mContext) ++ .setTag("testTag") ++ .setSetting(TEST_SETTING) ++ .setNoun("testNoun") ++ .setIntentAction(TEST_INTENT) ++ .setPermission("testPermission") ++ .build(); ++ } ++ ++ @Test ++ public void testValidator() { ++ ServiceInfo s1 = new ServiceInfo(); ++ s1.permission = "testPermission"; ++ s1.packageName = "pkg"; ++ ServiceInfo s2 = new ServiceInfo(); ++ s2.permission = "testPermission"; ++ s2.packageName = "pkg2"; ++ ResolveInfo r1 = new ResolveInfo(); ++ r1.serviceInfo = s1; ++ ResolveInfo r2 = new ResolveInfo(); ++ r2.serviceInfo = s2; ++ ++ when(mPm.queryIntentServicesAsUser(any(), anyInt(), anyInt())).thenReturn( ++ ImmutableList.of(r1, r2)); ++ ++ mServiceListing = new ServiceListing.Builder(mContext) ++ .setTag("testTag") ++ .setSetting(TEST_SETTING) ++ .setNoun("testNoun") ++ .setIntentAction(TEST_INTENT) ++ .setValidator(info -> { ++ if (info.packageName.equals("pkg")) { ++ return true; ++ } ++ return false; ++ }) ++ .setPermission("testPermission") ++ .build(); ++ ServiceListing.Callback callback = mock(ServiceListing.Callback.class); ++ mServiceListing.addCallback(callback); ++ mServiceListing.reload(); ++ ++ verify(mPm).queryIntentServicesAsUser(any(), anyInt(), anyInt()); ++ ArgumentCaptor> captor = ArgumentCaptor.forClass(List.class); ++ verify(callback, times(1)).onServicesReloaded(captor.capture()); ++ ++ assertThat(captor.getValue().size()).isEqualTo(1); ++ assertThat(captor.getValue().get(0)).isEqualTo(s1); ++ } ++ ++ @Test ++ public void testNoValidator() { ++ ServiceInfo s1 = new ServiceInfo(); ++ s1.permission = "testPermission"; ++ s1.packageName = "pkg"; ++ ServiceInfo s2 = new ServiceInfo(); ++ s2.permission = "testPermission"; ++ s2.packageName = "pkg2"; ++ ResolveInfo r1 = new 
ResolveInfo(); ++ r1.serviceInfo = s1; ++ ResolveInfo r2 = new ResolveInfo(); ++ r2.serviceInfo = s2; ++ ++ when(mPm.queryIntentServicesAsUser(any(), anyInt(), anyInt())).thenReturn( ++ ImmutableList.of(r1, r2)); ++ ++ mServiceListing = new ServiceListing.Builder(mContext) + .setTag("testTag") + .setSetting(TEST_SETTING) + .setNoun("testNoun") + .setIntentAction(TEST_INTENT) + .setPermission("testPermission") + .build(); ++ ServiceListing.Callback callback = mock(ServiceListing.Callback.class); ++ mServiceListing.addCallback(callback); ++ mServiceListing.reload(); ++ ++ verify(mPm).queryIntentServicesAsUser(any(), anyInt(), anyInt()); ++ ArgumentCaptor> captor = ArgumentCaptor.forClass(List.class); ++ verify(callback, times(1)).onServicesReloaded(captor.capture()); ++ ++ assertThat(captor.getValue().size()).isEqualTo(2); + } + + @Test diff --git a/Patches/LineageOS-16.0/android_frameworks_base/359733.patch b/Patches/LineageOS-16.0/android_frameworks_base/359733.patch new file mode 100644 index 00000000..b5c98965 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/359733.patch 
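Review bot: `Builder.setValidator` has no Javadoc, and the filter is opt-in: with the default null `mValidator`, the loop over `installedServices` still adds every service that declares the permission, as before. Existing callers gain nothing until they pass a predicate, which is worth stating on the setter, for example `/** Optional filter; services for which it returns false are left out. Null disables filtering. */`. In ServiceListingTest the static import `org.mockito.Mockito.spy` is added twice, and `when(...)` is used without a matching import among the lines shown. The lambda in testValidator can be shortened to `info -> info.packageName.equals("pkg")`.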
@@ -0,0 +1,85 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Valentin Iftime +Date: Wed, 22 Feb 2023 09:38:55 +0100 +Subject: [PATCH] Prevent RemoteViews crashing SystemUi + + Catch canvas drawing exceptions caused by unsuported image sizes. + +Test: 1. Post a custom view notification with a layout + containing an ImageView that references a 5k x 5k image +2. Add an App Widget to the home screen with that has the + layout mentioned above as preview/initial layout. + +Bug: 268193777 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cfc0b34432ab54e3fa472db5c43e620293f64a5d) +Merged-In: Ib3bda769c499b4069b49c566b1b227f98f707a8a +Change-Id: Ib3bda769c499b4069b49c566b1b227f98f707a8a +--- + .../android/appwidget/AppWidgetHostView.java | 39 ++++++++++++++----- + 1 file changed, 29 insertions(+), 10 deletions(-) + +diff --git a/core/java/android/appwidget/AppWidgetHostView.java b/core/java/android/appwidget/AppWidgetHostView.java +index ab0eb92e1726..02b244bdd9a6 100644 +--- a/core/java/android/appwidget/AppWidgetHostView.java ++++ b/core/java/android/appwidget/AppWidgetHostView.java +@@ -21,6 +21,7 @@ import android.content.Context; + import android.content.pm.ApplicationInfo; + import android.content.pm.PackageManager.NameNotFoundException; + import android.content.res.Resources; ++import android.graphics.Canvas; + import android.graphics.Color; + import android.graphics.Rect; + import android.os.Build; +@@ -248,19 +249,26 @@ public class AppWidgetHostView extends FrameLayout { + super.onLayout(changed, left, top, right, bottom); + } catch (final RuntimeException e) { + Log.e(TAG, "Remote provider threw runtime exception, using error view instead.", e); +- removeViewInLayout(mView); +- View child = getErrorView(); +- prepareView(child); +- addViewInLayout(child, 0, child.getLayoutParams()); +- measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY), +- 
MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY)); +- child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight, +- child.getMeasuredHeight() + mPaddingTop + mPaddingBottom); +- mView = child; +- mViewMode = VIEW_MODE_ERROR; ++ handleViewError(); + } + } + ++ /** ++ * Remove bad view and replace with error message view ++ */ ++ private void handleViewError() { ++ removeViewInLayout(mView); ++ View child = getErrorView(); ++ prepareView(child); ++ addViewInLayout(child, 0, child.getLayoutParams()); ++ measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY), ++ MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY)); ++ child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight, ++ child.getMeasuredHeight() + mPaddingTop + mPaddingBottom); ++ mView = child; ++ mViewMode = VIEW_MODE_ERROR; ++ } ++ + /** + * Provide guidance about the size of this widget to the AppWidgetManager. The widths and + * heights should correspond to the full area the AppWidgetHostView is given. Padding added by +@@ -646,4 +654,15 @@ public class AppWidgetHostView extends FrameLayout { + super.onInitializeAccessibilityNodeInfoInternal(info); + info.setClassName(AppWidgetHostView.class.getName()); + } ++ ++ @Override ++ protected void dispatchDraw(Canvas canvas) { ++ try { ++ super.dispatchDraw(canvas); ++ } catch (Exception e) { ++ // Catch draw exceptions that may be caused by RemoteViews ++ Log.e(TAG, "Drawing view failed: " + e); ++ post(this::handleViewError); ++ } ++ } + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/361254.patch b/Patches/LineageOS-16.0/android_frameworks_base/361254.patch new file mode 100644 index 00000000..54fd089c --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/361254.patch 
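Review bot: The new `dispatchDraw` override logs `"Drawing view failed: " + e`, which drops the stack trace, while the `onLayout` handler passes the exception to `Log.e`; `Log.e(TAG, "Drawing view failed", e);` would match it. The handler also posts `handleViewError` on every failed draw without checking the current mode, so if the error view itself cannot be drawn the host would repost on each frame. `if (mViewMode != VIEW_MODE_ERROR) post(this::handleViewError);` bounds that. The override catches `Exception` where `onLayout` catches `RuntimeException`; a comment saying which is intended would help.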
@@ -0,0 +1,145 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Lucas Lin +Date: Fri, 3 Mar 2023 08:13:50 +0000 +Subject: [PATCH] Sanitize VPN label to prevent HTML injection + +This commit will try to sanitize the content of VpnDialog. This +commit creates a function which will try to sanitize the VPN +label, if the sanitized VPN label is different from the original +one, which means the VPN label might contain HTML tag or the VPN +label violates the words restriction(may contain some wording +which will mislead the user). For this kind of case, show the +package name instead of the VPN label to prevent misleading the +user. + +The malicious VPN app might be able to add a large number of line +breaks with HTML in order to hide the system-displayed text from +the user in the connection request dialog. Thus, sanitizing the +content of the dialog is needed. + +Bug: 204554636 +Test: N/A +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2178216b98bf9865edee198f45192f0b883624ab) +Merged-In: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d +Change-Id: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d +--- + packages/VpnDialogs/res/values/strings.xml | 28 ++++++++++ + .../com/android/vpndialogs/ConfirmDialog.java | 53 +++++++++++++++++-- + 2 files changed, 76 insertions(+), 5 deletions(-) + +diff --git a/packages/VpnDialogs/res/values/strings.xml b/packages/VpnDialogs/res/values/strings.xml +index 443a9bc33b90..b4166f0bedfd 100644 +--- a/packages/VpnDialogs/res/values/strings.xml ++++ b/packages/VpnDialogs/res/values/strings.xml +@@ -89,4 +89,32 @@ + without any consequences. 
[CHAR LIMIT=20] --> + Dismiss + ++ ++ ++ %1$s… ( ++ %2$s) ++ ++ ++ ++ ++ %1$s ( ++ %2$s) ++ + +diff --git a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java +index 09339743db5c..43d18df3a10d 100644 +--- a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java ++++ b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java +@@ -42,10 +42,52 @@ public class ConfirmDialog extends AlertActivity + implements DialogInterface.OnClickListener, ImageGetter { + private static final String TAG = "VpnConfirm"; + ++ // Usually the label represents the app name, 150 code points might be enough to display the app ++ // name, and 150 code points won't cover the warning message from VpnDialog. ++ static final int MAX_VPN_LABEL_LENGTH = 150; ++ + private String mPackage; + + private IConnectivityManager mService; + ++ private View mView; ++ ++ /** ++ * This function will use the string resource to combine the VPN label and the package name. ++ * ++ * If the VPN label violates the length restriction, the first 30 code points of VPN label and ++ * the package name will be returned. Or return the VPN label and the package name directly if ++ * the VPN label doesn't violate the length restriction. ++ * ++ * The result will be something like, ++ * - ThisIsAVeryLongVpnAppNameWhich... (com.vpn.app) ++ * if the VPN label violates the length restriction. ++ * or ++ * - VpnLabelWith<br>HtmlTag (com.vpn.app) ++ * if the VPN label doesn't violate the length restriction. 
++ * ++ */ ++ private String getSimplifiedLabel(String vpnLabel, String packageName) { ++ if (vpnLabel.codePointCount(0, vpnLabel.length()) > 30) { ++ return getString(R.string.sanitized_vpn_label_with_ellipsis, ++ vpnLabel.substring(0, vpnLabel.offsetByCodePoints(0, 30)), ++ packageName); ++ } ++ ++ return getString(R.string.sanitized_vpn_label, vpnLabel, packageName); ++ } ++ ++ protected String getSanitizedVpnLabel(String vpnLabel, String packageName) { ++ final String sanitizedVpnLabel = Html.escapeHtml(vpnLabel); ++ final boolean exceedMaxVpnLabelLength = sanitizedVpnLabel.codePointCount(0, ++ sanitizedVpnLabel.length()) > MAX_VPN_LABEL_LENGTH; ++ if (exceedMaxVpnLabelLength || !vpnLabel.equals(sanitizedVpnLabel)) { ++ return getSimplifiedLabel(sanitizedVpnLabel, packageName); ++ } ++ ++ return sanitizedVpnLabel; ++ } ++ + @Override + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); +@@ -68,15 +110,16 @@ public class ConfirmDialog extends AlertActivity + finish(); + return; + } +- View view = View.inflate(this, R.layout.confirm, null); +- ((TextView) view.findViewById(R.id.warning)).setText( +- Html.fromHtml(getString(R.string.warning, getVpnLabel()), +- this, null /* tagHandler */)); ++ mView = View.inflate(this, R.layout.confirm, null); ++ ((TextView) mView.findViewById(R.id.warning)).setText( ++ Html.fromHtml(getString(R.string.warning, getSanitizedVpnLabel( ++ getVpnLabel().toString(), mPackage)), ++ this /* imageGetter */, null /* tagHandler */)); + mAlertParams.mTitle = getText(R.string.prompt); + mAlertParams.mPositiveButtonText = getText(android.R.string.ok); + mAlertParams.mPositiveButtonListener = this; + mAlertParams.mNegativeButtonText = getText(android.R.string.cancel); +- mAlertParams.mView = view; ++ mAlertParams.mView = mView; + setupAlert(); + + getWindow().setCloseOnTouchOutside(false); 
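Review bot: `getSimplifiedLabel` truncates at a bare `30` that is repeated in its Javadoc, and it receives the already escaped label, so the cut can land inside an entity produced by `Html.escapeHtml` (leaving `&l` from `&lt;`, for example) before the text reaches `Html.fromHtml`. Truncating the raw label first and escaping the result avoids the partial entity. A named constant next to `MAX_VPN_LABEL_LENGTH`, e.g. `static final int MAX_SIMPLIFIED_LABEL_LENGTH = 30;`, would keep the comment and the code in step. The 150 code point test also measures the escaped string, so a label with markup characters is shortened earlier than the constant's comment suggests. `getSanitizedVpnLabel` has no Javadoc; one sentence saying it returns the label as-is only when escaping leaves it unchanged and it is within the limit would cover it.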
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/361255.patch b/Patches/LineageOS-16.0/android_frameworks_base/361255.patch new file mode 100644 index 00000000..449a4d66 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/361255.patch 
@@ -0,0 +1,84 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Michael Groover +Date: Fri, 31 Mar 2023 21:31:22 +0000 +Subject: [PATCH] Limit the number of supported v1 and v2 signers + +The v1 and v2 APK Signature Schemes support multiple signers; this +was intended to allow multiple entities to sign an APK. Previously, +the platform had no limits placed on the number of signers supported +in an APK, but this commit sets a hard limit of 10 supported signers +for these signature schemes to ensure a large number of signers +does not place undue burden on the platform. + +Bug: 266580022 +Test: Manually verified the platform only allowed an APK with the + maximum number of supported signers. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6f6ee8a55f37c2b8c0df041b2bd53ec928764597) +Merged-In: I6aa86b615b203cdc69d58a593ccf8f18474ca091 +Change-Id: I6aa86b615b203cdc69d58a593ccf8f18474ca091 +--- + .../util/apk/ApkSignatureSchemeV2Verifier.java | 10 ++++++++++ + core/java/android/util/jar/StrictJarVerifier.java | 11 +++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java +index 533d72590f0a..d5f6ebe8c2e9 100644 +--- a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java ++++ b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java +@@ -83,6 +83,11 @@ public class ApkSignatureSchemeV2Verifier { + + private static final int APK_SIGNATURE_SCHEME_V2_BLOCK_ID = 0x7109871a; + ++ /** ++ * The maximum number of signers supported by the v2 APK signature scheme. ++ */ ++ private static final int MAX_V2_SIGNERS = 10; ++ + /** + * Returns {@code true} if the provided APK contains an APK Signature Scheme V2 signature. 
+ * +@@ -188,6 +193,11 @@ public class ApkSignatureSchemeV2Verifier { + } + while (signers.hasRemaining()) { + signerCount++; ++ if (signerCount > MAX_V2_SIGNERS) { ++ throw new SecurityException( ++ "APK Signature Scheme v2 only supports a maximum of " + MAX_V2_SIGNERS ++ + " signers"); ++ } + try { + ByteBuffer signer = getLengthPrefixedSlice(signers); + X509Certificate[] certs = verifySigner(signer, contentDigests, certFactory); +diff --git a/core/java/android/util/jar/StrictJarVerifier.java b/core/java/android/util/jar/StrictJarVerifier.java +index 45254908c5c9..a6aca330d323 100644 +--- a/core/java/android/util/jar/StrictJarVerifier.java ++++ b/core/java/android/util/jar/StrictJarVerifier.java +@@ -78,6 +78,11 @@ class StrictJarVerifier { + "SHA1", + }; + ++ /** ++ * The maximum number of signers supported by the JAR signature scheme. ++ */ ++ private static final int MAX_JAR_SIGNERS = 10; ++ + private final String jarName; + private final StrictJarManifest manifest; + private final HashMap metaEntries; +@@ -293,10 +298,16 @@ class StrictJarVerifier { + return false; + } + ++ int signerCount = 0; + Iterator it = metaEntries.keySet().iterator(); + while (it.hasNext()) { + String key = it.next(); + if (key.endsWith(".DSA") || key.endsWith(".RSA") || key.endsWith(".EC")) { ++ if (++signerCount > MAX_JAR_SIGNERS) { ++ throw new SecurityException( ++ "APK Signature Scheme v1 only supports a maximum of " + MAX_JAR_SIGNERS ++ + " signers"); ++ } + verifyCertificate(key); + it.remove(); + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/361256.patch b/Patches/LineageOS-16.0/android_frameworks_base/361256.patch new file mode 100644 index 00000000..16178028 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/361256.patch 
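Review bot: Neither signer limit has an automated test; the Test line records only manual verification, so a boundary test with exactly 10 and with 11 signers for each scheme would pin the new `signerCount > MAX_V2_SIGNERS` and `++signerCount > MAX_JAR_SIGNERS` checks. In StrictJarVerifier the limit throws `SecurityException` from a method whose other visible failure path is `return false`, and the callers are outside the hunk, so it is unclear from here how the two outcomes differ for them. A short comment at the throw saying why exceeding the limit must reject the file rather than return false would help. The value 10 is declared twice, as `MAX_V2_SIGNERS` and `MAX_JAR_SIGNERS`; if the two are meant to stay equal, each Javadoc should say so.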
@@ -0,0 +1,1034 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Bill Yi +Date: Tue, 4 Apr 2023 10:14:08 -0700 +Subject: [PATCH] Import translations. DO NOT MERGE ANYWHERE + +BUG:204554636 + +Auto-generated-cl: translation import +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2fe87df11e447755351c1934bcbae5f2f870950d) +Merged-In: I1720c67e4361d9019b12fa5a510cd34918dfedb4 +Change-Id: I1720c67e4361d9019b12fa5a510cd34918dfedb4 +--- + packages/VpnDialogs/res/values-af/strings.xml | 2 ++ + packages/VpnDialogs/res/values-am/strings.xml | 2 ++ + packages/VpnDialogs/res/values-ar/strings.xml | 2 ++ + packages/VpnDialogs/res/values-as/strings.xml | 2 ++ + packages/VpnDialogs/res/values-az/strings.xml | 2 ++ + packages/VpnDialogs/res/values-b+sr+Latn/strings.xml | 2 ++ + packages/VpnDialogs/res/values-be/strings.xml | 2 ++ + packages/VpnDialogs/res/values-bg/strings.xml | 2 ++ + packages/VpnDialogs/res/values-bn/strings.xml | 2 ++ + packages/VpnDialogs/res/values-bs/strings.xml | 2 ++ + packages/VpnDialogs/res/values-ca/strings.xml | 2 ++ + packages/VpnDialogs/res/values-cs/strings.xml | 2 ++ + packages/VpnDialogs/res/values-da/strings.xml | 2 ++ + packages/VpnDialogs/res/values-de/strings.xml | 2 ++ + packages/VpnDialogs/res/values-el/strings.xml | 2 ++ + packages/VpnDialogs/res/values-en-rAU/strings.xml | 2 ++ + packages/VpnDialogs/res/values-en-rCA/strings.xml | 2 ++ + packages/VpnDialogs/res/values-en-rGB/strings.xml | 2 ++ + packages/VpnDialogs/res/values-en-rIN/strings.xml | 2 ++ + packages/VpnDialogs/res/values-en-rXC/strings.xml | 2 ++ + packages/VpnDialogs/res/values-es-rUS/strings.xml | 2 ++ + packages/VpnDialogs/res/values-es/strings.xml | 2 ++ + packages/VpnDialogs/res/values-et/strings.xml | 2 ++ + packages/VpnDialogs/res/values-eu/strings.xml | 2 ++ + packages/VpnDialogs/res/values-fa/strings.xml | 2 ++ + packages/VpnDialogs/res/values-fi/strings.xml | 2 ++ + 
packages/VpnDialogs/res/values-fr-rCA/strings.xml | 2 ++ + packages/VpnDialogs/res/values-fr/strings.xml | 2 ++ + packages/VpnDialogs/res/values-gl/strings.xml | 2 ++ + packages/VpnDialogs/res/values-gu/strings.xml | 2 ++ + packages/VpnDialogs/res/values-hi/strings.xml | 2 ++ + packages/VpnDialogs/res/values-hr/strings.xml | 2 ++ + packages/VpnDialogs/res/values-hu/strings.xml | 2 ++ + packages/VpnDialogs/res/values-hy/strings.xml | 2 ++ + packages/VpnDialogs/res/values-in/strings.xml | 2 ++ + packages/VpnDialogs/res/values-is/strings.xml | 2 ++ + packages/VpnDialogs/res/values-it/strings.xml | 2 ++ + packages/VpnDialogs/res/values-iw/strings.xml | 2 ++ + packages/VpnDialogs/res/values-ja/strings.xml | 2 ++ + packages/VpnDialogs/res/values-ka/strings.xml | 2 ++ + packages/VpnDialogs/res/values-kk/strings.xml | 2 ++ + packages/VpnDialogs/res/values-km/strings.xml | 2 ++ + packages/VpnDialogs/res/values-kn/strings.xml | 2 ++ + packages/VpnDialogs/res/values-ko/strings.xml | 2 ++ + packages/VpnDialogs/res/values-ky/strings.xml | 2 ++ + packages/VpnDialogs/res/values-lo/strings.xml | 2 ++ + packages/VpnDialogs/res/values-lt/strings.xml | 2 ++ + packages/VpnDialogs/res/values-lv/strings.xml | 2 ++ + packages/VpnDialogs/res/values-mk/strings.xml | 2 ++ + packages/VpnDialogs/res/values-ml/strings.xml | 2 ++ + packages/VpnDialogs/res/values-mn/strings.xml | 2 ++ + packages/VpnDialogs/res/values-mr/strings.xml | 2 ++ + packages/VpnDialogs/res/values-ms/strings.xml | 2 ++ + packages/VpnDialogs/res/values-my/strings.xml | 2 ++ + packages/VpnDialogs/res/values-nb/strings.xml | 2 ++ + packages/VpnDialogs/res/values-ne/strings.xml | 2 ++ + packages/VpnDialogs/res/values-nl/strings.xml | 2 ++ + packages/VpnDialogs/res/values-or/strings.xml | 2 ++ + packages/VpnDialogs/res/values-pa/strings.xml | 2 ++ + packages/VpnDialogs/res/values-pl/strings.xml | 2 ++ + packages/VpnDialogs/res/values-pt-rBR/strings.xml | 2 ++ + packages/VpnDialogs/res/values-pt-rPT/strings.xml | 2 ++ + 
packages/VpnDialogs/res/values-pt/strings.xml | 2 ++ + packages/VpnDialogs/res/values-ro/strings.xml | 2 ++ + packages/VpnDialogs/res/values-ru/strings.xml | 2 ++ + packages/VpnDialogs/res/values-si/strings.xml | 2 ++ + packages/VpnDialogs/res/values-sk/strings.xml | 2 ++ + packages/VpnDialogs/res/values-sl/strings.xml | 2 ++ + packages/VpnDialogs/res/values-sq/strings.xml | 2 ++ + packages/VpnDialogs/res/values-sr/strings.xml | 2 ++ + packages/VpnDialogs/res/values-sv/strings.xml | 2 ++ + packages/VpnDialogs/res/values-sw/strings.xml | 2 ++ + packages/VpnDialogs/res/values-ta/strings.xml | 2 ++ + packages/VpnDialogs/res/values-te/strings.xml | 2 ++ + packages/VpnDialogs/res/values-th/strings.xml | 2 ++ + packages/VpnDialogs/res/values-tl/strings.xml | 2 ++ + packages/VpnDialogs/res/values-tr/strings.xml | 2 ++ + packages/VpnDialogs/res/values-uk/strings.xml | 2 ++ + packages/VpnDialogs/res/values-ur/strings.xml | 2 ++ + packages/VpnDialogs/res/values-uz/strings.xml | 2 ++ + packages/VpnDialogs/res/values-vi/strings.xml | 2 ++ + packages/VpnDialogs/res/values-zh-rCN/strings.xml | 2 ++ + packages/VpnDialogs/res/values-zh-rHK/strings.xml | 2 ++ + packages/VpnDialogs/res/values-zh-rTW/strings.xml | 2 ++ + packages/VpnDialogs/res/values-zu/strings.xml | 2 ++ + 85 files changed, 170 insertions(+) + +diff --git a/packages/VpnDialogs/res/values-af/strings.xml b/packages/VpnDialogs/res/values-af/strings.xml +index ac82b0e0009a..b2718fd83e4f 100644 +--- a/packages/VpnDialogs/res/values-af/strings.xml ++++ b/packages/VpnDialogs/res/values-af/strings.xml +@@ -33,4 +33,6 @@ + "Ontkoppel" + "Maak program oop" + "Maak toe" ++ "%1$s … ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-am/strings.xml b/packages/VpnDialogs/res/values-am/strings.xml +index 103f101b8262..aa92dd708051 100644 +--- a/packages/VpnDialogs/res/values-am/strings.xml ++++ b/packages/VpnDialogs/res/values-am/strings.xml +@@ -33,4 +33,6 @@ + "አለያይ" + "መተግበሪያን ክፈት" + "አሰናብት" ++ "%1$s… ( 
%2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-ar/strings.xml b/packages/VpnDialogs/res/values-ar/strings.xml +index 808cde906d2f..20057c66750c 100644 +--- a/packages/VpnDialogs/res/values-ar/strings.xml ++++ b/packages/VpnDialogs/res/values-ar/strings.xml +@@ -33,4 +33,6 @@ + "قطع الاتصال" + "فتح التطبيق" + "تجاهل" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-as/strings.xml b/packages/VpnDialogs/res/values-as/strings.xml +index 45d8458f4d45..9d05505b1fa8 100644 +--- a/packages/VpnDialogs/res/values-as/strings.xml ++++ b/packages/VpnDialogs/res/values-as/strings.xml +@@ -33,4 +33,6 @@ + "সংযোগ বিচ্ছিন্ন কৰক" + "এপ্ খোলক" + "অগ্ৰাহ্য কৰক" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-az/strings.xml b/packages/VpnDialogs/res/values-az/strings.xml +index 2bdf23ee2aa0..47cdeee180ed 100644 +--- a/packages/VpnDialogs/res/values-az/strings.xml ++++ b/packages/VpnDialogs/res/values-az/strings.xml +@@ -33,4 +33,6 @@ + "Əlaqəni kəs" + "Tətbiqi açın" + "İmtina edin" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-b+sr+Latn/strings.xml b/packages/VpnDialogs/res/values-b+sr+Latn/strings.xml +index f40e40670bf3..ea8e60d36ba5 100644 +--- a/packages/VpnDialogs/res/values-b+sr+Latn/strings.xml ++++ b/packages/VpnDialogs/res/values-b+sr+Latn/strings.xml +@@ -33,4 +33,6 @@ + "Prekini vezu" + "Otvori aplikaciju" + "Odbaci" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-be/strings.xml b/packages/VpnDialogs/res/values-be/strings.xml +index 0903c8ece36b..914a1638b14a 100644 +--- a/packages/VpnDialogs/res/values-be/strings.xml ++++ b/packages/VpnDialogs/res/values-be/strings.xml +@@ -33,4 +33,6 @@ + "Адключыцца" + "Адкрыць праграму" + "Адхіліць" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-bg/strings.xml b/packages/VpnDialogs/res/values-bg/strings.xml +index 
9ac853d2016f..e1aa242496de 100644 +--- a/packages/VpnDialogs/res/values-bg/strings.xml ++++ b/packages/VpnDialogs/res/values-bg/strings.xml +@@ -33,4 +33,6 @@ + "Изключване" + "Към приложението" + "Отхвърляне" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-bn/strings.xml b/packages/VpnDialogs/res/values-bn/strings.xml +index 2defd8184c5e..4aadfdd022f9 100644 +--- a/packages/VpnDialogs/res/values-bn/strings.xml ++++ b/packages/VpnDialogs/res/values-bn/strings.xml +@@ -33,4 +33,6 @@ + "সংযোগ বিচ্ছিন্ন করুন" + "অ্যাপটি খুলুন" + "খারিজ করুন" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-bs/strings.xml b/packages/VpnDialogs/res/values-bs/strings.xml +index 56812d59e106..c8537ca6de17 100644 +--- a/packages/VpnDialogs/res/values-bs/strings.xml ++++ b/packages/VpnDialogs/res/values-bs/strings.xml +@@ -33,4 +33,6 @@ + "Prekini vezu" + "Otvori aplikaciju" + "Odbaci" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-ca/strings.xml b/packages/VpnDialogs/res/values-ca/strings.xml +index 97738c316f4b..1702e553f6e3 100644 +--- a/packages/VpnDialogs/res/values-ca/strings.xml ++++ b/packages/VpnDialogs/res/values-ca/strings.xml +@@ -33,4 +33,6 @@ + "Desconnecta" + "Obre l\'aplicació" + "Ignora" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-cs/strings.xml b/packages/VpnDialogs/res/values-cs/strings.xml +index 5cc809c7cb02..909cd2982b27 100644 +--- a/packages/VpnDialogs/res/values-cs/strings.xml ++++ b/packages/VpnDialogs/res/values-cs/strings.xml +@@ -33,4 +33,6 @@ + "Odpojit" + "Do aplikace" + "Zavřít" ++ "%1$s… ( %2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-da/strings.xml b/packages/VpnDialogs/res/values-da/strings.xml +index 7641158af3da..f8985bd263f3 100644 +--- a/packages/VpnDialogs/res/values-da/strings.xml ++++ b/packages/VpnDialogs/res/values-da/strings.xml +@@ -33,4 +33,6 @@ + "Fjern tilknytning" + "Åbn 
app" + "Luk" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-de/strings.xml b/packages/VpnDialogs/res/values-de/strings.xml +index 0f1e00980439..d75736315767 100644 +--- a/packages/VpnDialogs/res/values-de/strings.xml ++++ b/packages/VpnDialogs/res/values-de/strings.xml +@@ -33,4 +33,6 @@ + "Verbindung trennen" + "App öffnen" + "Schließen" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-el/strings.xml b/packages/VpnDialogs/res/values-el/strings.xml +index 78bcc43ff609..13df0dda440d 100644 +--- a/packages/VpnDialogs/res/values-el/strings.xml ++++ b/packages/VpnDialogs/res/values-el/strings.xml +@@ -33,4 +33,6 @@ + "Αποσύνδεση" + "Άνοιγμα εφαρμογής" + "Παράβλεψη" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-en-rAU/strings.xml b/packages/VpnDialogs/res/values-en-rAU/strings.xml +index 6ed50a7668ae..0fb49a1ad7e7 100644 +--- a/packages/VpnDialogs/res/values-en-rAU/strings.xml ++++ b/packages/VpnDialogs/res/values-en-rAU/strings.xml +@@ -33,4 +33,6 @@ + "Disconnect" + "Open app" + "Dismiss" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-en-rCA/strings.xml b/packages/VpnDialogs/res/values-en-rCA/strings.xml +index 6ed50a7668ae..0fb49a1ad7e7 100644 +--- a/packages/VpnDialogs/res/values-en-rCA/strings.xml ++++ b/packages/VpnDialogs/res/values-en-rCA/strings.xml +@@ -33,4 +33,6 @@ + "Disconnect" + "Open app" + "Dismiss" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-en-rGB/strings.xml b/packages/VpnDialogs/res/values-en-rGB/strings.xml +index 6ed50a7668ae..0fb49a1ad7e7 100644 +--- a/packages/VpnDialogs/res/values-en-rGB/strings.xml ++++ b/packages/VpnDialogs/res/values-en-rGB/strings.xml +@@ -33,4 +33,6 @@ + "Disconnect" + "Open app" + "Dismiss" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-en-rIN/strings.xml 
b/packages/VpnDialogs/res/values-en-rIN/strings.xml +index 6ed50a7668ae..0fb49a1ad7e7 100644 +--- a/packages/VpnDialogs/res/values-en-rIN/strings.xml ++++ b/packages/VpnDialogs/res/values-en-rIN/strings.xml +@@ -33,4 +33,6 @@ + "Disconnect" + "Open app" + "Dismiss" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-en-rXC/strings.xml b/packages/VpnDialogs/res/values-en-rXC/strings.xml +index 9d010e63518f..2fb8403a6920 100644 +--- a/packages/VpnDialogs/res/values-en-rXC/strings.xml ++++ b/packages/VpnDialogs/res/values-en-rXC/strings.xml +@@ -33,4 +33,6 @@ + "‎‏‎‎‎‎‎‏‎‏‏‏‎‎‎‎‎‎‏‎‎‏‎‎‎‎‏‏‏‏‏‎‎‏‏‎‏‎‏‏‏‏‎‏‏‎‎‏‎‎‏‏‎‎‏‎‏‏‏‏‏‏‏‏‏‏‎‏‏‎‎‎‎‏‏‎‏‏‎‏‎‏‏‎‏‎‏‏‏‏‎‎‎‎Disconnect‎‏‎‎‏‎" + "‎‏‎‎‎‎‎‏‎‏‏‏‎‎‎‎‎‎‏‎‎‏‎‎‎‎‏‏‏‏‏‏‎‏‏‎‎‏‏‏‎‎‏‎‏‏‏‏‎‏‏‎‏‎‏‎‎‏‎‎‎‏‎‏‏‎‏‎‎‏‏‎‏‎‎‏‎‎‏‎‏‏‏‏‏‏‏‏‎‎‎‏‎‏‏‎Open app‎‏‎‎‏‎" + "‎‏‎‎‎‎‎‏‎‏‏‏‎‎‎‎‎‎‏‎‎‏‎‎‎‎‏‏‏‏‏‏‏‏‎‏‎‏‎‏‏‏‏‏‎‎‎‏‎‏‏‏‎‏‎‎‏‏‎‎‎‎‎‎‏‎‏‏‏‏‎‏‎‎‎‎‎‎‏‎‎‎‎‎‎‎‏‏‎‎‏‏‏‎‏‏‎Dismiss‎‏‎‎‏‎" ++ "‎‏‎‎‎‎‎‏‎‏‏‏‎‎‎‎‎‎‏‎‎‏‎‎‎‎‏‏‏‏‏‏‏‏‏‎‎‎‎‏‎‏‎‏‎‏‏‏‏‏‏‎‎‏‎‏‏‎‏‎‏‏‎‎‏‎‏‏‎‏‏‏‏‏‎‎‏‎‎‏‏‎‏‏‎‏‎‏‏‎‎‏‏‎‏‏‎‎‏‎‎‏‏‎%1$s‎‏‎‎‏‏‏‎… ( ‎‏‎‎‏‏‎%2$s‎‏‎‎‏‏‏‎)‎‏‎‎‏‎" ++ "‎‏‎‎‎‎‎‏‎‏‏‏‎‎‎‎‎‎‏‎‎‏‎‎‎‎‏‏‏‏‏‎‏‏‏‎‏‎‎‎‎‎‏‏‎‏‏‏‏‎‏‎‏‏‎‎‎‎‎‎‏‎‎‏‎‏‏‎‎‏‏‎‏‎‎‏‎‎‏‎‏‏‏‎‏‎‏‏‎‎‏‏‏‎‎‎‏‎‎‏‏‎%1$s‎‏‎‎‏‏‏‎ ( ‎‏‎‎‏‏‎%2$s‎‏‎‎‏‏‏‎)‎‏‎‎‏‎" + +diff --git a/packages/VpnDialogs/res/values-es-rUS/strings.xml b/packages/VpnDialogs/res/values-es-rUS/strings.xml +index 21cfc042e707..4917d6158bba 100644 +--- a/packages/VpnDialogs/res/values-es-rUS/strings.xml ++++ b/packages/VpnDialogs/res/values-es-rUS/strings.xml +@@ -33,4 +33,6 @@ + "Desconectar" + "Abrir app" + "Descartar" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-es/strings.xml b/packages/VpnDialogs/res/values-es/strings.xml +index 372147f2479a..6efb545a97ed 100644 +--- a/packages/VpnDialogs/res/values-es/strings.xml ++++ b/packages/VpnDialogs/res/values-es/strings.xml +@@ -33,4 +33,6 @@ + "Desconectar" + "Abrir aplicación" + "Cerrar" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git 
a/packages/VpnDialogs/res/values-et/strings.xml b/packages/VpnDialogs/res/values-et/strings.xml +index c328cd725396..b15c130f0d70 100644 +--- a/packages/VpnDialogs/res/values-et/strings.xml ++++ b/packages/VpnDialogs/res/values-et/strings.xml +@@ -33,4 +33,6 @@ + "Katkesta ühendus" + "Ava rakendus" + "Loobu" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-eu/strings.xml b/packages/VpnDialogs/res/values-eu/strings.xml +index a3b7716e91d3..a07237366c29 100644 +--- a/packages/VpnDialogs/res/values-eu/strings.xml ++++ b/packages/VpnDialogs/res/values-eu/strings.xml +@@ -33,4 +33,6 @@ + "Deskonektatu" + "Ireki aplikazioa" + "Baztertu" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-fa/strings.xml b/packages/VpnDialogs/res/values-fa/strings.xml +index 56f847c15827..30e7493141c6 100644 +--- a/packages/VpnDialogs/res/values-fa/strings.xml ++++ b/packages/VpnDialogs/res/values-fa/strings.xml +@@ -33,4 +33,6 @@ + "قطع اتصال" + "باز کردن برنامه" + "رد کردن" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-fi/strings.xml b/packages/VpnDialogs/res/values-fi/strings.xml +index 91c918af09c3..40d4a9feb4a1 100644 +--- a/packages/VpnDialogs/res/values-fi/strings.xml ++++ b/packages/VpnDialogs/res/values-fi/strings.xml +@@ -33,4 +33,6 @@ + "Katkaise yhteys" + "Avaa sovellus" + "Hylkää" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-fr-rCA/strings.xml b/packages/VpnDialogs/res/values-fr-rCA/strings.xml +index aa86c7ca8a7f..2bcf6b2ed382 100644 +--- a/packages/VpnDialogs/res/values-fr-rCA/strings.xml ++++ b/packages/VpnDialogs/res/values-fr-rCA/strings.xml +@@ -33,4 +33,6 @@ + "Déconnecter" + "Ouvrir l\'application" + "Ignorer" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-fr/strings.xml b/packages/VpnDialogs/res/values-fr/strings.xml +index 71801197ddf2..820c8f98c806 100644 +--- 
a/packages/VpnDialogs/res/values-fr/strings.xml ++++ b/packages/VpnDialogs/res/values-fr/strings.xml +@@ -33,4 +33,6 @@ + "Déconnecter" + "Ouvrir l\'application" + "Ignorer" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-gl/strings.xml b/packages/VpnDialogs/res/values-gl/strings.xml +index 8a66d081a71b..765e7f7336e2 100644 +--- a/packages/VpnDialogs/res/values-gl/strings.xml ++++ b/packages/VpnDialogs/res/values-gl/strings.xml +@@ -33,4 +33,6 @@ + "Desconectar" + "Abrir aplicación" + "Ignorar" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-gu/strings.xml b/packages/VpnDialogs/res/values-gu/strings.xml +index 961711c57c3d..6faeb8758d0b 100644 +--- a/packages/VpnDialogs/res/values-gu/strings.xml ++++ b/packages/VpnDialogs/res/values-gu/strings.xml +@@ -33,4 +33,6 @@ + "ડિસ્કનેક્ટ કરો" + "ઍપ ખોલો" + "છોડી દો" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-hi/strings.xml b/packages/VpnDialogs/res/values-hi/strings.xml +index 5560a855627f..0e28c2b063d7 100644 +--- a/packages/VpnDialogs/res/values-hi/strings.xml ++++ b/packages/VpnDialogs/res/values-hi/strings.xml +@@ -33,4 +33,6 @@ + "डिस्‍कनेक्‍ट करें" + "ऐप खोलें" + "खारिज करें" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-hr/strings.xml b/packages/VpnDialogs/res/values-hr/strings.xml +index aa9e436f56e7..7d68f0ab4f44 100644 +--- a/packages/VpnDialogs/res/values-hr/strings.xml ++++ b/packages/VpnDialogs/res/values-hr/strings.xml +@@ -33,4 +33,6 @@ + "Prekini vezu" + "Otvori aplikaciju" + "Odbaci" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-hu/strings.xml b/packages/VpnDialogs/res/values-hu/strings.xml +index 703aa792f3c3..97d3946418b4 100644 +--- a/packages/VpnDialogs/res/values-hu/strings.xml ++++ b/packages/VpnDialogs/res/values-hu/strings.xml +@@ -33,4 +33,6 @@ + "Kapcsolat bontása" + "Alkalmazás indítása" + "Bezárás" ++ "%1$s… ( 
%2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-hy/strings.xml b/packages/VpnDialogs/res/values-hy/strings.xml +index c296c8547283..84eace72bb3c 100644 +--- a/packages/VpnDialogs/res/values-hy/strings.xml ++++ b/packages/VpnDialogs/res/values-hy/strings.xml +@@ -33,4 +33,6 @@ + "Անջատել" + "Բացել հավելվածը" + "Փակել" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-in/strings.xml b/packages/VpnDialogs/res/values-in/strings.xml +index 18ef372a8cda..1782b696805b 100644 +--- a/packages/VpnDialogs/res/values-in/strings.xml ++++ b/packages/VpnDialogs/res/values-in/strings.xml +@@ -33,4 +33,6 @@ + "Putuskan sambungan" + "Buka aplikasi" + "Tutup" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-is/strings.xml b/packages/VpnDialogs/res/values-is/strings.xml +index 70fb40fc467c..af87d13e7aaf 100644 +--- a/packages/VpnDialogs/res/values-is/strings.xml ++++ b/packages/VpnDialogs/res/values-is/strings.xml +@@ -33,4 +33,6 @@ + "Aftengja" + "Opna forrit" + "Hunsa" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-it/strings.xml b/packages/VpnDialogs/res/values-it/strings.xml +index 2602493faf00..5689acbea102 100644 +--- a/packages/VpnDialogs/res/values-it/strings.xml ++++ b/packages/VpnDialogs/res/values-it/strings.xml +@@ -33,4 +33,6 @@ + "Disconnetti" + "Apri app" + "Ignora" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-iw/strings.xml b/packages/VpnDialogs/res/values-iw/strings.xml +index 55ac85f2c76a..96233bfa5fdf 100644 +--- a/packages/VpnDialogs/res/values-iw/strings.xml ++++ b/packages/VpnDialogs/res/values-iw/strings.xml +@@ -33,4 +33,6 @@ + "נתק" + "לאפליקציה" + "סגירה" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-ja/strings.xml b/packages/VpnDialogs/res/values-ja/strings.xml +index 8480692e9dd3..32898a3a1ce2 100644 +--- a/packages/VpnDialogs/res/values-ja/strings.xml 
++++ b/packages/VpnDialogs/res/values-ja/strings.xml +@@ -33,4 +33,6 @@ + "切断" + "アプリを開く" + "閉じる" ++ "%1$s…(%2$s)" ++ "%1$s%2$s)" + +diff --git a/packages/VpnDialogs/res/values-ka/strings.xml b/packages/VpnDialogs/res/values-ka/strings.xml +index e5a07532c32e..0cc59d21a1da 100644 +--- a/packages/VpnDialogs/res/values-ka/strings.xml ++++ b/packages/VpnDialogs/res/values-ka/strings.xml +@@ -33,4 +33,6 @@ + "კავშირის გაწყვეტა" + "გახსენით აპი" + "დახურვა" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-kk/strings.xml b/packages/VpnDialogs/res/values-kk/strings.xml +index 79f79c34e1b4..d702f3f4a424 100644 +--- a/packages/VpnDialogs/res/values-kk/strings.xml ++++ b/packages/VpnDialogs/res/values-kk/strings.xml +@@ -33,4 +33,6 @@ + "Ажырату" + "Қолданбаны ашу" + "Жабу" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-km/strings.xml b/packages/VpnDialogs/res/values-km/strings.xml +index 06f34dbf2733..60627104f3f4 100644 +--- a/packages/VpnDialogs/res/values-km/strings.xml ++++ b/packages/VpnDialogs/res/values-km/strings.xml +@@ -33,4 +33,6 @@ + "ផ្ដាច់" + "បើកកម្មវិធី" + "បដិសេធ" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-kn/strings.xml b/packages/VpnDialogs/res/values-kn/strings.xml +index 040cd6c5aeda..254d64de3bdf 100644 +--- a/packages/VpnDialogs/res/values-kn/strings.xml ++++ b/packages/VpnDialogs/res/values-kn/strings.xml +@@ -33,4 +33,6 @@ + "ಸಂಪರ್ಕ ಕಡಿತಗೊಳಿಸು" + "ಅಪ್ಲಿಕೇಶನ್ ತೆರೆಯಿರಿ" + "ವಜಾಗೊಳಿಸಿ" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-ko/strings.xml b/packages/VpnDialogs/res/values-ko/strings.xml +index 6ad497680ae7..d2281938176a 100644 +--- a/packages/VpnDialogs/res/values-ko/strings.xml ++++ b/packages/VpnDialogs/res/values-ko/strings.xml +@@ -33,4 +33,6 @@ + "연결 끊기" + "앱 열기" + "닫기" ++ "%1$s…(%2$s)" ++ "%1$s(%2$s)" + +diff --git a/packages/VpnDialogs/res/values-ky/strings.xml 
b/packages/VpnDialogs/res/values-ky/strings.xml +index 4e2f698bb1e5..452176674571 100644 +--- a/packages/VpnDialogs/res/values-ky/strings.xml ++++ b/packages/VpnDialogs/res/values-ky/strings.xml +@@ -33,4 +33,6 @@ + "Ажыратуу" + "Колдонмону ачуу" + "Четке кагуу" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-lo/strings.xml b/packages/VpnDialogs/res/values-lo/strings.xml +index c591308480c1..1b851e127abd 100644 +--- a/packages/VpnDialogs/res/values-lo/strings.xml ++++ b/packages/VpnDialogs/res/values-lo/strings.xml +@@ -33,4 +33,6 @@ + "ຕັດການເຊື່ອມຕໍ່" + "ເປີດແອັບ" + "ປິດໄວ້" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-lt/strings.xml b/packages/VpnDialogs/res/values-lt/strings.xml +index 8846310730ce..e8e20a8d218d 100644 +--- a/packages/VpnDialogs/res/values-lt/strings.xml ++++ b/packages/VpnDialogs/res/values-lt/strings.xml +@@ -33,4 +33,6 @@ + "Atsijungti" + "Atidaryti programą" + "Atsisakyti" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-lv/strings.xml b/packages/VpnDialogs/res/values-lv/strings.xml +index 07625b6173c6..af19f4dce065 100644 +--- a/packages/VpnDialogs/res/values-lv/strings.xml ++++ b/packages/VpnDialogs/res/values-lv/strings.xml +@@ -33,4 +33,6 @@ + "Pārtraukt savienojumu" + "Atvērt lietotni" + "Nerādīt" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-mk/strings.xml b/packages/VpnDialogs/res/values-mk/strings.xml +index b5a64f213066..4db7e4a50241 100644 +--- a/packages/VpnDialogs/res/values-mk/strings.xml ++++ b/packages/VpnDialogs/res/values-mk/strings.xml +@@ -33,4 +33,6 @@ + "Исклучи" + "Отвори ја апликацијата" + "Отфрли" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-ml/strings.xml b/packages/VpnDialogs/res/values-ml/strings.xml +index 680d0ef539b7..9d3bba43f84c 100644 +--- a/packages/VpnDialogs/res/values-ml/strings.xml ++++ 
b/packages/VpnDialogs/res/values-ml/strings.xml +@@ -33,4 +33,6 @@ + "വിച്ഛേദിക്കുക" + "ആപ്പ് തുറക്കുക" + "നിരസിക്കുക" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-mn/strings.xml b/packages/VpnDialogs/res/values-mn/strings.xml +index 9aa104aff5ab..15f56b155053 100644 +--- a/packages/VpnDialogs/res/values-mn/strings.xml ++++ b/packages/VpnDialogs/res/values-mn/strings.xml +@@ -33,4 +33,6 @@ + "Салгах" + "Апп нээх" + "Хаах" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-mr/strings.xml b/packages/VpnDialogs/res/values-mr/strings.xml +index 318f854340e2..d8fbe904043d 100644 +--- a/packages/VpnDialogs/res/values-mr/strings.xml ++++ b/packages/VpnDialogs/res/values-mr/strings.xml +@@ -33,4 +33,6 @@ + "‍डिस्कनेक्ट करा" + "अ‍ॅप उघडा" + "डिसमिस करा" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-ms/strings.xml b/packages/VpnDialogs/res/values-ms/strings.xml +index b489f2edabc0..a7de3f166303 100644 +--- a/packages/VpnDialogs/res/values-ms/strings.xml ++++ b/packages/VpnDialogs/res/values-ms/strings.xml +@@ -33,4 +33,6 @@ + "Putuskan sambungan" + "Buka apl" + "Ketepikan" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-my/strings.xml b/packages/VpnDialogs/res/values-my/strings.xml +index 9d60ff42a7cd..52675b6092ac 100644 +--- a/packages/VpnDialogs/res/values-my/strings.xml ++++ b/packages/VpnDialogs/res/values-my/strings.xml +@@ -33,4 +33,6 @@ + "ချိတ်ဆက်ခြင်းရပ်ရန်" + "အက်ပ်ကို ဖွင့်ရန်" + "ပယ်ရန်" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-nb/strings.xml b/packages/VpnDialogs/res/values-nb/strings.xml +index be572d4408f8..bad15e913938 100644 +--- a/packages/VpnDialogs/res/values-nb/strings.xml ++++ b/packages/VpnDialogs/res/values-nb/strings.xml +@@ -33,4 +33,6 @@ + "Koble fra" + "Åpne appen" + "Lukk" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git 
a/packages/VpnDialogs/res/values-ne/strings.xml b/packages/VpnDialogs/res/values-ne/strings.xml +index b716c35cfad4..ac21dd1713d1 100644 +--- a/packages/VpnDialogs/res/values-ne/strings.xml ++++ b/packages/VpnDialogs/res/values-ne/strings.xml +@@ -33,4 +33,6 @@ + "विच्छेदन गर्नुहोस्" + "अनुप्रयोग खोल्नुहोस्" + "खारेज गर्नुहोस्" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-nl/strings.xml b/packages/VpnDialogs/res/values-nl/strings.xml +index 8073b09e203c..ab77d5e9f218 100644 +--- a/packages/VpnDialogs/res/values-nl/strings.xml ++++ b/packages/VpnDialogs/res/values-nl/strings.xml +@@ -33,4 +33,6 @@ + "Verbinding verbreken" + "App openen" + "Sluiten" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-or/strings.xml b/packages/VpnDialogs/res/values-or/strings.xml +index f1122ebd4386..40ad247433de 100644 +--- a/packages/VpnDialogs/res/values-or/strings.xml ++++ b/packages/VpnDialogs/res/values-or/strings.xml +@@ -33,4 +33,6 @@ + "ବିଚ୍ଛିନ୍ନ କରନ୍ତୁ" + "ଆପ୍‌ ଖୋଲନ୍ତୁ" + "ଖାରଜ କରନ୍ତୁ" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-pa/strings.xml b/packages/VpnDialogs/res/values-pa/strings.xml +index 1815f4fb0d25..a3b6e04061c1 100644 +--- a/packages/VpnDialogs/res/values-pa/strings.xml ++++ b/packages/VpnDialogs/res/values-pa/strings.xml +@@ -33,4 +33,6 @@ + "ਡਿਸਕਨੈਕਟ ਕਰੋ" + "ਐਪ ਖੋਲ੍ਹੋ" + "ਖਾਰਜ ਕਰੋ" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-pl/strings.xml b/packages/VpnDialogs/res/values-pl/strings.xml +index d5201d7fbdf5..3af093ae9841 100644 +--- a/packages/VpnDialogs/res/values-pl/strings.xml ++++ b/packages/VpnDialogs/res/values-pl/strings.xml +@@ -33,4 +33,6 @@ + "Rozłącz" + "Otwórz aplikację" + "Zamknij" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-pt-rBR/strings.xml b/packages/VpnDialogs/res/values-pt-rBR/strings.xml +index 75c140617cf5..8c1ae840aa15 100644 +--- 
a/packages/VpnDialogs/res/values-pt-rBR/strings.xml ++++ b/packages/VpnDialogs/res/values-pt-rBR/strings.xml +@@ -33,4 +33,6 @@ + "Desconectar" + "Abrir app" + "Dispensar" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-pt-rPT/strings.xml b/packages/VpnDialogs/res/values-pt-rPT/strings.xml +index 01beddbab4e4..34980dc30916 100644 +--- a/packages/VpnDialogs/res/values-pt-rPT/strings.xml ++++ b/packages/VpnDialogs/res/values-pt-rPT/strings.xml +@@ -33,4 +33,6 @@ + "Desligar" + "Abrir aplicação" + "Ignorar" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-pt/strings.xml b/packages/VpnDialogs/res/values-pt/strings.xml +index 75c140617cf5..8c1ae840aa15 100644 +--- a/packages/VpnDialogs/res/values-pt/strings.xml ++++ b/packages/VpnDialogs/res/values-pt/strings.xml +@@ -33,4 +33,6 @@ + "Desconectar" + "Abrir app" + "Dispensar" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-ro/strings.xml b/packages/VpnDialogs/res/values-ro/strings.xml +index 4e60df2eca8e..11137cce96b5 100644 +--- a/packages/VpnDialogs/res/values-ro/strings.xml ++++ b/packages/VpnDialogs/res/values-ro/strings.xml +@@ -33,4 +33,6 @@ + "Deconectați" + "Deschideți aplicația" + "Închideți" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-ru/strings.xml b/packages/VpnDialogs/res/values-ru/strings.xml +index f8fcfb83aa9a..84a71d25cc16 100644 +--- a/packages/VpnDialogs/res/values-ru/strings.xml ++++ b/packages/VpnDialogs/res/values-ru/strings.xml +@@ -33,4 +33,6 @@ + "Разъединить" + "Открыть приложение" + "Закрыть" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-si/strings.xml b/packages/VpnDialogs/res/values-si/strings.xml +index bb97a5d86c5f..e1dbf9774839 100644 +--- a/packages/VpnDialogs/res/values-si/strings.xml ++++ b/packages/VpnDialogs/res/values-si/strings.xml +@@ -33,4 +33,6 @@ + "විසන්ධි කරන්න" + "යෙදුම විවෘත කරන්න" + "ඉවතලන්න" ++ 
"%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-sk/strings.xml b/packages/VpnDialogs/res/values-sk/strings.xml +index 00029641e57b..f5c42280fb86 100644 +--- a/packages/VpnDialogs/res/values-sk/strings.xml ++++ b/packages/VpnDialogs/res/values-sk/strings.xml +@@ -33,4 +33,6 @@ + "Odpojiť" + "Otvoriť aplikáciu" + "Zrušiť" ++ "%1$s… ( %2$s" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-sl/strings.xml b/packages/VpnDialogs/res/values-sl/strings.xml +index d5014fa34394..62bdd03cbe67 100644 +--- a/packages/VpnDialogs/res/values-sl/strings.xml ++++ b/packages/VpnDialogs/res/values-sl/strings.xml +@@ -33,4 +33,6 @@ + "Prekini povezavo" + "Odpri aplikacijo" + "Opusti" ++ "%1$s … (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-sq/strings.xml b/packages/VpnDialogs/res/values-sq/strings.xml +index 4a96e7b92212..50ad7cf02c8e 100644 +--- a/packages/VpnDialogs/res/values-sq/strings.xml ++++ b/packages/VpnDialogs/res/values-sq/strings.xml +@@ -33,4 +33,6 @@ + "Shkëputu" + "Hap aplikacionin" + "Largoje" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-sr/strings.xml b/packages/VpnDialogs/res/values-sr/strings.xml +index 8ce8060e333d..3bc65413b728 100644 +--- a/packages/VpnDialogs/res/values-sr/strings.xml ++++ b/packages/VpnDialogs/res/values-sr/strings.xml +@@ -33,4 +33,6 @@ + "Прекини везу" + "Отвори апликацију" + "Одбаци" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-sv/strings.xml b/packages/VpnDialogs/res/values-sv/strings.xml +index 16b6a31d7d1a..fee6f971824d 100644 +--- a/packages/VpnDialogs/res/values-sv/strings.xml ++++ b/packages/VpnDialogs/res/values-sv/strings.xml +@@ -33,4 +33,6 @@ + "Koppla från" + "Öppna appen" + "Ignorera" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-sw/strings.xml b/packages/VpnDialogs/res/values-sw/strings.xml +index ea2688438b7a..3e696f20fabe 100644 +--- 
a/packages/VpnDialogs/res/values-sw/strings.xml ++++ b/packages/VpnDialogs/res/values-sw/strings.xml +@@ -33,4 +33,6 @@ + "Tenganisha" + "Fungua programu" + "Ondoa" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-ta/strings.xml b/packages/VpnDialogs/res/values-ta/strings.xml +index 3b4cc571d860..8cdffc8579eb 100644 +--- a/packages/VpnDialogs/res/values-ta/strings.xml ++++ b/packages/VpnDialogs/res/values-ta/strings.xml +@@ -33,4 +33,6 @@ + "தொடர்பைத் துண்டி" + "பயன்பாட்டைத் திற" + "நிராகரி" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-te/strings.xml b/packages/VpnDialogs/res/values-te/strings.xml +index 864c926bc615..416f2e399240 100644 +--- a/packages/VpnDialogs/res/values-te/strings.xml ++++ b/packages/VpnDialogs/res/values-te/strings.xml +@@ -33,4 +33,6 @@ + "డిస్‌కనెక్ట్ చేయి" + "యాప్‌ని తెరవండి" + "తీసివేయండి" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-th/strings.xml b/packages/VpnDialogs/res/values-th/strings.xml +index 333ff5fefacc..14e2b7fcb8c9 100644 +--- a/packages/VpnDialogs/res/values-th/strings.xml ++++ b/packages/VpnDialogs/res/values-th/strings.xml +@@ -33,4 +33,6 @@ + "ยกเลิกการเชื่อมต่อ" + "เปิดแอป" + "ปิด" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-tl/strings.xml b/packages/VpnDialogs/res/values-tl/strings.xml +index 9c01c32d0d0d..b79e262ffce9 100644 +--- a/packages/VpnDialogs/res/values-tl/strings.xml ++++ b/packages/VpnDialogs/res/values-tl/strings.xml +@@ -33,4 +33,6 @@ + "Idiskonekta" + "Buksan ang app" + "I-dismiss" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-tr/strings.xml b/packages/VpnDialogs/res/values-tr/strings.xml +index 8665a47e6633..309d116d7715 100644 +--- a/packages/VpnDialogs/res/values-tr/strings.xml ++++ b/packages/VpnDialogs/res/values-tr/strings.xml +@@ -33,4 +33,6 @@ + "Bağlantıyı kes" + "Uygulamayı aç" + "Kapat" ++ "%1$s… ( %2$s)" 
++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-uk/strings.xml b/packages/VpnDialogs/res/values-uk/strings.xml +index 8f91abf990b3..fe726049974a 100644 +--- a/packages/VpnDialogs/res/values-uk/strings.xml ++++ b/packages/VpnDialogs/res/values-uk/strings.xml +@@ -33,4 +33,6 @@ + "Від’єднати" + "Відкрити додаток" + "Закрити" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-ur/strings.xml b/packages/VpnDialogs/res/values-ur/strings.xml +index db0c2971a64c..d2ee5a8d0aa9 100644 +--- a/packages/VpnDialogs/res/values-ur/strings.xml ++++ b/packages/VpnDialogs/res/values-ur/strings.xml +@@ -33,4 +33,6 @@ + "منقطع کریں" + "ایپ کھولیں" + "برخاست کریں" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-uz/strings.xml b/packages/VpnDialogs/res/values-uz/strings.xml +index 5a348a0610d3..854417691e30 100644 +--- a/packages/VpnDialogs/res/values-uz/strings.xml ++++ b/packages/VpnDialogs/res/values-uz/strings.xml +@@ -33,4 +33,6 @@ + "Aloqani uzish" + "Ilovani ochish" + "Yopish" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-vi/strings.xml b/packages/VpnDialogs/res/values-vi/strings.xml +index 097c9aeee013..d74151a819e1 100644 +--- a/packages/VpnDialogs/res/values-vi/strings.xml ++++ b/packages/VpnDialogs/res/values-vi/strings.xml +@@ -33,4 +33,6 @@ + "Ngắt kết nối" + "Mở ứng dụng" + "Loại bỏ" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-zh-rCN/strings.xml b/packages/VpnDialogs/res/values-zh-rCN/strings.xml +index 7e528bdfb04a..92e10fd9fe16 100644 +--- a/packages/VpnDialogs/res/values-zh-rCN/strings.xml ++++ b/packages/VpnDialogs/res/values-zh-rCN/strings.xml +@@ -33,4 +33,6 @@ + "断开连接" + "打开应用" + "关闭" ++ "%1$s…(%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-zh-rHK/strings.xml b/packages/VpnDialogs/res/values-zh-rHK/strings.xml +index f70cd5115e72..9c61128c2e45 100644 +--- 
a/packages/VpnDialogs/res/values-zh-rHK/strings.xml ++++ b/packages/VpnDialogs/res/values-zh-rHK/strings.xml +@@ -33,4 +33,6 @@ + "中斷連線" + "開啟應用程式" + "關閉" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + +diff --git a/packages/VpnDialogs/res/values-zh-rTW/strings.xml b/packages/VpnDialogs/res/values-zh-rTW/strings.xml +index edd8e61d5555..234635091f11 100644 +--- a/packages/VpnDialogs/res/values-zh-rTW/strings.xml ++++ b/packages/VpnDialogs/res/values-zh-rTW/strings.xml +@@ -33,4 +33,6 @@ + "中斷連線" + "開啟應用程式" + "關閉" ++ "%1$s… (%2$s)" ++ "%1$s (%2$s)" + +diff --git a/packages/VpnDialogs/res/values-zu/strings.xml b/packages/VpnDialogs/res/values-zu/strings.xml +index 4ab1225e6fc6..6c7d0471efac 100644 +--- a/packages/VpnDialogs/res/values-zu/strings.xml ++++ b/packages/VpnDialogs/res/values-zu/strings.xml +@@ -33,4 +33,6 @@ + "Ayixhumekile kwi-inthanethi" + "Vula uhlelo lokusebenza" + "Cashisa" ++ "%1$s… ( %2$s)" ++ "%1$s ( %2$s)" + diff --git a/Patches/LineageOS-16.0/android_frameworks_base/361257.patch b/Patches/LineageOS-16.0/android_frameworks_base/361257.patch new file mode 100644 index 00000000..2a314156 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/361257.patch 
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Aaron Liu
+Date: Tue, 28 Mar 2023 13:15:04 -0700
+Subject: [PATCH] DO NOT MERGE Dismiss keyguard when simpin auth'd and...
+
+security method is none. This is mostly to fix the case where we auth
+sim pin in the set up wizard and it goes straight to keyguard instead of
+the setup wizard activity.
+
+This works with the prevent bypass keyguard flag because the device
+should be noe secure in this case.
+
+Fixes: 222446076
+Test: turn locked sim on, which opens the sim pin screen. Auth the
+screen and observe that keyguard is not shown.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48fa9bef3451e4a358c941af5b230f99881c5cb6)
+Cherry-picking this CL as a security fix
+
+Bug: 222446076
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:09f004722284ef6b9790ddf9338a1708b3f0833c)
+Merged-In: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
+Change-Id: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
+---
+ .../src/com/android/keyguard/KeyguardSecurityContainer.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+index 6a71cf84759c..bb205956e932 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+@@ -351,7 +351,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+ case SimPuk:
+ // Shortcut for SIM PIN/PUK to go to directly to user's security screen or home
+ SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId);
+- if (securityMode == SecurityMode.None && mLockPatternUtils.isLockScreenDisabled(
++ if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled(
+ KeyguardUpdateMonitor.getCurrentUser())) {
+ finish = true;
+ } else {
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/361258.patch b/Patches/LineageOS-16.0/android_frameworks_base/361258.patch
new file mode 100644
index 00000000..3b47c5f1
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/361258.patch
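Review bot: The relaxed condition in the `SimPin`/`SimPuk` branch of 361257.patch mixes two user ids, and with `||` either operand alone now sets `finish = true`: `getSecurityMode(targetUserId)` is evaluated for the target user, while `isLockScreenDisabled(KeyguardUpdateMonitor.getCurrentUser())` is evaluated for the current one. If the two ids can differ on this branch (not visible from the hunk), the second operand could finish keyguard for a target user whose security mode is not `None`. I would pass `targetUserId` to both calls, or add a comment such as `// isLockScreenDisabled() is false whenever the user has a secure lock, so this cannot skip a credential screen` once that is confirmed against LockPatternUtils. The enclosing switch starts and ends outside the hunk.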
@@ -0,0 +1,100 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Andr=C3=A1s=20Kurucz?= +Date: Fri, 21 Apr 2023 09:45:07 +0000 +Subject: [PATCH] Truncate ShortcutInfo Id + +Creating Conversation with a ShortcutId longer than 65_535 (max unsigned short), we did not save the conversation settings into the notification_policy.xml due to a restriction in FastDataOutput. +This put us to a state where the user changing the importance or turning off the notifications for the given conversation had no effect on notification behavior. + +Fixes: 273729476 +Test: atest ShortcutManagerTest2 +Test: Create a test app which creates a Conversation with a long shortcutId. Go to the Conversation Settings and turn off Notifications. Post a new Notification to this Conversation and see if it is displayed. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f31df6234091b5b1de258a01dd4b2d8e5415ee2e) +Merged-In: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5 + +Change-Id: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5 +--- + .../java/android/content/pm/ShortcutInfo.java | 20 ++++++++++++++++--- + .../server/pm/ShortcutManagerTest2.java | 10 ++++++++++ + 2 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/core/java/android/content/pm/ShortcutInfo.java b/core/java/android/content/pm/ShortcutInfo.java +index ea476b0abf33..cddad1798219 100644 +--- a/core/java/android/content/pm/ShortcutInfo.java ++++ b/core/java/android/content/pm/ShortcutInfo.java +@@ -214,6 +214,12 @@ public final class ShortcutInfo implements Parcelable { + */ + public static final int DISABLED_REASON_OTHER_RESTORE_ISSUE = 103; + ++ /** ++ * The maximum length of Shortcut ID. IDs will be truncated at this limit. 
++ * @hide ++ */ ++ public static final int MAX_ID_LENGTH = 1000; ++ + /** @hide */ + @IntDef(prefix = { "DISABLED_REASON_" }, value = { + DISABLED_REASON_NOT_DISABLED, +@@ -380,8 +386,7 @@ public final class ShortcutInfo implements Parcelable { + + private ShortcutInfo(Builder b) { + mUserId = b.mContext.getUserId(); +- +- mId = Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided"); ++ mId = getSafeId(Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided")); + + // Note we can't do other null checks here because SM.updateShortcuts() takes partial + // information. +@@ -463,6 +468,14 @@ public final class ShortcutInfo implements Parcelable { + return ret; + } + ++ @NonNull ++ private static String getSafeId(@NonNull String id) { ++ if (id.length() > MAX_ID_LENGTH) { ++ return id.substring(0, MAX_ID_LENGTH); ++ } ++ return id; ++ } ++ + /** + * Throws if any of the mandatory fields is not set. + * +@@ -1851,7 +1864,8 @@ public final class ShortcutInfo implements Parcelable { + final ClassLoader cl = getClass().getClassLoader(); + + mUserId = source.readInt(); +- mId = source.readString(); ++ mId = getSafeId(Preconditions.checkStringNotEmpty(source.readString(), ++ "Shortcut ID must be provided")); + mPackageName = source.readString(); + mActivity = source.readParcelable(cl); + mFlags = source.readInt(); +diff --git a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java +index fcdadaccd2ac..464f563640c1 100644 +--- a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java ++++ b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java +@@ -53,6 +53,7 @@ import java.io.IOException; + import java.io.PrintWriter; + import java.io.StringWriter; + import java.io.Writer; ++import java.util.Collections; + import java.util.Locale; + + /** +@@ -223,6 +224,15 @@ public class 
ShortcutManagerTest2 extends BaseShortcutManagerTest { + }); + } + ++ public void testShortcutIdTruncated() { ++ ShortcutInfo si = new ShortcutInfo.Builder(getTestContext(), ++ String.join("", Collections.nCopies(Short.MAX_VALUE, "s"))).build(); ++ ++ assertTrue( ++ "id must be truncated to MAX_ID_LENGTH", ++ si.getId().length() <= ShortcutInfo.MAX_ID_LENGTH); ++ } ++ + public void testShortcutInfoParcel() { + setCaller(CALLING_PACKAGE_1, USER_10); + ShortcutInfo si = parceled(new ShortcutInfo.Builder(mClientContext) diff --git a/Patches/LineageOS-16.0/android_frameworks_base/361259.patch b/Patches/LineageOS-16.0/android_frameworks_base/361259.patch new file mode 100644 index 00000000..c6315db0 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/361259.patch 
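Review bot: The parcel constructor in 361258.patch now runs `Preconditions.checkStringNotEmpty(source.readString(), ...)`, so unparceling a ShortcutInfo whose id is null or empty throws where `mId = source.readString();` used to accept it, and the new `testShortcutIdTruncated` only exercises the Builder path. I would add a parcel round-trip assertion to that test, e.g. `assertTrue(parceled(si).getId().length() <= ShortcutInfo.MAX_ID_LENGTH);`, and check that no caller unparcels id-less instances. Separately, `getSafeId` truncates silently, so two ids that share their first `MAX_ID_LENGTH` characters end up as the same shortcut id; a javadoc line on `getSafeId` such as `/** Truncates to MAX_ID_LENGTH; longer ids sharing that prefix collide. */` would make the trade-off explicit.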
@@ -0,0 +1,128 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ioana Alexandru +Date: Thu, 27 Apr 2023 12:36:05 +0000 +Subject: [PATCH] Visit URIs in landscape/portrait custom remote views. + +Bug: 277740848 +Test: atest RemoteViewsTest NotificationManagerServiceTest & tested with POC from bug +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e8acb2f660bdb03616989852f9dbbf1726f8237e) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:43e1ae4e0d408604b9e3c18ac0e9bf87529b92a8) +Merged-In: I7d3d35df0ec38945019f71755bed8797b7af4517 +Change-Id: I7d3d35df0ec38945019f71755bed8797b7af4517 +--- + core/java/android/widget/RemoteViews.java | 6 ++ + .../src/android/widget/RemoteViewsTest.java | 65 +++++++++++++++++++ + 2 files changed, 71 insertions(+) + +diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java +index 4865dab6056a..10053dddb0fb 100644 +--- a/core/java/android/widget/RemoteViews.java ++++ b/core/java/android/widget/RemoteViews.java +@@ -543,6 +543,12 @@ public class RemoteViews implements Parcelable, Filter { + mActions.get(i).visitUris(visitor); + } + } ++ if (mLandscape != null) { ++ mLandscape.visitUris(visitor); ++ } ++ if (mPortrait != null) { ++ mPortrait.visitUris(visitor); ++ } + } + + private static void visitIconUri(Icon icon, @NonNull Consumer visitor) { +diff --git a/core/tests/coretests/src/android/widget/RemoteViewsTest.java b/core/tests/coretests/src/android/widget/RemoteViewsTest.java +index 70cf097f42a3..7d2e07ecbd71 100644 +--- a/core/tests/coretests/src/android/widget/RemoteViewsTest.java ++++ b/core/tests/coretests/src/android/widget/RemoteViewsTest.java +@@ -19,6 +19,10 @@ package android.widget; + import static org.junit.Assert.assertEquals; + import static org.junit.Assert.assertSame; + import static org.junit.Assert.assertTrue; ++import static org.mockito.ArgumentMatchers.eq; ++import static 
org.mockito.Mockito.spy; ++import static org.mockito.Mockito.times; ++import static org.mockito.Mockito.verify; + + import android.app.PendingIntent; + import android.content.Context; +@@ -26,6 +30,8 @@ import android.content.Intent; + import android.graphics.Bitmap; + import android.graphics.drawable.BitmapDrawable; + import android.graphics.drawable.Drawable; ++import android.graphics.drawable.Icon; ++import android.net.Uri; + import android.os.AsyncTask; + import android.os.Binder; + import android.os.Parcel; +@@ -46,6 +52,7 @@ import org.junit.runner.RunWith; + import java.util.ArrayList; + import java.util.Arrays; + import java.util.concurrent.CountDownLatch; ++import java.util.function.Consumer; + + /** + * Tests for RemoteViews. +@@ -444,4 +451,62 @@ public class RemoteViewsTest { + } + return found[0]; + } ++ ++ ++ @Test ++ public void visitUris() { ++ RemoteViews views = new RemoteViews(mPackage, R.layout.remote_views_test); ++ ++ final Uri imageUri = Uri.parse("content://media/image"); ++ final Icon icon1 = Icon.createWithContentUri("content://media/icon1"); ++ final Icon icon2 = Icon.createWithContentUri("content://media/icon2"); ++ final Icon icon3 = Icon.createWithContentUri("content://media/icon3"); ++ final Icon icon4 = Icon.createWithContentUri("content://media/icon4"); ++ views.setImageViewUri(R.id.image, imageUri); ++ views.setTextViewCompoundDrawables(R.id.text, icon1, icon2, icon3, icon4); ++ ++ Consumer visitor = (Consumer) spy(Consumer.class); ++ views.visitUris(visitor); ++ verify(visitor, times(1)).accept(eq(imageUri)); ++ verify(visitor, times(1)).accept(eq(icon1.getUri())); ++ verify(visitor, times(1)).accept(eq(icon2.getUri())); ++ verify(visitor, times(1)).accept(eq(icon3.getUri())); ++ verify(visitor, times(1)).accept(eq(icon4.getUri())); ++ } ++ ++ @Test ++ public void visitUris_separateOrientation() { ++ final RemoteViews landscape = new RemoteViews(mPackage, R.layout.remote_views_test); ++ final Uri imageUriL = 
Uri.parse("content://landscape/image"); ++ final Icon icon1L = Icon.createWithContentUri("content://landscape/icon1"); ++ final Icon icon2L = Icon.createWithContentUri("content://landscape/icon2"); ++ final Icon icon3L = Icon.createWithContentUri("content://landscape/icon3"); ++ final Icon icon4L = Icon.createWithContentUri("content://landscape/icon4"); ++ landscape.setImageViewUri(R.id.image, imageUriL); ++ landscape.setTextViewCompoundDrawables(R.id.text, icon1L, icon2L, icon3L, icon4L); ++ ++ final RemoteViews portrait = new RemoteViews(mPackage, 33); ++ final Uri imageUriP = Uri.parse("content://portrait/image"); ++ final Icon icon1P = Icon.createWithContentUri("content://portrait/icon1"); ++ final Icon icon2P = Icon.createWithContentUri("content://portrait/icon2"); ++ final Icon icon3P = Icon.createWithContentUri("content://portrait/icon3"); ++ final Icon icon4P = Icon.createWithContentUri("content://portrait/icon4"); ++ portrait.setImageViewUri(R.id.image, imageUriP); ++ portrait.setTextViewCompoundDrawables(R.id.text, icon1P, icon2P, icon3P, icon4P); ++ ++ RemoteViews views = new RemoteViews(landscape, portrait); ++ ++ Consumer visitor = (Consumer) spy(Consumer.class); ++ views.visitUris(visitor); ++ verify(visitor, times(1)).accept(eq(imageUriL)); ++ verify(visitor, times(1)).accept(eq(icon1L.getUri())); ++ verify(visitor, times(1)).accept(eq(icon2L.getUri())); ++ verify(visitor, times(1)).accept(eq(icon3L.getUri())); ++ verify(visitor, times(1)).accept(eq(icon4L.getUri())); ++ verify(visitor, times(1)).accept(eq(imageUriP)); ++ verify(visitor, times(1)).accept(eq(icon1P.getUri())); ++ verify(visitor, times(1)).accept(eq(icon2P.getUri())); ++ verify(visitor, times(1)).accept(eq(icon3P.getUri())); ++ verify(visitor, times(1)).accept(eq(icon4P.getUri())); ++ } + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/364607.patch b/Patches/LineageOS-16.0/android_frameworks_base/364607.patch new file mode 100644 index 00000000..68ed7d90 --- /dev/null 
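Review bot: `visitUris_separateOrientation` in 361259.patch builds the portrait view with a bare layout id, `new RemoteViews(mPackage, 33)`, while the landscape view uses `R.layout.remote_views_test`. The literal reads as arbitrary, and nothing in the hunk says whether it has to resolve to a real layout. A short comment such as `// any layout id distinct from the landscape one; this view is never inflated`, or a named constant, would document the intent, assuming that is indeed the reason for the value.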
+++ b/Patches/LineageOS-16.0/android_frameworks_base/364607.patch @@ -0,0 +1,109 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jing Ji +Date: Tue, 25 Oct 2022 22:39:52 -0700 +Subject: [PATCH] DO NOT MERGE: ActivityManager#killBackgroundProcesses can + kill caller's own app only + +unless it's a system app. + +Bug: 239423414 +Bug: 223376078 +Test: atest CtsAppTestCases:ActivityManagerTest +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8b382775b258220466a977453905797521e159de) +Merged-In: Iac6baa889965b8ffecd9a43179a4c96632ad1d02 +Change-Id: Iac6baa889965b8ffecd9a43179a4c96632ad1d02 +--- + core/java/android/app/ActivityManager.java | 3 ++ + core/res/AndroidManifest.xml | 6 +++- + .../server/am/ActivityManagerService.java | 32 +++++++++++++++++-- + 3 files changed, 38 insertions(+), 3 deletions(-) + +diff --git a/core/java/android/app/ActivityManager.java b/core/java/android/app/ActivityManager.java +index 83630f4c3693..51411c9e208e 100644 +--- a/core/java/android/app/ActivityManager.java ++++ b/core/java/android/app/ActivityManager.java +@@ -3615,6 +3615,9 @@ public class ActivityManager { + * processes to reclaim memory; the system will take care of restarting + * these processes in the future as needed. + * ++ *

Third party applications can only use this API to kill their own processes. ++ *

++ * + * @param packageName The name of the package whose processes are to + * be killed. + */ +diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml +index 0aafab66dabd..d23501a86b79 100644 +--- a/core/res/AndroidManifest.xml ++++ b/core/res/AndroidManifest.xml +@@ -2092,7 +2092,11 @@ + android:protectionLevel="normal" /> + + + = FIRST_APPLICATION_UID ++ && (proc == null || !proc.info.isSystemApp())) { ++ final String msg = "Permission Denial: killAllBackgroundProcesses() from pid=" ++ + callingPid + ", uid=" + callingUid + " is not allowed"; ++ Slog.w(TAG, msg); ++ // Silently return to avoid existing apps from crashing. ++ return; ++ } ++ + final long callingId = Binder.clearCallingIdentity(); + try { + synchronized (this) { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/364608.patch b/Patches/LineageOS-16.0/android_frameworks_base/364608.patch new file mode 100644 index 00000000..e0fd81b1 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/364608.patch 
@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ioana Alexandru
+Date: Thu, 27 Apr 2023 14:55:28 +0000
+Subject: [PATCH] Verify URI permissions for notification shortcutIcon.
+
+Bug: 277593270
+Test: atest NotificationManagerServiceTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:47e661cbf37e1dedf676f482ac07ffc433c92d0b)
+Merged-In: I1efaa1301bca36895ad4322a919d7421156a60df
+Change-Id: I1efaa1301bca36895ad4322a919d7421156a60df
+---
+ core/java/android/app/Notification.java | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
+index 21bc17172b1f..d8e7d0199615 100644
+--- a/core/java/android/app/Notification.java
++++ b/core/java/android/app/Notification.java
+@@ -17,6 +17,7 @@
+ package android.app;
+
+ import static com.android.internal.util.NotificationColorUtil.satisfiesTextContrast;
++import static android.graphics.drawable.Icon.TYPE_URI;
+
+ import android.annotation.ColorInt;
+ import android.annotation.DrawableRes;
+@@ -2329,6 +2330,14 @@ public class Notification implements Parcelable
+ }
+ }
+
++ private static void visitIconUri(@NonNull Consumer visitor, @Nullable Icon icon) {
++ if (icon == null) return;
++ final int iconType = icon.getType();
++ if (iconType == TYPE_URI /*|| iconType == TYPE_URI_ADAPTIVE_BITMAP*/) {
++ visitor.accept(icon.getUri());
++ }
++ }
++
+ /**
+ * Note all {@link Uri} that are referenced internally, with the expectation
+ * that Uri permission grants will need to be issued to ensure the recipient
+@@ -2344,7 +2353,18 @@ public class Notification implements Parcelable
+ if (bigContentView != null) bigContentView.visitUris(visitor);
+ if (headsUpContentView != null) headsUpContentView.visitUris(visitor);
+
++ visitIconUri(visitor, mSmallIcon);
++ visitIconUri(visitor, mLargeIcon);
++
++ if (actions != null) {
++ for (Action action : actions) {
++ visitIconUri(visitor, action.getIcon());
++ }
++ }
++
+ if (extras != null) {
++ visitIconUri(visitor, extras.getParcelable(EXTRA_LARGE_ICON_BIG));
++
+ visitor.accept(extras.getParcelable(EXTRA_AUDIO_CONTENTS_URI));
+ visitor.accept(extras.getParcelable(EXTRA_BACKGROUND_IMAGE_URI));
+ }
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/364609.patch b/Patches/LineageOS-16.0/android_frameworks_base/364609.patch
new file mode 100644
index 00000000..b301b91d
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/364609.patch
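Review bot: `visitIconUri` in 364608.patch keeps a commented-out condition, `/*|| iconType == TYPE_URI_ADAPTIVE_BITMAP*/`, with no explanation of why this backport drops it. Any icon type left out of that test is never handed to the visitor, so the URI permission check this patch is meant to enable would not see it. Presumably the constant does not exist on this branch; if so, replace the fragment with a comment such as `// TYPE_URI_ADAPTIVE_BITMAP is not defined on this branch, so TYPE_URI is the only Uri-backed icon type here`, so a later rebase does not silently lose the check.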
@@ -0,0 +1,51 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Beverly +Date: Mon, 8 May 2023 16:33:12 +0000 +Subject: [PATCH] On device lockdown, always show the keyguard + +Manual test steps: +1. Enable app pinning and disable "Ask for PIN before unpinning" setting +2. Pin an app (ie: Settings) +3. Lockdown from the power menu +Observe: user is brought to the keyguard, primary auth is required +to enter the device. After entering credential, the device is still in +app pinning mode. + +Test: atest KeyguardViewMediatorTest +Test: manual steps outlined above +Bug: 218495634 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b23c2d5fb6630ea0da503b937f62880594b13e94) +Merged-In: I9a7c5e1acadabd4484e58573331f98dba895f2a2 +Change-Id: I9a7c5e1acadabd4484e58573331f98dba895f2a2 +--- + .../systemui/keyguard/KeyguardViewMediator.java | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +index bac481c8e478..f0d389c15228 100644 +--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java ++++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +@@ -586,6 +586,13 @@ public class KeyguardViewMediator extends SystemUI { + notifyHasLockscreenWallpaperChanged(hasLockscreenWallpaper); + } + } ++ ++ @Override ++ public void onStrongAuthStateChanged(int userId) { ++ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { ++ doKeyguardLocked(null); ++ } ++ } + }; + + ViewMediatorCallback mViewMediatorCallback = new ViewMediatorCallback() { +@@ -1341,7 +1348,8 @@ public class KeyguardViewMediator extends SystemUI { + } + + // if another app is disabling us, don't show +- if (!mExternallyEnabled) { ++ if (!mExternallyEnabled ++ && 
!mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { + if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled"); + + // note: we *should* set mNeedToReshowWhenReenabled=true here, but that makes diff --git a/Patches/LineageOS-16.0/android_frameworks_base/364610.patch b/Patches/LineageOS-16.0/android_frameworks_base/364610.patch new file mode 100644 index 00000000..0da689c9 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/364610.patch 
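Review bot: The new `onStrongAuthStateChanged(int userId)` override in 364609.patch never reads `userId`; it tests `isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())` and calls `doKeyguardLocked(null)` regardless of which user the callback reports. That looks deliberate, since only the current user's lockdown state decides whether keyguard is shown, but the code should say so, e.g. `// userId is ignored on purpose: keyguard is shown whenever the current user is in lockdown`. The enclosing callback object starts outside the hunk, so whether other overrides there filter on the user id cannot be checked from here.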
@@ -0,0 +1,242 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pavel Grafov +Date: Wed, 5 Apr 2023 15:15:41 +0000 +Subject: [PATCH] Ensure policy has no absurdly long strings + +The following APIs now enforce limits and throw IllegalArgumentException +when limits are violated: +* DPM.setTrustAgentConfiguration() limits agent packgage name, + component name, and strings within configuration bundle. +* DPM.setPermittedAccessibilityServices() limits package names. +* DPM.setPermittedInputMethods() limits package names. +* DPM.setAccountManagementDisabled() limits account name. +* DPM.setLockTaskPackages() limits package names. +* DPM.setAffiliationIds() limits id. +* DPM.transferOwnership() limits strings inside the bundle. + +Package names are limited at 223, because they become directory names +and it is a filesystem restriction, see FrameworkParsingPackageUtils. + +All other strings are limited at 65535, because longer ones break binary +XML serializer. + +The following APIs silently truncate strings that are long beyond reason: +* DPM.setShortSupportMessage() truncates message at 200. +* DPM.setLongSupportMessage() truncates message at 20000. +* DPM.setOrganizationName() truncates org name at 200. 
+ +Bug: 260729089 +Test: atest com.android.server.devicepolicy +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bb7e82ceaa6d16267e7b0e14563161b506d26be8) +Merged-In: Idcf54e408722f164d16bf2f24a00cd1f5b626d23 +Change-Id: Idcf54e408722f164d16bf2f24a00cd1f5b626d23 +--- + .../app/admin/DevicePolicyManager.java | 3 +- + .../DevicePolicyManagerService.java | 91 ++++++++++++++++++- + 2 files changed, 90 insertions(+), 4 deletions(-) + +diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java +index 485ce78c3320..28b7ccb7b946 100644 +--- a/core/java/android/app/admin/DevicePolicyManager.java ++++ b/core/java/android/app/admin/DevicePolicyManager.java +@@ -8100,7 +8100,8 @@ public class DevicePolicyManager { + + /** + * Called by a device admin to set the long support message. This will be displayed to the user +- * in the device administators settings screen. ++ * in the device administrators settings screen. If the message is longer than 20000 characters ++ * it may be truncated. + *

+ * If the long support message needs to be localized, it is the responsibility of the + * {@link DeviceAdminReceiver} to listen to the {@link Intent#ACTION_LOCALE_CHANGED} broadcast +diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +index d7539e11bea9..2fd54b4981af 100644 +--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java ++++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +@@ -250,6 +250,7 @@ import java.lang.reflect.Constructor; + import java.nio.charset.StandardCharsets; + import java.text.DateFormat; + import java.time.LocalDate; ++import java.util.ArrayDeque; + import java.util.ArrayList; + import java.util.Arrays; + import java.util.Collection; +@@ -260,6 +261,7 @@ import java.util.List; + import java.util.Map; + import java.util.Map.Entry; + import java.util.Objects; ++import java.util.Queue; + import java.util.Set; + import java.util.concurrent.CountDownLatch; + import java.util.concurrent.TimeUnit; +@@ -325,6 +327,15 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + + private static final int REQUEST_EXPIRE_PASSWORD = 5571; + ++ // Binary XML serializer doesn't support longer strings ++ private static final int MAX_POLICY_STRING_LENGTH = 65535; ++ // FrameworkParsingPackageUtils#MAX_FILE_NAME_SIZE, Android packages are used in dir names. 
++ private static final int MAX_PACKAGE_NAME_LENGTH = 223; ++ ++ private static final int MAX_LONG_SUPPORT_MESSAGE_LENGTH = 20000; ++ private static final int MAX_SHORT_SUPPORT_MESSAGE_LENGTH = 200; ++ private static final int MAX_ORG_NAME_LENGTH = 200; ++ + private static final long MS_PER_DAY = TimeUnit.DAYS.toMillis(1); + + private static final long EXPIRATION_GRACE_PERIOD_MS = 5 * MS_PER_DAY; // 5 days, in ms +@@ -8284,6 +8295,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + } + Preconditions.checkNotNull(admin, "admin is null"); + Preconditions.checkNotNull(agent, "agent is null"); ++ enforceMaxPackageNameLength(agent.getPackageName()); ++ final String agentAsString = agent.flattenToString(); ++ enforceMaxStringLength(agentAsString, "agent name"); ++ if (args != null) { ++ enforceMaxStringLength(args, "args"); ++ } + final int userHandle = UserHandle.getCallingUserId(); + synchronized (getLockObject()) { + ActiveAdmin ap = getActiveAdminForCallerLocked(admin, +@@ -8486,6 +8503,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + Preconditions.checkNotNull(who, "ComponentName is null"); + + if (packageList != null) { ++ for (String pkg : (List) packageList) { ++ enforceMaxPackageNameLength(pkg); ++ } ++ + int userId = UserHandle.getCallingUserId(); + List enabledServices = null; + long id = mInjector.binderClearCallingIdentity(); +@@ -8668,6 +8689,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + + final int callingUserId = mInjector.userHandleGetCallingUserId(); + if (packageList != null) { ++ for (String pkg : (List) packageList) { ++ enforceMaxPackageNameLength(pkg); ++ } ++ + // InputMethodManager fetches input methods for current user. + // So this can only be set when calling user is the current user + // or parent is current user in case of managed profiles. 
+@@ -9608,6 +9633,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + return; + } + Preconditions.checkNotNull(who, "ComponentName is null"); ++ enforceMaxStringLength(accountType, "account type"); + synchronized (getLockObject()) { + ActiveAdmin ap = getActiveAdminForCallerLocked(who, + DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); +@@ -9871,6 +9897,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + throws SecurityException { + Preconditions.checkNotNull(who, "ComponentName is null"); + Preconditions.checkNotNull(packages, "packages is null"); ++ for (String pkg : packages) { ++ enforceMaxPackageNameLength(pkg); ++ } + + synchronized (getLockObject()) { + enforceCanCallLockTaskLocked(who); +@@ -11249,6 +11278,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + if (!mHasFeature) { + return; + } ++ ++ message = truncateIfLonger(message, MAX_LONG_SUPPORT_MESSAGE_LENGTH); ++ + Preconditions.checkNotNull(who, "ComponentName is null"); + final int userHandle = mInjector.userHandleGetCallingUserId(); + synchronized (getLockObject()) { +@@ -11280,6 +11312,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + return; + } + Preconditions.checkNotNull(who, "ComponentName is null"); ++ message = truncateIfLonger(message, MAX_SHORT_SUPPORT_MESSAGE_LENGTH); ++ + final int userHandle = mInjector.userHandleGetCallingUserId(); + synchronized (getLockObject()) { + ActiveAdmin admin = getActiveAdminForUidLocked(who, +@@ -11408,6 +11442,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + Preconditions.checkNotNull(who, "ComponentName is null"); + final int userHandle = mInjector.userHandleGetCallingUserId(); + ++ text = truncateIfLonger(text, MAX_ORG_NAME_LENGTH); ++ + synchronized (getLockObject()) { + ActiveAdmin admin = getActiveAdminForCallerLocked(who, + DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); +@@ -11572,9 +11608,8 @@ public class 
DevicePolicyManagerService extends BaseIDevicePolicyManager { + throw new IllegalArgumentException("ids must not be null"); + } + for (String id : ids) { +- if (TextUtils.isEmpty(id)) { +- throw new IllegalArgumentException("ids must not contain empty string"); +- } ++ Preconditions.checkArgument(!TextUtils.isEmpty(id), "ids must not have empty string"); ++ enforceMaxStringLength(id, "affiliation id"); + } + + final Set affiliationIds = new ArraySet<>(ids); +@@ -12740,6 +12775,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + + Preconditions.checkNotNull(admin, "Admin cannot be null."); + Preconditions.checkNotNull(target, "Target cannot be null."); ++ if (bundle != null) { ++ enforceMaxStringLength(bundle, "bundle"); ++ } + + enforceProfileOrDeviceOwner(admin); + +@@ -13194,4 +13232,51 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { + private static String getManagedProvisioningPackage(Context context) { + return context.getResources().getString(R.string.config_managed_provisioning_package); + } ++ ++ /** ++ * Truncates char sequence to maximum length, nulls are ignored. ++ */ ++ private static CharSequence truncateIfLonger(CharSequence input, int maxLength) { ++ return input == null || input.length() <= maxLength ++ ? input ++ : input.subSequence(0, maxLength); ++ } ++ ++ /** ++ * Throw if string argument is too long to be serialized. ++ */ ++ private static void enforceMaxStringLength(String str, String argName) { ++ Preconditions.checkArgument( ++ str.length() <= MAX_POLICY_STRING_LENGTH, argName + " loo long"); ++ } ++ ++ private static void enforceMaxPackageNameLength(String pkg) { ++ Preconditions.checkArgument( ++ pkg.length() <= MAX_PACKAGE_NAME_LENGTH, "Package name too long"); ++ } ++ ++ /** ++ * Throw if persistable bundle contains any string that we can't serialize. 
++ */ ++ private static void enforceMaxStringLength(PersistableBundle bundle, String argName) { ++ // Persistable bundles can have other persistable bundles as values, traverse with a queue. ++ Queue queue = new ArrayDeque<>(); ++ queue.add(bundle); ++ while (!queue.isEmpty()) { ++ PersistableBundle current = queue.remove(); ++ for (String key : current.keySet()) { ++ enforceMaxStringLength(key, "key in " + argName); ++ Object value = current.get(key); ++ if (value instanceof String) { ++ enforceMaxStringLength((String) value, "string value in " + argName); ++ } else if (value instanceof String[]) { ++ for (String str : (String[]) value) { ++ enforceMaxStringLength(str, "string value in " + argName); ++ } ++ } else if (value instanceof PersistableBundle) { ++ queue.add((PersistableBundle) value); ++ } ++ } ++ } ++ } + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/364611.patch b/Patches/LineageOS-16.0/android_frameworks_base/364611.patch new file mode 100644 index 00000000..a23cf16a --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/364611.patch 
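Review bot: The new helpers `enforceMaxStringLength(String str, String argName)` and `enforceMaxPackageNameLength(String pkg)` in 364610.patch call `.length()` without a null check. A null `accountType`, a null entry in a package list, or a null element of a `String[]` inside the bundle would therefore raise NullPointerException rather than the IllegalArgumentException the commit message promises. Whether null can reach these calls is not visible from the hunks; if it can, guard it explicitly with `Preconditions.checkArgument(str != null, argName + " is null");` or an early `if (str == null) return;`, depending on whether null is a valid value for that API. The error text also has a typo: `argName + " loo long"` should read `argName + " too long"`.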
@@ -0,0 +1,70 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ioana Alexandru +Date: Fri, 12 May 2023 15:41:09 +0000 +Subject: [PATCH] Implement visitUris for RemoteViews ViewGroupActionAdd. + +This is to prevent a vulnerability where notifications can show +resources belonging to other users, since the URI in the nested views +was not being checked. + +Bug: 277740082 +Test: atest RemoteViewsTest NotificationVisitUrisTest +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:850fd984e5f346645b5a941ed7307387c7e4c4de) +Merged-In: I5c71f0bad0a6f6361eb5ceffe8d1e47e936d78f8 +Change-Id: I5c71f0bad0a6f6361eb5ceffe8d1e47e936d78f8 +--- + core/java/android/widget/RemoteViews.java | 5 ++++ + .../src/android/widget/RemoteViewsTest.java | 24 +++++++++++++++++++ + 2 files changed, 29 insertions(+) + +diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java +index 10053dddb0fb..b36d27fc3b3b 100644 +--- a/core/java/android/widget/RemoteViews.java ++++ b/core/java/android/widget/RemoteViews.java +@@ -1672,6 +1672,11 @@ public class RemoteViews implements Parcelable, Filter { + public int getActionTag() { + return VIEW_GROUP_ACTION_ADD_TAG; + } ++ ++ @Override ++ public final void visitUris(@NonNull Consumer visitor) { ++ mNestedViews.visitUris(visitor); ++ } + } + + /** +diff --git a/core/tests/coretests/src/android/widget/RemoteViewsTest.java b/core/tests/coretests/src/android/widget/RemoteViewsTest.java +index 7d2e07ecbd71..1123988e9512 100644 +--- a/core/tests/coretests/src/android/widget/RemoteViewsTest.java ++++ b/core/tests/coretests/src/android/widget/RemoteViewsTest.java +@@ -474,6 +474,30 @@ public class RemoteViewsTest { + verify(visitor, times(1)).accept(eq(icon4.getUri())); + } + ++ @Test ++ public void visitUris_nestedViews() { ++ final RemoteViews outer = new RemoteViews(mPackage, R.layout.remote_views_test); ++ ++ final RemoteViews inner = new RemoteViews(mPackage, 
33); ++ final Uri imageUriI = Uri.parse("content://inner/image"); ++ final Icon icon1 = Icon.createWithContentUri("content://inner/icon1"); ++ final Icon icon2 = Icon.createWithContentUri("content://inner/icon2"); ++ final Icon icon3 = Icon.createWithContentUri("content://inner/icon3"); ++ final Icon icon4 = Icon.createWithContentUri("content://inner/icon4"); ++ inner.setImageViewUri(R.id.image, imageUriI); ++ inner.setTextViewCompoundDrawables(R.id.text, icon1, icon2, icon3, icon4); ++ ++ outer.addView(R.id.layout, inner); ++ ++ Consumer visitor = (Consumer) spy(Consumer.class); ++ outer.visitUris(visitor); ++ verify(visitor, times(1)).accept(eq(imageUriI)); ++ verify(visitor, times(1)).accept(eq(icon1.getUri())); ++ verify(visitor, times(1)).accept(eq(icon2.getUri())); ++ verify(visitor, times(1)).accept(eq(icon3.getUri())); ++ verify(visitor, times(1)).accept(eq(icon4.getUri())); ++ } ++ + @Test + public void visitUris_separateOrientation() { + final RemoteViews landscape = new RemoteViews(mPackage, R.layout.remote_views_test); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/364612.patch b/Patches/LineageOS-16.0/android_frameworks_base/364612.patch new file mode 100644 index 00000000..3e43c08c --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/364612.patch 
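Review bot: The new `visitUris` override on ViewGroupActionAdd in RemoteViews.java (364611.patch) has no comment saying why the nested views must be visited; the reason is only in the commit message. A one-line comment above the delegation would protect it in a later refactor: `// Nested RemoteViews carry their own URIs; visit them so callers can permission-check every one.` The accompanying test covers one level of nesting and builds the inner view with a bare layout id `33`; if that id is arbitrary, a short comment saying so would help the next reader.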
@@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ioana Alexandru +Date: Mon, 15 May 2023 16:15:55 +0000 +Subject: [PATCH] Check URIs in notification public version. + +Bug: 276294099 +Test: atest NotificationManagerServiceTest NotificationVisitUrisTest +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9663d493142b59c65311bc09d48427d3bdde0222) +Merged-In: I670198b213abb2cb29a9865eb9d1e897700508b4 +Change-Id: I670198b213abb2cb29a9865eb9d1e897700508b4 +--- + core/java/android/app/Notification.java | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java +index d8e7d0199615..b2daecc659cc 100644 +--- a/core/java/android/app/Notification.java ++++ b/core/java/android/app/Notification.java +@@ -2346,6 +2346,10 @@ public class Notification implements Parcelable + * @hide + */ + public void visitUris(@NonNull Consumer visitor) { ++ if (publicVersion != null) { ++ publicVersion.visitUris(visitor); ++ } ++ + visitor.accept(sound); + + if (tickerView != null) tickerView.visitUris(visitor); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/364613.patch b/Patches/LineageOS-16.0/android_frameworks_base/364613.patch new file mode 100644 index 00000000..0c3ded3b --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/364613.patch 
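Review bot: The added `publicVersion` branch in Notification.visitUris (364612.patch) has no comment, and the patch touches only Notification.java, so no test visible here pins the behaviour. I would add `// publicVersion is a full Notification with its own URIs; visit them as well.` above the `if`. A unit test that sets a URI only on the public version and asserts the visitor receives it would also help. The body of visitUris continues past the end of the hunk.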
@@ -0,0 +1,125 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Michael Mikhail +Date: Fri, 28 Apr 2023 16:17:16 +0000 +Subject: [PATCH] Verify URI permissions in MediaMetadata + +Add a check for URI permission to make sure that user can access the URI +set in MediaMetadata. If permission is denied, clear the URI string set +in metadata. + +Bug: 271851153 +Test: atest MediaSessionTest +Test: Verified by POC app attached in bug, image of second user is not +the UMO background of the first user. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f95b7fc61d6b3bf49420ded0357bec031f8cbdcf) +Merged-In: I384f8e230c909d8fc8e5f147e2fd3558fec44626 +Change-Id: I384f8e230c909d8fc8e5f147e2fd3558fec44626 +--- + .../server/media/MediaSessionRecord.java | 54 +++++++++++++++---- + 1 file changed, 45 insertions(+), 9 deletions(-) + +diff --git a/services/core/java/com/android/server/media/MediaSessionRecord.java b/services/core/java/com/android/server/media/MediaSessionRecord.java +index 442354bbb6b9..01d09178f7dd 100644 +--- a/services/core/java/com/android/server/media/MediaSessionRecord.java ++++ b/services/core/java/com/android/server/media/MediaSessionRecord.java +@@ -16,7 +16,11 @@ + + package com.android.server.media; + ++import android.app.ActivityManager; ++import android.app.IActivityManager; + import android.app.PendingIntent; ++import android.content.ContentProvider; ++import android.content.ContentResolver; + import android.content.Context; + import android.content.Intent; + import android.content.pm.ParceledListSlice; +@@ -49,6 +53,7 @@ import android.os.Process; + import android.os.RemoteException; + import android.os.ResultReceiver; + import android.os.SystemClock; ++import android.text.TextUtils; + import android.util.Log; + import android.util.Slog; + import android.view.KeyEvent; +@@ -64,6 +69,10 @@ import java.util.ArrayList; + */ + public class MediaSessionRecord implements IBinder.DeathRecipient { + 
private static final String TAG = "MediaSessionRecord"; ++ private static final String[] ART_URIS = new String[] { ++ MediaMetadata.METADATA_KEY_ALBUM_ART_URI, ++ MediaMetadata.METADATA_KEY_ART_URI, ++ MediaMetadata.METADATA_KEY_DISPLAY_ICON_URI}; + private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG); + + /** +@@ -83,6 +92,7 @@ public class MediaSessionRecord implements IBinder.DeathRecipient { + private final SessionStub mSession; + private final SessionCb mSessionCb; + private final MediaSessionService mService; ++ final IActivityManager mAm; + private final Context mContext; + + private final Object mLock = new Object(); +@@ -133,6 +143,7 @@ public class MediaSessionRecord implements IBinder.DeathRecipient { + mAudioManager = (AudioManager) mContext.getSystemService(Context.AUDIO_SERVICE); + mAudioManagerInternal = LocalServices.getService(AudioManagerInternal.class); + mAudioAttrs = new AudioAttributes.Builder().setUsage(AudioAttributes.USAGE_MEDIA).build(); ++ mAm = ActivityManager.getService(); + } + + /** +@@ -792,19 +803,44 @@ public class MediaSessionRecord implements IBinder.DeathRecipient { + @Override + public void setMetadata(MediaMetadata metadata) { + synchronized (mLock) { +- MediaMetadata temp = metadata == null ? 
null : new MediaMetadata.Builder(metadata) +- .build(); +- // This is to guarantee that the underlying bundle is unparceled +- // before we set it to prevent concurrent reads from throwing an +- // exception +- if (temp != null) { +- temp.size(); +- } +- mMetadata = temp; ++ mMetadata = sanitizeMediaMetadata(metadata); + } + mHandler.post(MessageHandler.MSG_UPDATE_METADATA); + } + ++ ++ private MediaMetadata sanitizeMediaMetadata(MediaMetadata metadata) { ++ if (metadata == null) { ++ return null; ++ } ++ MediaMetadata.Builder metadataBuilder = new MediaMetadata.Builder(metadata); ++ for (String key: ART_URIS) { ++ String uriString = metadata.getString(key); ++ if (TextUtils.isEmpty(uriString)) { ++ continue; ++ } ++ Uri uri = Uri.parse(uriString); ++ if (!ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) { ++ continue; ++ } ++ try { ++ mAm.checkGrantUriPermission(getUid(), ++ getPackageName(), ++ ContentProvider.getUriWithoutUserId(uri), ++ Intent.FLAG_GRANT_READ_URI_PERMISSION, ++ ContentProvider.getUserIdFromUri(uri, getUserId())); ++ } catch (RemoteException | SecurityException e) { ++ metadataBuilder.putString(key, null); ++ } ++ } ++ MediaMetadata sanitizedMetadata = metadataBuilder.build(); ++ // sanitizedMetadata.size() guarantees that the underlying bundle is unparceled ++ // before we set it to prevent concurrent reads from throwing an ++ // exception ++ sanitizedMetadata.size(); ++ return sanitizedMetadata; ++ } ++ + @Override + public void setPlaybackState(PlaybackState state) { + int oldState = mPlaybackState == null diff --git a/Patches/LineageOS-16.0/android_frameworks_base/364614.patch b/Patches/LineageOS-16.0/android_frameworks_base/364614.patch new file mode 100644 index 00000000..31116ace --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/364614.patch 
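Review bot: In `sanitizeMediaMetadata` (364613.patch) the `catch (RemoteException | SecurityException e)` block clears the art URI without logging anything, so a rejected URI leaves no trace for anyone investigating later. A warning that names the key and the caller but not the URI would do: `Slog.w(TAG, "Dropping " + key + " from metadata set by uid " + getUid() + ": URI permission check failed");`. Treating RemoteException the same as a denial fails closed, which deserves a short comment. Separately, the check runs while `setMetadata` holds `mLock`; computing the sanitized metadata before entering the `synchronized` block would keep the ActivityManager call outside the lock.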
@@ -0,0 +1,55 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Chandru S +Date: Tue, 16 May 2023 10:41:07 -0700 +Subject: [PATCH] Use Settings.System.getIntForUser instead of getInt to make + sure user specific settings are used + +Bug: 265431505 +Test: atest KeyguardViewMediatorTest +(cherry picked from commit 625e009fc195ba5d658ca2d78ebb23d2770cc6c4) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ce6510deba06bcb72a0e468294b483fc4ac4be17) +Merged-In: I66a660c091c90a957a0fd1e144c013840db3f47e +Change-Id: I66a660c091c90a957a0fd1e144c013840db3f47e +--- + .../systemui/keyguard/KeyguardViewMediator.java | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +index f0d389c15228..820c7eac715a 100644 +--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java ++++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +@@ -935,9 +935,9 @@ public class KeyguardViewMediator extends SystemUI { + final ContentResolver cr = mContext.getContentResolver(); + + // From SecuritySettings +- final long lockAfterTimeout = Settings.Secure.getInt(cr, ++ final long lockAfterTimeout = Settings.Secure.getIntForUser(cr, + Settings.Secure.LOCK_SCREEN_LOCK_AFTER_TIMEOUT, +- KEYGUARD_LOCK_AFTER_DELAY_DEFAULT); ++ KEYGUARD_LOCK_AFTER_DELAY_DEFAULT, userId); + + // From DevicePolicyAdmin + final long policyTimeout = mLockPatternUtils.getDevicePolicyManager() +@@ -949,8 +949,8 @@ public class KeyguardViewMediator extends SystemUI { + timeout = lockAfterTimeout; + } else { + // From DisplaySettings +- long displayTimeout = Settings.System.getInt(cr, SCREEN_OFF_TIMEOUT, +- KEYGUARD_DISPLAY_TIMEOUT_DELAY_DEFAULT); ++ long displayTimeout = Settings.System.getIntForUser(cr, SCREEN_OFF_TIMEOUT, ++ 
KEYGUARD_DISPLAY_TIMEOUT_DELAY_DEFAULT, userId); + + // policy in effect. Make sure we don't go beyond policy limit. + displayTimeout = Math.max(displayTimeout, 0); // ignore negative values +@@ -1792,7 +1792,10 @@ public class KeyguardViewMediator extends SystemUI { + private void playSound(int soundId) { + if (soundId == 0) return; + final ContentResolver cr = mContext.getContentResolver(); +- if (Settings.System.getInt(cr, Settings.System.LOCKSCREEN_SOUNDS_ENABLED, 1) == 1) { ++ int lockscreenSoundsEnabled = Settings.System.getIntForUser(cr, ++ Settings.System.LOCKSCREEN_SOUNDS_ENABLED, 1, ++ KeyguardUpdateMonitor.getCurrentUser()); ++ if (lockscreenSoundsEnabled == 1) { + + mLockSounds.stop(mLockSoundStreamId); + // Init mAudioManager diff --git a/Patches/LineageOS-16.0/android_frameworks_base/364615.patch b/Patches/LineageOS-16.0/android_frameworks_base/364615.patch new file mode 100644 index 00000000..3119d33f --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/364615.patch 
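Review bot: The first two hunks of KeyguardViewMediator.java (364614.patch) pass a `userId` that is defined outside the visible lines, while `playSound` calls `KeyguardUpdateMonitor.getCurrentUser()` directly; it is worth confirming that both resolve to the same user. If they do, a comment at the `getIntForUser` calls would record the intent, for example `// Read the setting of the user the keyguard is shown for, not of the SystemUI process user.` The subject line mentions only Settings.System, but the lock-after-timeout read is on Settings.Secure. All three enclosing methods start and end outside their hunks.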
@@ -0,0 +1,126 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pranav Madapurmath +Date: Thu, 25 May 2023 21:58:19 +0000 +Subject: [PATCH] Resolve StatusHints image exploit across user. + +Because of the INTERACT_ACROSS_USERS permission, an app that implements +a ConnectionService can upload an image icon belonging to another user +by setting it in the StatusHints. Validating the construction of the +StatusHints on the calling user would prevent a malicious app from +registering a connection service with the embedded image icon from a +different user. + +From additional feedback, this CL also addresses potential +vulnerabilities in an app being able to directly invoke the binder for a +means to manipulate the contents of the bundle that are passed with it. +The targeted points of entry are in ConnectionServiceWrapper for the +following APIs: handleCreateConnectionComplete, setStatusHints, +addConferenceCall, and addExistingConnection. + +Fixes: 280797684 +Test: Manual (verified that original exploit is no longer an issue). +Test: Unit test for validating image in StatusHints constructor. +Test: Unit tests to address vulnerabilities via the binder. 
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48223d6034907349c6a3fab3018c1b37d86367af) +Merged-In: I6e70e238b3a5ace1cab41ec5796a6bb4d79769f2 +Change-Id: I6e70e238b3a5ace1cab41ec5796a6bb4d79769f2 +--- + .../java/android/telecom/StatusHints.java | 53 ++++++++++++++++++- + 1 file changed, 51 insertions(+), 2 deletions(-) + +diff --git a/telecomm/java/android/telecom/StatusHints.java b/telecomm/java/android/telecom/StatusHints.java +index 453f408bedba..c75bd2781f9f 100644 +--- a/telecomm/java/android/telecom/StatusHints.java ++++ b/telecomm/java/android/telecom/StatusHints.java +@@ -16,14 +16,19 @@ + + package android.telecom; + ++import android.annotation.Nullable; + import android.annotation.SystemApi; + import android.content.ComponentName; + import android.content.Context; + import android.graphics.drawable.Drawable; + import android.graphics.drawable.Icon; ++import android.os.Binder; + import android.os.Bundle; + import android.os.Parcel; + import android.os.Parcelable; ++import android.os.UserHandle; ++ ++import com.android.internal.annotations.VisibleForTesting; + + import java.util.Objects; + +@@ -33,7 +38,7 @@ import java.util.Objects; + public final class StatusHints implements Parcelable { + + private final CharSequence mLabel; +- private final Icon mIcon; ++ private Icon mIcon; + private final Bundle mExtras; + + /** +@@ -48,10 +53,30 @@ public final class StatusHints implements Parcelable { + + public StatusHints(CharSequence label, Icon icon, Bundle extras) { + mLabel = label; +- mIcon = icon; ++ mIcon = validateAccountIconUserBoundary(icon, Binder.getCallingUserHandle()); + mExtras = extras; + } + ++ /** ++ * @param icon ++ * @hide ++ */ ++ @VisibleForTesting ++ public StatusHints(@Nullable Icon icon) { ++ mLabel = null; ++ mExtras = null; ++ mIcon = icon; ++ } ++ ++ /** ++ * ++ * @param icon ++ * @hide ++ */ ++ public void setIcon(@Nullable Icon icon) { ++ mIcon = icon; ++ } ++ + /** + * @return A package used to load 
the icon. + * +@@ -112,6 +137,30 @@ public final class StatusHints implements Parcelable { + return 0; + } + ++ /** ++ * Validates the StatusHints image icon to see if it's not in the calling user space. ++ * Invalidates the icon if so, otherwise returns back the original icon. ++ * ++ * @param icon ++ * @return icon (validated) ++ * @hide ++ */ ++ public static Icon validateAccountIconUserBoundary(Icon icon, UserHandle callingUserHandle) { ++ // Refer to Icon#getUriString for context. The URI string is invalid for icons of ++ // incompatible types. ++ if (icon != null && (icon.getType() == Icon.TYPE_URI ++ /*|| icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP*/)) { ++ String encodedUser = icon.getUri().getEncodedUserInfo(); ++ // If there is no encoded user, the URI is calling into the calling user space ++ if (encodedUser != null) { ++ int userId = Integer.parseInt(encodedUser); ++ // Do not try to save the icon if the user id isn't in the calling user space. ++ if (userId != callingUserHandle.getIdentifier()) return null; ++ } ++ } ++ return icon; ++ } ++ + @Override + public void writeToParcel(Parcel out, int flags) { + out.writeCharSequence(mLabel); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/366127.patch b/Patches/LineageOS-16.0/android_frameworks_base/366127.patch new file mode 100644 index 00000000..086d1d86 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/366127.patch 
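Review bot: `validateAccountIconUserBoundary` in StatusHints.java (364615.patch) calls `Integer.parseInt(encodedUser)` on the URI's user-info part without handling NumberFormatException, so a non-numeric value there makes the public `StatusHints(label, icon, extras)` constructor throw instead of dropping the icon. Catching the exception and returning null keeps the check failing closed. The patch also removes `final` from `mIcon` and adds a `setIcon` and a test-only constructor that skip this validation; their Javadoc should say that callers are responsible for validating the icon. The rewritten inner block is below.

```java
if (encodedUser != null) {
    final int userId;
    try {
        userId = Integer.parseInt(encodedUser);
    } catch (NumberFormatException e) {
        // User info that is not a numeric user id cannot be matched to the caller; drop the icon.
        return null;
    }
    // … unchanged: compare userId with callingUserHandle.getIdentifier() …
}
```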
@@ -0,0 +1,109 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= +Date: Thu, 15 Jun 2023 18:31:34 +0200 +Subject: [PATCH] Forbid granting access to NLSes with too-long component names + +This makes the limitation, which was previously only checked on the Settings UI, enforced everywhere. + +Fixes: 260570119 +Fixes: 286043036 +Test: atest + manually +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc71156a29427c8b228129f5b1368392f297835b) +Merged-In: I4c25d80978cb37a8fa1531f5045259d25ac64692 +Change-Id: I4c25d80978cb37a8fa1531f5045259d25ac64692 +--- + .../java/android/app/NotificationManager.java | 6 ++++ + .../NotificationManagerService.java | 5 ++++ + .../android/server/vr/VrManagerService.java | 6 +++- + .../NotificationManagerServiceTest.java | 28 +++++++++++++++++++ + 4 files changed, 44 insertions(+), 1 deletion(-) + +diff --git a/core/java/android/app/NotificationManager.java b/core/java/android/app/NotificationManager.java +index f6dc5d15f385..32f40a805502 100644 +--- a/core/java/android/app/NotificationManager.java ++++ b/core/java/android/app/NotificationManager.java +@@ -308,6 +308,12 @@ public class NotificationManager { + */ + public static final int IMPORTANCE_MAX = 5; + ++ /** ++ * Maximum length of the component name of a registered NotificationListenerService. 
++ * @hide ++ */ ++ public static int MAX_SERVICE_COMPONENT_NAME_LENGTH = 500; ++ + private static INotificationManager sService; + + /** @hide */ +diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java +index 0ac51524a648..ca0ec012fb60 100755 +--- a/services/core/java/com/android/server/notification/NotificationManagerService.java ++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java +@@ -3540,6 +3540,11 @@ public class NotificationManagerService extends SystemService { + boolean granted) throws RemoteException { + Preconditions.checkNotNull(listener); + checkCallerIsSystemOrShell(); ++ if (granted && listener.flattenToString().length() ++ > NotificationManager.MAX_SERVICE_COMPONENT_NAME_LENGTH) { ++ throw new IllegalArgumentException( ++ "Component name too long: " + listener.flattenToString()); ++ } + final long identity = Binder.clearCallingIdentity(); + try { + if (mAllowedManagedServicePackages.test(listener.getPackageName())) { +diff --git a/services/core/java/com/android/server/vr/VrManagerService.java b/services/core/java/com/android/server/vr/VrManagerService.java +index faa197e984cf..87f66de5c704 100644 +--- a/services/core/java/com/android/server/vr/VrManagerService.java ++++ b/services/core/java/com/android/server/vr/VrManagerService.java +@@ -1055,7 +1055,11 @@ public class VrManagerService extends SystemService + + for (ComponentName c : possibleServices) { + if (Objects.equals(c.getPackageName(), pkg)) { +- nm.setNotificationListenerAccessGrantedForUser(c, userId, true); ++ try { ++ nm.setNotificationListenerAccessGrantedForUser(c, userId, true); ++ } catch (Exception e) { ++ Slog.w(TAG, "Could not grant NLS access to package " + pkg, e); ++ } + } + } + } +diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java 
b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +index 9592e1905b54..e073e6767da6 100644 +--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java ++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +@@ -2021,6 +2021,34 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + any(), anyInt(), anyBoolean(), anyBoolean()); + } + ++ @Test ++ public void testSetListenerAccessForUser_grantWithNameTooLong_throws() throws Exception { ++ UserHandle user = UserHandle.of(mContext.getUserId() + 10); ++ ComponentName c = new ComponentName("com.example.package", ++ com.google.common.base.Strings.repeat("Blah", 150)); ++ ++ try { ++ mBinderService.setNotificationListenerAccessGrantedForUser(c, user.getIdentifier(), ++ /* enabled= */ true); ++ fail("Should've thrown IllegalArgumentException"); ++ } catch (IllegalArgumentException e) { ++ // Good! ++ } ++ } ++ ++ @Test ++ public void testSetListenerAccessForUser_revokeWithNameTooLong_okay() throws Exception { ++ UserHandle user = UserHandle.of(mContext.getUserId() + 10); ++ ComponentName c = new ComponentName("com.example.package", ++ com.google.common.base.Strings.repeat("Blah", 150)); ++ ++ mBinderService.setNotificationListenerAccessGrantedForUser( ++ c, user.getIdentifier(), /* enabled= */ false); ++ ++ verify(mListeners).setPackageOrComponentEnabled( ++ c.flattenToString(), user.getIdentifier(), true, /* enabled= */ false); ++ } ++ + @Test + public void testSetAssistantAccessForUser() throws Exception { + UserHandle user = UserHandle.of(10); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/366128.patch b/Patches/LineageOS-16.0/android_frameworks_base/366128.patch new file mode 100644 index 00000000..02e2c7d5 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/366128.patch 
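Review bot: `MAX_SERVICE_COMPONENT_NAME_LENGTH` in NotificationManager.java (366127.patch) is declared `public static int` without `final`, so the limit that NotificationManagerService enforces can be reassigned at run time by other code in the same process. It should read `public static final int MAX_SERVICE_COMPONENT_NAME_LENGTH = 500;`. In the service hunk the exception message appends the whole rejected `listener.flattenToString()`, which is over the limit by definition; reporting its length instead keeps the message bounded. The new `catch (Exception e)` in VrManagerService is broader than the IllegalArgumentException this patch introduces.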
@@ -0,0 +1,28 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Dmitry Dementyev +Date: Fri, 30 Jun 2023 14:36:44 -0700 +Subject: [PATCH] Update AccountManagerService checkKeyIntentParceledCorrectly. + +Bug: 265798288 +Test: manual +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b117b506ec0504ff9eb2fa523e82f1879ecb8cc1) +Merged-In: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb +Change-Id: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb +--- + .../com/android/server/accounts/AccountManagerService.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index 36732273ab6f..ec15113c2c78 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -4827,6 +4827,9 @@ public class AccountManagerService + Bundle simulateBundle = p.readBundle(); + p.recycle(); + Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); ++ if (intent != null && intent.getClass() != Intent.class) { ++ return false; ++ } + Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT); + if (intent == null) { + return (simulateIntent == null); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/370693.patch b/Patches/LineageOS-16.0/android_frameworks_base/370693.patch new file mode 100644 index 00000000..cb42760d --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/370693.patch 
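Review bot: The added class check in `checkKeyIntentParceledCorrectly` (366128.patch) returns false with no comment or log line, and the commit message gives no reason either. A comment such as `// Only a plain Intent is accepted under KEY_INTENT; reject subclasses.` states what the line enforces. A warning that logs the rejected class name would make a refusal visible during triage; the logging helper this file uses is not visible in the hunk. `Test: manual` means there is no regression test, so one that expects false for a non-plain Intent under `AccountManager.KEY_INTENT` would pin the behaviour. The method starts and ends outside the hunk.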
@@ -0,0 +1,60 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jean-Michel Trivi +Date: Wed, 7 Dec 2022 04:36:46 +0000 +Subject: [PATCH] RingtoneManager: verify default ringtone is audio + +When a ringtone picker tries to set a ringtone through +RingtoneManager.setActualDefaultRingtoneUri (also +called by com.android.settings.DefaultRingtonePreference), +verify the mimeType can be obtained (not found when caller +doesn't have access to it) and it is an audio resource. + +Bug: 205837340 +Test: atest android.media.audio.cts.RingtoneManagerTest +(cherry picked from commit 38618f9fb16d3b5617e2289354d47abe5af17dad) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:377144b64325dadad102f5233ecb50a4446b205b) +Merged-In: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e +Change-Id: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e +--- + media/java/android/media/RingtoneManager.java | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java +index fefa1ede849e..0e03bfb2502a 100644 +--- a/media/java/android/media/RingtoneManager.java ++++ b/media/java/android/media/RingtoneManager.java +@@ -819,10 +819,10 @@ public class RingtoneManager { + + return ringtoneUri; + } +- ++ + /** + * Sets the {@link Uri} of the default sound for a given sound type. +- * ++ * + * @param context A context used for querying. + * @param type The type whose default sound should be set. 
One of + * {@link #TYPE_RINGTONE}, {@link #TYPE_NOTIFICATION}, or +@@ -843,6 +843,21 @@ public class RingtoneManager { + if(!isInternalRingtoneUri(ringtoneUri)) { + ringtoneUri = ContentProvider.maybeAddUserId(ringtoneUri, context.getUserId()); + } ++ ++ if (ringtoneUri != null) { ++ final String mimeType = resolver.getType(ringtoneUri); ++ if (mimeType == null) { ++ Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri ++ + " ignored: failure to find mimeType (no access from this context?)"); ++ return; ++ } ++ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) { ++ Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri ++ + " ignored: associated mimeType:" + mimeType + " is not an audio type"); ++ return; ++ } ++ } ++ + Settings.System.putStringForUser(resolver, setting, + ringtoneUri != null ? ringtoneUri.toString() : null, context.getUserId()); + diff --git a/Patches/LineageOS-16.0/android_frameworks_base/370694.patch b/Patches/LineageOS-16.0/android_frameworks_base/370694.patch new file mode 100644 index 00000000..de7a0236 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/370694.patch 
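Review bot: `setActualDefaultRingtoneUri` in RingtoneManager.java (370693.patch) now returns without storing anything when the MIME type is missing or not audio, but the Javadoc shown in the first hunk still only says it sets the default sound. The method returns void, so callers cannot tell the difference, and the doc should gain a sentence like `The URI is ignored (and an error is logged) if its MIME type cannot be resolved or is not an audio type.` The accepted types are the literals `"audio/"` and `"application/ogg"`; naming them in constants would make the allow-list easier to audit. The first hunk is whitespace-only.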
@@ -0,0 +1,52 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Josep del Rio +Date: Mon, 26 Jun 2023 11:16:37 +0000 +Subject: [PATCH] Do not share key mappings with JNI object + +The key mapping information between the native key mappings and +the KeyCharacterMap object available in Java is currently shared, +which means that a read can be attempted while it's being modified. + +Because the code changed between R and S, this CL fixes it just +for R; the patch for versions S+ is ag/23785419 + +Bug: 274058082 +Test: Presubmit +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4b3c4620166071561ec44961fb08a56676b4fd6c) +Merged-In: I3be94534dcda365da473f82347ae2e3f57bb1b42 +Change-Id: I3be94534dcda365da473f82347ae2e3f57bb1b42 +--- + core/jni/android_view_InputDevice.cpp | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/core/jni/android_view_InputDevice.cpp b/core/jni/android_view_InputDevice.cpp +index 494fad7900ef..806a88f8f50e 100644 +--- a/core/jni/android_view_InputDevice.cpp ++++ b/core/jni/android_view_InputDevice.cpp +@@ -14,6 +14,7 @@ + * limitations under the License. + */ + ++#include + #include + + #include +@@ -48,9 +49,16 @@ jobject android_view_InputDevice_create(JNIEnv* env, const InputDeviceInfo& devi + return NULL; + } + ++ sp map = deviceInfo.getKeyCharacterMap(); ++ if (map != nullptr) { ++ Parcel parcel; ++ map->writeToParcel(&parcel); ++ map = map->readFromParcel(&parcel); ++ } ++ + ScopedLocalRef kcmObj(env, +- android_view_KeyCharacterMap_create(env, deviceInfo.getId(), +- deviceInfo.getKeyCharacterMap())); ++ android_view_KeyCharacterMap_create(env, deviceInfo.getId(), ++ map)); + if (!kcmObj.get()) { + return NULL; + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/370695.patch b/Patches/LineageOS-16.0/android_frameworks_base/370695.patch new file mode 100644 index 00000000..2d9eaadd --- /dev/null 
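Review bot: In `android_view_InputDevice_create` (370694.patch) the Parcel is read straight after being written, with no rewind in between. Unless `readFromParcel` resets the position itself (not visible here), it starts reading at the end of the data and the copied map would come back empty or invalid. Adding `parcel.setDataPosition(0);` between the `writeToParcel` and `readFromParcel` lines addresses that. The result of `readFromParcel` is also assigned to `map` unchecked; a comment should state whether a null map is acceptable to `android_view_KeyCharacterMap_create`. A one-line comment that the round trip exists to give the Java object its own copy would keep it from being removed as redundant later.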
+++ b/Patches/LineageOS-16.0/android_frameworks_base/370695.patch 
@@ -0,0 +1,150 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tim Yu +Date: Tue, 20 Jun 2023 21:24:36 +0000 +Subject: [PATCH] Verify URI Permissions in Autofill RemoteViews + +Check permissions of URI inside of FillResponse's RemoteViews. If the +current user does not have the required permissions to view the URI, the +RemoteView is dropped from displaying. + +This fixes a security spill in which a user can view content of another +user through a malicious Autofill provider. + +Bug: 283137865 +Fixes: b/283264674 b/281666022 b/281665050 b/281848557 b/281533566 +b/281534749 b/283101289 +Test: Verified by POC app attached in bugs +Test: atest CtsAutoFillServiceTestCases (added new tests) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:26beceb9a252a50374d056b162fa7e8ea55051b3) +Merged-In: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a +Change-Id: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a +--- + .../com/android/server/autofill/Helper.java | 43 +++++++++++++++++++ + .../android/server/autofill/ui/FillUi.java | 11 +++-- + .../android/server/autofill/ui/SaveUi.java | 2 +- + 3 files changed, 52 insertions(+), 4 deletions(-) + +diff --git a/services/autofill/java/com/android/server/autofill/Helper.java b/services/autofill/java/com/android/server/autofill/Helper.java +index f14c8f1aa7f6..a50d87ac81e4 100644 +--- a/services/autofill/java/com/android/server/autofill/Helper.java ++++ b/services/autofill/java/com/android/server/autofill/Helper.java +@@ -18,6 +18,8 @@ package com.android.server.autofill; + + import android.annotation.NonNull; + import android.annotation.Nullable; ++import android.annotation.UserIdInt; ++import android.app.ActivityManager; + import android.app.assist.AssistStructure; + import android.app.assist.AssistStructure.ViewNode; + import android.content.ComponentName; +@@ -29,13 +31,16 @@ import android.util.Slog; + import android.view.WindowManager; + import android.view.autofill.AutofillId; + 
import android.view.autofill.AutofillValue; ++import android.widget.RemoteViews; + + import com.android.internal.logging.nano.MetricsProto.MetricsEvent; + import com.android.internal.util.ArrayUtils; + + import java.io.PrintWriter; ++import java.util.Arrays; + import java.util.ArrayList; + import java.util.LinkedList; ++import java.util.concurrent.atomic.AtomicBoolean; + + public final class Helper { + +@@ -79,6 +84,44 @@ public final class Helper { + throw new UnsupportedOperationException("contains static members only"); + } + ++ private static boolean checkRemoteViewUriPermissions( ++ @UserIdInt int userId, @NonNull RemoteViews rView) { ++ final AtomicBoolean permissionsOk = new AtomicBoolean(true); ++ ++ rView.visitUris(uri -> { ++ int uriOwnerId = android.content.ContentProvider.getUserIdFromUri(uri); ++ boolean allowed = uriOwnerId == userId; ++ permissionsOk.set(allowed && permissionsOk.get()); ++ }); ++ ++ return permissionsOk.get(); ++ } ++ ++ /** ++ * Checks the URI permissions of the remote view, ++ * to see if the current userId is able to access it. ++ * ++ * Returns the RemoteView that is passed if user is able, null otherwise. ++ * ++ * TODO: instead of returning a null remoteview when ++ * the current userId cannot access an URI, ++ * return a new RemoteView with the URI removed. ++ */ ++ public static @Nullable RemoteViews sanitizeRemoteView(RemoteViews rView) { ++ if (rView == null) return null; ++ ++ int userId = ActivityManager.getCurrentUser(); ++ ++ boolean ok = checkRemoteViewUriPermissions(userId, rView); ++ if (!ok) { ++ Slog.w(TAG, ++ "sanitizeRemoteView() user: " + userId ++ + " tried accessing resource that does not belong to them"); ++ } ++ return (ok ? 
rView : null); ++ } ++ ++ + @Nullable + static AutofillId[] toArray(@Nullable ArraySet set) { + if (set == null) return null; +diff --git a/services/autofill/java/com/android/server/autofill/ui/FillUi.java b/services/autofill/java/com/android/server/autofill/ui/FillUi.java +index 8119054f4196..cacfcdff686f 100644 +--- a/services/autofill/java/com/android/server/autofill/ui/FillUi.java ++++ b/services/autofill/java/com/android/server/autofill/ui/FillUi.java +@@ -137,8 +137,9 @@ final class FillUi { + mContext = new ContextThemeWrapper(context, THEME_ID); + final LayoutInflater inflater = LayoutInflater.from(mContext); + +- final RemoteViews headerPresentation = response.getHeader(); +- final RemoteViews footerPresentation = response.getFooter(); ++ final RemoteViews headerPresentation = Helper.sanitizeRemoteView(response.getHeader()); ++ final RemoteViews footerPresentation = Helper.sanitizeRemoteView(response.getFooter()); ++ + final ViewGroup decor; + if (mFullScreen) { + decor = (ViewGroup) inflater.inflate(R.layout.autofill_dataset_picker_fullscreen, null); +@@ -219,6 +220,9 @@ final class FillUi { + ViewGroup container = decor.findViewById(R.id.autofill_dataset_picker); + final View content; + try { ++ if (Helper.sanitizeRemoteView(response.getPresentation()) == null) { ++ throw new RuntimeException("Permission error accessing RemoteView"); ++ } + response.getPresentation().setApplyTheme(THEME_ID); + content = response.getPresentation().apply(mContext, decor, interceptionHandler); + container.addView(content); +@@ -296,7 +300,8 @@ final class FillUi { + final Dataset dataset = response.getDatasets().get(i); + final int index = dataset.getFieldIds().indexOf(focusedViewId); + if (index >= 0) { +- final RemoteViews presentation = dataset.getFieldPresentation(index); ++ final RemoteViews presentation = Helper.sanitizeRemoteView( ++ dataset.getFieldPresentation(index)); + if (presentation == null) { + Slog.w(TAG, "not displaying UI on field " + focusedViewId + " 
because " + + "service didn't provide a presentation for it on " + dataset); +diff --git a/services/autofill/java/com/android/server/autofill/ui/SaveUi.java b/services/autofill/java/com/android/server/autofill/ui/SaveUi.java +index 58823036212d..695171e82773 100644 +--- a/services/autofill/java/com/android/server/autofill/ui/SaveUi.java ++++ b/services/autofill/java/com/android/server/autofill/ui/SaveUi.java +@@ -269,7 +269,7 @@ final class SaveUi { + final int type = info.getType(); + writeLog(MetricsEvent.AUTOFILL_SAVE_CUSTOM_DESCRIPTION, type); + +- final RemoteViews template = customDescription.getPresentation(); ++ final RemoteViews template = Helper.sanitizeRemoteView(customDescription.getPresentation()); + if (template == null) { + Slog.w(TAG, "No remote view on custom description"); + return false; diff --git a/Patches/LineageOS-16.0/android_frameworks_base/370696.patch b/Patches/LineageOS-16.0/android_frameworks_base/370696.patch new file mode 100644 index 00000000..fb16b368 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/370696.patch 
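Review bot: In `checkRemoteViewUriPermissions` (Helper.java) the one-argument `ContentProvider.getUserIdFromUri(uri)` is compared directly with `userId`; if that overload falls back to `UserHandle.USER_CURRENT` for a URI with no embedded user, as it does in AOSP, every such URI fails `uriOwnerId == userId` and the whole RemoteViews is dropped. That fails closed, so it is not a leak, but it would hide legitimate presentations that reference same-user content URIs. Passing the expected user as the default keeps the cross-user rejection while accepting unqualified URIs: `int uriOwnerId = android.content.ContentProvider.getUserIdFromUri(uri, userId);`. Separately, `sanitizeRemoteView` takes the user from `ActivityManager.getCurrentUser()`; whether that always matches the user that owns the autofill session is not visible here and is worth confirming.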
@@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Josep del Rio +Date: Wed, 12 Jul 2023 16:32:05 +0000 +Subject: [PATCH] Fix KCM key mapping cloning + +ag/23792288 tried to fix a security issue by cloning the key +mappings, but unfortunately the parcel was not being rewinded. + +Bug: 274058082 +Test: Confirmed change works in newer Android versions +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:aaaba6cf190d976efdc5db6c78997dbdc9214c15) +Merged-In: I6f75b9202e20d82ebf81a35a2916e653ee1b8372 +Change-Id: I6f75b9202e20d82ebf81a35a2916e653ee1b8372 +--- + core/jni/android_view_InputDevice.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/core/jni/android_view_InputDevice.cpp b/core/jni/android_view_InputDevice.cpp +index 806a88f8f50e..f36300ada64e 100644 +--- a/core/jni/android_view_InputDevice.cpp ++++ b/core/jni/android_view_InputDevice.cpp +@@ -53,6 +53,7 @@ jobject android_view_InputDevice_create(JNIEnv* env, const InputDeviceInfo& devi + if (map != nullptr) { + Parcel parcel; + map->writeToParcel(&parcel); ++ parcel.setDataPosition(0); + map = map->readFromParcel(&parcel); + } + diff --git a/Patches/LineageOS-16.0/android_frameworks_base/370697.patch b/Patches/LineageOS-16.0/android_frameworks_base/370697.patch new file mode 100644 index 00000000..b67adf35 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/370697.patch 
@@ -0,0 +1,49 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hongwei Wang +Date: Wed, 24 May 2023 19:35:44 -0700 +Subject: [PATCH] Disallow loading icon from content URI to PipMenu + +Bug: 278246904 +Test: manually, with the PoC app attached to the bug +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f5a87d8a0dc9190327ba0e6113d5b80ee96abae) +Merged-In: Iecfc1fb962de611cbe3c51a44ba4fded53925a7d +Change-Id: Iecfc1fb962de611cbe3c51a44ba4fded53925a7d +--- + .../systemui/pip/phone/PipMenuActivity.java | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java b/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java +index 615b29f93269..214c58a80727 100644 +--- a/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java ++++ b/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java +@@ -51,6 +51,7 @@ import android.graphics.PointF; + import android.graphics.Rect; + import android.graphics.drawable.ColorDrawable; + import android.graphics.drawable.Drawable; ++import android.graphics.drawable.Icon; + import android.net.Uri; + import android.os.Bundle; + import android.os.Handler; +@@ -508,11 +509,17 @@ public class PipMenuActivity extends Activity { + final RemoteAction action = mActions.get(i); + final ImageView actionView = (ImageView) mActionsGroup.getChildAt(i); + +- // TODO: Check if the action drawable has changed before we reload it +- action.getIcon().loadDrawableAsync(this, d -> { +- d.setTint(Color.WHITE); +- actionView.setImageDrawable(d); +- }, mHandler); ++ final int iconType = action.getIcon().getType(); ++ if (iconType == Icon.TYPE_URI /* || iconType == Icon.TYPE_URI_ADAPTIVE_BITMAP*/) { ++ // Disallow loading icon from content URI ++ actionView.setImageDrawable(null); ++ } else { ++ // TODO: Check if the action drawable has changed 
before we reload it ++ action.getIcon().loadDrawableAsync(this, d -> { ++ d.setTint(Color.WHITE); ++ actionView.setImageDrawable(d); ++ }, mHandler); ++ } + actionView.setContentDescription(action.getContentDescription()); + if (action.isEnabled()) { + actionView.setOnClickListener(v -> { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/370698.patch b/Patches/LineageOS-16.0/android_frameworks_base/370698.patch new file mode 100644 index 00000000..79631de4 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/370698.patch 
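Review bot: The new condition in PipMenuActivity keeps a commented-out clause, `/* || iconType == Icon.TYPE_URI_ADAPTIVE_BITMAP*/`, with no explanation of why it is disabled. Presumably the constant is not defined in this branch's `Icon`; a comment should say so instead of leaving dead code inside the expression, e.g. `// Icon.TYPE_URI_ADAPTIVE_BITMAP is not defined on this branch; TYPE_URI is the only URI-backed type to reject`. The rejection path is also silent, so a warning log line there would make a blanked action icon diagnosable. The enclosing method starts and ends outside the hunk.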
@@ -0,0 +1,59 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kunal Malhotra +Date: Fri, 2 Jun 2023 23:32:02 +0000 +Subject: [PATCH] Fixing DatabaseUtils to detect malformed UTF-16 strings + +Test: tested with POC in bug, also using atest +Bug: 224771621 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fb4a72e3943d166088407e61aa4439ac349f3f12) +Merged-In: Ide65205b83063801971c5778af3154bcf3f0e530 +Change-Id: Ide65205b83063801971c5778af3154bcf3f0e530 +--- + core/java/android/database/DatabaseUtils.java | 32 +++++++++++++------ + 1 file changed, 23 insertions(+), 9 deletions(-) + +diff --git a/core/java/android/database/DatabaseUtils.java b/core/java/android/database/DatabaseUtils.java +index 3d019f07cb84..d3ebfea947db 100644 +--- a/core/java/android/database/DatabaseUtils.java ++++ b/core/java/android/database/DatabaseUtils.java +@@ -337,17 +337,31 @@ public class DatabaseUtils { + */ + public static void appendEscapedSQLString(StringBuilder sb, String sqlString) { + sb.append('\''); +- if (sqlString.indexOf('\'') != -1) { +- int length = sqlString.length(); +- for (int i = 0; i < length; i++) { +- char c = sqlString.charAt(i); +- if (c == '\'') { +- sb.append('\''); ++ int length = sqlString.length(); ++ for (int i = 0; i < length; i++) { ++ char c = sqlString.charAt(i); ++ if (Character.isHighSurrogate(c)) { ++ if (i == length - 1) { ++ continue; ++ } ++ if (Character.isLowSurrogate(sqlString.charAt(i + 1))) { ++ // add them both ++ sb.append(c); ++ sb.append(sqlString.charAt(i + 1)); ++ continue; ++ } else { ++ // this is a lone surrogate, skip it ++ continue; + } +- sb.append(c); + } +- } else +- sb.append(sqlString); ++ if (Character.isLowSurrogate(c)) { ++ continue; ++ } ++ if (c == '\'') { ++ sb.append('\''); ++ } ++ sb.append(c); ++ } + sb.append('\''); + } + 
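Review bot: In `appendEscapedSQLString` the valid-pair branch appends `c` and `sqlString.charAt(i + 1)` but then continues without advancing `i`, so the low surrogate is visited again and is discarded only because the later `Character.isLowSurrogate(c)` check treats it as a lone surrogate. The output is correct, but the two branches are coupled in a way that a later edit to the lone-surrogate handling could turn into a double append. Advancing explicitly keeps the intent local: add `i++;` after the second `sb.append(...)` and before `continue;`. The `i == length - 1` case and the inner `else { continue; }` could then be folded into a single "lone high surrogate, skip" path.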
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/370699.patch b/Patches/LineageOS-16.0/android_frameworks_base/370699.patch new file mode 100644 index 00000000..28820c9a --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/370699.patch @@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Aaron Liu +Date: Thu, 10 Aug 2023 15:37:24 +0000 +Subject: [PATCH] Revert "DO NOT MERGE Dismiss keyguard when simpin auth'd + and..." + +This reverts commit 09f004722284ef6b9790ddf9338a1708b3f0833c. + +Reason for revert: causing a partner bug +Fixes: 295205456 +Bug: 222446076 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8df038265475bb062ead9eec1749ee92a0f5eb4e) +Merged-In: Ida11d98117727f63547b096617a4778bea429e22 +Change-Id: Ida11d98117727f63547b096617a4778bea429e22 + +Change-Id: Ie19925a66a392dd4a4120bbf33e454c38aa41d34 +--- + .../src/com/android/keyguard/KeyguardSecurityContainer.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java +index bb205956e932..6a71cf84759c 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java +@@ -351,7 +351,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + case SimPuk: + // Shortcut for SIM PIN/PUK to go to directly to user's security screen or home + SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId); +- if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled( ++ if (securityMode == SecurityMode.None && mLockPatternUtils.isLockScreenDisabled( + KeyguardUpdateMonitor.getCurrentUser())) { + finish = true; + } else { 
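Review bot: The restored condition in KeyguardSecurityContainer queries two different user ids: `getSecurityMode(targetUserId)` on one side and `isLockScreenDisabled(KeyguardUpdateMonitor.getCurrentUser())` on the other. With `&&` both must hold before `finish = true`, so if the ids can differ the SIM PIN/PUK shortcut is decided from two users' settings; whether they can differ at this point is not visible in the hunk. If they are meant to be the same user, `mLockPatternUtils.isLockScreenDisabled(targetUserId)` would state that directly. The enclosing switch starts and ends outside the hunk.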
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/374921.patch b/Patches/LineageOS-16.0/android_frameworks_base/374921.patch new file mode 100644 index 00000000..7cd01f22 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/374921.patch 
@@ -0,0 +1,52 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nan Wu +Date: Fri, 16 Jun 2023 14:42:24 +0000 +Subject: [PATCH] DO NOT MERGE Fix BAL via notification.publicVersion + +We stripped the token that allows app to retrieve their own notification +and fire their own PI to launch activities from background. But we +forgot to strip the token from notification.publicVersion + +Bug: 278558814 +Test: NotificationManagerTest#testActivityStartFromRetrievedNotification_isBlocked +(cherry picked from commit cf851d81a954f0a6dd0c2fd7defa93932539e7f9) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1896c2e7068c9ec1ab8355d863d7e8107d5d5706) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:75fcbb37617246c43c2af34b12c9ae4b4043f9ac) +Merged-In: I8f25d7a5e47890a0496af023149717e1df482f98 +Change-Id: I8f25d7a5e47890a0496af023149717e1df482f98 +--- + core/java/android/app/Notification.java | 7 +++++-- + .../server/notification/NotificationManagerService.java | 2 +- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java +index b2daecc659cc..d456e3d57039 100644 +--- a/core/java/android/app/Notification.java ++++ b/core/java/android/app/Notification.java +@@ -2860,8 +2860,11 @@ public class Notification implements Parcelable + * + * @hide + */ +- public void setAllowlistToken(@Nullable IBinder token) { +- mWhitelistToken = token; ++ public void clearAllowlistToken() { ++ mWhitelistToken = null; ++ if (publicVersion != null) { ++ publicVersion.clearAllowlistToken(); ++ } + } + + /** +diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java +index ca0ec012fb60..a1e8cd15fd7e 100755 +--- a/services/core/java/com/android/server/notification/NotificationManagerService.java 
++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java +@@ -2702,7 +2702,7 @@ public class NotificationManagerService extends SystemService { + // Remove background token before returning notification to untrusted app, this + // ensures the app isn't able to perform background operations that are + // associated with notification interactions. +- notification.setAllowlistToken(null); ++ notification.clearAllowlistToken(); + return new StatusBarNotification( + sbn.getPackageName(), + sbn.getOpPkg(), diff --git a/Patches/LineageOS-16.0/android_frameworks_base/374922.patch b/Patches/LineageOS-16.0/android_frameworks_base/374922.patch new file mode 100644 index 00000000..fa11b7b7 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/374922.patch 
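Review bot: `clearAllowlistToken()` in Notification.java replaces `setAllowlistToken(@Nullable IBinder token)` under a Javadoc block that begins outside the hunk, so only its `@hide` tail is visible; that comment should now state that the token is cleared on this notification and, recursively, on `publicVersion`. Suggested wording: `Clears the allowlist token of this notification and of its publicVersion, if any, so that neither copy carries it when handed to an app.` Because the setter is removed rather than kept alongside, any other in-tree caller of `setAllowlistToken` would stop compiling; the patch updates the one in NotificationManagerService, and a search of the branch would confirm there are no others.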
@@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: kumarashishg +Date: Thu, 3 Aug 2023 12:01:29 +0000 +Subject: [PATCH] Use type safe API of readParcelableArray + +Bug: 291299076 +Test: Build and flash the device and check if it throws exception for +non UsbInterface object +Test: atest CtsUsbManagerTestCases +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85d7e6712a9eeeed3bdd68ea3c3862c7e88bfe70) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:60bfbde79f2ffb012abced55d358fdf6380c0bae) +Merged-In: I2917c8331b6d56caaa9a6479bcd9a2d089f5f503 +Change-Id: I2917c8331b6d56caaa9a6479bcd9a2d089f5f503 +--- + core/java/android/hardware/usb/UsbConfiguration.java | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/core/java/android/hardware/usb/UsbConfiguration.java b/core/java/android/hardware/usb/UsbConfiguration.java +index 6ce420191ed3..34f5c9d0602f 100644 +--- a/core/java/android/hardware/usb/UsbConfiguration.java ++++ b/core/java/android/hardware/usb/UsbConfiguration.java +@@ -172,7 +172,8 @@ public class UsbConfiguration implements Parcelable { + String name = in.readString(); + int attributes = in.readInt(); + int maxPower = in.readInt(); +- Parcelable[] interfaces = in.readParcelableArray(UsbInterface.class.getClassLoader()); ++ Parcelable[] interfaces = in.readParcelableArray( ++ UsbInterface.class.getClassLoader(), UsbInterface.class); + UsbConfiguration configuration = new UsbConfiguration(id, name, attributes, maxPower); + configuration.setInterfaces(interfaces); + return configuration; diff --git a/Patches/LineageOS-16.0/android_frameworks_base/374923.patch b/Patches/LineageOS-16.0/android_frameworks_base/374923.patch new file mode 100644 index 00000000..5f50d167 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/374923.patch 
@@ -0,0 +1,69 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Songchun Fan +Date: Mon, 14 Aug 2023 15:24:11 -0700 +Subject: [PATCH] verify ringtone URI before setting + +Similar to ag/24422287, but the same URI verification should be done in +SettingsProvider as well, which can be called by apps via +Settings.System API or ContentProvider APIs without using +RingtoneManager. + +BUG: 227201030 +Test: manual with a test app. Will add a CTS test. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1b234678ec122994ccbfc52ac48aafdad7fdb1ed) +Merged-In: Ic0ffa1db14b5660d02880b632a7f2ad9e6e5d84b + +Change-Id: Ic0ffa1db14b5660d02880b632a7f2ad9e6e5d84b +--- + .../providers/settings/SettingsProvider.java | 31 +++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java +index 8e8ee46b8488..b65b612ecad5 100644 +--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java ++++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java +@@ -1497,6 +1497,9 @@ public class SettingsProvider extends ContentProvider { + cacheName = Settings.System.ALARM_ALERT_CACHE; + } + if (cacheName != null) { ++ if (!isValidAudioUri(name, value)) { ++ return false; ++ } + final File cacheFile = new File( + getRingtoneCacheDir(owningUserId), cacheName); + cacheFile.delete(); +@@ -1529,6 +1532,34 @@ public class SettingsProvider extends ContentProvider { + } + } + ++ private boolean isValidAudioUri(String name, String uri) { ++ if (uri != null) { ++ Uri audioUri = Uri.parse(uri); ++ if (Settings.AUTHORITY.equals( ++ ContentProvider.getAuthorityWithoutUserId(audioUri.getAuthority()))) { ++ // Don't accept setting the default uri to self-referential URIs like ++ // Settings.System.DEFAULT_RINGTONE_URI, which 
is an alias to the value of this ++ // setting. ++ return false; ++ } ++ final String mimeType = getContext().getContentResolver().getType(audioUri); ++ if (mimeType == null) { ++ Slog.e(LOG_TAG, ++ "mutateSystemSetting for setting: " + name + " URI: " + audioUri ++ + " ignored: failure to find mimeType (no access from this context?)"); ++ return false; ++ } ++ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg") ++ || mimeType.equals("application/x-flac"))) { ++ Slog.e(LOG_TAG, ++ "mutateSystemSetting for setting: " + name + " URI: " + audioUri ++ + " ignored: associated mimeType: " + mimeType + " is not an audio type"); ++ return false; ++ } ++ } ++ return true; ++ } ++ + private boolean hasWriteSecureSettingsPermission() { + // Write secure settings is a more protected permission. If caller has it we are good. + if (getContext().checkCallingOrSelfPermission(Manifest.permission.WRITE_SECURE_SETTINGS) diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377766.patch b/Patches/LineageOS-16.0/android_frameworks_base/377766.patch new file mode 100644 index 00000000..4cc92385 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/377766.patch 
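Review bot: `isValidAudioUri` resolves the MIME type through `getContext().getContentResolver().getType(audioUri)`, i.e. with the provider's own context, and rejects only authorities equal to `Settings.AUTHORITY`; it never looks at the user id embedded in the URI's authority, although the caller works with `owningUserId` a few lines later for `getRingtoneCacheDir`. Whether the caller's Binder identity is still in effect at this point is not visible in the hunk, so it is unclear that the type lookup reflects what the caller itself may read. If cross-user ringtone URIs are not expected on this path, passing `owningUserId` in and adding `if (ContentProvider.getUserIdFromUri(audioUri, owningUserId) != owningUserId) return false;` would close that gap. The method also has no Javadoc; one sentence stating that a `null` value is accepted and which MIME types count as audio would help.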
@@ -0,0 +1,95 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= +Date: Wed, 5 Jul 2023 13:52:21 +0200 +Subject: [PATCH] Visit Uris added by WearableExtender + +Bug: 283962802 +Test: atest + manual (POC app now crashes on notify() as expected) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a6f44e911f2d7204cc28c710e54f97c96231abab) +Merged-In: I0da18c631eb5e4844a48760c7aaedab715a0bfed +Change-Id: I0da18c631eb5e4844a48760c7aaedab715a0bfed +--- + core/java/android/app/Notification.java | 17 +++++++++++++++- + .../NotificationManagerServiceTest.java | 20 +++++++++++++++++++ + 2 files changed, 36 insertions(+), 1 deletion(-) + +diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java +index d456e3d57039..d1354a7e5c21 100644 +--- a/core/java/android/app/Notification.java ++++ b/core/java/android/app/Notification.java +@@ -1700,6 +1700,10 @@ public class Notification implements Parcelable + } + } + ++ private void visitUris(@NonNull Consumer visitor) { ++ visitIconUri(visitor, getIcon()); ++ } ++ + @Override + public Action clone() { + return new Action( +@@ -2362,7 +2366,7 @@ public class Notification implements Parcelable + + if (actions != null) { + for (Action action : actions) { +- visitIconUri(visitor, action.getIcon()); ++ action.visitUris(visitor); + } + } + +@@ -2390,6 +2394,11 @@ public class Notification implements Parcelable + } + } + } ++ ++ if (extras != null && extras.containsKey(WearableExtender.EXTRA_WEARABLE_EXTENSIONS)) { ++ WearableExtender extender = new WearableExtender(this); ++ extender.visitUris(visitor); ++ } + } + + /** +@@ -9045,6 +9054,12 @@ public class Notification implements Parcelable + mFlags &= ~mask; + } + } ++ ++ private void visitUris(@NonNull Consumer visitor) { ++ for (Action action : mActions) { ++ action.visitUris(visitor); ++ } ++ } + } + + /** +diff --git 
a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +index e073e6767da6..379290bcf0ad 100644 +--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java ++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +@@ -2797,6 +2797,26 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + anyInt(), anyInt()); + } + ++ @Test ++ public void testVisitUris_wearableExtender() { ++ Icon actionIcon = Icon.createWithContentUri("content://media/action"); ++ Icon wearActionIcon = Icon.createWithContentUri("content://media/wearAction"); ++ PendingIntent intent = PendingIntent.getActivity(mContext, 0, new Intent(), ++ PendingIntent.FLAG_IMMUTABLE); ++ Notification n = new Notification.Builder(mContext, "a") ++ .setSmallIcon(android.R.drawable.sym_def_app_icon) ++ .addAction(new Notification.Action.Builder(actionIcon, "Hey!", intent).build()) ++ .extend(new Notification.WearableExtender().addAction( ++ new Notification.Action.Builder(wearActionIcon, "Wear!", intent).build())) ++ .build(); ++ ++ Consumer visitor = (Consumer) spy(Consumer.class); ++ n.visitUris(visitor); ++ ++ verify(visitor).accept(eq(actionIcon.getUri())); ++ verify(visitor).accept(eq(wearActionIcon.getUri())); ++ } ++ + @Test + public void testSetNotificationPolicy_preP_setOldFields() { + ZenModeHelper mZenModeHelper = mock(ZenModeHelper.class); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377767.patch b/Patches/LineageOS-16.0/android_frameworks_base/377767.patch new file mode 100644 index 00000000..b6dab918 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/377767.patch 
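Review bot: The two new private `visitUris` helpers in Notification.java are undocumented and narrow: `Action.visitUris` forwards only `getIcon()`, and `WearableExtender.visitUris` walks only `mActions`. If either class holds other URI-bearing members on this branch, which the hunks do not show, those stay unvisited, and nothing tells a later maintainer that new members must be added here. A short Javadoc on each would record the contract, e.g. `/** Visits the URIs referenced by this action; currently only its icon. Extend when URI-bearing fields are added. */`. The `new WearableExtender(this)` built inside `Notification.visitUris` whenever the extras key is present also deserves a why-comment, since it re-reads the extension bundle on every visit.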
@@ -0,0 +1,123 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kweku Adams +Date: Fri, 23 Sep 2022 21:06:53 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE: Drop invalid data. + +Drop invalid data when writing or reading from XML. PersistableBundle +does lazy unparcelling, so checking the values during unparcelling would +remove the benefit of the lazy unparcelling. Checking the validity when +writing to or reading from XML seems like the best alternative. + +Bug: 246542285 +Bug: 247513680 +Test: install test app with invalid job config, start app to schedule job, then check logcat and jobscheduler persisted file +(cherry picked from commit 666e8ac60a31e2cc52b335b41004263f28a8db06) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b37ab21ce27746a79a2071deee98c61b23c8d9) +Merged-In: Ie817aa0993e9046cb313a750d2323cadc8c1ef15 +Change-Id: Ie817aa0993e9046cb313a750d2323cadc8c1ef15 +--- + core/java/android/os/PersistableBundle.java | 42 +++++++++++++++++---- + 1 file changed, 34 insertions(+), 8 deletions(-) + +diff --git a/core/java/android/os/PersistableBundle.java b/core/java/android/os/PersistableBundle.java +index 40eceb8a04e1..6a6ff64c5a5f 100644 +--- a/core/java/android/os/PersistableBundle.java ++++ b/core/java/android/os/PersistableBundle.java +@@ -18,6 +18,7 @@ package android.os; + + import android.annotation.Nullable; + import android.util.ArrayMap; ++import android.util.Slog; + import android.util.proto.ProtoOutputStream; + + import com.android.internal.util.XmlUtils; +@@ -38,6 +39,8 @@ import java.util.ArrayList; + */ + public final class PersistableBundle extends BaseBundle implements Cloneable, Parcelable, + XmlUtils.WriteMapCallback { ++ private static final String TAG = "PersistableBundle"; ++ + private static final String TAG_PERSISTABLEMAP = "pbundle_as_map"; + public static final PersistableBundle EMPTY; + +@@ -100,7 +103,11 @@ public final class PersistableBundle extends BaseBundle 
implements Cloneable, Pa + * @hide + */ + public PersistableBundle(Bundle b) { +- this(b.getMap()); ++ this(b, true); ++ } ++ ++ private PersistableBundle(Bundle b, boolean throwException) { ++ this(b.getMap(), throwException); + } + + /** +@@ -109,7 +116,7 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa + * @param map a Map containing only those items that can be persisted. + * @throws IllegalArgumentException if any element of #map cannot be persisted. + */ +- private PersistableBundle(ArrayMap map) { ++ private PersistableBundle(ArrayMap map, boolean throwException) { + super(); + mFlags = FLAG_DEFUSABLE; + +@@ -118,16 +125,23 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa + + // Now verify each item throwing an exception if there is a violation. + final int N = mMap.size(); +- for (int i=0; i= 0; --i) { + Object value = mMap.valueAt(i); + if (value instanceof ArrayMap) { + // Fix up any Maps by replacing them with PersistableBundles. 
+- mMap.setValueAt(i, new PersistableBundle((ArrayMap) value)); ++ mMap.setValueAt(i, ++ new PersistableBundle((ArrayMap) value, throwException)); + } else if (value instanceof Bundle) { +- mMap.setValueAt(i, new PersistableBundle(((Bundle) value))); ++ mMap.setValueAt(i, new PersistableBundle((Bundle) value, throwException)); + } else if (!isValidType(value)) { +- throw new IllegalArgumentException("Bad value in PersistableBundle key=" +- + mMap.keyAt(i) + " value=" + value); ++ final String errorMsg = "Bad value in PersistableBundle key=" ++ + mMap.keyAt(i) + " value=" + value; ++ if (throwException) { ++ throw new IllegalArgumentException(errorMsg); ++ } else { ++ Slog.wtfStack(TAG, errorMsg); ++ mMap.removeAt(i); ++ } + } + } + } +@@ -242,6 +256,15 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa + /** @hide */ + public void saveToXml(XmlSerializer out) throws IOException, XmlPullParserException { + unparcel(); ++ // Explicitly drop invalid types an attacker may have added before persisting. ++ for (int i = mMap.size() - 1; i >= 0; --i) { ++ final Object value = mMap.valueAt(i); ++ if (!isValidType(value)) { ++ Slog.e(TAG, "Dropping bad data before persisting: " ++ + mMap.keyAt(i) + "=" + value); ++ mMap.removeAt(i); ++ } ++ } + XmlUtils.writeMapXml(mMap, out, this); + } + +@@ -290,9 +313,12 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa + while (((event = in.next()) != XmlPullParser.END_DOCUMENT) && + (event != XmlPullParser.END_TAG || in.getDepth() < outerDepth)) { + if (event == XmlPullParser.START_TAG) { ++ // Don't throw an exception when restoring from XML since an attacker could try to ++ // input invalid data in the persisted file. + return new PersistableBundle((ArrayMap) + XmlUtils.readThisArrayMapXml(in, startTag, tagName, +- new MyReadMapCallback())); ++ new MyReadMapCallback()), ++ /* throwException */ false); + } + } + return EMPTY; 
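Review bot: Both new log statements in PersistableBundle concatenate the rejected object itself into the message: `" value=" + value` feeding `Slog.wtfStack(TAG, errorMsg)` in the constructor, and `mMap.keyAt(i) + "=" + value` in the `Slog.e` call in `saveToXml`. On these paths the value has just failed `isValidType`, and the added comments themselves treat it as attacker-supplied, so calling its `toString()` puts arbitrary and possibly very large content into the system log. Logging the type is enough to diagnose the drop, e.g. `+ mMap.keyAt(i) + " type=" + value.getClass().getName()`, assuming `isValidType` accepts null so that `value` is non-null here. The private constructor's Javadoc still states `@throws IllegalArgumentException` unconditionally and should mention `throwException`. The loop header in the constructor hunk is garbled on this page, so the iteration change there cannot be checked from this view.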
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377768.patch b/Patches/LineageOS-16.0/android_frameworks_base/377768.patch new file mode 100644 index 00000000..03d413e1 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/377768.patch 
@@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Marzia Favaro +Date: Mon, 31 Jul 2023 15:10:34 +0000 +Subject: [PATCH] BACKPORT: Require permission to unlock keyguard + +Bug: 288896339 +Test: Manual, verify that the app which can be found on the bug can no longer call +keyguardGoingAway successfully + +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bd2aa5d309c5bf8e73161975bd5aba7945b25e84) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ef1345d278bd2a8944c6362bf65cff7305ca6fc5) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ad8e7e3b1db22684988a179e23639567a4096ca6) +Merged-In: I7ba7e56f954c8e6f1f734311f735215918975bc6 +Change-Id: I7ba7e56f954c8e6f1f734311f735215918975bc6 + +Change-Id: I8e12811b4171dba1c1ea564362f90c0ce006dc15 +--- + .../core/java/com/android/server/am/ActivityManagerService.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java +index 44761a523abb..c0025e0a2018 100644 +--- a/services/core/java/com/android/server/am/ActivityManagerService.java ++++ b/services/core/java/com/android/server/am/ActivityManagerService.java +@@ -19,6 +19,7 @@ package com.android.server.am; + import static android.Manifest.permission.BIND_VOICE_INTERACTION; + import static android.Manifest.permission.CHANGE_CONFIGURATION; + import static android.Manifest.permission.CHANGE_DEVICE_IDLE_TEMP_WHITELIST; ++import static android.Manifest.permission.CONTROL_KEYGUARD; + import static android.Manifest.permission.CONTROL_REMOTE_APP_TRANSITION_ANIMATIONS; + import static android.Manifest.permission.INTERACT_ACROSS_USERS; + import static android.Manifest.permission.INTERACT_ACROSS_USERS_FULL; +@@ -8170,6 +8171,7 @@ public class ActivityManagerService extends IActivityManager.Stub + + @Override + 
public void keyguardGoingAway(int flags) { ++ enforceCallingPermission(CONTROL_KEYGUARD, "keyguardGoingAway()"); + enforceNotIsolatedCaller("keyguardGoingAway"); + final long token = Binder.clearCallingIdentity(); + try { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377769.patch b/Patches/LineageOS-16.0/android_frameworks_base/377769.patch new file mode 100644 index 00000000..a7d671bb --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/377769.patch 
@@ -0,0 +1,71 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pawan Wagh +Date: Tue, 13 Jun 2023 17:37:26 +0000 +Subject: [PATCH] Use readUniqueFileDescriptor in incidentd service + +readFileDescriptor doesn't provide ownership of the fds. fdopen +needs ownership of the fds. Fds read from parcel should be duped +in this scenario and readUniqueFileDescriptor dups fds internally. + +Test: m incidentd_service_fuzzer && adb sync data && adb shell /data/fuzz/x86_64/incidentd_service_fuzzer/incidentd_service_fuzzer +Test: atest incidentd_test +Bug: 286931110 +Bug: 283699145 +(cherry picked from commit ba78ef276951269f7b024baebdf1b8fa40bedb23) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b4aaf180ee8f3e375c7ab411f03cf9c24c1d8055) +Merged-In: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e +Change-Id: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e +--- + cmds/incidentd/src/IncidentService.cpp | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/cmds/incidentd/src/IncidentService.cpp b/cmds/incidentd/src/IncidentService.cpp +index e305b5462b77..5610a40b7891 100644 +--- a/cmds/incidentd/src/IncidentService.cpp ++++ b/cmds/incidentd/src/IncidentService.cpp +@@ -258,12 +258,21 @@ Status IncidentService::systemRunning() { + status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel* reply, + uint32_t flags) { + status_t err; ++ status_t status; + + switch (code) { + case SHELL_COMMAND_TRANSACTION: { +- int in = data.readFileDescriptor(); +- int out = data.readFileDescriptor(); +- int err = data.readFileDescriptor(); ++ unique_fd in, out, err; ++ ++ status = data.readUniqueFileDescriptor(&in); ++ if (status != OK) return status; ++ ++ status = data.readUniqueFileDescriptor(&out); ++ if (status != OK) return status; ++ ++ status = data.readUniqueFileDescriptor(&err); ++ if (status != OK) return status; ++ + int argc = data.readInt32(); + Vector args; + for 
(int i = 0; i < argc && data.dataAvail() > 0; i++) { +@@ -273,15 +282,15 @@ status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel* + sp resultReceiver = + IResultReceiver::asInterface(data.readStrongBinder()); + +- FILE* fin = fdopen(in, "r"); +- FILE* fout = fdopen(out, "w"); +- FILE* ferr = fdopen(err, "w"); ++ FILE* fin = fdopen(in.release(), "r"); ++ FILE* fout = fdopen(out.release(), "w"); ++ FILE* ferr = fdopen(err.release(), "w"); + + if (fin == NULL || fout == NULL || ferr == NULL) { + resultReceiver->send(NO_MEMORY); + } else { +- err = command(fin, fout, ferr, args); +- resultReceiver->send(err); ++ status_t result = command(fin, fout, ferr, args); ++ resultReceiver->send(result); + } + + if (fin != NULL) { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377770.patch b/Patches/LineageOS-16.0/android_frameworks_base/377770.patch new file mode 100644 index 00000000..bcc023bf --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/377770.patch 
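Review bot: On the new side, `fdopen(in.release(), "r")` gives up ownership of the descriptor before `fdopen` has succeeded, and the same holds for `out` and `err`. When `fdopen` returns NULL, which is the branch that sends `NO_MEMORY`, the descriptor duplicated by `readUniqueFileDescriptor` is owned by nothing and is never closed. That leaks descriptors in incidentd for every failed transaction. Calling `fdopen` on `get()` and releasing only after success keeps the `unique_fd` responsible for closing on the failure path. `onTransact` continues outside the hunk, so the `fclose` handling is assumed to stay as it is.

```cpp
// … unchanged: readUniqueFileDescriptor calls and argument parsing …
// Hand each descriptor to stdio only once fdopen() has succeeded, so a
// failed fdopen() leaves it owned by the unique_fd and closed on return.
FILE* fin = fdopen(in.get(), "r");
if (fin != NULL) (void)in.release();
FILE* fout = fdopen(out.get(), "w");
if (fout != NULL) (void)out.release();
FILE* ferr = fdopen(err.get(), "w");
if (ferr != NULL) (void)err.release();
// … unchanged: command dispatch, resultReceiver->send and fclose handling …
```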
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting
+Date: Mon, 24 Jul 2023 14:58:56 -0700
+Subject: [PATCH] Validate userId when publishing shortcuts
+
+Bug: 288110451
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01bfd04ff445db6290ae430d44ea1bf1a115fe3c)
+Merged-In: Idbde676f871db83825155730e3714f3727e25762
+Change-Id: Idbde676f871db83825155730e3714f3727e25762
+---
+ services/core/java/com/android/server/pm/ShortcutService.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
+index e30da13d7d16..d97f653c8326 100644
+--- a/services/core/java/com/android/server/pm/ShortcutService.java
++++ b/services/core/java/com/android/server/pm/ShortcutService.java
+@@ -1582,6 +1582,10 @@ public class ShortcutService extends IShortcutService.Stub {
+ android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, "");
+ throw new SecurityException("Shortcut package name mismatch");
+ }
++ final int callingUid = injectBinderCallingUid();
++ if (UserHandle.getUserId(callingUid) != si.getUserId()) {
++ throw new SecurityException("User-ID in shortcut doesn't match the caller");
++ }
+ }
+
+ private void verifyShortcutInfoPackages(
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377771.patch b/Patches/LineageOS-16.0/android_frameworks_base/377771.patch
new file mode 100644
index 00000000..7c1b6434
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/377771.patch
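Review bot: The added user-ID mismatch branch throws without recording anything, while the package-name mismatch branch directly above it writes an event with `android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, "")` before throwing. To keep the two rejections consistent and make refused cross-user publishes visible in the event log, consider adding `android.util.EventLog.writeEvent(0x534e4554, "288110451", callingUid, "");` before the new `throw`, using the bug number from this patch's description. The enclosing method starts outside the hunk, so it cannot be told from here whether system-internal callers acting for another user also pass through this check.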
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Beverly Tai
+Date: Thu, 14 Sep 2023 20:50:28 +0000
+Subject: [PATCH] Revert "On device lockdown, always show the keyguard"
+
+This reverts commit b23c2d5fb6630ea0da503b937f62880594b13e94.
+
+Reason for revert: b/300463732 regression
+Bug: 300463732
+Bug: 218495634
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f57217125f2b124c16c463ef4507fb054cc1ba4f)
+Merged-In: I31485d0d8caa3060e998636b071dbe03f6b4fc82
+Change-Id: I31485d0d8caa3060e998636b071dbe03f6b4fc82
+---
+ .../systemui/keyguard/KeyguardViewMediator.java | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+index 820c7eac715a..292e9e752052 100644
+--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
++++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+@@ -586,13 +586,6 @@ public class KeyguardViewMediator extends SystemUI {
+ notifyHasLockscreenWallpaperChanged(hasLockscreenWallpaper);
+ }
+ }
+-
+- @Override
+- public void onStrongAuthStateChanged(int userId) {
+- if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
+- doKeyguardLocked(null);
+- }
+- }
+ };
+
+ ViewMediatorCallback mViewMediatorCallback = new ViewMediatorCallback() {
+@@ -1348,8 +1341,7 @@ public class KeyguardViewMediator extends SystemUI {
+ }
+
+ // if another app is disabling us, don't show
+- if (!mExternallyEnabled
+- && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
++ if (!mExternallyEnabled) {
+ if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled");
+
+ // note: we *should* set mNeedToReshowWhenReenabled=true here, but that makes
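Review bot: Once the `isUserInLockdown` term is gone from the `!mExternallyEnabled` test and the `onStrongAuthStateChanged` override is deleted, a keyguard that another app has disabled is again not shown during lockdown. That is the behaviour the reverted commit had closed (Bug 218495634). The replacement is 377773.patch later on this page, which re-adds both pieces and a further guard where `mExternallyEnabled` is set, so this revert is only safe when applied together with that patch. It would help to record that pairing wherever the series order is maintained. Both places touched here belong to blocks that start outside the hunk.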
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377772.patch b/Patches/LineageOS-16.0/android_frameworks_base/377772.patch
new file mode 100644
index 00000000..65082c7c
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/377772.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kunal Malhotra
+Date: Thu, 2 Feb 2023 23:48:27 +0000
+Subject: [PATCH] Adding in verification of calling UID in onShellCommand
+
+Test: manual testing on device
+Bug: b/261709193
+(cherry picked from commit b651d295b44eb82d664861b77f33dbde1bce9453)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3ef3f18ba3094c4cc4f954ba23d1da421f9ca8b0)
+Merged-In: I68903ebd6d3d85f4bc820b745e3233a448b62273
+Change-Id: I68903ebd6d3d85f4bc820b745e3233a448b62273
+---
+ .../java/com/android/server/am/ActivityManagerService.java | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index c0025e0a2018..847beb87408d 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -16252,6 +16252,13 @@ public class ActivityManagerService extends IActivityManager.Stub
+ public void onShellCommand(FileDescriptor in, FileDescriptor out,
+ FileDescriptor err, String[] args, ShellCallback callback,
+ ResultReceiver resultReceiver) {
++ final int callingUid = Binder.getCallingUid();
++ if (callingUid != ROOT_UID && callingUid != Process.SHELL_UID) {
++ if (resultReceiver != null) {
++ resultReceiver.send(-1, null);
++ }
++ throw new SecurityException("Shell commands are only callable by root or shell");
++ }
+ (new ActivityManagerShellCommand(this, false)).exec(
+ this, in, out, err, args, callback, resultReceiver);
+ }
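Review bot: The new caller check in `onShellCommand` writes one UID constant unqualified (`ROOT_UID`) and the other qualified (`Process.SHELL_UID`) in the same condition. Spelling both the same way, `if (callingUid != Process.ROOT_UID && callingUid != Process.SHELL_UID) {`, reads more clearly and does not rely on a static import that is outside this hunk. The block also has no comment; I would add `// Binder shell commands are a debugging surface: only root and shell may run them.` above the check. A short note that `resultReceiver.send(-1, null)` is sent before the throw, presumably so a waiting client is released, would also help.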
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377773.patch b/Patches/LineageOS-16.0/android_frameworks_base/377773.patch
new file mode 100644
index 00000000..afb48338
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/377773.patch
@@ -0,0 +1,71 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Beverly Tai
+Date: Tue, 19 Sep 2023 21:01:11 +0000
+Subject: [PATCH] Updated: always show the keyguard on device lockdown
+
+Additionally, don't hide keyguard when it's disabled if the user has locked
+down the device.
+
+Manual test steps:
+ 1. Enable app pinning and disable "Ask for PIN before unpinning" setting
+ 2. Pin an app (ie: Settings)
+ 3. Lockdown from the power menu
+ 4. Observe: user is brought to the keyguard, primary auth is
+ required to enter the device.
+ => After entering correct credential, the device is still in
+ app pinning mode.
+ => After entering an incorrect credential, the keyguard remains
+ showing and the user can attempt again up to the limit
+
+Bug: 300463732
+Bug: 218495634
+Test: atest KeyguardViewMediatorTest
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:35a6e2f2c952440b1102033b2c3e496438503cff)
+Merged-In: I70fdae80f717712b3dfc9df54b9649959b4bb8f0
+Change-Id: I70fdae80f717712b3dfc9df54b9649959b4bb8f0
+---
+ .../systemui/keyguard/KeyguardViewMediator.java | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+index 292e9e752052..c7d231f6f522 100644
+--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
++++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+@@ -571,6 +571,13 @@ public class KeyguardViewMediator extends SystemUI {
+ }
+ }
+
++ @Override
++ public void onStrongAuthStateChanged(int userId) {
++ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
++ doKeyguardLocked(null);
++ }
++ }
++
+ @Override
+ public void onTrustChanged(int userId) {
+ if (userId == KeyguardUpdateMonitor.getCurrentUser()) {
+@@ -1129,6 +1136,10 @@ public class KeyguardViewMediator extends SystemUI {
+ mExternallyEnabled = enabled;
+
+ if (!enabled && mShowing) {
++ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
++ Log.d(TAG, "keyguardEnabled(false) overridden by user lockdown");
++ return;
++ }
+ if (mExitSecureCallback != null) {
+ if (DEBUG) Log.d(TAG, "in process of verifyUnlock request, ignoring");
+ // we're in the process of handling a request to verify the user
+@@ -1340,8 +1351,9 @@ public class KeyguardViewMediator extends SystemUI {
+ return;
+ }
+
+- // if another app is disabling us, don't show
+- if (!mExternallyEnabled) {
++ // if another app is disabling us, don't show unless we're in lockdown mode
++ if (!mExternallyEnabled
++ && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
+ if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled");
+
+ // note: we *should* set mNeedToReshowWhenReenabled=true here, but that makes
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/379789.patch b/Patches/LineageOS-16.0/android_frameworks_base/379789.patch
new file mode 100644
index 00000000..d3150db8
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/379789.patch
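Review bot: The re-added `onStrongAuthStateChanged(int userId)` never reads its `userId` argument and always queries `KeyguardUpdateMonitor.getCurrentUser()`, so a strong-auth change for any user re-runs the lockdown test for the foreground user. If that is intended, it should say so, for example `// userId is ignored on purpose: lockdown is enforced for the current user only.`. The neighbouring `onTrustChanged` compares `userId` with the current user first, which makes the difference look accidental. The new `Log.d(TAG, "keyguardEnabled(false) overridden by user lockdown")` is also unconditional, unlike the `if (DEBUG) Log.d(...)` lines around it. Since `mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())` now appears three times, a small private helper would keep the three sites in step. The methods holding the second and third changes start outside the hunk.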
@@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Aaron Liu +Date: Tue, 28 Mar 2023 13:15:04 -0700 +Subject: [PATCH] DO NOT MERGE Dismiss keyguard when simpin auth'd and... + +security method is none. This is mostly to fix the case where we auth +sim pin in the set up wizard and it goes straight to keyguard instead of +the setup wizard activity. + +This works with the prevent bypass keyguard flag because the device +should be noe secure in this case. + +Fixes: 222446076 +Test: turn locked sim on, which opens the sim pin screen. Auth the +screen and observe that keyguard is not shown. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48fa9bef3451e4a358c941af5b230f99881c5cb6) +Cherry-picking this CL as a security fix + +Bug: 222446076 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:09f004722284ef6b9790ddf9338a1708b3f0833c) +Merged-In: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101 +AOSP-Change-Id: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101 +Change-Id: Id6eb8eff88481f9ec2c9cbcde9d7b0f78a349d98 +--- + .../src/com/android/keyguard/KeyguardSecurityContainer.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java +index 6a71cf84759c..bb205956e932 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java +@@ -351,7 +351,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + case SimPuk: + // Shortcut for SIM PIN/PUK to go to directly to user's security screen or home + SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId); +- if (securityMode == SecurityMode.None && mLockPatternUtils.isLockScreenDisabled( ++ if (securityMode == 
SecurityMode.None || mLockPatternUtils.isLockScreenDisabled( + KeyguardUpdateMonitor.getCurrentUser())) { + finish = true; + } else { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/379790.patch b/Patches/LineageOS-16.0/android_frameworks_base/379790.patch new file mode 100644 index 00000000..5f26e25d --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/379790.patch 
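Review bot: With `&&` replaced by `||`, `finish = true` is reached as soon as either `securityMode == SecurityMode.None` or `isLockScreenDisabled(...)` holds, which is a wider condition for skipping the security screen after SIM PIN/PUK than before. 379790.patch on this page rewrites the same test back to `&&` with an added user-setup term, so this patch is an intermediate state and should not be carried without that follow-up. The comment above the test, `// Shortcut for SIM PIN/PUK to go to directly to user's security screen or home`, does not say which condition ends the keyguard and should be updated when the condition changes. The `switch` this case belongs to starts outside the hunk.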
@@ -0,0 +1,64 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Aaron Liu +Date: Fri, 11 Aug 2023 11:02:33 -0700 +Subject: [PATCH] DO NOT MERGE Ensure finish lockscreen when usersetup + incomplete + +Ensure that when the usersetup for the user is not complete, we do not +want to go to lockscreen, even if lockscreen is not disabled. + +Bug: 222446076 +Test: add Unit test, +Test: Wipe device, auth sim pin in setup, observe that lockscreen is +not there. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01ea2f91df5a1c67da2546d83beeee75c2c1ef94) +Merged-In: I8e33db8eb6e2c917966cab3d6a4f982670473040 +Change-Id: I8e33db8eb6e2c917966cab3d6a4f982670473040 +--- + .../android/keyguard/KeyguardSecurityContainer.java | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java +index bb205956e932..a6fa034cb901 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java +@@ -32,6 +32,8 @@ import android.widget.FrameLayout; + + import com.android.internal.widget.LockPatternUtils; + import com.android.keyguard.KeyguardSecurityModel.SecurityMode; ++import com.android.systemui.statusbar.policy.DeviceProvisionedController; ++import com.android.systemui.Dependency; + + public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSecurityView { + private static final boolean DEBUG = KeyguardConstants.DEBUG; +@@ -50,6 +52,8 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + private SecurityCallback mSecurityCallback; + private AlertDialog mAlertDialog; + ++ private final DeviceProvisionedController mDeviceProvisionedController; ++ + private final KeyguardUpdateMonitor mUpdateMonitor; + + // Used 
to notify the container when something interesting happens. +@@ -81,6 +85,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + mSecurityModel = new KeyguardSecurityModel(context); + mLockPatternUtils = new LockPatternUtils(context); + mUpdateMonitor = KeyguardUpdateMonitor.getInstance(mContext); ++ mDeviceProvisionedController = Dependency.get(DeviceProvisionedController.class); + } + + public void setSecurityCallback(SecurityCallback callback) { +@@ -351,8 +356,11 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + case SimPuk: + // Shortcut for SIM PIN/PUK to go to directly to user's security screen or home + SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId); +- if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled( +- KeyguardUpdateMonitor.getCurrentUser())) { ++ boolean isLockscreenDisabled = mLockPatternUtils.isLockScreenDisabled( ++ KeyguardUpdateMonitor.getCurrentUser()) ++ || !mDeviceProvisionedController.isUserSetup(targetUserId); ++ ++ if (securityMode == SecurityMode.None && isLockscreenDisabled) { + finish = true; + } else { + showSecurityScreen(securityMode); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/379791.patch b/Patches/LineageOS-16.0/android_frameworks_base/379791.patch new file mode 100644 index 00000000..f62b67fd --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/379791.patch 
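Review bot: The new local `isLockscreenDisabled` also becomes true when `!mDeviceProvisionedController.isUserSetup(targetUserId)`, so its name no longer describes what it holds. It also combines a query for `KeyguardUpdateMonitor.getCurrentUser()` with a query for `targetUserId`. If those two ids can differ, which is not visible from this hunk, the decision to finish without showing a security screen is built from two different users' state. Using `targetUserId` in both calls, or adding a comment that explains why the current user is the right one for `isLockScreenDisabled`, would settle it. A name such as `boolean skipLockscreen = ...` would match the widened meaning. The method containing the last change starts outside the hunk.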
@@ -0,0 +1,94 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tetiana Meronyk +Date: Thu, 24 Aug 2023 16:27:30 +0000 +Subject: [PATCH] Truncate user data to a limit of 500 characters + +Fix vulnerability that allows creating users with no restrictions. This is done by creating an intent to create a user and putting extras that are too long to be serialized. It causes IOException and the restrictions are not written in the file. + +By truncating the string values when writing them to the file, we ensure that the exception does not happen and it can be recorded correctly. + +Bug: 293602317 +Test: install app provided in the bug, open app and click add. Check logcat to see there is no more IOException. Reboot the device by either opening User details page or running adb shell dumpsys user | grep -A12 heen and see that the restrictions are in place. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48d45b507df64708a214a800082b970c8b2bf827) +Merged-In: I633dc10974a64ef2abd07e67ff2d209847129989 +Change-Id: I633dc10974a64ef2abd07e67ff2d209847129989 +--- + .../android/server/pm/UserManagerService.java | 24 ++++++++++++++----- + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java +index 423b88388809..7b121ba5a0f6 100644 +--- a/services/core/java/com/android/server/pm/UserManagerService.java ++++ b/services/core/java/com/android/server/pm/UserManagerService.java +@@ -216,6 +216,8 @@ public class UserManagerService extends IUserManager.Stub { + + private static final int USER_VERSION = 7; + ++ private static final int MAX_USER_STRING_LENGTH = 500; ++ + private static final long EPOCH_PLUS_30_YEARS = 30L * 365 * 24 * 60 * 60 * 1000L; // ms + + // Maximum number of managed profiles permitted per user is 1. 
This cannot be increased +@@ -2292,15 +2294,17 @@ public class UserManagerService extends IUserManager.Stub { + // Write seed data + if (userData.persistSeedData) { + if (userData.seedAccountName != null) { +- serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME, userData.seedAccountName); ++ serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME, ++ truncateString(userData.seedAccountName)); + } + if (userData.seedAccountType != null) { +- serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE, userData.seedAccountType); ++ serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE, ++ truncateString(userData.seedAccountType)); + } + } + if (userInfo.name != null) { + serializer.startTag(null, TAG_NAME); +- serializer.text(userInfo.name); ++ serializer.text(truncateString(userInfo.name)); + serializer.endTag(null, TAG_NAME); + } + synchronized (mRestrictionsLock) { +@@ -2335,6 +2339,13 @@ public class UserManagerService extends IUserManager.Stub { + serializer.endDocument(); + } + ++ private String truncateString(String original) { ++ if (original == null || original.length() <= MAX_USER_STRING_LENGTH) { ++ return original; ++ } ++ return original.substring(0, MAX_USER_STRING_LENGTH); ++ } ++ + /* + * Writes the user list file in this format: + * +@@ -2632,6 +2643,7 @@ public class UserManagerService extends IUserManager.Stub { + + private UserInfo createUserInternalUnchecked(String name, int flags, int parentId, + String[] disallowedPackages) { ++ String truncatedName = truncateString(name); + DeviceStorageMonitorInternal dsm = LocalServices + .getService(DeviceStorageMonitorInternal.class); + if (dsm.isMemoryLow()) { +@@ -2710,7 +2722,7 @@ public class UserManagerService extends IUserManager.Stub { + flags |= UserInfo.FLAG_EPHEMERAL; + } + +- userInfo = new UserInfo(userId, name, null, flags); ++ userInfo = new UserInfo(userId, truncatedName, null, flags); + userInfo.serialNumber = mNextSerialNumber++; + long now = System.currentTimeMillis(); + userInfo.creationTime = (now > 
EPOCH_PLUS_30_YEARS) ? now : 0; +@@ -3541,8 +3553,8 @@ public class UserManagerService extends IUserManager.Stub { + Slog.e(LOG_TAG, "No such user for settings seed data u=" + userId); + return; + } +- userData.seedAccountName = accountName; +- userData.seedAccountType = accountType; ++ userData.seedAccountName = truncateString(accountName); ++ userData.seedAccountType = truncateString(accountType); + userData.seedAccountOptions = accountOptions; + userData.persistSeedData = persist; + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/379792.patch b/Patches/LineageOS-16.0/android_frameworks_base/379792.patch new file mode 100644 index 00000000..9450f261 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/379792.patch 
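Review bot: `truncateString` cuts with `original.substring(0, MAX_USER_STRING_LENGTH)`, which can split a surrogate pair and leave a lone high surrogate as the last character handed to `serializer.attribute(...)` or `serializer.text(...)`. How the serializer treats that is not visible here, so it is safer to back off by one: `int end = Character.isHighSurrogate(original.charAt(MAX_USER_STRING_LENGTH - 1)) ? MAX_USER_STRING_LENGTH - 1 : MAX_USER_STRING_LENGTH;` followed by `return original.substring(0, end);`. In the last inner hunk, `userData.seedAccountOptions = accountOptions;` is still stored without any bound next to the two truncated strings. If the same writer persists that bundle, which is outside this hunk, the oversized-write failure described in the commit message may still be reachable through it. `MAX_USER_STRING_LENGTH` would also benefit from a one-line comment saying that it bounds caller-supplied strings before they are written to the user file.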
@@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Raphael Kim +Date: Mon, 18 Sep 2023 14:07:23 -0700 +Subject: [PATCH] Validate component name length before requesting notification + access. + +Bug: 295335110 +Test: Test app with long component name +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:447216ecbe5f22ea06379d9587dae530b1202fe8) +Merged-In: I7ea5d5c1f78858db9865f3310d1e0aff9c8b5579 +Change-Id: I7ea5d5c1f78858db9865f3310d1e0aff9c8b5579 +--- + .../server/companion/CompanionDeviceManagerService.java | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java +index e39652d77b7a..087fe8560fc8 100644 +--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java ++++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java +@@ -107,6 +107,8 @@ public class CompanionDeviceManagerService extends SystemService implements Bind + private static final boolean DEBUG = false; + private static final String LOG_TAG = "CompanionDeviceManagerService"; + ++ private static final int MAX_CN_LENGTH = 500; ++ + private static final String XML_TAG_ASSOCIATIONS = "associations"; + private static final String XML_TAG_ASSOCIATION = "association"; + private static final String XML_ATTR_PACKAGE = "package"; +@@ -290,6 +292,9 @@ public class CompanionDeviceManagerService extends SystemService implements Bind + String callingPackage = component.getPackageName(); + checkCanCallNotificationApi(callingPackage); + int userId = getCallingUserId(); ++ if (component.flattenToString().length() > MAX_CN_LENGTH) { ++ throw new IllegalArgumentException("Component name is too long."); ++ } + final long identity = Binder.clearCallingIdentity(); + try { + return 
PendingIntent.getActivity(getContext(), diff --git a/Patches/LineageOS-16.0/android_frameworks_base/379793.patch b/Patches/LineageOS-16.0/android_frameworks_base/379793.patch new file mode 100644 index 00000000..eb69e262 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/379793.patch 
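Review bot: `MAX_CN_LENGTH = 500` is introduced without a comment saying what it bounds or why the value is 500, and the check that uses it sits in the middle of the method with no explanation either. I would document the constant, for example `// Longest flattened ComponentName accepted from a caller; longer names are rejected before any notification-access request is built.`. If other entry points in this service accept a caller-supplied `ComponentName` (none are visible in this hunk), they should share the same check through a small helper instead of each repeating the comparison. The method containing the check starts and ends outside the hunk.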
@@ -0,0 +1,66 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nan Wu +Date: Fri, 25 Aug 2023 15:02:28 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Log to detect usage of whitelistToken when + sending non-PI target + +Log ActivityManagerService.sendIntentSender if the target is not a +PendingIntent and a non-null whitelistToken is sent to the client. +This is simply to detect if there are real cases this would happen +before we decide simply remove whitelistToken in that case. + +Do not pass whitelistToken when sending non-PI target + +In ActivityManagerService.sendIntentSender, if the target is not a +PendingIntent, do not send whitelistToken to the client. + +Bug: 279428283 +Test: Manual test +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f12deecd46e79212deba584a1afea97d401dd52) +Merged-In: I017486354a1ab2f14d0472c355583d53c27c4810 +Change-Id: I017486354a1ab2f14d0472c355583d53c27c4810 +--- + .../server/am/ActivityManagerService.java | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java +index 847beb87408d..e1159493fe24 100644 +--- a/services/core/java/com/android/server/am/ActivityManagerService.java ++++ b/services/core/java/com/android/server/am/ActivityManagerService.java +@@ -8625,12 +8625,12 @@ public class ActivityManagerService extends IActivityManager.Stub + } + + @Override +- public int sendIntentSender(IIntentSender target, IBinder whitelistToken, int code, ++ public int sendIntentSender(IIntentSender target, IBinder allowlistToken, int code, + Intent intent, String resolvedType, + IIntentReceiver finishedReceiver, String requiredPermission, Bundle options) { + if (target instanceof PendingIntentRecord) { + return ((PendingIntentRecord)target).sendWithResult(code, intent, resolvedType, +- whitelistToken, 
finishedReceiver, requiredPermission, options); ++ allowlistToken, finishedReceiver, requiredPermission, options); + } else { + if (intent == null) { + // Weird case: someone has given us their own custom IIntentSender, and now +@@ -8642,7 +8642,20 @@ public class ActivityManagerService extends IActivityManager.Stub + intent = new Intent(Intent.ACTION_MAIN); + } + try { +- target.send(code, intent, resolvedType, whitelistToken, null, ++ if (allowlistToken != null) { ++ final int callingUid = Binder.getCallingUid(); ++ final String packageName; ++ final long token = Binder.clearCallingIdentity(); ++ try { ++ packageName = AppGlobals.getPackageManager().getNameForUid(callingUid); ++ } finally { ++ Binder.restoreCallingIdentity(token); ++ } ++ Slog.wtf(TAG, "Send a non-null allowlistToken to a non-PI target." ++ + " Calling package: " + packageName + "; intent: " + intent ++ + "; options: " + options); ++ } ++ target.send(code, intent, resolvedType, null, null, + requiredPermission, options); + } catch (RemoteException e) { + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/379794.patch b/Patches/LineageOS-16.0/android_frameworks_base/379794.patch new file mode 100644 index 00000000..915f1043 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/379794.patch 
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Will Leshner
+Date: Tue, 31 Oct 2023 13:23:08 -0700
+Subject: [PATCH] Fix vulnerability that allowed attackers to start arbitary
+ activities
+
+Test: Flashed device and verified dream settings works as expected
+Test: Installed APK from bug and verified the dream didn't allow
+launching the inappropriate settings activity.
+Fixes: 300090204
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14)
+Merged-In: I573040df84bf98a493b39f96c8581e4303206bac
+Change-Id: I573040df84bf98a493b39f96c8581e4303206bac
+---
+ .../com/android/settingslib/dream/DreamBackend.java | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+index 3c0f6fe8ccbb..0b771580fff4 100644
+--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
++++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+@@ -332,7 +332,17 @@ public class DreamBackend {
+ if (cn != null && cn.indexOf('/') < 0) {
+ cn = resolveInfo.serviceInfo.packageName + "/" + cn;
+ }
+- return cn == null ? null : ComponentName.unflattenFromString(cn);
++ // Ensure that the component is from the same package as the dream service. If not,
++ // treat the component as invalid and return null instead.
++ final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
++ if (result != null
++ && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
++ Log.w(TAG,
++ "Inconsistent package name in component: " + result.getPackageName()
++ + ", should be: " + resolveInfo.serviceInfo.packageName);
++ return null;
++ }
++ return result;
+ }
+
+ private static void logd(String msg, Object... args) {
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/379980.patch b/Patches/LineageOS-16.0/android_frameworks_base/379980.patch
new file mode 100644
index 00000000..8b141e41
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/379980.patch
@@ -0,0 +1,69 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jing Ji +Date: Thu, 19 Oct 2023 14:22:58 -0700 +Subject: [PATCH] DO NOT MERGE: Fix ActivityManager#killBackgroundProcesses + permissions + +In the pevious CL, we incorrectly added the permission check in the +killBackgroundProcessesExcept. Now fix this issue. + +Bug: 239423414 +Bug: 223376078 +Test: atest CtsAppTestCases:ActivityManagerTest +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140fce861944419a375c669010c6c47cd7ff5b37) +Merged-In: I9471a77188ee63ec32cd0c81569193e4ccad885b +Change-Id: I9471a77188ee63ec32cd0c81569193e4ccad885b +--- + .../server/am/ActivityManagerService.java | 32 +++++++++---------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java +index e1159493fe24..fb941a7641fc 100644 +--- a/services/core/java/com/android/server/am/ActivityManagerService.java ++++ b/services/core/java/com/android/server/am/ActivityManagerService.java +@@ -6864,22 +6864,6 @@ public class ActivityManagerService extends IActivityManager.Stub + throw new SecurityException(msg); + } + +- final int callingUid = Binder.getCallingUid(); +- final int callingPid = Binder.getCallingPid(); +- +- ProcessRecord proc; +- synchronized (mPidsSelfLocked) { +- proc = mPidsSelfLocked.get(callingPid); +- } +- if (callingUid >= FIRST_APPLICATION_UID +- && (proc == null || !proc.info.isSystemApp())) { +- final String msg = "Permission Denial: killAllBackgroundProcesses() from pid=" +- + callingPid + ", uid=" + callingUid + " is not allowed"; +- Slog.w(TAG, msg); +- // Silently return to avoid existing apps from crashing. 
+- return; +- } +- + final long callingId = Binder.clearCallingIdentity(); + try { + synchronized (this) { +@@ -6937,6 +6921,22 @@ public class ActivityManagerService extends IActivityManager.Stub + throw new SecurityException(msg); + } + ++ final int callingUid = Binder.getCallingUid(); ++ final int callingPid = Binder.getCallingPid(); ++ ++ ProcessRecord proc; ++ synchronized (mPidsSelfLocked) { ++ proc = mPidsSelfLocked.get(callingPid); ++ } ++ if (callingUid >= FIRST_APPLICATION_UID ++ && (proc == null || !proc.info.isSystemApp())) { ++ final String msg = "Permission Denial: killAllBackgroundProcesses() from pid=" ++ + callingPid + ", uid=" + callingUid + " is not allowed"; ++ Slog.w(TAG, msg); ++ // Silently return to avoid existing apps from crashing. ++ return; ++ } ++ + final long callingId = Binder.clearCallingIdentity(); + try { + synchronized (this) { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/383563.patch b/Patches/LineageOS-16.0/android_frameworks_base/383563.patch new file mode 100644 index 00000000..4048fe7b --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/383563.patch 
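Review bot: The denial branch re-added at line 6921 of ActivityManagerService.java returns silently, so a rejected caller gets no signal and the only trace is the `Slog.w` line, whose text hard-codes `killAllBackgroundProcesses()`. Both enclosing methods start outside the hunk, so it is worth confirming that the block now sits in the method that message names; the commit message says the previous change placed it in the wrong one. If the silent return is kept for compatibility, the contract should be written down where callers will read it, e.g. `// Non-system callers are logged and ignored; no SecurityException is thrown.` in the method's Javadoc.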
@@ -0,0 +1,110 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabi=C3=A1n=20Kozynski?=
+Date: Fri, 13 Oct 2023 16:19:27 -0400
+Subject: [PATCH] Unbind TileService onNullBinding
+
+Test: atest TileLifecycleManagerTest
+Test: manual: adb shell dumpsys activity service
+Test: sts test
+Bug: 300903792
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bf830ca0df71496cd47563e138b8712918e0476)
+Merged-In: Ia8126ac65432b124683960e3ebf47301ba6172a1
+Change-Id: Ia8126ac65432b124683960e3ebf47301ba6172a1
+---
+ .../qs/external/TileLifecycleManager.java | 5 +++
+ .../qs/external/TileLifecycleManagerTest.java | 33 ++++++++++++++++---
+ 2 files changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
+index 1170d7b6e8a9..c0d4736d4a97 100644
+--- a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
++++ b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
+@@ -192,6 +192,11 @@ public class TileLifecycleManager extends BroadcastReceiver implements
+ handlePendingMessages();
+ }
+
++ @Override
++ public void onNullBinding(ComponentName name) {
++ setBindService(false);
++ }
++
+ @Override
+ public void onServiceDisconnected(ComponentName name) {
+ if (DEBUG) Log.d(TAG, "onServiceDisconnected " + name);
+diff --git a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
+index e5e8ae3311ef..4a389743a395 100644
+--- a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
++++ b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
+@@ -22,13 +22,16 @@ import static org.junit.Assert.assertEquals;
+ import static org.mockito.Mockito.any;
+ import static org.mockito.Mockito.anyInt;
+ import static org.mockito.Mockito.anyString;
++import static org.mockito.Mockito.mock;
+ import static org.mockito.Mockito.never;
+ import static org.mockito.Mockito.times;
+ import static org.mockito.Mockito.verify;
+ import static org.mockito.Mockito.when;
+
+ import android.content.ComponentName;
++import android.content.Context;
+ import android.content.Intent;
++import android.content.ServiceConnection;
+ import android.content.pm.PackageInfo;
+ import android.content.pm.ServiceInfo;
+ import android.net.Uri;
+@@ -49,7 +52,7 @@ import org.junit.After;
+ import org.junit.Before;
+ import org.junit.Test;
+ import org.junit.runner.RunWith;
+-import org.mockito.Mockito;
++import org.mockito.ArgumentCaptor;
+
+ @SmallTest
+ @RunWith(AndroidJUnit4.class)
+@@ -57,8 +60,8 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
+ private static final int TEST_FAIL_TIMEOUT = 5000;
+
+ private final PackageManagerAdapter mMockPackageManagerAdapter =
+- Mockito.mock(PackageManagerAdapter.class);
+- private final IQSTileService.Stub mMockTileService = Mockito.mock(IQSTileService.Stub.class);
++ mock(PackageManagerAdapter.class);
++ private final IQSTileService.Stub mMockTileService = mock(IQSTileService.Stub.class);
+ private ComponentName mTileServiceComponentName;
+ private Intent mTileServiceIntent;
+ private UserHandle mUser;
+@@ -83,7 +86,7 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
+ mThread.start();
+ mHandler = Handler.createAsync(mThread.getLooper());
+ mStateManager = new TileLifecycleManager(mHandler, mContext,
+- Mockito.mock(IQSService.class), new Tile(),
++ mock(IQSService.class), new Tile(),
+ mTileServiceIntent,
+ mUser,
+ mMockPackageManagerAdapter);
+@@ -236,4 +239,26 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
+ verifyBind(2);
+ verify(mMockTileService, times(2)).onStartListening();
+ }
++
++ @Test
++ public void testNullBindingCallsUnbind() {
++ Context mockContext = mock(Context.class);
++ // Binding has to succeed
++ when(mockContext.bindServiceAsUser(any(), any(), anyInt(), any())).thenReturn(true);
++ TileLifecycleManager manager = new TileLifecycleManager(mHandler, mockContext,
++ mock(IQSService.class),
++ new Tile(),
++ mTileServiceIntent,
++ mUser,
++ mMockPackageManagerAdapter,
++ mMockBroadcastDispatcher);
++
++ manager.setBindService(true);
++
++ ArgumentCaptor captor = ArgumentCaptor.forClass(ServiceConnection.class);
++ verify(mockContext).bindServiceAsUser(any(), captor.capture(), anyInt(), any());
++
++ captor.getValue().onNullBinding(mTileServiceComponentName);
++ verify(mockContext).unbindService(captor.getValue());
++ }
+ }
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/385672.patch b/Patches/LineageOS-16.0/android_frameworks_base/385672.patch
new file mode 100644
index 00000000..3e9cb071
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/385672.patch
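Review bot: The new test `testNullBindingCallsUnbind` builds `TileLifecycleManager` with an eighth argument, `mMockBroadcastDispatcher`, while the `@Before` setup in the same file (the hunk at line 86) still uses the seven-argument constructor ending in `mMockPackageManagerAdapter`. No hunk in this patch declares `mMockBroadcastDispatcher`, so unless it exists elsewhere on this branch the test will not compile; dropping that argument to match the setup call looks like the intended backport. Separately, `onNullBinding` in TileLifecycleManager.java unbinds without leaving any trace, whereas `onServiceDisconnected` just below logs under `DEBUG`; `if (DEBUG) Log.d(TAG, "onNullBinding " + name);` would keep the two callbacks consistent.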
@@ -0,0 +1,67 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: kumarashishg
+Date: Mon, 17 Jul 2023 12:01:18 +0000
+Subject: [PATCH] Resolve custom printer icon boundary exploit.
+
+Because Settings grants the INTERACT_ACROSS_USERS_FULL permission, an exploit is possible where the third party print plugin service can pass other's User Icon URI. This CL provides a lightweight solution for parsing the image URI to detect profile exploitation.
+
+Bug: 281525042
+Test: Build and flash the code. Try to reproduce the issue with
+mentioned steps in the bug
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0e0693ca9cb408d0dc82f6c6b3feb453fc8ddd83)
+Merged-In: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce
+Change-Id: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce
+---
+ .../server/print/PrintManagerService.java | 34 ++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/services/print/java/com/android/server/print/PrintManagerService.java b/services/print/java/com/android/server/print/PrintManagerService.java
+index dc55179bdc9e..101a2b41addb 100644
+--- a/services/print/java/com/android/server/print/PrintManagerService.java
++++ b/services/print/java/com/android/server/print/PrintManagerService.java
+@@ -251,12 +251,44 @@ public final class PrintManagerService extends SystemService {
+ }
+ final long identity = Binder.clearCallingIdentity();
+ try {
+- return userState.getCustomPrinterIcon(printerId);
++ Icon icon = userState.getCustomPrinterIcon(printerId);
++ return validateIconUserBoundary(icon);
+ } finally {
+ Binder.restoreCallingIdentity(identity);
+ }
+ }
+
++ /**
++ * Validates the custom printer icon to see if it's not in the calling user space.
++ * If the condition is not met, return null. Otherwise, return the original icon.
++ *
++ * @param icon
++ * @return icon (validated)
++ */
++ private Icon validateIconUserBoundary(Icon icon) {
++ // Refer to Icon#getUriString for context. The URI string is invalid for icons of
++ // incompatible types.
++ if (icon != null && (icon.getType() == Icon.TYPE_URI)) {
++ String encodedUser = icon.getUri().getEncodedUserInfo();
++
++ // If there is no encoded user, the URI is calling into the calling user space
++ if (encodedUser != null) {
++ int userId = Integer.parseInt(encodedUser);
++ // resolve encoded user
++ final int resolvedUserId = resolveCallingUserEnforcingPermissions(userId);
++
++ synchronized (mLock) {
++ // Only the current group members can get the printer icons.
++ if (resolveCallingProfileParentLocked(resolvedUserId)
++ != getCurrentUserId()) {
++ return null;
++ }
++ }
++ }
++ }
++ return icon;
++ }
++
+ @Override
+ public void cancelPrintJob(PrintJobId printJobId, int appId, int userId) {
+ if (printJobId == null) {
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/385673.patch b/Patches/LineageOS-16.0/android_frameworks_base/385673.patch
new file mode 100644
index 00000000..b55510f7
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/385673.patch
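Review bot: `Integer.parseInt(encodedUser)` in `validateIconUserBoundary` parses the user-info part of an icon URI that, per the commit message, a third-party print service supplies, and a non-numeric value throws `NumberFormatException` instead of being rejected. Treating it like any other invalid icon is safer: `try { userId = Integer.parseInt(encodedUser); } catch (NumberFormatException e) { return null; }`. The helper is also called between `Binder.clearCallingIdentity()` and `Binder.restoreCallingIdentity(identity)`, so `resolveCallingUserEnforcingPermissions` may be evaluating the system identity rather than the original caller; its body is outside the hunk, so this needs confirming. The Javadoc leaves `@param icon` empty and should state that a URI icon addressed to a user outside the current profile group yields null.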
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alex Buynytskyy
+Date: Wed, 20 Dec 2023 01:50:36 +0000
+Subject: [PATCH] Disallow system apps to be installed/updated as instant.
+
+Bug: 299441833
+Test: atest android.content.pm.cts.PackageManagerTest
+(cherry picked from commit 496e78a1951f2ed69290f03c5625c0f8382f4d31)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0d0f185c0d526c1dac0a8894b2c2f2e378328d73)
+Merged-In: Idd89a6dd72f0e68259095f677185f0494391025c
+Change-Id: Idd89a6dd72f0e68259095f677185f0494391025c
+---
+ .../core/java/com/android/server/pm/PackageManagerService.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index 25f70b23e68f..893268da7f36 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -14291,6 +14291,9 @@ public class PackageManagerService extends IPackageManager.Stub
+ if (pkgSetting == null) {
+ return PackageManager.INSTALL_FAILED_INVALID_URI;
+ }
++ if (instantApp && (pkgSetting.isSystem() || isUpdatedSystemApp(pkgSetting))) {
++ return PackageManager.INSTALL_FAILED_INVALID_URI;
++ }
+ if (!canViewInstantApps(callingUid, UserHandle.getUserId(callingUid))) {
+ // only allow the existing package to be used if it's installed as a full
+ // application for at least one user
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/385674.patch b/Patches/LineageOS-16.0/android_frameworks_base/385674.patch
new file mode 100644
index 00000000..cace3177
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/385674.patch
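Review bot: The new rejection of instant installs over system packages in PackageManagerService.java returns `INSTALL_FAILED_INVALID_URI` without logging, so a blocked attempt is indistinguishable from the `pkgSetting == null` case directly above it. A warning before the return would make the event visible to whoever reads the logs, e.g. `Slog.w(TAG, "Rejecting instant install over system package");`, assuming `Slog` and `TAG` are in scope in this file. A one-line comment stating why system and updated-system packages must not be replaced by an instant app would also help the next reader; the enclosing method starts outside the hunk.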
@@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev
+Date: Wed, 3 Jan 2024 09:26:56 -0800
+Subject: [PATCH] Close AccountManagerService.session after timeout.
+
+Bug: 303905130
+Bug: 316893159
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bb53f192e0ceaa026a083da156ef0cb0140f0c09)
+Merged-In: Ib4cebf1750fc6324dc1c8853e0d716ea5e8ec073
+Change-Id: Ib4cebf1750fc6324dc1c8853e0d716ea5e8ec073
+---
+ .../android/server/accounts/AccountManagerService.java | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index ec15113c2c78..4e4c261d0cc4 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -182,6 +182,7 @@ public class AccountManagerService
+
+ final MessageHandler mHandler;
+
++ private static final int TIMEOUT_DELAY_MS = 1000 * 60 * 15;
+ // Messages that can be sent on mHandler
+ private static final int MESSAGE_TIMED_OUT = 3;
+ private static final int MESSAGE_COPY_SHARED_ACCOUNT = 4;
+@@ -4743,6 +4744,7 @@ public class AccountManagerService
+ synchronized (mSessions) {
+ mSessions.put(toString(), this);
+ }
++ scheduleTimeout();
+ if (response != null) {
+ try {
+ response.asBinder().linkToDeath(this, 0 /* flags */);
+@@ -4909,6 +4911,11 @@ public class AccountManagerService
+ }
+ }
+
++ private void scheduleTimeout() {
++ mHandler.sendMessageDelayed(
++ mHandler.obtainMessage(MESSAGE_TIMED_OUT, this), TIMEOUT_DELAY_MS);
++ }
++
+ public void cancelTimeout() {
+ mHandler.removeMessages(MESSAGE_TIMED_OUT, this);
+ }
+@@ -4945,6 +4952,9 @@ public class AccountManagerService
+
+ public void onTimedOut() {
+ IAccountManagerResponse response = getResponseAndClose();
++ if (Log.isLoggable(TAG, Log.VERBOSE)) {
++ Log.v(TAG, "Session.onTimedOut");
++ }
+ if (response != null) {
+ try {
+ response.onError(AccountManager.ERROR_CODE_REMOTE_EXCEPTION,
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/389269.patch b/Patches/LineageOS-16.0/android_frameworks_base/389269.patch
new file mode 100644
index 00000000..bae6747d
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/389269.patch
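Review bot: `scheduleTimeout()` queues a `MESSAGE_TIMED_OUT` message that holds the `Session` for `TIMEOUT_DELAY_MS` (15 minutes), and nothing in the visible hunks removes it when a session finishes normally. `cancelTimeout()` sits right below it, but whether the close path calls it is outside the hunks; if it does not, each completed session stays referenced from the handler queue until the delay expires and `onTimedOut()` then runs on a session that is already closed. The constant also has no comment; `// Upper bound on how long a Session may stay open before it is closed.` above `TIMEOUT_DELAY_MS` would document the intent.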
@@ -0,0 +1,107 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Beverly
+Date: Thu, 18 Jan 2024 20:13:52 +0000
+Subject: [PATCH] isUserInLockDown can be true when there are other strong auth
+ requirements
+
+Bug: 315206668
+Bug: 218495634
+Flag: None
+Test: manual, atest LockPatternUtilsTest
+(cherry picked from commit d341f1ecdb011d24b17358f115391b3f997cb179)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ba8dfc68aada76127abafdb17d0f0896cc14447a)
+Merged-In: I5e979a7822dd7254b4579ab28ecf96df1db44179
+Change-Id: I5e979a7822dd7254b4579ab28ecf96df1db44179
+---
+ .../internal/widget/LockPatternUtils.java | 4 +--
+ .../internal/util/LockPatternUtilsTest.java | 33 ++++++++++++++++---
+ 2 files changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/core/java/com/android/internal/widget/LockPatternUtils.java b/core/java/com/android/internal/widget/LockPatternUtils.java
+index 1d8ae14bbb87..7221e521def5 100644
+--- a/core/java/com/android/internal/widget/LockPatternUtils.java
++++ b/core/java/com/android/internal/widget/LockPatternUtils.java
+@@ -1596,8 +1596,8 @@ public class LockPatternUtils {
+ }
+
+ public boolean isUserInLockdown(int userId) {
+- return getStrongAuthForUser(userId)
+- == StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN;
++ return (getStrongAuthForUser(userId)
++ & StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN) != 0;
+ }
+
+ private ICheckCredentialProgressCallback wrapCallback(
+diff --git a/core/tests/utiltests/src/com/android/internal/util/LockPatternUtilsTest.java b/core/tests/utiltests/src/com/android/internal/util/LockPatternUtilsTest.java
+index b18ee171eb0c..0d102daf76e9 100644
+--- a/core/tests/utiltests/src/com/android/internal/util/LockPatternUtilsTest.java
++++ b/core/tests/utiltests/src/com/android/internal/util/LockPatternUtilsTest.java
+@@ -18,6 +18,8 @@ package com.android.internal.util;
+
+ import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_MANAGED;
+ import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
++import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_NOT_REQUIRED;
++import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN;
+
+ import static org.junit.Assert.assertFalse;
+ import static org.junit.Assert.assertTrue;
+@@ -46,12 +48,15 @@ import org.mockito.Mockito;
+ @SmallTest
+ public class LockPatternUtilsTest {
+
++ private ILockSettings mLockSettings;
++ private static final int USER_ID = 1;
+ private static final int DEMO_USER_ID = 5;
+
+ private LockPatternUtils mLockPatternUtils;
+
+ private void configureTest(boolean isSecure, boolean isDemoUser, int deviceDemoMode)
+ throws Exception {
++ mLockSettings = Mockito.mock(ILockSettings.class);
+ final Context context = spy(new ContextWrapper(InstrumentationRegistry.getTargetContext()));
+
+ final MockContentResolver cr = new MockContentResolver(context);
+@@ -59,13 +64,12 @@ public class LockPatternUtilsTest {
+ when(context.getContentResolver()).thenReturn(cr);
+ Settings.Global.putInt(cr, Settings.Global.DEVICE_DEMO_MODE, deviceDemoMode);
+
+- final ILockSettings ils = Mockito.mock(ILockSettings.class);
+- when(ils.havePassword(DEMO_USER_ID)).thenReturn(isSecure);
+- when(ils.getLong("lockscreen.password_type", PASSWORD_QUALITY_UNSPECIFIED, DEMO_USER_ID))
+- .thenReturn((long) PASSWORD_QUALITY_MANAGED);
++ when(mLockSettings.getCredentialType(DEMO_USER_ID)).thenReturn(isSecure);
++ when(mLockSettings.getLong("lockscreen.password_type", PASSWORD_QUALITY_UNSPECIFIED,
++ DEMO_USER_ID)).thenReturn((long) PASSWORD_QUALITY_MANAGED);
+ // TODO(b/63758238): stop spying the class under test
+ mLockPatternUtils = spy(new LockPatternUtils(context));
+- when(mLockPatternUtils.getLockSettings()).thenReturn(ils);
++ when(mLockPatternUtils.getLockSettings()).thenReturn(mLockSettings);
+
+ final UserInfo userInfo = Mockito.mock(UserInfo.class);
+ when(userInfo.isDemo()).thenReturn(isDemoUser);
+@@ -74,6 +78,25 @@ public class LockPatternUtilsTest {
+ when(context.getSystemService(Context.USER_SERVICE)).thenReturn(um);
+ }
+
++ @Test
++ public void isUserInLockDown() throws Exception {
++ configureTest(true, false, 2);
++ // GIVEN strong auth not required
++ when(mLockSettings.getStrongAuthForUser(USER_ID)).thenReturn(STRONG_AUTH_NOT_REQUIRED);
++ // THEN user isn't in lockdown
++ assertFalse(mLockPatternUtils.isUserInLockdown(USER_ID));
++ // GIVEN lockdown
++ when(mLockSettings.getStrongAuthForUser(USER_ID)).thenReturn(
++ STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN);
++ // THEN user is in lockdown
++ assertTrue(mLockPatternUtils.isUserInLockdown(USER_ID));
++ // GIVEN lockdown and lockout
++ when(mLockSettings.getStrongAuthForUser(USER_ID)).thenReturn(
++ STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN | STRONG_AUTH_REQUIRED_AFTER_LOCKOUT);
++ // THEN user is in lockdown
++ assertTrue(mLockPatternUtils.isUserInLockdown(USER_ID));
++ }
++
+ @Test
+ public void isLockScreenDisabled_isDemoUser_true() throws Exception {
+ configureTest(false, true, 2);
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/389270.patch b/Patches/LineageOS-16.0/android_frameworks_base/389270.patch
new file mode 100644
index 00000000..8d21369c
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/389270.patch
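Review bot: The LockPatternUtilsTest.java changes look written for a newer branch than this one: the stub `when(mLockSettings.getCredentialType(DEMO_USER_ID)).thenReturn(isSecure)` replaces `havePassword(DEMO_USER_ID)` yet still returns the boolean `isSecure`, and the new test uses `STRONG_AUTH_REQUIRED_AFTER_LOCKOUT` although only `STRONG_AUTH_NOT_REQUIRED` and `STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN` are added as static imports. Unless `getCredentialType` and that import exist elsewhere in this tree, the test will not compile; keeping `havePassword` on `mLockSettings` and adding the missing static import would address both. The production change in `isUserInLockdown` would also benefit from a short comment, e.g. `// Strong-auth flags can be combined, so test the lockdown bit instead of comparing for equality.`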
@@ -0,0 +1,338 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tetiana Meronyk +Date: Wed, 10 Jan 2024 16:25:13 +0000 +Subject: [PATCH] Fix security vulnerability that creates user with no + restrictions when accountOptions are too long. + +Bug: 293602970 +Test: atest UserManagerTest#testAddUserAccountData_validStringValuesAreSaved_validBundleIsSaved && atest UserManagerTest#testAddUserAccountData_invalidStringValuesAreTruncated_invalidBundleIsDropped +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:944ea959ab8464c39a8f6a4fc391fb6953e1df89) +Merged-In: I23c971f671546ac085060add89485cfac6691ca3 +Change-Id: I23c971f671546ac085060add89485cfac6691ca3 +--- + core/java/android/os/PersistableBundle.java | 37 +++++++ + core/java/android/os/UserManager.java | 23 +++- + .../app/ConfirmUserCreationActivity.java | 12 +++ + .../android/server/pm/UserManagerService.java | 29 ++--- + .../android/server/pm/UserManagerTest.java | 102 ++++++++++++++++++ + 5 files changed, 187 insertions(+), 16 deletions(-) + +diff --git a/core/java/android/os/PersistableBundle.java b/core/java/android/os/PersistableBundle.java +index 6a6ff64c5a5f..88e383fc69d3 100644 +--- a/core/java/android/os/PersistableBundle.java ++++ b/core/java/android/os/PersistableBundle.java +@@ -268,6 +268,43 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa + XmlUtils.writeMapXml(mMap, out, this); + } + ++ /** ++ * Checks whether all keys and values are within the given character limit. ++ * Note: Maximum character limit of String that can be saved to XML as part of bundle is 65535. ++ * Otherwise IOException is thrown. ++ * @param limit length of String keys and values in the PersistableBundle, including nested ++ * PersistableBundles to check against. 
++ * ++ * @hide ++ */ ++ public boolean isBundleContentsWithinLengthLimit(int limit) { ++ unparcel(); ++ if (mMap == null) { ++ return true; ++ } ++ for (int i = 0; i < mMap.size(); i++) { ++ if (mMap.keyAt(i) != null && mMap.keyAt(i).length() > limit) { ++ return false; ++ } ++ final Object value = mMap.valueAt(i); ++ if (value instanceof String && ((String) value).length() > limit) { ++ return false; ++ } else if (value instanceof String[]) { ++ String[] stringArray = (String[]) value; ++ for (int j = 0; j < stringArray.length; j++) { ++ if (stringArray[j] != null ++ && stringArray[j].length() > limit) { ++ return false; ++ } ++ } ++ } else if (value instanceof PersistableBundle ++ && !((PersistableBundle) value).isBundleContentsWithinLengthLimit(limit)) { ++ return false; ++ } ++ } ++ return true; ++ } ++ + /** @hide */ + static class MyReadMapCallback implements XmlUtils.ReadMapCallback { + @Override +diff --git a/core/java/android/os/UserManager.java b/core/java/android/os/UserManager.java +index 4188ea34bb8e..b000c157e338 100644 +--- a/core/java/android/os/UserManager.java ++++ b/core/java/android/os/UserManager.java +@@ -74,6 +74,21 @@ public class UserManager { + + private Boolean mIsManagedProfileCached; + ++ /** Maximum length of username. ++ * @hide ++ */ ++ public static final int MAX_USER_NAME_LENGTH = 100; ++ ++ /** Maximum length of user property String value. ++ * @hide ++ */ ++ public static final int MAX_ACCOUNT_STRING_LENGTH = 500; ++ ++ /** Maximum length of account options String values. ++ * @hide ++ */ ++ public static final int MAX_ACCOUNT_OPTIONS_LENGTH = 1000; ++ + /** + * @hide + * No user restriction. +@@ -1958,15 +1973,15 @@ public class UserManager { + * time, the preferred user name and account information are used by the setup process for that + * user. + * +- * @param userName Optional name to assign to the user. ++ * @param userName Optional name to assign to the user. Character limit is 100. 
+ * @param accountName Optional account name that will be used by the setup wizard to initialize +- * the user. ++ * the user. Character limit is 500. + * @param accountType Optional account type for the account to be created. This is required +- * if the account name is specified. ++ * if the account name is specified. Character limit is 500. + * @param accountOptions Optional bundle of data to be passed in during account creation in the + * new user via {@link AccountManager#addAccount(String, String, String[], + * Bundle, android.app.Activity, android.accounts.AccountManagerCallback, +- * Handler)}. ++ * Handler)}. Character limit is 1000. + * @return An Intent that can be launched from an Activity. + * @see #USER_CREATION_FAILED_NOT_PERMITTED + * @see #USER_CREATION_FAILED_NO_MORE_USERS +diff --git a/core/java/com/android/internal/app/ConfirmUserCreationActivity.java b/core/java/com/android/internal/app/ConfirmUserCreationActivity.java +index 03da9bc939ec..74dedc38a922 100644 +--- a/core/java/com/android/internal/app/ConfirmUserCreationActivity.java ++++ b/core/java/com/android/internal/app/ConfirmUserCreationActivity.java +@@ -110,6 +110,14 @@ public class ConfirmUserCreationActivity extends AlertActivity + if (cantCreateUser) { + setResult(UserManager.USER_CREATION_FAILED_NOT_PERMITTED); + return null; ++ } else if (!(isUserPropertyWithinLimit(mUserName, UserManager.MAX_USER_NAME_LENGTH) ++ && isUserPropertyWithinLimit(mAccountName, UserManager.MAX_ACCOUNT_STRING_LENGTH) ++ && isUserPropertyWithinLimit(mAccountType, UserManager.MAX_ACCOUNT_STRING_LENGTH)) ++ || (mAccountOptions != null && !mAccountOptions.isBundleContentsWithinLengthLimit( ++ UserManager.MAX_ACCOUNT_OPTIONS_LENGTH))) { ++ setResult(UserManager.USER_CREATION_FAILED_NOT_PERMITTED); ++ Log.i(TAG, "User properties must not exceed their character limits"); ++ return null; + } else if (cantCreateAnyMoreUsers) { + setResult(UserManager.USER_CREATION_FAILED_NO_MORE_USERS); + return null; +@@ -137,4 
+145,8 @@ public class ConfirmUserCreationActivity extends AlertActivity + } + finish(); + } ++ ++ private boolean isUserPropertyWithinLimit(String property, int limit) { ++ return property == null || property.length() <= limit; ++ } + } +diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java +index 7b121ba5a0f6..553a96374d61 100644 +--- a/services/core/java/com/android/server/pm/UserManagerService.java ++++ b/services/core/java/com/android/server/pm/UserManagerService.java +@@ -216,8 +216,6 @@ public class UserManagerService extends IUserManager.Stub { + + private static final int USER_VERSION = 7; + +- private static final int MAX_USER_STRING_LENGTH = 500; +- + private static final long EPOCH_PLUS_30_YEARS = 30L * 365 * 24 * 60 * 60 * 1000L; // ms + + // Maximum number of managed profiles permitted per user is 1. This cannot be increased +@@ -2295,16 +2293,18 @@ public class UserManagerService extends IUserManager.Stub { + if (userData.persistSeedData) { + if (userData.seedAccountName != null) { + serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME, +- truncateString(userData.seedAccountName)); ++ truncateString(userData.seedAccountName, ++ UserManager.MAX_ACCOUNT_STRING_LENGTH)); + } + if (userData.seedAccountType != null) { + serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE, +- truncateString(userData.seedAccountType)); ++ truncateString(userData.seedAccountType, ++ UserManager.MAX_ACCOUNT_STRING_LENGTH)); + } + } + if (userInfo.name != null) { + serializer.startTag(null, TAG_NAME); +- serializer.text(truncateString(userInfo.name)); ++ serializer.text(truncateString(userInfo.name, UserManager.MAX_USER_NAME_LENGTH)); + serializer.endTag(null, TAG_NAME); + } + synchronized (mRestrictionsLock) { +@@ -2339,11 +2339,11 @@ public class UserManagerService extends IUserManager.Stub { + serializer.endDocument(); + } + +- private String truncateString(String original) { +- if 
(original == null || original.length() <= MAX_USER_STRING_LENGTH) { ++ private String truncateString(String original, int limit) { ++ if (original == null || original.length() <= limit) { + return original; + } +- return original.substring(0, MAX_USER_STRING_LENGTH); ++ return original.substring(0, limit); + } + + /* +@@ -2643,7 +2643,7 @@ public class UserManagerService extends IUserManager.Stub { + + private UserInfo createUserInternalUnchecked(String name, int flags, int parentId, + String[] disallowedPackages) { +- String truncatedName = truncateString(name); ++ String truncatedName = truncateString(name, UserManager.MAX_USER_NAME_LENGTH); + DeviceStorageMonitorInternal dsm = LocalServices + .getService(DeviceStorageMonitorInternal.class); + if (dsm.isMemoryLow()) { +@@ -3553,9 +3553,14 @@ public class UserManagerService extends IUserManager.Stub { + Slog.e(LOG_TAG, "No such user for settings seed data u=" + userId); + return; + } +- userData.seedAccountName = truncateString(accountName); +- userData.seedAccountType = truncateString(accountType); +- userData.seedAccountOptions = accountOptions; ++ userData.seedAccountName = truncateString(accountName, ++ UserManager.MAX_ACCOUNT_STRING_LENGTH); ++ userData.seedAccountType = truncateString(accountType, ++ UserManager.MAX_ACCOUNT_STRING_LENGTH); ++ if (accountOptions != null && accountOptions.isBundleContentsWithinLengthLimit( ++ UserManager.MAX_ACCOUNT_OPTIONS_LENGTH)) { ++ userData.seedAccountOptions = accountOptions; ++ } + userData.persistSeedData = persist; + } + if (persist) { +diff --git a/services/tests/servicestests/src/com/android/server/pm/UserManagerTest.java b/services/tests/servicestests/src/com/android/server/pm/UserManagerTest.java +index 7bcb5719c357..1f6ca27ee4bb 100644 +--- a/services/tests/servicestests/src/com/android/server/pm/UserManagerTest.java ++++ b/services/tests/servicestests/src/com/android/server/pm/UserManagerTest.java +@@ -24,6 +24,7 @@ import android.content.pm.PackageManager; + 
import android.content.pm.UserInfo; + import android.app.ActivityManager; + import android.os.Bundle; ++import android.os.PersistableBundle; + import android.os.UserHandle; + import android.os.UserManager; + import android.provider.Settings; +@@ -536,6 +537,107 @@ public class UserManagerTest extends AndroidTestCase { + assertEquals(canBeCreatedCount, created.get()); + } + ++ @Test ++ public void testAddUserAccountData_validStringValuesAreSaved_validBundleIsSaved() { ++ assumeManagedUsersSupported(); ++ ++ String userName = "User"; ++ String accountName = "accountName"; ++ String accountType = "accountType"; ++ String arrayKey = "StringArrayKey"; ++ String stringKey = "StringKey"; ++ String intKey = "IntKey"; ++ String nestedBundleKey = "PersistableBundleKey"; ++ String value1 = "Value 1"; ++ String value2 = "Value 2"; ++ String value3 = "Value 3"; ++ ++ UserInfo userInfo = mUserManager.createUser(userName, ++ UserManager.USER_TYPE_FULL_SECONDARY, 0); ++ ++ PersistableBundle accountOptions = new PersistableBundle(); ++ String[] stringArray = {value1, value2}; ++ accountOptions.putInt(intKey, 1234); ++ PersistableBundle nested = new PersistableBundle(); ++ nested.putString(stringKey, value3); ++ accountOptions.putPersistableBundle(nestedBundleKey, nested); ++ accountOptions.putStringArray(arrayKey, stringArray); ++ ++ mUserManager.clearSeedAccountData(); ++ mUserManager.setSeedAccountData(mContext.getUserId(), accountName, ++ accountType, accountOptions); ++ ++ //assert userName accountName and accountType were saved correctly ++ assertTrue(mUserManager.getUserInfo(userInfo.id).name.equals(userName)); ++ assertTrue(mUserManager.getSeedAccountName().equals(accountName)); ++ assertTrue(mUserManager.getSeedAccountType().equals(accountType)); ++ ++ //assert bundle with correct values was added ++ assertThat(mUserManager.getSeedAccountOptions().containsKey(arrayKey)).isTrue(); ++ assertThat(mUserManager.getSeedAccountOptions().getPersistableBundle(nestedBundleKey) ++ 
.getString(stringKey)).isEqualTo(value3); ++ assertThat(mUserManager.getSeedAccountOptions().getStringArray(arrayKey)[0]) ++ .isEqualTo(value1); ++ ++ mUserManager.removeUser(userInfo.id); ++ } ++ ++ @Test ++ public void testAddUserAccountData_invalidStringValuesAreTruncated_invalidBundleIsDropped() { ++ assumeManagedUsersSupported(); ++ ++ String tooLongString = generateLongString(); ++ String userName = "User " + tooLongString; ++ String accountType = "Account Type " + tooLongString; ++ String accountName = "accountName " + tooLongString; ++ String arrayKey = "StringArrayKey"; ++ String stringKey = "StringKey"; ++ String intKey = "IntKey"; ++ String nestedBundleKey = "PersistableBundleKey"; ++ String value1 = "Value 1"; ++ String value2 = "Value 2"; ++ ++ UserInfo userInfo = mUserManager.createUser(userName, ++ UserManager.USER_TYPE_FULL_SECONDARY, 0); ++ ++ PersistableBundle accountOptions = new PersistableBundle(); ++ String[] stringArray = {value1, value2}; ++ accountOptions.putInt(intKey, 1234); ++ PersistableBundle nested = new PersistableBundle(); ++ nested.putString(stringKey, tooLongString); ++ accountOptions.putPersistableBundle(nestedBundleKey, nested); ++ accountOptions.putStringArray(arrayKey, stringArray); ++ mUserManager.clearSeedAccountData(); ++ mUserManager.setSeedAccountData(mContext.getUserId(), accountName, ++ accountType, accountOptions); ++ ++ //assert userName was truncated ++ assertTrue(mUserManager.getUserInfo(userInfo.id).name.length() ++ == UserManager.MAX_USER_NAME_LENGTH); ++ ++ //assert accountName and accountType got truncated ++ assertTrue(mUserManager.getSeedAccountName().length() ++ == UserManager.MAX_ACCOUNT_STRING_LENGTH); ++ assertTrue(mUserManager.getSeedAccountType().length() ++ == UserManager.MAX_ACCOUNT_STRING_LENGTH); ++ ++ //assert bundle with invalid values was dropped ++ assertThat(mUserManager.getSeedAccountOptions() == null).isTrue(); ++ ++ mUserManager.removeUser(userInfo.id); ++ } ++ ++ private String 
generateLongString() { ++ String partialString = "Test Name Test Name Test Name Test Name Test Name Test Name Test " ++ + "Name Test Name Test Name Test Name "; //String of length 100 ++ StringBuilder resultString = new StringBuilder(); ++ for (int i = 0; i < 600; i++) { ++ resultString.append(partialString); ++ } ++ return resultString.toString(); ++ } ++ ++ + private boolean isPackageInstalledForUser(String packageName, int userId) { + try { + return mPackageManager.getPackageInfoAsUser(packageName, 0, userId) != null; diff --git a/Patches/LineageOS-16.0/android_frameworks_minikin/345903.patch b/Patches/LineageOS-16.0/android_frameworks_minikin/345903.patch new file mode 100644 index 00000000..a1529b34 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_minikin/345903.patch 
@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keith Mok
+Date: Thu, 15 Sep 2022 22:51:42 +0000
+Subject: [PATCH] Fix OOB read for registerLocaleList
+
+When the buffer size is equal to string size,
+the func in icu just return warning U_STRING_NOT_TERMINATED_WARNING
+which is a negative number, and U_FAILURE would fail if error number
+greater than zero only.
+
+This would cause non null terminated string passing into following funcs
+and causing different types of crash
+
+Bug: 239210579
+Bug: 239328580
+Bug: 239267173
+Test: locale_fuzzer
+Ignore-AOSP-First: security
+Merged-In: Id9c98fc08876656e1f48d12823a24bb7a44bee45
+Change-Id: Id9c98fc08876656e1f48d12823a24bb7a44bee45
+(cherry picked from commit d8a427cc9c8a722b0911af5139b10b0a6aeb0e03)
+Merged-In: Id9c98fc08876656e1f48d12823a24bb7a44bee45
+---
+ libs/minikin/LocaleListCache.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libs/minikin/LocaleListCache.cpp b/libs/minikin/LocaleListCache.cpp
+index c191ea6..5bd869e 100644
+--- a/libs/minikin/LocaleListCache.cpp
++++ b/libs/minikin/LocaleListCache.cpp
+@@ -42,7 +42,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const StringPiece& loc
+ size_t outLength = 0;
+ UErrorCode uErr = U_ZERO_ERROR;
+ outLength = uloc_canonicalize(localeString.c_str(), output, outSize, &uErr);
+- if (U_FAILURE(uErr)) {
++ if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) {
+ // unable to build a proper locale identifier
+ ALOGD("uloc_canonicalize(\"%s\") failed: %s", localeString.c_str(), u_errorName(uErr));
+ output[0] = '\0';
+@@ -68,7 +68,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const StringPiece& loc
+
+ uErr = U_ZERO_ERROR;
+ outLength = uloc_toLanguageTag(likelyChars, output, outSize, FALSE, &uErr);
+- if (U_FAILURE(uErr)) {
++ if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) {
+ // unable to build a proper locale identifier
+ ALOGD("uloc_toLanguageTag(\"%s\") failed: %s", likelyChars, u_errorName(uErr));
+ output[0] = '\0';
diff --git a/Patches/LineageOS-16.0/android_frameworks_minikin/345904.patch b/Patches/LineageOS-16.0/android_frameworks_minikin/345904.patch
new file mode 100644
index 00000000..786ce6b7
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_minikin/345904.patch
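Review bot: Both changed conditions in toLanguageTag (after `uloc_canonicalize` and after `uloc_toLanguageTag`) test for one specific ICU status code, while what the following code needs is that the result fits in `output` with room for the terminator. Since `outLength` is already captured from each call, the guard could state that directly, e.g. `if (U_FAILURE(uErr) || outLength >= outSize) {`, which does not depend on which status ICU reports for the exact-fit case. A one-line comment above each check noting that `U_FAILURE()` is false for warning codes would save the next reader a trip to the commit message. The function body continues outside both hunks.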
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keith Mok
+Date: Thu, 29 Sep 2022 22:34:05 +0000
+Subject: [PATCH] Fix OOB crash for registerLocaleList
+
+When the buffer size is equal to string size,
+the func in icu just return warning U_STRING_NOT_TERMINATED_WARNING
+which is a negative number, and U_FAILURE would fail if error number
+greater than zero only.
+
+This would cause non null terminated string passing into following funcs
+and causing different types of crash
+
+This fixes the previous partial fix.
+
+Bug: 248612953
+Bug: 239210579
+Bug: 249151446
+Bug: 239267173
+Test: locale_fuzzer
+Ignore-AOSP-First: security
+Merged-In: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
+Change-Id: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
+(cherry picked from commit 582927b0d6c6920ee6a04049eaa9e68608cfc888)
+(cherry picked from commit a8265407660edaa1006545a6401d6409c05acb5d)
+Merged-In: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
+---
+ libs/minikin/LocaleListCache.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libs/minikin/LocaleListCache.cpp b/libs/minikin/LocaleListCache.cpp
+index 5bd869e..ec47145 100644
+--- a/libs/minikin/LocaleListCache.cpp
++++ b/libs/minikin/LocaleListCache.cpp
+@@ -59,7 +59,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const StringPiece& loc
+ char likelyChars[ULOC_FULLNAME_CAPACITY];
+ uErr = U_ZERO_ERROR;
+ uloc_addLikelySubtags(output, likelyChars, ULOC_FULLNAME_CAPACITY, &uErr);
+- if (U_FAILURE(uErr)) {
++ if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) {
+ // unable to build a proper locale identifier
+ ALOGD("uloc_addLikelySubtags(\"%s\") failed: %s", output, u_errorName(uErr));
+ output[0] = '\0';
diff --git a/Patches/LineageOS-16.0/android_frameworks_native/356151.patch b/Patches/LineageOS-16.0/android_frameworks_native/356151.patch
new file mode 100644
index 00000000..f88e0e68
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_native/356151.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Devin Moore
+Date: Fri, 17 Feb 2023 17:12:46 +0000
+Subject: [PATCH] Check for malformed Sensor Flattenable
+
+Test: libsensorserviceaidl_fuzzer with testcase from bug
+Bug: 269014004
+Merged-In: I0e255c64243c38876fb657cbf942fc1613363216
+Change-Id: I0e255c64243c38876fb657cbf942fc1613363216
+(cherry picked from commit aeec1802f7befc8fbb18313ad3ac0969c3811870)
+Merged-In: I0e255c64243c38876fb657cbf942fc1613363216
+(cherry picked from commit on googleplex-android-review.googlesource.com host: f1aa5fb53437ec2fabc9be00099af836da5f07f2)
+Merged-In: I0e255c64243c38876fb657cbf942fc1613363216
+---
+ libs/sensor/Sensor.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libs/sensor/Sensor.cpp b/libs/sensor/Sensor.cpp
+index 2383516c95..f4421c8c65 100644
+--- a/libs/sensor/Sensor.cpp
++++ b/libs/sensor/Sensor.cpp
+@@ -576,7 +576,13 @@ bool Sensor::unflattenString8(void const*& buffer, size_t& size, String8& output
+ return false;
+ }
+ outputString8.setTo(static_cast(buffer), len);
++
++ if (size < FlattenableUtils::align<4>(len)) {
++ ALOGE("Malformed Sensor String8 field. Should be in a 4-byte aligned buffer but is not.");
++ return false;
++ }
+ FlattenableUtils::advance(buffer, size, FlattenableUtils::align<4>(len));
++
+ return true;
+ }
+
diff --git a/Patches/LineageOS-16.0/android_frameworks_native/356152.patch b/Patches/LineageOS-16.0/android_frameworks_native/356152.patch
new file mode 100644
index 00000000..b9ffc91b
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_native/356152.patch
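Review bot: The new aligned-length check in Sensor::unflattenString8 runs after `outputString8.setTo(...)` has already copied `len` bytes, so on the malformed path the caller's String8 is populated before `false` is returned. Moving the check above the `setTo` call keeps the output untouched when the buffer is rejected and groups it with the earlier `return false` guard visible at the top of the hunk. The log text says the buffer is not aligned, but the condition tests that fewer than `align<4>(len)` bytes remain; a message such as `"Malformed Sensor String8 field: padded length exceeds remaining buffer"` matches the check. The start of the function is outside the hunk.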
@@ -0,0 +1,67 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Devin Moore +Date: Fri, 17 Feb 2023 19:35:25 +0000 +Subject: [PATCH] Remove some new memory leaks from SensorManager + +After catching an error in Sensor::unflatten, there are memory leaks +caught by the fuzzer in the same test case. + +Test: libsensorserviceaidl_fuzzer with testcase from bug +Bug: 269014004 +Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582 +Change-Id: I509cceb41f56ca117d9475f6f6674244560fe582 +(cherry picked from commit c95fa0f0e7c7b73746ff850b85a79fc5f92b784e) +Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582 +(cherry picked from commit on googleplex-android-review.googlesource.com host: ceb0d52273256c6a5c5622bf81b0ac4ba106faa1) +Merged-In: I509cceb41f56ca117d9475f6f6674244560fe582 +--- + libs/sensor/ISensorServer.cpp | 12 ++++++++++-- + libs/sensor/SensorManager.cpp | 5 +++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/libs/sensor/ISensorServer.cpp b/libs/sensor/ISensorServer.cpp +index 5200545a53..b2f1ba2507 100644 +--- a/libs/sensor/ISensorServer.cpp ++++ b/libs/sensor/ISensorServer.cpp +@@ -66,7 +66,11 @@ public: + v.setCapacity(n); + while (n) { + n--; +- reply.read(s); ++ if(reply.read(s) != OK) { ++ ALOGE("Failed to read reply from getSensorList"); ++ v.clear(); ++ break; ++ } + v.add(s); + } + return v; +@@ -84,7 +88,11 @@ public: + v.setCapacity(n); + while (n) { + n--; +- reply.read(s); ++ if(reply.read(s) != OK) { ++ ALOGE("Failed to read reply from getDynamicSensorList"); ++ v.clear(); ++ break; ++ } + v.add(s); + } + return v; +diff --git a/libs/sensor/SensorManager.cpp b/libs/sensor/SensorManager.cpp +index c97e4da9b5..c9b857c60f 100644 +--- a/libs/sensor/SensorManager.cpp ++++ b/libs/sensor/SensorManager.cpp +@@ -162,6 +162,11 @@ status_t SensorManager::assertStateLocked() { + + mSensors = mSensorServer->getSensorList(mOpPackageName); + size_t count = mSensors.size(); ++ if (count == 0) { ++ ALOGE("Failed 
to get Sensor list"); ++ mSensorServer.clear(); ++ return UNKNOWN_ERROR; ++ } + mSensorList = + static_cast(malloc(count * sizeof(Sensor*))); + LOG_ALWAYS_FATAL_IF(mSensorList == NULL, "mSensorList NULL"); diff --git a/Patches/LineageOS-16.0/android_frameworks_native/356153.patch b/Patches/LineageOS-16.0/android_frameworks_native/356153.patch new file mode 100644 index 00000000..816fe925 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_native/356153.patch 
@@ -0,0 +1,71 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Anthony Stange +Date: Tue, 21 Feb 2023 17:57:38 +0000 +Subject: [PATCH] Add removeInstanceForPackageMethod to SensorManager + +In order to ensure that clients don't leak their sensor manager +instance that we currently store in a static map, they need to be able +to remove their instance. Otherwise, this instance is never removed from +the list and will hang around until our SensorManage instance is +destroyed. + +Bug: 269014004 +Test: Run ./libsensorserviceaidl_fuzzer +Change-Id: I52185f74ae8d28b379440235ca6f03c5089081f5 +(cherry picked from commit 9532f7c682fdd4b1e6e553cd6f61fc0cf2555902) +Merged-In: I52185f74ae8d28b379440235ca6f03c5089081f5 +(cherry picked from commit on googleplex-android-review.googlesource.com host: 4521fbf8095439a1c1681b5c709b306a5dc1d1e3) +Merged-In: I52185f74ae8d28b379440235ca6f03c5089081f5 +--- + libs/sensor/SensorManager.cpp | 10 ++++++++++ + libs/sensor/include/sensor/SensorManager.h | 1 + + services/sensorservice/hidl/SensorManager.cpp | 3 +++ + 3 files changed, 14 insertions(+) + +diff --git a/libs/sensor/SensorManager.cpp b/libs/sensor/SensorManager.cpp +index c9b857c60f..d7210b10e0 100644 +--- a/libs/sensor/SensorManager.cpp ++++ b/libs/sensor/SensorManager.cpp +@@ -92,6 +92,16 @@ SensorManager& SensorManager::getInstanceForPackage(const String16& packageName) + return *sensorManager; + } + ++void SensorManager::removeInstanceForPackage(const String16& packageName) { ++ Mutex::Autolock _l(sLock); ++ auto iterator = sPackageInstances.find(packageName); ++ if (iterator != sPackageInstances.end()) { ++ SensorManager* sensorManager = iterator->second; ++ delete sensorManager; ++ sPackageInstances.erase(iterator); ++ } ++} ++ + SensorManager::SensorManager(const String16& opPackageName) + : mSensorList(0), mOpPackageName(opPackageName), mDirectConnectionHandle(1) { + Mutex::Autolock _l(mLock); +diff --git 
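Review bot: `removeInstanceForPackage` deletes the SensorManager that `getInstanceForPackage` hands out by reference, and neither the definition in this hunk nor the declaration added to SensorManager.h documents that lifetime rule. Any caller still holding the `SensorManager&` for that package name is left with a dangling reference once this runs. Add a comment on the declaration along the lines of `// Destroys the instance for packageName; references previously returned by getInstanceForPackage(packageName) must not be used afterwards.` The hidl destructor hunk would also benefit from a line saying why `ISensorManager::descriptor` is the key being removed.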
a/libs/sensor/include/sensor/SensorManager.h b/libs/sensor/include/sensor/SensorManager.h +index 23f7a918bb..d6eab17c45 100644 +--- a/libs/sensor/include/sensor/SensorManager.h ++++ b/libs/sensor/include/sensor/SensorManager.h +@@ -54,6 +54,7 @@ class SensorManager : public ASensorManager + { + public: + static SensorManager& getInstanceForPackage(const String16& packageName); ++ static void removeInstanceForPackage(const String16& packageName); + ~SensorManager(); + + ssize_t getSensorList(Sensor const* const** list); +diff --git a/services/sensorservice/hidl/SensorManager.cpp b/services/sensorservice/hidl/SensorManager.cpp +index fee6da1e60..cf2fc448ea 100644 +--- a/services/sensorservice/hidl/SensorManager.cpp ++++ b/services/sensorservice/hidl/SensorManager.cpp +@@ -60,6 +60,9 @@ SensorManager::~SensorManager() { + if (mPollThread.joinable()) { + mPollThread.join(); + } ++ ++ ::android::SensorManager::removeInstanceForPackage( ++ String16(ISensorManager::descriptor)); + } + + // Methods from ::android::frameworks::sensorservice::V1_0::ISensorManager follow. diff --git a/Patches/LineageOS-16.0/android_frameworks_native/366129.patch b/Patches/LineageOS-16.0/android_frameworks_native/366129.patch new file mode 100644 index 00000000..6f19c8f7 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_native/366129.patch 
@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Devin Moore
+Date: Tue, 25 Apr 2023 00:17:13 +0000
+Subject: [PATCH] Allow sensors list to be empty
+
+Test: atest VtsHalSensorManagerV1_0TargetTest
+Bug: 278013275
+Bug: 269014004
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:49600b10aa5675d4e7e985203d69f252ead13e45)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7057a9f08d98bfec8ffbabcf00f2885d3909c6c9)
+Merged-In: I091f57de9570b0ace3a8da76f16fe0e83f0aa624
+Change-Id: I091f57de9570b0ace3a8da76f16fe0e83f0aa624
+---
+ libs/sensor/SensorManager.cpp | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/libs/sensor/SensorManager.cpp b/libs/sensor/SensorManager.cpp
+index d7210b10e0..35802db95c 100644
+--- a/libs/sensor/SensorManager.cpp
++++ b/libs/sensor/SensorManager.cpp
+@@ -172,11 +172,8 @@ status_t SensorManager::assertStateLocked() {
+
+ mSensors = mSensorServer->getSensorList(mOpPackageName);
+ size_t count = mSensors.size();
+- if (count == 0) {
+- ALOGE("Failed to get Sensor list");
+- mSensorServer.clear();
+- return UNKNOWN_ERROR;
+- }
++ // If count is 0, mSensorList will be non-null. This is old
++ // existing behavior and callers expect this.
+ mSensorList =
+ static_cast(malloc(count * sizeof(Sensor*)));
+ LOG_ALWAYS_FATAL_IF(mSensorList == NULL, "mSensorList NULL");
diff --git a/Patches/LineageOS-16.0/android_frameworks_opt_telephony/334263.patch b/Patches/LineageOS-16.0/android_frameworks_opt_telephony/334263.patch
new file mode 100644
index 00000000..041b71fc
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_opt_telephony/334263.patch
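Review bot: The added comment in assertStateLocked states that `mSensorList` will be non-null when `count` is 0, but that depends on the allocator: `malloc(0)` may return either NULL or a unique pointer, and a NULL result would trip the `LOG_ALWAYS_FATAL_IF(mSensorList == NULL, ...)` two lines below. If the platform allocator's behaviour is what is relied on, say so in the comment, or make it explicit with `malloc((count ? count : 1) * sizeof(Sensor*))`. With the `count == 0` check removed, a failed parcel read in getSensorList (which clears the vector in patch 356152 on this page) is again indistinguishable from a device with no sensors, which deserves a sentence in the comment as well. The function continues outside the hunk.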
@@ -0,0 +1,94 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ling Ma +Date: Tue, 3 May 2022 18:13:57 -0700 +Subject: [PATCH] Enforce privileged phone state for + getSubscriptionProperty(GROUP_UUID) + +Bug: 213457638 +Test: atest +Change-Id: I8d7cc836402a9a7695c972860d38035c4ec0fa44 +Merged-In: I8d7cc836402a9a7695c972860d38035c4ec0fa44 +Merged-In: Ie8017c39a495f93603aeb5d1a335fe2fe528cf77 +(cherry picked from commit b0e3c5d17e44b6de4ddb5e1ad0018243d38e2cc4) +(cherry picked from commit 12db8db9b127a3a9b414a8a09f6445c2a58f553e) +Merged-In: I8d7cc836402a9a7695c972860d38035c4ec0fa44 +--- + .../telephony/SubscriptionController.java | 18 +++++++++-- + .../telephony/SubscriptionControllerTest.java | 30 +++++++++++++++++++ + 2 files changed, 45 insertions(+), 3 deletions(-) + +diff --git a/src/java/com/android/internal/telephony/SubscriptionController.java b/src/java/com/android/internal/telephony/SubscriptionController.java +index 5f9458d2c8..7848367369 100644 +--- a/src/java/com/android/internal/telephony/SubscriptionController.java ++++ b/src/java/com/android/internal/telephony/SubscriptionController.java +@@ -16,6 +16,8 @@ + + package com.android.internal.telephony; + ++import static android.content.pm.PackageManager.PERMISSION_GRANTED; ++ + import android.Manifest; + import android.annotation.Nullable; + import android.app.AppOpsManager; +@@ -2075,9 +2077,19 @@ public class SubscriptionController extends ISub.Stub { + */ + @Override + public String getSubscriptionProperty(int subId, String propKey, String callingPackage) { +- if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState( +- mContext, subId, callingPackage, "getSubscriptionProperty")) { +- return null; ++ switch (propKey) { ++ case "group_uuid": ++ if (mContext.checkCallingOrSelfPermission( ++ Manifest.permission.READ_PRIVILEGED_PHONE_STATE) != PERMISSION_GRANTED) { ++ EventLog.writeEvent(0x534e4554, "213457638", Binder.getCallingUid()); ++ return null; ++ } ++ break; ++ 
default: ++ if (!TelephonyPermissions.checkCallingOrSelfReadPhoneState(mContext, subId, ++ callingPackage, "getSubscriptionProperty")) { ++ return null; ++ } + } + String resultValue = null; + ContentResolver resolver = mContext.getContentResolver(); +diff --git a/tests/telephonytests/src/com/android/internal/telephony/SubscriptionControllerTest.java b/tests/telephonytests/src/com/android/internal/telephony/SubscriptionControllerTest.java +index ef9f7d4b86..358fddbe94 100644 +--- a/tests/telephonytests/src/com/android/internal/telephony/SubscriptionControllerTest.java ++++ b/tests/telephonytests/src/com/android/internal/telephony/SubscriptionControllerTest.java +@@ -422,4 +422,34 @@ public class SubscriptionControllerTest extends TelephonyTest { + SubscriptionManager.WFC_IMS_ROAMING_MODE, + mCallingPackage)); + } ++ ++ @Test ++ @SmallTest ++ public void testGetSubscriptionProperty() throws Exception { ++ testInsertSim(); ++ ContentValues values = new ContentValues(); ++ values.put(SubscriptionManager.GROUP_UUID, 1); ++ mFakeTelephonyProvider.update(SubscriptionManager.CONTENT_URI, values, ++ SubscriptionManager.UNIQUE_KEY_SUBSCRIPTION_ID + "=" + 1, null); ++ ++ mContextFixture.removeCallingOrSelfPermission(ContextFixture.PERMISSION_ENABLE_ALL); ++ mContextFixture.addCallingOrSelfPermission(Manifest.permission.READ_PHONE_STATE); ++ ++ // should succeed with read phone state permission ++ String prop = mSubscriptionControllerUT.getSubscriptionProperty(1, ++ SubscriptionManager.CB_EXTREME_THREAT_ALERT, mContext.getOpPackageName()); ++ ++ assertNotEquals(null, prop); ++ ++ // group UUID requires privileged phone state permission ++ prop = mSubscriptionControllerUT.getSubscriptionProperty(1, SubscriptionManager.GROUP_UUID, ++ mContext.getOpPackageName()); ++ assertEquals(null, prop); ++ ++ // group UUID should succeed once privileged phone state permission is granted ++ mContextFixture.addCallingOrSelfPermission(Manifest.permission.READ_PRIVILEGED_PHONE_STATE); ++ prop 
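Review bot: The privileged branch in getSubscriptionProperty is selected by the string literal `"group_uuid"`, while the test added in this same patch refers to the key as `SubscriptionManager.GROUP_UUID`; assuming that is a compile-time constant, use `case SubscriptionManager.GROUP_UUID:` so the permission check cannot drift from the column name. `switch (propKey)` also throws NullPointerException for a null `propKey` and now runs before any permission check, so a guard ahead of the switch (`if (propKey == null) return null;`) is worth adding; how null was handled before is not visible in this hunk. The match is exact and case-sensitive, so confirm that the lookup later in the method, outside the hunk, accepts only the same exact key.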
= mSubscriptionControllerUT.getSubscriptionProperty(1, SubscriptionManager.GROUP_UUID, ++ mContext.getOpPackageName()); ++ assertNotEquals(null, prop); ++ } + } diff --git a/Patches/LineageOS-16.0/android_hardware_nxp_nfc/344180.patch b/Patches/LineageOS-16.0/android_hardware_nxp_nfc/344180.patch new file mode 100644 index 00000000..54f5120c --- /dev/null +++ b/Patches/LineageOS-16.0/android_hardware_nxp_nfc/344180.patch @@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Wed, 3 Aug 2022 12:25:33 -0700 +Subject: [PATCH] OOBW in phNxpNciHal_write_unlocked() + +Bug: 230356196 +Test: builds ok +Merged-In: Ief580984ad58dbc7c57c2537c511d6b81c91b581 +Change-Id: I7f22b9ce4a7f101a9218de746b71def74a5efa8c +(cherry picked from commit a0c461b91a67f6ee0e86f856bcea2bdac2318491) +Merged-In: I7f22b9ce4a7f101a9218de746b71def74a5efa8c +--- + halimpl/hal/phNxpNciHal_ext.cc | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc +index 895cc43..ed66878 100755 +--- a/halimpl/hal/phNxpNciHal_ext.cc ++++ b/halimpl/hal/phNxpNciHal_ext.cc +@@ -744,7 +744,8 @@ NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data, + status = NFCSTATUS_FAILED; + } + // 2002 0904 3000 3100 3200 5000 +- else if ((p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) && ++ else if (*cmd_len <= (NCI_MAX_DATA_LEN - 1) && ++ (p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) && + ((p_cmd_data[2] == 0x09 && p_cmd_data[3] == 0x04) /*|| + (p_cmd_data[2] == 0x0D && p_cmd_data[3] == 0x04)*/ + )) { diff --git a/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/332758.patch b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/332758.patch new file mode 100644 index 00000000..99b1cfb9 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/332758.patch 
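Review bot: The added `*cmd_len <= (NCI_MAX_DATA_LEN - 1)` term in phNxpNciHal_write_ext bounds the command length from above only, while the same condition reads `p_cmd_data[0]` through `p_cmd_data[3]`; no lower bound on `*cmd_len` is visible in this hunk. If an earlier branch does not already guarantee at least four bytes, add `*cmd_len >= 4 &&` to the condition. A short comment naming the write that the `- 1` leaves room for (it is in the branch body, outside the hunk) would make the bound reviewable without opening the file.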
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rahul Sabnis
+Date: Wed, 6 Apr 2022 18:08:18 +0000
+Subject: [PATCH] Removes app access to BluetoothAdapter#setScanMode by
+ requiring BLUETOOTH_PRIVILEGED permission.
+
+Bug: 203431023
+Test: Manual
+Merged-In: I50d5ed327a7c90a3f73a9924e5b2b66310dff76c
+Change-Id: I50d5ed327a7c90a3f73a9924e5b2b66310dff76c
+(cherry picked from commit 95cbb22647ef5e4505f64d97b7dcbfad2a9fb0e0)
+Merged-In: I50d5ed327a7c90a3f73a9924e5b2b66310dff76c
+---
+ src/com/android/bluetooth/btservice/AdapterService.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/bluetooth/btservice/AdapterService.java b/src/com/android/bluetooth/btservice/AdapterService.java
+index c0772dd30..3b804db7a 100644
+--- a/src/com/android/bluetooth/btservice/AdapterService.java
++++ b/src/com/android/bluetooth/btservice/AdapterService.java
+@@ -1701,7 +1701,8 @@ public class AdapterService extends Service {
+ }
+
+ boolean setScanMode(int mode, int duration) {
+- enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
++ enforceCallingOrSelfPermission(
++ BLUETOOTH_PRIVILEGED, "Need BLUETOOTH PRIVILEGED permission");
+
+ setDiscoverableTimeout(duration);
+
diff --git a/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/332759.patch b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/332759.patch
new file mode 100644
index 00000000..9e8ccbd2
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/332759.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rahul Sabnis
+Date: Wed, 6 Apr 2022 22:44:01 +0000
+Subject: [PATCH] Removes app access to BluetoothAdapter#setDiscoverableTimeout
+ by requiring BLUETOOTH_PRIVILEGED permission.
+
+Bug: 206807679
+Test: Manual
+Merged-In: I73288f495d35280a5724d070248db54e2fe537fd
+Change-Id: I73288f495d35280a5724d070248db54e2fe537fd
+(cherry picked from commit 528ea846133dc7dc4ce843e5b649abd50b58d527)
+Merged-In: I73288f495d35280a5724d070248db54e2fe537fd
+---
+ src/com/android/bluetooth/btservice/AdapterService.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/bluetooth/btservice/AdapterService.java b/src/com/android/bluetooth/btservice/AdapterService.java
+index 3b804db7a..a14f8d657 100644
+--- a/src/com/android/bluetooth/btservice/AdapterService.java
++++ b/src/com/android/bluetooth/btservice/AdapterService.java
+@@ -1717,7 +1717,8 @@ public class AdapterService extends Service {
+ }
+
+ boolean setDiscoverableTimeout(int timeout) {
+- enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
++ enforceCallingOrSelfPermission(
++ BLUETOOTH_PRIVILEGED, "Need BLUETOOTH PRIVILEGED permission");
+
+ return mAdapterProperties.setDiscoverableTimeout(timeout);
+ }
diff --git a/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/345907.patch b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/345907.patch
new file mode 100644
index 00000000..00eacbd0
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/345907.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Wed, 28 Sep 2022 23:30:49 +0000
+Subject: [PATCH] Fix URI check in BluetoothOppUtility.java
+
+Bug: 225880741
+Test: BT unit tests, validated against researcher POC
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I65c1494023930aa23fede55936488f605c7cfe01
+(cherry picked from commit d0957cfdf1fc1b36620c1545643ffbc37f0ac24c)
+Merged-In: I65c1494023930aa23fede55936488f605c7cfe01
+---
+ src/com/android/bluetooth/opp/BluetoothOppUtility.java | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+index 6b1dcc2c9..d6211d701 100644
+--- a/src/com/android/bluetooth/opp/BluetoothOppUtility.java
++++ b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+@@ -45,6 +45,7 @@ import android.content.pm.ResolveInfo;
+ import android.database.Cursor;
+ import android.net.Uri;
+ import android.os.Environment;
++import android.util.EventLog;
+ import android.util.Log;
+
+ import com.android.bluetooth.R;
+@@ -71,7 +72,11 @@ public class BluetoothOppUtility {
+ new ConcurrentHashMap();
+
+ public static boolean isBluetoothShareUri(Uri uri) {
+- return uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString());
++ if (uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString())
++ && !uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority())) {
++ EventLog.writeEvent(0x534e4554, "225880741", -1, "");
++ }
++ return uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority());
+ }
+
+ public static BluetoothOppTransferInfo queryRecord(Context context, Uri uri) {
diff --git a/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/349332.patch b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/349332.patch
new file mode 100644
index 00000000..aa4ea574
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/349332.patch 
@@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Tue, 8 Nov 2022 23:32:46 +0000 +Subject: [PATCH] Fix OPP comparison + +isBluetoothShareUri_correctlyCheckUri (under +com.android.bluetooth.opp.BluetoothOppUtilityTest) is failing +on null input due to an incorrect comparison in +isBluetoothShareUri. Change the comparison to one which can +cope with null input. + +Bug: 257190999 +Test: atest: BluetoothOppUtilityTest +Tag: #security +Ignore-AOSP-First: Security +Change-Id: Ia6a08e7092c2084e1816b782317c13254e78719b +(cherry picked from commit 90dc6fcdcba6c0c2b0f9bdaad28457a81c9af4ba) +Merged-In: Ia6a08e7092c2084e1816b782317c13254e78719b +--- + src/com/android/bluetooth/opp/BluetoothOppUtility.java | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java +index d6211d701..a002c1829 100644 +--- a/src/com/android/bluetooth/opp/BluetoothOppUtility.java ++++ b/src/com/android/bluetooth/opp/BluetoothOppUtility.java +@@ -58,6 +58,7 @@ import java.math.RoundingMode; + import java.text.DecimalFormat; + import java.util.ArrayList; + import java.util.List; ++import java.util.Objects; + import java.util.concurrent.ConcurrentHashMap; + + /** +@@ -73,10 +74,10 @@ public class BluetoothOppUtility { + + public static boolean isBluetoothShareUri(Uri uri) { + if (uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString()) +- && !uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority())) { ++ && !Objects.equals(uri.getAuthority(), BluetoothShare.CONTENT_URI.getAuthority())) { + EventLog.writeEvent(0x534e4554, "225880741", -1, ""); + } +- return uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority()); ++ return Objects.equals(uri.getAuthority(), BluetoothShare.CONTENT_URI.getAuthority()); + } + + public static BluetoothOppTransferInfo queryRecord(Context context, 
Uri uri) { diff --git a/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/377774.patch b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/377774.patch new file mode 100644 index 00000000..8fbbe903 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/377774.patch @@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Thu, 5 Oct 2023 00:01:03 +0000 +Subject: [PATCH] Fix UAF in ~CallbackEnv + +com_android_bluetooth_btservice_AdapterService does not null its local +JNI environment variable after detaching the thread (which frees the +environment context), allowing UAF under certain conditions. + +Null the variable in this case. + +Testing here was done through a custom unit test; see patchsets 4-6 for +contents. However, unit testing of the JNI layer is problematic in +production, so that part of the patch is omitted for final merge. + +Bug: 291500341 +Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm +Tag: #security +Ignore-AOSP-First: Security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f543d919c4067f2f4925580fd8a690ba3440e80) +Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030 +Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030 +--- + jni/com_android_bluetooth_btservice_AdapterService.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp +index f88a675b7..8faf670ce 100644 +--- a/jni/com_android_bluetooth_btservice_AdapterService.cpp ++++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp +@@ -406,6 +406,7 @@ static void callback_thread_event(bt_cb_thread_evt event) { + return; + } + vm->DetachCurrentThread(); ++ callbackEnv = NULL; + } + } + 
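Review bot: In isBluetoothShareUri (patch 349332, `@@ -73,10 +74,10 @@`) the authority comparison is evaluated twice, once for the EventLog branch and once for the return, and a null `uri` still throws at `uri.toString()` even though the commit message describes the fix as coping with null input. Computing it once makes the null case explicit: `boolean sameAuthority = uri != null && Objects.equals(uri.getAuthority(), BluetoothShare.CONTENT_URI.getAuthority());`, with the logging branch guarded by `uri != null` and the method ending in `return sameAuthority;`. The result now depends on the authority alone, so scheme and path no longer take part in the decision; if callers expect only URIs under the share provider's path, keep the `startsWith` test as an additional condition on the return.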
diff --git a/Patches/LineageOS-16.0/android_packages_apps_Contacts/332760.patch b/Patches/LineageOS-16.0/android_packages_apps_Contacts/332760.patch new file mode 100644 index 00000000..bfa4e4f9 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Contacts/332760.patch @@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: John Shao +Date: Thu, 24 Feb 2022 22:20:11 +0000 +Subject: [PATCH] No longer export CallSubjectDialog + +This is most likely not used outside of the app and can be potentially +exploited + +Bug: 218341397 +Test: Manual +Change-Id: I8c0c2bdddb172aba5a41e3fff0413eb48a5f4455 +Merged-In: I8c0c2bdddb172aba5a41e3fff0413eb48a5f4455 +(cherry picked from commit eadb0b1cc94deaa238bfdf225a504119a8a24388) +(cherry picked from commit 1f6d68c79699a9790e6cf0ab82bdc15c64eb7f5a) +Merged-In: I8c0c2bdddb172aba5a41e3fff0413eb48a5f4455 +--- + AndroidManifest.xml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/AndroidManifest.xml b/AndroidManifest.xml +index 221dd6928..071c394f2 100644 +--- a/AndroidManifest.xml ++++ b/AndroidManifest.xml +@@ -567,6 +567,7 @@ + + + diff --git a/Patches/LineageOS-16.0/android_packages_apps_Dialer/332761.patch b/Patches/LineageOS-16.0/android_packages_apps_Dialer/332761.patch new file mode 100644 index 00000000..74ae4a04 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Dialer/332761.patch 
@@ -0,0 +1,27 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tatsuaki Machida +Date: Mon, 28 Feb 2022 10:36:08 +0000 +Subject: [PATCH] No longer export CallSubjectDialog + +Bug: 221802256 +Change-Id: Ibfc10e706d204131c33071a5fd5b6596ba5c2d48 +Test: N/A +(cherry picked from commit d96b98bbb21118356726588d0ff3707246369fdb) +(cherry picked from commit 1ab4eeb65ed117745b9576769b069cf0b38eafb0) +Merged-In: Ibfc10e706d204131c33071a5fd5b6596ba5c2d48 +--- + java/com/android/contacts/common/AndroidManifest.xml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/java/com/android/contacts/common/AndroidManifest.xml b/java/com/android/contacts/common/AndroidManifest.xml +index e97221549..84ac96fdb 100644 +--- a/java/com/android/contacts/common/AndroidManifest.xml ++++ b/java/com/android/contacts/common/AndroidManifest.xml +@@ -21,6 +21,7 @@ + + + diff --git a/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/342101.patch b/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/342101.patch new file mode 100644 index 00000000..86c88eed --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/342101.patch 
@@ -0,0 +1,122 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Oli Lan +Date: Fri, 25 Feb 2022 15:48:29 +0000 +Subject: [PATCH] Prevent exfiltration of system files via user image settings. + +This adds mitigations to prevent system files being exfiltrated +via the settings content provider when a content URI is provided +as a chosen user image. + +The mitigations are: + +1) Copy the image to a new URI rather than the existing takePictureUri +prior to cropping. + +2) Only allow a system handler to respond to the CROP intent. + +A similar change is made in ag/17003629 which uses the same +mechanism. + +Bug: 187702830 +Test: builds +Change-Id: Iba9e08b3cf9e31c162354f09aaf6b4f9afb6bd27 +(cherry picked from commit fac28abbe64a1c3e430414f35139988ef96edb7c) +Merged-In: Iba9e08b3cf9e31c162354f09aaf6b4f9afb6bd27 +--- + .../preferences/EditUserPhotoController.java | 33 ++++++++++++++----- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/src/com/android/emergency/preferences/EditUserPhotoController.java b/src/com/android/emergency/preferences/EditUserPhotoController.java +index 77bed01..8aeb8b0 100644 +--- a/src/com/android/emergency/preferences/EditUserPhotoController.java ++++ b/src/com/android/emergency/preferences/EditUserPhotoController.java +@@ -22,6 +22,7 @@ import android.content.ClipData; + import android.content.ContentResolver; + import android.content.Context; + import android.content.Intent; ++import android.content.pm.ActivityInfo; + import android.content.pm.PackageManager; + import android.database.Cursor; + import android.graphics.Bitmap; +@@ -73,6 +74,7 @@ public class EditUserPhotoController { + private static final int REQUEST_CODE_TAKE_PHOTO = 10002; + private static final int REQUEST_CODE_CROP_PHOTO = 10003; + ++ private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg"; + private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg"; + private static final 
String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg"; + private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png"; +@@ -85,6 +87,7 @@ public class EditUserPhotoController { + private final Fragment mFragment; + private final ImageView mImageView; + ++ private final Uri mPreCropPictureUri; + private final Uri mCropPictureUri; + private final Uri mTakePictureUri; + +@@ -96,6 +99,7 @@ public class EditUserPhotoController { + mContext = view.getContext(); + mFragment = fragment; + mImageView = view; ++ mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting); + mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting); + mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting); + mPhotoSize = getPhotoSize(mContext); +@@ -122,7 +126,7 @@ public class EditUserPhotoController { + case REQUEST_CODE_TAKE_PHOTO: + case REQUEST_CODE_CHOOSE_PHOTO: + if (mTakePictureUri.equals(pictureUri)) { +- cropPhoto(); ++ cropPhoto(pictureUri); + } else { + copyAndCropPhoto(pictureUri); + } +@@ -231,7 +235,7 @@ public class EditUserPhotoController { + protected Void doInBackground(Void... 
params) { + final ContentResolver cr = mContext.getContentResolver(); + try (InputStream in = cr.openInputStream(pictureUri); +- OutputStream out = cr.openOutputStream(mTakePictureUri)) { ++ OutputStream out = cr.openOutputStream(mPreCropPictureUri)) { + Streams.copy(in, out); + } catch (IOException e) { + Log.w(TAG, "Failed to copy photo", e); +@@ -242,21 +246,32 @@ public class EditUserPhotoController { + @Override + protected void onPostExecute(Void result) { + if (!mFragment.isAdded()) return; +- cropPhoto(); ++ cropPhoto(mPreCropPictureUri); + } + }.execute(); + } + +- private void cropPhoto() { ++ private void cropPhoto(final Uri pictureUri) { + Intent intent = new Intent(ACTION_CROP); +- intent.setDataAndType(mTakePictureUri, "image/*"); ++ intent.setDataAndType(pictureUri, "image/*"); + appendOutputExtra(intent, mCropPictureUri); + appendCropExtras(intent); +- if (intent.resolveActivity(mContext.getPackageManager()) != null) { +- mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO); +- } else { +- onPhotoCropped(mTakePictureUri, false); ++ if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) { ++ return; ++ } ++ onPhotoCropped(mTakePictureUri, false); ++ } ++ ++ private boolean startSystemActivityForResult(Intent intent, int code) { ++ ActivityInfo info = intent.resolveActivityInfo(mContext.getPackageManager(), ++ PackageManager.MATCH_SYSTEM_ONLY); ++ if (info == null) { ++ Log.w(TAG, "No system package activity could be found for code " + code); ++ return false; + } ++ intent.setPackage(info.packageName); ++ mFragment.startActivityForResult(intent, code); ++ return true; + } + + private void appendOutputExtra(Intent intent, Uri pictureUri) { diff --git a/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/345908.patch b/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/345908.patch new file mode 100644 index 00000000..26e6d625 --- /dev/null 
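Review bot: In `cropPhoto(final Uri pictureUri)` the fallback still calls `onPhotoCropped(mTakePictureUri, false)`, although the copy path now writes the chosen image to `mPreCropPictureUri`. When no system crop handler is found after `copyAndCropPhoto`, the fallback therefore appears to read a URI this patch no longer writes to. Passing the argument through, `onPhotoCropped(pictureUri, false);`, would keep both paths consistent; `onPhotoCropped` itself is outside the hunk, so confirm how it uses the URI. The same fallback line appears in 345909.patch and in android_packages_apps_Settings/332763.patch further down.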
+++ b/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/345908.patch 
@@ -0,0 +1,113 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Oli Lan +Date: Wed, 27 Jul 2022 17:18:23 +0000 +Subject: [PATCH] Revert "Prevent exfiltration of system files via user image + settings." + +This reverts commit fac28abbe64a1c3e430414f35139988ef96edb7c. + +Reason for revert: regression if multiple crop system crop handlers are present + +Bug: 239914925 + +Change-Id: I1784eec7ffa2af0b48fa0d0d075e015ebfb7fa47 +(cherry picked from commit 889b93dd4ec351889db69b528d81cdc3f63968fc) +Merged-In: I1784eec7ffa2af0b48fa0d0d075e015ebfb7fa47 +--- + .../preferences/EditUserPhotoController.java | 33 +++++-------------- + 1 file changed, 9 insertions(+), 24 deletions(-) + +diff --git a/src/com/android/emergency/preferences/EditUserPhotoController.java b/src/com/android/emergency/preferences/EditUserPhotoController.java +index 8aeb8b0..77bed01 100644 +--- a/src/com/android/emergency/preferences/EditUserPhotoController.java ++++ b/src/com/android/emergency/preferences/EditUserPhotoController.java +@@ -22,7 +22,6 @@ import android.content.ClipData; + import android.content.ContentResolver; + import android.content.Context; + import android.content.Intent; +-import android.content.pm.ActivityInfo; + import android.content.pm.PackageManager; + import android.database.Cursor; + import android.graphics.Bitmap; +@@ -74,7 +73,6 @@ public class EditUserPhotoController { + private static final int REQUEST_CODE_TAKE_PHOTO = 10002; + private static final int REQUEST_CODE_CROP_PHOTO = 10003; + +- private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg"; + private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg"; + private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg"; + private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png"; +@@ -87,7 +85,6 @@ public class EditUserPhotoController { + private final Fragment mFragment; + private final ImageView mImageView; + +- 
private final Uri mPreCropPictureUri; + private final Uri mCropPictureUri; + private final Uri mTakePictureUri; + +@@ -99,7 +96,6 @@ public class EditUserPhotoController { + mContext = view.getContext(); + mFragment = fragment; + mImageView = view; +- mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting); + mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting); + mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting); + mPhotoSize = getPhotoSize(mContext); +@@ -126,7 +122,7 @@ public class EditUserPhotoController { + case REQUEST_CODE_TAKE_PHOTO: + case REQUEST_CODE_CHOOSE_PHOTO: + if (mTakePictureUri.equals(pictureUri)) { +- cropPhoto(pictureUri); ++ cropPhoto(); + } else { + copyAndCropPhoto(pictureUri); + } +@@ -235,7 +231,7 @@ public class EditUserPhotoController { + protected Void doInBackground(Void... params) { + final ContentResolver cr = mContext.getContentResolver(); + try (InputStream in = cr.openInputStream(pictureUri); +- OutputStream out = cr.openOutputStream(mPreCropPictureUri)) { ++ OutputStream out = cr.openOutputStream(mTakePictureUri)) { + Streams.copy(in, out); + } catch (IOException e) { + Log.w(TAG, "Failed to copy photo", e); +@@ -246,32 +242,21 @@ public class EditUserPhotoController { + @Override + protected void onPostExecute(Void result) { + if (!mFragment.isAdded()) return; +- cropPhoto(mPreCropPictureUri); ++ cropPhoto(); + } + }.execute(); + } + +- private void cropPhoto(final Uri pictureUri) { ++ private void cropPhoto() { + Intent intent = new Intent(ACTION_CROP); +- intent.setDataAndType(pictureUri, "image/*"); ++ intent.setDataAndType(mTakePictureUri, "image/*"); + appendOutputExtra(intent, mCropPictureUri); + appendCropExtras(intent); +- if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) { +- return; +- } +- onPhotoCropped(mTakePictureUri, false); +- } +- +- private boolean startSystemActivityForResult(Intent intent, int code) { 
+- ActivityInfo info = intent.resolveActivityInfo(mContext.getPackageManager(), +- PackageManager.MATCH_SYSTEM_ONLY); +- if (info == null) { +- Log.w(TAG, "No system package activity could be found for code " + code); +- return false; ++ if (intent.resolveActivity(mContext.getPackageManager()) != null) { ++ mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO); ++ } else { ++ onPhotoCropped(mTakePictureUri, false); + } +- intent.setPackage(info.packageName); +- mFragment.startActivityForResult(intent, code); +- return true; + } + + private void appendOutputExtra(Intent intent, Uri pictureUri) { diff --git a/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/345909.patch b/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/345909.patch new file mode 100644 index 00000000..193d1859 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/345909.patch 
@@ -0,0 +1,123 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Oli Lan +Date: Fri, 26 Aug 2022 18:33:53 +0100 +Subject: [PATCH] Prevent exfiltration of system files via avatar picker. + +This adds mitigations to prevent system files being exfiltrated +via the settings content provider when a content URI is provided +as a chosen user image. + +The mitigations are: + +1) Copy the image to a new URI rather than the existing takePictureUri +prior to cropping. + +2) Only allow a system handler to respond to the CROP intent. + +This is a fixed version of ag/17004678, to address b/239513606. + +Bug: 187702830 +Test: build and check functionality +Change-Id: I07bb987b930b851a28871a13032b8fcfcd96d6d1 +(cherry picked from commit 5981e18eb50c54088dc29f8a1e1dc8efdd4bb887) +Merged-In: I07bb987b930b851a28871a13032b8fcfcd96d6d1 +--- + .../preferences/EditUserPhotoController.java | 34 ++++++++++++++----- + 1 file changed, 25 insertions(+), 9 deletions(-) + +diff --git a/src/com/android/emergency/preferences/EditUserPhotoController.java b/src/com/android/emergency/preferences/EditUserPhotoController.java +index 77bed01..7265187 100644 +--- a/src/com/android/emergency/preferences/EditUserPhotoController.java ++++ b/src/com/android/emergency/preferences/EditUserPhotoController.java +@@ -22,7 +22,9 @@ import android.content.ClipData; + import android.content.ContentResolver; + import android.content.Context; + import android.content.Intent; ++import android.content.pm.ActivityInfo; + import android.content.pm.PackageManager; ++import android.content.pm.ResolveInfo; + import android.database.Cursor; + import android.graphics.Bitmap; + import android.graphics.Bitmap.Config; +@@ -73,6 +75,7 @@ public class EditUserPhotoController { + private static final int REQUEST_CODE_TAKE_PHOTO = 10002; + private static final int REQUEST_CODE_CROP_PHOTO = 10003; + ++ private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg"; + private static 
final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg"; + private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg"; + private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png"; +@@ -85,6 +88,7 @@ public class EditUserPhotoController { + private final Fragment mFragment; + private final ImageView mImageView; + ++ private final Uri mPreCropPictureUri; + private final Uri mCropPictureUri; + private final Uri mTakePictureUri; + +@@ -96,6 +100,7 @@ public class EditUserPhotoController { + mContext = view.getContext(); + mFragment = fragment; + mImageView = view; ++ mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting); + mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting); + mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting); + mPhotoSize = getPhotoSize(mContext); +@@ -122,7 +127,7 @@ public class EditUserPhotoController { + case REQUEST_CODE_TAKE_PHOTO: + case REQUEST_CODE_CHOOSE_PHOTO: + if (mTakePictureUri.equals(pictureUri)) { +- cropPhoto(); ++ cropPhoto(pictureUri); + } else { + copyAndCropPhoto(pictureUri); + } +@@ -231,7 +236,7 @@ public class EditUserPhotoController { + protected Void doInBackground(Void... 
params) { + final ContentResolver cr = mContext.getContentResolver(); + try (InputStream in = cr.openInputStream(pictureUri); +- OutputStream out = cr.openOutputStream(mTakePictureUri)) { ++ OutputStream out = cr.openOutputStream(mPreCropPictureUri)) { + Streams.copy(in, out); + } catch (IOException e) { + Log.w(TAG, "Failed to copy photo", e); +@@ -242,21 +247,32 @@ public class EditUserPhotoController { + @Override + protected void onPostExecute(Void result) { + if (!mFragment.isAdded()) return; +- cropPhoto(); ++ cropPhoto(mPreCropPictureUri); + } + }.execute(); + } + +- private void cropPhoto() { ++ private void cropPhoto(final Uri pictureUri) { + Intent intent = new Intent(ACTION_CROP); +- intent.setDataAndType(mTakePictureUri, "image/*"); ++ intent.setDataAndType(pictureUri, "image/*"); + appendOutputExtra(intent, mCropPictureUri); + appendCropExtras(intent); +- if (intent.resolveActivity(mContext.getPackageManager()) != null) { +- mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO); +- } else { +- onPhotoCropped(mTakePictureUri, false); ++ if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) { ++ return; ++ } ++ onPhotoCropped(mTakePictureUri, false); ++ } ++ ++ private boolean startSystemActivityForResult(Intent intent, int code) { ++ List resolveInfos = mContext.getPackageManager() ++ .queryIntentActivities(intent, PackageManager.MATCH_SYSTEM_ONLY); ++ if (resolveInfos.isEmpty()) { ++ Log.w(TAG, "No system package activity could be found for code " + code); ++ return false; + } ++ intent.setPackage(resolveInfos.get(0).activityInfo.packageName); ++ mFragment.startActivityForResult(intent, code); ++ return true; + } + + private void appendOutputExtra(Intent intent, Uri pictureUri) { diff --git a/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/349333.patch b/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/349333.patch new file mode 100644 index 00000000..87eafd6b --- /dev/null 
+++ b/Patches/LineageOS-16.0/android_packages_apps_EmergencyInfo/349333.patch 
@@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: James Smith +Date: Tue, 29 Nov 2022 16:00:55 +0000 +Subject: [PATCH] Removes unnecessary permission from the EmergencyInfo app. + +Test: Manually tested EmergencyInfo with multiple users. Adding +contacts, medical info, editing user name and photo and eSos all still +work. + +Bug: 248251018 +Bug: 252995513 +Change-Id: If0da54507db7341c97ff67fedc14a44a67b92289 +Merged-In: I1cdef8dd9a1a0432bbafdfe9e98756dd11cfd092 +(cherry picked from commit 73120eb678baf8285cc69587fbc6da23bab4016a) +Merged-In: If0da54507db7341c97ff67fedc14a44a67b92289 +--- + AndroidManifest.xml | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/AndroidManifest.xml b/AndroidManifest.xml +index e5ce533..650cf73 100644 +--- a/AndroidManifest.xml ++++ b/AndroidManifest.xml +@@ -21,7 +21,6 @@ + + + +- + + +Date: Tue, 10 May 2022 14:09:40 +0000 +Subject: [PATCH] Encode authority part of uri before showing in UI + +As per rfc2396, allowing only characters that are reserved|unreserved|@ +to be in non escaped form, all the other characters will be escaped. +This would cover all the possible characters there can be in valid +authority as per the rfc2396. android.net.Uri conforms to RFC 2396. 
+ +Bug: 221859869 +Test: Manual +Change-Id: Ib4f5431bd80b7f4c72c4414f98d99eeb7ca900ed +Merged-In: Ib4f5431bd80b7f4c72c4414f98d99eeb7ca900ed +(cherry picked from commit 8550c37c186099926ce364b65b61ffbf6ed7958d) +Merged-In: Ib4f5431bd80b7f4c72c4414f98d99eeb7ca900ed +--- + src/com/android/keychain/KeyChainActivity.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/com/android/keychain/KeyChainActivity.java b/src/com/android/keychain/KeyChainActivity.java +index aa50888..6db4855 100644 +--- a/src/com/android/keychain/KeyChainActivity.java ++++ b/src/com/android/keychain/KeyChainActivity.java +@@ -333,7 +333,7 @@ public class KeyChainActivity extends Activity { + Uri uri = getIntent().getParcelableExtra(KeyChain.EXTRA_URI); + if (uri != null) { + String hostMessage = String.format(res.getString(R.string.requesting_server), +- uri.getAuthority()); ++ Uri.encode(uri.getAuthority(), "$,;:@&=+")); + if (contextMessage == null) { + contextMessage = hostMessage; + } else { diff --git a/Patches/LineageOS-16.0/android_packages_apps_Nfc/332762.patch b/Patches/LineageOS-16.0/android_packages_apps_Nfc/332762.patch new file mode 100644 index 00000000..6605d5b8 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Nfc/332762.patch 
@@ -0,0 +1,56 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Fri, 18 Mar 2022 17:13:05 -0700 +Subject: [PATCH] OOB read in phNciNfc_RecvMfResp() + +The size of RspBuff for Mifare shall be at least 2 bytes: +Mifare Req/Rsp Id + Status + +Bug: 221852424 +Test: build ok +Change-Id: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e +(cherry picked from commit f0d86f7fe23499cd4c6631348618463fbc496436) +Merged-In: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e +--- + .../pn54x/src/mifare/phNxpExtns_MifareStd.cpp | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp +index bc87ae40..f5b94225 100644 +--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp ++++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp +@@ -1122,8 +1122,9 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo, + if (NULL == RspBuffInfo) { + status = NFCSTATUS_FAILED; + } else { +- if ((0 == (RspBuffInfo->wLen)) || (PH_NCINFC_STATUS_OK != wStatus) || +- (NULL == (RspBuffInfo->pBuff))) { ++ if (((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) > ++ RspBuffInfo->wLen) || ++ (PH_NCINFC_STATUS_OK != wStatus) || (NULL == (RspBuffInfo->pBuff))) { + status = NFCSTATUS_FAILED; + } else { + RecvdExtnRspId = (phNciNfc_ExtnRespId_t)RspBuffInfo->pBuff[0]; +@@ -1137,10 +1138,6 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo, + NdefMap->State == PH_FRINFC_NDEFMAP_STATE_WRITE || + NdefMap->State == PH_FRINFC_NDEFMAP_STATE_WR_NDEF_LEN || + NdefMap->State == PH_FRINFC_NDEFMAP_STATE_INIT)) { +- if (2 > RspBuffInfo->wLen) { +- android_errorWriteLog(0x534e4554, "181346550"); +- return NFCSTATUS_FAILED; +- } + uint8_t rspAck = RspBuffInfo->pBuff[RspBuffInfo->wLen - 2]; + uint8_t rspAckMask = ((RspBuffInfo->pBuff[RspBuffInfo->wLen - 1]) & + MAX_NUM_VALID_BITS_FOR_ACK); +@@ 
-1154,11 +1151,6 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo, + status = NFCSTATUS_SUCCESS; + uint16_t wRecvDataSz = 0; + +- if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) > +- RspBuffInfo->wLen) { +- android_errorWriteLog(0x534e4554, "181346550"); +- return NFCSTATUS_FAILED; +- } + /* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */ + wPldDataSize = ((RspBuffInfo->wLen) - + (PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE)); diff --git a/Patches/LineageOS-16.0/android_packages_apps_Nfc/347043.patch b/Patches/LineageOS-16.0/android_packages_apps_Nfc/347043.patch new file mode 100644 index 00000000..0c9be8be --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Nfc/347043.patch @@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Wed, 26 Oct 2022 14:03:48 -0700 +Subject: [PATCH] DO NOT MERGE OOBW in Mfc_Transceive() + +Bug: 241387741 +Test: build ok +Change-Id: Idf45b940ac21eeb4cf09c222988bfce22b0bef55 +(cherry picked from commit f5f24d0ea2bcc33f18915c4c7369f803c45e53b0) +Merged-In: Idf45b940ac21eeb4cf09c222988bfce22b0bef55 +--- + nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp +index f5b94225..7c0a6777 100644 +--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp ++++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp +@@ -999,6 +999,11 @@ NFCSTATUS Mfc_Transceive(uint8_t* p_data, uint32_t len) { + return status; + } + ++ if (len > (MAX_BUFF_SIZE * 2)) { ++ android_errorWriteLog(0x534e4554, "241387741"); ++ return status; ++ } ++ + gphNxpExtns_Context.RawWriteCallBack = false; + gphNxpExtns_Context.CallBackMifare = NULL; + gphNxpExtns_Context.CallBackCtxt = NdefMap; 
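Review bot: The merged length check at the top of `phNciNfc_RecvMfResp` sets `status = NFCSTATUS_FAILED` without logging, whereas both checks it replaces called `android_errorWriteLog(0x534e4554, "181346550")` before returning. If that log entry is used to notice malformed Mifare responses, undersized buffers now go unreported. Giving the length test its own branch that logs before setting `status = NFCSTATUS_FAILED;` would keep the signal while still rejecting early. The function starts before and continues after the hunks shown.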
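Review bot: The new bound check in `Mfc_Transceive` returns `status`, whose value at that point is assigned outside the hunk, so the rejection only reports failure if `status` still holds an error code there. Writing `return NFCSTATUS_FAILED;` would make the outcome explicit and independent of earlier code. A short comment on why the limit is `MAX_BUFF_SIZE * 2` (presumably the size of the destination buffer; confirm) would also help, since the commit message gives no rationale.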
diff --git a/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/344181.patch b/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/344181.patch new file mode 100644 index 00000000..6c7e9c44 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_PackageInstaller/344181.patch 
@@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Evan Severson +Date: Tue, 30 Nov 2021 18:19:18 -0800 +Subject: [PATCH] Hide overlays on ReviewPermissionsAtivity + +Test: atest PermissionReviewTapjackingTest +Bug: 176094367 +Merged-In: I9f263b947853e14d081a73ce907917e9326b6ef7 +Change-Id: I9f263b947853e14d081a73ce907917e9326b6ef7 +(cherry picked from commit 725244f010c9c5ed5b169c2ec00600864fce38ab) +Merged-In: I9f263b947853e14d081a73ce907917e9326b6ef7 +--- + .../permission/ui/ReviewPermissionsActivity.java | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java b/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java +index 4caf4ce8a..81d9d7c4c 100644 +--- a/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java ++++ b/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java +@@ -24,6 +24,8 @@ import android.content.pm.PackageInfo; + import android.content.pm.PackageManager; + import android.os.Bundle; + import android.text.TextUtils; ++import android.view.WindowManager; ++ + import com.android.packageinstaller.DeviceUtils; + import com.android.packageinstaller.R; + import com.android.packageinstaller.permission.ui.handheld.ReviewPermissionsFragment; +@@ -37,6 +39,9 @@ public final class ReviewPermissionsActivity extends Activity + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); + ++ getWindow().addPrivateFlags( ++ WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + PackageInfo packageInfo = getTargetPackageInfo(); + if (packageInfo == null) { + finish(); diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/330960.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/330960.patch new file mode 100644 index 00000000..e476cb0f --- /dev/null 
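Review bot: The `getWindow().addPrivateFlags(...)` call added to `onCreate` carries no comment, so the reason for it is only recoverable from the commit subject and the test name `PermissionReviewTapjackingTest`. A one-line comment such as `// Hide non-system overlay windows while permissions are reviewed so another app cannot cover this screen (tapjacking)` would keep the intent next to the code. `onCreate` continues past the end of the hunk.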
+++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/330960.patch 
@@ -0,0 +1,99 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: lucaslin +Date: Wed, 9 Mar 2022 10:52:43 +0800 +Subject: [PATCH] Hide private DNS settings UI in Guest mode + +Hide private DNS settings UI in Guest mode to prevent guest +users modifying global private DNS settings. + +Bug: 206987762 +Test: 1. make RunSettingsRoboTests \ + ROBOTEST_FILTER=PrivateDnsPreferenceControllerTest + 2. Switch to Guest user and check if the private DNS UI is + hidden or not. +Change-Id: Iebfb8684da3be32110decd9e8447dd07b1c40387 +(cherry picked from commit 52e863b5a212889d4f8cb89a4028c42af59c9327) +Merged-In: Iebfb8684da3be32110decd9e8447dd07b1c40387 +--- + .../PrivateDnsPreferenceController.java | 3 +++ + .../PrivateDnsPreferenceControllerTest.java | 18 ++++++++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/src/com/android/settings/network/PrivateDnsPreferenceController.java b/src/com/android/settings/network/PrivateDnsPreferenceController.java +index 6f385696733..825ffd66f1a 100644 +--- a/src/com/android/settings/network/PrivateDnsPreferenceController.java ++++ b/src/com/android/settings/network/PrivateDnsPreferenceController.java +@@ -34,6 +34,7 @@ import android.net.Network; + import android.net.Uri; + import android.os.Handler; + import android.os.Looper; ++import android.os.UserManager; + import android.provider.Settings; + import android.support.v7.preference.Preference; + import android.support.v7.preference.PreferenceScreen; +@@ -79,6 +80,8 @@ public class PrivateDnsPreferenceController extends BasePreferenceController + + @Override + public int getAvailabilityStatus() { ++ final UserManager userManager = mContext.getSystemService(UserManager.class); ++ if (userManager.isGuestUser()) return DISABLED_FOR_USER; + return AVAILABLE; + } + +diff --git a/tests/robotests/src/com/android/settings/network/PrivateDnsPreferenceControllerTest.java 
b/tests/robotests/src/com/android/settings/network/PrivateDnsPreferenceControllerTest.java +index a63645ba059..ca1dcaaa6e2 100644 +--- a/tests/robotests/src/com/android/settings/network/PrivateDnsPreferenceControllerTest.java ++++ b/tests/robotests/src/com/android/settings/network/PrivateDnsPreferenceControllerTest.java +@@ -24,6 +24,9 @@ import static android.net.ConnectivityManager.PRIVATE_DNS_MODE_PROVIDER_HOSTNAME + import static android.provider.Settings.Global.PRIVATE_DNS_DEFAULT_MODE; + import static android.provider.Settings.Global.PRIVATE_DNS_MODE; + import static android.provider.Settings.Global.PRIVATE_DNS_SPECIFIER; ++import static com.android.settings.core.BasePreferenceController.AVAILABLE; ++import static com.android.settings.core.BasePreferenceController.DISABLED_FOR_USER; ++ + import static com.google.common.truth.Truth.assertThat; + import static org.mockito.ArgumentMatchers.nullable; + import static org.mockito.Matchers.any; +@@ -31,6 +34,7 @@ import static org.mockito.Matchers.anyString; + import static org.mockito.Mockito.CALLS_REAL_METHODS; + import static org.mockito.Mockito.atLeastOnce; + import static org.mockito.Mockito.doNothing; ++import static org.mockito.Mockito.doReturn; + import static org.mockito.Mockito.mock; + import static org.mockito.Mockito.reset; + import static org.mockito.Mockito.spy; +@@ -96,6 +100,8 @@ public class PrivateDnsPreferenceControllerTest { + private Network mNetwork; + @Mock + private Preference mPreference; ++ @Mock ++ private UserManager mUserManager; + @Captor + private ArgumentCaptor mCallbackCaptor; + private PrivateDnsPreferenceController mController; +@@ -113,6 +119,7 @@ public class PrivateDnsPreferenceControllerTest { + mShadowContentResolver = Shadow.extract(mContentResolver); + when(mContext.getSystemService(Context.CONNECTIVITY_SERVICE)) + .thenReturn(mConnectivityManager); ++ when(mContext.getSystemService(UserManager.class)).thenReturn(mUserManager); + 
doNothing().when(mConnectivityManager).registerDefaultNetworkCallback( + mCallbackCaptor.capture(), nullable(Handler.class)); + +@@ -146,6 +153,17 @@ public class PrivateDnsPreferenceControllerTest { + nc.onLinkPropertiesChanged(mNetwork, lp); + } + ++ @Test ++ public void getAvailibilityStatus_availableByDefault() { ++ assertThat(mController.getAvailabilityStatus()).isEqualTo(AVAILABLE); ++ } ++ ++ @Test ++ public void getAvailabilityStatus_disabledForGuestUser() { ++ doReturn(true).when(mUserManager).isGuestUser(); ++ assertThat(mController.getAvailabilityStatus()).isEqualTo(DISABLED_FOR_USER); ++ } ++ + @Test + public void goThroughLifecycle_shouldRegisterUnregisterSettingsObserver() { + mLifecycle.handleLifecycleEvent(ON_START); diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/332763.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/332763.patch new file mode 100644 index 00000000..e6b8a38d --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/332763.patch 
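Review bot: `getAvailabilityStatus()` only hides the preference for guest users, while the commit message states the goal as preventing guests from modifying the global private DNS setting; nothing in these hunks restricts the write path itself. If enforcement exists elsewhere it is not visible here, so it is worth confirming that a guest cannot change the setting through another entry point. Separately, the result of `mContext.getSystemService(UserManager.class)` is dereferenced without a null check, and the test name `getAvailibilityStatus_availableByDefault` is misspelled next to `getAvailabilityStatus_disabledForGuestUser`.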
@@ -0,0 +1,133 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Oli Lan +Date: Fri, 25 Feb 2022 15:22:27 +0000 +Subject: [PATCH] Prevent exfiltration of system files via user image settings. + +This is a backport of ag/17005706. + +This adds mitigations to prevent system files being exfiltrated +via the settings content provider when a content URI is provided +as a chosen user image. + +The mitigations are: + +1) Copy the image to a new URI rather than the existing takePictureUri +prior to cropping. + +2) Only allow a system handler to respond to the CROP intent. + +Bug: 187702830 +Test: build and check functionality +Change-Id: Ia6314b6810afb5efa0329f3eeaee9ccfff791966 +Merged-In: I15e15ad88b768a5b679de32c5429d921d850a3cb +(cherry picked from commit 8950a9002402de6e1218bab3da52868a51104a95) +Merged-In: Ia6314b6810afb5efa0329f3eeaee9ccfff791966 +--- + .../users/EditUserPhotoController.java | 42 +++++++++++++------ + 1 file changed, 29 insertions(+), 13 deletions(-) + +diff --git a/src/com/android/settings/users/EditUserPhotoController.java b/src/com/android/settings/users/EditUserPhotoController.java +index 0f67b181de3..cdf392b9df0 100644 +--- a/src/com/android/settings/users/EditUserPhotoController.java ++++ b/src/com/android/settings/users/EditUserPhotoController.java +@@ -22,6 +22,7 @@ import android.content.ClipData; + import android.content.ContentResolver; + import android.content.Context; + import android.content.Intent; ++import android.content.pm.ActivityInfo; + import android.content.pm.PackageManager; + import android.database.Cursor; + import android.graphics.Bitmap; +@@ -75,6 +76,7 @@ public class EditUserPhotoController { + private static final int REQUEST_CODE_TAKE_PHOTO = 1002; + private static final int REQUEST_CODE_CROP_PHOTO = 1003; + ++ private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg"; + private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg"; + private 
static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg"; + private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png"; +@@ -85,6 +87,7 @@ public class EditUserPhotoController { + private final Fragment mFragment; + private final ImageView mImageView; + ++ private final Uri mPreCropPictureUri; + private final Uri mCropPictureUri; + private final Uri mTakePictureUri; + +@@ -96,6 +99,8 @@ public class EditUserPhotoController { + mContext = view.getContext(); + mFragment = fragment; + mImageView = view; ++ ++ mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting); + mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting); + mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting); + mPhotoSize = getPhotoSize(mContext); +@@ -130,7 +135,7 @@ public class EditUserPhotoController { + case REQUEST_CODE_TAKE_PHOTO: + case REQUEST_CODE_CHOOSE_PHOTO: + if (mTakePictureUri.equals(pictureUri)) { +- cropPhoto(); ++ cropPhoto(pictureUri); + } else { + copyAndCropPhoto(pictureUri); + } +@@ -239,7 +244,7 @@ public class EditUserPhotoController { + protected Void doInBackground(Void... params) { + final ContentResolver cr = mContext.getContentResolver(); + try (InputStream in = cr.openInputStream(pictureUri); +- OutputStream out = cr.openOutputStream(mTakePictureUri)) { ++ OutputStream out = cr.openOutputStream(mPreCropPictureUri)) { + Streams.copy(in, out); + } catch (IOException e) { + Log.w(TAG, "Failed to copy photo", e); +@@ -250,27 +255,38 @@ public class EditUserPhotoController { + @Override + protected void onPostExecute(Void result) { + if (!mFragment.isAdded()) return; +- cropPhoto(); ++ cropPhoto(mPreCropPictureUri); + } + }.execute(); + } + +- private void cropPhoto() { ++ private void cropPhoto(final Uri pictureUri) { + // TODO: Use a public intent, when there is one. 
+ Intent intent = new Intent("com.android.camera.action.CROP"); +- intent.setDataAndType(mTakePictureUri, "image/*"); ++ intent.setDataAndType(pictureUri, "image/*"); + appendOutputExtra(intent, mCropPictureUri); + appendCropExtras(intent); +- if (intent.resolveActivity(mContext.getPackageManager()) != null) { +- try { +- StrictMode.disableDeathOnFileUriExposure(); +- mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO); +- } finally { +- StrictMode.enableDeathOnFileUriExposure(); ++ try { ++ StrictMode.disableDeathOnFileUriExposure(); ++ if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) { ++ return; + } +- } else { +- onPhotoCropped(mTakePictureUri, false); ++ } finally { ++ StrictMode.enableDeathOnFileUriExposure(); ++ } ++ onPhotoCropped(mTakePictureUri, false); ++ } ++ ++ private boolean startSystemActivityForResult(Intent intent, int code) { ++ ActivityInfo info = intent.resolveActivityInfo(mContext.getPackageManager(), ++ PackageManager.MATCH_SYSTEM_ONLY); ++ if (info == null) { ++ Log.w(TAG, "No system package activity could be found for code " + code); ++ return false; + } ++ intent.setPackage(info.packageName); ++ mFragment.startActivityForResult(intent, code); ++ return true; + } + + private void appendOutputExtra(Intent intent, Uri pictureUri) { diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/334265.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/334265.patch new file mode 100644 index 00000000..5fa0ff7b --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/334265.patch 
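Review bot: The no-handler fallback at the end of the new `cropPhoto(final Uri pictureUri)` still calls `onPhotoCropped(mTakePictureUri, false)`, although a chosen image is now copied to `mPreCropPictureUri` in `doInBackground`. When no system CROP activity resolves, that fallback appears to read a file the copy never wrote, so it should use the parameter: `onPhotoCropped(pictureUri, false);`. The same line is present in the re-applied version in 345911.patch. `onPhotoCropped` is defined outside the hunk, so its handling of the URI should be confirmed.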
@@ -0,0 +1,39 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Edgar Wang +Date: Wed, 6 Apr 2022 17:30:27 +0800 +Subject: [PATCH] Fix LaunchAnyWhere in AppRestrictionsFragment + +If the intent's package equals to the app's package, this intent +will be allowed to startActivityForResult. +But this check is unsafe, because if the component of this intent +is set, the package field will just be ignored. So if we set the +component to any activity we like and set package to the app's +package, it will pass the assertSafeToStartCustomActivity check +and now we can launch anywhere. + +Bug: 223578534 +Test: robotest and manual verify +Change-Id: I40496105bae313fe5cff2a36dfe329c1e2b5bbe4 +(cherry picked from commit 90e095dbe372f29823ad4788c0cc2d781ae3bb24) +(cherry picked from commit b3eecdd13d9f3d9fde99e9881c9e451ff199f7ad) +Merged-In: I40496105bae313fe5cff2a36dfe329c1e2b5bbe4 +--- + src/com/android/settings/users/AppRestrictionsFragment.java | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java +index 10d714401e9..bf0f3da8d00 100644 +--- a/src/com/android/settings/users/AppRestrictionsFragment.java ++++ b/src/com/android/settings/users/AppRestrictionsFragment.java +@@ -654,10 +654,7 @@ public class AppRestrictionsFragment extends SettingsPreferenceFragment implemen + } + + private void assertSafeToStartCustomActivity(Intent intent) { +- // Activity can be started if it belongs to the same app +- if (intent.getPackage() != null && intent.getPackage().equals(packageName)) { +- return; +- } ++ EventLog.writeEvent(0x534e4554, "223578534", -1 /* UID */, ""); + ResolveInfo resolveInfo = mPackageManager.resolveActivity( + intent, PackageManager.MATCH_DEFAULT_ONLY); + 
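Review bot: The added `EventLog.writeEvent(0x534e4554, "223578534", -1 /* UID */, "")` sits at the top of `assertSafeToStartCustomActivity`, so it is written on every call rather than only when an intent is rejected. Anyone alerting on this event cannot tell a normal restriction-intent launch from a blocked attempt; a comment such as `// Logged on every call for b/223578534, not only on rejection; see the resolveActivity check below` would make that explicit. The diffstat shows one insertion and no import, so `android.util.EventLog` is presumably already imported in the file. The rest of the method lies outside the hunk.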
diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/335111.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/335111.patch
new file mode 100644
index 00000000..ae3baed6
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/335111.patch
@@ -0,0 +1,54 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Arc Wang +Date: Fri, 6 May 2022 17:42:30 +0800 +Subject: [PATCH] Verify ringtone from ringtone picker is audio + +To improve privacy. + +Bug: 221041256 +Test: atest com.android.settings.DefaultRingtonePreferenceTest +Change-Id: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d +Merged-In: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d +(cherry picked from commit e4c22580c9a66a3d5523782c2daa707531210227) +(cherry picked from commit 640eab60f2baa9052d395fccd4a0324103ad6c7a) +Merged-In: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d +--- + .../settings/DefaultRingtonePreference.java | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java +index 9f9f832b100..751eb8c8e7c 100644 +--- a/src/com/android/settings/DefaultRingtonePreference.java ++++ b/src/com/android/settings/DefaultRingtonePreference.java +@@ -22,6 +22,7 @@ import android.content.Intent; + import android.media.RingtoneManager; + import android.net.Uri; + import android.util.AttributeSet; ++import android.util.Log; + + public class DefaultRingtonePreference extends RingtonePreference { + private static final String TAG = "DefaultRingtonePreference"; +@@ -43,6 +44,23 @@ public class DefaultRingtonePreference extends RingtonePreference { + + @Override + protected void onSaveRingtone(Uri ringtoneUri) { ++ String mimeType = getContext().getContentResolver().getType(ringtoneUri); ++ if (mimeType == null) { ++ Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri ++ + " ignored: failure to find mimeType (no access from this context?)"); ++ return; ++ } ++ ++ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) { ++ Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri ++ + " ignored: associated mimeType:" + mimeType + " is not an audio type"); ++ return; ++ } ++ ++ 
setActualDefaultRingtoneUri(ringtoneUri); ++ } ++ ++ void setActualDefaultRingtoneUri(Uri ringtoneUri) { + RingtoneManager.setActualDefaultRingtoneUri(mUserContext, getRingtoneType(), ringtoneUri); + } + diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/335112.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/335112.patch new file mode 100644 index 00000000..289d3c1b --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/335112.patch 
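Review bot: The new check in `onSaveRingtone` accepts the URI on the strength of `ContentResolver.getType()`, which is whatever the owning provider declares rather than a property of the data behind the URI. It is worth saying so next to the check, e.g. `// getType() is provider-declared; this filters by declared MIME type only`, so later readers do not treat it as content validation. Both `Log.e` calls also write the full `ringtoneUri` to the log; logging only the authority would carry less user data. As added here the method calls `getType(ringtoneUri)` without a null guard and through `getContext()`; 335114.patch and 335115.patch in this series change both, so this patch should not be applied without them.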
@@ -0,0 +1,61 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hugh Chen +Date: Tue, 10 May 2022 09:39:12 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Make bluetooth not discoverable via + SliceDeepLinkTrampoline + +- Don't let device be discovered when the user launch "Connected Devices + settings" through SliceDeepLinkTrampoline. + +Bug: 228450811 +Test: make -j42 RunSettingsRoboTests and use test apk to manually test +to verify the device is not discoversable when open "Connected settings" +through test apk. + +Change-Id: I5490b58675b1fd9fc36305766867f65caa6ccb6c +(cherry picked from commit 205752dcf2062eb3deeb7f3b7d1eb8af7d8b2634) +(cherry picked from commit 06139d3ffc37cb4b7974f95ccf08512c6fcad26d) +Merged-In: I5490b58675b1fd9fc36305766867f65caa6ccb6c +--- + .../ConnectedDeviceDashboardFragment.java | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/src/com/android/settings/connecteddevice/ConnectedDeviceDashboardFragment.java b/src/com/android/settings/connecteddevice/ConnectedDeviceDashboardFragment.java +index 241648c3a09..432e0eea365 100644 +--- a/src/com/android/settings/connecteddevice/ConnectedDeviceDashboardFragment.java ++++ b/src/com/android/settings/connecteddevice/ConnectedDeviceDashboardFragment.java +@@ -44,6 +44,7 @@ public class ConnectedDeviceDashboardFragment extends DashboardFragment { + private static final String SETTINGS_PACKAGE_NAME = "com.android.settings"; + private static final String SYSTEMUI_PACKAGE_NAME = "com.android.systemui"; + private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG); ++ private static final String SLICE_ACTION = "com.android.settings.SEARCH_RESULT_TRAMPOLINE"; + + @VisibleForTesting + static final String KEY_CONNECTED_DEVICES = "connected_device_list"; +@@ -94,15 +95,23 @@ public class ConnectedDeviceDashboardFragment extends DashboardFragment { + super.onAttach(context); + + String callingAppPackageName = 
getCallingAppPackageName(getActivity().getActivityToken()); ++ String action = getIntent() != null ? getIntent().getAction() : ""; + if (DEBUG) { +- Log.d(TAG, "onAttach() calling package name is : " + callingAppPackageName); ++ Log.d(TAG, "onAttach() calling package name is : " + callingAppPackageName ++ + ", action : " + action); + } + use(AvailableMediaDeviceGroupController.class).init(this); + use(ConnectedDeviceGroupController.class).init(this); + use(PreviouslyConnectedDevicePreferenceController.class).init(this); + use(DiscoverableFooterPreferenceController.class).init(this, +- TextUtils.equals(SETTINGS_PACKAGE_NAME, callingAppPackageName) +- || TextUtils.equals(SYSTEMUI_PACKAGE_NAME, callingAppPackageName)); ++ isAlwaysDiscoverable(callingAppPackageName, action)); ++ } ++ ++ @VisibleForTesting ++ boolean isAlwaysDiscoverable(String callingAppPackageName, String action) { ++ return TextUtils.equals(SLICE_ACTION, action) ? false ++ : TextUtils.equals(SETTINGS_PACKAGE_NAME, callingAppPackageName) ++ || TextUtils.equals(SYSTEMUI_PACKAGE_NAME, callingAppPackageName); + } + + private String getCallingAppPackageName(IBinder activityToken) { diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/335113.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/335113.patch new file mode 100644 index 00000000..290dd32f --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/335113.patch 
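Review bot: `isAlwaysDiscoverable` writes its result as `cond ? false : (a || b)`, which hides the fact that the slice action is simply a veto on the package check. `return !TextUtils.equals(SLICE_ACTION, action) && (TextUtils.equals(SETTINGS_PACKAGE_NAME, callingAppPackageName) || TextUtils.equals(SYSTEMUI_PACKAGE_NAME, callingAppPackageName));` behaves the same and makes the precedence explicit. The constant is named `SLICE_ACTION` while its value is `com.android.settings.SEARCH_RESULT_TRAMPOLINE`; a one-line comment on why that action identifies the SliceDeepLinkTrampoline path would help. In `onAttach` a null intent yields `""` while `getAction()` itself can return null; `TextUtils.equals` tolerates both, but the debug log will print them differently.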
@@ -0,0 +1,109 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Lin Yuan +Date: Tue, 31 May 2022 19:13:41 -0400 +Subject: [PATCH] RESTRICT AUTOMERGE Fix: policy enforcement for location wifi + scanning + +Make DISALLOW_CONFIG_LOCATION effectively disallow wifi scanning and +bluetooth scanning settings for location services. + +screenshots: https://screenshot.googleplex.com/49nR5HQ8g5bgNVq + +Bug: 228315522 +Bug: 228315529 +Test: on device +Change-Id: I92b22567011c32f0874bcecb3898ef678bb549a1 +(cherry picked from commit 9eff8f7a8d5140a4b674fa09cf333dce07fde76c) +Merged-In: I92b22567011c32f0874bcecb3898ef678bb549a1 +--- + res/xml/location_scanning.xml | 4 ++-- + .../BluetoothScanningPreferenceController.java | 10 ++++++++++ + .../location/WifiScanningPreferenceController.java | 10 ++++++++++ + 3 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/res/xml/location_scanning.xml b/res/xml/location_scanning.xml +index 5e7bd244520..f4847681150 100644 +--- a/res/xml/location_scanning.xml ++++ b/res/xml/location_scanning.xml +@@ -18,13 +18,13 @@ + android:title="@string/location_scanning_screen_title" + android:key="scanning_screen"> + +- + +- +Date: Mon, 16 May 2022 14:36:19 +0800 +Subject: [PATCH] Fix Settings crash when setting a null ringtone + +Ringtone picker may callback a null ringtone Uri +if users select None. + +This change pass null ringtone Uri to RingtoneManager +and return. 
+ +Bug: 232502532 +Bug: 221041256 +Test: maunal + Settings - Sound & Vibration -> Phone ringtone + -> My Sounds -> None +Change-Id: I044b680871472a3c272f6264c4ef272df542112e +Merged-In: I044b680871472a3c272f6264c4ef272df542112e +(cherry picked from commit d94b73b3041614a5ff57c7745f50f235bf6c7783) +Merged-In: I044b680871472a3c272f6264c4ef272df542112e +--- + src/com/android/settings/DefaultRingtonePreference.java | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java +index 751eb8c8e7c..226cde693b1 100644 +--- a/src/com/android/settings/DefaultRingtonePreference.java ++++ b/src/com/android/settings/DefaultRingtonePreference.java +@@ -44,6 +44,11 @@ public class DefaultRingtonePreference extends RingtonePreference { + + @Override + protected void onSaveRingtone(Uri ringtoneUri) { ++ if (ringtoneUri == null) { ++ setActualDefaultRingtoneUri(ringtoneUri); ++ return; ++ } ++ + String mimeType = getContext().getContentResolver().getType(ringtoneUri); + if (mimeType == null) { + Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/335115.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/335115.patch new file mode 100644 index 00000000..7297859a --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/335115.patch 
@@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tsung-Mao Fang +Date: Fri, 27 May 2022 15:52:30 +0800 +Subject: [PATCH] Fix can't change notification sound for work profile. + +Use correct user id context to query the type, +so we won't get empty result unexpectedly. + +If we get the null result, then we won't set sound sucessfully. + +Bug: 233580016 +Bug: 221041256 +Test: Manual test and set work profile sound works. +Change-Id: I7f8fb737a7c6f77a380f3f075a5c89a1970e39ad +Merged-In: I7f8fb737a7c6f77a380f3f075a5c89a1970e39ad +(cherry picked from commit edf44161770a8d3aa5105b51d701c3abdae1776e) +Merged-In: I7f8fb737a7c6f77a380f3f075a5c89a1970e39ad +--- + src/com/android/settings/DefaultRingtonePreference.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java +index 226cde693b1..f3eeff9df25 100644 +--- a/src/com/android/settings/DefaultRingtonePreference.java ++++ b/src/com/android/settings/DefaultRingtonePreference.java +@@ -49,7 +49,7 @@ public class DefaultRingtonePreference extends RingtonePreference { + return; + } + +- String mimeType = getContext().getContentResolver().getType(ringtoneUri); ++ String mimeType = mUserContext.getContentResolver().getType(ringtoneUri); + if (mimeType == null) { + Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri + + " ignored: failure to find mimeType (no access from this context?)"); diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/335116.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/335116.patch new file mode 100644 index 00000000..902935fa --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/335116.patch 
@@ -0,0 +1,94 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Raphael Kim +Date: Fri, 22 Apr 2022 00:40:06 +0000 +Subject: [PATCH] Extract app label from component name in notification access + confirmation UI + +Bug: 228178437 +Test: Manually tested on POC +Change-Id: I8613d9b87a53d4641c0689bca9c961c66a2e9415 +Merged-In: I8613d9b87a53d4641c0689bca9c961c66a2e9415 +(cherry picked from commit 8d749c55f4efd6b2e514d90204667ffa804eb0f9) +Merged-In: I8613d9b87a53d4641c0689bca9c961c66a2e9415 +--- + ...otificationAccessConfirmationActivity.java | 36 ++++++++++++++++--- + 1 file changed, 31 insertions(+), 5 deletions(-) + +diff --git a/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java b/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java +index 8cef33e6fff..0465386f630 100644 +--- a/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java ++++ b/src/com/android/settings/notification/NotificationAccessConfirmationActivity.java +@@ -21,8 +21,6 @@ import static android.view.WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYST + + import static com.android.internal.notification.NotificationAccessConfirmationActivityContract + .EXTRA_COMPONENT_NAME; +-import static com.android.internal.notification.NotificationAccessConfirmationActivityContract +- .EXTRA_PACKAGE_TITLE; + import static com.android.internal.notification.NotificationAccessConfirmationActivityContract + .EXTRA_USER_ID; + +@@ -33,10 +31,13 @@ import android.app.NotificationManager; + import android.content.ComponentName; + import android.content.Context; + import android.content.DialogInterface; ++import android.content.pm.ApplicationInfo; ++import android.content.pm.PackageItemInfo; + import android.content.pm.PackageManager; + import android.content.pm.ServiceInfo; + import android.os.Bundle; + import android.os.UserHandle; ++import android.text.TextUtils; + import android.util.Slog; + import 
android.view.WindowManager; + import android.view.accessibility.AccessibilityEvent; +@@ -52,6 +53,8 @@ public class NotificationAccessConfirmationActivity extends Activity + private static final boolean DEBUG = false; + private static final String LOG_TAG = "NotificationAccessConfirmationActivity"; + ++ private static final float DEFAULT_MAX_LABEL_SIZE_PX = 500f; ++ + private int mUserId; + private ComponentName mComponentName; + private NotificationManager mNm; +@@ -66,15 +69,38 @@ public class NotificationAccessConfirmationActivity extends Activity + + mComponentName = getIntent().getParcelableExtra(EXTRA_COMPONENT_NAME); + mUserId = getIntent().getIntExtra(EXTRA_USER_ID, UserHandle.USER_NULL); +- String pkgTitle = getIntent().getStringExtra(EXTRA_PACKAGE_TITLE); ++ CharSequence mAppLabel; ++ ++ if (mComponentName == null || mComponentName.getPackageName() == null) { ++ finish(); ++ return; ++ } ++ ++ try { ++ ApplicationInfo applicationInfo = getPackageManager().getApplicationInfo( ++ mComponentName.getPackageName(), 0); ++ mAppLabel = applicationInfo.loadSafeLabel(getPackageManager(), ++ DEFAULT_MAX_LABEL_SIZE_PX, ++ PackageItemInfo.SAFE_LABEL_FLAG_TRIM ++ | PackageItemInfo.SAFE_LABEL_FLAG_FIRST_LINE); ++ } catch (PackageManager.NameNotFoundException e) { ++ Slog.e(LOG_TAG, "Couldn't find app with package name for " + mComponentName, e); ++ finish(); ++ return; ++ } ++ ++ if (TextUtils.isEmpty(mAppLabel)) { ++ finish(); ++ return; ++ } + + AlertController.AlertParams p = new AlertController.AlertParams(this); + p.mTitle = getString( + R.string.notification_listener_security_warning_title, +- pkgTitle); ++ mAppLabel); + p.mMessage = getString( + R.string.notification_listener_security_warning_summary, +- pkgTitle); ++ mAppLabel); + p.mPositiveButtonText = getString(R.string.allow); + p.mPositiveButtonListener = (a, b) -> onAllow(); + p.mNegativeButtonText = getString(R.string.deny); 
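Review bot: The label is loaded with `getPackageManager().getApplicationInfo(mComponentName.getPackageName(), 0)`, that is, for the user the activity runs as, while `mUserId` is read from `EXTRA_USER_ID` just above and is not used in the lookup. If the request can target a different user than the one showing the dialog, the title could describe another user's install of the package or end in `NameNotFoundException`; the hunk does not settle this, so a comment stating which user the label is resolved for would help. The local is also named `mAppLabel`, which carries the member-field prefix; `appLabel` would read as a local. `onCreate` starts and continues outside the hunk.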
diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/345910.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/345910.patch
new file mode 100644
index 00000000..188e7712
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/345910.patch
@@ -0,0 +1,123 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Oli Lan +Date: Wed, 27 Jul 2022 17:17:51 +0000 +Subject: [PATCH] Revert "Prevent exfiltration of system files via user image + settings." + +This reverts commit 8950a9002402de6e1218bab3da52868a51104a95. + +Reason for revert: regression if multiple crop system crop handlers are present + +Change-Id: Ib83dbb2f1109d26b7e85192379291bffef187e77 +Merged-In: I15e15ad88b768a5b679de32c5429d921d850a3cb +(cherry picked from commit c0742e745da55452a412b4bb7bd28c5ecf3a8cb2) +Merged-In: Ib83dbb2f1109d26b7e85192379291bffef187e77 +--- + .../users/EditUserPhotoController.java | 42 ++++++------------- + 1 file changed, 13 insertions(+), 29 deletions(-) + +diff --git a/src/com/android/settings/users/EditUserPhotoController.java b/src/com/android/settings/users/EditUserPhotoController.java +index cdf392b9df0..0f67b181de3 100644 +--- a/src/com/android/settings/users/EditUserPhotoController.java ++++ b/src/com/android/settings/users/EditUserPhotoController.java +@@ -22,7 +22,6 @@ import android.content.ClipData; + import android.content.ContentResolver; + import android.content.Context; + import android.content.Intent; +-import android.content.pm.ActivityInfo; + import android.content.pm.PackageManager; + import android.database.Cursor; + import android.graphics.Bitmap; +@@ -76,7 +75,6 @@ public class EditUserPhotoController { + private static final int REQUEST_CODE_TAKE_PHOTO = 1002; + private static final int REQUEST_CODE_CROP_PHOTO = 1003; + +- private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg"; + private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg"; + private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg"; + private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png"; +@@ -87,7 +85,6 @@ public class EditUserPhotoController { + private final Fragment mFragment; + private final ImageView 
mImageView; + +- private final Uri mPreCropPictureUri; + private final Uri mCropPictureUri; + private final Uri mTakePictureUri; + +@@ -99,8 +96,6 @@ public class EditUserPhotoController { + mContext = view.getContext(); + mFragment = fragment; + mImageView = view; +- +- mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting); + mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting); + mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting); + mPhotoSize = getPhotoSize(mContext); +@@ -135,7 +130,7 @@ public class EditUserPhotoController { + case REQUEST_CODE_TAKE_PHOTO: + case REQUEST_CODE_CHOOSE_PHOTO: + if (mTakePictureUri.equals(pictureUri)) { +- cropPhoto(pictureUri); ++ cropPhoto(); + } else { + copyAndCropPhoto(pictureUri); + } +@@ -244,7 +239,7 @@ public class EditUserPhotoController { + protected Void doInBackground(Void... params) { + final ContentResolver cr = mContext.getContentResolver(); + try (InputStream in = cr.openInputStream(pictureUri); +- OutputStream out = cr.openOutputStream(mPreCropPictureUri)) { ++ OutputStream out = cr.openOutputStream(mTakePictureUri)) { + Streams.copy(in, out); + } catch (IOException e) { + Log.w(TAG, "Failed to copy photo", e); +@@ -255,38 +250,27 @@ public class EditUserPhotoController { + @Override + protected void onPostExecute(Void result) { + if (!mFragment.isAdded()) return; +- cropPhoto(mPreCropPictureUri); ++ cropPhoto(); + } + }.execute(); + } + +- private void cropPhoto(final Uri pictureUri) { ++ private void cropPhoto() { + // TODO: Use a public intent, when there is one. 
+ Intent intent = new Intent("com.android.camera.action.CROP"); +- intent.setDataAndType(pictureUri, "image/*"); ++ intent.setDataAndType(mTakePictureUri, "image/*"); + appendOutputExtra(intent, mCropPictureUri); + appendCropExtras(intent); +- try { +- StrictMode.disableDeathOnFileUriExposure(); +- if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) { +- return; ++ if (intent.resolveActivity(mContext.getPackageManager()) != null) { ++ try { ++ StrictMode.disableDeathOnFileUriExposure(); ++ mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO); ++ } finally { ++ StrictMode.enableDeathOnFileUriExposure(); + } +- } finally { +- StrictMode.enableDeathOnFileUriExposure(); +- } +- onPhotoCropped(mTakePictureUri, false); +- } +- +- private boolean startSystemActivityForResult(Intent intent, int code) { +- ActivityInfo info = intent.resolveActivityInfo(mContext.getPackageManager(), +- PackageManager.MATCH_SYSTEM_ONLY); +- if (info == null) { +- Log.w(TAG, "No system package activity could be found for code " + code); +- return false; ++ } else { ++ onPhotoCropped(mTakePictureUri, false); + } +- intent.setPackage(info.packageName); +- mFragment.startActivityForResult(intent, code); +- return true; + } + + private void appendOutputExtra(Intent intent, Uri pictureUri) { diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/345911.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/345911.patch new file mode 100644 index 00000000..a93cf2b5 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/345911.patch 
@@ -0,0 +1,135 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Oli Lan +Date: Fri, 26 Aug 2022 18:29:16 +0100 +Subject: [PATCH] Prevent exfiltration of system files via avatar picker. + +This adds mitigations to prevent system files being exfiltrated +via the settings content provider when a content URI is provided +as a chosen user image. + +The mitigations are: + +1) Copy the image to a new URI rather than the existing takePictureUri +prior to cropping. + +2) Only allow a system handler to respond to the CROP intent. + +This is a fixed version of ag/17003629, to address b/239513606. + +Bug: 187702830 +Test: build and check functionality +Merged-In: I15e15ad88b768a5b679de32c5429d921d850a3cb +Change-Id: I98eea867f926c508456ec9bc654e24eeeffa0e54 +(cherry picked from commit f70e351d1a3bc7765da1fa8f9e0bb52d425b27e4) +Merged-In: I98eea867f926c508456ec9bc654e24eeeffa0e54 +--- + .../users/EditUserPhotoController.java | 43 +++++++++++++------ + 1 file changed, 30 insertions(+), 13 deletions(-) + +diff --git a/src/com/android/settings/users/EditUserPhotoController.java b/src/com/android/settings/users/EditUserPhotoController.java +index 0f67b181de3..a874d6a0e57 100644 +--- a/src/com/android/settings/users/EditUserPhotoController.java ++++ b/src/com/android/settings/users/EditUserPhotoController.java +@@ -22,7 +22,9 @@ import android.content.ClipData; + import android.content.ContentResolver; + import android.content.Context; + import android.content.Intent; ++import android.content.pm.ActivityInfo; + import android.content.pm.PackageManager; ++import android.content.pm.ResolveInfo; + import android.database.Cursor; + import android.graphics.Bitmap; + import android.graphics.Bitmap.Config; +@@ -75,6 +77,7 @@ public class EditUserPhotoController { + private static final int REQUEST_CODE_TAKE_PHOTO = 1002; + private static final int REQUEST_CODE_CROP_PHOTO = 1003; + ++ private static final String PRE_CROP_PICTURE_FILE_NAME = 
"PreCropEditUserPhoto.jpg"; + private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg"; + private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg"; + private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png"; +@@ -85,6 +88,7 @@ public class EditUserPhotoController { + private final Fragment mFragment; + private final ImageView mImageView; + ++ private final Uri mPreCropPictureUri; + private final Uri mCropPictureUri; + private final Uri mTakePictureUri; + +@@ -96,6 +100,8 @@ public class EditUserPhotoController { + mContext = view.getContext(); + mFragment = fragment; + mImageView = view; ++ ++ mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting); + mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting); + mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting); + mPhotoSize = getPhotoSize(mContext); +@@ -130,7 +136,7 @@ public class EditUserPhotoController { + case REQUEST_CODE_TAKE_PHOTO: + case REQUEST_CODE_CHOOSE_PHOTO: + if (mTakePictureUri.equals(pictureUri)) { +- cropPhoto(); ++ cropPhoto(pictureUri); + } else { + copyAndCropPhoto(pictureUri); + } +@@ -239,7 +245,7 @@ public class EditUserPhotoController { + protected Void doInBackground(Void... 
params) { + final ContentResolver cr = mContext.getContentResolver(); + try (InputStream in = cr.openInputStream(pictureUri); +- OutputStream out = cr.openOutputStream(mTakePictureUri)) { ++ OutputStream out = cr.openOutputStream(mPreCropPictureUri)) { + Streams.copy(in, out); + } catch (IOException e) { + Log.w(TAG, "Failed to copy photo", e); +@@ -250,27 +256,38 @@ public class EditUserPhotoController { + @Override + protected void onPostExecute(Void result) { + if (!mFragment.isAdded()) return; +- cropPhoto(); ++ cropPhoto(mPreCropPictureUri); + } + }.execute(); + } + +- private void cropPhoto() { ++ private void cropPhoto(final Uri pictureUri) { + // TODO: Use a public intent, when there is one. + Intent intent = new Intent("com.android.camera.action.CROP"); +- intent.setDataAndType(mTakePictureUri, "image/*"); ++ intent.setDataAndType(pictureUri, "image/*"); + appendOutputExtra(intent, mCropPictureUri); + appendCropExtras(intent); +- if (intent.resolveActivity(mContext.getPackageManager()) != null) { +- try { +- StrictMode.disableDeathOnFileUriExposure(); +- mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO); +- } finally { +- StrictMode.enableDeathOnFileUriExposure(); ++ try { ++ StrictMode.disableDeathOnFileUriExposure(); ++ if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) { ++ return; + } +- } else { +- onPhotoCropped(mTakePictureUri, false); ++ } finally { ++ StrictMode.enableDeathOnFileUriExposure(); ++ } ++ onPhotoCropped(mTakePictureUri, false); ++ } ++ ++ private boolean startSystemActivityForResult(Intent intent, int code) { ++ List resolveInfos = mContext.getPackageManager() ++ .queryIntentActivities(intent, PackageManager.MATCH_SYSTEM_ONLY); ++ if (resolveInfos.isEmpty()) { ++ Log.w(TAG, "No system package activity could be found for code " + code); ++ return false; + } ++ intent.setPackage(resolveInfos.get(0).activityInfo.packageName); ++ mFragment.startActivityForResult(intent, code); ++ return true; + } + + 
private void appendOutputExtra(Intent intent, Uri pictureUri) { diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/345912.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/345912.patch new file mode 100644 index 00000000..2c136766 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/345912.patch 
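Review bot: `startSystemActivityForResult` takes `resolveInfos.get(0)` without saying why the first match is acceptable. A comment such as `// Any MATCH_SYSTEM_ONLY handler is trusted; take the first when several system crop handlers exist` would record the reason given for reverting the earlier version. The import hunk adds `android.content.pm.ActivityInfo`, but the new method only reads the `activityInfo` field and never names the type, so that import looks unused. `List` appears without a type argument here, which may be an artifact of how the page was extracted.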
@@ -0,0 +1,124 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Milton Wu +Date: Mon, 8 Aug 2022 09:05:00 +0000 +Subject: [PATCH] Add FLAG_SECURE for ChooseLockPassword and Pattern + +Prevent ChooseLockPassword and ChooseLockPatten being projected to +remote views, add FLAG_SECURE for these screens. + +Bug: 179725730 +Test: Check these 2 screens not projected to chromecast +Test: robo test for SetupChooseLockPatternTest ChooseLockPatternTest + SetupChooseLockPasswordTest ChooseLockPasswordTest +Change-Id: I7449a24427c966c1aa4280a7b7e7e70b60997cca +--- + .../settings/password/ChooseLockPassword.java | 2 ++ + .../settings/password/ChooseLockPattern.java | 2 ++ + .../password/ChooseLockPasswordTest.java | 18 ++++++++++++++++++ + .../password/ChooseLockPatternTest.java | 10 ++++++++++ + 4 files changed, 32 insertions(+) + +diff --git a/src/com/android/settings/password/ChooseLockPassword.java b/src/com/android/settings/password/ChooseLockPassword.java +index e60b4e6d0e5..f883a7e9198 100644 +--- a/src/com/android/settings/password/ChooseLockPassword.java ++++ b/src/com/android/settings/password/ChooseLockPassword.java +@@ -49,6 +49,7 @@ import android.view.LayoutInflater; + import android.view.View; + import android.view.View.OnClickListener; + import android.view.ViewGroup; ++import android.view.WindowManager; + import android.view.inputmethod.EditorInfo; + import android.widget.Button; + import android.widget.LinearLayout; +@@ -166,6 +167,7 @@ public class ChooseLockPassword extends SettingsActivity { + setTitle(msg); + LinearLayout layout = (LinearLayout) findViewById(R.id.content_parent); + layout.setFitsSystemWindows(false); ++ getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE); + } + + public static class ChooseLockPasswordFragment extends InstrumentedFragment +diff --git a/src/com/android/settings/password/ChooseLockPattern.java b/src/com/android/settings/password/ChooseLockPattern.java +index 0811a951bc2..d81d520d42e 
100644 +--- a/src/com/android/settings/password/ChooseLockPattern.java ++++ b/src/com/android/settings/password/ChooseLockPattern.java +@@ -31,6 +31,7 @@ import android.view.View; + import android.view.ViewGroup; + import android.widget.LinearLayout; + import android.widget.ScrollView; ++import android.view.WindowManager; + import android.widget.TextView; + + import com.android.internal.logging.nano.MetricsProto.MetricsEvent; +@@ -146,6 +147,7 @@ public class ChooseLockPattern extends SettingsActivity { + : R.string.lockpassword_choose_your_screen_lock_header); + LinearLayout layout = (LinearLayout) findViewById(R.id.content_parent); + layout.setFitsSystemWindows(false); ++ getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE); + } + + @Override +diff --git a/tests/robotests/src/com/android/settings/password/ChooseLockPasswordTest.java b/tests/robotests/src/com/android/settings/password/ChooseLockPasswordTest.java +index 75b6bb4b14a..35847d2e43f 100644 +--- a/tests/robotests/src/com/android/settings/password/ChooseLockPasswordTest.java ++++ b/tests/robotests/src/com/android/settings/password/ChooseLockPasswordTest.java +@@ -16,6 +16,8 @@ + + package com.android.settings.password; + ++import static android.view.WindowManager.LayoutParams.FLAG_SECURE; ++ + import static com.google.common.truth.Truth.assertThat; + import static org.robolectric.RuntimeEnvironment.application; + +@@ -121,6 +123,22 @@ public class ChooseLockPasswordTest { + } + + @Test ++ ++ @Test ++ public void activity_shouldHaveSecureFlag() { ++ PasswordPolicy policy = new PasswordPolicy(); ++ policy.quality = PASSWORD_QUALITY_ALPHABETIC; ++ policy.length = 10; ++ ++ Intent intent = createIntentForPasswordValidation( ++ /* minMetrics */ policy.getMinMetrics(), ++ /* minComplexity= */ PASSWORD_COMPLEXITY_NONE, ++ /* passwordType= */ PASSWORD_QUALITY_ALPHABETIC); ++ ChooseLockPassword activity = buildChooseLockPasswordActivity(intent); ++ final int flags = 
activity.getWindow().getAttributes().flags; ++ assertThat(flags & FLAG_SECURE).isEqualTo(FLAG_SECURE); ++ } ++ + public void assertThat_chooseLockIconChanged_WhenFingerprintExtraSet() { + ShadowDrawable drawable = setActivityAndGetIconDrawable(true); + assertThat(drawable.getCreatedFromResId()).isEqualTo(R.drawable.ic_fingerprint_header); +diff --git a/tests/robotests/src/com/android/settings/password/ChooseLockPatternTest.java b/tests/robotests/src/com/android/settings/password/ChooseLockPatternTest.java +index e07351cd34a..c53dd2ec0a2 100644 +--- a/tests/robotests/src/com/android/settings/password/ChooseLockPatternTest.java ++++ b/tests/robotests/src/com/android/settings/password/ChooseLockPatternTest.java +@@ -16,6 +16,8 @@ + + package com.android.settings.password; + ++import static android.view.WindowManager.LayoutParams.FLAG_SECURE; ++ + import static com.google.common.truth.Truth.assertThat; + import static org.robolectric.RuntimeEnvironment.application; + +@@ -118,6 +120,14 @@ public class ChooseLockPatternTest { + assertThat(iconView.getVisibility()).isEqualTo(View.GONE); + } + ++ @Test ++ public void activity_shouldHaveSecureFlag() { ++ final ChooseLockPattern activity = Robolectric.buildActivity( ++ ChooseLockPattern.class, new IntentBuilder(application).build()).setup().get(); ++ final int flags = activity.getWindow().getAttributes().flags; ++ assertThat(flags & FLAG_SECURE).isEqualTo(FLAG_SECURE); ++ } ++ + private ChooseLockPattern createActivity(boolean addFingerprintExtra) { + return Robolectric.buildActivity( + ChooseLockPattern.class, diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/351914.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/351914.patch new file mode 100644 index 00000000..079dc7f0 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/351914.patch 
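Review bot: In the ChooseLockPasswordTest.java hunk the new test is inserted after an existing `@Test` line and brings its own, so `activity_shouldHaveSecureFlag()` ends up annotated twice and the following `assertThat_chooseLockIconChanged_WhenFingerprintExtraSet()` is left with no `@Test` at all. JUnit's `@Test` is not repeatable, so the robotest file would not compile as patched, and even if it did the fingerprint-icon test would silently stop running. The added lines should end with the annotation rather than start with it: drop the leading `@Test` from the insertion and add `@Test` after the new method's closing brace. The test also relies on `PasswordPolicy`, `createIntentForPasswordValidation` and `PASSWORD_COMPLEXITY_NONE`, none of which this patch introduces, so it is worth confirming they exist on this branch.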
@@ -0,0 +1,158 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tsung-Mao Fang +Date: Mon, 3 Jan 2022 18:25:04 +0800 +Subject: [PATCH] FRP bypass defense in the settings app + +Over the last few years, there have been a number of +Factory Reset Protection bypass bugs in the SUW flow. +It's unlikely to defense all points from individual apps. + +Therefore, we decide to block some critical pages when +user doesn't complete the SUW flow. + +Test: Can't open the certain pages in the suw flow. +Bug: 258422561 +Fix: 200746457 +Bug: 202975040 +Fix: 213091525 +Fix: 213090835 +Fix: 201561699 +Fix: 213090827 +Fix: 213090875 +Change-Id: Ia18f367109df5af7da0a5acad7702898a459d32e +Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e +(cherry picked from commit ff5bfb40c8b09ab477efaae6a0199911a0d703dd) +Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e +--- + .../settings/SettingsPreferenceFragment.java | 22 ++++++++++++++++++- + .../accounts/AccountDashboardFragment.java | 7 +++++- + .../appinfo/AppInfoDashboardFragment.java | 5 +++++ + .../DevelopmentSettingsDashboardFragment.java | 5 +++++ + .../system/ResetDashboardFragment.java | 5 +++++ + 5 files changed, 42 insertions(+), 2 deletions(-) + +diff --git a/src/com/android/settings/SettingsPreferenceFragment.java b/src/com/android/settings/SettingsPreferenceFragment.java +index 95a039ba63b..beb7643f554 100644 +--- a/src/com/android/settings/SettingsPreferenceFragment.java ++++ b/src/com/android/settings/SettingsPreferenceFragment.java +@@ -47,6 +47,7 @@ import com.android.settings.core.instrumentation.InstrumentedDialogFragment; + import com.android.settings.search.actionbar.SearchMenuController; + import com.android.settings.support.actionbar.HelpMenuController; + import com.android.settings.support.actionbar.HelpResourceProvider; ++import com.android.settings.Utils; + import com.android.settings.widget.HighlightablePreferenceGroupAdapter; + import 
com.android.settings.widget.LoadingViewController; + import com.android.settingslib.CustomDialogPreference; +@@ -62,7 +63,7 @@ import java.util.UUID; + public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceFragment + implements DialogCreatable, HelpResourceProvider { + +- private static final String TAG = "SettingsPreference"; ++ private static final String TAG = "SettingsPreferenceFragment"; + + private static final String SAVE_HIGHLIGHTED_KEY = "android:preference_highlighted"; + +@@ -126,6 +127,15 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF + @VisibleForTesting + public boolean mPreferenceHighlighted = false; + ++ @Override ++ public void onAttach(Context context) { ++ if (shouldSkipForInitialSUW() && !Utils.isDeviceProvisioned(getContext())) { ++ Log.w(TAG, "Skip " + getClass().getSimpleName() + " before SUW completed."); ++ finish(); ++ } ++ super.onAttach(context); ++ } ++ + @Override + public void onCreate(Bundle icicle) { + super.onCreate(icicle); +@@ -261,6 +271,16 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF + return 0; + } + ++ /** ++ * Whether UI should be skipped in the initial SUW flow. ++ * ++ * @return {@code true} when UI should be skipped in the initial SUW flow. ++ * {@code false} when UI should not be skipped in the initial SUW flow. 
++ */ ++ protected boolean shouldSkipForInitialSUW() { ++ return false; ++ } ++ + protected void onDataSetChanged() { + highlightPreferenceIfNeeded(); + updateEmptyView(); +diff --git a/src/com/android/settings/accounts/AccountDashboardFragment.java b/src/com/android/settings/accounts/AccountDashboardFragment.java +index b97694031e6..df7056aa108 100644 +--- a/src/com/android/settings/accounts/AccountDashboardFragment.java ++++ b/src/com/android/settings/accounts/AccountDashboardFragment.java +@@ -64,6 +64,11 @@ public class AccountDashboardFragment extends DashboardFragment { + return R.string.help_url_user_and_account_dashboard; + } + ++ @Override ++ protected boolean shouldSkipForInitialSUW() { ++ return true; ++ } ++ + @Override + protected List createPreferenceControllers(Context context) { + final List controllers = new ArrayList<>(); +@@ -142,4 +147,4 @@ public class AccountDashboardFragment extends DashboardFragment { + return Arrays.asList(sir); + } + }; +-} +\ No newline at end of file ++} +diff --git a/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java b/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java +index 597884b1c23..b37f94d18c2 100755 +--- a/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java ++++ b/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java +@@ -522,6 +522,11 @@ public class AppInfoDashboardFragment extends DashboardFragment + return mInstantAppButtonPreferenceController.createDialog(id); + } + ++ @Override ++ protected boolean shouldSkipForInitialSUW() { ++ return true; ++ } ++ + private void uninstallPkg(String packageName, boolean allUsers, boolean andDisable) { + stopListeningToPackageRemove(); + // Create new intent to launch Uninstaller activity +diff --git a/src/com/android/settings/development/DevelopmentSettingsDashboardFragment.java b/src/com/android/settings/development/DevelopmentSettingsDashboardFragment.java +index 
f2011bc612b..0090045573b 100644 +--- a/src/com/android/settings/development/DevelopmentSettingsDashboardFragment.java ++++ b/src/com/android/settings/development/DevelopmentSettingsDashboardFragment.java +@@ -175,6 +175,11 @@ public class DevelopmentSettingsDashboardFragment extends RestrictedDashboardFra + } + } + ++ @Override ++ protected boolean shouldSkipForInitialSUW() { ++ return true; ++ } ++ + @Override + public View onCreateView(LayoutInflater inflater, ViewGroup container, + Bundle savedInstanceState) { +diff --git a/src/com/android/settings/system/ResetDashboardFragment.java b/src/com/android/settings/system/ResetDashboardFragment.java +index 03543cc4989..0050eff5fc8 100644 +--- a/src/com/android/settings/system/ResetDashboardFragment.java ++++ b/src/com/android/settings/system/ResetDashboardFragment.java +@@ -56,6 +56,11 @@ public class ResetDashboardFragment extends DashboardFragment { + return buildPreferenceControllers(context, getLifecycle()); + } + ++ @Override ++ protected boolean shouldSkipForInitialSUW() { ++ return true; ++ } ++ + private static List buildPreferenceControllers(Context context, + Lifecycle lifecycle) { + final List controllers = new ArrayList<>(); diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/351915.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/351915.patch new file mode 100644 index 00000000..5d2f9d61 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/351915.patch 
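Review bot: In `SettingsPreferenceFragment.onAttach()` the provisioning check calls `finish()` and then falls through to `super.onAttach(context)`, so the guarded fragment still attaches and, as far as the hunk shows, nothing stops its later lifecycle callbacks from running before the activity actually goes away. A comment should record that the guard depends on `finish()` alone, e.g. `// finish() only requests teardown; later callbacks may still run before SUW-gated pages close`. The check also reads `getContext()` although the `context` argument is already in hand; `Utils.isDeviceProvisioned(context)` avoids depending on the host being set before `super.onAttach()`. Because `shouldSkipForInitialSUW()` defaults to `false`, only the four fragments overridden in this patch are covered, which its Javadoc should say.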
@@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Yanting Yang +Date: Wed, 4 Jan 2023 09:40:38 +0000 +Subject: [PATCH] Add DISALLOW_APPS_CONTROL check into uninstall app for all + users + +Settings App info page supports a "Uninstall for all users" function +when multiple users are enabled. It bypasses the restriction of +DISALLOW_APPS_CONTROL which breaks the user isolation guideline. + +To fix this vulnerability, we should check the DISALLOW_APPS_CONTROL +restriction to provide the "Uninstall for all users" function. + +Bug: 258653813 +Test: manual & robotests +Change-Id: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6 +Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6 +(cherry picked from commit 86914bedc84474c152e4536fb3cfa2fb488030b8) +Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6 +--- + .../applications/appinfo/AppInfoDashboardFragment.java | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + mode change 100755 => 100644 src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java + +diff --git a/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java b/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java +old mode 100755 +new mode 100644 +index b37f94d18c2..6f8072eea03 +--- a/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java ++++ b/src/com/android/settings/applications/appinfo/AppInfoDashboardFragment.java +@@ -346,7 +346,13 @@ public class AppInfoDashboardFragment extends DashboardFragment + return; + } + super.onPrepareOptionsMenu(menu); +- menu.findItem(UNINSTALL_ALL_USERS_MENU).setVisible(shouldShowUninstallForAll(mAppEntry)); ++ final MenuItem uninstallAllUsersItem = menu.findItem(UNINSTALL_ALL_USERS_MENU); ++ uninstallAllUsersItem.setVisible( ++ shouldShowUninstallForAll(mAppEntry) && !mAppsControlDisallowedBySystem); ++ if (uninstallAllUsersItem.isVisible()) { ++ 
RestrictedLockUtils.setMenuItemAsDisabledByAdmin(getActivity(), ++ uninstallAllUsersItem, mAppsControlDisallowedAdmin); ++ } + mUpdatedSysApp = (mAppEntry.info.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0; + final MenuItem uninstallUpdatesItem = menu.findItem(UNINSTALL_UPDATES); + final boolean uninstallUpdateDisabled = getContext().getResources().getBoolean( diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/359734.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/359734.patch new file mode 100644 index 00000000..832a55a9 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/359734.patch 
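Review bot: The `DISALLOW_APPS_CONTROL` check added to `onPrepareOptionsMenu()` only hides or greys out the `UNINSTALL_ALL_USERS_MENU` item; the code that handles the item's selection is outside this hunk, so it is not visible whether the uninstall path itself re-checks `mAppsControlDisallowedBySystem` and `mAppsControlDisallowedAdmin`. If it does not, the restriction is enforced by menu state alone, and a comment here such as `// UI gate only; the selection handler must enforce the restriction as well` would record that dependency. `menu.findItem(UNINSTALL_ALL_USERS_MENU)` is still dereferenced without a null check, which matches the old chained call but is worth a guard now that the result is a named local. The method body continues outside the hunk.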
@@ -0,0 +1,28 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Dmitry Dementyev +Date: Tue, 7 Mar 2023 10:36:41 -0800 +Subject: [PATCH] Convert argument to intent in AddAccountSettings. + +Bug: 265798353 +Test: manual +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7e8052b527434ed8660e3babdab718f7f3cd7da) +Merged-In: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a +Change-Id: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a +--- + src/com/android/settings/accounts/AddAccountSettings.java | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/com/android/settings/accounts/AddAccountSettings.java b/src/com/android/settings/accounts/AddAccountSettings.java +index cca15c96d3c..2e23e931241 100644 +--- a/src/com/android/settings/accounts/AddAccountSettings.java ++++ b/src/com/android/settings/accounts/AddAccountSettings.java +@@ -102,7 +102,8 @@ public class AddAccountSettings extends Activity { + addAccountOptions.putParcelable(EXTRA_USER, mUserHandle); + intent.putExtras(addAccountOptions); + intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); +- startActivityForResultAsUser(intent, ADD_ACCOUNT_REQUEST, mUserHandle); ++ startActivityForResultAsUser( ++ new Intent(intent), ADD_ACCOUNT_REQUEST, mUserHandle); + } else { + setResult(RESULT_OK); + if (mPendingIntent != null) { diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/366136.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/366136.patch new file mode 100644 index 00000000..5c09f6f9 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/366136.patch 
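Review bot: The one functional change, `new Intent(intent)` in the `startActivityForResultAsUser()` call, carries no comment, and the reason for copying an object that is already typed as `Intent` is not obvious from the surrounding lines. Where `intent` comes from is outside the hunk; presumably it is supplied by an account authenticator and the copy ensures a plain `Intent` is what gets launched. Without a note a later cleanup could reasonably remove the copy as redundant, so I would add `// Copy into a plain Intent before launching; do not pass the received object through directly.` above the call.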
@@ -0,0 +1,209 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Taran Singh +Date: Fri, 19 May 2023 23:17:47 +0000 +Subject: [PATCH] DO NOT MERGE: Prevent non-system IME from becoming device + admin + +Currently selected IME can inject KeyEvent on DeviceAdminAdd screen to +activate itself as device admin and cause various DoS attacks. + +This CL ensures KeyEvent on "Activate" button can only come from system +apps. + +Bug: 280793427 +Test: atest DeviceAdminActivationTest +(cherry picked from commit 70a501d02e0a6aefd874767a15378ba998759373) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0ee3b96e59f3e5699c919af3642130fb33cd263b) +Merged-In: I6470d1684d707f4b1e86f8b456be0b4e0af5f188 +Change-Id: I6470d1684d707f4b1e86f8b456be0b4e0af5f188 +--- + src/com/android/settings/DeviceAdminAdd.java | 120 ++++++++++--------- + 1 file changed, 64 insertions(+), 56 deletions(-) + +diff --git a/src/com/android/settings/DeviceAdminAdd.java b/src/com/android/settings/DeviceAdminAdd.java +index fb21deb661d..10d170ab6b5 100644 +--- a/src/com/android/settings/DeviceAdminAdd.java ++++ b/src/com/android/settings/DeviceAdminAdd.java +@@ -49,6 +49,8 @@ import android.text.TextUtils.TruncateAt; + import android.util.EventLog; + import android.util.Log; + import android.view.Display; ++import android.view.KeyEvent; ++import android.view.LayoutInflater; + import android.view.View; + import android.view.ViewGroup; + import android.view.ViewTreeObserver; +@@ -133,7 +135,7 @@ public class DeviceAdminAdd extends Activity { + mAppOps = (AppOpsManager)getSystemService(Context.APP_OPS_SERVICE); + PackageManager packageManager = getPackageManager(); + +- if ((getIntent().getFlags()&Intent.FLAG_ACTIVITY_NEW_TASK) != 0) { ++ if ((getIntent().getFlags() & Intent.FLAG_ACTIVITY_NEW_TASK) != 0) { + Log.w(TAG, "Cannot start ADD_DEVICE_ADMIN as a new task"); + finish(); + return; +@@ -143,7 +145,7 @@ public class DeviceAdminAdd extends Activity 
{ + EXTRA_CALLED_FROM_SUPPORT_DIALOG, false); + + String action = getIntent().getAction(); +- ComponentName who = (ComponentName)getIntent().getParcelableExtra( ++ ComponentName who = (ComponentName) getIntent().getParcelableExtra( + DevicePolicyManager.EXTRA_DEVICE_ADMIN); + if (who == null) { + String packageName = getIntent().getStringExtra(EXTRA_DEVICE_ADMIN_PACKAGE_NAME); +@@ -201,7 +203,7 @@ public class DeviceAdminAdd extends Activity { + PackageManager.GET_DISABLED_UNTIL_USED_COMPONENTS); + int count = avail == null ? 0 : avail.size(); + boolean found = false; +- for (int i=0; i { ++ if (!mActionButton.isEnabled()) { ++ showPolicyTransparencyDialogIfRequired(); ++ return; ++ } ++ if (mAdding) { ++ addAndFinish(); ++ } else if (isManagedProfile(mDeviceAdmin) ++ && mDeviceAdmin.getComponent().equals(mDPM.getProfileOwner())) { ++ final int userId = UserHandle.myUserId(); ++ UserDialogs.createRemoveDialog(DeviceAdminAdd.this, userId, ++ new DialogInterface.OnClickListener() { ++ @Override ++ public void onClick(DialogInterface dialog, int which) { ++ UserManager um = UserManager.get(DeviceAdminAdd.this); ++ um.removeUser(userId); ++ finish(); + } +- ).show(); +- } else if (mUninstalling) { +- mDPM.uninstallPackageWithActiveAdmins(mDeviceAdmin.getPackageName()); +- finish(); +- } else if (!mWaitingForRemoveMsg) { +- try { +- // Don't allow the admin to put a dialog up in front +- // of us while we interact with the user. +- ActivityManager.getService().stopAppSwitches(); +- } catch (RemoteException e) { +- } +- mWaitingForRemoveMsg = true; +- mDPM.getRemoveWarning(mDeviceAdmin.getComponent(), +- new RemoteCallback(new RemoteCallback.OnResultListener() { +- @Override +- public void onResult(Bundle result) { +- CharSequence msg = result != null +- ? result.getCharSequence( +- DeviceAdminReceiver.EXTRA_DISABLE_WARNING) +- : null; +- continueRemoveAction(msg); +- } +- }, mHandler)); +- // Don't want to wait too long. 
+- getWindow().getDecorView().getHandler().postDelayed(new Runnable() { +- @Override public void run() { +- continueRemoveAction(null); + } +- }, 2*1000); ++ ).show(); ++ } else if (mUninstalling) { ++ mDPM.uninstallPackageWithActiveAdmins(mDeviceAdmin.getPackageName()); ++ finish(); ++ } else if (!mWaitingForRemoveMsg) { ++ try { ++ // Don't allow the admin to put a dialog up in front ++ // of us while we interact with the user. ++ ActivityManager.getService().stopAppSwitches(); ++ } catch (RemoteException e) { + } ++ mWaitingForRemoveMsg = true; ++ mDPM.getRemoveWarning(mDeviceAdmin.getComponent(), ++ new RemoteCallback(new RemoteCallback.OnResultListener() { ++ @Override ++ public void onResult(Bundle result) { ++ CharSequence msg = result != null ++ ? result.getCharSequence( ++ DeviceAdminReceiver.EXTRA_DISABLE_WARNING) ++ : null; ++ continueRemoveAction(msg); ++ } ++ }, mHandler)); ++ // Don't want to wait too long. ++ getWindow().getDecorView().getHandler().postDelayed( ++ () -> continueRemoveAction(null), 2 * 1000); ++ } ++ }; ++ restrictedAction.setOnKeyListener((view, keyCode, keyEvent) -> { ++ if ((keyEvent.getFlags() & KeyEvent.FLAG_FROM_SYSTEM) == 0) { ++ Log.e(TAG, "Can not activate device-admin with KeyEvent from non-system app."); ++ // Consume event to suppress click. ++ return true; + } ++ // Fallback to view click handler. ++ return false; + }); ++ restrictedAction.setOnClickListener(restrictedActionClickListener); + } + + /** diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/370700.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/370700.patch new file mode 100644 index 00000000..b5eb3bea --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/370700.patch 
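Review bot: The origin check added to `restrictedAction` lives only in the `setOnKeyListener` lambda, while the activation logic moves into `restrictedActionClickListener`, which performs no check of its own. Whether the click listener can be reached without passing through this key listener is not visible in the hunk, so that should be confirmed and the assumption documented, e.g. `// Only key events are filtered here; the click listener trusts its caller.` The reindented block also keeps the empty `catch (RemoteException e) { }` around `stopAppSwitches()`; a `Log.w(TAG, ...)` there would make a failed call visible. Part of this hunk is truncated in the text under review (around the `for (int i=0; i` loop), so the lines in between could not be checked.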
@@ -0,0 +1,136 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Weng Su +Date: Fri, 7 Jul 2023 19:52:04 +0800 +Subject: [PATCH] Restrict ApnEditor settings + +- Finish ApnEditor settings if user is not an admin + +- Finish ApnEditor settings if user has DISALLOW_CONFIG_MOBILE_NETWORKS restriction + +Bug: 279902472 +Test: manual test +make RunSettingsRoboTests ROBOTEST_FILTER=ApnEditorTest +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c2d727b8f9198bf758a4896eda7c9e5385435ff) +Merged-In: Iecdbbff7e21dfb11e3ba385858747a220cfd3e04 +Change-Id: Iecdbbff7e21dfb11e3ba385858747a220cfd3e04 +--- + .../android/settings/network/ApnEditor.java | 23 ++++++++++++++ + .../settings/network/ApnEditorTest.java | 31 ++++++++++++++++++- + 2 files changed, 53 insertions(+), 1 deletion(-) + +diff --git a/src/com/android/settings/network/ApnEditor.java b/src/com/android/settings/network/ApnEditor.java +index cceb31d29e7..74a7fed07fc 100644 +--- a/src/com/android/settings/network/ApnEditor.java ++++ b/src/com/android/settings/network/ApnEditor.java +@@ -27,6 +27,7 @@ import android.database.Cursor; + import android.net.Uri; + import android.os.Bundle; + import android.os.PersistableBundle; ++import android.os.UserManager; + import android.provider.Telephony; + import android.support.annotation.VisibleForTesting; + import android.support.v14.preference.MultiSelectListPreference; +@@ -203,6 +204,11 @@ public class ApnEditor extends SettingsPreferenceFragment + @Override + public void onCreate(Bundle icicle) { + super.onCreate(icicle); ++ if (isUserRestricted()) { ++ Log.e(TAG, "This setting isn't available due to user restriction."); ++ finish(); ++ return; ++ } + + addPreferencesFromResource(R.xml.apn_editor); + +@@ -1166,6 +1172,23 @@ public class ApnEditor extends SettingsPreferenceFragment + return userEnteredApnType; + } + ++ @VisibleForTesting ++ boolean isUserRestricted() { ++ UserManager userManager = 
getContext().getSystemService(UserManager.class); ++ if (userManager == null) { ++ return false; ++ } ++ if (!userManager.isAdminUser()) { ++ Log.e(TAG, "User is not an admin"); ++ return true; ++ } ++ if (userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS)) { ++ Log.e(TAG, "User is not allowed to configure mobile network"); ++ return true; ++ } ++ return false; ++ } ++ + public static class ErrorDialog extends InstrumentedDialogFragment { + + public static void showError(ApnEditor editor) { +diff --git a/tests/robotests/src/com/android/settings/network/ApnEditorTest.java b/tests/robotests/src/com/android/settings/network/ApnEditorTest.java +index 35f68a06698..ed82b59be5b 100644 +--- a/tests/robotests/src/com/android/settings/network/ApnEditorTest.java ++++ b/tests/robotests/src/com/android/settings/network/ApnEditorTest.java +@@ -32,6 +32,7 @@ import android.content.Context; + import android.content.res.Resources; + import android.database.Cursor; + import android.net.Uri; ++import android.os.UserManager; + import android.support.v14.preference.MultiSelectListPreference; + import android.support.v14.preference.SwitchPreference; + import android.support.v7.preference.EditTextPreference; +@@ -97,6 +98,8 @@ public class ApnEditorTest { + + private ApnEditor mApnEditorUT; + private Activity mActivity; ++ @Mock ++ private UserManager mUserManager; + private Resources mResources; + + @Before +@@ -111,6 +114,11 @@ public class ApnEditorTest { + doNothing().when(mApnEditorUT).finish(); + doNothing().when(mApnEditorUT).showError(); + ++ doReturn(mUserManager).when(mContext).getSystemService(UserManager.class); ++ doReturn(true).when(mUserManager).isAdminUser(); ++ doReturn(false).when(mUserManager) ++ .hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS); ++ + setMockPreference(mActivity); + mApnEditorUT.mApnData = new FakeApnData(APN_DATA); + mApnEditorUT.sNotSet = "Not Set"; +@@ -447,6 +455,27 @@ public class ApnEditorTest { + 
assertThat(ApnEditor.formatInteger("not an int")).isEqualTo("not an int"); + } + ++ @Test ++ @Config(shadows = ShadowFragment.class) ++ public void onCreate_notAdminUser_shouldFinish() { ++ doReturn(false).when(mUserManager).isAdminUser(); ++ ++ mApnEditorUT.onCreate(null); ++ ++ verify(mApnEditorUT).finish(); ++ } ++ ++ @Test ++ @Config(shadows = ShadowFragment.class) ++ public void onCreate_hasUserRestriction_shouldFinish() { ++ doReturn(true).when(mUserManager) ++ .hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS); ++ ++ mApnEditorUT.onCreate(null); ++ ++ verify(mApnEditorUT).finish(); ++ } ++ + private void initCursor() { + doReturn(2).when(mCursor).getColumnCount(); + doReturn(Integer.valueOf(2)).when(mCursor).getInt(CURSOR_INTEGER_INDEX); +@@ -489,4 +518,4 @@ public class ApnEditorTest { + mUri = uri; + } + } +-} +\ No newline at end of file ++} diff --git a/Patches/LineageOS-16.0/android_packages_apps_Traceur/378475.patch b/Patches/LineageOS-16.0/android_packages_apps_Traceur/378475.patch new file mode 100644 index 00000000..c1d70f41 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Traceur/378475.patch 
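Review bot: `isUserRestricted()` in ApnEditor.java returns `false` when `getSystemService(UserManager.class)` yields null, so the one case where the restriction cannot be evaluated is treated as unrestricted. For a security gate the safer default is to fail closed: `if (userManager == null) { Log.e(TAG, "UserManager unavailable"); return true; }`. The added robotests cover the non-admin and restricted cases but not the null-service case, so a third test pinning the chosen behaviour would help.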
@@ -0,0 +1,120 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kevin Jeon +Date: Fri, 17 Feb 2023 20:17:54 +0000 +Subject: [PATCH] Update Traceur to check admin user status + +This change updates Traceur to check for admin user privileges wherever +a developer options check occurs. This is intended to address the case +in which developer options (a global setting not differentiated on +current user privileges) being enabled would allow guest users to open +Traceur through a 3P app and view its trace files. This would previously +be possible even when ADB debugging was disabled by the admin user. + +Traceur now listens for user changes so that its document root +(containing traces) is enabled/disabled based on the new user's admin +status. + +This change also includes a partial fix for a previous less-severe +security vulnerability (developer options checks; terminating ongoing +traces if the state of developer options changes). The entire fix is not +included because the full vulnerability did not exist in this branch. + +Because Traceur is a platform app in R, a separate change to grant +MANAGE_USERS access in the privapp permissions allowlist is /not/ +required (as in S). 
+ +Test: On a local CF build (cf_x86_64_phone-userdebug), explictly + enable multi-user + apply aosp/1625022 and check that: + - CtsIntentSignatureTestCases passes (b/270791503) + - TraceurUiTests passes + - Traceur cannot be opened through 'am start' on a guest account + - Opening Files on a guest account no longer shows a System Traces + folder (even if Traceur's onCreate is somehow called) + - System tracing no longer appears in settings for guests +Bug: 262243665 +Bug: 262244249 +Bug: 204992293 +Bug: 160155846 +Ignore-AOSP-First: Internal-first security fix +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0c0b30d30dfad851cdce35e1b9097b62fffabc5f) +Merged-In: I14ee42d18802e7869bae8cb437c4d0b65dbea999 +Change-Id: I14ee42d18802e7869bae8cb437c4d0b65dbea999 +--- + AndroidManifest.xml | 3 +++ + src/com/google/android/traceur/MainActivity.java | 16 ++++++++++++++++ + .../google/android/traceur/SearchProvider.java | 7 +++++-- + 3 files changed, 24 insertions(+), 2 deletions(-) + +diff --git a/AndroidManifest.xml b/AndroidManifest.xml +index 42a4296..101e623 100644 +--- a/AndroidManifest.xml ++++ b/AndroidManifest.xml +@@ -26,6 +26,9 @@ + + + ++ ++ ++ + + + +diff --git a/src/com/google/android/traceur/MainActivity.java b/src/com/google/android/traceur/MainActivity.java +index a8c8a2b..ef1577e 100644 +--- a/src/com/google/android/traceur/MainActivity.java ++++ b/src/com/google/android/traceur/MainActivity.java +@@ -16,7 +16,9 @@ package com.android.traceur; + */ + + import android.app.Activity; ++import android.provider.Settings; + import android.os.Bundle; ++import android.os.UserManager; + + public class MainActivity extends Activity { + @Override +@@ -24,4 +26,18 @@ public class MainActivity extends Activity { + super.onCreate(savedInstanceState); + setContentView(R.layout.activity); + } ++ ++ @Override ++ protected void onStart() { ++ super.onStart(); ++ boolean developerOptionsIsEnabled = ++ 
Settings.Global.getInt(getContentResolver(), ++ Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0; ++ boolean isAdminUser = getApplicationContext() ++ .getSystemService(UserManager.class).isAdminUser(); ++ ++ if (!developerOptionsIsEnabled || !isAdminUser) { ++ finish(); ++ } ++ } + } +diff --git a/src/com/google/android/traceur/SearchProvider.java b/src/com/google/android/traceur/SearchProvider.java +index 202d2b0..9098e89 100644 +--- a/src/com/google/android/traceur/SearchProvider.java ++++ b/src/com/google/android/traceur/SearchProvider.java +@@ -31,6 +31,7 @@ import android.content.Context; + import android.content.Intent; + import android.database.Cursor; + import android.database.MatrixCursor; ++import android.os.UserManager; + import android.provider.SearchIndexablesProvider; + import android.provider.Settings; + +@@ -69,9 +70,11 @@ public class SearchProvider extends SearchIndexablesProvider { + boolean developerOptionsIsEnabled = + Settings.Global.getInt(getContext().getContentResolver(), + Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0; ++ boolean isAdminUser = getContext().getSystemService(UserManager.class).isAdminUser(); + +- // If developer options is not enabled, System Tracing shouldn't be searchable. +- if (!developerOptionsIsEnabled) { ++ // System Tracing shouldn't be searchable if developer options are not enabled or if the ++ // user is not an admin. ++ if (!developerOptionsIsEnabled || !isAdminUser) { + MatrixCursor cursor = new MatrixCursor(NON_INDEXABLES_KEYS_COLUMNS); + Object[] row = new Object[] {getContext().getString(R.string.system_tracing)}; + cursor.addRow(row); diff --git a/Patches/LineageOS-16.0/android_packages_apps_Traceur/378476.patch b/Patches/LineageOS-16.0/android_packages_apps_Traceur/378476.patch new file mode 100644 index 00000000..0b81d0b1 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Traceur/378476.patch 
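Review bot: The access condition `!developerOptionsIsEnabled || !isAdminUser` is written out twice, once in `MainActivity.onStart()` and once in SearchProvider.java, so the two gates can drift apart when the rule changes. A single static helper that both call would keep them identical. `getSystemService(UserManager.class)` is dereferenced directly in both places; if it can return null here, the activity would crash instead of finishing. The commit message also describes listening for user changes and stopping ongoing traces, but only AndroidManifest.xml, MainActivity.java and SearchProvider.java are in the diffstat, so it is worth confirming which of Traceur's other entry points carry the admin check on this branch.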
@@ -0,0 +1,64 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kevin Jeon +Date: Wed, 29 Mar 2023 16:38:23 -0400 +Subject: [PATCH] Add DISALLOW_DEBUGGING_FEATURES check + +This change adds a check for the DISALLOW_DEBUGGING_FEATURES restriction +wherever a developer options or admin-privileges check exists. + +Test: Apply this change to the relevant branches and verify that Traceur + cannot be opened through the researcher-provided APK. +Bug: 270050064 +Bug: 270050191 +Ignore-AOSP-First: Internal-first security fix. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:44480ce656dfa33a63bda978b4067bb4e67ee312) +Merged-In: I95d308f6e73a19e489f5eb09558275ca6fb3c4aa +Change-Id: I95d308f6e73a19e489f5eb09558275ca6fb3c4aa +--- + src/com/google/android/traceur/MainActivity.java | 10 +++++++--- + src/com/google/android/traceur/SearchProvider.java | 7 +++++-- + 2 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/src/com/google/android/traceur/MainActivity.java b/src/com/google/android/traceur/MainActivity.java +index ef1577e..b0d5297 100644 +--- a/src/com/google/android/traceur/MainActivity.java ++++ b/src/com/google/android/traceur/MainActivity.java +@@ -33,10 +33,14 @@ public class MainActivity extends Activity { + boolean developerOptionsIsEnabled = + Settings.Global.getInt(getContentResolver(), + Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0; +- boolean isAdminUser = getApplicationContext() +- .getSystemService(UserManager.class).isAdminUser(); + +- if (!developerOptionsIsEnabled || !isAdminUser) { ++ UserManager userManager = getApplicationContext() ++ .getSystemService(UserManager.class); ++ boolean isAdminUser = userManager.isAdminUser(); ++ boolean debuggingDisallowed = userManager.hasUserRestriction( ++ UserManager.DISALLOW_DEBUGGING_FEATURES); ++ ++ if (!developerOptionsIsEnabled || !isAdminUser || debuggingDisallowed) { + finish(); + } + } +diff --git 
a/src/com/google/android/traceur/SearchProvider.java b/src/com/google/android/traceur/SearchProvider.java +index 9098e89..8e96dc6 100644 +--- a/src/com/google/android/traceur/SearchProvider.java ++++ b/src/com/google/android/traceur/SearchProvider.java +@@ -70,11 +70,14 @@ public class SearchProvider extends SearchIndexablesProvider { + boolean developerOptionsIsEnabled = + Settings.Global.getInt(getContext().getContentResolver(), + Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0; +- boolean isAdminUser = getContext().getSystemService(UserManager.class).isAdminUser(); ++ UserManager userManager = getContext().getSystemService(UserManager.class); ++ boolean isAdminUser = userManager.isAdminUser(); ++ boolean debuggingDisallowed = userManager.hasUserRestriction( ++ UserManager.DISALLOW_DEBUGGING_FEATURES); + + // System Tracing shouldn't be searchable if developer options are not enabled or if the + // user is not an admin. +- if (!developerOptionsIsEnabled || !isAdminUser) { ++ if (!developerOptionsIsEnabled || !isAdminUser || debuggingDisallowed) { + MatrixCursor cursor = new MatrixCursor(NON_INDEXABLES_KEYS_COLUMNS); + Object[] row = new Object[] {getContext().getString(R.string.system_tracing)}; + cursor.addRow(row); diff --git a/Patches/LineageOS-16.0/android_packages_apps_Trebuchet/366137.patch b/Patches/LineageOS-16.0/android_packages_apps_Trebuchet/366137.patch new file mode 100644 index 00000000..b2c9716c --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Trebuchet/366137.patch 
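Review bot: The comment kept above the condition in SearchProvider.java still says System Tracing is hidden only when developer options are off or the user is not an admin, but the condition now also tests `debuggingDisallowed`. I would update it to `// System Tracing shouldn't be searchable if developer options are disabled, the user is not an admin, or DISALLOW_DEBUGGING_FEATURES is set.` The same three-part check is now written out in both MainActivity.onStart() and SearchProvider, so a shared static helper would keep the two gates from drifting apart the next time a restriction is added. Both methods extend beyond the hunks shown.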
@@ -0,0 +1,48 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pinyao Ting +Date: Thu, 1 Jun 2023 18:12:44 -0700 +Subject: [PATCH] Fix permission issue in legacy shortcut + +When building legacy shortcut, Launcher calls +PackageManager#resolveActivity to retrieve necessary permission to +launch the intent. + +However, when the source app wraps an arbitrary intent within +Intent#createChooser, the existing logic will fail because launching +Chooser doesn't require additional permission. + +This CL fixes the security vulnerability by performing the permission +check against the intent that is wrapped within. + +Bug: 270152142 +Test: manual +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c53818a16b4322a823497726ac7e7a44501b4442) +Merged-In: If35344c08975e35085c7c2b9b814a3c457a144b0 +Change-Id: If35344c08975e35085c7c2b9b814a3c457a144b0 +--- + .../android/launcher3/util/PackageManagerHelper.java | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java +index 0b3b632c02..4eac947fd0 100644 +--- a/src/com/android/launcher3/util/PackageManagerHelper.java ++++ b/src/com/android/launcher3/util/PackageManagerHelper.java +@@ -116,6 +116,18 @@ public class PackageManagerHelper { + * any permissions + */ + public boolean hasPermissionForActivity(Intent intent, String srcPackage) { ++ // b/270152142 ++ if (Intent.ACTION_CHOOSER.equals(intent.getAction())) { ++ final Bundle extras = intent.getExtras(); ++ if (extras == null) { ++ return true; ++ } ++ // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT ++ intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT); ++ if (intent == null) { ++ return true; ++ } ++ } + ResolveInfo target = mPm.resolveActivity(intent, 0); + if (target == null) { + // Not a valid target 
diff --git a/Patches/LineageOS-16.0/android_packages_apps_Trebuchet/377775.patch b/Patches/LineageOS-16.0/android_packages_apps_Trebuchet/377775.patch new file mode 100644 index 00000000..76e37478 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Trebuchet/377775.patch 
@@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pinyao Ting +Date: Tue, 12 Sep 2023 22:37:16 +0000 +Subject: [PATCH] Fix permission bypass in legacy shortcut + +Intent created for Chooser should not be allowed in legacy shortcuts +since it doesn't make sense for user to tap on a shortcut in homescreen +to share, the expected share flow started from ShareSheet. + +Bug: 295334906, 295045199 +Test: manual +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b7b192bd7f24a2aa7d6881ee949657c9760c0305) +Merged-In: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa +Change-Id: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa +--- + .../android/launcher3/util/PackageManagerHelper.java | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java +index 4eac947fd0..96c636a8e7 100644 +--- a/src/com/android/launcher3/util/PackageManagerHelper.java ++++ b/src/com/android/launcher3/util/PackageManagerHelper.java +@@ -118,15 +118,8 @@ public class PackageManagerHelper { + public boolean hasPermissionForActivity(Intent intent, String srcPackage) { + // b/270152142 + if (Intent.ACTION_CHOOSER.equals(intent.getAction())) { +- final Bundle extras = intent.getExtras(); +- if (extras == null) { +- return true; +- } +- // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT +- intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT); +- if (intent == null) { +- return true; +- } ++ // Chooser shortcuts is not a valid target ++ return false; + } + ResolveInfo target = mPm.resolveActivity(intent, 0); + if (target == null) { diff --git a/Patches/LineageOS-16.0/android_packages_apps_TvSettings/359735.patch b/Patches/LineageOS-16.0/android_packages_apps_TvSettings/359735.patch new file mode 100644 index 00000000..01bf6bab --- /dev/null 
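Review bot: The retained `// b/270152142` comment now labels a branch whose behaviour comes from this change (Bug: 295334906, 295045199), and the new comment reads `Chooser shortcuts is not a valid target`. I would replace the pair with `// b/270152142, b/295334906: an ACTION_CHOOSER intent is never a valid legacy shortcut target` so the reason for the unconditional `return false` is traceable. The Javadoc of hasPermissionForActivity() starts outside the hunk; it should also state that chooser intents are always rejected. This patch only applies on top of 366137.patch from the same commit, since it removes the lines that patch adds.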
+++ b/Patches/LineageOS-16.0/android_packages_apps_TvSettings/359735.patch @@ -0,0 +1,27 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Dmitry Dementyev +Date: Tue, 7 Mar 2023 10:55:07 -0800 +Subject: [PATCH] Convert argument to intent in addAccount TvSettings. + +Bug: 265798353 +Test: manual +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:706edcb7532d74788f899968016b7a6273bfbcac) +Merged-In: I06a63078f55ee8169123b1dfcf1811e682e0776e +Change-Id: I06a63078f55ee8169123b1dfcf1811e682e0776e +--- + .../tv/settings/accounts/AddAccountWithTypeActivity.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java b/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java +index a608bc4fa..ff71ac93b 100644 +--- a/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java ++++ b/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java +@@ -52,7 +52,7 @@ public class AddAccountWithTypeActivity extends Activity { + Log.e(TAG, "Failed to retrieve add account intent from authenticator"); + setResultAndFinish(Activity.RESULT_CANCELED); + } else { +- startActivityForResult(addAccountIntent, REQUEST_ADD_ACCOUNT); ++ startActivityForResult(new Intent(addAccountIntent), REQUEST_ADD_ACCOUNT); + } + } catch (IOException|AuthenticatorException|OperationCanceledException e) { + Log.e(TAG, "Failed to get add account intent: ", e); diff --git a/Patches/LineageOS-16.0/android_packages_providers_ContactsProvider/335110.patch b/Patches/LineageOS-16.0/android_packages_providers_ContactsProvider/335110.patch new file mode 100644 index 00000000..1c81551b --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_providers_ContactsProvider/335110.patch 
@@ -0,0 +1,150 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Thu, 28 Apr 2022 16:53:40 -0700 +Subject: [PATCH] enforce stricter CallLogProvider query + +changes: +- phoneNumber is now a selectionArgument +- if the user makes a query request for the CALLS_FILTER case, + throw a SE if the cursor is empty && SQL is detected + +Bug: 224771921 +Test: 2 manual, + manual 1: test app 1 can still make valid call filter query + manual 2: test app 2 with invalid query crashes b/c of SE + + 2 CTS tests, + test 1: ensures the existing functionality still works + test 2: ensures a SE is thrown on an invalid query for call filter + +Change-Id: Ia445bb59581abb14e247aa8d9f0177e02307cf96 +Merged-In: Ia445bb59581abb14e247aa8d9f0177e02307cf96 +(cherry picked from commit c8b6397d364c2741baf5d850bfdd1693782af940) +Merged-In: Ia445bb59581abb14e247aa8d9f0177e02307cf96 +--- + .../providers/contacts/CallLogProvider.java | 77 ++++++++++++++++++- + 1 file changed, 75 insertions(+), 2 deletions(-) + +diff --git a/src/com/android/providers/contacts/CallLogProvider.java b/src/com/android/providers/contacts/CallLogProvider.java +index 3d221bf2..04fc9998 100644 +--- a/src/com/android/providers/contacts/CallLogProvider.java ++++ b/src/com/android/providers/contacts/CallLogProvider.java +@@ -34,6 +34,7 @@ import android.database.Cursor; + import android.database.DatabaseUtils; + import android.database.sqlite.SQLiteDatabase; + import android.database.sqlite.SQLiteQueryBuilder; ++import android.database.sqlite.SQLiteTokenizer; + import android.net.Uri; + import android.os.Binder; + import android.os.UserHandle; +@@ -45,6 +46,7 @@ import android.telecom.PhoneAccountHandle; + import android.telecom.TelecomManager; + import android.text.TextUtils; + import android.util.ArrayMap; ++import android.util.EventLog; + import android.util.Log; + + import com.android.internal.annotations.VisibleForTesting; +@@ -59,6 +61,9 @@ import java.io.PrintWriter; + 
import java.util.ArrayList; + import java.util.Arrays; + import java.util.List; ++import java.util.Locale; ++import java.util.Set; ++import java.util.UUID; + import java.util.concurrent.CountDownLatch; + + /** +@@ -333,9 +338,10 @@ public class CallLogProvider extends ContentProvider { + List pathSegments = uri.getPathSegments(); + String phoneNumber = pathSegments.size() >= 2 ? pathSegments.get(2) : null; + if (!TextUtils.isEmpty(phoneNumber)) { +- qb.appendWhere("PHONE_NUMBERS_EQUAL(number, "); +- qb.appendWhereEscapeString(phoneNumber); ++ qb.appendWhere("PHONE_NUMBERS_EQUAL(number, ?"); + qb.appendWhere(mUseStrictPhoneNumberComparation ? ", 1)" : ", 0)"); ++ selectionArgs = copyArrayAndAppendElement(selectionArgs, ++ "'" + phoneNumber + "'"); + } else { + qb.appendWhere(Calls.NUMBER_PRESENTATION + "!=" + + Calls.PRESENTATION_ALLOWED); +@@ -357,12 +363,79 @@ public class CallLogProvider extends ContentProvider { + final SQLiteDatabase db = mDbHelper.getReadableDatabase(); + final Cursor c = qb.query(db, projection, selectionBuilder.build(), selectionArgs, null, + null, sortOrder, limitClause); ++ ++ if (match == CALLS_FILTER && selectionArgs.length > 0) { ++ // throw SE if the user is sending requests that try to bypass voicemail permissions ++ examineEmptyCursorCause(c, selectionArgs[selectionArgs.length - 1]); ++ } ++ + if (c != null) { + c.setNotificationUri(getContext().getContentResolver(), CallLog.CONTENT_URI); + } + return c; + } + ++ /** ++ * Helper method for queryInternal that appends an extra argument to the existing selection ++ * arguments array. 
++ * ++ * @param oldSelectionArguments the existing selection argument array in queryInternal ++ * @param phoneNumber the phoneNumber that was passed into queryInternal ++ * @return the new selection argument array with the phoneNumber as the last argument ++ */ ++ private String[] copyArrayAndAppendElement(String[] oldSelectionArguments, String phoneNumber) { ++ if (oldSelectionArguments == null) { ++ return new String[]{phoneNumber}; ++ } ++ String[] newSelectionArguments = new String[oldSelectionArguments.length + 1]; ++ System.arraycopy(oldSelectionArguments, 0, newSelectionArguments, 0, ++ oldSelectionArguments.length); ++ newSelectionArguments[oldSelectionArguments.length] = phoneNumber; ++ return newSelectionArguments; ++ } ++ ++ /** ++ * Helper that throws a Security Exception if the Cursor object is empty && the phoneNumber ++ * appears to have SQL. ++ * ++ * @param cursor returned from the query. ++ * @param phoneNumber string to check for SQL. ++ */ ++ private void examineEmptyCursorCause(Cursor cursor, String phoneNumber) { ++ // checks if the cursor is empty ++ if ((cursor == null) || !cursor.moveToFirst()) { ++ try { ++ // tokenize the phoneNumber and run each token through a checker ++ SQLiteTokenizer.tokenize(phoneNumber, SQLiteTokenizer.OPTION_NONE, ++ this::enforceStrictPhoneNumber); ++ } catch (IllegalArgumentException e) { ++ EventLog.writeEvent(0x534e4554, "224771921", Binder.getCallingUid(), ++ ("invalid phoneNumber passed to queryInternal")); ++ throw new SecurityException("invalid phoneNumber passed to queryInternal"); ++ } ++ } ++ } ++ ++ private void enforceStrictPhoneNumber(String token) { ++ boolean isAllowedKeyword = SQLiteTokenizer.isKeyword(token); ++ switch (token.toUpperCase(Locale.US)) { ++ case "SELECT": ++ case "FROM": ++ case "WHERE": ++ case "GROUP": ++ case "HAVING": ++ case "WINDOW": ++ case "VALUES": ++ case "ORDER": ++ case "LIMIT": ++ isAllowedKeyword = false; ++ break; ++ } ++ if (!isAllowedKeyword) { ++ throw new 
IllegalArgumentException("Invalid token " + token); ++ } ++ } ++ + private void queryForTesting(Uri uri) { + if (!uri.getBooleanQueryParameter(PARAM_KEY_QUERY_FOR_TESTING, false)) { + return; diff --git a/Patches/LineageOS-16.0/android_packages_providers_DownloadProvider/383567.patch b/Patches/LineageOS-16.0/android_packages_providers_DownloadProvider/383567.patch new file mode 100644 index 00000000..d82cd0ac --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_providers_DownloadProvider/383567.patch 
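Review bot: `selectionArgs.length` in the new `if (match == CALLS_FILTER && selectionArgs.length > 0)` is dereferenced without a null check, while copyArrayAndAppendElement() in the same patch explicitly handles a null array. When the phone-number segment is empty the else branch leaves `selectionArgs` untouched, so, unless code outside the hunk normalises it, a CALLS_FILTER query with no selection arguments would throw a NullPointerException after the query has run; `if (match == CALLS_FILTER && selectionArgs != null && selectionArgs.length > 0)` avoids that. In that same else branch the last element is a caller-supplied argument rather than the appended phone number, so the examineEmptyCursorCause() call is probably better tied to the branch that appends it. enforceStrictPhoneNumber() has no doc comment; one line stating that it throws IllegalArgumentException for any token that is not an SQLite keyword, and for the listed clause keywords, would help. queryInternal() starts and ends outside the hunk.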
@@ -0,0 +1,66 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Sergey Nikolaienkov +Date: Mon, 3 Jul 2023 17:09:28 +0200 +Subject: [PATCH] DO NOT MERGE: Consolidate queryChildDocumentsXxx() + implementations + +Make sure to override the single right variant of the +FileSystemProvider#queryChildDocuments() method: the one that takes the +"includeHidden" boolean argument. + +Bug: 200034476 +Bug: 220066255 +Bug: 283962634 +Test: make, install and run manually +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e11e4ca6eef7e77042f2b27fce4fdb8a0b3d0371) +Merged-In: I4c00693e28f3d50d716350a65e9e6bfd7482b085 +Change-Id: I4c00693e28f3d50d716350a65e9e6bfd7482b085 +--- + .../downloads/DownloadStorageProvider.java | 25 +++++-------------- + 1 file changed, 6 insertions(+), 19 deletions(-) + +diff --git a/src/com/android/providers/downloads/DownloadStorageProvider.java b/src/com/android/providers/downloads/DownloadStorageProvider.java +index b8f47a85..f7f8a21f 100644 +--- a/src/com/android/providers/downloads/DownloadStorageProvider.java ++++ b/src/com/android/providers/downloads/DownloadStorageProvider.java +@@ -245,34 +245,21 @@ public class DownloadStorageProvider extends FileSystemProvider { + } + } + +- @Override +- public Cursor queryChildDocuments(String parentDocId, String[] projection, String sortOrder) +- throws FileNotFoundException { +- return queryChildDocuments(parentDocId, projection, sortOrder, false); +- } +- +- @Override +- public Cursor queryChildDocumentsForManage( +- String parentDocId, String[] projection, String sortOrder) +- throws FileNotFoundException { +- return queryChildDocuments(parentDocId, projection, sortOrder, true); +- } +- +- private Cursor queryChildDocuments(String parentDocId, String[] projection, +- String sortOrder, boolean manage) throws FileNotFoundException { ++ protected Cursor queryChildDocuments(String documentId, String[] projection, ++ String sortOrder, boolean 
includeHidden) throws FileNotFoundException { + + // Delegate to real provider + final long token = Binder.clearCallingIdentity(); + Cursor cursor = null; + try { +- if (RawDocumentsHelper.isRawDocId(parentDocId)) { +- return super.queryChildDocuments(parentDocId, projection, sortOrder); ++ if (RawDocumentsHelper.isRawDocId(documentId)) { ++ return super.queryChildDocuments(documentId, projection, sortOrder); + } + +- assert (DOC_ID_ROOT.equals(parentDocId)); ++ assert (DOC_ID_ROOT.equals(documentId)); + final DownloadsCursor result = new DownloadsCursor(projection, + getContext().getContentResolver()); +- if (manage) { ++ if (includeHidden) { + cursor = mDm.query( + new DownloadManager.Query().setOnlyIncludeVisibleInDownloadsUi(true)); + } else { diff --git a/Patches/LineageOS-16.0/android_packages_providers_TelephonyProvider/344182.patch b/Patches/LineageOS-16.0/android_packages_providers_TelephonyProvider/344182.patch new file mode 100644 index 00000000..418f90d3 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_providers_TelephonyProvider/344182.patch 
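Review bot: The new four-argument `queryChildDocuments(..., boolean includeHidden)` is added without `@Override`, although both methods it replaces carried the annotation and the description says the point is to override the right FileSystemProvider variant. On a backport branch that matters: if the base class here does not declare this exact protected signature, the method compiles as a plain overload and is never reached by the framework, which `@Override` would turn into a build error. I would add `@Override` on the line above `protected Cursor queryChildDocuments(`. The raw-document branch still calls the three-argument `super.queryChildDocuments(documentId, projection, sortOrder)`, so `includeHidden` is not forwarded there; worth confirming against the base class on this branch that this is intended. The method body continues past the hunk.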
@@ -0,0 +1,59 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Aishwarya Mallampati +Date: Wed, 17 Aug 2022 23:21:18 +0000 +Subject: [PATCH] Check dir path before updating permissions. + +Bug: 240685104 +Test: atest android.telephonyprovider.cts.MmsPartTest + atest CtsTelephonyTestCases + Sanity check - sending and receiving sms and mms manually +Change-Id: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f +Merged-In: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f +(cherry picked from commit 0c3e2ce2810e4f5988b342f96bdd600c293c3187) +Merged-In: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f +--- + .../providers/telephony/MmsProvider.java | 23 +++++++++++++++---- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/src/com/android/providers/telephony/MmsProvider.java b/src/com/android/providers/telephony/MmsProvider.java +index 30158c34..6ba775ba 100644 +--- a/src/com/android/providers/telephony/MmsProvider.java ++++ b/src/com/android/providers/telephony/MmsProvider.java +@@ -44,7 +44,10 @@ import android.provider.Telephony.Mms.Part; + import android.provider.Telephony.Mms.Rate; + import android.provider.Telephony.MmsSms; + import android.provider.Telephony.Threads; ++import android.system.ErrnoException; ++import android.system.Os; + import android.text.TextUtils; ++import android.util.EventLog; + import android.util.Log; + + import com.google.android.mms.pdu.PduHeaders; +@@ -815,11 +818,21 @@ public class MmsProvider extends ContentProvider { + case MMS_PART_RESET_FILE_PERMISSION: + String path = getContext().getDir(PARTS_DIR_NAME, 0).getPath() + '/' + + uri.getPathSegments().get(1); +- // Reset the file permission back to read for everyone but me. 
+- int result = FileUtils.setPermissions(path, 0644, -1, -1); +- if (LOCAL_LOGV) { +- Log.d(TAG, "MmsProvider.update setPermissions result: " + result + +- " for path: " + path); ++ try { ++ String partsDirPath = getContext().getDir(PARTS_DIR_NAME, 0).getCanonicalPath(); ++ if (!new File(path).getCanonicalPath().startsWith(partsDirPath)) { ++ EventLog.writeEvent(0x534e4554, "240685104", ++ Binder.getCallingUid(), (TAG + " update: path " + path + ++ " does not start with " + partsDirPath)); ++ return 0; ++ } ++ // Reset the file permission back to read for everyone but me. ++ Os.chmod(path, 0644); ++ if (LOCAL_LOGV) { ++ Log.d(TAG, "MmsProvider.update chmod is successful for path: " + path); ++ } ++ } catch (ErrnoException | IOException e) { ++ Log.e(TAG, "Exception in chmod: " + e); + } + return 0; + diff --git a/Patches/LineageOS-16.0/android_packages_providers_TelephonyProvider/364616.patch b/Patches/LineageOS-16.0/android_packages_providers_TelephonyProvider/364616.patch new file mode 100644 index 00000000..e68278ce --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_providers_TelephonyProvider/364616.patch 
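Review bot: `Log.e(TAG, "Exception in chmod: " + e);` in the new catch block concatenates the exception into the message and drops the stack trace; `Log.e(TAG, "Exception in chmod", e);` keeps it. The case also returns 0 for a rejected path, a failed chmod and a successful one alike, so a caller cannot tell them apart, which is fine if intended but worth a comment. The `startsWith(partsDirPath)` comparison and the chmod on the non-canonical `path` are tightened by 364616.patch in the same commit, so the two patches need to be applied together. update() starts and ends outside the hunk.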
@@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Aishwarya Mallampati +Date: Wed, 10 May 2023 21:54:43 +0000 +Subject: [PATCH] Update file permissions using canonical path + +Bug: 264880895 +Bug: 264880689 +Test: atest android.telephonyprovider.cts.MmsPartTest + atest CtsTelephonyTestCases + Sanity check - sending and receiving sms and mms manually +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6743638a096c32627f398efd2ea78f08b8a2db8c) +Merged-In: I8dd888ea31ec07c9f0de38eb8e8170d3ed255686 +Change-Id: I8dd888ea31ec07c9f0de38eb8e8170d3ed255686 +--- + src/com/android/providers/telephony/MmsProvider.java | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/com/android/providers/telephony/MmsProvider.java b/src/com/android/providers/telephony/MmsProvider.java +index 6ba775ba..7546c246 100644 +--- a/src/com/android/providers/telephony/MmsProvider.java ++++ b/src/com/android/providers/telephony/MmsProvider.java +@@ -819,15 +819,16 @@ public class MmsProvider extends ContentProvider { + String path = getContext().getDir(PARTS_DIR_NAME, 0).getPath() + '/' + + uri.getPathSegments().get(1); + try { ++ File canonicalFile = new File(path).getCanonicalFile(); + String partsDirPath = getContext().getDir(PARTS_DIR_NAME, 0).getCanonicalPath(); +- if (!new File(path).getCanonicalPath().startsWith(partsDirPath)) { ++ if (!canonicalFile.getPath().startsWith(partsDirPath + '/')) { + EventLog.writeEvent(0x534e4554, "240685104", + Binder.getCallingUid(), (TAG + " update: path " + path + + " does not start with " + partsDirPath)); + return 0; + } + // Reset the file permission back to read for everyone but me. +- Os.chmod(path, 0644); ++ Os.chmod(canonicalFile.getPath(), 0644); + if (LOCAL_LOGV) { + Log.d(TAG, "MmsProvider.update chmod is successful for path: " + path); + } 
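Review bot: The reason for appending `'/'` in `startsWith(partsDirPath + '/')` is not recorded, and it is the whole point of the change. I would add `// Append the separator so a sibling directory whose name merely begins with the parts directory name is rejected.` above the check. The EventLog and Log.d messages still print the raw `path` although the check and `Os.chmod` now operate on `canonicalFile.getPath()`; logging the canonical path as well would make a rejected request easier to triage. The EventLog tag remains "240685104" while this change lists Bug: 264880895 and 264880689, which may be intentional but deserves a comment.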
diff --git a/Patches/LineageOS-16.0/android_packages_providers_TelephonyProvider/374920.patch b/Patches/LineageOS-16.0/android_packages_providers_TelephonyProvider/374920.patch new file mode 100644 index 00000000..0cdbb90f --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_providers_TelephonyProvider/374920.patch 
@@ -0,0 +1,826 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Aishwarya Mallampati +Date: Wed, 23 Aug 2023 18:30:46 +0000 +Subject: [PATCH] DO NOT MERGE Block access to sms/mms db from work profile. + +Bug: 289242655 +Test: Manually verified work profile cannot access personal sms by +following steps mentioned in b/289242655#comment26 +- atest SmsProviderTest +- atest MmsProviderTest +- atest SmsBackupRestoreTest +- QA performed regression testing and confirmed fix is working as intended here: b/294459052#comment30 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:950a7e5a4bf1b38e846fe00642105479efded57d) +Merged-In: Ib1c9ec75f77e8412b53df50f5414caa0e5aaa277 +Change-Id: Ib1c9ec75f77e8412b53df50f5414caa0e5aaa277 + +Change-Id: Ic6aca29053bf3208f5b9e5573293bb9e17103776 +--- + .../providers/telephony/MmsProvider.java | 41 ++++- + .../telephony/MmsSmsDatabaseHelper.java | 157 +++++++++------- + .../providers/telephony/MmsSmsProvider.java | 42 ++++- + .../providers/telephony/SmsProvider.java | 35 ++++ + .../providers/telephony/MmsProviderTest.java | 173 ++++++++++++++++++ + .../telephony/MmsProviderTestable.java | 77 ++++++++ + .../providers/telephony/SmsProviderTest.java | 55 ++++++ + 7 files changed, 508 insertions(+), 72 deletions(-) + create mode 100644 tests/src/com/android/providers/telephony/MmsProviderTest.java + create mode 100644 tests/src/com/android/providers/telephony/MmsProviderTestable.java + +diff --git a/src/com/android/providers/telephony/MmsProvider.java b/src/com/android/providers/telephony/MmsProvider.java +index 7546c246..9f58fc33 100644 +--- a/src/com/android/providers/telephony/MmsProvider.java ++++ b/src/com/android/providers/telephony/MmsProvider.java +@@ -25,6 +25,7 @@ import android.content.Context; + import android.content.Intent; + import android.content.UriMatcher; + import android.database.Cursor; ++import android.database.MatrixCursor; + import 
android.database.sqlite.SQLiteDatabase; + import android.database.sqlite.SQLiteException; + import android.database.sqlite.SQLiteOpenHelper; +@@ -34,6 +35,7 @@ import android.os.Binder; + import android.os.FileUtils; + import android.os.ParcelFileDescriptor; + import android.os.UserHandle; ++import android.os.UserManager; + import android.provider.BaseColumns; + import android.provider.Telephony; + import android.provider.Telephony.CanonicalAddressesColumns; +@@ -50,6 +52,8 @@ import android.text.TextUtils; + import android.util.EventLog; + import android.util.Log; + ++import com.android.internal.annotations.VisibleForTesting; ++ + import com.google.android.mms.pdu.PduHeaders; + import com.google.android.mms.util.DownloadDrmHelper; + +@@ -94,6 +98,16 @@ public class MmsProvider extends ContentProvider { + @Override + public Cursor query(Uri uri, String[] projection, + String selection, String[] selectionArgs, String sortOrder) { ++ Cursor emptyCursor = new MatrixCursor((projection == null) ? ++ (new String[] {}) : projection); ++ UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE); ++ if ((userManager != null) && (userManager.isManagedProfile( ++ Binder.getCallingUserHandle().getIdentifier()))) { ++ // If work profile is trying to query mms, return empty cursor. ++ Log.e(TAG, "Managed profile is not allowed to query MMS."); ++ return emptyCursor; ++ } ++ + // First check if a restricted view of the "pdu" table should be used based on the + // caller's identity. Only system, phone or the default sms app can have full access + // of mms data. 
For other apps, we present a restricted view which only contains sent +@@ -307,6 +321,14 @@ public class MmsProvider extends ContentProvider { + + @Override + public Uri insert(Uri uri, ContentValues values) { ++ UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE); ++ if ((userManager != null) && (userManager.isManagedProfile( ++ Binder.getCallingUserHandle().getIdentifier()))) { ++ // If work profile is trying to insert mms, return null. ++ Log.e(TAG, "Managed profile is not allowed to insert MMS."); ++ return null; ++ } ++ + final int callerUid = Binder.getCallingUid(); + final String callerPkg = getCallingPackage(); + int msgBox = Mms.MESSAGE_BOX_ALL; +@@ -622,6 +644,14 @@ public class MmsProvider extends ContentProvider { + @Override + public int delete(Uri uri, String selection, + String[] selectionArgs) { ++ UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE); ++ if ((userManager != null) && (userManager.isManagedProfile( ++ Binder.getCallingUserHandle().getIdentifier()))) { ++ // If work profile is trying to delete mms, return 0. ++ Log.e(TAG, "Managed profile is not allowed to delete MMS."); ++ return 0; ++ } ++ + int match = sURLMatcher.match(uri); + if (LOCAL_LOGV) { + Log.v(TAG, "Delete uri=" + uri + ", match=" + match); +@@ -774,6 +804,14 @@ public class MmsProvider extends ContentProvider { + + @Override + public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { ++ UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE); ++ if ((userManager != null) && (userManager.isManagedProfile( ++ Binder.getCallingUserHandle().getIdentifier()))) { ++ // If work profile is trying to update mms, return 0. ++ Log.e(TAG, "Managed profile is not allowed to update MMS."); ++ return 0; ++ } ++ + // The _data column is filled internally in MmsProvider, so this check is just to avoid + // it from being inadvertently set. 
This is not supposed to be a protection against + // malicious attack, since sql injection could still be attempted to bypass the check. On +@@ -1062,7 +1100,8 @@ public class MmsProvider extends ContentProvider { + sURLMatcher.addURI("mms", "resetFilePerm/*", MMS_PART_RESET_FILE_PERMISSION); + } + +- private SQLiteOpenHelper mOpenHelper; ++ @VisibleForTesting ++ public SQLiteOpenHelper mOpenHelper; + + private static String concatSelections(String selection1, String selection2) { + if (TextUtils.isEmpty(selection1)) { +diff --git a/src/com/android/providers/telephony/MmsSmsDatabaseHelper.java b/src/com/android/providers/telephony/MmsSmsDatabaseHelper.java +index 738963ed..41ab4dbd 100644 +--- a/src/com/android/providers/telephony/MmsSmsDatabaseHelper.java ++++ b/src/com/android/providers/telephony/MmsSmsDatabaseHelper.java +@@ -708,78 +708,97 @@ public class MmsSmsDatabaseHelper extends SQLiteOpenHelper { + } + } + ++ @VisibleForTesting ++ public static String CREATE_ADDR_TABLE_STR = ++ "CREATE TABLE " + MmsProvider.TABLE_ADDR + " (" + ++ Addr._ID + " INTEGER PRIMARY KEY," + ++ Addr.MSG_ID + " INTEGER," + ++ Addr.CONTACT_ID + " INTEGER," + ++ Addr.ADDRESS + " TEXT," + ++ Addr.TYPE + " INTEGER," + ++ Addr.CHARSET + " INTEGER);"; ++ ++ @VisibleForTesting ++ public static String CREATE_PART_TABLE_STR = ++ "CREATE TABLE " + MmsProvider.TABLE_PART + " (" + ++ Part._ID + " INTEGER PRIMARY KEY AUTOINCREMENT," + ++ Part.MSG_ID + " INTEGER," + ++ Part.SEQ + " INTEGER DEFAULT 0," + ++ Part.CONTENT_TYPE + " TEXT," + ++ Part.NAME + " TEXT," + ++ Part.CHARSET + " INTEGER," + ++ Part.CONTENT_DISPOSITION + " TEXT," + ++ Part.FILENAME + " TEXT," + ++ Part.CONTENT_ID + " TEXT," + ++ Part.CONTENT_LOCATION + " TEXT," + ++ Part.CT_START + " INTEGER," + ++ Part.CT_TYPE + " TEXT," + ++ Part._DATA + " TEXT," + ++ Part.TEXT + " TEXT);"; ++ ++ public static String CREATE_PDU_TABLE_STR = ++ "CREATE TABLE " + MmsProvider.TABLE_PDU + " (" + ++ Mms._ID + " INTEGER PRIMARY KEY AUTOINCREMENT," 
+ ++ Mms.THREAD_ID + " INTEGER," + ++ Mms.DATE + " INTEGER," + ++ Mms.DATE_SENT + " INTEGER DEFAULT 0," + ++ Mms.MESSAGE_BOX + " INTEGER," + ++ Mms.READ + " INTEGER DEFAULT 0," + ++ Mms.MESSAGE_ID + " TEXT," + ++ Mms.SUBJECT + " TEXT," + ++ Mms.SUBJECT_CHARSET + " INTEGER," + ++ Mms.CONTENT_TYPE + " TEXT," + ++ Mms.CONTENT_LOCATION + " TEXT," + ++ Mms.EXPIRY + " INTEGER," + ++ Mms.MESSAGE_CLASS + " TEXT," + ++ Mms.MESSAGE_TYPE + " INTEGER," + ++ Mms.MMS_VERSION + " INTEGER," + ++ Mms.MESSAGE_SIZE + " INTEGER," + ++ Mms.PRIORITY + " INTEGER," + ++ Mms.READ_REPORT + " INTEGER," + ++ Mms.REPORT_ALLOWED + " INTEGER," + ++ Mms.RESPONSE_STATUS + " INTEGER," + ++ Mms.STATUS + " INTEGER," + ++ Mms.TRANSACTION_ID + " TEXT," + ++ Mms.RETRIEVE_STATUS + " INTEGER," + ++ Mms.RETRIEVE_TEXT + " TEXT," + ++ Mms.RETRIEVE_TEXT_CHARSET + " INTEGER," + ++ Mms.READ_STATUS + " INTEGER," + ++ Mms.CONTENT_CLASS + " INTEGER," + ++ Mms.RESPONSE_TEXT + " TEXT," + ++ Mms.DELIVERY_TIME + " INTEGER," + ++ Mms.DELIVERY_REPORT + " INTEGER," + ++ Mms.LOCKED + " INTEGER DEFAULT 0," + ++ Mms.SUBSCRIPTION_ID + " INTEGER DEFAULT " ++ + SubscriptionManager.INVALID_SUBSCRIPTION_ID + ", " + ++ Mms.SEEN + " INTEGER DEFAULT 0," + ++ Mms.CREATOR + " TEXT," + ++ Mms.TEXT_ONLY + " INTEGER DEFAULT 0);"; ++ ++ @VisibleForTesting ++ public static String CREATE_RATE_TABLE_STR = ++ "CREATE TABLE " + MmsProvider.TABLE_RATE + " (" + ++ Rate.SENT_TIME + " INTEGER);"; ++ ++ @VisibleForTesting ++ public static String CREATE_DRM_TABLE_STR = ++ "CREATE TABLE " + MmsProvider.TABLE_DRM + " (" + ++ BaseColumns._ID + " INTEGER PRIMARY KEY," + ++ "_data TEXT);"; ++ ++ @VisibleForTesting + private void createMmsTables(SQLiteDatabase db) { + // N.B.: Whenever the columns here are changed, the columns in + // {@ref MmsSmsProvider} must be changed to match. 
+- db.execSQL("CREATE TABLE " + MmsProvider.TABLE_PDU + " (" + +- Mms._ID + " INTEGER PRIMARY KEY AUTOINCREMENT," + +- Mms.THREAD_ID + " INTEGER," + +- Mms.DATE + " INTEGER," + +- Mms.DATE_SENT + " INTEGER DEFAULT 0," + +- Mms.MESSAGE_BOX + " INTEGER," + +- Mms.READ + " INTEGER DEFAULT 0," + +- Mms.MESSAGE_ID + " TEXT," + +- Mms.SUBJECT + " TEXT," + +- Mms.SUBJECT_CHARSET + " INTEGER," + +- Mms.CONTENT_TYPE + " TEXT," + +- Mms.CONTENT_LOCATION + " TEXT," + +- Mms.EXPIRY + " INTEGER," + +- Mms.MESSAGE_CLASS + " TEXT," + +- Mms.MESSAGE_TYPE + " INTEGER," + +- Mms.MMS_VERSION + " INTEGER," + +- Mms.MESSAGE_SIZE + " INTEGER," + +- Mms.PRIORITY + " INTEGER," + +- Mms.READ_REPORT + " INTEGER," + +- Mms.REPORT_ALLOWED + " INTEGER," + +- Mms.RESPONSE_STATUS + " INTEGER," + +- Mms.STATUS + " INTEGER," + +- Mms.TRANSACTION_ID + " TEXT," + +- Mms.RETRIEVE_STATUS + " INTEGER," + +- Mms.RETRIEVE_TEXT + " TEXT," + +- Mms.RETRIEVE_TEXT_CHARSET + " INTEGER," + +- Mms.READ_STATUS + " INTEGER," + +- Mms.CONTENT_CLASS + " INTEGER," + +- Mms.RESPONSE_TEXT + " TEXT," + +- Mms.DELIVERY_TIME + " INTEGER," + +- Mms.DELIVERY_REPORT + " INTEGER," + +- Mms.LOCKED + " INTEGER DEFAULT 0," + +- Mms.SUBSCRIPTION_ID + " INTEGER DEFAULT " +- + SubscriptionManager.INVALID_SUBSCRIPTION_ID + ", " + +- Mms.SEEN + " INTEGER DEFAULT 0," + +- Mms.CREATOR + " TEXT," + +- Mms.TEXT_ONLY + " INTEGER DEFAULT 0" + +- ");"); +- +- db.execSQL("CREATE TABLE " + MmsProvider.TABLE_ADDR + " (" + +- Addr._ID + " INTEGER PRIMARY KEY," + +- Addr.MSG_ID + " INTEGER," + +- Addr.CONTACT_ID + " INTEGER," + +- Addr.ADDRESS + " TEXT," + +- Addr.TYPE + " INTEGER," + +- Addr.CHARSET + " INTEGER);"); +- +- db.execSQL("CREATE TABLE " + MmsProvider.TABLE_PART + " (" + +- Part._ID + " INTEGER PRIMARY KEY AUTOINCREMENT," + +- Part.MSG_ID + " INTEGER," + +- Part.SEQ + " INTEGER DEFAULT 0," + +- Part.CONTENT_TYPE + " TEXT," + +- Part.NAME + " TEXT," + +- Part.CHARSET + " INTEGER," + +- Part.CONTENT_DISPOSITION + " TEXT," + +- 
Part.FILENAME + " TEXT," + +- Part.CONTENT_ID + " TEXT," + +- Part.CONTENT_LOCATION + " TEXT," + +- Part.CT_START + " INTEGER," + +- Part.CT_TYPE + " TEXT," + +- Part._DATA + " TEXT," + +- Part.TEXT + " TEXT);"); +- +- db.execSQL("CREATE TABLE " + MmsProvider.TABLE_RATE + " (" + +- Rate.SENT_TIME + " INTEGER);"); +- +- db.execSQL("CREATE TABLE " + MmsProvider.TABLE_DRM + " (" + +- BaseColumns._ID + " INTEGER PRIMARY KEY," + +- "_data TEXT);"); ++ db.execSQL(CREATE_PDU_TABLE_STR); ++ ++ db.execSQL(CREATE_ADDR_TABLE_STR); ++ ++ db.execSQL(CREATE_PART_TABLE_STR); ++ ++ db.execSQL(CREATE_RATE_TABLE_STR); ++ ++ db.execSQL(CREATE_DRM_TABLE_STR); + + // Restricted view of pdu table, only sent/received messages without wap pushes + db.execSQL("CREATE VIEW " + MmsProvider.VIEW_PDU_RESTRICTED + " AS " + +diff --git a/src/com/android/providers/telephony/MmsSmsProvider.java b/src/com/android/providers/telephony/MmsSmsProvider.java +index 1653cd98..a311eb4d 100644 +--- a/src/com/android/providers/telephony/MmsSmsProvider.java ++++ b/src/com/android/providers/telephony/MmsSmsProvider.java +@@ -23,6 +23,7 @@ import android.content.Context; + import android.content.UriMatcher; + import android.database.Cursor; + import android.database.DatabaseUtils; ++import android.database.MatrixCursor; + import android.database.sqlite.SQLiteDatabase; + import android.database.sqlite.SQLiteOpenHelper; + import android.database.sqlite.SQLiteQueryBuilder; +@@ -30,6 +31,7 @@ import android.net.Uri; + import android.os.Binder; + import android.os.Bundle; + import android.os.UserHandle; ++import android.os.UserManager; + import android.provider.BaseColumns; + import android.provider.Telephony; + import android.provider.Telephony.CanonicalAddressesColumns; +@@ -323,6 +325,16 @@ public class MmsSmsProvider extends ContentProvider { + @Override + public Cursor query(Uri uri, String[] projection, + String selection, String[] selectionArgs, String sortOrder) { ++ Cursor emptyCursor = new 
MatrixCursor((projection == null) ? ++ (new String[] {}) : projection); ++ UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE); ++ if ((userManager != null) && (userManager.isManagedProfile( ++ Binder.getCallingUserHandle().getIdentifier()))) { ++ // If work profile is trying to query mms/sms, return empty cursor. ++ Log.e(LOG_TAG, "Managed profile is not allowed to query MMS/SMS."); ++ return emptyCursor; ++ } ++ + // First check if restricted views of the "sms" and "pdu" tables should be used based on the + // caller's identity. Only system, phone or the default sms app can have full access + // of sms/mms data. For other apps, we present a restricted view which only contains sent +@@ -1216,6 +1228,14 @@ public class MmsSmsProvider extends ContentProvider { + @Override + public int delete(Uri uri, String selection, + String[] selectionArgs) { ++ UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE); ++ if ((userManager != null) && (userManager.isManagedProfile( ++ Binder.getCallingUserHandle().getIdentifier()))) { ++ // If work profile is trying to delete mms/sms, return 0. ++ Log.e(LOG_TAG, "Managed profile is not allowed to delete MMS/SMS."); ++ return 0; ++ } ++ + SQLiteDatabase db = mOpenHelper.getWritableDatabase(); + Context context = getContext(); + int affectedRows = 0; +@@ -1272,8 +1292,18 @@ public class MmsSmsProvider extends ContentProvider { + + @Override + public Uri insert(Uri uri, ContentValues values) { +- if (URI_MATCHER.match(uri) == URI_PENDING_MSG) { +- SQLiteDatabase db = mOpenHelper.getWritableDatabase(); ++ UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE); ++ if ((userManager != null) && (userManager.isManagedProfile( ++ Binder.getCallingUserHandle().getIdentifier()))) { ++ // If work profile is trying to insert mms/sms, return null. 
++ Log.e(LOG_TAG, "Managed profile is not allowed to insert MMS/SMS."); ++ return null; ++ } ++ ++ SQLiteDatabase db = mOpenHelper.getWritableDatabase(); ++ int matchIndex = URI_MATCHER.match(uri); ++ ++ if (matchIndex == URI_PENDING_MSG) { + long rowId = db.insert(TABLE_PENDING_MSG, null, values); + return Uri.parse(uri + "/" + rowId); + } +@@ -1283,6 +1313,14 @@ public class MmsSmsProvider extends ContentProvider { + @Override + public int update(Uri uri, ContentValues values, + String selection, String[] selectionArgs) { ++ UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE); ++ if ((userManager != null) && (userManager.isManagedProfile( ++ Binder.getCallingUserHandle().getIdentifier()))) { ++ // If work profile is trying to update mms/sms, return 0. ++ Log.e(LOG_TAG, "Managed profile is not allowed to update MMS/SMS."); ++ return 0; ++ } ++ + final int callerUid = Binder.getCallingUid(); + final String callerPkg = getCallingPackage(); + SQLiteDatabase db = mOpenHelper.getWritableDatabase(); +diff --git a/src/com/android/providers/telephony/SmsProvider.java b/src/com/android/providers/telephony/SmsProvider.java +index 2b40d7eb..986c93a1 100644 +--- a/src/com/android/providers/telephony/SmsProvider.java ++++ b/src/com/android/providers/telephony/SmsProvider.java +@@ -32,6 +32,7 @@ import android.database.sqlite.SQLiteQueryBuilder; + import android.net.Uri; + import android.os.Binder; + import android.os.UserHandle; ++import android.os.UserManager; + import android.provider.Contacts; + import android.provider.Telephony; + import android.provider.Telephony.MmsSms; +@@ -113,6 +114,16 @@ public class SmsProvider extends ContentProvider { + @Override + public Cursor query(Uri url, String[] projectionIn, String selection, + String[] selectionArgs, String sort) { ++ Cursor emptyCursor = new MatrixCursor((projectionIn == null) ? 
++ (new String[] {}) : projectionIn); ++ UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE); ++ if ((userManager != null) && (userManager.isManagedProfile( ++ Binder.getCallingUserHandle().getIdentifier()))) { ++ // If work profile is trying to query sms, return empty cursor. ++ Log.e(TAG, "Managed profile is not allowed to query SMS."); ++ return emptyCursor; ++ } ++ + // First check if a restricted view of the "sms" table should be used based on the + // caller's identity. Only system, phone or the default sms app can have full access + // of sms data. For other apps, we present a restricted view which only contains sent +@@ -458,6 +469,14 @@ public class SmsProvider extends ContentProvider { + } + + private Uri insertInner(Uri url, ContentValues initialValues, int callerUid, String callerPkg) { ++ UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE); ++ if ((userManager != null) && (userManager.isManagedProfile( ++ Binder.getCallingUserHandle().getIdentifier()))) { ++ // If work profile is trying to insert sms, return null. ++ Log.e(TAG, "Managed profile is not allowed to insert SMS."); ++ return null; ++ } ++ + ContentValues values; + long rowID; + int type = Sms.MESSAGE_TYPE_ALL; +@@ -651,6 +670,14 @@ public class SmsProvider extends ContentProvider { + + @Override + public int delete(Uri url, String where, String[] whereArgs) { ++ UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE); ++ if ((userManager != null) && (userManager.isManagedProfile( ++ Binder.getCallingUserHandle().getIdentifier()))) { ++ // If work profile is trying to delete sms, return 0. 
++ Log.e(TAG, "Managed profile is not allowed to delete SMS."); ++ return 0; ++ } ++ + int count; + int match = sURLMatcher.match(url); + SQLiteDatabase db = getWritableDatabase(match); +@@ -753,6 +780,14 @@ public class SmsProvider extends ContentProvider { + + @Override + public int update(Uri url, ContentValues values, String where, String[] whereArgs) { ++ UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE); ++ if ((userManager != null) && (userManager.isManagedProfile( ++ Binder.getCallingUserHandle().getIdentifier()))) { ++ // If work profile is trying to update sms, return 0. ++ Log.e(TAG, "Managed profile is not allowed to update SMS."); ++ return 0; ++ } ++ + final int callerUid = Binder.getCallingUid(); + final String callerPkg = getCallingPackage(); + int count = 0; +diff --git a/tests/src/com/android/providers/telephony/MmsProviderTest.java b/tests/src/com/android/providers/telephony/MmsProviderTest.java +new file mode 100644 +index 00000000..e1010e01 +--- /dev/null ++++ b/tests/src/com/android/providers/telephony/MmsProviderTest.java +@@ -0,0 +1,173 @@ ++/* ++ * Copyright (C) 2023 The Android Open Source Project ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. 
++ */ ++ ++package com.android.providers.telephony; ++ ++import static org.mockito.ArgumentMatchers.anyInt; ++import static org.mockito.ArgumentMatchers.anyString; ++import static org.mockito.ArgumentMatchers.eq; ++import static org.mockito.Mockito.mock; ++import static org.mockito.Mockito.when; ++ ++import android.app.AppOpsManager; ++import android.content.ContentValues; ++import android.content.Context; ++import android.content.pm.PackageManager; ++import android.content.pm.ProviderInfo; ++import android.database.ContentObserver; ++import android.database.Cursor; ++import android.net.Uri; ++import android.os.UserManager; ++import android.provider.Telephony; ++import android.telephony.TelephonyManager; ++import android.test.mock.MockContentResolver; ++import android.util.Log; ++ ++import junit.framework.TestCase; ++ ++import org.junit.Test; ++import org.mockito.Mock; ++import org.mockito.MockitoAnnotations; ++ ++public class MmsProviderTest extends TestCase { ++ private static final String TAG = "MmsProviderTest"; ++ ++ @Mock private Context mContext; ++ private MockContentResolver mContentResolver; ++ private MmsProviderTestable mMmsProviderTestable; ++ @Mock private PackageManager mPackageManager; ++ ++ private int notifyChangeCount; ++ private UserManager mUserManager; ++ ++ @Override ++ protected void setUp() throws Exception { ++ super.setUp(); ++ MockitoAnnotations.initMocks(this); ++ mMmsProviderTestable = new MmsProviderTestable(); ++ mUserManager = mock(UserManager.class); ++ ++ // setup mocks ++ when(mContext.getSystemService(eq(Context.APP_OPS_SERVICE))) ++ .thenReturn(mock(AppOpsManager.class)); ++ when(mContext.getSystemService(eq(Context.TELEPHONY_SERVICE))) ++ .thenReturn(mock(TelephonyManager.class)); ++ when(mContext.getSystemService(eq(Context.USER_SERVICE))) ++ .thenReturn(mUserManager); ++ ++ when(mContext.checkCallingOrSelfPermission(anyString())) ++ .thenReturn(PackageManager.PERMISSION_GRANTED); ++ when(mContext.getUserId()).thenReturn(0); 
++ when(mContext.getPackageManager()).thenReturn(mPackageManager); ++ ++ /** ++ * This is used to give the MmsProviderTest a mocked context which takes a ++ * SmsProvider and attaches it to the ContentResolver with telephony authority. ++ * The mocked context also gives WRITE_APN_SETTINGS permissions ++ */ ++ mContentResolver = new MockContentResolver() { ++ @Override ++ public void notifyChange(Uri uri, ContentObserver observer, boolean syncToNetwork, ++ int userHandle) { ++ notifyChangeCount++; ++ } ++ }; ++ when(mContext.getContentResolver()).thenReturn(mContentResolver); ++ ++ // Add authority="mms" to given mmsProvider ++ ProviderInfo providerInfo = new ProviderInfo(); ++ providerInfo.authority = "mms"; ++ ++ // Add context to given mmsProvider ++ mMmsProviderTestable.attachInfoForTesting(mContext, providerInfo); ++ Log.d(TAG, "MockContextWithProvider: mmsProvider.getContext(): " ++ + mMmsProviderTestable.getContext()); ++ ++ // Add given MmsProvider to mResolver with authority="mms" so that ++ // mResolver can send queries to mMmsProvider ++ mContentResolver.addProvider("mms", mMmsProviderTestable); ++ Log.d(TAG, "MockContextWithProvider: Add MmsProvider to mResolver"); ++ notifyChangeCount = 0; ++ } ++ ++ @Override ++ protected void tearDown() throws Exception { ++ super.tearDown(); ++ mMmsProviderTestable.closeDatabase(); ++ } ++ ++ @Test ++ public void testInsertMms() { ++ final ContentValues values = new ContentValues(); ++ values.put(Telephony.Mms.READ, 1); ++ values.put(Telephony.Mms.SEEN, 1); ++ values.put(Telephony.Mms.SUBSCRIPTION_ID, 1); ++ values.put(Telephony.Mms.MESSAGE_BOX, Telephony.Mms.MESSAGE_BOX_ALL); ++ values.put(Telephony.Mms.TEXT_ONLY, 1); ++ values.put(Telephony.Mms.THREAD_ID, 1); ++ ++ Uri expected = Uri.parse("content://mms/1"); ++ Uri actual = mContentResolver.insert(Telephony.Mms.CONTENT_URI, values); ++ ++ assertEquals(expected, actual); ++ assertEquals(1, notifyChangeCount); ++ } ++ ++ @Test ++ public void 
testInsertUsingManagedProfile() { ++ when(mUserManager.isManagedProfile(anyInt())).thenReturn(true); ++ ++ try { ++ assertNull(mContentResolver.insert(Telephony.Mms.CONTENT_URI, null)); ++ } catch (Exception e) { ++ Log.d(TAG, "Error inserting mms: " + e); ++ } ++ } ++ ++ @Test ++ public void testQueryUsingManagedProfile() { ++ when(mUserManager.isManagedProfile(anyInt())).thenReturn(true); ++ ++ try (Cursor cursor = mContentResolver.query(Telephony.Mms.CONTENT_URI, ++ null, null, null, null)) { ++ assertEquals(0, cursor.getCount()); ++ } catch (Exception e) { ++ Log.d(TAG, "Exception in getting count: " + e); ++ } ++ } ++ ++ @Test ++ public void testUpdateUsingManagedProfile() { ++ when(mUserManager.isManagedProfile(anyInt())).thenReturn(true); ++ ++ try { ++ assertEquals(0, mContentResolver.update(Telephony.Mms.CONTENT_URI, null, null, null)); ++ } catch (Exception e) { ++ Log.d(TAG, "Exception in updating mms: " + e); ++ } ++ } ++ ++ @Test ++ public void testDeleteUsingManagedProfile() { ++ when(mUserManager.isManagedProfile(anyInt())).thenReturn(true); ++ ++ try { ++ assertEquals(0, mContentResolver.delete(Telephony.Mms.CONTENT_URI, null, null)); ++ } catch (Exception e) { ++ Log.d(TAG, "Exception in deleting mms: " + e); ++ } ++ } ++} +diff --git a/tests/src/com/android/providers/telephony/MmsProviderTestable.java b/tests/src/com/android/providers/telephony/MmsProviderTestable.java +new file mode 100644 +index 00000000..cea411be +--- /dev/null ++++ b/tests/src/com/android/providers/telephony/MmsProviderTestable.java +@@ -0,0 +1,77 @@ ++/* ++ * Copyright (C) 2023 The Android Open Source Project ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. 
++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++package com.android.providers.telephony; ++ ++import static com.android.providers.telephony.MmsSmsDatabaseHelper.CREATE_ADDR_TABLE_STR; ++import static com.android.providers.telephony.MmsSmsDatabaseHelper.CREATE_DRM_TABLE_STR; ++import static com.android.providers.telephony.MmsSmsDatabaseHelper.CREATE_PART_TABLE_STR; ++import static com.android.providers.telephony.MmsSmsDatabaseHelper.CREATE_PDU_TABLE_STR; ++import static com.android.providers.telephony.MmsSmsDatabaseHelper.CREATE_RATE_TABLE_STR; ++ ++import android.database.sqlite.SQLiteDatabase; ++import android.database.sqlite.SQLiteOpenHelper; ++import android.util.Log; ++ ++/** ++ * A subclass of MmsProvider used for testing on an in-memory database ++ */ ++public class MmsProviderTestable extends MmsProvider { ++ private static final String TAG = "MmsProviderTestable"; ++ ++ @Override ++ public boolean onCreate() { ++ Log.d(TAG, "onCreate called: mDbHelper = new InMemoryMmsProviderDbHelper()"); ++ mOpenHelper = new InMemoryMmsProviderDbHelper(); ++ return true; ++ } ++ ++ // close mDbHelper database object ++ protected void closeDatabase() { ++ mOpenHelper.close(); ++ } ++ ++ /** ++ * An in memory DB for MmsProviderTestable to use ++ */ ++ public static class InMemoryMmsProviderDbHelper extends SQLiteOpenHelper { ++ ++ ++ public InMemoryMmsProviderDbHelper() { ++ super(null, // no context is needed for in-memory db ++ null, // db file name is null for in-memory db ++ null, // CursorFactory is null by default ++ 1); // db version is no-op for tests ++ Log.d(TAG, 
"InMemoryMmsProviderDbHelper creating in-memory database"); ++ } ++ ++ @Override ++ public void onCreate(SQLiteDatabase db) { ++ // Set up the mms tables ++ Log.d(TAG, "InMemoryMmsProviderDbHelper onCreate creating the mms tables"); ++ db.execSQL(CREATE_PDU_TABLE_STR); ++ db.execSQL(CREATE_ADDR_TABLE_STR); ++ db.execSQL(CREATE_PART_TABLE_STR); ++ db.execSQL(CREATE_RATE_TABLE_STR); ++ db.execSQL(CREATE_DRM_TABLE_STR); ++ } ++ ++ @Override ++ public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) { ++ Log.d(TAG, "InMemorySmsProviderDbHelper onUpgrade doing nothing"); ++ } ++ } ++} +diff --git a/tests/src/com/android/providers/telephony/SmsProviderTest.java b/tests/src/com/android/providers/telephony/SmsProviderTest.java +index ba632039..13d9ae98 100644 +--- a/tests/src/com/android/providers/telephony/SmsProviderTest.java ++++ b/tests/src/com/android/providers/telephony/SmsProviderTest.java +@@ -16,6 +16,10 @@ + + package com.android.providers.telephony; + ++ ++import static org.mockito.ArgumentMatchers.anyInt; ++import static org.mockito.Mockito.when; ++ + import android.app.AppOpsManager; + import android.content.ContentResolver; + import android.content.ContentValues; +@@ -26,6 +30,7 @@ import android.content.res.Resources; + import android.database.ContentObserver; + import android.database.Cursor; + import android.net.Uri; ++import android.os.UserManager; + import android.provider.Telephony; + import android.telephony.TelephonyManager; + import android.test.mock.MockContentResolver; +@@ -57,6 +62,7 @@ public class SmsProviderTest extends TestCase { + private MockContextWithProvider mContext; + private MockContentResolver mContentResolver; + private SmsProviderTestable mSmsProviderTestable; ++ private UserManager mUserManager; + + private int notifyChangeCount; + +@@ -115,6 +121,8 @@ public class SmsProviderTest extends TestCase { + return Mockito.mock(AppOpsManager.class); + case Context.TELEPHONY_SERVICE: + return 
Mockito.mock(TelephonyManager.class); ++ case Context.USER_SERVICE: ++ return mUserManager; + default: + return null; + } +@@ -148,6 +156,8 @@ public class SmsProviderTest extends TestCase { + mSmsProviderTestable = new SmsProviderTestable(); + mContext = new MockContextWithProvider(mSmsProviderTestable); + mContentResolver = mContext.getContentResolver(); ++ mUserManager = Mockito.mock(UserManager.class); ++ + notifyChangeCount = 0; + } + +@@ -254,6 +264,51 @@ public class SmsProviderTest extends TestCase { + cursor.close(); + } + ++ @Test ++ public void testInsertUsingManagedProfile() { ++ when(mUserManager.isManagedProfile(anyInt())).thenReturn(true); ++ ++ try { ++ assertNull(mContentResolver.insert(Telephony.Sms.CONTENT_URI, null)); ++ } catch (Exception e) { ++ Log.d(TAG, "Error inserting sms: " + e); ++ } ++ } ++ ++ @Test ++ public void testQueryUsingManagedProfile() { ++ when(mUserManager.isManagedProfile(anyInt())).thenReturn(true); ++ ++ try (Cursor cursor = mContentResolver.query(Telephony.Sms.CONTENT_URI, ++ null, null, null, null)) { ++ assertEquals(0, cursor.getCount()); ++ } catch (Exception e) { ++ Log.d(TAG, "Exception in getting count: " + e); ++ } ++ } ++ ++ @Test ++ public void testUpdateUsingManagedProfile() { ++ when(mUserManager.isManagedProfile(anyInt())).thenReturn(true); ++ ++ try { ++ assertEquals(0, mContentResolver.update(Telephony.Sms.CONTENT_URI, null, null, null)); ++ } catch (Exception e) { ++ Log.d(TAG, "Exception in updating sms: " + e); ++ } ++ } ++ ++ @Test ++ public void testDeleteUsingManagedProfile() { ++ when(mUserManager.isManagedProfile(anyInt())).thenReturn(true); ++ ++ try { ++ assertEquals(0, mContentResolver.delete(Telephony.Sms.CONTENT_URI, null, null)); ++ } catch (Exception e) { ++ Log.d(TAG, "Exception in deleting sms: " + e); ++ } ++ } ++ + private ContentValues getFakeRawValue() { + ContentValues values = new ContentValues(); + values.put("pdu", mFakePdu); 
diff --git a/Patches/LineageOS-16.0/android_packages_services_BuiltInPrintService/374919.patch b/Patches/LineageOS-16.0/android_packages_services_BuiltInPrintService/374919.patch
new file mode 100644
index 00000000..d3018a0c
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_packages_services_BuiltInPrintService/374919.patch
@@ -0,0 +1,122 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Glade Diviney
+Date: Sun, 22 Nov 2020 17:42:27 -0800
+Subject: [PATCH] Adjust APIs for CUPS 2.3.3
+
+Bug: 168903843
+Test: Build the code, flash the device and run fuzzer
+Test: Perform a print job
+Signed-off-by: Glade Diviney
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:78aedf410610768bdfd8f6c87a704e82a4fd1526)
+Merged-In: I0000b0950bf38e0b09e47a4bdf970b0e2b2684d1
+Change-Id: I0000b0950bf38e0b09e47a4bdf970b0e2b2684d1
+---
+ jni/include/lib_wprint.h | 2 ++
+ jni/ipphelper/ipp_print.c | 15 ++++++++-------
+ jni/ipphelper/ipphelper.c | 14 ++++++++------
+ 3 files changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/jni/include/lib_wprint.h b/jni/include/lib_wprint.h
+index 0d2fd12..57cf9f3 100644
+--- a/jni/include/lib_wprint.h
++++ b/jni/include/lib_wprint.h
+@@ -53,6 +53,8 @@
+ #define MAX_ID_STRING_LENGTH (64)
+ #define MAX_NAME_LENGTH (255)
+
++#define HTTP_TIMEOUT_MILLIS 30000
+
+ #ifdef __cplusplus
+ extern "C"
+ {
+diff --git a/jni/ipphelper/ipp_print.c b/jni/ipphelper/ipp_print.c
+index 36b7015..8ea4a20 100644
+--- a/jni/ipphelper/ipp_print.c
++++ b/jni/ipphelper/ipp_print.c
+@@ -98,17 +98,20 @@ static status_t _init(const ifc_print_job_t *this_p, const char *printer_address
+ ipp_scheme = (use_secure_uri) ? 
IPPS_PREFIX : IPP_PREFIX;
+
+ httpAssembleURIf(HTTP_URI_CODING_ALL, ipp_job->printer_uri, sizeof(ipp_job->printer_uri),
+- ipp_scheme, NULL, printer_address, ippPortNumber, printer_uri);
++ ipp_scheme, NULL, printer_address, ippPortNumber, "%s", printer_uri);
+ getResourceFromURI(ipp_job->printer_uri, ipp_job->http_resource, 1024);
+ if (use_secure_uri) {
+- ipp_job->http = httpConnectEncrypt(printer_address, ippPortNumber, HTTP_ENCRYPTION_ALWAYS);
++ ipp_job->http = httpConnect2(printer_address, ippPortNumber, NULL, AF_UNSPEC,
++ HTTP_ENCRYPTION_ALWAYS, 1, HTTP_TIMEOUT_MILLIS, NULL);
+
+ // If ALWAYS doesn't work, fall back to REQUIRED
+ if (ipp_job->http == NULL) {
+- ipp_job->http = httpConnectEncrypt(printer_address, ippPortNumber, HTTP_ENCRYPT_REQUIRED);
++ ipp_job->http = httpConnect2(printer_address, ippPortNumber, NULL, AF_UNSPEC,
++ HTTP_ENCRYPTION_REQUIRED, 1, HTTP_TIMEOUT_MILLIS, NULL);
+ }
+ } else {
+- ipp_job->http = httpConnectEncrypt(printer_address, ippPortNumber, HTTP_ENCRYPTION_IF_REQUESTED);
++ ipp_job->http = httpConnect2(printer_address, ippPortNumber, NULL, AF_UNSPEC,
++ HTTP_ENCRYPTION_IF_REQUESTED, 1, HTTP_TIMEOUT_MILLIS, NULL);
+ }
+
+ httpSetTimeout(ipp_job->http, DEFAULT_IPP_TIMEOUT, NULL, 0);
+@@ -514,8 +517,6 @@ static status_t _start_job(const ifc_print_job_t *this_p, const wprint_job_param
+ ippDelete(request);
+ continue;
+ }
+-
+- _cupsSetHTTPError(ipp_job->status);
+ }
+ ippDelete(request);
+ LOGI("_start_job httpPrint fd %d status %d ipp_status %d", ipp_job->http->fd,
+@@ -615,4 +616,4 @@ static status_t _end_job(const ifc_print_job_t *this_p) {
+ LOGD("_end_job: exit status %d job_id %d", ipp_job->status, job_id);
+
+ return result;
+-}
+\ No newline at end of file
++}
+diff --git a/jni/ipphelper/ipphelper.c b/jni/ipphelper/ipphelper.c
+index d9803e7..cd71725 100644
+--- a/jni/ipphelper/ipphelper.c
++++ b/jni/ipphelper/ipphelper.c
+@@ -1209,19 +1209,22 @@ http_t *ipp_cups_connect(const wprint_connect_info_t *connect_info, char 
*printe
+ int ippPortNumber = ((connect_info->port_num == IPP_PORT) ? ippPort() : connect_info->port_num);
+
+ if (strstr(connect_info->uri_scheme,IPPS_PREFIX) != NULL) {
+- curl_http = httpConnectEncrypt(connect_info->printer_addr, ippPortNumber, HTTP_ENCRYPTION_ALWAYS);
++ curl_http = httpConnect2(connect_info->printer_addr, ippPortNumber, NULL, AF_UNSPEC,
++ HTTP_ENCRYPTION_ALWAYS, 1, HTTP_TIMEOUT_MILLIS, NULL);
+
+ // If ALWAYS doesn't work, fall back to REQUIRED
+ if (curl_http == NULL) {
+- curl_http = httpConnectEncrypt(connect_info->printer_addr, ippPortNumber, HTTP_ENCRYPT_REQUIRED);
++ curl_http = httpConnect2(connect_info->printer_addr, ippPortNumber, NULL, AF_UNSPEC,
++ HTTP_ENCRYPTION_REQUIRED, 1, HTTP_TIMEOUT_MILLIS, NULL);
+ }
+ } else {
+- curl_http = httpConnectEncrypt(connect_info->printer_addr, ippPortNumber, HTTP_ENCRYPTION_IF_REQUESTED);
++ curl_http = httpConnect2(connect_info->printer_addr, ippPortNumber, NULL, AF_UNSPEC,
++ HTTP_ENCRYPTION_IF_REQUESTED, 1, HTTP_TIMEOUT_MILLIS, NULL);
+ }
+
+ httpSetTimeout(curl_http, (double)connect_info->timeout / 1000, NULL, 0);
+ httpAssembleURIf(HTTP_URI_CODING_ALL, printer_uri, uriLength, connect_info->uri_scheme, NULL,
+- connect_info->printer_addr, ippPortNumber, uri_path);
++ connect_info->printer_addr, ippPortNumber, "%s", uri_path);
+
+ if (curl_http == NULL) {
+ LOGD("ipp_cups_connect failed addr=%s port=%d", connect_info->printer_addr, ippPortNumber);
+@@ -1253,7 +1256,6 @@ static ipp_t *ippSendRequest(http_t *http, ipp_t *request, char *resource) {
+ LOGD("ippSendRequest: (Continue with NULL response) Retry");
+ retry = true;
+ } else if (result == HTTP_ERROR || result >= HTTP_BAD_REQUEST) {
+- _cupsSetHTTPError(result);
+ break;
+ }
+
+@@ -1356,4 +1358,4 @@ ipp_t *ipp_doCupsRequest(http_t *http, ipp_t *request, char *http_resource, char
+ } while (1);
+
+ return response;
+-}
+\ No newline at end of file
++}
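Review bot: In `ippSendRequest` (ipphelper.c, `@@ -1253,7 +1256,6 @@`) the branch for `result == HTTP_ERROR || result >= HTTP_BAD_REQUEST` now only does `break;`, so with `_cupsSetHTTPError(result)` gone nothing visible in the hunk records why the request was abandoned; a line such as `LOGD("ippSendRequest: HTTP error %d", result);` before the `break` would keep the failure diagnosable, and the same may apply to the call removed from `_start_job` in ipp_print.c. The new `HTTP_TIMEOUT_MILLIS` is defined as a bare `30000` next to the parenthesised `(64)` and `(255)`; `#define HTTP_TIMEOUT_MILLIS (30000)` would match them. The literal `1` passed as the blocking argument of each `httpConnect2` call deserves a short comment, since it presumably lets a connect attempt to an unresponsive printer hold the caller for the whole timeout. All of the touched functions continue outside their hunks.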
diff --git a/Patches/LineageOS-16.0/android_packages_services_Telecomm/330959.patch b/Patches/LineageOS-16.0/android_packages_services_Telecomm/330959.patch
new file mode 100644
index 00000000..bd996ebb
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_packages_services_Telecomm/330959.patch
@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tyler Gunn
+Date: Mon, 7 Mar 2022 09:32:42 -0800
+Subject: [PATCH] Handle null bindings returned from ConnectionService.
+
+When a ConnectionService returns a null binding, immediately unbind from
+the ConnectionService and cancel any ongoing calls related to it.
+
+Bug: 211114016
+Test: Added new CTS test to verify auto unbind from null binding ConnectionService.
+Test: Manually tested using test app which implements null binding ConnectionService and verified via telecom log inspection that the service is unbound and the call is terminated.
+Change-Id: I0757557e66725dddfd871cd9857071a8749bd7ba
+(cherry picked from commit 410ce026004bb485c39afcc7d86e89d26ff1af94)
+Merged-In: I0757557e66725dddfd871cd9857071a8749bd7ba
+---
+ .../android/server/telecom/ServiceBinder.java | 25 ++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/server/telecom/ServiceBinder.java b/src/com/android/server/telecom/ServiceBinder.java
+index f15570b44..7866fa01f 100644
+--- a/src/com/android/server/telecom/ServiceBinder.java
++++ b/src/com/android/server/telecom/ServiceBinder.java
+@@ -146,7 +146,6 @@ abstract class ServiceBinder {
+ Log.i(this, "Service bound %s", componentName);
+
+ Log.addEvent(mCall, LogUtils.Events.CS_BOUND, componentName);
+- mCall = null;
+
+ // Unbind request was queued so unbind immediately.
+ if (mIsBindingAborted) {
+@@ -188,6 +187,30 @@ abstract class ServiceBinder {
+ Log.endSession();
+ }
+ }
++
++ /**
++ * Handles the case where the {@link ConnectionService} we bound to returned a null binding.
++ * We want to unbind from the service and cleanup and call resources at this time.
++ * @param componentName The component of the {@link ConnectionService}.
++ */
++ @Override
++ public void onNullBinding(ComponentName componentName) {
++ try {
++ Log.startSession("SBC.oNB");
++ synchronized (mLock) {
++ Log.w(this, "Null binding %s", componentName);
++ Log.addEvent(mCall, "NULL_BINDING", componentName);
++ String componentStr = componentName == null ? "null" : componentName.toString();
++ android.util.EventLog.writeEvent(0x534e4554, "211114016", -1, componentStr);
++ logServiceDisconnected("onNullBinding");
++ mContext.unbindService(this);
++ clearAbort();
++ handleFailedConnection();
++ }
++ } finally {
++ Log.endSession();
++ }
++ }
+ }
+
+ private void handleDisconnect() {
diff --git a/Patches/LineageOS-16.0/android_packages_services_Telecomm/332764.patch b/Patches/LineageOS-16.0/android_packages_services_Telecomm/332764.patch
new file mode 100644
index 00000000..b2a48db4
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_packages_services_Telecomm/332764.patch
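Review bot: The `android.util.EventLog.writeEvent(0x534e4554, "211114016", -1, componentStr)` call in `onNullBinding` uses a bare magic tag and a bare `-1` in the uid position; a comment such as `// 0x534e4554 ("SNET") is the SafetyNet event tag; the string is the bug id, -1 means no uid` would tell whoever triages these events what they are looking at. `Log.addEvent(mCall, "NULL_BINDING", componentName)` passes a string literal where `onServiceConnected` passes `LogUtils.Events.CS_BOUND`, so a named constant would be consistent. The first hunk also drops `mCall = null;` and nothing visible here clears the field after `handleFailedConnection()`, so it is worth confirming that it is reset elsewhere. The Javadoc reads "cleanup and call resources", which presumably should be `clean up any call resources`. The enclosing class starts and ends outside the hunks.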
@@ -0,0 +1,64 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Sat, 15 Jan 2022 01:15:29 +0000 +Subject: [PATCH] limit TelecomManager#registerPhoneAccount to 10 + +bug: 209814693 +Bug: 217934478 +Test: CTS +Change-Id: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af +Merged-In: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af +(cherry picked from commit eb3394e3a8e21cd07c4f7a7ad43494ba14a8cbf4) +Merged-In: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af +--- + .../server/telecom/PhoneAccountRegistrar.java | 23 +++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/src/com/android/server/telecom/PhoneAccountRegistrar.java b/src/com/android/server/telecom/PhoneAccountRegistrar.java +index d84fca5f1..b94e5b85a 100644 +--- a/src/com/android/server/telecom/PhoneAccountRegistrar.java ++++ b/src/com/android/server/telecom/PhoneAccountRegistrar.java +@@ -138,6 +138,7 @@ public class PhoneAccountRegistrar { + private static final String FILE_NAME = "phone-account-registrar-state.xml"; + @VisibleForTesting + public static final int EXPECTED_STATE_VERSION = 9; ++ public static final int MAX_PHONE_ACCOUNT_REGISTRATIONS = 10; + + /** Keep in sync with the same in SipSettings.java */ + private static final String SIP_SHARED_PREFERENCES = "SIP_PREFERENCES"; +@@ -650,8 +651,13 @@ public class PhoneAccountRegistrar { + return getPhoneAccountHandles(0, null, packageName, false, userHandle); + } + +- // TODO: Should we implement an artificial limit for # of accounts associated with a single +- // ComponentName? ++ /** ++ * Performs checks before calling addOrReplacePhoneAccount(PhoneAccount) ++ * ++ * @param account The {@code PhoneAccount} to add or replace. 
++ * @throws SecurityException if package does not have BIND_TELECOM_CONNECTION_SERVICE permission ++ * @throws IllegalArgumentException if MAX_PHONE_ACCOUNT_REGISTRATIONS are reached ++ */ + public void registerPhoneAccount(PhoneAccount account) { + // Enforce the requirement that a connection service for a phone account has the correct + // permission. +@@ -662,6 +668,19 @@ public class PhoneAccountRegistrar { + throw new SecurityException("PhoneAccount connection service requires " + + "BIND_TELECOM_CONNECTION_SERVICE permission."); + } ++ //Enforce an upper bound on the number of PhoneAccount's a package can register. ++ // Most apps should only require 1-2. ++ if (getPhoneAccountsForPackage( ++ account.getAccountHandle().getComponentName().getPackageName(), ++ account.getAccountHandle().getUserHandle()).size() ++ >= MAX_PHONE_ACCOUNT_REGISTRATIONS) { ++ Log.w(this, "Phone account %s reached max registration limit for package", ++ account.getAccountHandle()); ++ throw new IllegalArgumentException( ++ "Error, cannot register phone account " + account.getAccountHandle() ++ + " because the limit, " + MAX_PHONE_ACCOUNT_REGISTRATIONS ++ + ", has been reached"); ++ } + + addOrReplacePhoneAccount(account); + } diff --git a/Patches/LineageOS-16.0/android_packages_services_Telecomm/344183.patch b/Patches/LineageOS-16.0/android_packages_services_Telecomm/344183.patch new file mode 100644 index 00000000..c6e47b84 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_services_Telecomm/344183.patch 
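Review bot: The new bound in `registerPhoneAccount` compares the package's account count with `MAX_PHONE_ACCOUNT_REGISTRATIONS` before `addOrReplacePhoneAccount(account)` without checking whether `account` replaces a handle that is already registered. If the count includes the account being replaced (the body of `getPhoneAccountsForPackage` is not fully visible, so this is inferred), a package that already holds 10 accounts can no longer update any of them. Consider putting `getPhoneAccountUnchecked(account.getAccountHandle()) == null &&` in front of the size comparison so that only new registrations are bounded; `enforceMaxPhoneAccountLimit` in 356150.patch carries the same comparison. Separately, the context line just above `registerPhoneAccount` passes `false` in the position that 356150.patch labels `includeDisabled`, so if that line is the lookup used here, this patch on its own does not count disabled accounts and should not ship without the later one.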
@@ -0,0 +1,248 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Thu, 23 Jun 2022 14:20:30 -0700 +Subject: [PATCH] switch TelecomManager List getters to ParceledListSlice + +It was shown that given a large phoneAccountHandles that are +over 1 mb, a TransactionTooLarge exception can be silently thrown +causing an empty list to be returned. + +In order to prevent this behavior, all Lists that return a +PhoneAccountHandle or PhoneAccount have been switched to +ParceledListSlice. + +bug: 236263294 +Test: atest android.telecom.cts.PhoneAccountRegistrarTest + #testRegisterPhoneAccountHandleWithFieldOverLimit +Change-Id: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015 +Merged-In: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015 +(cherry picked from commit 960147d4bba558c87a26df6f0328df637a30479b) +Merged-In: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015 +--- + .../server/telecom/TelecomServiceImpl.java | 51 +++++++++++-------- + .../telecom/tests/TelecomServiceImplTest.java | 21 +++++--- + 2 files changed, 43 insertions(+), 29 deletions(-) + +diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java +index 0db17643b..8c28a7b6f 100644 +--- a/src/com/android/server/telecom/TelecomServiceImpl.java ++++ b/src/com/android/server/telecom/TelecomServiceImpl.java +@@ -34,6 +34,8 @@ import android.content.Intent; + import android.content.pm.ApplicationInfo; + import android.content.pm.PackageManager; + import android.content.res.Resources; ++import android.content.pm.ParceledListSlice; ++import android.content.pm.ResolveInfo; + import android.net.Uri; + import android.os.Binder; + import android.os.Bundle; +@@ -150,19 +152,20 @@ public class TelecomServiceImpl { + } + + @Override +- public List getCallCapablePhoneAccounts( ++ public ParceledListSlice getCallCapablePhoneAccounts( + boolean includeDisabledAccounts, String callingPackage) { + try { + Log.startSession("TSI.gCCPA"); + 
if (!canReadPhoneState(callingPackage, "getDefaultOutgoingPhoneAccount")) { +- return Collections.emptyList(); ++ return ParceledListSlice.emptyList(); + } + synchronized (mLock) { + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { +- return mPhoneAccountRegistrar.getCallCapablePhoneAccounts(null, +- includeDisabledAccounts, callingUserHandle); ++ return new ParceledListSlice<>( ++ mPhoneAccountRegistrar.getCallCapablePhoneAccounts(null, ++ includeDisabledAccounts, callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getCallCapablePhoneAccounts"); + throw e; +@@ -176,7 +179,8 @@ public class TelecomServiceImpl { + } + + @Override +- public List getSelfManagedPhoneAccounts(String callingPackage) { ++ public ParceledListSlice getSelfManagedPhoneAccounts( ++ String callingPackage) { + try { + Log.startSession("TSI.gSMPA"); + if (!canReadPhoneState(callingPackage, "Requires READ_PHONE_STATE permission.")) { +@@ -186,8 +190,8 @@ public class TelecomServiceImpl { + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { +- return mPhoneAccountRegistrar.getSelfManagedPhoneAccounts( +- callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getSelfManagedPhoneAccounts(callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getSelfManagedPhoneAccounts"); + throw e; +@@ -200,10 +204,11 @@ public class TelecomServiceImpl { + } + } + ++ + @Override +- public List getPhoneAccountsSupportingScheme(String uriScheme, +- String callingPackage) { +- try { ++ public ParceledListSlice getPhoneAccountsSupportingScheme( ++ String uriScheme, String callingPackage) { ++ try { + Log.startSession("TSI.gPASS"); + try { + enforceModifyPermission( +@@ -211,15 +216,16 @@ public class TelecomServiceImpl { + } catch (SecurityException e) { + EventLog.writeEvent(0x534e4554, "62347125", Binder.getCallingUid(), + 
"getPhoneAccountsSupportingScheme: " + callingPackage); +- return Collections.emptyList(); ++ return ParceledListSlice.emptyList(); + } + + synchronized (mLock) { + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { +- return mPhoneAccountRegistrar.getCallCapablePhoneAccounts(uriScheme, false, +- callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getCallCapablePhoneAccounts(uriScheme, false, ++ callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getPhoneAccountsSupportingScheme %s", uriScheme); + throw e; +@@ -233,7 +239,8 @@ public class TelecomServiceImpl { + } + + @Override +- public List getPhoneAccountsForPackage(String packageName) { ++ public ParceledListSlice getPhoneAccountsForPackage( ++ String packageName) { + //TODO: Deprecate this in S + try { + enforceCallingPackage(packageName); +@@ -256,8 +263,8 @@ public class TelecomServiceImpl { + long token = Binder.clearCallingIdentity(); + try { + Log.startSession("TSI.gPAFP"); +- return mPhoneAccountRegistrar.getPhoneAccountsForPackage(packageName, +- callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getPhoneAccountsForPackage(packageName, callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getPhoneAccountsForPackage %s", packageName); + throw e; +@@ -308,7 +315,7 @@ public class TelecomServiceImpl { + synchronized (mLock) { + try { + // This list is pre-filtered for the calling user. 
+- return getAllPhoneAccounts().size(); ++ return getAllPhoneAccounts().getList().size(); + } catch (Exception e) { + Log.e(this, e, "getAllPhoneAccountsCount"); + throw e; +@@ -321,7 +328,7 @@ public class TelecomServiceImpl { + } + + @Override +- public List getAllPhoneAccounts() { ++ public ParceledListSlice getAllPhoneAccounts() { + synchronized (mLock) { + try { + Log.startSession("TSI.gAPA"); +@@ -337,7 +344,8 @@ public class TelecomServiceImpl { + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { +- return mPhoneAccountRegistrar.getAllPhoneAccounts(callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getAllPhoneAccounts(callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getAllPhoneAccounts"); + throw e; +@@ -351,7 +359,7 @@ public class TelecomServiceImpl { + } + + @Override +- public List getAllPhoneAccountHandles() { ++ public ParceledListSlice getAllPhoneAccountHandles() { + try { + Log.startSession("TSI.gAPAH"); + try { +@@ -367,7 +375,8 @@ public class TelecomServiceImpl { + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { +- return mPhoneAccountRegistrar.getAllPhoneAccountHandles(callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getAllPhoneAccountHandles(callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getAllPhoneAccounts"); + throw e; +diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java +index cbca5e175..092227b47 100644 +--- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java ++++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java +@@ -299,9 +299,12 @@ public class TelecomServiceImplTest extends TelecomTestCase { + makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, 
SIP_PA_HANDLE_17); + + assertEquals(fullPHList, +- mTSIBinder.getCallCapablePhoneAccounts(true, DEFAULT_DIALER_PACKAGE)); +- assertEquals(smallPHList, +- mTSIBinder.getCallCapablePhoneAccounts(false, DEFAULT_DIALER_PACKAGE)); ++ mTSIBinder.getCallCapablePhoneAccounts( ++ true, DEFAULT_DIALER_PACKAGE).getList()); ++ ++ assertEquals(smallPHList, ++ mTSIBinder.getCallCapablePhoneAccounts( ++ false, DEFAULT_DIALER_PACKAGE).getList()); + } + + @SmallTest +@@ -316,7 +319,7 @@ public class TelecomServiceImplTest extends TelecomTestCase { + + List result = null; + try { +- result = mTSIBinder.getCallCapablePhoneAccounts(true, ""); ++ result = mTSIBinder.getCallCapablePhoneAccounts(true, "").getList(); + } catch (SecurityException e) { + // intended behavior + } +@@ -344,9 +347,11 @@ public class TelecomServiceImplTest extends TelecomTestCase { + makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17); + + assertEquals(telPHList, +- mTSIBinder.getPhoneAccountsSupportingScheme("tel", DEFAULT_DIALER_PACKAGE)); ++ mTSIBinder.getPhoneAccountsSupportingScheme( ++ "tel", DEFAULT_DIALER_PACKAGE).getList()); + assertEquals(sipPHList, +- mTSIBinder.getPhoneAccountsSupportingScheme("sip", DEFAULT_DIALER_PACKAGE)); ++ mTSIBinder.getPhoneAccountsSupportingScheme( ++ "sip", DEFAULT_DIALER_PACKAGE).getList()); + } + + @SmallTest +@@ -362,7 +367,7 @@ public class TelecomServiceImplTest extends TelecomTestCase { + makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17); + assertEquals(phoneAccountHandleList, + mTSIBinder.getPhoneAccountsForPackage( +- TEL_PA_HANDLE_16.getComponentName().getPackageName())); ++ TEL_PA_HANDLE_16.getComponentName().getPackageName()).getList()); + } + + @SmallTest +@@ -385,7 +390,7 @@ public class TelecomServiceImplTest extends TelecomTestCase { + when(mFakePhoneAccountRegistrar.getAllPhoneAccounts(any(UserHandle.class))) + .thenReturn(phoneAccountList); + +- assertEquals(2, mTSIBinder.getAllPhoneAccounts().size()); ++ assertEquals(2, 
mTSIBinder.getAllPhoneAccounts().getList().size()); + } + + @SmallTest diff --git a/Patches/LineageOS-16.0/android_packages_services_Telecomm/345913.patch b/Patches/LineageOS-16.0/android_packages_services_Telecomm/345913.patch new file mode 100644 index 00000000..ec91e2f8 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_services_Telecomm/345913.patch 
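Review bot: Every `@Override` getter changed in `TelecomServiceImpl.java` now returns `ParceledListSlice`, so this patch only builds and behaves correctly together with the matching change to the binder interface and its `TelecomManager` callers, which are not in this file and presumably come from a patch to another repository. That dependency is worth recording next to the patch so the two are never applied separately. The added `import android.content.pm.ResolveInfo;` is not used by any hunk shown here and looks like a leftover. The permission-denied branch of `getSelfManagedPhoneAccounts` falls between two hunks, so I could not check what it returns under the new signature.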
@@ -0,0 +1,54 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tyler Gunn +Date: Tue, 27 Sep 2022 15:19:05 -0700 +Subject: [PATCH] Hide overlay windows when showing phone account + enable/disable screen. + +Hide any system alert window overlays when the screen that lets the user +enable/disable phone accounts is shown. + +Test: Manual test with overlay shown from test app; verify that the overlay +is hidden when the phone account selection screen is opened. +Bug: 246933359 + +Change-Id: Ia0209d57ee9a672cde4196076845d77941dc3f68 +(cherry picked from commit a7d57ace5819c4eef340aaf6744ad441d0369035) +Merged-In: Ia0209d57ee9a672cde4196076845d77941dc3f68 +--- + AndroidManifest.xml | 2 ++ + .../telecom/settings/EnableAccountPreferenceActivity.java | 4 ++++ + 2 files changed, 6 insertions(+) + +diff --git a/AndroidManifest.xml b/AndroidManifest.xml +index ab18b8ef8..0794d06e5 100644 +--- a/AndroidManifest.xml ++++ b/AndroidManifest.xml +@@ -22,6 +22,8 @@ + + + ++ ++ + +diff --git a/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java b/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java +index 2367825b3..662e56f61 100644 +--- a/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java ++++ b/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java +@@ -25,11 +25,15 @@ import android.telecom.Log; + import android.telecom.PhoneAccountHandle; + import android.telecom.TelecomManager; + import android.view.MenuItem; ++import android.view.WindowManager; + + public class EnableAccountPreferenceActivity extends Activity { + @Override + public void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); ++ getWindow().addPrivateFlags( ++ android.view.WindowManager.LayoutParams ++ .PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); + + getFragmentManager().beginTransaction() + .replace(android.R.id.content, new EnableAccountPreferenceFragment()) 
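Review bot: The `onCreate` change in `EnableAccountPreferenceActivity` adds `import android.view.WindowManager;` but then spells the flag through the fully qualified `android.view.WindowManager.LayoutParams`, so one of the two is redundant; `getWindow().addPrivateFlags(WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);` reads better. The call also deserves a why-comment, for example `// Hide non-system overlays while the user enables or disables phone accounts (b/246933359)`. The two lines added to `AndroidManifest.xml` are blank in this rendering, so I could not confirm that they declare whatever permission the flag requires.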
diff --git a/Patches/LineageOS-16.0/android_packages_services_Telecomm/347042.patch b/Patches/LineageOS-16.0/android_packages_services_Telecomm/347042.patch
new file mode 100644
index 00000000..371a2b4a
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_packages_services_Telecomm/347042.patch
@@ -0,0 +1,61 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Grace Jia +Date: Thu, 22 Sep 2022 14:20:57 -0700 +Subject: [PATCH] Fix security vulnerability when register phone accounts. + +Currently if the registered self-managed phone account updated to a call +provider phone account, the enable state will be directly copied to the +updated one so that malicious app can perform call spoofing attack +without any permission requirements. Fix this by disallowing change a +self-managed phone account to a managed phone account. + +Bug: 246930197 +Test: CtsTelecomTestCases:SelfManagedConnectionSreviceTest +Change-Id: I8f7984cd491632b3219133044438b82ca4dec80e +Merged-In: I8f7984cd491632b3219133044438b82ca4dec80e +(cherry picked from commit 833dd8480adc773e36d388521a14fd8cd11d6a30) +Merged-In: I8f7984cd491632b3219133044438b82ca4dec80e +--- + .../server/telecom/PhoneAccountRegistrar.java | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/com/android/server/telecom/PhoneAccountRegistrar.java b/src/com/android/server/telecom/PhoneAccountRegistrar.java +index b94e5b85a..0864683be 100644 +--- a/src/com/android/server/telecom/PhoneAccountRegistrar.java ++++ b/src/com/android/server/telecom/PhoneAccountRegistrar.java +@@ -48,6 +48,7 @@ import android.telephony.TelephonyManager; + import android.text.TextUtils; + import android.util.AtomicFile; + import android.util.Base64; ++import android.util.EventLog; + import android.util.Xml; + + // TODO: Needed for move to system service: import com.android.internal.R; +@@ -702,6 +703,7 @@ public class PhoneAccountRegistrar { + + PhoneAccount oldAccount = getPhoneAccountUnchecked(account.getAccountHandle()); + if (oldAccount != null) { ++ enforceSelfManagedAccountUnmodified(account, oldAccount); + mState.accounts.remove(oldAccount); + isEnabled = oldAccount.isEnabled(); + Log.i(this, "Modify account: %s", getAccountDiffString(account, oldAccount)); +@@ -760,6 +762,19 @@ public 
class PhoneAccountRegistrar { + } + } + ++ private void enforceSelfManagedAccountUnmodified(PhoneAccount newAccount, ++ PhoneAccount oldAccount) { ++ if (oldAccount.hasCapabilities(PhoneAccount.CAPABILITY_SELF_MANAGED) && ++ (!newAccount.hasCapabilities(PhoneAccount.CAPABILITY_SELF_MANAGED))) { ++ EventLog.writeEvent(0x534e4554, "246930197"); ++ Log.w(this, "Self-managed phone account %s replaced by a non self-managed one", ++ newAccount.getAccountHandle()); ++ throw new IllegalArgumentException("Error, cannot change a self-managed " ++ + "phone account " + newAccount.getAccountHandle() ++ + " to other kinds of phone account"); ++ } ++ } ++ + /** + * Un-registers all phone accounts associated with a specified package. + * diff --git a/Patches/LineageOS-16.0/android_packages_services_Telecomm/356150.patch b/Patches/LineageOS-16.0/android_packages_services_Telecomm/356150.patch new file mode 100644 index 00000000..ca4f5052 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_services_Telecomm/356150.patch 
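Review bot: The added `enforceSelfManagedAccountUnmodified` logs `EventLog.writeEvent(0x534e4554, "246930197");` with no uid and no detail string, so the resulting event cannot be attributed to the app that attempted the change. Other SafetyNet events on this page pass both; here that would be `EventLog.writeEvent(0x534e4554, "246930197", Binder.getCallingUid(), "enforceSelfManagedAccountUnmodified");`, which also needs `import android.os.Binder;` because this patch does not add it. Whether the calling identity is still the registering app's at this point is not visible in the hunk and should be confirmed. The new private method has no Javadoc; a short one stating that it throws `IllegalArgumentException` when a self-managed account would be replaced by a non-self-managed one would match the neighbouring methods. The method that receives the new call starts and ends outside the hunk.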
@@ -0,0 +1,449 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Mon, 21 Nov 2022 17:36:52 -0800 +Subject: [PATCH] enforce stricter rules when registering phoneAccounts + +- include disable accounts when looking up accounts for a package to + check if the limit is reached (10) +- put a new limit of 10 supported schemes +- put a new limit of 256 characters per scheme +- put a new limit of 256 characters per address +- ensure the Icon can write to memory w/o an exception + +bug: 259064622 +bug: 256819769 +Test: cts + unit +Change-Id: I5eb2a127a44d5ec725d0ba39cb0ef478b12013de +Merged-In: I5eb2a127a44d5ec725d0ba39cb0ef478b12013de +(cherry picked from commit on googleplex-android-review.googlesource.com host: 56ef9e15506f71ae555a4535d5c0ac9bd3f587f1) +Merged-In: I5eb2a127a44d5ec725d0ba39cb0ef478b12013de +--- + .../server/telecom/PhoneAccountRegistrar.java | 185 ++++++++++++++++-- + .../server/telecom/TelecomServiceImpl.java | 4 +- + .../tests/PhoneAccountRegistrarTest.java | 101 ++++++++++ + .../telecom/tests/TelecomServiceImplTest.java | 2 +- + 4 files changed, 276 insertions(+), 16 deletions(-) + +diff --git a/src/com/android/server/telecom/PhoneAccountRegistrar.java b/src/com/android/server/telecom/PhoneAccountRegistrar.java +index 0864683be..a077e4a4b 100644 +--- a/src/com/android/server/telecom/PhoneAccountRegistrar.java ++++ b/src/com/android/server/telecom/PhoneAccountRegistrar.java +@@ -17,6 +17,7 @@ + package com.android.server.telecom; + + import android.Manifest; ++import android.annotation.NonNull; + import android.content.ComponentName; + import android.content.Context; + import android.content.Intent; +@@ -28,6 +29,7 @@ import android.graphics.Bitmap; + import android.graphics.BitmapFactory; + import android.graphics.drawable.Icon; + import android.net.Uri; ++import android.os.Binder; + import android.os.Bundle; + import android.os.AsyncTask; + import android.os.PersistableBundle; +@@ -137,9 +139,14 @@ 
public class PhoneAccountRegistrar { + } + + private static final String FILE_NAME = "phone-account-registrar-state.xml"; ++ public static final String ICON_ERROR_MSG = ++ "Icon cannot be written to memory. Try compressing or downsizing"; + @VisibleForTesting + public static final int EXPECTED_STATE_VERSION = 9; + public static final int MAX_PHONE_ACCOUNT_REGISTRATIONS = 10; ++ public static final int MAX_PHONE_ACCOUNT_EXTRAS_KEY_PAIR_LIMIT = 100; ++ public static final int MAX_PHONE_ACCOUNT_FIELD_CHAR_LIMIT = 256; ++ public static final int MAX_SCHEMES_PER_ACCOUNT = 10; + + /** Keep in sync with the same in SipSettings.java */ + private static final String SIP_SHARED_PREFERENCES = "SIP_PREFERENCES"; +@@ -652,12 +659,25 @@ public class PhoneAccountRegistrar { + return getPhoneAccountHandles(0, null, packageName, false, userHandle); + } + ++ ++ /** ++ * includes disabled, includes crossUserAccess ++ */ ++ public List getAllPhoneAccountHandlesForPackage(UserHandle userHandle, ++ String packageName) { ++ return getPhoneAccountHandles(0, null, packageName, true /* includeDisabled */, userHandle); ++ } ++ ++ + /** + * Performs checks before calling addOrReplacePhoneAccount(PhoneAccount) + * + * @param account The {@code PhoneAccount} to add or replace. 
+- * @throws SecurityException if package does not have BIND_TELECOM_CONNECTION_SERVICE permission ++ * @throws SecurityException if package does not have BIND_TELECOM_CONNECTION_SERVICE ++ * permission + * @throws IllegalArgumentException if MAX_PHONE_ACCOUNT_REGISTRATIONS are reached ++ * @throws IllegalArgumentException if MAX_PHONE_ACCOUNT_FIELD_CHAR_LIMIT is reached ++ * @throws IllegalArgumentException if writing the Icon to memory will cause an Exception + */ + public void registerPhoneAccount(PhoneAccount account) { + // Enforce the requirement that a connection service for a phone account has the correct +@@ -669,21 +689,155 @@ public class PhoneAccountRegistrar { + throw new SecurityException("PhoneAccount connection service requires " + + "BIND_TELECOM_CONNECTION_SERVICE permission."); + } +- //Enforce an upper bound on the number of PhoneAccount's a package can register. +- // Most apps should only require 1-2. +- if (getPhoneAccountsForPackage( +- account.getAccountHandle().getComponentName().getPackageName(), +- account.getAccountHandle().getUserHandle()).size() ++ enforceCharacterLimit(account); ++ enforceIconSizeLimit(account); ++ enforceMaxPhoneAccountLimit(account); ++ addOrReplacePhoneAccount(account); ++ } ++ ++ /** ++ * Enforce an upper bound on the number of PhoneAccount's a package can register. ++ * Most apps should only require 1-2. * Include disabled accounts. 
++ * ++ * @param account to enforce check on ++ * @throws IllegalArgumentException if MAX_PHONE_ACCOUNT_REGISTRATIONS are reached ++ */ ++ private void enforceMaxPhoneAccountLimit(@NonNull PhoneAccount account) { ++ final PhoneAccountHandle accountHandle = account.getAccountHandle(); ++ final UserHandle user = accountHandle.getUserHandle(); ++ final ComponentName componentName = accountHandle.getComponentName(); ++ ++ if (getPhoneAccountHandles(0, null, componentName.getPackageName(), ++ true /* includeDisabled */, user).size() + >= MAX_PHONE_ACCOUNT_REGISTRATIONS) { +- Log.w(this, "Phone account %s reached max registration limit for package", +- account.getAccountHandle()); ++ EventLog.writeEvent(0x534e4554, "259064622", Binder.getCallingUid(), ++ "enforceMaxPhoneAccountLimit"); + throw new IllegalArgumentException( + "Error, cannot register phone account " + account.getAccountHandle() + + " because the limit, " + MAX_PHONE_ACCOUNT_REGISTRATIONS + + ", has been reached"); + } ++ } ++ /** ++ * determine if there will be an issue writing the icon to memory ++ * ++ * @param account to enforce check on ++ * @throws IllegalArgumentException if writing the Icon to memory will cause an Exception ++ */ ++ @VisibleForTesting ++ public void enforceIconSizeLimit(PhoneAccount account) { ++ if (account.getIcon() == null) { ++ return; ++ } ++ String text = ""; ++ // convert the icon into a Base64 String ++ try { ++ text = XmlSerialization.writeIconToBase64String(account.getIcon()); ++ } catch (IOException e) { ++ EventLog.writeEvent(0x534e4554, "259064622", Binder.getCallingUid(), ++ "enforceIconSizeLimit"); ++ throw new IllegalArgumentException(ICON_ERROR_MSG); ++ } ++ } + +- addOrReplacePhoneAccount(account); ++ /** ++ * All {@link PhoneAccount} and{@link PhoneAccountHandle} String and Char-Sequence fields ++ * should be restricted to character limit of MAX_PHONE_ACCOUNT_CHAR_LIMIT to prevent exceptions ++ * when writing large character streams to XML-Serializer. 
++ * ++ * @param account to enforce character limit checks on ++ * @throws IllegalArgumentException if MAX_PHONE_ACCOUNT_FIELD_CHAR_LIMIT reached ++ */ ++ public void enforceCharacterLimit(PhoneAccount account) { ++ if (account == null) { ++ return; ++ } ++ PhoneAccountHandle handle = account.getAccountHandle(); ++ ++ String[] fields = ++ {"Package Name", "Class Name", "PhoneAccountHandle Id", "Label", "ShortDescription", ++ "GroupId", "Address", "SubscriptionAddress"}; ++ CharSequence[] args = {handle.getComponentName().getPackageName(), ++ handle.getComponentName().getClassName(), handle.getId(), account.getLabel(), ++ account.getShortDescription(), account.getGroupId(), ++ (account.getAddress() != null ? account.getAddress().toString() : ""), ++ (account.getSubscriptionAddress() != null ? ++ account.getSubscriptionAddress().toString() : "")}; ++ ++ for (int i = 0; i < fields.length; i++) { ++ if (args[i] != null && args[i].length() > MAX_PHONE_ACCOUNT_FIELD_CHAR_LIMIT) { ++ EventLog.writeEvent(0x534e4554, "259064622", Binder.getCallingUid(), ++ "enforceCharacterLimit"); ++ throw new IllegalArgumentException("The PhoneAccount or PhoneAccountHandle" ++ + fields[i] + " field has an invalid character count. 
PhoneAccount and " ++ + "PhoneAccountHandle String and Char-Sequence fields are limited to " ++ + MAX_PHONE_ACCOUNT_FIELD_CHAR_LIMIT + " characters."); ++ } ++ } ++ ++ // Enforce limits on the URI Schemes provided ++ enforceLimitsOnSchemes(account); ++ ++ // Enforce limit on the PhoneAccount#mExtras ++ Bundle extras = account.getExtras(); ++ if (extras != null) { ++ if (extras.keySet().size() > MAX_PHONE_ACCOUNT_EXTRAS_KEY_PAIR_LIMIT) { ++ EventLog.writeEvent(0x534e4554, "259064622", Binder.getCallingUid(), ++ "enforceCharacterLimit"); ++ throw new IllegalArgumentException("The PhoneAccount#mExtras is limited to " + ++ MAX_PHONE_ACCOUNT_EXTRAS_KEY_PAIR_LIMIT + " (key,value) pairs."); ++ } ++ ++ for (String key : extras.keySet()) { ++ Object value = extras.get(key); ++ ++ if ((key != null && key.length() > MAX_PHONE_ACCOUNT_FIELD_CHAR_LIMIT) || ++ (value instanceof String && ++ ((String) value).length() > MAX_PHONE_ACCOUNT_FIELD_CHAR_LIMIT)) { ++ EventLog.writeEvent(0x534e4554, "259064622", Binder.getCallingUid(), ++ "enforceCharacterLimit"); ++ throw new IllegalArgumentException("The PhoneAccount#mExtras contains a String" ++ + " key or value that has an invalid character count. PhoneAccount and " ++ + "PhoneAccountHandle String and Char-Sequence fields are limited to " ++ + MAX_PHONE_ACCOUNT_FIELD_CHAR_LIMIT + " characters."); ++ } ++ } ++ } ++ } ++ ++ /** ++ * Enforce a character limit on all PA and PAH string or char-sequence fields. 
++ * ++ * @param account to enforce check on ++ * @throws IllegalArgumentException if MAX_PHONE_ACCOUNT_FIELD_CHAR_LIMIT reached ++ */ ++ @VisibleForTesting ++ public void enforceLimitsOnSchemes(@NonNull PhoneAccount account) { ++ List schemes = account.getSupportedUriSchemes(); ++ ++ if (schemes == null) { ++ return; ++ } ++ ++ if (schemes.size() > MAX_SCHEMES_PER_ACCOUNT) { ++ EventLog.writeEvent(0x534e4554, "259064622", Binder.getCallingUid(), ++ "enforceLimitsOnSchemes"); ++ throw new IllegalArgumentException( ++ "Error, cannot register phone account " + account.getAccountHandle() ++ + " because the URI scheme limit of " ++ + MAX_SCHEMES_PER_ACCOUNT + " has been reached"); ++ } ++ ++ for (String scheme : schemes) { ++ if (scheme.length() > MAX_PHONE_ACCOUNT_FIELD_CHAR_LIMIT) { ++ EventLog.writeEvent(0x534e4554, "259064622", Binder.getCallingUid(), ++ "enforceLimitsOnSchemes"); ++ throw new IllegalArgumentException( ++ "Error, cannot register phone account " + account.getAccountHandle() ++ + " because the max scheme limit of " ++ + MAX_PHONE_ACCOUNT_FIELD_CHAR_LIMIT + " has been reached"); ++ } ++ } + } + + /** +@@ -1396,17 +1550,20 @@ public class PhoneAccountRegistrar { + protected void writeIconIfNonNull(String tagName, Icon value, XmlSerializer serializer) + throws IOException { + if (value != null) { +- ByteArrayOutputStream stream = new ByteArrayOutputStream(); +- value.writeToStream(stream); +- byte[] iconByteArray = stream.toByteArray(); +- String text = Base64.encodeToString(iconByteArray, 0, iconByteArray.length, 0); +- ++ String text = writeIconToBase64String(value); + serializer.startTag(null, tagName); + serializer.text(text); + serializer.endTag(null, tagName); + } + } + ++ public static String writeIconToBase64String(Icon icon) throws IOException { ++ ByteArrayOutputStream stream = new ByteArrayOutputStream(); ++ icon.writeToStream(stream); ++ byte[] iconByteArray = stream.toByteArray(); ++ return Base64.encodeToString(iconByteArray, 0, 
iconByteArray.length, 0); ++ } ++ + protected void writeLong(String tagName, long value, XmlSerializer serializer) + throws IOException { + serializer.startTag(null, tagName); +diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java +index 8c28a7b6f..74a7d840b 100644 +--- a/src/com/android/server/telecom/TelecomServiceImpl.java ++++ b/src/com/android/server/telecom/TelecomServiceImpl.java +@@ -60,7 +60,9 @@ import com.android.server.telecom.settings.BlockedNumbersActivity; + import java.io.FileDescriptor; + import java.io.PrintWriter; + import java.util.Collections; ++import java.util.HashSet; + import java.util.List; ++import java.util.Set; + + // TODO: Needed for move to system service: import com.android.internal.R; + +@@ -264,7 +266,7 @@ public class TelecomServiceImpl { + try { + Log.startSession("TSI.gPAFP"); + return new ParceledListSlice<>(mPhoneAccountRegistrar +- .getPhoneAccountsForPackage(packageName, callingUserHandle)); ++ .getAllPhoneAccountHandlesForPackage(callingUserHandle, packageName)); + } catch (Exception e) { + Log.e(this, e, "getPhoneAccountsForPackage %s", packageName); + throw e; +diff --git a/tests/src/com/android/server/telecom/tests/PhoneAccountRegistrarTest.java b/tests/src/com/android/server/telecom/tests/PhoneAccountRegistrarTest.java +index f8acb9d2c..b223cdc12 100644 +--- a/tests/src/com/android/server/telecom/tests/PhoneAccountRegistrarTest.java ++++ b/tests/src/com/android/server/telecom/tests/PhoneAccountRegistrarTest.java +@@ -57,6 +57,8 @@ import java.io.BufferedOutputStream; + import java.io.ByteArrayInputStream; + import java.io.ByteArrayOutputStream; + import java.io.File; ++import java.io.IOException; ++import java.io.OutputStream; + import java.util.Arrays; + import java.util.List; + import java.util.Map; +@@ -68,8 +70,18 @@ import static org.junit.Assert.assertNotNull; + import static org.junit.Assert.assertNull; + import static 
org.junit.Assert.assertTrue; + import static org.junit.Assert.fail; ++import static org.mockito.ArgumentMatchers.any; ++import static org.mockito.ArgumentMatchers.anyObject; ++import static org.mockito.ArgumentMatchers.isA; + import static org.mockito.Matchers.anyInt; + import static org.mockito.Matchers.anyString; ++import static org.mockito.Mockito.clearInvocations; ++import static org.mockito.Mockito.doThrow; ++import static org.mockito.Mockito.mock; ++import static org.mockito.Mockito.never; ++import static org.mockito.Mockito.spy; ++import static org.mockito.Mockito.times; ++import static org.mockito.Mockito.verify; + import static org.mockito.Mockito.when; + + @RunWith(JUnit4.class) +@@ -78,6 +90,9 @@ public class PhoneAccountRegistrarTest extends TelecomTestCase { + private static final int MAX_VERSION = Integer.MAX_VALUE; + private static final String FILE_NAME = "phone-account-registrar-test-1223.xml"; + private static final String TEST_LABEL = "right"; ++ private static final String TEST_ID = "123"; ++ private final String PACKAGE_1 = "PACKAGE_1"; ++ private final String PACKAGE_2 = "PACKAGE_2"; + private PhoneAccountRegistrar mRegistrar; + @Mock private TelecomManager mTelecomManager; + @Mock private DefaultDialerCache mDefaultDialerCache; +@@ -909,6 +924,92 @@ public class PhoneAccountRegistrarTest extends TelecomTestCase { + assertEquals(account1, account2); + } + ++ /** ++ * Ensure an IllegalArgumentException is thrown when adding more than 10 schemes for a single ++ * account ++ */ ++ @Test ++ public void testLimitOnSchemeCount() { ++ PhoneAccountHandle handle = makeQuickAccountHandle(TEST_ID); ++ PhoneAccount.Builder builder = new PhoneAccount.Builder(handle, TEST_LABEL); ++ for (int i = 0; i < PhoneAccountRegistrar.MAX_PHONE_ACCOUNT_REGISTRATIONS + 1; i++) { ++ builder.addSupportedUriScheme(Integer.toString(i)); ++ } ++ try { ++ mRegistrar.enforceLimitsOnSchemes(builder.build()); ++ fail("should have hit exception in enforceLimitOnSchemes"); ++ } 
catch (IllegalArgumentException e) { ++ // pass test ++ } ++ } ++ ++ /** ++ * Ensure an IllegalArgumentException is thrown when adding more 256 chars for a single ++ * account ++ */ ++ @Test ++ public void testLimitOnSchemeLength() { ++ PhoneAccountHandle handle = makeQuickAccountHandle(TEST_ID); ++ PhoneAccount.Builder builder = new PhoneAccount.Builder(handle, TEST_LABEL); ++ builder.addSupportedUriScheme(generateStringOfLen(257)); ++ try { ++ mRegistrar.enforceLimitsOnSchemes(builder.build()); ++ fail("should have hit exception in enforceLimitOnSchemes"); ++ } catch (IllegalArgumentException e) { ++ // pass test ++ } ++ } ++ ++ /** ++ * Ensure an IllegalArgumentException is thrown when adding an address over the limit ++ */ ++ @Test ++ public void testLimitOnAddress() { ++ String text = generateStringOfLen(100); ++ PhoneAccountHandle handle = makeQuickAccountHandle(TEST_ID); ++ PhoneAccount.Builder builder = new PhoneAccount.Builder(handle,TEST_LABEL) ++ .setAddress(Uri.fromParts(text, text, text)); ++ try { ++ mRegistrar.enforceCharacterLimit(builder.build()); ++ fail("failed to throw IllegalArgumentException"); ++ } catch (IllegalArgumentException e) { ++ // pass test ++ } ++ finally { ++ mRegistrar.unregisterPhoneAccount(handle); ++ } ++ } ++ ++ /** ++ * Ensure an IllegalArgumentException is thrown when an Icon that throws an IOException is given ++ */ ++ @Test ++ public void testLimitOnIcon() throws Exception { ++ Icon mockIcon = mock(Icon.class); ++ // GIVEN ++ PhoneAccount.Builder builder = new PhoneAccount.Builder( ++ makeQuickAccountHandle(TEST_ID), TEST_LABEL).setIcon(mockIcon); ++ try { ++ // WHEN ++ Mockito.doThrow(new IOException()) ++ .when(mockIcon).writeToStream(any(OutputStream.class)); ++ //THEN ++ mRegistrar.enforceIconSizeLimit(builder.build()); ++ fail("failed to throw IllegalArgumentException"); ++ } catch (IllegalArgumentException e) { ++ // pass test ++ assertTrue(e.getMessage().contains(PhoneAccountRegistrar.ICON_ERROR_MSG)); ++ } ++ } ++ 
++ private String generateStringOfLen(int len){ ++ StringBuilder sb = new StringBuilder(); ++ for(int i=0; i < len; i++){ ++ sb.append("a"); ++ } ++ return sb.toString(); ++ } ++ + private static ComponentName makeQuickConnectionServiceComponentName() { + return new ComponentName( + "com.android.server.telecom.tests", +diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java +index 092227b47..521d05aae 100644 +--- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java ++++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java +@@ -362,7 +362,7 @@ public class TelecomServiceImplTest extends TelecomTestCase { + add(SIP_PA_HANDLE_17); + }}; + when(mFakePhoneAccountRegistrar +- .getPhoneAccountsForPackage(anyString(), any(UserHandle.class))) ++ .getAllPhoneAccountHandlesForPackage(any(UserHandle.class), anyString())) + .thenReturn(phoneAccountHandleList); + makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17); + assertEquals(phoneAccountHandleList, diff --git a/Patches/LineageOS-16.0/android_packages_services_Telecomm/364617.patch b/Patches/LineageOS-16.0/android_packages_services_Telecomm/364617.patch new file mode 100644 index 00000000..f57214b6 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_services_Telecomm/364617.patch 
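Review bot: The new limit tests only assert that a value over the limit is rejected; none asserts that a value exactly at the limit is accepted, so an off-by-one in `enforceLimitsOnSchemes` or `enforceCharacterLimit` would still pass. `testLimitOnSchemeCount` also sizes its loop with `MAX_PHONE_ACCOUNT_REGISTRATIONS + 1`, a constant named for account registrations, not schemes. If the registrar defines a separate scheme limit (not visible here), the test should use that one. In `testLimitOnAddress` the `finally` block unregisters a handle the test never registered, which looks unnecessary. The Javadoc on `testLimitOnSchemeLength` should read "more than 256 chars".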
@@ -0,0 +1,706 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pranav Madapurmath +Date: Thu, 25 May 2023 20:49:21 +0000 +Subject: [PATCH] Resolve StatusHints image exploit across user. + +Because of the INTERACT_ACROSS_USERS permission, an app that implements +a ConnectionService can upload an image icon belonging to another user +by setting it in the StatusHints. Validating the construction of the +StatusHints on the calling user would prevent a malicious app from +registering a connection service with the embedded image icon from a +different user. + +From additional feedback, this CL also addresses potential +vulnerabilities in an app being able to directly invoke the binder for a +means to manipulate the contents of the bundle that are passed with it. +The targeted points of entry are in ConnectionServiceWrapper for the +following APIs: handleCreateConnectionComplete, setStatusHints, +addConferenceCall, and addExistingConnection. + +Fixes: 280797684 +Test: Manual (verified that original exploit is no longer an issue). +Test: Unit test for validating image in StatusHints constructor. +Test: Unit tests to address vulnerabilities via the binder. 
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:49d19dd265bee669b230efa29bf98c83650efea6) +Merged-In: Ie1f6a8866d31d5f1099dd0630cf8e9ee782d389c +Change-Id: Ie1f6a8866d31d5f1099dd0630cf8e9ee782d389c +--- + .../telecom/ConnectionServiceWrapper.java | 32 ++++ + .../server/telecom/tests/BasicCallTests.java | 165 +++++++++++++++++- + .../server/telecom/tests/CallExtrasTest.java | 6 +- + .../tests/ConnectionServiceFixture.java | 21 ++- + .../telecom/tests/TelecomSystemTest.java | 63 +++++-- + .../server/telecom/tests/VideoCallTests.java | 16 +- + 6 files changed, 264 insertions(+), 39 deletions(-) + +diff --git a/src/com/android/server/telecom/ConnectionServiceWrapper.java b/src/com/android/server/telecom/ConnectionServiceWrapper.java +index 6dd9a3a08..1b86842af 100644 +--- a/src/com/android/server/telecom/ConnectionServiceWrapper.java ++++ b/src/com/android/server/telecom/ConnectionServiceWrapper.java +@@ -19,6 +19,7 @@ package com.android.server.telecom; + import android.app.AppOpsManager; + import android.content.ComponentName; + import android.content.Context; ++import android.graphics.drawable.Icon; + import android.net.Uri; + import android.os.Binder; + import android.os.Bundle; +@@ -73,10 +74,17 @@ public class ConnectionServiceWrapper extends ServiceBinder implements + public void handleCreateConnectionComplete(String callId, ConnectionRequest request, + ParcelableConnection connection, Session.Info sessionInfo) { + Log.startSession(sessionInfo, LogUtils.Sessions.CSW_HANDLE_CREATE_CONNECTION_COMPLETE); ++ UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { + synchronized (mLock) { + logIncoming("handleCreateConnectionComplete %s", callId); ++ // Check status hints image for cross user access ++ if (connection.getStatusHints() != null) { ++ Icon icon = connection.getStatusHints().getIcon(); ++ connection.getStatusHints().setIcon(StatusHints. 
++ validateAccountIconUserBoundary(icon, callingUserHandle)); ++ } + ConnectionServiceWrapper.this + .handleCreateConnectionComplete(callId, request, connection); + +@@ -415,6 +423,15 @@ public class ConnectionServiceWrapper extends ServiceBinder implements + public void addConferenceCall(String callId, ParcelableConference parcelableConference, + Session.Info sessionInfo) { + Log.startSession(sessionInfo, LogUtils.Sessions.CSW_ADD_CONFERENCE_CALL); ++ ++ UserHandle callingUserHandle = Binder.getCallingUserHandle(); ++ // Check status hints image for cross user access ++ if (parcelableConference.getStatusHints() != null) { ++ Icon icon = parcelableConference.getStatusHints().getIcon(); ++ parcelableConference.getStatusHints().setIcon(StatusHints. ++ validateAccountIconUserBoundary(icon, callingUserHandle)); ++ } ++ + long token = Binder.clearCallingIdentity(); + try { + synchronized (mLock) { +@@ -637,10 +654,17 @@ public class ConnectionServiceWrapper extends ServiceBinder implements + public void setStatusHints(String callId, StatusHints statusHints, + Session.Info sessionInfo) { + Log.startSession(sessionInfo, "CSW.sSH"); ++ UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { + synchronized (mLock) { + logIncoming("setStatusHints %s %s", callId, statusHints); ++ // Check status hints image for cross user access ++ if (statusHints != null) { ++ Icon icon = statusHints.getIcon(); ++ statusHints.setIcon(StatusHints.validateAccountIconUserBoundary( ++ icon, callingUserHandle)); ++ } + Call call = mCallIdMapper.getCall(callId); + if (call != null) { + call.setStatusHints(statusHints); +@@ -819,6 +843,14 @@ public class ConnectionServiceWrapper extends ServiceBinder implements + } else { + connectIdToCheck = callId; + } ++ ++ // Check status hints image for cross user access ++ if (connection.getStatusHints() != null) { ++ Icon icon = connection.getStatusHints().getIcon(); ++ 
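Review bot: A rejected icon is dropped silently in `handleCreateConnectionComplete`: the result of `validateAccountIconUserBoundary` is written straight back with `setIcon`, so nothing records that a connection service supplied an icon outside the calling user's boundary. The same five lines are repeated in the `addConferenceCall`, `setStatusHints` and `addExistingConnection` hunks of this file. One private helper that does the check and logs when the icon changes would keep the four call sites identical and leave a trace for anyone investigating a cross-user attempt. The sketch below assumes the validator returns a different value for a rejected icon (the tests in this patch expect null). The body of `handleCreateConnectionComplete` continues outside the hunk.

```java
// Replaces a StatusHints icon that fails the user-boundary check and records that it did.
private void enforceStatusHintsIconUser(StatusHints hints, UserHandle user) {
    if (hints == null) {
        return;
    }
    Icon original = hints.getIcon();
    Icon validated = StatusHints.validateAccountIconUserBoundary(original, user);
    if (validated != original) {
        // Log the user only; the icon URI itself may reference another user's content.
        Log.w(this, "StatusHints icon rejected by user boundary check for %s", user);
    }
    hints.setIcon(validated);
}
```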
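Review bot: In `addConferenceCall` the icon check sits between `Log.startSession` and the `try`, whereas `handleCreateConnectionComplete` and `setStatusHints` run it inside the `try` under `synchronized (mLock)`. If `parcelableConference` is null or the validator throws, the exception leaves the method before the `try` is entered. Whatever the `finally` block does is then skipped; it is outside the hunk but presumably restores the calling identity and ends the log session. Capturing `callingUserHandle` before `Binder.clearCallingIdentity()` is required and should stay where it is, but the `if (parcelableConference.getStatusHints() != null)` block can move to the top of the `synchronized (mLock)` block to match the other call sites.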
connection.getStatusHints().setIcon(StatusHints. ++ validateAccountIconUserBoundary(icon, userHandle)); ++ } ++ + // Check to see if this Connection has already been added. + Call alreadyAddedConnection = mCallsManager + .getAlreadyAddedConnection(connectIdToCheck); +diff --git a/tests/src/com/android/server/telecom/tests/BasicCallTests.java b/tests/src/com/android/server/telecom/tests/BasicCallTests.java +index e304d3416..190604a75 100644 +--- a/tests/src/com/android/server/telecom/tests/BasicCallTests.java ++++ b/tests/src/com/android/server/telecom/tests/BasicCallTests.java +@@ -16,9 +16,12 @@ + + package com.android.server.telecom.tests; + ++import static com.android.server.telecom.tests.ConnectionServiceFixture.STATUS_HINTS_EXTRA; ++ + import static org.junit.Assert.assertEquals; + import static org.junit.Assert.assertFalse; + import static org.junit.Assert.assertNull; ++import static org.junit.Assert.assertNotNull; + import static org.junit.Assert.assertTrue; + import static org.mockito.Matchers.any; + import static org.mockito.Matchers.anyInt; +@@ -34,6 +37,8 @@ import static org.mockito.Mockito.when; + + import android.content.Context; + import android.content.IContentProvider; ++import android.content.Intent; ++import android.graphics.drawable.Icon; + import android.media.AudioManager; + import android.net.Uri; + import android.os.Bundle; +@@ -50,12 +55,15 @@ import android.telecom.Log; + import android.telecom.ParcelableCall; + import android.telecom.PhoneAccount; + import android.telecom.PhoneAccountHandle; ++import android.telecom.StatusHints; + import android.telecom.TelecomManager; + import android.telecom.VideoProfile; + import android.support.test.filters.FlakyTest; + import android.test.suitebuilder.annotation.LargeTest; + import android.test.suitebuilder.annotation.MediumTest; + ++import androidx.test.filters.SmallTest; ++ + import com.android.internal.telecom.IInCallAdapter; + import com.android.internal.telephony.CallerInfo; + +@@ -179,7 +187,7 
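Review bot: The `addExistingConnection` check validates against `userHandle`, while the other three call sites use a `callingUserHandle` taken from `Binder.getCallingUserHandle()` inside their own hunks. `userHandle` is defined outside this hunk, so its origin cannot be confirmed from here. It must be the binder caller's identity, read before `Binder.clearCallingIdentity()`, and not anything derived from data the connection service supplies; otherwise the boundary check compares the icon against the wrong user. Once confirmed, a one-line comment at the check would make that reviewable, for example `// userHandle: binder caller's user, captured before clearCallingIdentity()`.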
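Review bot: The added `import androidx.test.filters.SmallTest;` sits next to `android.support.test.filters.FlakyTest`, so the file now depends on both the support-library and the AndroidX test packages. This patch is filed under LineageOS-16.0; if that tree's Telecomm test target is not built against AndroidX test (not visible here), the tests will stop compiling. Using the annotation family the file already imports, for example `android.test.suitebuilder.annotation.SmallTest` alongside the existing `MediumTest` and `LargeTest`, avoids the new dependency.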
@@ public class BasicCallTests extends TelecomSystemTest { + @Test + public void testTelecomManagerAcceptRingingVideoCall() throws Exception { + IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), +- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA); ++ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null); + + assertEquals(Call.STATE_RINGING, mInCallServiceFixtureX.getCall(ids.mCallId).getState()); + assertEquals(Call.STATE_RINGING, mInCallServiceFixtureY.getCall(ids.mCallId).getState()); +@@ -208,7 +216,7 @@ public class BasicCallTests extends TelecomSystemTest { + @Test + public void testTelecomManagerAcceptRingingVideoCallAsAudio() throws Exception { + IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), +- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA); ++ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null); + + assertEquals(Call.STATE_RINGING, mInCallServiceFixtureX.getCall(ids.mCallId).getState()); + assertEquals(Call.STATE_RINGING, mInCallServiceFixtureY.getCall(ids.mCallId).getState()); +@@ -236,7 +244,7 @@ public class BasicCallTests extends TelecomSystemTest { + @Test + public void testTelecomManagerAcceptRingingInvalidVideoState() throws Exception { + IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), +- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA); ++ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null); + + assertEquals(Call.STATE_RINGING, mInCallServiceFixtureX.getCall(ids.mCallId).getState()); + assertEquals(Call.STATE_RINGING, mInCallServiceFixtureY.getCall(ids.mCallId).getState()); +@@ -629,13 +637,13 @@ public class BasicCallTests extends TelecomSystemTest { + @MediumTest + @Test + public void testBasicConferenceCall() throws Exception { +- makeConferenceCall(); ++ makeConferenceCall(null, null); + } + + @MediumTest + @Test + public void 
testAddCallToConference1() throws Exception { +- ParcelableCall conferenceCall = makeConferenceCall(); ++ ParcelableCall conferenceCall = makeConferenceCall(null, null); + IdPair callId3 = startAndMakeActiveOutgoingCall("650-555-1214", + mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA); + // testAddCallToConference{1,2} differ in the order of arguments to InCallAdapter#conference +@@ -653,7 +661,7 @@ public class BasicCallTests extends TelecomSystemTest { + @MediumTest + @Test + public void testAddCallToConference2() throws Exception { +- ParcelableCall conferenceCall = makeConferenceCall(); ++ ParcelableCall conferenceCall = makeConferenceCall(null, null); + IdPair callId3 = startAndMakeActiveOutgoingCall("650-555-1214", + mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA); + mInCallServiceFixtureX.getInCallAdapter() +@@ -909,7 +917,7 @@ public class BasicCallTests extends TelecomSystemTest { + public void testOutgoingCallSelectPhoneAccountVideo() throws Exception { + startOutgoingPhoneCallPendingCreateConnection("650-555-1212", + null, mConnectionServiceFixtureA, +- Process.myUserHandle(), VideoProfile.STATE_BIDIRECTIONAL); ++ Process.myUserHandle(), VideoProfile.STATE_BIDIRECTIONAL, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + assert(call.isVideoCallingSupported()); +@@ -932,7 +940,7 @@ public class BasicCallTests extends TelecomSystemTest { + public void testOutgoingCallSelectPhoneAccountNoVideo() throws Exception { + startOutgoingPhoneCallPendingCreateConnection("650-555-1212", + null, mConnectionServiceFixtureA, +- Process.myUserHandle(), VideoProfile.STATE_BIDIRECTIONAL); ++ Process.myUserHandle(), VideoProfile.STATE_BIDIRECTIONAL, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + assert(call.isVideoCallingSupported()); +@@ -1134,4 +1142,145 @@ public class BasicCallTests extends 
TelecomSystemTest { + assertTrue(muteValues.get(0)); + assertFalse(muteValues.get(1)); + } ++ ++ /** ++ * Verifies that StatusHints image is validated in ConnectionServiceWrapper#addConferenceCall ++ * when the image doesn't belong to the calling user. Simulates a scenario where an app ++ * could manipulate the contents of the bundle and send it via the binder to upload an image ++ * from another user. ++ * ++ * @throws Exception ++ */ ++ @SmallTest ++ @Test ++ public void testValidateStatusHintsImage_addConferenceCall() throws Exception { ++ Intent callIntent1 = new Intent(); ++ // Stub intent for call2 ++ Intent callIntent2 = new Intent(); ++ Bundle callExtras1 = new Bundle(); ++ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/"); ++ // Load StatusHints extra into TelecomManager.EXTRA_OUTGOING_CALL_EXTRAS to be processed ++ // as the call extras. This will be leveraged in ConnectionServiceFixture to set the ++ // StatusHints for the given connection. ++ StatusHints statusHints = new StatusHints(icon); ++ assertNotNull(statusHints.getIcon()); ++ callExtras1.putParcelable(STATUS_HINTS_EXTRA, statusHints); ++ callIntent1.putExtra(TelecomManager.EXTRA_OUTGOING_CALL_EXTRAS, callExtras1); ++ ++ // Start conference call to invoke ConnectionServiceWrapper#addConferenceCall. ++ // Note that the calling user would be User 0. ++ ParcelableCall conferenceCall = makeConferenceCall(callIntent1, callIntent2); ++ ++ // Ensure that StatusHints was set. ++ assertNotNull(mInCallServiceFixtureX.getCall(mInCallServiceFixtureX.mLatestCallId) ++ .getStatusHints()); ++ // Ensure that the StatusHints image icon was disregarded. ++ assertNull(mInCallServiceFixtureX.getCall(mInCallServiceFixtureX.mLatestCallId) ++ .getStatusHints().getIcon()); ++ } ++ ++ /** ++ * Verifies that StatusHints image is validated in ++ * ConnectionServiceWrapper#handleCreateConnectionComplete when the image doesn't belong to the ++ * calling user. 
Simulates a scenario where an app could manipulate the contents of the ++ * bundle and send it via the binder to upload an image from another user. ++ * ++ * @throws Exception ++ */ ++ @SmallTest ++ @Test ++ public void testValidateStatusHintsImage_handleCreateConnectionComplete() throws Exception { ++ Bundle extras = new Bundle(); ++ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/"); ++ // Load the bundle with the test extra in order to simulate an app directly invoking the ++ // binder on ConnectionServiceWrapper#handleCreateConnectionComplete. ++ StatusHints statusHints = new StatusHints(icon); ++ assertNotNull(statusHints.getIcon()); ++ extras.putParcelable(STATUS_HINTS_EXTRA, statusHints); ++ ++ // Start incoming call with StatusHints extras ++ // Note that the calling user in ConnectionServiceWrapper#handleCreateConnectionComplete ++ // would be User 0. ++ IdPair ids = startIncomingPhoneCallWithExtras("650-555-1212", ++ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, extras); ++ ++ // Ensure that StatusHints was set. ++ assertNotNull(mInCallServiceFixtureX.getCall(ids.mCallId).getStatusHints()); ++ // Ensure that the StatusHints image icon was disregarded. ++ assertNull(mInCallServiceFixtureX.getCall(ids.mCallId).getStatusHints().getIcon()); ++ } ++ ++ /** ++ * Verifies that StatusHints image is validated in ConnectionServiceWrapper#setStatusHints ++ * when the image doesn't belong to the calling user. Simulates a scenario where an app ++ * could manipulate the contents of the bundle and send it via the binder to upload an image ++ * from another user. 
++ * ++ * @throws Exception ++ */ ++ @SmallTest ++ @Test ++ public void testValidateStatusHintsImage_setStatusHints() throws Exception { ++ IdPair outgoing = startAndMakeActiveOutgoingCall("650-555-1214", ++ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA); ++ ++ // Modify existing connection with StatusHints image exploit ++ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/"); ++ StatusHints statusHints = new StatusHints(icon); ++ assertNotNull(statusHints.getIcon()); ++ ConnectionServiceFixture.ConnectionInfo connectionInfo = mConnectionServiceFixtureA ++ .mConnectionById.get(outgoing.mConnectionId); ++ connectionInfo.statusHints = statusHints; ++ ++ // Invoke ConnectionServiceWrapper#setStatusHints. ++ // Note that the calling user would be User 0. ++ mConnectionServiceFixtureA.sendSetStatusHints(outgoing.mConnectionId); ++ waitForHandlerAction(mConnectionServiceFixtureA.mConnectionServiceDelegate.getHandler(), ++ TEST_TIMEOUT); ++ ++ // Ensure that StatusHints was set. ++ assertNotNull(mInCallServiceFixtureX.getCall(outgoing.mCallId).getStatusHints()); ++ // Ensure that the StatusHints image icon was disregarded. ++ assertNull(mInCallServiceFixtureX.getCall(outgoing.mCallId) ++ .getStatusHints().getIcon()); ++ } ++ ++ /** ++ * Verifies that StatusHints image is validated in ++ * ConnectionServiceWrapper#addExistingConnection when the image doesn't belong to the calling ++ * user. Simulates a scenario where an app could manipulate the contents of the bundle and ++ * send it via the binder to upload an image from another user. 
++ * ++ * @throws Exception ++ */ ++ @SmallTest ++ @Test ++ public void testValidateStatusHintsImage_addExistingConnection() throws Exception { ++ IdPair outgoing = startAndMakeActiveOutgoingCall("650-555-1214", ++ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA); ++ Connection existingConnection = mConnectionServiceFixtureA.mLatestConnection; ++ ++ // Modify existing connection with StatusHints image exploit ++ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/"); ++ StatusHints modifiedStatusHints = new StatusHints(icon); ++ assertNotNull(modifiedStatusHints.getIcon()); ++ ConnectionServiceFixture.ConnectionInfo connectionInfo = mConnectionServiceFixtureA ++ .mConnectionById.get(outgoing.mConnectionId); ++ connectionInfo.statusHints = modifiedStatusHints; ++ ++ // Invoke ConnectionServiceWrapper#addExistingConnection. ++ // Note that the calling user would be User 0. ++ mConnectionServiceFixtureA.sendAddExistingConnection(outgoing.mConnectionId); ++ waitForHandlerAction(mConnectionServiceFixtureA.mConnectionServiceDelegate.getHandler(), ++ TEST_TIMEOUT); ++ ++ // Ensure that StatusHints was set. Due to test setup, the ParcelableConnection object that ++ // is passed into sendAddExistingConnection is instantiated on invocation. The call's ++ // StatusHints are not updated at the time of completion, so instead, we can verify that ++ // the ParcelableConnection object was modified. ++ assertNotNull(mConnectionServiceFixtureA.mLatestParcelableConnection.getStatusHints()); ++ // Ensure that the StatusHints image icon was disregarded. 
++ assertNull(mConnectionServiceFixtureA.mLatestParcelableConnection ++ .getStatusHints().getIcon()); ++ } + } +diff --git a/tests/src/com/android/server/telecom/tests/CallExtrasTest.java b/tests/src/com/android/server/telecom/tests/CallExtrasTest.java +index 44578c519..219a81e63 100644 +--- a/tests/src/com/android/server/telecom/tests/CallExtrasTest.java ++++ b/tests/src/com/android/server/telecom/tests/CallExtrasTest.java +@@ -357,7 +357,7 @@ public class CallExtrasTest extends TelecomSystemTest { + @LargeTest + @Test + public void testConferenceSetExtras() throws Exception { +- ParcelableCall call = makeConferenceCall(); ++ ParcelableCall call = makeConferenceCall(null, null); + String conferenceId = call.getId(); + + Conference conference = mConnectionServiceFixtureA.mLatestConference; +@@ -400,7 +400,7 @@ public class CallExtrasTest extends TelecomSystemTest { + @LargeTest + @Test + public void testConferenceExtraOperations() throws Exception { +- ParcelableCall call = makeConferenceCall(); ++ ParcelableCall call = makeConferenceCall(null, null); + String conferenceId = call.getId(); + Conference conference = mConnectionServiceFixtureA.mLatestConference; + assertNotNull(conference); +@@ -436,7 +436,7 @@ public class CallExtrasTest extends TelecomSystemTest { + @LargeTest + @Test + public void testConferenceICS() throws Exception { +- ParcelableCall call = makeConferenceCall(); ++ ParcelableCall call = makeConferenceCall(null, null); + String conferenceId = call.getId(); + Conference conference = mConnectionServiceFixtureA.mLatestConference; + +diff --git a/tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java b/tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java +index 3154b7d0d..f91863fbe 100644 +--- a/tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java ++++ b/tests/src/com/android/server/telecom/tests/ConnectionServiceFixture.java +@@ -67,6 +67,7 @@ public class ConnectionServiceFixture implements 
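Review bot: All four new tests use an icon URI for user 10 against a caller the comments describe as user 0, so they only prove the icon is removed; nothing checks that an icon belonging to the calling user survives validation. A validator that nulled every icon would pass this suite. Adding at least one case with a same-user URI that ends in `assertNotNull(...getStatusHints().getIcon())` would pin the intended behaviour. Separately, `conferenceCall` in `testValidateStatusHintsImage_addConferenceCall` and `existingConnection` in `testValidateStatusHintsImage_addExistingConnection` are assigned but never read, and the repeated URI literal could be a shared constant.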
TestFixture + static int INVALID_VIDEO_STATE = -1; + public CountDownLatch mExtrasLock = new CountDownLatch(1); + static int NOT_SPECIFIED = 0; ++ public static final String STATUS_HINTS_EXTRA = "updateStatusHints"; + + /** + * Implementation of ConnectionService that performs no-ops for tasks normally meant for +@@ -101,6 +102,11 @@ public class ConnectionServiceFixture implements TestFixture + if (mProperties != NOT_SPECIFIED) { + fakeConnection.setConnectionProperties(mProperties); + } ++ // Testing for StatusHints image icon cross user access ++ if (request.getExtras() != null) { ++ fakeConnection.setStatusHints( ++ request.getExtras().getParcelable(STATUS_HINTS_EXTRA)); ++ } + + return fakeConnection; + } +@@ -117,6 +123,11 @@ public class ConnectionServiceFixture implements TestFixture + if (mProperties != NOT_SPECIFIED) { + fakeConnection.setConnectionProperties(mProperties); + } ++ // Testing for StatusHints image icon cross user access ++ if (request.getExtras() != null) { ++ fakeConnection.setStatusHints( ++ request.getExtras().getParcelable(STATUS_HINTS_EXTRA)); ++ } + return fakeConnection; + } + +@@ -133,6 +144,12 @@ public class ConnectionServiceFixture implements TestFixture + Conference fakeConference = new FakeConference(); + fakeConference.addConnection(cxn1); + fakeConference.addConnection(cxn2); ++ if (cxn1.getStatusHints() != null || cxn2.getStatusHints() != null) { ++ // For testing purposes, pick one of the status hints that isn't null. ++ StatusHints statusHints = cxn1.getStatusHints() != null ++ ? 
cxn1.getStatusHints() : cxn2.getStatusHints(); ++ fakeConference.setStatusHints(statusHints); ++ } + mLatestConference = fakeConference; + addConference(fakeConference); + } else { +@@ -438,6 +455,7 @@ public class ConnectionServiceFixture implements TestFixture + + public String mLatestConnectionId; + public Connection mLatestConnection; ++ public ParcelableConnection mLatestParcelableConnection; + public Conference mLatestConference; + public final Set mConnectionServiceAdapters = new HashSet<>(); + public final Map mConnectionById = new HashMap<>(); +@@ -672,7 +690,7 @@ public class ConnectionServiceFixture implements TestFixture + } + + private ParcelableConnection parcelable(ConnectionInfo c) { +- return new ParcelableConnection( ++ mLatestParcelableConnection = new ParcelableConnection( + c.request.getAccountHandle(), + c.state, + c.capabilities, +@@ -692,5 +710,6 @@ public class ConnectionServiceFixture implements TestFixture + c.disconnectCause, + c.conferenceableConnectionIds, + c.extras); ++ return mLatestParcelableConnection; + } + } +diff --git a/tests/src/com/android/server/telecom/tests/TelecomSystemTest.java b/tests/src/com/android/server/telecom/tests/TelecomSystemTest.java +index 4cf76444a..c98b7e699 100644 +--- a/tests/src/com/android/server/telecom/tests/TelecomSystemTest.java ++++ b/tests/src/com/android/server/telecom/tests/TelecomSystemTest.java +@@ -374,12 +374,13 @@ public class TelecomSystemTest extends TelecomTestCase { + super.tearDown(); + } + +- protected ParcelableCall makeConferenceCall() throws Exception { +- IdPair callId1 = startAndMakeActiveOutgoingCall("650-555-1212", +- mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA); ++ protected ParcelableCall makeConferenceCall( ++ Intent callIntentExtras1, Intent callIntentExtras2) throws Exception { ++ IdPair callId1 = startAndMakeActiveOutgoingCallWithExtras("650-555-1212", ++ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, callIntentExtras1); + +- IdPair 
callId2 = startAndMakeActiveOutgoingCall("650-555-1213", +- mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA); ++ IdPair callId2 = startAndMakeActiveOutgoingCallWithExtras("650-555-1213", ++ mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, callIntentExtras2); + + IInCallAdapter inCallAdapter = mInCallServiceFixtureX.getInCallAdapter(); + inCallAdapter.conference(callId1.mCallId, callId2.mCallId); +@@ -582,17 +583,17 @@ public class TelecomSystemTest extends TelecomTestCase { + throws Exception { + + return startOutgoingPhoneCall(number, phoneAccountHandle, connectionServiceFixture, +- initiatingUser, VideoProfile.STATE_AUDIO_ONLY); ++ initiatingUser, VideoProfile.STATE_AUDIO_ONLY, null); + } + + protected IdPair startOutgoingPhoneCall(String number, PhoneAccountHandle phoneAccountHandle, + ConnectionServiceFixture connectionServiceFixture, UserHandle initiatingUser, +- int videoState) throws Exception { ++ int videoState, Intent callIntentExtras) throws Exception { + int startingNumConnections = connectionServiceFixture.mConnectionById.size(); + int startingNumCalls = mInCallServiceFixtureX.mCallById.size(); + + startOutgoingPhoneCallPendingCreateConnection(number, phoneAccountHandle, +- connectionServiceFixture, initiatingUser, videoState); ++ connectionServiceFixture, initiatingUser, videoState, callIntentExtras); + + verify(connectionServiceFixture.getTestDouble(), timeout(TEST_TIMEOUT)) + .createConnectionComplete(anyString(), any()); +@@ -631,7 +632,7 @@ public class TelecomSystemTest extends TelecomTestCase { + mIsEmergencyCall = true; + // Call will not use the ordered broadcaster, since it is an Emergency Call + startOutgoingPhoneCallWaitForBroadcaster(number, phoneAccountHandle, +- connectionServiceFixture, initiatingUser, videoState, true /*isEmergency*/); ++ connectionServiceFixture, initiatingUser, videoState, true /*isEmergency*/, null); + + return outgoingCallCreateConnectionComplete(startingNumConnections, 
startingNumCalls, + phoneAccountHandle, connectionServiceFixture); +@@ -640,7 +641,7 @@ public class TelecomSystemTest extends TelecomTestCase { + protected void startOutgoingPhoneCallWaitForBroadcaster(String number, + PhoneAccountHandle phoneAccountHandle, + ConnectionServiceFixture connectionServiceFixture, UserHandle initiatingUser, +- int videoState, boolean isEmergency) throws Exception { ++ int videoState, boolean isEmergency, Intent actionCallIntent) throws Exception { + reset(connectionServiceFixture.getTestDouble(), mInCallServiceFixtureX.getTestDouble(), + mInCallServiceFixtureY.getTestDouble()); + +@@ -653,7 +654,9 @@ public class TelecomSystemTest extends TelecomTestCase { + + boolean hasInCallAdapter = mInCallServiceFixtureX.mInCallAdapter != null; + +- Intent actionCallIntent = new Intent(); ++ if (actionCallIntent == null) { ++ actionCallIntent = new Intent(); ++ } + actionCallIntent.setData(Uri.parse("tel:" + number)); + actionCallIntent.putExtra(Intent.EXTRA_PHONE_NUMBER, number); + if(isEmergency) { +@@ -699,9 +702,9 @@ public class TelecomSystemTest extends TelecomTestCase { + protected String startOutgoingPhoneCallPendingCreateConnection(String number, + PhoneAccountHandle phoneAccountHandle, + ConnectionServiceFixture connectionServiceFixture, UserHandle initiatingUser, +- int videoState) throws Exception { ++ int videoState, Intent callIntentExtras) throws Exception { + startOutgoingPhoneCallWaitForBroadcaster(number,phoneAccountHandle, +- connectionServiceFixture, initiatingUser, videoState, false /*isEmergency*/); ++ connectionServiceFixture, initiatingUser, videoState, false /*isEmergency*/, callIntentExtras); + + ArgumentCaptor newOutgoingCallIntent = + ArgumentCaptor.forClass(Intent.class); +@@ -798,14 +801,24 @@ public class TelecomSystemTest extends TelecomTestCase { + PhoneAccountHandle phoneAccountHandle, + final ConnectionServiceFixture connectionServiceFixture) throws Exception { + return startIncomingPhoneCall(number, 
phoneAccountHandle, VideoProfile.STATE_AUDIO_ONLY, +- connectionServiceFixture); ++ connectionServiceFixture, null); ++ } ++ ++ protected IdPair startIncomingPhoneCallWithExtras( ++ String number, ++ PhoneAccountHandle phoneAccountHandle, ++ final ConnectionServiceFixture connectionServiceFixture, ++ Bundle extras) throws Exception { ++ return startIncomingPhoneCall(number, phoneAccountHandle, VideoProfile.STATE_AUDIO_ONLY, ++ connectionServiceFixture, extras); + } + + protected IdPair startIncomingPhoneCall( + String number, + PhoneAccountHandle phoneAccountHandle, + int videoState, +- final ConnectionServiceFixture connectionServiceFixture) throws Exception { ++ final ConnectionServiceFixture connectionServiceFixture, ++ Bundle extras) throws Exception { + reset(connectionServiceFixture.getTestDouble(), mInCallServiceFixtureX.getTestDouble(), + mInCallServiceFixtureY.getTestDouble()); + +@@ -822,7 +835,9 @@ public class TelecomSystemTest extends TelecomTestCase { + new IncomingCallAddedListener(incomingCallAddedLatch); + mTelecomSystem.getCallsManager().addListener(callAddedListener); + +- Bundle extras = new Bundle(); ++ if (extras == null) { ++ extras = new Bundle(); ++ } + extras.putParcelable( + TelecomManager.EXTRA_INCOMING_CALL_ADDRESS, + Uri.fromParts(PhoneAccount.SCHEME_TEL, number, null)); +@@ -916,7 +931,16 @@ public class TelecomSystemTest extends TelecomTestCase { + PhoneAccountHandle phoneAccountHandle, + ConnectionServiceFixture connectionServiceFixture) throws Exception { + return startAndMakeActiveOutgoingCall(number, phoneAccountHandle, connectionServiceFixture, +- VideoProfile.STATE_AUDIO_ONLY); ++ VideoProfile.STATE_AUDIO_ONLY, null); ++ } ++ ++ protected IdPair startAndMakeActiveOutgoingCallWithExtras( ++ String number, ++ PhoneAccountHandle phoneAccountHandle, ++ ConnectionServiceFixture connectionServiceFixture, ++ Intent callIntentExtras) throws Exception { ++ return startAndMakeActiveOutgoingCall(number, phoneAccountHandle, 
connectionServiceFixture, ++ VideoProfile.STATE_AUDIO_ONLY, callIntentExtras); + } + + // A simple outgoing call, verifying that the appropriate connection service is contacted, +@@ -924,9 +948,10 @@ public class TelecomSystemTest extends TelecomTestCase { + protected IdPair startAndMakeActiveOutgoingCall( + String number, + PhoneAccountHandle phoneAccountHandle, +- ConnectionServiceFixture connectionServiceFixture, int videoState) throws Exception { ++ ConnectionServiceFixture connectionServiceFixture, int videoState, ++ Intent callIntentExtras) throws Exception { + IdPair ids = startOutgoingPhoneCall(number, phoneAccountHandle, connectionServiceFixture, +- Process.myUserHandle(), videoState); ++ Process.myUserHandle(), videoState, callIntentExtras); + + connectionServiceFixture.sendSetDialing(ids.mConnectionId); + if (phoneAccountHandle != mPhoneAccountSelfManaged.getAccountHandle()) { +diff --git a/tests/src/com/android/server/telecom/tests/VideoCallTests.java b/tests/src/com/android/server/telecom/tests/VideoCallTests.java +index 97e71d18b..84beedc0f 100644 +--- a/tests/src/com/android/server/telecom/tests/VideoCallTests.java ++++ b/tests/src/com/android/server/telecom/tests/VideoCallTests.java +@@ -105,7 +105,7 @@ public class VideoCallTests extends TelecomSystemTest { + // Start an incoming video call. + IdPair ids = startAndMakeActiveOutgoingCall("650-555-1212", + mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, +- VideoProfile.STATE_BIDIRECTIONAL); ++ VideoProfile.STATE_BIDIRECTIONAL, null); + + verifyAudioRoute(CallAudioState.ROUTE_SPEAKER); + } +@@ -121,7 +121,7 @@ public class VideoCallTests extends TelecomSystemTest { + // Start an incoming video call. 
+ IdPair ids = startAndMakeActiveOutgoingCall("650-555-1212", + mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, +- VideoProfile.STATE_TX_ENABLED); ++ VideoProfile.STATE_TX_ENABLED, null); + + verifyAudioRoute(CallAudioState.ROUTE_SPEAKER); + } +@@ -137,7 +137,7 @@ public class VideoCallTests extends TelecomSystemTest { + // Start an incoming video call. + IdPair ids = startAndMakeActiveOutgoingCall("650-555-1212", + mPhoneAccountA0.getAccountHandle(), mConnectionServiceFixtureA, +- VideoProfile.STATE_AUDIO_ONLY); ++ VideoProfile.STATE_AUDIO_ONLY, null); + + verifyAudioRoute(CallAudioState.ROUTE_EARPIECE); + } +@@ -165,7 +165,7 @@ public class VideoCallTests extends TelecomSystemTest { + @Test + public void testIncomingVideoCallMissedCheckVideoHistory() throws Exception { + IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), +- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA); ++ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + +@@ -182,7 +182,7 @@ public class VideoCallTests extends TelecomSystemTest { + @Test + public void testIncomingVideoCallRejectedCheckVideoHistory() throws Exception { + IdPair ids = startIncomingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), +- VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA); ++ VideoProfile.STATE_BIDIRECTIONAL, mConnectionServiceFixtureA, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + +@@ -201,7 +201,7 @@ public class VideoCallTests extends TelecomSystemTest { + public void testOutgoingVideoCallCanceledCheckVideoHistory() throws Exception { + IdPair ids = startOutgoingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), + mConnectionServiceFixtureA, Process.myUserHandle(), +- VideoProfile.STATE_BIDIRECTIONAL); ++ 
VideoProfile.STATE_BIDIRECTIONAL, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + +@@ -219,7 +219,7 @@ public class VideoCallTests extends TelecomSystemTest { + public void testOutgoingVideoCallRejectedCheckVideoHistory() throws Exception { + IdPair ids = startOutgoingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), + mConnectionServiceFixtureA, Process.myUserHandle(), +- VideoProfile.STATE_BIDIRECTIONAL); ++ VideoProfile.STATE_BIDIRECTIONAL, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + +@@ -237,7 +237,7 @@ public class VideoCallTests extends TelecomSystemTest { + public void testOutgoingVideoCallAnsweredAsAudio() throws Exception { + IdPair ids = startOutgoingPhoneCall("650-555-1212", mPhoneAccountA0.getAccountHandle(), + mConnectionServiceFixtureA, Process.myUserHandle(), +- VideoProfile.STATE_BIDIRECTIONAL); ++ VideoProfile.STATE_BIDIRECTIONAL, null); + com.android.server.telecom.Call call = mTelecomSystem.getCallsManager().getCalls() + .iterator().next(); + diff --git a/Patches/LineageOS-16.0/android_packages_services_Telecomm/377776.patch b/Patches/LineageOS-16.0/android_packages_services_Telecomm/377776.patch new file mode 100644 index 00000000..a4ef1b8e --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_services_Telecomm/377776.patch 
@@ -0,0 +1,108 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pranav Madapurmath +Date: Wed, 5 Apr 2023 21:36:12 +0000 +Subject: [PATCH] Resolve account image icon profile boundary exploit. + +Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit +is possible where the user can upload an image icon (belonging to +another user) via registering a phone account. This CL provides a +lightweight solution for parsing the image URI to detect profile +exploitation. + +Fixes: 273502295 +Fixes: 296915211 +Test: Unit test to enforce successful/failure path +(cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7) +(cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42) +Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5 +Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5 +--- + .../server/telecom/TelecomServiceImpl.java | 22 +++++++++++++++++++ + .../telecom/tests/TelecomServiceImplTest.java | 21 ++++++++++++++++++ + 2 files changed, 43 insertions(+) + +diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java +index 74a7d840b..14804f0d3 100644 +--- a/src/com/android/server/telecom/TelecomServiceImpl.java ++++ b/src/com/android/server/telecom/TelecomServiceImpl.java +@@ -36,6 +36,7 @@ import android.content.pm.PackageManager; + import android.content.res.Resources; + import android.content.pm.ParceledListSlice; + import android.content.pm.ResolveInfo; ++import android.graphics.drawable.Icon; + import android.net.Uri; + import android.os.Binder; + import android.os.Bundle; +@@ -469,6 +470,9 @@ public class TelecomServiceImpl { + enforceRegisterMultiUser(); + } + enforceUserHandleMatchesCaller(account.getAccountHandle()); ++ // Validate the profile boundary of the given image URI. 
++ validateAccountIconUserBoundary(account.getIcon()); ++ + final long token = Binder.clearCallingIdentity(); + try { + mPhoneAccountRegistrar.registerPhoneAccount(account); +@@ -1820,4 +1824,22 @@ public class TelecomServiceImpl { + // If only TX or RX were set (or neither), the video state is valid. + return remainingState == 0; + } ++ ++ private void validateAccountIconUserBoundary(Icon icon) { ++ // Refer to Icon#getUriString for context. The URI string is invalid for icons of ++ // incompatible types. ++ if (icon != null && (icon.getType() == Icon.TYPE_URI ++ /*|| icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP*/)) { ++ String encodedUser = icon.getUri().getEncodedUserInfo(); ++ // If there is no encoded user, the URI is calling into the calling user space ++ if (encodedUser != null) { ++ int userId = Integer.parseInt(encodedUser); ++ if (userId != UserHandle.getUserId(Binder.getCallingUid())) { ++ // If we are transcending the profile boundary, throw an error. ++ throw new IllegalArgumentException("Attempting to register a phone account with" ++ + " an image icon belonging to another user."); ++ } ++ } ++ } ++ } + } +diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java +index 521d05aae..8aa6f806c 100644 +--- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java ++++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java +@@ -29,6 +29,7 @@ import android.content.Context; + import android.content.Intent; + import android.content.pm.ApplicationInfo; + import android.content.pm.PackageManager; ++import android.graphics.drawable.Icon; + import android.net.Uri; + import android.os.Binder; + import android.os.Bundle; +@@ -501,6 +502,26 @@ public class TelecomServiceImplTest extends TelecomTestCase { + } + } + ++ @SmallTest ++ @Test ++ public void testRegisterPhoneAccountImageIconCrossUser() throws RemoteException { ++ String 
packageNameToUse = "com.android.officialpackage"; ++ PhoneAccountHandle phHandle = new PhoneAccountHandle(new ComponentName( ++ packageNameToUse, "cs"), "test", Binder.getCallingUserHandle()); ++ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/"); ++ PhoneAccount phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build(); ++ doReturn(PackageManager.PERMISSION_GRANTED) ++ .when(mContext).checkCallingOrSelfPermission(MODIFY_PHONE_STATE); ++ ++ // This should fail; security exception will be thrown. ++ registerPhoneAccountTestHelper(phoneAccount, false); ++ ++ icon = Icon.createWithContentUri("content://0@media/external/images/media/"); ++ phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build(); ++ // This should succeed. ++ registerPhoneAccountTestHelper(phoneAccount, true); ++ } ++ + @SmallTest + @Test + public void testUnregisterPhoneAccount() throws RemoteException { diff --git a/Patches/LineageOS-16.0/android_packages_services_Telephony/347041.patch b/Patches/LineageOS-16.0/android_packages_services_Telephony/347041.patch new file mode 100644 index 00000000..47fabdb3 --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_services_Telephony/347041.patch 
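Review bot: `Integer.parseInt(encodedUser)` in validateAccountIconUserBoundary runs on the user-info part of a caller-supplied icon URI, so a non-numeric value surfaces as a NumberFormatException instead of the explicit cross-user message. The registration is still rejected, because NumberFormatException is an IllegalArgumentException, but the failure then looks like a parsing bug; catching it and rethrowing `new IllegalArgumentException("Invalid user id in phone account icon URI.")` would keep the rejection deliberate. In the new test, the comment `// This should fail; security exception will be thrown.` does not match the code, which throws IllegalArgumentException. The success case hard-codes user 0 in `content://0@media/...`, which presumably holds only when the test runs as the system user.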
@@ -0,0 +1,108 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Wed, 28 Sep 2022 09:40:14 -0700 +Subject: [PATCH] prevent overlays on the phone settings + +A report came in showing a 3rd party app could overlay a button +on the phone settings causing unwanted behavior. In order to prevent +this, a new system flag has been added that only allows system overlays. + +bug: 246933785 +Test: manual +Change-Id: I427b65bc6c1acf06676e1753a34a7a38e21bbae0 +Merged-In: I427b65bc6c1acf06676e1753a34a7a38e21bbae0 +(cherry picked from commit e827d8f13c1c92622474fa2bf9e41a1f4ce21e2c) +Merged-In: I427b65bc6c1acf06676e1753a34a7a38e21bbae0 +--- + AndroidManifest.xml | 3 +++ + .../phone/settings/AccessibilitySettingsActivity.java | 8 ++++++-- + .../phone/settings/PhoneAccountSettingsActivity.java | 4 ++++ + .../android/phone/settings/VoicemailSettingsActivity.java | 4 ++++ + 4 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/AndroidManifest.xml b/AndroidManifest.xml +index 9e2764762..64d7d64ca 100644 +--- a/AndroidManifest.xml ++++ b/AndroidManifest.xml +@@ -203,6 +203,9 @@ + + + ++ ++ ++ + +Date: Fri, 26 May 2023 14:18:46 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Fixed leak of cross user data in multiple + settings. + + - Any app is allowed to receive GET_CONTENT intent. Using this, an user puts back in the intent an uri with data of another user. + - Telephony service has INTERACT_ACROSS_USER permission. Using this, it reads and shows the deta to the evil user. + +Fix: When telephony service gets the intent result, it checks if the uri is from the current user or not. + +Bug: b/256591023 , b/256819787 + +Test: The malicious behaviour was not being reproduced. Unable to import contact from other users data. 
+Test2: Able to import contact from the primary user or uri with no user id +(These settings are not available for secondary users) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36e10a6d0d7b9efc543f8004729fa85751f4f70d) +Merged-In: I1e3a643f17948153aecc1d0df9ffd9619ad678c1 +Change-Id: I1e3a643f17948153aecc1d0df9ffd9619ad678c1 +--- + .../android/phone/GsmUmtsCallForwardOptions.java | 12 ++++++++++++ + .../phone/settings/VoicemailSettingsActivity.java | 14 ++++++++++++++ + .../phone/settings/fdn/EditFdnContactScreen.java | 13 +++++++++++++ + 3 files changed, 39 insertions(+) + +diff --git a/src/com/android/phone/GsmUmtsCallForwardOptions.java b/src/com/android/phone/GsmUmtsCallForwardOptions.java +index 77cc6cca6..aa1c797d4 100644 +--- a/src/com/android/phone/GsmUmtsCallForwardOptions.java ++++ b/src/com/android/phone/GsmUmtsCallForwardOptions.java +@@ -5,9 +5,12 @@ import com.android.internal.telephony.CommandsInterface; + import com.android.internal.telephony.Phone; + + import android.app.ActionBar; ++import android.content.ContentProvider; + import android.content.Intent; + import android.database.Cursor; + import android.os.Bundle; ++import android.os.Process; ++import android.os.UserHandle; + import android.preference.Preference; + import android.preference.PreferenceScreen; + import android.telephony.CarrierConfigManager; +@@ -156,6 +159,15 @@ public class GsmUmtsCallForwardOptions extends TimeConsumingPreferenceActivity { + } + Cursor cursor = null; + try { ++ // check if the URI returned by the user belongs to the user ++ final int currentUser = UserHandle.getUserId(Process.myUid()); ++ if (currentUser ++ != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) { ++ ++ Log.w(LOG_TAG, "onActivityResult: Contact data of different user, " ++ + "cannot access"); ++ return; ++ } + cursor = getContentResolver().query(data.getData(), + NUM_PROJECTION, null, null, null); + if ((cursor == null) || (!cursor.moveToFirst())) { 
+diff --git a/src/com/android/phone/settings/VoicemailSettingsActivity.java b/src/com/android/phone/settings/VoicemailSettingsActivity.java +index 0f58d195b..af9a746ed 100644 +--- a/src/com/android/phone/settings/VoicemailSettingsActivity.java ++++ b/src/com/android/phone/settings/VoicemailSettingsActivity.java +@@ -17,6 +17,7 @@ + package com.android.phone.settings; + + import android.app.Dialog; ++import android.content.ContentProvider; + import android.content.DialogInterface; + import android.content.Intent; + import android.database.Cursor; +@@ -25,6 +26,8 @@ import android.os.Bundle; + import android.os.Handler; + import android.os.Message; + import android.os.PersistableBundle; ++import android.os.Process; ++import android.os.UserHandle; + import android.os.UserManager; + import android.preference.Preference; + import android.preference.PreferenceActivity; +@@ -522,6 +525,17 @@ public class VoicemailSettingsActivity extends PreferenceActivity + + Cursor cursor = null; + try { ++ // check if the URI returned by the user belongs to the user ++ final int currentUser = UserHandle.getUserId(Process.myUid()); ++ if (currentUser ++ != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) { ++ ++ if (DBG) { ++ log("onActivityResult: Contact data of different user, " ++ + "cannot access"); ++ } ++ return; ++ } + cursor = getContentResolver().query(data.getData(), + new String[] { CommonDataKinds.Phone.NUMBER }, null, null, null); + if ((cursor == null) || (!cursor.moveToFirst())) { +diff --git a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java +index 921e947e4..e733e82bb 100644 +--- a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java ++++ b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java +@@ -18,9 +18,12 @@ package com.android.phone.settings.fdn; + + import static android.view.Window.PROGRESS_VISIBILITY_OFF; + import static 
android.view.Window.PROGRESS_VISIBILITY_ON; ++import static android.app.Activity.RESULT_OK; ++ + + import android.app.Activity; + import android.content.AsyncQueryHandler; ++import android.content.ContentProvider; + import android.content.ContentResolver; + import android.content.ContentValues; + import android.content.Intent; +@@ -29,6 +32,8 @@ import android.database.Cursor; + import android.net.Uri; + import android.os.Bundle; + import android.os.Handler; ++import android.os.Process; ++import android.os.UserHandle; + import android.provider.Contacts.PeopleColumns; + import android.provider.Contacts.PhonesColumns; + import android.provider.ContactsContract.CommonDataKinds; +@@ -154,6 +159,14 @@ public class EditFdnContactScreen extends Activity { + } + Cursor cursor = null; + try { ++ // check if the URI returned by the user belongs to the user ++ final int currentUser = UserHandle.getUserId(Process.myUid()); ++ if (currentUser ++ != ContentProvider.getUserIdFromUri(intent.getData(), currentUser)) { ++ Log.w(LOG_TAG, "onActivityResult: Contact data of different user, " ++ + "cannot access"); ++ return; ++ } + cursor = getContentResolver().query(intent.getData(), + NUM_PROJECTION, null, null, null); + if ((cursor == null) || (!cursor.moveToFirst())) { diff --git a/Patches/LineageOS-16.0/android_system_bt/334266.patch b/Patches/LineageOS-16.0/android_system_bt/334266.patch new file mode 100644 index 00000000..de5c3bad --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/334266.patch 
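Review bot: The rejection branch added to VoicemailSettingsActivity logs only under `if (DBG)`, while the same check in GsmUmtsCallForwardOptions and EditFdnContactScreen calls `Log.w` unconditionally, so on a non-debug build a cross-user URI handed back to the voicemail settings is dropped without any trace. Logging it unconditionally at warning level would keep the three call sites consistent and leave something for triage. The three copies of the `ContentProvider.getUserIdFromUri(..., currentUser)` comparison differ only in the variable name and could share one helper. The surrounding onActivityResult bodies start outside the hunks, so whether `getData()` can be null at this point is not visible.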
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chen Chen
+Date: Fri, 15 Apr 2022 14:24:48 -0700
+Subject: [PATCH] Security: Fix out of bound write in HFP client
+
+Bug: 224536184
+Test: build
+Tag: #security
+Ignore-AOSP-First: Security bug
+Change-Id: I9f0be0de6c4e1569095a43e92e9d8f9d73ca5fda
+(cherry picked from commit 01136338f6d739226e027716b6e5304df379fa4c)
+Merged-In: I9f0be0de6c4e1569095a43e92e9d8f9d73ca5fda
+---
+ bta/hf_client/bta_hf_client_at.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc
+index 5bcc68ecb..2e5a68b1a 100644
+--- a/bta/hf_client/bta_hf_client_at.cc
++++ b/bta/hf_client/bta_hf_client_at.cc
+@@ -332,6 +332,10 @@ static void bta_hf_client_handle_cind_list_item(tBTA_HF_CLIENT_CB* client_cb,
+
+ APPL_TRACE_DEBUG("%s: %lu.%s <%lu:%lu>", __func__, index, name, min, max);
+
++ if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) {
++ return;
++ }
++
+ /* look for a matching indicator on list of supported ones */
+ for (i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++) {
+ if (strcmp(name, BTA_HF_CLIENT_INDICATOR_SERVICE) == 0) {
diff --git a/Patches/LineageOS-16.0/android_system_bt/334267.patch b/Patches/LineageOS-16.0/android_system_bt/334267.patch
new file mode 100644
index 00000000..0ca46180
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_bt/334267.patch
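Review bot: The new guard `if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) { return; }` in bta_hf_client_handle_cind_list_item (334266.patch) drops the out-of-range item silently, so a peer that sends a malformed indicator list leaves no trace beyond the debug line above the check. The AVRCP fix in 334267.patch logs a warning and calls `android_errorWriteLog(0x534e4554, ...)` with its bug number. Doing the same here with "224536184", for example `APPL_TRACE_WARNING("%s: indicator index %lu out of range", __func__, index);`, would make the rejected input visible, provided the logging header is available to this file. The function body continues outside the hunk, so a one-line comment naming the array this bound protects would also help the next reader.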
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: William Escande
+Date: Mon, 2 May 2022 09:48:59 -0700
+Subject: [PATCH] Check Avrcp packet vendor length before extracting length
+
+Bug: 205571133
+Test: build + ag/18105403 for sts test
+Ignore-AOSP-First: Security vulnerability
+Change-Id: Ic9fa9400ab15785cfdb251af66b1867daf09570e
+(cherry picked from commit 003e42896493afb7a0cd7406720987725d4e9da3)
+Merged-In: Ic9fa9400ab15785cfdb251af66b1867daf09570e
+---
+ stack/avrc/avrc_pars_tg.cc | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
+index 82f0269c8..ebeff219e 100644
+--- a/stack/avrc/avrc_pars_tg.cc
++++ b/stack/avrc/avrc_pars_tg.cc
+@@ -43,6 +43,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_cmd(tAVRC_MSG_VENDOR* p_msg,
+ tAVRC_COMMAND* p_result) {
+ tAVRC_STS status = AVRC_STS_NO_ERROR;
+
++ if (p_msg->vendor_len < 4) { // 4 == pdu + reserved byte + len as uint16
++ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
++ __func__, p_msg->vendor_len);
++ android_errorWriteLog(0x534e4554, "205571133");
++ return AVRC_STS_INTERNAL_ERR;
++ }
+ uint8_t* p = p_msg->p_vendor_data;
+ p_result->pdu = *p++;
+ AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);
diff --git a/Patches/LineageOS-16.0/android_system_bt/334268.patch b/Patches/LineageOS-16.0/android_system_bt/334268.patch
new file mode 100644
index 00000000..e641c061
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_bt/334268.patch
@@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Josh Wu +Date: Fri, 29 Apr 2022 00:02:23 -0700 +Subject: [PATCH] Security: Fix out of bound read in AT_SKIP_REST + +Bug: 220732646 +Test: build +Tag: #security +Ignore-AOSP-First: Security bug +Change-Id: Ia49f26e4979f9e57c448190a52d0d01b70e342c4 +(cherry picked from commit 4ce5a3c374fb5d24f367a202a6a3dcab4ba4dffd) +Merged-In: Ia49f26e4979f9e57c448190a52d0d01b70e342c4 +--- + bta/hf_client/bta_hf_client_at.cc | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc +index 2e5a68b1a..ecdf0daec 100644 +--- a/bta/hf_client/bta_hf_client_at.cc ++++ b/bta/hf_client/bta_hf_client_at.cc +@@ -787,9 +787,9 @@ void bta_hf_client_binp(tBTA_HF_CLIENT_CB* client_cb, char* number) { + } while (0) + + /* skip rest of AT string up to */ +-#define AT_SKIP_REST(buf) \ +- do { \ +- while (*(buf) != '\r') (buf)++; \ ++#define AT_SKIP_REST(buf) \ ++ do { \ ++ while (*(buf) != '\r' && *(buf) != '\0') (buf)++; \ + } while (0) + + static char* bta_hf_client_parse_ok(tBTA_HF_CLIENT_CB* client_cb, diff --git a/Patches/LineageOS-16.0/android_system_bt/335109.patch b/Patches/LineageOS-16.0/android_system_bt/335109.patch new file mode 100644 index 00000000..d965fa7f --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/335109.patch 
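Review bot: The comment above AT_SKIP_REST (334268.patch) still describes the old contract: with the added `*(buf) != '\0'` test the macro can now stop at the string terminator as well as at a carriage return. The comment should say so, e.g. `/* skip rest of AT string up to <CR> or the terminating NUL, whichever comes first */`. The macro's callers are outside the hunk; any of them that assumes `*buf == '\r'` after the macro and then steps over a line ending would move past the terminator, so they are worth checking against the new stop condition.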
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Roopa Sattiraju
+Date: Wed, 25 May 2022 21:00:01 +0000
+Subject: [PATCH] Removing bonded device when auth fails due to missing keys
+
+Bug: 231161832
+Test: Test against trying to connect using the same address
+Change-Id: I2a23440303758faf281989abdb2a614708f05d36
+Merged-In: I2a23440303758faf281989abdb2a614708f05d36
+(cherry picked from commit 21df1076a4b9c1d1bbe3f5ecb475fe0b7c1b8c2a)
+Merged-In: I2a23440303758faf281989abdb2a614708f05d36
+---
+ btif/src/btif_dm.cc | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/btif/src/btif_dm.cc b/btif/src/btif_dm.cc
+index f2347cc64..56d1cec7d 100644
+--- a/btif/src/btif_dm.cc
++++ b/btif/src/btif_dm.cc
+@@ -1163,14 +1163,12 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) {
+ break;
+
+ case HCI_ERR_PAIRING_NOT_ALLOWED:
+- btif_storage_remove_bonded_device(&bd_addr);
+ status = BT_STATUS_AUTH_REJECTED;
+ break;
+
+ /* map the auth failure codes, so we can retry pairing if necessary */
+ case HCI_ERR_AUTH_FAILURE:
+ case HCI_ERR_KEY_MISSING:
+- btif_storage_remove_bonded_device(&bd_addr);
+ case HCI_ERR_HOST_REJECT_SECURITY:
+ case HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE:
+ case HCI_ERR_UNIT_KEY_USED:
+@@ -1200,7 +1198,6 @@ static void btif_dm_auth_cmpl_evt(tBTA_DM_AUTH_CMPL* p_auth_cmpl) {
+ /* Remove Device as bonded in nvram as authentication failed */
+ BTIF_TRACE_DEBUG("%s(): removing hid pointing device from nvram",
+ __func__);
+- btif_storage_remove_bonded_device(&bd_addr);
+ }
+ bond_state_changed(status, bd_addr, state);
+ }
diff --git a/Patches/LineageOS-16.0/android_system_bt/338350.patch b/Patches/LineageOS-16.0/android_system_bt/338350.patch
new file mode 100644
index 00000000..79c9fec2
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_bt/338350.patch
@@ -0,0 +1,114 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Chienyuan +Date: Tue, 12 Feb 2019 16:01:00 +0800 +Subject: [PATCH] Fix OOB in bnep_is_packet_allowed + +Bug: 112050983 +Test: PoC +Change-Id: I5d331f46cdba86c8e61de206a2ede1d2b348d7e4 +(cherry picked from commit 230f252b8a1a1073ec1a4081545b2ff62393d16d) +CRs-Fixed: 3155069 +--- + stack/bnep/bnep_api.cc | 13 +++++++++++-- + stack/bnep/bnep_int.h | 4 ++-- + stack/bnep/bnep_utils.cc | 12 +++++++++++- + 3 files changed, 24 insertions(+), 5 deletions(-) + +diff --git a/stack/bnep/bnep_api.cc b/stack/bnep/bnep_api.cc +index 0e7b69208..aaa97603f 100644 +--- a/stack/bnep/bnep_api.cc ++++ b/stack/bnep/bnep_api.cc +@@ -349,7 +349,7 @@ tBNEP_RESULT BNEP_WriteBuf(uint16_t handle, const RawAddress& p_dest_addr, + /* Check if the packet should be filtered out */ + p_data = (uint8_t*)(p_buf + 1) + p_buf->offset; + if (bnep_is_packet_allowed(p_bcb, p_dest_addr, protocol, fw_ext_present, +- p_data) != BNEP_SUCCESS) { ++ p_data, p_buf->len) != BNEP_SUCCESS) { + /* + ** If packet is filtered and ext headers are present + ** drop the data and forward the ext headers +@@ -361,6 +361,11 @@ tBNEP_RESULT BNEP_WriteBuf(uint16_t handle, const RawAddress& p_dest_addr, + org_len = p_buf->len; + new_len = 0; + do { ++ if ((new_len + 2) > org_len) { ++ osi_free(p_buf); ++ return BNEP_IGNORE_CMD; ++ } ++ + ext = *p_data++; + length = *p_data++; + p_data += length; +@@ -448,7 +453,7 @@ tBNEP_RESULT BNEP_Write(uint16_t handle, const RawAddress& p_dest_addr, + + /* Check if the packet should be filtered out */ + if (bnep_is_packet_allowed(p_bcb, p_dest_addr, protocol, fw_ext_present, +- p_data) != BNEP_SUCCESS) { ++ p_data, len) != BNEP_SUCCESS) { + /* + ** If packet is filtered and ext headers are present + ** drop the data and forward the ext headers +@@ -461,6 +466,10 @@ tBNEP_RESULT BNEP_Write(uint16_t handle, const RawAddress& p_dest_addr, + new_len = 0; + p = p_data; + do { ++ if ((new_len + 2) > 
org_len) { ++ return BNEP_IGNORE_CMD; ++ } ++ + ext = *p_data++; + length = *p_data++; + p_data += length; +diff --git a/stack/bnep/bnep_int.h b/stack/bnep/bnep_int.h +index 2587147cc..5bba15da8 100644 +--- a/stack/bnep/bnep_int.h ++++ b/stack/bnep/bnep_int.h +@@ -229,7 +229,7 @@ extern void bnep_sec_check_complete(const RawAddress* bd_addr, + extern tBNEP_RESULT bnep_is_packet_allowed(tBNEP_CONN* p_bcb, + const RawAddress& p_dest_addr, + uint16_t protocol, +- bool fw_ext_present, +- uint8_t* p_data); ++ bool fw_ext_present, uint8_t* p_data, ++ uint16_t org_len); + + #endif +diff --git a/stack/bnep/bnep_utils.cc b/stack/bnep/bnep_utils.cc +index 48fd5d12b..f8c0203a9 100644 +--- a/stack/bnep/bnep_utils.cc ++++ b/stack/bnep/bnep_utils.cc +@@ -1259,23 +1259,33 @@ void bnep_sec_check_complete(UNUSED_ATTR const RawAddress* bd_addr, + tBNEP_RESULT bnep_is_packet_allowed(tBNEP_CONN* p_bcb, + const RawAddress& p_dest_addr, + uint16_t protocol, bool fw_ext_present, +- uint8_t* p_data) { ++ uint8_t* p_data, uint16_t org_len) { + if (p_bcb->rcvd_num_filters) { + uint16_t i, proto; + + /* Findout the actual protocol to check for the filtering */ + proto = protocol; + if (proto == BNEP_802_1_P_PROTOCOL) { ++ uint16_t new_len = 0; + if (fw_ext_present) { + uint8_t len, ext; + /* parse the extension headers and findout actual protocol */ + do { ++ if ((new_len + 2) > org_len) { ++ return BNEP_IGNORE_CMD; ++ } ++ + ext = *p_data++; + len = *p_data++; + p_data += len; + ++ new_len += (len + 2); ++ + } while (ext & 0x80); + } ++ if ((new_len + 4) > org_len) { ++ return BNEP_IGNORE_CMD; ++ } + p_data += 2; + BE_STREAM_TO_UINT16(proto, p_data); + } diff --git a/Patches/LineageOS-16.0/android_system_bt/338351.patch b/Patches/LineageOS-16.0/android_system_bt/338351.patch new file mode 100644 index 00000000..d83b9239 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/338351.patch 
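Review bot: The bounds checks added in 338350.patch use bare `2` and `4` in three places (BNEP_WriteBuf, BNEP_Write and bnep_is_packet_allowed) with no explanation. A comment such as `// 2 == extension type octet + extension length octet` on the loop checks, and `// 4 == two skipped octets + 16-bit protocol field` on the final check in bnep_is_packet_allowed, would tie each number to the reads that follow it. The loops in BNEP_WriteBuf and BNEP_Write advance `p_data` by `length` before the next check, and the code after those loops is outside the hunks, so whether an oversized final `length` is caught there cannot be confirmed from here. These rejections also return BNEP_IGNORE_CMD without a trace line, unlike the short-length checks added by 338351.patch.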
@@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chienyuan
+Date: Wed, 30 Jan 2019 19:17:03 +0800
+Subject: [PATCH] Fix OOB in BNEP_Write
+
+Bug: 112050583
+Test: PoC
+Change-Id: I2ad3aceea38950b83f98819ede47538afb053ac0
+(cherry picked from commit b31554e2a31534888c0eb593d915f735ce4670c7)
+CRs-Fixed: 3155069
+---
+ stack/bnep/bnep_api.cc | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/stack/bnep/bnep_api.cc b/stack/bnep/bnep_api.cc
+index aaa97603f..56551d4e9 100644
+--- a/stack/bnep/bnep_api.cc
++++ b/stack/bnep/bnep_api.cc
+@@ -340,10 +340,15 @@ tBNEP_RESULT BNEP_WriteBuf(uint16_t handle, const RawAddress& p_dest_addr,
+ p_bcb = &(bnep_cb.bcb[handle - 1]);
+ /* Check MTU size */
+ if (p_buf->len > BNEP_MTU_SIZE) {
+- BNEP_TRACE_ERROR("BNEP_Write() length %d exceeded MTU %d", p_buf->len,
++ BNEP_TRACE_ERROR("%s length %d exceeded MTU %d", __func__, p_buf->len,
+ BNEP_MTU_SIZE);
+ osi_free(p_buf);
+ return (BNEP_MTU_EXCEDED);
++ } else if (p_buf->len < 2) {
++ BNEP_TRACE_ERROR("%s length %d too short, must be at least 2", __func__,
++ p_buf->len);
++ osi_free(p_buf);
++ return BNEP_IGNORE_CMD;
+ }
+
+ /* Check if the packet should be filtered out */
+@@ -442,9 +447,13 @@ tBNEP_RESULT BNEP_Write(uint16_t handle, const RawAddress& p_dest_addr,
+
+ /* Check MTU size. Consider the possibility of having extension headers */
+ if (len > BNEP_MTU_SIZE) {
+- BNEP_TRACE_ERROR("BNEP_Write() length %d exceeded MTU %d", len,
++ BNEP_TRACE_ERROR("%s length %d exceeded MTU %d", __func__, len,
+ BNEP_MTU_SIZE);
+ return (BNEP_MTU_EXCEDED);
++ } else if (len < 2) {
++ BNEP_TRACE_ERROR("%s length %d too short, must be at least 2", __func__,
++ len);
++ return BNEP_IGNORE_CMD;
+ }
+
+ if ((!handle) || (handle > BNEP_MAX_CONNECTIONS)) return (BNEP_WRONG_HANDLE);
diff --git a/Patches/LineageOS-16.0/android_system_bt/338352.patch b/Patches/LineageOS-16.0/android_system_bt/338352.patch new file mode 100644 index 00000000..04b3ebef --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/338352.patch @@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Venkata Jagadeesh Garaga +Date: Tue, 22 Mar 2022 13:35:43 +0530 +Subject: [PATCH] Fix OOB in reassemble_and_dispatch + +Fix OOB while reading L2cap length in HCI pkt + +Change-Id: I7f32b171e8c68b9724f95fcf2327959539e2d0d5 +CRs-Fixed: 3155132 +--- + hci/src/packet_fragmenter.cc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hci/src/packet_fragmenter.cc b/hci/src/packet_fragmenter.cc +index 87d1df596..a945c24a3 100644 +--- a/hci/src/packet_fragmenter.cc ++++ b/hci/src/packet_fragmenter.cc +@@ -125,12 +125,10 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) { + if ((packet->event & MSG_EVT_MASK) == MSG_HC_TO_STACK_HCI_ACL) { + uint8_t* stream = packet->data; + uint16_t handle; +- uint16_t l2cap_length; + uint16_t acl_length; + + STREAM_TO_UINT16(handle, stream); + STREAM_TO_UINT16(acl_length, stream); +- STREAM_TO_UINT16(l2cap_length, stream); + + CHECK(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE); + +@@ -165,6 +163,9 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) { + return; + } + ++ uint16_t l2cap_length; ++ STREAM_TO_UINT16(l2cap_length, stream); ++ + uint16_t full_length = + l2cap_length + L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE; + diff --git a/Patches/LineageOS-16.0/android_system_bt/342097.patch b/Patches/LineageOS-16.0/android_system_bt/342097.patch new file mode 100644 index 00000000..4550ed9d --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/342097.patch 
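Review bot: The relocated `STREAM_TO_UINT16(l2cap_length, stream);` in reassemble_and_dispatch (338352.patch) is only safe if the branch that returns just above it has already rejected packets too short to hold the two-octet L2CAP length, and that condition lies outside the hunk. A comment at the new position stating the precondition, for example `// the length check above guarantees the L2CAP length field is present`, would stop a later edit from moving the read back above the check; confirm it against the full function before adding it. The commit message carries no Bug or Test line, so it is not evident how the fix was exercised.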
@@ -0,0 +1,133 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ted Wang +Date: Fri, 1 Apr 2022 11:22:34 +0800 +Subject: [PATCH] Fix potential interger overflow when parsing vendor response + +Add check for str_len to prevent potential OOB read in vendor response. + +Bug: 205570663 +Tag: #security +Test: net_test_stack:StackAvrcpTest +Ignore-AOSP-First: Security +Change-Id: Iea2c3e17c2c8cc56468c4456822e1c4c5c15f5bc +Merged-In: Iea2c3e17c2c8cc56468c4456822e1c4c5c15f5bc +(cherry picked from commit 96ef1fc9cbe38f1224b4e4a2dca3ecfb44a6aece) +Merged-In: Iea2c3e17c2c8cc56468c4456822e1c4c5c15f5bc +--- + stack/avrc/avrc_pars_ct.cc | 19 ++++++++++--- + stack/test/stack_avrcp_test.cc | 50 ++++++++++++++++++++++++++++++++++ + 2 files changed, 65 insertions(+), 4 deletions(-) + +diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc +index 1ab547913..3ea798f38 100644 +--- a/stack/avrc/avrc_pars_ct.cc ++++ b/stack/avrc/avrc_pars_ct.cc +@@ -228,7 +228,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, + } + BE_STREAM_TO_UINT8(pdu, p); + uint16_t pkt_len; +- int min_len = 0; ++ uint16_t min_len = 0; + /* read the entire packet len */ + BE_STREAM_TO_UINT16(pkt_len, p); + +@@ -371,8 +371,14 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, + /* Parse the name now */ + BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p); + BE_STREAM_TO_UINT16(attr_entry->name.str_len, p); ++ if (static_cast(min_len + attr_entry->name.str_len) < ++ min_len) { ++ // Check for overflow ++ android_errorWriteLog(0x534e4554, "205570663"); ++ } ++ if (pkt_len - min_len < attr_entry->name.str_len) ++ goto browse_length_error; + min_len += attr_entry->name.str_len; +- if (pkt_len < min_len) goto browse_length_error; + attr_entry->name.p_str = (uint8_t*)osi_malloc( + attr_entry->name.str_len * sizeof(uint8_t)); + BE_STREAM_TO_ARRAY(p, attr_entry->name.p_str, +@@ -775,8 +781,12 @@ static tAVRC_STS 
avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, + BE_STREAM_TO_UINT32(p_attrs[i].attr_id, p); + BE_STREAM_TO_UINT16(p_attrs[i].name.charset_id, p); + BE_STREAM_TO_UINT16(p_attrs[i].name.str_len, p); +- min_len += p_attrs[i].name.str_len; +- if (len < min_len) { ++ if (static_cast(min_len + p_attrs[i].name.str_len) < ++ min_len) { ++ // Check for overflow ++ android_errorWriteLog(0x534e4554, "205570663"); ++ } ++ if (len - min_len < p_attrs[i].name.str_len) { + for (int j = 0; j < i; j++) { + osi_free(p_attrs[j].name.p_str); + } +@@ -784,6 +794,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, + p_result->get_attrs.num_attrs = 0; + goto length_error; + } ++ min_len += p_attrs[i].name.str_len; + if (p_attrs[i].name.str_len > 0) { + p_attrs[i].name.p_str = + (uint8_t*)osi_calloc(p_attrs[i].name.str_len); +diff --git a/stack/test/stack_avrcp_test.cc b/stack/test/stack_avrcp_test.cc +index d3a51658d..bca30cd1c 100644 +--- a/stack/test/stack_avrcp_test.cc ++++ b/stack/test/stack_avrcp_test.cc +@@ -27,6 +27,56 @@ class StackAvrcpTest : public ::testing::Test { + virtual ~StackAvrcpTest() = default; + }; + ++TEST_F(StackAvrcpTest, test_avrcp_ctrl_parse_vendor_rsp) { ++ uint8_t scratch_buf[512]{}; ++ uint16_t scratch_buf_len = 512; ++ tAVRC_MSG msg{}; ++ tAVRC_RESPONSE result{}; ++ uint8_t vendor_rsp_buf[512]{}; ++ ++ msg.hdr.opcode = AVRC_OP_VENDOR; ++ msg.hdr.ctype = AVRC_CMD_STATUS; ++ ++ memset(vendor_rsp_buf, 0, sizeof(vendor_rsp_buf)); ++ vendor_rsp_buf[0] = AVRC_PDU_GET_ELEMENT_ATTR; ++ uint8_t* p = &vendor_rsp_buf[2]; ++ UINT16_TO_BE_STREAM(p, 0x0009); // parameter length ++ UINT8_TO_STREAM(p, 0x01); // number of attributes ++ UINT32_TO_STREAM(p, 0x00000000); // attribute ID ++ UINT16_TO_STREAM(p, 0x0000); // character set ID ++ UINT16_TO_STREAM(p, 0xffff); // attribute value length ++ msg.vendor.p_vendor_data = vendor_rsp_buf; ++ msg.vendor.vendor_len = 13; ++ EXPECT_EQ( ++ AVRC_Ctrl_ParsResponse(&msg, &result, scratch_buf, 
&scratch_buf_len), ++ AVRC_STS_INTERNAL_ERR); ++} ++ ++TEST_F(StackAvrcpTest, test_avrcp_parse_browse_rsp) { ++ uint8_t scratch_buf[512]{}; ++ uint16_t scratch_buf_len = 512; ++ tAVRC_MSG msg{}; ++ tAVRC_RESPONSE result{}; ++ uint8_t browse_rsp_buf[512]{}; ++ ++ msg.hdr.opcode = AVRC_OP_BROWSE; ++ ++ memset(browse_rsp_buf, 0, sizeof(browse_rsp_buf)); ++ browse_rsp_buf[0] = AVRC_PDU_GET_ITEM_ATTRIBUTES; ++ uint8_t* p = &browse_rsp_buf[1]; ++ UINT16_TO_BE_STREAM(p, 0x000a); // parameter length; ++ UINT8_TO_STREAM(p, 0x04); // status ++ UINT8_TO_STREAM(p, 0x01); // number of attribute ++ UINT32_TO_STREAM(p, 0x00000000); // attribute ID ++ UINT16_TO_STREAM(p, 0x0000); // character set ID ++ UINT16_TO_STREAM(p, 0xffff); // attribute value length ++ msg.browse.p_browse_data = browse_rsp_buf; ++ msg.browse.browse_len = 13; ++ EXPECT_EQ( ++ AVRC_Ctrl_ParsResponse(&msg, &result, scratch_buf, &scratch_buf_len), ++ AVRC_STS_BAD_CMD); ++} ++ + TEST_F(StackAvrcpTest, test_avrcp_parse_browse_cmd) { + uint8_t scratch_buf[512]{}; + tAVRC_MSG msg{}; diff --git a/Patches/LineageOS-16.0/android_system_bt/344184.patch b/Patches/LineageOS-16.0/android_system_bt/344184.patch new file mode 100644 index 00000000..5e0706c3 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/344184.patch 
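Review bot: In both avrc_pars_browse_rsp and avrc_ctrl_pars_vendor_rsp the block commented `// Check for overflow` only calls `android_errorWriteLog` and then falls through. The packet is actually rejected by the following `pkt_len - min_len < ...str_len` and `len - min_len < ...str_len` comparisons, which work because the uint16_t operands are promoted to int before the subtraction. That dependency deserves a comment such as `// log only; the subtraction check below rejects the packet`, or the branch could reject directly. In the new tests the multi-byte fields are written with `UINT32_TO_STREAM`/`UINT16_TO_STREAM` while the parser reads them with `BE_STREAM_TO_*`; the values 0 and 0xffff hide the byte-order difference, so `UINT16_TO_BE_STREAM` would be the safer helper for the length field.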
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Fri, 12 Aug 2022 17:26:19 +0000
+Subject: [PATCH] Add negative length check in process_service_search_rsp
+
+Bug: 225876506
+Test: run supplied POC (updated to Android T)
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca
+(cherry picked from commit 18d69eb958493d4879786e2edb42ff4e60334a2f)
+Merged-In: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca
+---
+ stack/sdp/sdp_discovery.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
+index 0c99495fc..420259800 100644
+--- a/stack/sdp/sdp_discovery.cc
++++ b/stack/sdp/sdp_discovery.cc
+@@ -292,7 +292,7 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+
+ orig = p_ccb->num_handles;
+ p_ccb->num_handles += cur_handles;
+- if (p_ccb->num_handles == 0) {
++ if (p_ccb->num_handles == 0 || p_ccb->num_handles < orig) {
+ SDP_TRACE_WARNING("SDP - Rcvd ServiceSearchRsp, no matches");
+ sdp_disconnect(p_ccb, SDP_NO_RECS_MATCH);
+ return;
diff --git a/Patches/LineageOS-16.0/android_system_bt/344185.patch b/Patches/LineageOS-16.0/android_system_bt/344185.patch
new file mode 100644
index 00000000..08410794
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_bt/344185.patch
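Review bot: The added `p_ccb->num_handles < orig` case detects a wrapped counter but takes the same path as an empty result: it logs "SDP - Rcvd ServiceSearchRsp, no matches" and disconnects with SDP_NO_RECS_MATCH. A separate branch with its own message, for example `SDP_TRACE_WARNING("SDP - ServiceSearchRsp handle count wrapped");`, would let logs tell a malformed response from a legitimate empty one. The test also runs after `p_ccb->num_handles += cur_handles` has stored the wrapped value, which is harmless only if the disconnect path never reads it; that path is outside the hunk.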
@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Sat, 13 Aug 2022 02:01:14 +0000
+Subject: [PATCH] Add buffer in pin_reply in bluetooth.cc
+
+Bug: 228602963
+Test: make
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I2a2c9a106a485c319841491f7acc2d667e4d0e75
+(cherry picked from commit 0dc1c1c34961822f2f3f0a1e8e0b4819c823951b)
+Merged-In: I2a2c9a106a485c319841491f7acc2d667e4d0e75
+---
+ btif/src/bluetooth.cc | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
+index 6fc418bdb..fa695e323 100644
+--- a/btif/src/bluetooth.cc
++++ b/btif/src/bluetooth.cc
+@@ -293,10 +293,12 @@ static int get_connection_state(const RawAddress* bd_addr) {
+
+ static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len,
+ bt_pin_code_t* pin_code) {
++ bt_pin_code_t tmp_pin_code;
+ /* sanity check */
+ if (!interface_ready()) return BT_STATUS_NOT_READY;
+
+- return btif_dm_pin_reply(bd_addr, accept, pin_len, pin_code);
++ memcpy(&tmp_pin_code, pin_code, pin_len);
++ return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code);
+ }
+
+ static int ssp_reply(const RawAddress* bd_addr, bt_ssp_variant_t variant,
diff --git a/Patches/LineageOS-16.0/android_system_bt/345914.patch b/Patches/LineageOS-16.0/android_system_bt/345914.patch
new file mode 100644
index 00000000..0832278e
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_bt/345914.patch
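Review bot: The new `memcpy(&tmp_pin_code, pin_code, pin_len);` copies a caller-supplied length into a fixed-size stack object with no upper bound, and it dereferences `pin_code` without a null check. A guard belongs in front of the copy: `if (pin_code == nullptr || pin_len > sizeof(tmp_pin_code)) return BT_STATUS_FAIL;`. `tmp_pin_code` is also left uninitialised beyond the first `pin_len` bytes, so declaring it as `bt_pin_code_t tmp_pin_code = {};` avoids handing stale stack contents to btif_dm_pin_reply.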
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ted Wang
+Date: Thu, 4 Aug 2022 09:41:24 +0800
+Subject: [PATCH] Add length check when copy AVDTP packet
+
+Bug: 232023771
+Test: make
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
+Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
+(cherry picked from commit 07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f)
+Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
+---
+ stack/avdt/avdt_msg.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
+index cf517d125..e1ba9aefb 100644
+--- a/stack/avdt/avdt_msg.cc
++++ b/stack/avdt/avdt_msg.cc
+@@ -1223,6 +1223,10 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
+ * would have allocated smaller buffer.
+ */
+ p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
++ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
++ android_errorWriteLog(0x534e4554, "232023771");
++ return NULL;
++ }
+ memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
+
+ /* Free original buffer */
diff --git a/Patches/LineageOS-16.0/android_system_bt/345915.patch b/Patches/LineageOS-16.0/android_system_bt/345915.patch
new file mode 100644
index 00000000..1508b754
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_bt/345915.patch
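Review bot: The size check is placed after `p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);`, so the rejected path returns NULL with a fresh, unfilled buffer left in `p_ccb->p_rx_msg`. It also returns without releasing `p_buf`, which the "Free original buffer" comment just below suggests this function normally frees. Moving the check above the allocation and adding `osi_free(p_buf);` before the return addresses both; 345917.patch later on this page makes that change. avdt_msg_asmbl starts and ends outside the hunk.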
@@ -0,0 +1,42 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Thu, 25 Aug 2022 18:52:28 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Added max buffer length check + +Bug: 230867224 +Test: Manual -- paired Bluetooth headset and played audio +Tags: #security +Ignore-AOSP-First: Security +Change-Id: I740038288143715a1c06db781efd674b269a7f3e +(cherry picked from commit 769f55450bd2eb94ddb9080f730e404de7716bda) +Merged-In: I740038288143715a1c06db781efd674b269a7f3e +--- + stack/avct/avct_lcb_act.cc | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/stack/avct/avct_lcb_act.cc b/stack/avct/avct_lcb_act.cc +index faa098b80..81ae79d63 100644 +--- a/stack/avct/avct_lcb_act.cc ++++ b/stack/avct/avct_lcb_act.cc +@@ -30,6 +30,7 @@ + #include "bt_types.h" + #include "bt_utils.h" + #include "btm_api.h" ++#include "osi/include/log.h" + #include "osi/include/osi.h" + + /* packet header length lookup table */ +@@ -58,7 +59,12 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) { + pkt_type = AVCT_PKT_TYPE(p); + + /* quick sanity check on length */ +- if (p_buf->len < avct_lcb_pkt_type_len[pkt_type]) { ++ if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] || ++ (sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) { ++ if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) > ++ BT_DEFAULT_BUFFER_SIZE) { ++ android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0); ++ } + osi_free(p_buf); + AVCT_TRACE_WARNING("Bad length during reassembly"); + p_ret = NULL; diff --git a/Patches/LineageOS-16.0/android_system_bt/345916.patch b/Patches/LineageOS-16.0/android_system_bt/345916.patch new file mode 100644 index 00000000..0a459b6c --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/345916.patch 
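Review bot: The oversize expression `(sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE` is written twice in avct_lcb_msg_asmbl, once in the outer condition and again to decide whether to log. Computing it once, `const bool too_big = sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE;`, and testing `too_big` in both places keeps the two from diverging. The shared "Bad length during reassembly" warning does not say which of the two conditions fired, so a distinct message for the oversize case would help triage.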
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Thu, 25 Aug 2022 20:39:08 +0000
+Subject: [PATCH] Add missing increment in bnep_api.cc
+
+Bug: 228450451
+Test: manual, pair BT and play audio
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I681878508feae3d0526ed3e928af7a415e7d5c36
+(cherry picked from commit 0fa54c7d8a2c061202e61d75b805661c1e89a76d)
+Merged-In: I681878508feae3d0526ed3e928af7a415e7d5c36
+---
+ stack/bnep/bnep_api.cc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/stack/bnep/bnep_api.cc b/stack/bnep/bnep_api.cc
+index 56551d4e9..1f2cfc905 100644
+--- a/stack/bnep/bnep_api.cc
++++ b/stack/bnep/bnep_api.cc
+@@ -259,6 +259,7 @@ tBNEP_RESULT BNEP_ConnectResp(uint16_t handle, tBNEP_RESULT resp) {
+ p = (uint8_t*)(p_bcb->p_pending_data + 1) + p_bcb->p_pending_data->offset;
+ while (extension_present && p && rem_len) {
+ ext_type = *p++;
++ rem_len--;
+ extension_present = ext_type >> 7;
+ ext_type &= 0x7F;
+
diff --git a/Patches/LineageOS-16.0/android_system_bt/345917.patch b/Patches/LineageOS-16.0/android_system_bt/345917.patch
new file mode 100644
index 00000000..16e5b9bd
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_bt/345917.patch
@@ -0,0 +1,66 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Keith Mok +Date: Tue, 16 Aug 2022 21:41:03 +0000 +Subject: [PATCH] Add length check when copy AVDT and AVCT packet + +Previous fix for AVDT causing memory leak. +And missing similar fix for AVCT packet. + +Bug: 232023771 +Test: make +Tag: #security +Ignore-AOSP-First: Security +Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90 +Change-Id: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90 +(cherry picked from commit a4311b284639bbd2c6c2c72d35d8444d40fb2d12) +Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90 +--- + stack/avct/avct_lcb_act.cc | 8 +++++++- + stack/avdt/avdt_msg.cc | 6 ++++-- + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/stack/avct/avct_lcb_act.cc b/stack/avct/avct_lcb_act.cc +index 81ae79d63..28f378138 100644 +--- a/stack/avct/avct_lcb_act.cc ++++ b/stack/avct/avct_lcb_act.cc +@@ -85,13 +85,19 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) { + if (p_lcb->p_rx_msg != NULL) + AVCT_TRACE_WARNING("Got start during reassembly"); + +- osi_free(p_lcb->p_rx_msg); ++ osi_free_and_reset((void**)&p_lcb->p_rx_msg); + + /* + * Allocate bigger buffer for reassembly. As lower layers are + * not aware of possible packet size after reassembly, they + * would have allocated smaller buffer. 
+ */ ++ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) { ++ android_errorWriteLog(0x534e4554, "232023771"); ++ osi_free(p_buf); ++ p_ret = NULL; ++ return p_ret; ++ } + p_lcb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE); + memcpy(p_lcb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len); + +diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc +index e1ba9aefb..453e18642 100644 +--- a/stack/avdt/avdt_msg.cc ++++ b/stack/avdt/avdt_msg.cc +@@ -1222,11 +1222,13 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) { + * not aware of possible packet size after reassembly, they + * would have allocated smaller buffer. + */ +- p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE); + if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) { + android_errorWriteLog(0x534e4554, "232023771"); +- return NULL; ++ osi_free(p_buf); ++ p_ret = NULL; ++ return p_ret; + } ++ p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE); + memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len); + + /* Free original buffer */ diff --git a/Patches/LineageOS-16.0/android_system_bt/345918.patch b/Patches/LineageOS-16.0/android_system_bt/345918.patch new file mode 100644 index 00000000..b12ee4fb --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/345918.patch 
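Review bot: In avct_lcb_msg_asmbl the size test added to the start-packet branch repeats the condition that 345915.patch already put into the "quick sanity check on length" at the top of the function; this patch's index line `81ae79d63` is that patch's result. With both applied the new branch looks unreachable, so its `android_errorWriteLog(0x534e4554, "232023771")` would not fire unless `p_buf->offset` or `p_buf->len` change in between, which the hunk does not show. If it is kept as defence in depth, a comment saying so would help. `p_ret = NULL; return p_ret;` in both files can be written `return NULL;`.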
@@ -0,0 +1,133 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Keith Mok +Date: Mon, 22 Aug 2022 19:44:10 +0000 +Subject: [PATCH] Fix integer overflow when parsing avrc response + +Convert min_len from 16 bits to 32 bits to avoid +length checking overflow. +Also, use calloc instead of malloc for list allocation +since caller need to clean up string memory in the list items + +Bug: 242459126 +Test: fuzz_avrc +Tag: #security +Ignore-AOSP-First: Security +Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4 +Change-Id: I7250509f2b320774926a8b24fd28828c5217d8a4 +(cherry picked from commit a593687d6ad3978f48e2aa7be57d8239acdfa501) +Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4 +--- + stack/avdt/avdt_scb_act.cc | 2 +- + stack/avrc/avrc_pars_ct.cc | 29 +++++++++-------------------- + 2 files changed, 10 insertions(+), 21 deletions(-) + +diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc +index 9ff926509..31745bb2f 100644 +--- a/stack/avdt/avdt_scb_act.cc ++++ b/stack/avdt/avdt_scb_act.cc +@@ -308,7 +308,7 @@ uint8_t* avdt_scb_hdl_report(AvdtpScb* p_scb, uint8_t* p, uint16_t len) { + uint8_t* p_start = p; + uint32_t ssrc; + uint8_t o_v, o_p, o_cc; +- uint16_t min_len = 0; ++ uint32_t min_len = 0; + AVDT_REPORT_TYPE pt; + tAVDT_REPORT_DATA report; + +diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc +index 3ea798f38..4e77a575d 100644 +--- a/stack/avrc/avrc_pars_ct.cc ++++ b/stack/avrc/avrc_pars_ct.cc +@@ -141,7 +141,7 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, + + tAVRC_STS avrc_parse_notification_rsp(uint8_t* p_stream, uint16_t len, + tAVRC_REG_NOTIF_RSP* p_rsp) { +- uint16_t min_len = 1; ++ uint32_t min_len = 1; + + if (len < min_len) goto length_error; + BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream); +@@ -228,7 +228,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, + } + BE_STREAM_TO_UINT8(pdu, p); + uint16_t pkt_len; +- uint16_t min_len = 0; ++ uint32_t 
min_len = 0; + /* read the entire packet len */ + BE_STREAM_TO_UINT16(pkt_len, p); + +@@ -270,7 +270,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, + get_item_rsp->uid_counter, get_item_rsp->item_count); + + /* get each of the items */ +- get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_malloc( ++ get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_calloc( + get_item_rsp->item_count * (sizeof(tAVRC_ITEM))); + tAVRC_ITEM* curr_item = get_item_rsp->p_item_list; + for (int i = 0; i < get_item_rsp->item_count; i++) { +@@ -360,7 +360,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, + __func__, media->type, media->name.charset_id, + media->name.str_len, media->attr_count); + +- media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_malloc( ++ media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_calloc( + media->attr_count * sizeof(tAVRC_ATTR_ENTRY)); + for (int jk = 0; jk < media->attr_count; jk++) { + tAVRC_ATTR_ENTRY* attr_entry = &(media->p_attr_list[jk]); +@@ -371,14 +371,8 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, + /* Parse the name now */ + BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p); + BE_STREAM_TO_UINT16(attr_entry->name.str_len, p); +- if (static_cast(min_len + attr_entry->name.str_len) < +- min_len) { +- // Check for overflow +- android_errorWriteLog(0x534e4554, "205570663"); +- } +- if (pkt_len - min_len < attr_entry->name.str_len) +- goto browse_length_error; + min_len += attr_entry->name.str_len; ++ if (pkt_len < min_len) goto browse_length_error; + attr_entry->name.p_str = (uint8_t*)osi_malloc( + attr_entry->name.str_len * sizeof(uint8_t)); + BE_STREAM_TO_ARRAY(p, attr_entry->name.p_str, +@@ -447,7 +441,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, + __func__, set_br_pl_rsp->status, set_br_pl_rsp->num_items, + set_br_pl_rsp->charset_id, set_br_pl_rsp->folder_depth); + +- set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_malloc( ++ set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_calloc( + 
set_br_pl_rsp->num_items * sizeof(tAVRC_NAME)); + + /* Read each of the folder in the depth */ +@@ -507,7 +501,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, + p++; /* skip the reserved/packe_type byte */ + + uint16_t len; +- uint16_t min_len = 0; ++ uint32_t min_len = 0; + BE_STREAM_TO_UINT16(len, p); + AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d vendor_len=0x%x", __func__, + p_msg->hdr.ctype, p_result->pdu, len, p_msg->vendor_len); +@@ -781,12 +775,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, + BE_STREAM_TO_UINT32(p_attrs[i].attr_id, p); + BE_STREAM_TO_UINT16(p_attrs[i].name.charset_id, p); + BE_STREAM_TO_UINT16(p_attrs[i].name.str_len, p); +- if (static_cast(min_len + p_attrs[i].name.str_len) < +- min_len) { +- // Check for overflow +- android_errorWriteLog(0x534e4554, "205570663"); +- } +- if (len - min_len < p_attrs[i].name.str_len) { ++ min_len += p_attrs[i].name.str_len; ++ if (len < min_len) { + for (int j = 0; j < i; j++) { + osi_free(p_attrs[j].name.p_str); + } +@@ -794,7 +784,6 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, + p_result->get_attrs.num_attrs = 0; + goto length_error; + } +- min_len += p_attrs[i].name.str_len; + if (p_attrs[i].name.str_len > 0) { + p_attrs[i].name.p_str = + (uint8_t*)osi_calloc(p_attrs[i].name.str_len); diff --git a/Patches/LineageOS-16.0/android_system_bt/347127.patch b/Patches/LineageOS-16.0/android_system_bt/347127.patch new file mode 100644 index 00000000..6cf1fd6a --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/347127.patch 
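Review bot: After this change the browse path still allocates the attribute name with `osi_malloc(attr_entry->name.str_len * sizeof(uint8_t))`, and does so even when `str_len` is 0, while avrc_ctrl_pars_vendor_rsp guards the same step with `if (p_attrs[i].name.str_len > 0)` and uses `osi_calloc`. Making the two paths agree would match the commit's stated reason for switching the list allocations to calloc. Reverting the explicit checks also drops the `android_errorWriteLog(0x534e4554, "205570663")` call, so rejected packets are no longer reported; if that is intended the description should say so. The fix relies on `min_len` being wider than the uint16_t `pkt_len`/`len`, so a comment at each `uint32_t min_len` declaration would stop a later cleanup from narrowing it again.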
@@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Raghavender Reddy Bujala +Date: Thu, 2 Dec 2021 16:04:19 +0530 +Subject: [PATCH] BT: Once AT command is retrieved, return from method. + +- Observed SIGSEV issue in Defensics, when received +buf is more than BTA_HF_CLIENT_AT_PARSER_MAX_LEN. + +- Commented recover cut data, after AT command is +retrieved because leftover data/buf is more than +BTA_HF_CLIENT_AT_PARSER_MAX_LEN and leading to +offset corruption. + +CRs-Fixed: 3052411 +Change-Id: I6375d00eebfbf97ffc40456622a6d39e4388f4b2 +--- + bta/hf_client/bta_hf_client_at.cc | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc +index ecdf0daec..8c285fbe7 100644 +--- a/bta/hf_client/bta_hf_client_at.cc ++++ b/bta/hf_client/bta_hf_client_at.cc +@@ -1615,9 +1615,13 @@ void bta_hf_client_at_parse(tBTA_HF_CLIENT_CB* client_cb, char* buf, + bta_hf_client_at_parse_start(client_cb); + bta_hf_client_at_clear_buf(client_cb); + +- /* recover cut data */ +- memcpy(client_cb->at_cb.buf, tmp_buff, tmp); +- client_cb->at_cb.offset += tmp; ++ /* TODO: recover cut data */ ++ // memcpy(client_cb->at_cb.buf, tmp_buff, tmp); ++ // client_cb->at_cb.offset += tmp; ++ // Observed SIGSEV issue in Defensics, when received buf is more than ++ // BTA_HF_CLIENT_AT_PARSER_MAX_LEN. ++ // Assuming to return from here, Once AT command is retrieved. ++ return; + } + + memcpy(client_cb->at_cb.buf + client_cb->at_cb.offset, buf, len); diff --git a/Patches/LineageOS-16.0/android_system_bt/347128.patch b/Patches/LineageOS-16.0/android_system_bt/347128.patch new file mode 100644 index 00000000..e3800917 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/347128.patch 
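Review bot: The fix disables the leftover-data copy by commenting it out and returning, which also skips the `memcpy(client_cb->at_cb.buf + client_cb->at_cb.offset, buf, len);` that follows the block, so both the saved remainder and the newly received `buf` are discarded on this path. If dropping the data is acceptable, delete the dead lines instead of leaving them as comments and state the discard in a single comment. Otherwise bound the copy, e.g. `if (tmp <= BTA_HF_CLIENT_AT_PARSER_MAX_LEN) { memcpy(client_cb->at_cb.buf, tmp_buff, tmp); client_cb->at_cb.offset += tmp; }`, assuming `tmp` is the leftover byte count, which is computed outside the hunk. "SIGSEV" in the new comment should read "SIGSEGV".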
@@ -0,0 +1,78 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Sagar Verma +Date: Sun, 12 Jun 2022 00:05:07 +0530 +Subject: [PATCH] AVRC: Validating msg size before accessing fields + +This change adds buffer length validation during the parsing of AVRCP +browse commands. + +Change-Id: I3a6c7a9ea2323a04ce5c5368eabfa940a8152cba +--- + stack/avrc/avrc_pars_tg.cc | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc +index ebeff219e..b8b225702 100644 +--- a/stack/avrc/avrc_pars_tg.cc ++++ b/stack/avrc/avrc_pars_tg.cc +@@ -406,6 +406,12 @@ tAVRC_STS AVRC_Ctrl_ParsCommand(tAVRC_MSG* p_msg, tAVRC_COMMAND* p_result) { + return status; + } + ++#define RETURN_STATUS_IF_FALSE(_status_, _b_, _msg_, ...) \ ++ if (!(_b_)) { \ ++ AVRC_TRACE_DEBUG(_msg_, ##__VA_ARGS__); \ ++ return _status_; \ ++ } ++ + /******************************************************************************* + * + * Function avrc_pars_browsing_cmd +@@ -424,6 +430,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg, + tAVRC_STS status = AVRC_STS_NO_ERROR; + uint8_t* p = p_msg->p_browse_data; + int count; ++ uint16_t min_len = 3; + + p_result->pdu = *p++; + AVRC_TRACE_DEBUG("avrc_pars_browsing_cmd() pdu:0x%x", p_result->pdu); +@@ -437,6 +444,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg, + break; + + case AVRC_PDU_GET_FOLDER_ITEMS: /* 0x71 */ ++ min_len += 10; + STREAM_TO_UINT8(p_result->get_items.scope, p); + // To be modified later here (Scope) when all browsing commands are + // supported +@@ -457,6 +465,11 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg, + if (buf_len < (count << 2)) + p_result->get_items.attr_count = count = (buf_len >> 2); + for (int idx = 0; idx < count; idx++) { ++ min_len += 4; ++ RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, ++ (p_msg->browse_len >= min_len), ++ "msg too short"); ++ + 
BE_STREAM_TO_UINT32(p_result->get_items.p_attr_list[idx], p); + } + } +@@ -473,6 +486,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg, + break; + + case AVRC_PDU_GET_ITEM_ATTRIBUTES: /* 0x73 */ ++ min_len += 12; + BE_STREAM_TO_UINT8(p_result->get_attrs.scope, p); + if (p_result->get_attrs.scope > AVRC_SCOPE_NOW_PLAYING) { + status = AVRC_STS_BAD_SCOPE; +@@ -489,6 +503,11 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg, + p_result->get_attrs.attr_count = count = (buf_len >> 2); + for (int idx = 0, count = 0; idx < p_result->get_attrs.attr_count; + idx++) { ++ min_len += 4; ++ RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, ++ (p_msg->browse_len >= min_len), ++ "msg too short"); ++ + BE_STREAM_TO_UINT32(p_result->get_attrs.p_attr_list[count], p); + if (AVRC_IS_VALID_MEDIA_ATTRIBUTE( + p_result->get_attrs.p_attr_list[count])) { diff --git a/Patches/LineageOS-16.0/android_system_bt/349334.patch b/Patches/LineageOS-16.0/android_system_bt/349334.patch new file mode 100644 index 00000000..4ea90220 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/349334.patch 
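Review bot: `min_len` is raised by 10 for AVRC_PDU_GET_FOLDER_ITEMS and by 12 for AVRC_PDU_GET_ITEM_ATTRIBUTES, but `p_msg->browse_len` is compared with it only inside the attribute loops. The fixed-size fields read right after each `min_len +=` (starting with `scope`) are therefore parsed without a length check, and a command with zero attributes is never checked at all, unless a check exists outside the hunk. Add `RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, (p_msg->browse_len >= min_len), "msg too short");` directly after both `min_len +=` lines. The macro itself expands to a bare `if`; wrapping its body in `do { ... } while (0)` avoids dangling-else surprises at call sites.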
@@ -0,0 +1,65 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Fri, 2 Dec 2022 00:41:24 +0000 +Subject: [PATCH] Report failure when not able to connect to AVRCP + +A crash may occur when creating a bluetooth AVRCP connection to a +device. + +The code fails to check a return value from an AVRCP function +being used to index into an array. The return value may exceed the +size of the array causing memory outside the bounds of the array to be +accessed leading to memory corruption and a crash. + +The fix is to ensure the return value is within the bounds of the +array before accessing the array contents. If the return value is +not within the bounds of the array report it as a failure to the +bluetooth stack. + +This change is relevant for android automotive because the IVI +(in-vehicle infotainment system) acts as the an AVRCP controller +which still executes this code. + +Note: this is a backport of b/214569798, inducted as a non-security +issue. Per b/226927612 it has been found to have security impact +and should be backported to earlier branches. 
+ +Bug: 226927612 +Test: Manual - set return value to be out of bounds, verify no crash +Tag: #security +Ignore-AOSP-First: Security +Change-Id: I03f89f894c759b85e555a024435b625397ef7e5c +Merged-In: I03f89f894c759b85e555a024435b625397ef7e5c +(cherry picked from commit 86112bf0535f3f5a4c6a0a137e67b0eebd9bbdf5) +Merged-In: I03f89f894c759b85e555a024435b625397ef7e5c +--- + bta/av/bta_av_act.cc | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc +index 5625f90bf..112645ecf 100644 +--- a/bta/av/bta_av_act.cc ++++ b/bta/av/bta_av_act.cc +@@ -1840,7 +1840,21 @@ void bta_av_rc_disc_done(UNUSED_ATTR tBTA_AV_DATA* p_data) { + if (p_lcb) { + rc_handle = bta_av_rc_create(p_cb, AVCT_INT, + (uint8_t)(p_scb->hdi + 1), p_lcb->lidx); +- p_cb->rcb[rc_handle].peer_features = peer_features; ++ if (rc_handle < BTA_AV_NUM_RCB) { ++ p_cb->rcb[rc_handle].peer_features = peer_features; ++ } else { ++ /* cannot create valid rc_handle for current device. report failure ++ */ ++ APPL_TRACE_ERROR("%s: no link resources available", __func__); ++ p_scb->use_rc = false; ++ tBTA_AV_RC_OPEN rc_open; ++ rc_open.peer_addr = p_scb->PeerAddress(); ++ rc_open.peer_features = 0; ++ rc_open.status = BTA_AV_FAIL_RESOURCES; ++ tBTA_AV bta_av_data; ++ bta_av_data.rc_open = rc_open; ++ (*p_cb->p_cback)(BTA_AV_RC_OPEN_EVT, &bta_av_data); ++ } + } else { + APPL_TRACE_ERROR("%s: can not find LCB!!", __func__); + } diff --git a/Patches/LineageOS-16.0/android_system_bt/349335.patch b/Patches/LineageOS-16.0/android_system_bt/349335.patch new file mode 100644 index 00000000..71672e10 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/349335.patch 
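Review bot: In the new failure branch of bta_av_rc_disc_done, `tBTA_AV_RC_OPEN rc_open;` is declared without an initialiser and only `peer_addr`, `peer_features` and `status` are assigned. Any other member of the structure is then copied into `bta_av_data` and passed to the callback with indeterminate contents. Value-initialising it, `tBTA_AV_RC_OPEN rc_open{};`, removes that. The branch also calls `(*p_cb->p_cback)(BTA_AV_RC_OPEN_EVT, &bta_av_data);` unconditionally; whether the pointer can be null at this point is not visible in the hunk.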
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Tue, 27 Sep 2022 22:05:08 +0000
+Subject: [PATCH] Add bounds check in avdt_scb_act.cc
+
+Bug: 242535997
+Test: BT unit tests, validated against researcher POC
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4
+(cherry picked from commit eca4a3cdb0da240496341f546a57397434ec85dd)
+Merged-In: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4
+---
+ stack/avdt/avdt_scb_act.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
+index 31745bb2f..ce53c45eb 100644
+--- a/stack/avdt/avdt_scb_act.cc
++++ b/stack/avdt/avdt_scb_act.cc
+@@ -977,6 +977,11 @@ void avdt_scb_hdl_write_req(AvdtpScb* p_scb, tAVDT_SCB_EVT* p_data) {
+
+ /* Build a media packet, and add an RTP header if required. */
+ if (add_rtp_header) {
++ if (p_data->apiwrite.p_buf->offset < AVDT_MEDIA_HDR_SIZE) {
++ android_errorWriteWithInfoLog(0x534e4554, "242535997", -1, NULL, 0);
++ return;
++ }
++
+ ssrc = avdt_scb_gen_ssrc(p_scb);
+
+ p_data->apiwrite.p_buf->len += AVDT_MEDIA_HDR_SIZE;
diff --git a/Patches/LineageOS-16.0/android_system_bt/351916.patch b/Patches/LineageOS-16.0/android_system_bt/351916.patch
new file mode 100644
index 00000000..028e9948
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_bt/351916.patch
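Review bot: The new early `return;` leaves `p_data->apiwrite.p_buf` untouched, so on the rejected path the buffer is neither sent nor released in the visible code. If avdt_scb_hdl_write_req owns the buffer at this point (the rest of the function is outside the hunk), it should be freed before returning, e.g. `osi_free_and_reset((void**)&p_data->apiwrite.p_buf);`. A one-line comment that `offset` must leave room for the AVDT_MEDIA_HDR_SIZE bytes presumably prepended below would also explain the check.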
@@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Wed, 28 Dec 2022 00:32:37 +0000 +Subject: [PATCH] Fix an OOB Write bug in gatt_check_write_long_terminate + +this is the backport of Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084 + +Bug: 258652631 +Test: manual +Tag: #security +Ignore-AOSP-First: security +Change-Id: Ic84122f07cbc198c676d366e39606621b7cb4e66 +(cherry picked from commit 9b17660bfd6f0f41cb9400ce0236d76c83605e03) +Merged-In: Ic84122f07cbc198c676d366e39606621b7cb4e66 +--- + stack/gatt/gatt_cl.cc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc +index 46572dd06..f8d5bab92 100644 +--- a/stack/gatt/gatt_cl.cc ++++ b/stack/gatt/gatt_cl.cc +@@ -573,7 +573,8 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, + LOG(ERROR) << StringPrintf("value resp op_code = %s len = %d", + gatt_dbg_op_name(op_code), len); + +- if (len < GATT_PREP_WRITE_RSP_MIN_LEN) { ++ if (len < GATT_PREP_WRITE_RSP_MIN_LEN || ++ len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) { + LOG(ERROR) << "illegal prepare write response length, discard"; + gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value); + return; +@@ -582,7 +583,7 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, + STREAM_TO_UINT16(value.handle, p); + STREAM_TO_UINT16(value.offset, p); + +- value.len = len - 4; ++ value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN; + + memcpy(value.value, p, value.len); + diff --git a/Patches/LineageOS-16.0/android_system_bt/351917.patch b/Patches/LineageOS-16.0/android_system_bt/351917.patch new file mode 100644 index 00000000..df471629 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/351917.patch 
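Review bot: `value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;` replaces the literal 4 and now depends on the constant being exactly the number of bytes consumed by the two `STREAM_TO_UINT16` reads above it. A comment next to the subtraction, such as `// handle (2) + offset (2) were consumed above`, or a static_assert on the constant, would pin that relationship. The upper bound `GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)` relies on the same assumption, so one comment covers both lines.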
@@ -0,0 +1,39 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Mon, 2 Jan 2023 22:05:45 +0000 +Subject: [PATCH] Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc + +In A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the +`-=` operation on it may result in integer underflow and +OOB write with the computed pointer passed to +A2DP_BuildMediaPayloadHeaderSbc. + +This is a backport of I45320085b1e458d3b0e0d86162a35aaaae7b34cb +Test: atest net_test_stack_a2dp_codecs_native +Ignore-AOSP-First: security +Tag:#security + +Bug: 186803518 +Change-Id: I4ff1a1de71884b8de23008b2569fdea3650e85ec +(cherry picked from commit a710300216be4a86373a65c6a685aeef8509cfa7) +Merged-In: I4ff1a1de71884b8de23008b2569fdea3650e85ec +--- + stack/a2dp/a2dp_sbc.cc | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/stack/a2dp/a2dp_sbc.cc b/stack/a2dp/a2dp_sbc.cc +index d6c38d0ea..665e7e03b 100644 +--- a/stack/a2dp/a2dp_sbc.cc ++++ b/stack/a2dp/a2dp_sbc.cc +@@ -676,6 +676,11 @@ bool A2DP_BuildCodecHeaderSbc(UNUSED_ATTR const uint8_t* p_codec_info, + BT_HDR* p_buf, uint16_t frames_per_packet) { + uint8_t* p; + ++ // there is a timestamp right following p_buf ++ if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) { ++ return false; ++ } ++ + p_buf->offset -= A2DP_SBC_MPL_HDR_LEN; + p = (uint8_t*)(p_buf + 1) + p_buf->offset; + p_buf->len += A2DP_SBC_MPL_HDR_LEN; diff --git a/Patches/LineageOS-16.0/android_system_bt/351918.patch b/Patches/LineageOS-16.0/android_system_bt/351918.patch new file mode 100644 index 00000000..e619f4f6 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/351918.patch 
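Review bot: The guard `p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN` uses a bare `4` explained only by "there is a timestamp right following p_buf", which does not say that 4 is the timestamp size or why it counts against `offset`. A named constant or `sizeof(uint32_t)` with a comment like `// offset must leave room for the timestamp plus the SBC payload header` would make the bound checkable; the buffer layout itself is set up by the caller, outside the hunk. The function also returns false silently, whereas the sibling patches on this page log such rejections, so a log line here would keep them consistent.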
@@ -0,0 +1,75 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Wed, 4 Jan 2023 22:45:13 +0000 +Subject: [PATCH] Fix an OOB write in SDP_AddAttribute + +When the `attr_pad` becomes full, it is possible +that un index of `-1` is computed write +a zero byte to `p_val`, rusulting OOB write. + +``` + p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\0'; +``` + +This is a backport of I937d22a2df26fca1d7f06b10182c4e713ddfed1b + +Bug: 261867748 +Test: manual +Tag: #security +Ignore-AOSP-First: security +Change-Id: Ibdda754e628cfc9d1706c14db114919a15d8d6b1 +(cherry picked from commit cc527a97f78a2999a0156a579e488afe9e3675b2) +Merged-In: Ibdda754e628cfc9d1706c14db114919a15d8d6b1 +--- + stack/sdp/sdp_db.cc | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/stack/sdp/sdp_db.cc b/stack/sdp/sdp_db.cc +index 769e7d83f..3929e830a 100644 +--- a/stack/sdp/sdp_db.cc ++++ b/stack/sdp/sdp_db.cc +@@ -362,6 +362,11 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type, + uint16_t xx, yy, zz; + tSDP_RECORD* p_rec = &sdp_cb.server_db.record[0]; + ++ if (p_val == nullptr) { ++ SDP_TRACE_WARNING("Trying to add attribute with p_val == nullptr, skipped"); ++ return (false); ++ } ++ + if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG) { + if ((attr_type == UINT_DESC_TYPE) || + (attr_type == TWO_COMP_INT_DESC_TYPE) || +@@ -398,6 +403,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type, + if (p_rec->record_handle == handle) { + tSDP_ATTRIBUTE* p_attr = &p_rec->attribute[0]; + ++ // error out early, no need to look up ++ if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) { ++ SDP_TRACE_ERROR("the free pad for SDP record with handle %d is " ++ "full, skip adding the attribute", handle); ++ return (false); ++ } ++ + /* Found the record. 
Now, see if the attribute already exists */ + for (xx = 0; xx < p_rec->num_attributes; xx++, p_attr++) { + /* The attribute exists. replace it */ +@@ -437,15 +449,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type, + attr_len = 0; + } + +- if ((attr_len > 0) && (p_val != 0)) { ++ if (attr_len > 0) { + p_attr->len = attr_len; + memcpy(&p_rec->attr_pad[p_rec->free_pad_ptr], p_val, (size_t)attr_len); + p_attr->value_ptr = &p_rec->attr_pad[p_rec->free_pad_ptr]; + p_rec->free_pad_ptr += attr_len; +- } else if ((attr_len == 0 && +- p_attr->len != +- 0) || /* if truncate to 0 length, simply don't add */ +- p_val == 0) { ++ } else if (attr_len == 0 && p_attr->len != 0) { ++ /* if truncate to 0 length, simply don't add */ + SDP_TRACE_ERROR( + "SDP_AddAttribute fail, length exceed maximum: ID %d: attr_len:%d ", + attr_id, attr_len); diff --git a/Patches/LineageOS-16.0/android_system_bt/354246.patch b/Patches/LineageOS-16.0/android_system_bt/354246.patch new file mode 100644 index 00000000..fae2a270 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/354246.patch 
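Review bot: In the new full-pad check of SDP_AddAttribute, the error trace prints `handle` with `%d` although the signature in the hunk header declares it `uint32_t`, so a handle with the top bit set would be logged as a negative number. `%u` matches the type: `SDP_TRACE_ERROR("the free pad for SDP record with handle %u is " ...`. Separately, the early return sits before the loop that replaces an existing attribute, so a replace on a full record is now refused as well. The replace path is outside the hunk, so whether that is intended should be confirmed.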
@@ -0,0 +1,54 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Thu, 8 Dec 2022 01:08:11 +0000 +Subject: [PATCH] Fix OOB access in avdt_scb_hdl_pkt_no_frag + +This is a back port of the following 2 CLs: +- Id13b1ebde8f603123c8b7a49922b2f1378ab788f +- If0c7b25f2e6cb4531bbb6254e176e8ad1b5c5fb4 + +Regression test: I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54 + +Bug: 142546355 258057241 +Test: atest net_test_stack_avdtp +Ignore-AOSP-First: security +Change-Id: Ie1707385d6452ece47915c153f4faaa1c8a287c9 +(cherry picked from commit b0b968e8c6214e20a5dc3617d66567225df0884f) +Merged-In: Ie1707385d6452ece47915c153f4faaa1c8a287c9 +--- + stack/avdt/avdt_scb_act.cc | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc +index ce53c45eb..f2de4ba35 100644 +--- a/stack/avdt/avdt_scb_act.cc ++++ b/stack/avdt/avdt_scb_act.cc +@@ -255,19 +255,24 @@ void avdt_scb_hdl_pkt_no_frag(AvdtpScb* p_scb, tAVDT_SCB_EVT* p_data) { + if (offset > len) goto length_error; + p += 2; + BE_STREAM_TO_UINT16(ex_len, p); +- offset += ex_len * 4; + p += ex_len * 4; + } + ++ if ((p - p_start) >= len) { ++ AVDT_TRACE_WARNING("%s: handling malformatted packet: ex_len too large", __func__); ++ osi_free_and_reset((void**)&p_data->p_pkt); ++ return; ++ } ++ offset = p - p_start; ++ + /* adjust length for any padding at end of packet */ + if (o_p) { + /* padding length in last byte of packet */ +- pad_len = *(p_start + p_data->p_pkt->len); ++ pad_len = *(p_start + len - 1); + } + + /* do sanity check */ +- if ((offset > p_data->p_pkt->len) || +- ((pad_len + offset) > p_data->p_pkt->len)) { ++ if (pad_len >= (len - offset)) { + AVDT_TRACE_WARNING("Got bad media packet"); + osi_free_and_reset((void**)&p_data->p_pkt); + } 
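Review bot: The new `ex_len too large` branch in avdt_scb_hdl_pkt_no_frag frees the packet and returns inline, while the length check a few lines above uses `goto length_error` for what looks like the same kind of malformed input. The label's body is outside the hunk, so this is a consistency question rather than a defect: if length_error also frees p_pkt, routing both through it keeps one cleanup path. A one-line comment on the new check would also help, e.g. `// also guarantees len >= 1, so p_start + len - 1 below stays inside the packet`.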
diff --git a/Patches/LineageOS-16.0/android_system_bt/354247.patch b/Patches/LineageOS-16.0/android_system_bt/354247.patch new file mode 100644 index 00000000..efdad53e --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/354247.patch @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Fri, 20 Jan 2023 19:39:30 +0000 +Subject: [PATCH] Fix an OOB bug in register_notification_rsp + +This is a backport of I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f +to rvc-dev. + +Bug: 245916076 +Test: manual +Ignore-AOSP-First: security +Change-Id: I37a9f45e707702b2ec52b5a2d572f177f2911765 +(cherry picked from commit 901e34203c6280d414cbfa3978de04fd6515ffdf) +Merged-In: I37a9f45e707702b2ec52b5a2d572f177f2911765 +--- + btif/src/btif_rc.cc | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/btif/src/btif_rc.cc b/btif/src/btif_rc.cc +index c226b5f21..9bc30599c 100644 +--- a/btif/src/btif_rc.cc ++++ b/btif/src/btif_rc.cc +@@ -1889,6 +1889,11 @@ static bt_status_t register_notification_rsp( + dump_rc_notification_event_id(event_id)); + std::unique_lock lock(btif_rc_cb.lock); + ++ if (event_id > MAX_RC_NOTIFICATIONS) { ++ BTIF_TRACE_ERROR("Invalid event id"); ++ return BT_STATUS_PARM_INVALID; ++ } ++ + memset(&(avrc_rsp.reg_notif), 0, sizeof(tAVRC_REG_NOTIF_RSP)); + + avrc_rsp.reg_notif.event_id = event_id; diff --git a/Patches/LineageOS-16.0/android_system_bt/359736.patch b/Patches/LineageOS-16.0/android_system_bt/359736.patch new file mode 100644 index 00000000..bbaf8638 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/359736.patch 
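Review bot: The guard added to register_notification_rsp rejects only values above MAX_RC_NOTIFICATIONS, so `event_id == 0` still passes. How event_id becomes an array index is outside the hunk; if the table is indexed with `event_id - 1`, zero would still land outside it and the check should bound both sides, `if (event_id < 1 || event_id > MAX_RC_NOTIFICATIONS) {`. Including the rejected value in the trace would also help triage, `BTIF_TRACE_ERROR("%s: invalid event id %d", __func__, event_id);`.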
@@ -0,0 +1,107 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Tue, 11 Oct 2022 21:23:22 +0000 +Subject: [PATCH] Prevent use-after-free of HID reports + +BTA sends the the HID report pointer to BTIF and deallocates it immediately. +This is now prevented by providing a deep copy callback function for HID +reports when tranferring context from BTA to BTIF. + +This is a backport of change Icef7a7ed1185b4283ee4fe4f812ca154d8f1b825, +already merged on T for b/227620181. + +Bug: 228837201 +Test: Validated against researcher POC, ran BT unit tests, played audio +manually. +Tag: #security +Ignore-AOSP-First: Security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:874c495c886cd8722625756dc5fd0634b16b4f42) +Merged-In: Ib837f395883de2369207f1b3b974d6bff02dcb19 +Change-Id: Ib837f395883de2369207f1b3b974d6bff02dcb19 +--- + btif/src/btif_hh.cc | 50 ++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 45 insertions(+), 5 deletions(-) + +diff --git a/btif/src/btif_hh.cc b/btif/src/btif_hh.cc +index c5a90218a..b6441e1cc 100644 +--- a/btif/src/btif_hh.cc ++++ b/btif/src/btif_hh.cc +@@ -1073,6 +1073,38 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + } + } + ++/******************************************************************************* ++ * ++ * Function btif_hh_hsdata_rpt_copy_cb ++ * ++ * Description Deep copies the tBTA_HH_HSDATA structure ++ * ++ * Returns void ++ * ++ ******************************************************************************/ ++ ++static void btif_hh_hsdata_rpt_copy_cb(uint16_t event, char* p_dest, ++ char* p_src) { ++ tBTA_HH_HSDATA* p_dst_data = (tBTA_HH_HSDATA*)p_dest; ++ tBTA_HH_HSDATA* p_src_data = (tBTA_HH_HSDATA*)p_src; ++ BT_HDR* hdr; ++ ++ if (!p_src) { ++ BTIF_TRACE_ERROR("%s: Nothing to copy", __func__); ++ return; ++ } ++ ++ memcpy(p_dst_data, p_src_data, sizeof(tBTA_HH_HSDATA)); ++ ++ hdr = 
p_src_data->rsp_data.p_rpt_data; ++ if (hdr != NULL) { ++ uint8_t* p_data = ((uint8_t*)p_dst_data) + sizeof(tBTA_HH_HSDATA); ++ memcpy(p_data, hdr, BT_HDR_SIZE + hdr->offset + hdr->len); ++ ++ p_dst_data->rsp_data.p_rpt_data = (BT_HDR*)p_data; ++ } ++} ++ + /******************************************************************************* + * + * Function bte_hh_evt +@@ -1086,6 +1118,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) { + bt_status_t status; + int param_len = 0; ++ tBTIF_COPY_CBACK* p_copy_cback = NULL; + + if (BTA_HH_ENABLE_EVT == event) + param_len = sizeof(tBTA_HH_STATUS); +@@ -1097,11 +1130,18 @@ void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) { + param_len = sizeof(tBTA_HH_CBDATA); + else if (BTA_HH_GET_DSCP_EVT == event) + param_len = sizeof(tBTA_HH_DEV_DSCP_INFO); +- else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_RPT_EVT == event) || +- (BTA_HH_GET_IDLE_EVT == event)) ++ else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_IDLE_EVT == event)) ++ param_len = sizeof(tBTA_HH_HSDATA); ++ else if (BTA_HH_GET_RPT_EVT == event) { ++ BT_HDR* hdr = p_data->hs_data.rsp_data.p_rpt_data; + param_len = sizeof(tBTA_HH_HSDATA); +- else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) || +- (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event)) ++ ++ if (hdr != NULL) { ++ p_copy_cback = btif_hh_hsdata_rpt_copy_cb; ++ param_len += BT_HDR_SIZE + hdr->offset + hdr->len; ++ } ++ } else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) || ++ (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event)) + param_len = sizeof(tBTA_HH_CBDATA); + else if ((BTA_HH_ADD_DEV_EVT == event) || (BTA_HH_RMV_DEV_EVT == event)) + param_len = sizeof(tBTA_HH_DEV_INFO); +@@ -1110,7 +1150,7 @@ void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) { + /* switch context to btif task context (copy full union size for convenience) + */ + status 
= btif_transfer_context(btif_hh_upstreams_evt, (uint16_t)event, +- (char*)p_data, param_len, NULL); ++ (char*)p_data, param_len, p_copy_cback); + + /* catch any failed context transfers */ + ASSERTC(status == BT_STATUS_SUCCESS, "context transfer failed", status); diff --git a/Patches/LineageOS-16.0/android_system_bt/359737.patch b/Patches/LineageOS-16.0/android_system_bt/359737.patch new file mode 100644 index 00000000..0b685f89 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/359737.patch 
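Review bot: btif_hh_hsdata_rpt_copy_cb writes `BT_HDR_SIZE + hdr->offset + hdr->len` bytes past `sizeof(tBTA_HH_HSDATA)` in p_dest, and the only thing that makes room for them is the identical expression added to param_len in bte_hh_evt. The two sizes are computed independently and the callback cannot check the destination's capacity, so a later change to one side alone would turn the copy into an overflow. I would state the contract in the function header, e.g. `Description  Deep copies tBTA_HH_HSDATA; p_dest must hold sizeof(tBTA_HH_HSDATA) + BT_HDR_SIZE + offset + len of the report`, and consider one shared helper for the size. The callback also tests `p_src` but not `p_dest`; whether btif_transfer_context can pass a null destination is not visible here.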
@@ -0,0 +1,141 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Tue, 21 Mar 2023 22:35:35 +0000 +Subject: [PATCH] Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length + in sdpu_build_uuid_seq"" + +This reverts commit 487a1079078f3717fdc4665c19a45eca5b3ec5e6. + +Reason for revert: Reinstate original change for QPR +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a681067af2ea4565543238db3025d749923f63ec) +Merged-In: If0528519a29dc73ff99163098da2a05592ab15d8 +Change-Id: If0528519a29dc73ff99163098da2a05592ab15d8 +--- + stack/sdp/sdp_discovery.cc | 65 ++++++++++++++++++++++++++++++++++---- + 1 file changed, 58 insertions(+), 7 deletions(-) + +diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc +index 420259800..ffc9586cd 100644 +--- a/stack/sdp/sdp_discovery.cc ++++ b/stack/sdp/sdp_discovery.cc +@@ -74,10 +74,15 @@ static uint8_t* add_attr(uint8_t* p, uint8_t* p_end, tSDP_DISCOVERY_DB* p_db, + * + ******************************************************************************/ + static uint8_t* sdpu_build_uuid_seq(uint8_t* p_out, uint16_t num_uuids, +- Uuid* p_uuid_list) { ++ Uuid* p_uuid_list, uint16_t& bytes_left) { + uint16_t xx; + uint8_t* p_len; + ++ if (bytes_left < 2) { ++ DCHECK(0) << "SDP: No space for data element header"; ++ return (p_out); ++ } ++ + /* First thing is the data element header */ + UINT8_TO_BE_STREAM(p_out, (DATA_ELE_SEQ_DESC_TYPE << 3) | SIZE_IN_NEXT_BYTE); + +@@ -85,9 +90,20 @@ static uint8_t* sdpu_build_uuid_seq(uint8_t* p_out, uint16_t num_uuids, + p_len = p_out; + p_out += 1; + ++ /* Account for data element header and length */ ++ bytes_left -= 2; ++ + /* Now, loop through and put in all the UUID(s) */ + for (xx = 0; xx < num_uuids; xx++, p_uuid_list++) { + int len = p_uuid_list->GetShortestRepresentationSize(); ++ ++ if (len + 1 > bytes_left) { ++ DCHECK(0) << "SDP: Too many UUIDs for internal buffer"; ++ break; ++ } else { ++ 
bytes_left -= (len + 1); ++ } ++ + if (len == Uuid::kNumBytes16) { + UINT8_TO_BE_STREAM(p_out, (UUID_DESC_TYPE << 3) | SIZE_TWO_BYTES); + UINT16_TO_BE_STREAM(p_out, p_uuid_list->As16Bit()); +@@ -124,6 +140,7 @@ static void sdp_snd_service_search_req(tCONN_CB* p_ccb, uint8_t cont_len, + uint8_t *p, *p_start, *p_param_len; + BT_HDR* p_cmd = (BT_HDR*)osi_malloc(SDP_DATA_BUF_SIZE); + uint16_t param_len; ++ uint16_t bytes_left = SDP_DATA_BUF_SIZE; + + /* Prepare the buffer for sending the packet to L2CAP */ + p_cmd->offset = L2CAP_MIN_OFFSET; +@@ -138,13 +155,30 @@ static void sdp_snd_service_search_req(tCONN_CB* p_ccb, uint8_t cont_len, + p_param_len = p; + p += 2; + +-/* Build the UID sequence. */ ++ /* Account for header size, max service record count and ++ * continuation state */ ++ const uint16_t base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET + ++ 3u + /* service search request header */ ++ 2u + /* param len */ ++ 3u + ((p_cont) ? cont_len : 0)); ++ ++ if (base_bytes > bytes_left) { ++ DCHECK(0) << "SDP: Overran SDP data buffer"; ++ osi_free(p_cmd); ++ return; ++ } ++ ++ bytes_left -= base_bytes; ++ ++ /* Build the UID sequence. */ + #if (SDP_BROWSE_PLUS == TRUE) + p = sdpu_build_uuid_seq(p, 1, +- &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]); ++ &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx], ++ bytes_left); + #else ++ /* Build the UID sequence. 
*/ + p = sdpu_build_uuid_seq(p, p_ccb->p_db->num_uuid_filters, +- p_ccb->p_db->uuid_filters); ++ p_ccb->p_db->uuid_filters, bytes_left); + #endif + + /* Set max service record count */ +@@ -636,6 +670,7 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, + if ((cont_request_needed) || (!p_reply)) { + BT_HDR* p_msg = (BT_HDR*)osi_malloc(SDP_DATA_BUF_SIZE); + uint8_t* p; ++ uint16_t bytes_left = SDP_DATA_BUF_SIZE; + + p_msg->offset = L2CAP_MIN_OFFSET; + p = p_start = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET; +@@ -649,13 +684,29 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, + p_param_len = p; + p += 2; + +-/* Build the UID sequence. */ ++ /* Account for header size, max service record count and ++ * continuation state */ ++ const uint16_t base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET + ++ 3u + /* service search request header */ ++ 2u + /* param len */ ++ 3u + /* max service record count */ ++ ((p_reply) ? (*p_reply) : 0)); ++ ++ if (base_bytes > bytes_left) { ++ sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE); ++ return; ++ } ++ ++ bytes_left -= base_bytes; ++ ++ /* Build the UID sequence. */ + #if (SDP_BROWSE_PLUS == TRUE) + p = sdpu_build_uuid_seq(p, 1, +- &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]); ++ &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx], ++ bytes_left); + #else + p = sdpu_build_uuid_seq(p, p_ccb->p_db->num_uuid_filters, +- p_ccb->p_db->uuid_filters); ++ p_ccb->p_db->uuid_filters, bytes_left); + #endif + + /* Max attribute byte count */ diff --git a/Patches/LineageOS-16.0/android_system_bt/359738.patch b/Patches/LineageOS-16.0/android_system_bt/359738.patch new file mode 100644 index 00000000..8674368f --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/359738.patch 
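Review bot: In process_service_search_attr_rsp the new `base_bytes > bytes_left` branch calls sdp_disconnect and returns without releasing `p_msg`, which was obtained from osi_malloc a few lines earlier in the same hunk. The matching branch in sdp_snd_service_search_req does call `osi_free(p_cmd)` first, so the two paths disagree and this one appears to leak the buffer each time it is taken. Adding `osi_free(p_msg);` before `sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);` would align them. The checks in sdpu_build_uuid_seq also report only through `DCHECK(0)`, which is typically compiled out of release builds, so a truncated UUID list would go unlogged there.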
@@ -0,0 +1,82 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Tue, 21 Mar 2023 22:39:16 +0000 +Subject: [PATCH] Revert "Revert "Fix wrong BR/EDR link key downgrades + (P_256->P_192)"" + +This reverts commit d733c86cbc06ce0ec72216b9d41e172d1939c46f. + +Function btm_sec_encrypt_change() is called at most places +with argument "encr_enable" treated as bool and not as per +(tHCI_ENCRYPT_MODE = 0/1/2) expected by the function. The +function has special handling for "encr_enable=1" to downgrade +the link key type for BR/EDR case. This gets executed even +when the caller/context did not mean/expect so. It appears +this handling in btm_sec_encrypt_change() is not necessary and +is removed by this commit to prevent accidental execution of it. + +Test: Verified re-pairing with an iPhone works fine now + +Issue Reproduction Steps: +1. Enable Bluetooth Hotspot on Android device (DUT). +2. Pair and connect an iPhone to DUT. +3. Forget this pairing on DUT. +4. On iPhone settings, click on old DUT's paired entry to connect. +5. iPhone notifies to click 'Forget Device' and try fresh pairing. +6. On iPhone, after doing 'Forget Device', discover DUT again. +7. Attempt pairing to DUT by clicking on discovered DUT entry. + Pairing will be unsuccessful. + +Issue Cause: +During re-pairing, DUT is seen to downgrade +BR/EDR link key unexpectedly from link key type 0x8 +(BTM_LKEY_TYPE_AUTH_COMB_P_256) to 0x5 (BTM_LKEY_TYPE_AUTH_COMB). + +Log snippet (re-pairing time): +btm_sec_link_key_notification set new_encr_key_256 to 1 +btif_dm_auth_cmpl_evt: Storing link key. key_type=0x8, bond_type=1 +btm_sec_encrypt_change new_encr_key_256 is 1 +--On DUT, HCI_Encryption_Key_Refresh_Complete event noticed--- +btm_sec_encrypt_change new_encr_key_256 is 0 +updated link key type to 5 +btif_dm_auth_cmpl_evt: Storing link key. 
key_type=0x5, bond_type=1 + +This is a backport of the following patch: aosp/1890096 + +Bug: 258834033 + +Reason for revert: Reinstate original change for QPR +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:56891eedc68c86b40977191dad28d65ebf86a94f) +Merged-In: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6 +Change-Id: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6 +--- + stack/btm/btm_sec.cc | 16 ---------------- + 1 file changed, 16 deletions(-) + +diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc +index 168750140..899b6b908 100644 +--- a/stack/btm/btm_sec.cc ++++ b/stack/btm/btm_sec.cc +@@ -4030,22 +4030,6 @@ void btm_sec_encrypt_change(uint16_t handle, uint8_t status, + SMP_BR_PairWith(p_dev_rec->bd_addr); + } + } +- } else { +- // BR/EDR is successfully encrypted. Correct LK type if needed +- // (BR/EDR LK derived from LE LTK was used for encryption) +- if ((encr_enable == 1) && /* encryption is ON for SSP */ +- /* LK type is for BR/EDR SC */ +- (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 || +- p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) { +- if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) +- p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB; +- else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */ +- p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB; +- +- BTM_TRACE_DEBUG("updated link key type to %d", +- p_dev_rec->link_key_type); +- btm_send_link_key_notif(p_dev_rec); +- } + } + } + diff --git a/Patches/LineageOS-16.0/android_system_bt/361252.patch b/Patches/LineageOS-16.0/android_system_bt/361252.patch new file mode 100644 index 00000000..6dd75430 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/361252.patch 
@@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: tyiu +Date: Tue, 28 Mar 2023 18:40:51 +0000 +Subject: [PATCH] Fix gatt_end_operation buffer overflow + +Added boundary check for gatt_end_operation to prevent writing out of +boundary. + +Since response of the GATT server is handled in +gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum +lenth that can be passed into the handlers is bounded by +GATT_MAX_MTU_SIZE, which is set to 517, which is greater than +GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec +that gaurentees MTU response to be less than or equal to 512 bytes can +cause a buffer overflow when performing memcpy without length check. + +Bug: 261068592 +Test: No test since not affecting behavior +Tag: #security +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dd7298e982e4bbf0138a490562679c9a4a755200) +Merged-In: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873 +Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873 +--- + stack/gatt/gatt_utils.cc | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/stack/gatt/gatt_utils.cc b/stack/gatt/gatt_utils.cc +index 9e8d3b930..52891efc4 100644 +--- a/stack/gatt/gatt_utils.cc ++++ b/stack/gatt/gatt_utils.cc +@@ -1193,6 +1193,13 @@ void gatt_end_operation(tGATT_CLCB* p_clcb, tGATT_STATUS status, void* p_data) { + cb_data.att_value.handle = p_clcb->s_handle; + cb_data.att_value.len = p_clcb->counter; + ++ if (cb_data.att_value.len > GATT_MAX_ATTR_LEN) { ++ LOG(WARNING) << __func__ ++ << StringPrintf(" Large cb_data.att_value, size=%d", ++ cb_data.att_value.len); ++ cb_data.att_value.len = GATT_MAX_ATTR_LEN; ++ } ++ + if (p_data && p_clcb->counter) + memcpy(cb_data.att_value.value, p_data, cb_data.att_value.len); + } 
diff --git a/Patches/LineageOS-16.0/android_system_bt/366131.patch b/Patches/LineageOS-16.0/android_system_bt/366131.patch new file mode 100644 index 00000000..c1572aa0 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/366131.patch @@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Tue, 16 May 2023 21:24:07 +0000 +Subject: [PATCH] Fix an integer overflow bug in avdt_msg_asmbl + +This is a backport of +Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2 +to rvc-dev + +Bug: 280633699 +Test: manual +Ignore-AOSP-First: security +Tag: #security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:26347d4bdba646bbba4d27337d2888a04de42639) +Merged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2 +Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2 +--- + stack/avdt/avdt_msg.cc | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc +index 453e18642..3576b74e6 100644 +--- a/stack/avdt/avdt_msg.cc ++++ b/stack/avdt/avdt_msg.cc +@@ -1261,14 +1261,14 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) { + * NOTE: The buffer is allocated above at the beginning of the + * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE. + */ +- uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR); ++ size_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR); + + /* adjust offset and len of fragment for header byte */ + p_buf->offset += AVDT_LEN_TYPE_CONT; + p_buf->len -= AVDT_LEN_TYPE_CONT; + + /* verify length */ +- if ((p_ccb->p_rx_msg->offset + p_buf->len) > buf_len) { ++ if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len) { + /* won't fit; free everything */ + AVDT_TRACE_WARNING("%s: Fragmented message too big!", __func__); + osi_free_and_reset((void**)&p_ccb->p_rx_msg); 
diff --git a/Patches/LineageOS-16.0/android_system_bt/366132.patch b/Patches/LineageOS-16.0/android_system_bt/366132.patch new file mode 100644 index 00000000..e07747c5 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/366132.patch 
@@ -0,0 +1,64 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Fri, 19 May 2023 19:17:16 +0000 +Subject: [PATCH] Fix integer overflow in build_read_multi_rsp + +Local variables tracking structure size in build_read_multi_rsp are of +uint16 type but accept a full uint16 range from function arguments while +appending a fixed-length offset. This can lead to an integer overflow +and unexpected behavior. + +Change the locals to size_t, and add a check during reasssignment. + +Bug: 273966636 +Test: atest bluetooth_test_gd_unit, net_test_stack_btm +Tag: #security +Ignore-AOSP-First: Security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:53f64274cbf2268ad6db5af9c61ceead9ef64fb0) +Merged-In: Iff252f0dd06aac9776e8548631e0b700b3ed85b9 +Change-Id: Iff252f0dd06aac9776e8548631e0b700b3ed85b9 +--- + stack/gatt/gatt_sr.cc | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc +index b9921fee6..d4e3c046b 100644 +--- a/stack/gatt/gatt_sr.cc ++++ b/stack/gatt/gatt_sr.cc +@@ -113,7 +113,8 @@ void gatt_dequeue_sr_cmd(tGATT_TCB& tcb) { + ******************************************************************************/ + static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status, + tGATTS_RSP* p_msg, uint16_t mtu) { +- uint16_t ii, total_len, len; ++ uint16_t ii; ++ size_t total_len, len; + uint8_t* p; + bool is_overflow = false; + +@@ -168,16 +169,22 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status, + len = p_rsp->attr_value.len - (total_len - mtu); + is_overflow = true; + VLOG(1) << StringPrintf( +- "multi read overflow available len=%d val_len=%d", len, ++ "multi read overflow available len=%zu val_len=%d", len, + p_rsp->attr_value.len); + } else { + len = p_rsp->attr_value.len; + } + + if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) { +- memcpy(p, 
p_rsp->attr_value.value, len); +- if (!is_overflow) p += len; +- p_buf->len += len; ++ // check for possible integer overflow ++ if (p_buf->len + len <= UINT16_MAX) { ++ memcpy(p, p_rsp->attr_value.value, len); ++ if (!is_overflow) p += len; ++ p_buf->len += len; ++ } else { ++ p_cmd->status = GATT_NOT_FOUND; ++ break; ++ } + } else { + p_cmd->status = GATT_NOT_FOUND; + break; diff --git a/Patches/LineageOS-16.0/android_system_bt/366133.patch b/Patches/LineageOS-16.0/android_system_bt/366133.patch new file mode 100644 index 00000000..21cf69d7 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/366133.patch 
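Review bot: The overflow check added around the memcpy in process_read_multi_rsp bounds `p_buf->len + len` by UINT16_MAX, which is what the length field can represent, not how much room the response buffer has left or how large `attr_value.value` is. The allocation of p_buf is outside the hunk, so this may already be covered, but with `len` now a size_t a wrapped result of `p_rsp->attr_value.len - (total_len - mtu)` is stopped only by this one comparison. A comment naming the invariant the copy relies on would make that reviewable, e.g. `// len never exceeds the payload space p_buf was allocated with` (to be confirmed against the allocation). The overflow case also reuses GATT_NOT_FOUND, the same status as a handle mismatch, so the caller cannot tell the two apart.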
@@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Thu, 27 Apr 2023 20:43:58 +0000 +Subject: [PATCH] Fix potential abort in btu_av_act.cc + +Partner analysis shows that bta_av_rc_msg does not respect handling +established for a null browse packet, instead dispatching the null +pointer to bta_av_rc_free_browse_msg. Strictly speaking this does +not cause a UAF, as osi_free_and_reset will find the null and abort, +but it will lead to improper program termination. + +Handle the case instead. + +Bug: 269253349 +Test: atest bluetooth_test_gd_unit +Tag: #security +Ignore-AOSP-First: Security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9) +Merged-In: I4df7045798b663fbefd7434288dc9383216171a7 +Change-Id: I4df7045798b663fbefd7434288dc9383216171a7 +--- + bta/av/bta_av_act.cc | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc +index 112645ecf..0cd7b5d00 100644 +--- a/bta/av/bta_av_act.cc ++++ b/bta/av/bta_av_act.cc +@@ -997,7 +997,10 @@ void bta_av_rc_msg(tBTA_AV_CB* p_cb, tBTA_AV_DATA* p_data) { + av.remote_cmd.rc_handle = p_data->rc_msg.handle; + (*p_cb->p_cback)(evt, &av); + /* If browsing message, then free the browse message buffer */ +- bta_av_rc_free_browse_msg(p_cb, p_data); ++ if (p_data->rc_msg.opcode == AVRC_OP_BROWSE && ++ p_data->rc_msg.msg.browse.p_browse_pkt != NULL) { ++ bta_av_rc_free_browse_msg(p_cb, p_data); ++ } + } + } + diff --git a/Patches/LineageOS-16.0/android_system_bt/366134.patch b/Patches/LineageOS-16.0/android_system_bt/366134.patch new file mode 100644 index 00000000..b2a5a4b0 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/366134.patch 
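Review bot: The null check for the browse packet is added at the call site in bta_av_rc_msg rather than in bta_av_rc_free_browse_msg itself, so any other caller of that helper keeps the abort described in the commit message. Other call sites are not visible in this hunk; if there are any, moving the test into the helper (`if (p_data->rc_msg.msg.browse.p_browse_pkt == NULL) return;` at its top) would cover them all. If the helper already checks the opcode, the `opcode == AVRC_OP_BROWSE` half of the new condition is redundant.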
@@ -0,0 +1,80 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Qiyu Hu +Date: Wed, 13 Jun 2018 08:08:17 -0700 +Subject: [PATCH] Fix reliable write. + +We cannot simply assume the write is terminated in reliable write. When +the reliable write value is longer than MTU allows, the current +implementation can only send whatever MTU allows and naively set the +status to GATT_SUCCESS, in the name of "application should verify handle +offset and value are matched or not". That's why MTU negotiation is a +workaround as people mention in b/37031096, which just fits all the write +value into a single request. + +This also blocks our test on CtsVerifier. + +Bug: 37031096 +Test: Manual test and confirm that we don't simply send partial value +Change-Id: I907877608f4672f24c002e630e58bf9133937a5e +--- + stack/gatt/gatt_cl.cc | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc +index f8d5bab92..16a7171f6 100644 +--- a/stack/gatt/gatt_cl.cc ++++ b/stack/gatt/gatt_cl.cc +@@ -297,7 +297,7 @@ void gatt_send_queue_write_cancel(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, + bool gatt_check_write_long_terminate(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, + tGATT_VALUE* p_rsp_value) { + tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf; +- bool exec = false; ++ bool terminate = false; + tGATT_EXEC_FLAG flag = GATT_PREP_WRITE_EXEC; + + VLOG(1) << __func__; +@@ -310,19 +310,18 @@ bool gatt_check_write_long_terminate(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, + /* data does not match */ + p_clcb->status = GATT_ERROR; + flag = GATT_PREP_WRITE_CANCEL; +- exec = true; ++ terminate = true; + } else /* response checking is good */ + { + p_clcb->status = GATT_SUCCESS; + /* update write offset and check if end of attribute value */ +- if ((p_attr->offset += p_rsp_value->len) >= p_attr->len) exec = true; ++ if ((p_attr->offset += p_rsp_value->len) >= p_attr->len) terminate = true; + } + } +- if 
(exec) { ++ if (terminate && p_clcb->op_subtype != GATT_WRITE_PREPARE) { + gatt_send_queue_write_cancel(tcb, p_clcb, flag); +- return true; + } +- return false; ++ return terminate; + } + + /** Send prepare write */ +@@ -587,15 +586,15 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, + + memcpy(value.value, p, value.len); + ++ if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) { ++ gatt_send_prepare_write(tcb, p_clcb); ++ return; ++ } ++ + if (p_clcb->op_subtype == GATT_WRITE_PREPARE) { +- p_clcb->status = GATT_SUCCESS; + /* application should verify handle offset + and value are matched or not */ +- + gatt_end_operation(p_clcb, p_clcb->status, &value); +- } else if (p_clcb->op_subtype == GATT_WRITE) { +- if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) +- gatt_send_prepare_write(tcb, p_clcb); + } + } + /******************************************************************************* diff --git a/Patches/LineageOS-16.0/android_system_bt/366135.patch b/Patches/LineageOS-16.0/android_system_bt/366135.patch new file mode 100644 index 00000000..7bb1170f --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/366135.patch 
@@ -0,0 +1,44 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Thu, 1 Jun 2023 23:57:58 +0000 +Subject: [PATCH] Fix UAF in gatt_cl.cc + +gatt_cl.cc accesses a header field after the buffer holding it may have +been freed. + +Track the relevant state as a local variable instead. + +Bug: 274617156 +Test: atest: bluetooth, validated against fuzzer +Tag: #security +Ignore-AOSP-First: Security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7a7f7f3311202065de4b2c17b49994053dd1244) +Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724 +Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724 +--- + stack/gatt/gatt_cl.cc | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc +index 16a7171f6..5e4837020 100644 +--- a/stack/gatt/gatt_cl.cc ++++ b/stack/gatt/gatt_cl.cc +@@ -586,12 +586,17 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, + + memcpy(value.value, p, value.len); + ++ bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE); ++ + if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) { + gatt_send_prepare_write(tcb, p_clcb); + return; + } + +- if (p_clcb->op_subtype == GATT_WRITE_PREPARE) { ++ // We now know that we have not terminated, or else we would have returned ++ // early. We free the buffer only if the subtype is not equal to ++ // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF. ++ if (subtype_is_write_prepare) { + /* application should verify handle offset + and value are matched or not */ + gatt_end_operation(p_clcb, p_clcb->status, &value); diff --git a/Patches/LineageOS-16.0/android_system_bt/377777.patch b/Patches/LineageOS-16.0/android_system_bt/377777.patch new file mode 100644 index 00000000..5bef4988 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/377777.patch 
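Review bot: The comment added above `if (subtype_is_write_prepare)` states the opposite of what the code does: the early return just above is taken when gatt_check_write_long_terminate returns false, so reaching this point means the write has terminated, not that it has not. Since that comment is the only justification given for touching p_clcb afterwards, it should read correctly, e.g. `// The non-terminated case returned above, so the long write has ended here.`, followed by the existing sentence about when the buffer is freed. Note also that `gatt_end_operation(p_clcb, p_clcb->status, &value)` still dereferences p_clcb, so the safety argument depends on the clcb staying allocated on the GATT_WRITE_PREPARE path, which is decided outside this hunk.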
@@ -0,0 +1,99 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Sat, 2 Sep 2023 04:20:10 +0000 +Subject: [PATCH] Reject access to secure service authenticated from a temp + bonding [1] + +Rejecct access to services running on l2cap + +Backport of +Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 + +Bug: 294854926 +Test: m com.android.btservices +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d) +Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 +Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 +--- + stack/btm/btm_sec.cc | 38 ++++++++++++++++++++++++++++++++++---- + 1 file changed, 34 insertions(+), 4 deletions(-) + +diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc +index 899b6b908..a4d916cc3 100644 +--- a/stack/btm/btm_sec.cc ++++ b/stack/btm/btm_sec.cc +@@ -98,7 +98,7 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type, + uint32_t mx_proto_id, + uint32_t mx_chan_id); + +-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec); ++static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec); + static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec); + static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec); + static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec, +@@ -140,7 +140,7 @@ static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = { + * Returns bool true or false + * + ******************************************************************************/ +-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) { ++static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec) { + if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) { + return (true); + } +@@ -214,6 +214,25 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec, + return (false); + } + ++/******************************************************************************* ++ * ++ * 
Function access_secure_service_from_temp_bond ++ * ++ * Description a utility function to test whether an access to ++ * secure service from temp bonding is happening ++ * ++ * Returns true if the aforementioned condition holds, ++ * false otherwise ++ * ++ ******************************************************************************/ ++static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec, ++ bool locally_initiated, ++ uint16_t security_req) { ++ return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) && ++ btm_dev_authenticated(p_dev_rec) && ++ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY; ++} ++ + /******************************************************************************* + * + * Function BTM_SecRegister +@@ -2075,9 +2094,13 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm, + } + + if (rc == BTM_SUCCESS) { ++ if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required)) { ++ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting"); ++ rc = BTM_FAILED_ON_SECURITY; ++ } + if (p_callback) +- (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS); +- return (BTM_SUCCESS); ++ (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc); ++ return (rc); + } + } + +@@ -5133,6 +5156,13 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) { + } + } + ++ if (access_secure_service_from_temp_bond(p_dev_rec, ++ p_dev_rec->is_originator, ++ p_dev_rec->security_required)) { ++ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting"); ++ return (BTM_FAILED_ON_SECURITY); ++ } ++ + /* All required security procedures already established */ + p_dev_rec->security_required &= + ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE | diff --git a/Patches/LineageOS-16.0/android_system_bt/377778.patch b/Patches/LineageOS-16.0/android_system_bt/377778.patch new file mode 100644 index 00000000..b0e8c4b4 
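Review bot: The header comment on `access_secure_service_from_temp_bond` says only "true if the aforementioned condition holds", which leaves out the two limits the code applies. It returns true only for requests that are not locally initiated and only when `security_req` carries `BTM_SEC_IN_AUTHENTICATE`. I would spell that out, e.g. `Returns true for a remotely initiated request that requires BTM_SEC_IN_AUTHENTICATE on a link authenticated through a temporary bond`. Both call sites also log the same fixed string with no function name, so a rejection in `btm_sec_l2cap_access_req` cannot be told apart from one in `btm_sec_execute_procedure` when triaging logs; adding `__func__` to the message would fix that. Both callers continue outside their hunks.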
--- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/377778.patch @@ -0,0 +1,37 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Sat, 2 Sep 2023 04:27:29 +0000 +Subject: [PATCH] Reject access to secure services authenticated from temp + bonding [2] + +Reject access to service running on rfcomm + +this is a backport of +I10fcc2dcd78fc22ffbe3c425669fc9889b94a166 + +Bug: 294854926 +Test: m com.android.btservices +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5e0e907ec4948f06b3a35ecf08725c020d533ccb) +Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166 +Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166 +--- + stack/btm/btm_sec.cc | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc +index a4d916cc3..bce9eae06 100644 +--- a/stack/btm/btm_sec.cc ++++ b/stack/btm/btm_sec.cc +@@ -2423,6 +2423,11 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm, + mx_chan_id, p_callback, p_ref_data); + } else /* rc == BTM_SUCCESS */ + { ++ if (access_secure_service_from_temp_bond(p_dev_rec, ++ is_originator, security_required)) { ++ LOG_ERROR(LOG_TAG, "Trying to access a secure rfcomm service from a temp bonding, reject"); ++ rc = BTM_FAILED_ON_SECURITY; ++ } + /* access granted */ + if (p_callback) { + (*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc); diff --git a/Patches/LineageOS-16.0/android_system_bt/377779.patch b/Patches/LineageOS-16.0/android_system_bt/377779.patch new file mode 100644 index 00000000..d85ba587 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/377779.patch 
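Review bot: The existing `/* access granted */` comment in btm_sec_mx_access_request now sits directly below the new rejection, so the callback it describes can be invoked with `BTM_FAILED_ON_SECURITY`. The comment should be updated with the change, for example `/* report the result: granted, or rejected for a temporary bond */`. The `else /* rc == BTM_SUCCESS */` annotation on the branch has the same problem once `rc` is reassigned inside it. What the function returns after the callback is outside the hunk, so it is worth confirming that the caller sees the failure status as well as the callback.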
@@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Tue, 12 Sep 2023 23:47:48 +0000 +Subject: [PATCH] Reject access to secure service authenticated from a temp + bonding [3] + +Allow access to rfcomm PSM by default + +Original bug +Bug: 294854926 + +Nearby regressions: +Bug: 298539299 + +Test: m com.android.btservices +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab986fe4165aae74c5915f57ad2e78bf80f1d3ec) +Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66 +Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66 +--- + stack/btm/btm_sec.cc | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc +index bce9eae06..41f81631e 100644 +--- a/stack/btm/btm_sec.cc ++++ b/stack/btm/btm_sec.cc +@@ -2117,15 +2117,15 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm, + btm_cb.security_mode == BTM_SEC_MODE_SC) { + if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) { + if (is_originator) { +- /* SM4 to SM4 -> always authenticate & encrypt */ +- security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT); ++ /* SM4 to SM4 -> always encrypt */ ++ security_required |= BTM_SEC_OUT_ENCRYPT; + } else /* acceptor */ + { + /* SM4 to SM4: the acceptor needs to make sure the authentication is + * already done */ + chk_acp_auth_done = true; +- /* SM4 to SM4 -> always authenticate & encrypt */ +- security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT); ++ /* SM4 to SM4 -> always encrypt */ ++ security_required |= BTM_SEC_IN_ENCRYPT; + } + } else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) { + /* the remote features are not known yet */ diff --git a/Patches/LineageOS-16.0/android_system_bt/377780.patch b/Patches/LineageOS-16.0/android_system_bt/377780.patch new file mode 100644 index 00000000..0ec4548a --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/377780.patch 
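Review bot: On its own this hunk lowers the SM4-to-SM4 requirement in btm_sec_l2cap_access_req from authenticate-and-encrypt to encrypt only, yet the acceptor branch keeps `chk_acp_auth_done = true` and its comment about making sure authentication is already done. Authentication for an encrypt requirement is only restored by the later patch in this series titled "Enforce authentication if encryption is required", so the two must always be applied together. I would add a comment at both changed assignments such as `/* authentication for an encrypt requirement is enforced in btm_sec_execute_procedure */`. The subject line mentions the rfcomm PSM, while the visible change is not conditioned on a PSM; a sentence in the description explaining that would help reviewers of the backport.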
@@ -0,0 +1,128 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Tue, 12 Sep 2023 23:54:08 +0000 +Subject: [PATCH] Reorganize the code for checking auth requirement + +Original bug +Bug: 294854926 + +regressions: +Bug: 299570702 + +Test: Test: m com.android.btservices +Test: QA validation +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0c488b2420befe0f8038957861072a8e63702f91) +Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4 +Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4 +--- + stack/btm/btm_sec.cc | 93 ++++++++++++++++++++++++++------------------ + 1 file changed, 56 insertions(+), 37 deletions(-) + +diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc +index 41f81631e..b8a423d28 100644 +--- a/stack/btm/btm_sec.cc ++++ b/stack/btm/btm_sec.cc +@@ -5076,46 +5076,65 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) { + + /* If connection is not authenticated and authentication is required */ + /* start authentication and return PENDING to the caller */ +- if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) && +- ((p_dev_rec->is_originator && +- (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) || +- (!p_dev_rec->is_originator && +- (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))) || +- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) && +- (!p_dev_rec->is_originator && +- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) && +- (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) { +-/* +- * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use, +- * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the +- * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM +- * authenticated connections, hence we cannot distinguish here. 
+- */ +- +- BTM_TRACE_EVENT("Security Manager: Start authentication"); ++ if (p_dev_rec->hci_handle != HCI_INVALID_HANDLE) { ++ bool start_auth = false; ++ ++ // Check link status of BR/EDR ++ if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) { ++ if (p_dev_rec->is_originator) { ++ if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) { ++ LOG_DEBUG(LOG_TAG, "Outgoing authentication Required"); ++ start_auth = true; ++ } ++ } else { ++ if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) { ++ LOG_DEBUG(LOG_TAG, "Incoming authentication Required"); ++ start_auth = true; ++ } ++ } ++ } + +- /* +- * If we do have a link-key, but we end up here because we need an +- * upgrade, then clear the link-key known and authenticated flag before +- * restarting authentication. +- * WARNING: If the controller has link-key, it is optional and +- * recommended for the controller to send a Link_Key_Request. +- * In case we need an upgrade, the only alternative would be to delete +- * the existing link-key. That could lead to very bad user experience +- * or even IOP issues, if a reconnect causes a new connection that +- * requires an upgrade. +- */ +- if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) && +- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) && +- (!p_dev_rec->is_originator && +- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) { +- p_dev_rec->sec_flags &= +- ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED | +- BTM_SEC_AUTHENTICATED); ++ if (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)) { ++ /* ++ * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use, ++ * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the ++ * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM ++ * authenticated connections, hence we cannot distinguish here. 
++ */ ++ if (!p_dev_rec->is_originator) { ++ if (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) { ++ LOG_DEBUG(LOG_TAG, "BTM_SEC_IN_MIN_16_DIGIT_PIN Required"); ++ start_auth = true; ++ } ++ } + } + +- btm_sec_start_authentication(p_dev_rec); +- return (BTM_CMD_STARTED); ++ if (start_auth) { ++ LOG_DEBUG(LOG_TAG, "Security Manager: Start authentication"); ++ ++ /* ++ * If we do have a link-key, but we end up here because we need an ++ * upgrade, then clear the link-key known and authenticated flag before ++ * restarting authentication. ++ * WARNING: If the controller has link-key, it is optional and ++ * recommended for the controller to send a Link_Key_Request. ++ * In case we need an upgrade, the only alternative would be to delete ++ * the existing link-key. That could lead to very bad user experience ++ * or even IOP issues, if a reconnect causes a new connection that ++ * requires an upgrade. ++ */ ++ if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) && ++ (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) && ++ (!p_dev_rec->is_originator && ++ (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) { ++ p_dev_rec->sec_flags &= ++ ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED | ++ BTM_SEC_AUTHENTICATED); ++ } ++ ++ btm_sec_start_authentication(p_dev_rec); ++ return (BTM_CMD_STARTED); ++ } + } + + /* If connection is not encrypted and encryption is required */ diff --git a/Patches/LineageOS-16.0/android_system_bt/377781.patch b/Patches/LineageOS-16.0/android_system_bt/377781.patch new file mode 100644 index 00000000..e097021b --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/377781.patch 
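Review bot: The rewritten guard in btm_sec_execute_procedure compares `p_dev_rec->hci_handle` with `HCI_INVALID_HANDLE`, where the removed condition used `BTM_SEC_INVALID_HANDLE`. The commit is described as a reorganisation, so a change of constant should either be reverted to `if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) {` or justified in the description. For this backport it is also worth confirming that `HCI_INVALID_HANDLE` is defined in the target tree with the same value. Separately, the link-key clearing condition repeats the 16-digit-PIN test evaluated a few lines earlier; a local such as `bool need_16_digit_pin` set in the first test would keep the two from drifting apart. The function continues outside the hunk.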
@@ -0,0 +1,46 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Wed, 13 Sep 2023 00:00:44 +0000 +Subject: [PATCH] Enforce authentication if encryption is required + +Original bug +Bug: 294854926 + +regressions: +Bug: 299570702 +Bug: 299561281 + +Test: Test: m com.android.btservices +Test: QA validation +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:778d3fb3fb520e54425ecefe9a28453002053553) +Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa +Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa +--- + stack/btm/btm_sec.cc | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc +index b8a423d28..71f737ebf 100644 +--- a/stack/btm/btm_sec.cc ++++ b/stack/btm/btm_sec.cc +@@ -5082,13 +5082,15 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) { + // Check link status of BR/EDR + if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) { + if (p_dev_rec->is_originator) { +- if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) { +- LOG_DEBUG(LOG_TAG, "Outgoing authentication Required"); ++ if (p_dev_rec->security_required & ++ (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) { ++ LOG_DEBUG(LOG_TAG, "Outgoing authentication/encryption Required"); + start_auth = true; + } + } else { +- if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) { +- LOG_DEBUG(LOG_TAG, "Incoming authentication Required"); ++ if (p_dev_rec->security_required & ++ (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) { ++ LOG_DEBUG(LOG_TAG, "Incoming authentication/encryption Required"); + start_auth = true; + } + } diff --git a/Patches/LineageOS-16.0/android_system_bt/377782.patch b/Patches/LineageOS-16.0/android_system_bt/377782.patch new file mode 100644 index 00000000..cd39cffe --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/377782.patch 
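Review bot: The two widened masks in btm_sec_execute_procedure carry no comment explaining why an encryption requirement now triggers authentication, and the only rationale is in the commit subject. A later reader could mistake the `BTM_SEC_OUT_ENCRYPT` and `BTM_SEC_IN_ENCRYPT` bits for a copy-paste error and remove them. I would add above the outer test `// An encryption requirement implies authentication: start authentication first if the link is not yet authenticated.` The merged log text "authentication/encryption Required" no longer says which bit was set; logging the masked value of `security_required` would keep that information. The enclosing block starts and ends outside the hunk.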
@@ -0,0 +1,56 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Tue, 3 Oct 2023 21:27:49 +0000 +Subject: [PATCH] Fix timing attack in BTM_BleVerifySignature + +BTM_BleVerifySignature uses a stock memcmp, allowing signature contents +to be deduced through a side-channel attack. + +Change to CRYPTO_memcmp, which is hardened against this attack, to +eliminate this attack. + +Bug: 274478807 +Test: atest bluetooth_test_gd_unit +Tag: #security +Ignore-AOSP-First: Security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce) +Merged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c +Change-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c +--- + stack/Android.bp | 1 + + stack/btm/btm_ble.cc | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/stack/Android.bp b/stack/Android.bp +index 03e2c940b..93c989ff5 100644 +--- a/stack/Android.bp ++++ b/stack/Android.bp +@@ -179,6 +179,7 @@ cc_library_static { + "libcutils", + "liblog", + "libstatslog", ++ "libcrypto", + ], + required: [ + "libldacBT_enc", +diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc +index 48f4496b1..82699286a 100644 +--- a/stack/btm/btm_ble.cc ++++ b/stack/btm/btm_ble.cc +@@ -41,6 +41,7 @@ + #include "hcimsgs.h" + #include "log/log.h" + #include "l2c_int.h" ++#include "openssl/mem.h" + #include "osi/include/log.h" + #include "osi/include/osi.h" + #include "smp_api.h" +@@ -2261,7 +2262,7 @@ bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig, + + if (aes_cipher_msg_auth_code(p_rec->ble.keys.pcsrk, p_orig, len, + BTM_CMAC_TLEN_SIZE, p_mac)) { +- if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) { ++ if (CRYPTO_memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) { + btm_ble_increment_sign_ctr(bd_addr, false); + verified = true; + } 
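Review bot: The switch to `CRYPTO_memcmp` in BTM_BleVerifySignature is not explained at the call site, so the reason for the non-standard compare lives only in the commit message. A short comment would protect it from being simplified back later, e.g. `// Constant-time compare: memcmp would leak how many leading MAC bytes matched.` The hunk does not show how many bytes are valid behind `p_comp`, so it is worth confirming that the caller guarantees at least `BTM_CMAC_TLEN_SIZE` bytes there, since the compare always reads that many. The function starts and ends outside the hunk.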
diff --git a/Patches/LineageOS-16.0/android_system_bt/379796.patch b/Patches/LineageOS-16.0/android_system_bt/379796.patch
new file mode 100644
index 00000000..52828875
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_bt/379796.patch
@@ -0,0 +1,135 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Tue, 23 May 2023 23:23:11 +0000 +Subject: [PATCH] Fix some OOB errors in BTM parsing + +Some HCI BLE events are missing bounds checks, leading to possible OOB +access. Add the appropriate bounds checks on the packets. + +Bug: 279169188 +Test: atest bluetooth_test_gd_unit, net_test_stack_btm +Tag: #security +Ignore-AOSP-First: Security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066) +Merged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57 +Change-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57 +--- + stack/btm/btm_ble_gap.cc | 50 ++++++++++++++++++++++++++++++---------- + stack/btu/btu_hcif.cc | 6 +++++ + 2 files changed, 44 insertions(+), 12 deletions(-) + +diff --git a/stack/btm/btm_ble_gap.cc b/stack/btm/btm_ble_gap.cc +index 4e8471261..8a2c53c30 100644 +--- a/stack/btm/btm_ble_gap.cc ++++ b/stack/btm/btm_ble_gap.cc +@@ -1879,19 +1879,27 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) { + advertising_sid; + int8_t rssi, tx_power; + uint16_t event_type, periodic_adv_int, direct_address_type; ++ size_t bytes_to_process; + + /* Only process the results if the inquiry is still active */ + if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return; + ++ bytes_to_process = 1; ++ ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room " ++ "for num reports"; ++ return; ++ } ++ + /* Extract the number of reports in this event. 
*/ + STREAM_TO_UINT8(num_reports, p); + + while (num_reports--) { +- if (p > data + data_len) { +- // TODO(jpawlowski): we should crash the stack here +- BTM_TRACE_ERROR( +- "Malformed LE Extended Advertising Report Event from controller - " +- "can't loop the data"); ++ bytes_to_process += 24; ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room " ++ "for metadata"; + return; + } + +@@ -1911,8 +1919,11 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) { + + uint8_t* pkt_data = p; + p += pkt_data_len; /* Advance to the the next packet*/ +- if (p > data + data_len) { +- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len; ++ ++ bytes_to_process += pkt_data_len; ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room " ++ "for packet data"; + return; + } + +@@ -1941,17 +1952,28 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) { + uint8_t* p = data; + uint8_t legacy_evt_type, addr_type, num_reports, pkt_data_len; + int8_t rssi; ++ size_t bytes_to_process; + + /* Only process the results if the inquiry is still active */ + if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return; + ++ bytes_to_process = 1; ++ ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) ++ << "Malformed LE advertising packet: not enough room for num reports"; ++ return; ++ } ++ + /* Extract the number of reports in this event. 
*/ + STREAM_TO_UINT8(num_reports, p); + + while (num_reports--) { +- if (p > data + data_len) { +- // TODO(jpawlowski): we should crash the stack here +- BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller"); ++ bytes_to_process += 9; ++ ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) ++ << "Malformed LE advertising packet: not enough room for metadata"; + return; + } + +@@ -1963,8 +1985,12 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) { + + uint8_t* pkt_data = p; + p += pkt_data_len; /* Advance to the the rssi byte */ +- if (p > data + data_len - sizeof(rssi)) { +- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len; ++ ++ // include rssi for this check ++ bytes_to_process += pkt_data_len + 1; ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) << "Malformed LE advertising packet: not enough room for " ++ "packet data and/or RSSI"; + return; + } + +diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc +index 720bab266..8c83fa10e 100644 +--- a/stack/btu/btu_hcif.cc ++++ b/stack/btu/btu_hcif.cc +@@ -1810,6 +1810,12 @@ static void btu_ble_data_length_change_evt(uint8_t* p, uint16_t evt_len) { + return; + } + ++ // 2 bytes each for handle, tx_data_len, TxTimer, rx_data_len ++ if (evt_len < 8) { ++ LOG_ERROR(LOG_TAG, "Event packet too short"); ++ return; ++ } ++ + STREAM_TO_UINT16(handle, p); + STREAM_TO_UINT16(tx_data_len, p); + p += 2; /* Skip the TxTimer */ diff --git a/Patches/LineageOS-16.0/android_system_bt/383565.patch b/Patches/LineageOS-16.0/android_system_bt/383565.patch new file mode 100644 index 00000000..fac37519 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/383565.patch 
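Review bot: In both btm_ble_process_ext_adv_pkt and btm_ble_process_adv_pkt the new length check runs after `p += pkt_data_len;`, so for a short packet the pointer has already been moved past the end of `data` before the function returns. Nothing dereferences it on that path as far as the hunk shows, but the check is simpler to reason about if it precedes the advance: add to `bytes_to_process`, compare with `data_len`, and only then do `p += pkt_data_len;`. The per-report sizes `24` and `9` are bare literals, whereas the `8` in btu_ble_data_length_change_evt has a comment listing its fields. A matching comment or a named constant for each would let a reviewer verify them against the `STREAM_TO_*` reads, some of which lie outside the hunk.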
@@ -0,0 +1,44 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Wed, 29 Nov 2023 00:53:33 +0000 +Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and + attp_build_value_cmd + +this is a backport of Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368 + +Bug: 276898739 +Test: manual +Tag: #security +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e) +Merged-In: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3 +Change-Id: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3 +--- + btif/src/btif_gatt_util.cc | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/btif/src/btif_gatt_util.cc b/btif/src/btif_gatt_util.cc +index 16f227511..a0798df15 100644 +--- a/btif/src/btif_gatt_util.cc ++++ b/btif/src/btif_gatt_util.cc +@@ -18,6 +18,8 @@ + + #define LOG_TAG "bt_btif_gatt" + ++#include ++ + #include "btif_gatt_util.h" + + #include +@@ -48,9 +50,9 @@ using bluetooth::Uuid; + void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) { + p_dest->attr_value.auth_req = p_src->attr_value.auth_req; + p_dest->attr_value.handle = p_src->attr_value.handle; +- p_dest->attr_value.len = p_src->attr_value.len; ++ p_dest->attr_value.len = std::min(p_src->attr_value.len, GATT_MAX_ATTR_LEN); + p_dest->attr_value.offset = p_src->attr_value.offset; +- memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN); ++ memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len); + } + + /******************************************************************************* diff --git a/Patches/LineageOS-16.0/android_system_bt/383566.patch b/Patches/LineageOS-16.0/android_system_bt/383566.patch new file mode 100644 index 00000000..0fa6022d --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/383566.patch 
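Review bot: The clamp in btif_to_bta_response truncates an over-long `p_src->attr_value.len` silently, so a response that arrives with a length above `GATT_MAX_ATTR_LEN` leaves no trace for whoever investigates it later. I would log before clamping, for instance `if (p_src->attr_value.len > GATT_MAX_ATTR_LEN) LOG_ERROR(LOG_TAG, "%s: attr_value.len exceeds GATT_MAX_ATTR_LEN, truncating", __func__);`. The `memcpy` now also leaves the tail of `p_dest->attr_value.value` unwritten where it used to copy the full array. If `p_dest` is not zero-initialised by the caller (not visible here), later code has to honour `len` and never read the whole buffer.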
@@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Wed, 29 Nov 2023 18:23:53 +0000 +Subject: [PATCH] Fix an OOB write bug in attp_build_read_by_type_value_cmd + +This is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e + +Bug: 297524203 +Test: m com.android.btservices +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7) +Merged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181 +Change-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181 +--- + stack/gatt/att_protocol.cc | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc +index 142216cc9..5bd814c88 100644 +--- a/stack/gatt/att_protocol.cc ++++ b/stack/gatt/att_protocol.cc +@@ -157,8 +157,14 @@ BT_HDR* attp_build_read_by_type_value_cmd(uint16_t payload_size, + tGATT_FIND_TYPE_VALUE* p_value_type) { + uint8_t* p; + uint16_t len = p_value_type->value_len; +- BT_HDR* p_buf = +- (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET); ++ BT_HDR* p_buf = nullptr; ++ ++ if (payload_size < 5) { ++ return nullptr; ++ } ++ ++ p_buf = ++ (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET); + + p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; + p_buf->offset = L2CAP_MIN_OFFSET; diff --git a/Patches/LineageOS-16.0/android_system_bt/385675.patch b/Patches/LineageOS-16.0/android_system_bt/385675.patch new file mode 100644 index 00000000..354a7e81 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/385675.patch 
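Review bot: The new guard `if (payload_size < 5)` in attp_build_read_by_type_value_cmd uses an unexplained literal and returns `nullptr` without logging. A comment naming the fixed fields that make up the minimum, written next to the check, would let a reviewer confirm that `5` matches what the function writes further down, outside the hunk. The early return also gives callers a new `nullptr` result to handle where, judging from the removed lines, the function previously always allocated; the call sites are not visible here and should be checked for a null test. A log line such as `LOG(ERROR) << "payload size too small";` would make the rejection observable.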
@@ -0,0 +1,133 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ugo Yu +Date: Thu, 29 Nov 2018 17:55:40 +0800 +Subject: [PATCH] Fix OOB caused by invalid SMP packet length + +Bug: 111850706 +Bug: 111213909 +Bug: 111214770 +Bug: 111214470 +Test: PoC, Manully +Change-Id: I889d2de97b1aab706c850a950f668aba558f240f +--- + stack/smp/smp_act.cc | 34 ++++++++++++++++++++++++++++++++++ + stack/smp/smp_int.h | 1 + + stack/smp/smp_utils.cc | 27 +++++++++++++++++++++++++++ + 3 files changed, 62 insertions(+) + +diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc +index 8335adc0d..235e3bb07 100644 +--- a/stack/smp/smp_act.cc ++++ b/stack/smp/smp_act.cc +@@ -510,6 +510,14 @@ void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { + + p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR; + ++ if (smp_command_has_invalid_length(p_cb)) { ++ tSMP_INT_DATA smp_int_data; ++ smp_int_data.status = SMP_INVALID_PARAMETERS; ++ android_errorWriteLog(0x534e4554, "111850706"); ++ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); ++ return; ++ } ++ + STREAM_TO_UINT8(p_cb->peer_io_caps, p); + STREAM_TO_UINT8(p_cb->peer_oob_flag, p); + STREAM_TO_UINT8(p_cb->peer_auth_req, p); +@@ -792,6 +800,14 @@ void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { + + p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR; + ++ if (smp_command_has_invalid_length(p_cb)) { ++ tSMP_INT_DATA smp_int_data; ++ smp_int_data.status = SMP_INVALID_PARAMETERS; ++ android_errorWriteLog(0x534e4554, "111213909"); ++ smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data); ++ return; ++ } ++ + STREAM_TO_UINT8(p_cb->peer_io_caps, p); + STREAM_TO_UINT8(p_cb->peer_oob_flag, p); + STREAM_TO_UINT8(p_cb->peer_auth_req, p); +@@ -1001,6 +1017,15 @@ void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { + tBTM_LE_KEY_VALUE pid_key; + + SMP_TRACE_DEBUG("%s", __func__); ++ ++ if (smp_command_has_invalid_parameters(p_cb)) { ++ tSMP_INT_DATA smp_int_data; ++ 
smp_int_data.status = SMP_INVALID_PARAMETERS; ++ android_errorWriteLog(0x534e4554, "111214770"); ++ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); ++ return; ++ } ++ + smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true); + + STREAM_TO_UINT8(pid_key.pid_key.addr_type, p); +@@ -1027,6 +1052,15 @@ void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { + tBTM_LE_KEY_VALUE le_key; + + SMP_TRACE_DEBUG("%s", __func__); ++ ++ if (smp_command_has_invalid_parameters(p_cb)) { ++ tSMP_INT_DATA smp_int_data; ++ smp_int_data.status = SMP_INVALID_PARAMETERS; ++ android_errorWriteLog(0x534e4554, "111214470"); ++ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); ++ return; ++ } ++ + smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true); + + /* save CSRK to security record */ +diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h +index 1685ffe20..e0e27a4b2 100644 +--- a/stack/smp/smp_int.h ++++ b/stack/smp/smp_int.h +@@ -479,6 +479,7 @@ extern void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b); + extern bool smp_encrypt_data(uint8_t* key, uint8_t key_len, uint8_t* plain_text, + uint8_t pt_len, tSMP_ENC* p_out); + extern bool smp_command_has_invalid_parameters(tSMP_CB* p_cb); ++extern bool smp_command_has_invalid_length(tSMP_CB* p_cb); + extern void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr); + extern tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb); + extern void smp_reverse_array(uint8_t* arr, uint8_t len); +diff --git a/stack/smp/smp_utils.cc b/stack/smp/smp_utils.cc +index 5027e3d97..a13134e60 100644 +--- a/stack/smp/smp_utils.cc ++++ b/stack/smp/smp_utils.cc +@@ -945,6 +945,33 @@ void smp_proc_pairing_cmpl(tSMP_CB* p_cb) { + if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data); + } + ++/******************************************************************************* ++ * ++ * Function smp_command_has_invalid_length ++ * ++ * Description Checks if the received SMP command has invalid length ++ * It returns true if 
the command has invalid length. ++ * ++ * Returns true if the command has invalid length, false otherwise. ++ * ++ ******************************************************************************/ ++bool smp_command_has_invalid_length(tSMP_CB* p_cb) { ++ uint8_t cmd_code = p_cb->rcvd_cmd_code; ++ ++ if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) || ++ (cmd_code < SMP_OPCODE_MIN)) { ++ SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x", ++ __func__, cmd_code); ++ return true; ++ } ++ ++ if (!smp_command_has_valid_fixed_length(p_cb)) { ++ return true; ++ } ++ ++ return false; ++} ++ + /******************************************************************************* + * + * Function smp_command_has_invalid_parameters diff --git a/Patches/LineageOS-16.0/android_system_bt/385676.patch b/Patches/LineageOS-16.0/android_system_bt/385676.patch new file mode 100644 index 00000000..f923eeff --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/385676.patch 
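Review bot: The upper bound in smp_command_has_invalid_length is written as `SMP_OPCODE_MAX + 1` with a comment naming `SMP_OPCODE_PAIR_COMMITM`, so the check stays correct only while that opcode is exactly one above `SMP_OPCODE_MAX`. Comparing against the named value, `cmd_code > SMP_OPCODE_PAIR_COMMITM`, states the intent directly, assuming the constant is defined as the comment implies. It is also worth confirming that `smp_command_has_valid_fixed_length`, which is defined outside the hunk, handles that extra opcode. The four call sites in smp_act.cc repeat the same five-line rejection block and differ only in bug id and event function; a small static helper would keep them consistent. `smp_int_data` is passed on with only `status` assigned, which is fine if the type is a union, but that is not visible here.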
@@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Tue, 28 Nov 2023 19:57:20 +0000 +Subject: [PATCH] Fix an OOB bug in smp_proc_sec_req + +This is a backport of I400cfa3523c6d8b25c233205748c2db5dc803d1d + +Bug: 300903400 +Test: m com.android.btservices +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:970c95d7c06c909c34a849587f701098129fc2ef) +Merged-In: Id4c65801ff8519aff18b24007e344934493cab55 +Change-Id: Id4c65801ff8519aff18b24007e344934493cab55 +--- + stack/smp/smp_act.cc | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc +index 235e3bb07..f530218fb 100644 +--- a/stack/smp/smp_act.cc ++++ b/stack/smp/smp_act.cc +@@ -420,6 +420,13 @@ void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { + * Description process security request. + ******************************************************************************/ + void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { ++ if (smp_command_has_invalid_length(p_cb)) { ++ tSMP_INT_DATA smp_int_data; ++ smp_int_data.status = SMP_INVALID_PARAMETERS; ++ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); ++ return; ++ } ++ + tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data; + tBTM_BLE_SEC_REQ_ACT sec_req_act; + diff --git a/Patches/LineageOS-16.0/android_system_bt/385677.patch b/Patches/LineageOS-16.0/android_system_bt/385677.patch new file mode 100644 index 00000000..b893c364 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/385677.patch 
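Review bot: The rejection path added to smp_proc_sec_req omits the `android_errorWriteLog` call that the sibling length checks in smp_act.cc make, so a malformed security request is dropped without the security event the other handlers emit. For parity I would add `android_errorWriteLog(0x534e4554, "300903400");` before `smp_sm_event`, using the bug id from this commit's message. The check is correctly placed ahead of the `*(tBTM_LE_AUTH_REQ*)p_data` read. The rest of the function is outside the hunk.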
@@ -0,0 +1,115 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Fri, 15 Dec 2023 22:55:33 +0000 +Subject: [PATCH] Reland: Fix an OOB write bug in attp_build_value_cmd + +This is a backport of I291fd665a68d90813b8c21c80d23cc438f84f285 + +Bug: 295887535 +Bug: 315127634 +Test: m com.android.btservices +Test: atest net_test_stack_gatt +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:70f7ff2b34e6683301c9c6cd021e1ddef76c5b1c) +Merged-In: Ieffac6db5c6359b071efc599f7a70de609b80b72 +Change-Id: Ieffac6db5c6359b071efc599f7a70de609b80b72 +--- + stack/gatt/att_protocol.cc | 56 ++++++++++++++++++++++++++++++-------- + 1 file changed, 45 insertions(+), 11 deletions(-) + +diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc +index 5bd814c88..286dc8844 100644 +--- a/stack/gatt/att_protocol.cc ++++ b/stack/gatt/att_protocol.cc +@@ -278,46 +278,80 @@ BT_HDR* attp_build_opcode_cmd(uint8_t op_code) { + BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code, + uint16_t handle, uint16_t offset, uint16_t len, + uint8_t* p_data) { +- uint8_t *p, *pp, pair_len, *p_pair_len; ++ uint8_t *p, *pp, *p_pair_len; ++ size_t pair_len; ++ size_t size_now = 1; ++ ++#define CHECK_SIZE() \ ++ do { \ ++ if (size_now > payload_size) { \ ++ LOG(ERROR) << "payload size too small"; \ ++ osi_free(p_buf); \ ++ return nullptr; \ ++ } \ ++ } while (false) ++ + BT_HDR* p_buf = + (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET); + + p = pp = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; ++ ++ CHECK_SIZE(); + UINT8_TO_STREAM(p, op_code); + p_buf->offset = L2CAP_MIN_OFFSET; +- p_buf->len = 1; + + if (op_code == GATT_RSP_READ_BY_TYPE) { +- p_pair_len = p; ++ p_pair_len = p++; + pair_len = len + 2; +- UINT8_TO_STREAM(p, pair_len); +- p_buf->len += 1; ++ size_now += 1; ++ CHECK_SIZE(); ++ // this field will be backfilled in the end of this function + } ++ + if 
(op_code != GATT_RSP_READ_BLOB && op_code != GATT_RSP_READ) { ++ size_now += 2; ++ CHECK_SIZE(); + UINT16_TO_STREAM(p, handle); +- p_buf->len += 2; + } + + if (op_code == GATT_REQ_PREPARE_WRITE || op_code == GATT_RSP_PREPARE_WRITE) { ++ size_now += 2; ++ CHECK_SIZE(); + UINT16_TO_STREAM(p, offset); +- p_buf->len += 2; + } + + if (len > 0 && p_data != NULL) { + /* ensure data not exceed MTU size */ +- if (payload_size - p_buf->len < len) { +- len = payload_size - p_buf->len; ++ if (payload_size - size_now < len) { ++ len = payload_size - size_now; + /* update handle value pair length */ +- if (op_code == GATT_RSP_READ_BY_TYPE) *p_pair_len = (len + 2); ++ if (op_code == GATT_RSP_READ_BY_TYPE) { ++ pair_len = (len + 2); ++ } + + LOG(WARNING) << StringPrintf( + "attribute value too long, to be truncated to %d", len); + } + ++ size_now += len; ++ CHECK_SIZE(); + ARRAY_TO_STREAM(p, p_data, len); +- p_buf->len += len; + } + ++ // backfill pair len field ++ if (op_code == GATT_RSP_READ_BY_TYPE) { ++ if (pair_len > UINT8_MAX) { ++ LOG(ERROR) << StringPrintf("pair_len greater than %d", UINT8_MAX); ++ osi_free(p_buf); ++ return nullptr; ++ } ++ ++ *p_pair_len = (uint8_t)pair_len; ++ } ++ ++#undef CHECK_SIZE ++ ++ p_buf->len = (uint16_t)size_now; + return p_buf; + } + diff --git a/Patches/LineageOS-16.0/android_system_bt/385678.patch b/Patches/LineageOS-16.0/android_system_bt/385678.patch new file mode 100644 index 00000000..368f6ccb --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/385678.patch 
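Review bot: attp_build_value_cmd can now return nullptr from every `CHECK_SIZE()` site and from the `pair_len > UINT8_MAX` branch, so each caller has to treat a null result as a build failure. The callers are outside this hunk and should be checked when this backport is applied. The macro also hides an `osi_free(p_buf)` and a `return` behind what reads as a plain statement; a comment on the `#define`, such as `// frees p_buf and returns nullptr from the enclosing function when size_now exceeds payload_size`, would make that control flow visible to the next reader.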
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Tue, 9 Jan 2024 22:38:20 +0000
+Subject: [PATCH] Fix a security bypass issue in
+ access_secure_service_from_temp_bond
+
+Backport I48df2c2d77810077e97d4131540277273d441998
+to rvc-dev
+
+Bug: 318374503
+Test: m com.android.btservices | manual test against PoC | QA
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e908c16d9157b9e4a936117f06b8f964cf8386b8)
+Merged-In: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f
+Change-Id: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f
+---
+ stack/btm/btm_sec.cc | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 71f737ebf..e054b3111 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -229,8 +229,7 @@ static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_r
+ bool locally_initiated,
+ uint16_t security_req) {
+ return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
+- btm_dev_authenticated(p_dev_rec) &&
+- p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
++ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
+ }
+
+ /*******************************************************************************
diff --git a/Patches/LineageOS-16.0/android_system_core/332765.patch b/Patches/LineageOS-16.0/android_system_core/332765.patch
new file mode 100644
index 00000000..95232247
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_core/332765.patch
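Review bot: The predicate in access_secure_service_from_temp_bond now ignores the link's authentication state, and nothing in the code says that this is deliberate, so the dropped `btm_dev_authenticated(p_dev_rec)` term looks like something a later cleanup might restore. I would add a comment above the `return`, e.g. `// Not gated on btm_dev_authenticated(): a temporary bond is matched here whether or not the link is authenticated.` How callers act on a true result is outside this hunk. The function's signature also starts outside the hunk and is truncated in the hunk header.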
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shaju Mathew
+Date: Tue, 5 Apr 2022 04:01:04 -0700
+Subject: [PATCH] Backport of Win-specific suppression of potentially rogue
+ construct that can engage in directory traversal on the host.
+
+Bug:209438553
+
+Ignore-AOSP-First: Resolution for potential security exploit.
+
+Test: Synced just system/core, therefore relying on presubmits for now.
+Will followup with a full-fledged sync and manual cursory test.
+
+Signed-off-by: Shaju Mathew
+Change-Id: I993a00ce6130478b7becfdbea816c348824f319f
+Merged-In: Ie1f82db2fb14e1bdd183bf8d3d93d5e9f974be5d
+(cherry picked from commit a36a342ec9721240e5a48ca50e833b9a35bef256)
+Merged-In: I993a00ce6130478b7becfdbea816c348824f319f
+---
+ adb/file_sync_client.cpp | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/adb/file_sync_client.cpp b/adb/file_sync_client.cpp
+index 26f8d831c..57704c866 100644
+--- a/adb/file_sync_client.cpp
++++ b/adb/file_sync_client.cpp
+@@ -629,6 +629,18 @@ static bool sync_ls(SyncConnection& sc, const char* path,
+ if (!ReadFdExactly(sc.fd, buf, len)) return false;
+ buf[len] = 0;
+
++ // Address the unlikely scenario wherein a
++ // compromised device/service might be able to
++ // traverse across directories on the host. Let's
++ // shut that door!
++ if (strchr(buf, '/')
++#if defined(_WIN32)
++ || strchr(buf, '\\')
++#endif
++ ) {
++ return false;
++ }
++
+ func(msg.dent.mode, msg.dent.size, msg.dent.time, buf);
+ }
+ }
diff --git a/Patches/LineageOS-16.0/android_system_netd/378480.patch b/Patches/LineageOS-16.0/android_system_netd/378480.patch
new file mode 100644
index 00000000..00051db8
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_netd/378480.patch
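Review bot: The new check in sync_ls rejects entry names containing a path separator, but a name that is exactly `..` or `.` still reaches `func`. Whether that matters depends on how each callback joins `buf` onto a host path, which is outside this hunk, so confirm that every callback skips those two names. The rejection path is also a bare `return false` with no message, so a listing aborted by this guard cannot be told apart from an I/O failure. An error naming the rejected entry before the `return` would make the condition diagnosable. The comment would be more useful if it said that `buf` is a device-supplied directory entry name that must be a single path component.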
@@ -0,0 +1,114 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Lin Lee +Date: Mon, 7 Aug 2023 09:34:41 +0000 +Subject: [PATCH] Fix Heap-use-after-free in MDnsSdListener::Monitor::run + +Use thread join to avoid thread exiting after instance +recycled. + +Prior to implementing this patch, fuzzing would lead to a segmentation fault after approximately 500 rounds. With the addition of the patch, the fuzzing process can now be repeated for over 30,000 rounds. + +Test: m, fuzzing +Fuzzing: mma mdns_service_fuzzer && adb sync data && adb shell /data/fuzz/arm64/mdns_service_fuzzer/mdns_service_fuzzer + +Bug: 272382770 +Ignore-AOSP-First: Security Issue +(cherry picked from commit 9c0c15f80cffb98b36284dd169a2e62e059dbbe3) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:75e5e2e1faec7aa2812fc6fba30d6fe80558bacd) +Merged-In: I5bc85451b4e6539bad45ceb672924a37952cc138 +Change-Id: I5bc85451b4e6539bad45ceb672924a37952cc138 +--- + server/MDnsSdListener.cpp | 36 ++++++++++++++++++++++++------------ + server/MDnsSdListener.h | 4 +++- + 2 files changed, 27 insertions(+), 13 deletions(-) + +diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp +index b54014cd..e3dd616d 100644 +--- a/server/MDnsSdListener.cpp ++++ b/server/MDnsSdListener.cpp +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + #define LOG_TAG "MDnsDS" + #define DBG 1 +@@ -524,10 +525,17 @@ MDnsSdListener::Monitor::Monitor() { + socketpair(AF_LOCAL, SOCK_STREAM, 0, mCtrlSocketPair); + pthread_mutex_init(&mHeadMutex, NULL); + +- const int rval = ::android::net::threadLaunch(this); +- if (rval != 0) { +- ALOGW("Error spawning monitor thread: %s (%d)", strerror(-rval), -rval); +- } ++ mRescanThread = new std::thread(&Monitor::run, this); ++ if (!mRescanThread->joinable()) ALOGE("Unable to launch thread."); ++} ++ ++MDnsSdListener::Monitor::~Monitor() { ++ if (VDBG) ALOGD("Monitor recycling"); ++ close(mCtrlSocketPair[1]); // 
interrupt poll in MDnsSdListener::Monitor::run() and revent will ++ // be 17 = POLLIN | POLLHUP ++ mRescanThread->join(); ++ delete mRescanThread; ++ if (VDBG) ALOGD("Monitor recycled"); + } + + #define NAP_TIME 200 // 200 ms between polls +@@ -617,14 +625,18 @@ void MDnsSdListener::Monitor::run() { + } + } + if (VDBG) ALOGD("controlSocket shows revent= %d", mPollFds[0].revents); +- switch (mPollFds[0].revents) { +- case POLLIN: { +- char readBuf[2]; +- read(mCtrlSocketPair[0], &readBuf, 1); +- if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]); +- if (memcmp(RESCAN, readBuf, 1) == 0) { +- pollCount = rescan(); +- } ++ if (mPollFds[0].revents & POLLHUP) { ++ free(mPollFds); ++ free(mPollRefs); ++ if (VDBG) ALOGD("Monitor thread leaving."); ++ return; ++ } ++ if (mPollFds[0].revents == POLLIN) { ++ char readBuf[2]; ++ read(mCtrlSocketPair[0], &readBuf, 1); ++ if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]); ++ if (memcmp(RESCAN, readBuf, 1) == 0) { ++ pollCount = rescan(); + } + } + mPollFds[0].revents = 0; +diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h +index 8c6096e8..2b3cb5e2 100644 +--- a/server/MDnsSdListener.h ++++ b/server/MDnsSdListener.h +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + #include "NetdCommand.h" + +@@ -71,7 +72,7 @@ private: + class Monitor { + public: + Monitor(); +- virtual ~Monitor() {} ++ ~Monitor(); + DNSServiceRef *allocateServiceRef(int id, Context *c); + void startMonitoring(int id); + DNSServiceRef *lookupServiceRef(int id); +@@ -101,6 +102,7 @@ private: + int mPollSize; + int mCtrlSocketPair[2]; + pthread_mutex_t mHeadMutex; ++ std::thread* mRescanThread; + }; + + class Handler : public NetdCommand { diff --git a/Patches/LineageOS-16.0/android_system_nfc/332766.patch b/Patches/LineageOS-16.0/android_system_nfc/332766.patch new file mode 100644 index 00000000..79b77f86 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_nfc/332766.patch 
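Review bot: The new `~Monitor()` closes only `mCtrlSocketPair[1]`; the read end `mCtrlSocketPair[0]` is not closed anywhere in the lines shown, so each recycled Monitor would leak one descriptor unless it is closed elsewhere. After `mRescanThread->join();` I would add `close(mCtrlSocketPair[0]);`. The `joinable()` test after `new std::thread(...)` cannot detect a failed launch either, because the std::thread constructor throws on failure instead of returning an unjoinable object. The POLLHUP branch in run() frees `mPollFds` and `mPollRefs` without nulling them, which is safe only if nothing touches them after the thread exits; that is not visible in this hunk.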
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Thu, 17 Mar 2022 15:39:20 -0700
+Subject: [PATCH] Out of Bounds Read in nfa_dm_check_set_config
+
+Bug: 221216105
+Test: build ok
+Change-Id: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229
+(cherry picked from commit 88c5c267e889699c71412022e3fcb03d20100e99)
+Merged-In: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229
+---
+ src/nfa/dm/nfa_dm_main.cc | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/nfa/dm/nfa_dm_main.cc b/src/nfa/dm/nfa_dm_main.cc
+index f73d9c0..0c42da7 100644
+--- a/src/nfa/dm/nfa_dm_main.cc
++++ b/src/nfa/dm/nfa_dm_main.cc
+@@ -25,6 +25,7 @@
+
+ #include
+ #include
++#include
+
+ #include "nfa_api.h"
+ #include "nfa_dm_int.h"
+@@ -234,6 +235,12 @@ tNFA_STATUS nfa_dm_check_set_config(uint8_t tlv_list_len, uint8_t* p_tlv_list,
+ len = *(p_tlv_list + xx + 1);
+ p_value = p_tlv_list + xx + 2;
+ p_cur_len = NULL;
++ if (len > (tlv_list_len - xx - 2)) {
++ LOG(ERROR) << StringPrintf("error: invalid TLV length: t:0x%x, l:%d",
++ type, len);
++ android_errorWriteLog(0x534e4554, "221216105");
++ return NFA_STATUS_FAILED;
++ }
+
+ switch (type) {
+ /*
diff --git a/Patches/LineageOS-16.0/android_system_nfc/332767.patch b/Patches/LineageOS-16.0/android_system_nfc/332767.patch
new file mode 100644
index 00000000..dd96d2b7
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_nfc/332767.patch
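Review bot: The added bound in nfa_dm_check_set_config covers only the value bytes, while the length byte at `p_tlv_list + xx + 1` is read on the line before the check. The guard is therefore complete only if the enclosing loop guarantees that at least two header bytes remain at offset `xx`. That loop condition is outside this hunk and should be confirmed. A comment above the `if` would record the dependency, e.g. `/* value must fit in what is left after the 2-byte type/len header; the loop condition guarantees the header itself */`. The comparison also relies on `tlv_list_len - xx - 2` being evaluated as a signed int after promotion, which is worth noting in the same comment.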
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Tue, 8 Mar 2022 17:27:34 -0800
+Subject: [PATCH] Double Free in ce_t4t_data_cback
+
+Bug: 221862119
+Test: build ok
+Change-Id: If12f98033b8c1bc1b57b27d338fa33b6a3cce640
+(cherry picked from commit 2fcf7d677bcebae5a00db43938460bcce267149e)
+Merged-In: If12f98033b8c1bc1b57b27d338fa33b6a3cce640
+---
+ src/nfc/tags/ce_t4t.cc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/nfc/tags/ce_t4t.cc b/src/nfc/tags/ce_t4t.cc
+index 9b859e2..b3b9842 100644
+--- a/src/nfc/tags/ce_t4t.cc
++++ b/src/nfc/tags/ce_t4t.cc
+@@ -630,6 +630,7 @@ static void ce_t4t_data_cback(uint8_t conn_id, tNFC_CONN_EVT event,
+ } else {
+ GKI_freebuf(p_c_apdu);
+ ce_t4t_send_status(T4T_RSP_NOT_FOUND);
++ return;
+ }
+ } else if (ce_cb.mem.t4t.status & CE_T4T_STATUS_WILDCARD_AID_SELECTED) {
+ DLOG_IF(INFO, nfc_debug_enabled)
diff --git a/Patches/LineageOS-16.0/android_system_nfc/332768.patch b/Patches/LineageOS-16.0/android_system_nfc/332768.patch
new file mode 100644
index 00000000..204a786d
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_nfc/332768.patch
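Review bot: The added `return;` in ce_t4t_data_cback carries no explanation, and it is the only thing keeping `p_c_apdu` from being released a second time by code later in the function. That later code is outside this hunk, so this is inferred from the commit subject. I would annotate it, e.g. `return; /* p_c_apdu was freed above; must not fall through to the common release path */`. Other branches of the same function that call `GKI_freebuf(p_c_apdu)` should be checked for the same fall-through when this backport is applied.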
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Mon, 21 Mar 2022 19:31:28 -0700
+Subject: [PATCH] OOBR in nfc_ncif_proc_ee_discover_req()
+
+Bug: 221856662
+Test: build ok
+Change-Id: If4b4872e4101fc65172596b4f7579b259b6f6b63
+(cherry picked from commit 1c6ab25b3d76c2ced764dc649bec6cf05aecd198)
+Merged-In: If4b4872e4101fc65172596b4f7579b259b6f6b63
+---
+ src/nfc/nfc/nfc_ncif.cc | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/nfc/nfc/nfc_ncif.cc b/src/nfc/nfc/nfc_ncif.cc
+index 6d6607d..4bb6ba6 100644
+--- a/src/nfc/nfc/nfc_ncif.cc
++++ b/src/nfc/nfc/nfc_ncif.cc
+@@ -1179,6 +1179,12 @@ void nfc_ncif_proc_ee_discover_req(uint8_t* p, uint16_t plen) {
+
+ DLOG_IF(INFO, nfc_debug_enabled)
+ << StringPrintf("nfc_ncif_proc_ee_discover_req %d len:%d", *p, plen);
++
++ if (!plen) {
++ android_errorWriteLog(0x534e4554, "221856662");
++ return;
++ }
++
+ if (p_cback) {
+ u8 = *p;
+ ee_disc_req.status = NFC_STATUS_OK;
diff --git a/Patches/LineageOS-16.0/android_system_nfc/342098.patch b/Patches/LineageOS-16.0/android_system_nfc/342098.patch
new file mode 100644
index 00000000..5af90806
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_nfc/342098.patch
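Review bot: The `DLOG_IF` statement above the new `if (!plen)` guard in nfc_ncif_proc_ee_discover_req still evaluates `*p`, so a zero-length packet is read by the log argument before the check can reject it. The log has to sit below the guard, which is what the follow-up patch 342098.patch in this same series does. The two patches should therefore always be applied together, and a tree carrying only this one remains exposed. The guard also checks only for an empty packet; reads past the first byte further down the function are outside this hunk and need their own bounds.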
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Tue, 2 Aug 2022 13:32:30 -0700
+Subject: [PATCH] The length of a packet should be non-zero
+
+Bug: 221856662
+Bug: 237079835
+Test: no functional changes, the build is ok
+Change-Id: I6defe4025c962ae7dde2e673e2bfcfc15785cc12
+(cherry picked from commit 396ac0e081ae67a1d743e0373257ec869692912c)
+Merged-In: I6defe4025c962ae7dde2e673e2bfcfc15785cc12
+---
+ src/nfc/nfc/nfc_ncif.cc | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/nfc/nfc/nfc_ncif.cc b/src/nfc/nfc/nfc_ncif.cc
+index 4bb6ba6..fafd0c1 100644
+--- a/src/nfc/nfc/nfc_ncif.cc
++++ b/src/nfc/nfc/nfc_ncif.cc
+@@ -1177,14 +1177,14 @@ void nfc_ncif_proc_ee_discover_req(uint8_t* p, uint16_t plen) {
+ tNFC_EE_DISCOVER_INFO* p_info;
+ uint8_t u8;
+
+- DLOG_IF(INFO, nfc_debug_enabled)
+- << StringPrintf("nfc_ncif_proc_ee_discover_req %d len:%d", *p, plen);
+-
+ if (!plen) {
+ android_errorWriteLog(0x534e4554, "221856662");
+ return;
+ }
+
++ DLOG_IF(INFO, nfc_debug_enabled)
++ << StringPrintf("nfc_ncif_proc_ee_discover_req %d len:%d", *p, plen);
++
+ if (p_cback) {
+ u8 = *p;
+ ee_disc_req.status = NFC_STATUS_OK;
diff --git a/Patches/LineageOS-16.0/android_system_nfc/354248.patch b/Patches/LineageOS-16.0/android_system_nfc/354248.patch
new file mode 100644
index 00000000..7c5418d3
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_nfc/354248.patch
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Tue, 31 Jan 2023 19:04:09 -0800
+Subject: [PATCH] OOBW in nci_snd_set_routing_cmd()
+
+Bug: 264879662
+Test: read a tag, nfc on/off
+Change-Id: I408cf611fb35e9467d7484165ce48759970b158a
+(cherry picked from commit 1dd4d2e1b481dd83ca2b222993fdb74ae5306c78)
+Merged-In: I408cf611fb35e9467d7484165ce48759970b158a
+---
+ src/nfc/nci/nci_hmsgs.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/nfc/nci/nci_hmsgs.cc b/src/nfc/nci/nci_hmsgs.cc
+index 245b06a..d97f725 100644
+--- a/src/nfc/nci/nci_hmsgs.cc
++++ b/src/nfc/nci/nci_hmsgs.cc
+@@ -630,6 +630,10 @@ uint8_t nci_snd_set_routing_cmd(bool more, uint8_t num_tlv, uint8_t tlv_size,
+ uint8_t* pp;
+ uint8_t size = tlv_size + 2;
+
++ if (size < tlv_size) {
++ return (NCI_STATUS_FAILED);
++ }
++
+ if (tlv_size == 0) {
+ /* just to terminate routing table
+ * 2 bytes (more=FALSE and num routing entries=0) */
diff --git a/Patches/LineageOS-16.0/android_system_nfc/361251.patch b/Patches/LineageOS-16.0/android_system_nfc/361251.patch
new file mode 100644
index 00000000..b0624a9b
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_system_nfc/361251.patch
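Review bot: The overflow test in nci_snd_set_routing_cmd is written after the fact, `if (size < tlv_size)`, and only works because `size` is a `uint8_t` that has already wrapped. That is correct for the two wrapping inputs, but the intent is easy to miss and would silently break if `size` were ever widened. Stating the bound on the input is clearer: `if (tlv_size > UINT8_MAX - 2) return (NCI_STATUS_FAILED);`. The rejection path also leaves no log line, unlike the other NFC fixes in this series that call `android_errorWriteLog`. The function body continues outside the hunk.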
@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Tue, 2 May 2023 14:20:57 -0700
+Subject: [PATCH] OOBW in rw_i93_send_to_upper()
+
+Bug: 271849189
+Test: tag r/w
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc9d09e1698725712628d394bf9be4c9003579e8)
+Merged-In: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
+Change-Id: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
+---
+ src/nfc/tags/rw_i93.cc | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
+index acf28a6..232a4dd 100644
+--- a/src/nfc/tags/rw_i93.cc
++++ b/src/nfc/tags/rw_i93.cc
+@@ -507,6 +507,15 @@ void rw_i93_send_to_upper(NFC_HDR* p_resp) {
+ case I93_CMD_GET_MULTI_BLK_SEC:
+ case I93_CMD_EXT_GET_MULTI_BLK_SEC:
+
++ if (UINT16_MAX - length < NFC_HDR_SIZE) {
++ rw_data.i93_cmd_cmpl.status = NFC_STATUS_FAILED;
++ rw_data.i93_cmd_cmpl.command = p_i93->sent_cmd;
++ rw_cb.tcb.i93.sent_cmd = 0;
++
++ event = RW_I93_CMD_CMPL_EVT;
++ break;
++ }
++
+ /* forward tag data or security status */
+ p_buff = (NFC_HDR*)GKI_getbuf((uint16_t)(length + NFC_HDR_SIZE));
+
diff --git a/Patches/LineageOS-16.0/android_tools_apksig/361280.patch b/Patches/LineageOS-16.0/android_tools_apksig/361280.patch
new file mode 100644
index 00000000..c51361d8
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_tools_apksig/361280.patch
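Review bot: The new failure branch in rw_i93_send_to_upper reads the command through `p_i93->sent_cmd` and clears it on the next line through `rw_cb.tcb.i93.sent_cmd`. If `p_i93` points at `rw_cb.tcb.i93`, which is not visible in this hunk, one spelling should be used for both, e.g. `p_i93->sent_cmd = 0;`. If it does not, the mismatch deserves a comment. The guard itself would benefit from a one-line reason, such as `/* length + NFC_HDR_SIZE is cast to uint16_t for GKI_getbuf; reject lengths that would wrap */`. The declaration of `length` and the use of `p_buff` after allocation are outside the hunk.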
@@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Khaled Abdelmohsen
+Date: Mon, 24 Feb 2020 16:59:21 +0000
+Subject: [PATCH] Create source stamp verifier
+
+Bug: 148005911
+Test: gradlew test
+Change-Id: I7008c9567ad5e8b63e7f6ba192d38b10c5c9a2dc
+Merged-In: I7008c9567ad5e8b63e7f6ba192d38b10c5c9a2dc
+(cherry picked from commit a3970357d65d59b70c6ccf2c5c55000cb4310953)
+---
+ .../internal/apk/ApkSigningBlockUtils.java | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/main/java/com/android/apksig/internal/apk/ApkSigningBlockUtils.java b/src/main/java/com/android/apksig/internal/apk/ApkSigningBlockUtils.java
+index 2330f6d..f15597b 100644
+--- a/src/main/java/com/android/apksig/internal/apk/ApkSigningBlockUtils.java
++++ b/src/main/java/com/android/apksig/internal/apk/ApkSigningBlockUtils.java
+@@ -998,6 +998,20 @@ public class ApkSigningBlockUtils {
+ return false;
+ }
+
++ public boolean containsWarnings() {
++ if (!mWarnings.isEmpty()) {
++ return true;
++ }
++ if (!signers.isEmpty()) {
++ for (SignerInfo signer : signers) {
++ if (signer.containsWarnings()) {
++ return true;
++ }
++ }
++ }
++ return false;
++ }
++
+ public void addError(ApkVerifier.Issue msg, Object... parameters) {
+ mErrors.add(new ApkVerifier.IssueWithParams(msg, parameters));
+ }
+@@ -1042,6 +1056,10 @@ public class ApkSigningBlockUtils {
+ return !mErrors.isEmpty();
+ }
+
++ public boolean containsWarnings() {
++ return !mWarnings.isEmpty();
++ }
++
+ public List getErrors() {
+ return mErrors;
+ }
diff --git a/Patches/LineageOS-16.0/android_tools_apksig/361281.patch b/Patches/LineageOS-16.0/android_tools_apksig/361281.patch
new file mode 100644
index 00000000..f7339f8f
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_tools_apksig/361281.patch
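Review bot: Neither new `containsWarnings()` method has Javadoc, and the two differ in scope: the first also reports warnings held by any entry in `signers`, while the second looks only at its own `mWarnings`. A one-line comment on each would spare callers from guessing, e.g. `/** Returns true if this result or any of its signers has recorded a warning. */` on the first. In the first method the `if (!signers.isEmpty())` wrapper around the for-each is redundant, because iterating an empty collection does nothing, so the loop can stand alone. Both enclosing classes start outside the hunk.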
@@ -0,0 +1,1441 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Michael Groover +Date: Fri, 31 Mar 2023 14:30:21 -0500 +Subject: [PATCH] Limit the number of supported v1 and v2 signers + +The v1 and v2 APK Signature Schemes support multiple signers; this +was intended to allow multiple entities to sign an APK. Previously, +there were no limits placed on the number of signers that could +sign an APK, but this commit sets a hard limit of 10 supported +signers for these signature schemes to ensure a large number of +signers does not place undue burden on the platform. + +Bug: 266580022 +Test: gradlew test +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ea0632935646f2f6bf5822a5e9c97885269780bd) +Merged-In: I77f4218599511ff4f9f3790e4942a329d5a18da4 +Change-Id: I77f4218599511ff4f9f3790e4942a329d5a18da4 + +Change-Id: I604ce656e6dcd750e664adcb814c5c66f7b80ce1 +--- + .../java/com/android/apksig/ApkVerifier.java | 29 +++++ + .../internal/apk/v1/V1SchemeSigner.java | 7 ++ + .../internal/apk/v1/V1SchemeVerifier.java | 7 ++ + .../internal/apk/v2/V2SchemeSigner.java | 6 ++ + .../internal/apk/v2/V2SchemeVerifier.java | 4 + + .../com/android/apksig/ApkSignerTest.java | 100 ++++++++++++++++++ + .../com/android/apksig/ApkVerifierTest.java | 31 ++++++ + .../com/android/apksig/v1-only-10-signers.apk | Bin 0 -> 18389 bytes + .../com/android/apksig/v1-only-11-signers.apk | Bin 0 -> 22297 bytes + .../com/android/apksig/v2-only-10-signers.apk | Bin 0 -> 20688 bytes + .../com/android/apksig/v2-only-11-signers.apk | Bin 0 -> 24784 bytes + 11 files changed, 184 insertions(+) + create mode 100644 src/test/resources/com/android/apksig/v1-only-10-signers.apk + create mode 100644 src/test/resources/com/android/apksig/v1-only-11-signers.apk + create mode 100644 src/test/resources/com/android/apksig/v2-only-10-signers.apk + create mode 100644 src/test/resources/com/android/apksig/v2-only-11-signers.apk + +diff --git 
a/src/main/java/com/android/apksig/ApkVerifier.java b/src/main/java/com/android/apksig/ApkVerifier.java +index 5e458ef..62b132a 100644 +--- a/src/main/java/com/android/apksig/ApkVerifier.java ++++ b/src/main/java/com/android/apksig/ApkVerifier.java +@@ -620,6 +620,15 @@ public class ApkVerifier { + } + + private void mergeFrom(ApkSigningBlockUtils.Result source) { ++ if (source == null) { ++ return; ++ } ++ if (source.containsErrors()) { ++ mErrors.addAll(source.getErrors()); ++ } ++ if (source.containsWarnings()) { ++ mWarnings.addAll(source.getWarnings()); ++ } + switch (source.signatureSchemeVersion) { + case ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V2: + mVerifiedUsingV2Scheme = source.verified; +@@ -897,6 +906,16 @@ public class ApkVerifier { + */ + JAR_SIG_NO_SIGNATURES("No JAR signatures"), + ++ /** ++ * APK signature scheme v1 has exceeded the maximum number of jar signers. ++ *

    ++ *
  • Parameter 1: maximum allowed signers ({@code Integer})
  • ++ *
  • Parameter 2: total number of signers ({@code Integer})
  • ++ *
++ */ ++ JAR_SIG_MAX_SIGNATURES_EXCEEDED( ++ "APK Signature Scheme v1 only supports a maximum of %1$d signers, found %2$d"), ++ + /** + * APK does not contain any entries covered by JAR signatures. + */ +@@ -1325,6 +1344,16 @@ public class ApkVerifier { + "APK Signature Scheme v2 signature %1$s indicates the APK is signed using %2$s but " + + "no such signature was found. Signature stripped?"), + ++ /** ++ * APK signature scheme v2 has exceeded the maximum number of signers. ++ *
    ++ *
  • Parameter 1: maximum allowed signers ({@code Integer})
  • ++ *
  • Parameter 2: total number of signers ({@code Integer})
  • ++ *
++ */ ++ V2_SIG_MAX_SIGNATURES_EXCEEDED( ++ "APK Signature Scheme V2 only supports a maximum of %1$d signers, found %2$d"), ++ + /** + * APK Signature Scheme v2 signature contains no signers. + */ +diff --git a/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeSigner.java b/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeSigner.java +index f900211..05721ed 100644 +--- a/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeSigner.java ++++ b/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeSigner.java +@@ -246,9 +246,16 @@ public abstract class V1SchemeSigner { + String createdBy) + throws NoSuchAlgorithmException, ApkFormatException, InvalidKeyException, + CertificateException, SignatureException { ++ ++ int MAX_APK_SIGNERS = 10; + if (signerConfigs.isEmpty()) { + throw new IllegalArgumentException("At least one signer config must be provided"); + } ++ if (signerConfigs.size() > MAX_APK_SIGNERS) { ++ throw new IllegalArgumentException( ++ "APK Signature Scheme v1 only supports a maximum of " + MAX_APK_SIGNERS + ", " ++ + signerConfigs.size() + " provided"); ++ } + OutputManifestFile manifest = + generateManifestFile( + jarEntryDigestAlgorithm, jarEntryDigests, sourceManifestBytes); +diff --git a/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeVerifier.java b/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeVerifier.java +index a828bcc..8e49dd3 100644 +--- a/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeVerifier.java ++++ b/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeVerifier.java +@@ -16,6 +16,7 @@ + + package com.android.apksig.internal.apk.v1; + ++ + import com.android.apksig.ApkVerifier.Issue; + import com.android.apksig.ApkVerifier.IssueWithParams; + import com.android.apksig.apk.ApkFormatException; +@@ -249,6 +250,7 @@ public abstract class V1SchemeVerifier { + // * All JAR entries listed in JAR manifest are present in the APK. 
+ + // Identify signers ++ int MAX_APK_SIGNERS = 10; + List signers = new ArrayList<>(sigBlockEntries.size()); + for (CentralDirectoryRecord sigBlockEntry : sigBlockEntries) { + String sigBlockEntryName = sigBlockEntry.getName(); +@@ -277,6 +279,11 @@ public abstract class V1SchemeVerifier { + result.addError(Issue.JAR_SIG_NO_SIGNATURES); + return; + } ++ if (signers.size() > MAX_APK_SIGNERS) { ++ result.addError(Issue.JAR_SIG_MAX_SIGNATURES_EXCEEDED, MAX_APK_SIGNERS, ++ signers.size()); ++ return; ++ } + + // Verify each signer's signature block file .(RSA|DSA|EC) against the corresponding + // signature file .SF. Any error encountered for any signer terminates verification, to +diff --git a/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeSigner.java b/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeSigner.java +index 6d001e7..375ff91 100644 +--- a/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeSigner.java ++++ b/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeSigner.java +@@ -161,6 +161,12 @@ public abstract class V2SchemeSigner { + throws NoSuchAlgorithmException, InvalidKeyException, SignatureException { + // FORMAT: + // * length-prefixed sequence of length-prefixed signer blocks. 
++ int MAX_APK_SIGNERS = 10; ++ if (signerConfigs.size() > MAX_APK_SIGNERS) { ++ throw new IllegalArgumentException( ++ "APK Signature Scheme v2 only supports a maximum of " + MAX_APK_SIGNERS + ", " ++ + signerConfigs.size() + " provided"); ++ } + + List signerBlocks = new ArrayList<>(signerConfigs.size()); + int signerNumber = 0; +diff --git a/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeVerifier.java b/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeVerifier.java +index e1be06e..39b205b 100644 +--- a/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeVerifier.java ++++ b/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeVerifier.java +@@ -180,6 +180,7 @@ public abstract class V2SchemeVerifier { + int maxSdkVersion, + ApkSigningBlockUtils.Result result) throws NoSuchAlgorithmException { + ByteBuffer signers; ++ int MAX_APK_SIGNERS = 10; + try { + signers = ApkSigningBlockUtils.getLengthPrefixedSlice(apkSignatureSchemeV2Block); + } catch (ApkFormatException e) { +@@ -221,6 +222,9 @@ public abstract class V2SchemeVerifier { + return; + } + } ++ if (signerCount > MAX_APK_SIGNERS) { ++ result.addError(Issue.V2_SIG_MAX_SIGNATURES_EXCEEDED, MAX_APK_SIGNERS, signerCount); ++ } + } + + /** +diff --git a/src/test/java/com/android/apksig/ApkSignerTest.java b/src/test/java/com/android/apksig/ApkSignerTest.java +index 80f35ba..ccdb02a 100644 +--- a/src/test/java/com/android/apksig/ApkSignerTest.java ++++ b/src/test/java/com/android/apksig/ApkSignerTest.java +@@ -339,6 +339,106 @@ public class ApkSignerTest { + } catch (ApkFormatException expected) {} + } + ++ @Test ++ public void testV1SigningAllowedWithMaximumNumberOfSigners() throws Exception { ++ // The APK Signature Scheme v1 supports a maximum of 10 signers; this test verifies a ++ // signing config with the maximum number of signers is allowed to sign the APK. 
++ List signers = List.of( ++ getDefaultSignerConfigFromResources("dsa-1024"), ++ getDefaultSignerConfigFromResources("dsa-2048"), ++ getDefaultSignerConfigFromResources("dsa-3072"), ++ getDefaultSignerConfigFromResources("rsa-1024"), ++ getDefaultSignerConfigFromResources("rsa-2048"), ++ getDefaultSignerConfigFromResources("rsa-3072"), ++ getDefaultSignerConfigFromResources("rsa-4096"), ++ getDefaultSignerConfigFromResources("rsa-8192"), ++ getDefaultSignerConfigFromResources("ec-p256"), ++ getDefaultSignerConfigFromResources("ec-p384") ++ ); ++ sign("original.apk", ++ new ApkSigner.Builder(signers) ++ .setV1SigningEnabled(true) ++ .setV2SigningEnabled(false) ++ .setV3SigningEnabled(false) ++ .setV4SigningEnabled(false)); ++ } ++ ++ @Test ++ public void testV1SigningRejectedWithMoreThanMaximumNumberOfSigners() throws Exception { ++ // This test ensures a v1 signing config with more than the maximum supported number ++ // of signers will fail to sign. ++ List signers = List.of( ++ getDefaultSignerConfigFromResources("dsa-1024"), ++ getDefaultSignerConfigFromResources("dsa-2048"), ++ getDefaultSignerConfigFromResources("dsa-3072"), ++ getDefaultSignerConfigFromResources("rsa-1024"), ++ getDefaultSignerConfigFromResources("rsa-2048"), ++ getDefaultSignerConfigFromResources("rsa-3072"), ++ getDefaultSignerConfigFromResources("rsa-4096"), ++ getDefaultSignerConfigFromResources("rsa-8192"), ++ getDefaultSignerConfigFromResources("ec-p256"), ++ getDefaultSignerConfigFromResources("ec-p384"), ++ getDefaultSignerConfigFromResources("ec-p521") ++ ); ++ assertThrows(IllegalArgumentException.class, () -> ++ sign("original.apk", ++ new ApkSigner.Builder(signers) ++ .setV1SigningEnabled(true) ++ .setV2SigningEnabled(false) ++ .setV3SigningEnabled(false) ++ .setV4SigningEnabled(false))); ++ } ++ ++ @Test ++ public void testV2SigningAllowedWithMaximumNumberOfSigners() throws Exception { ++ // The APK Signature Scheme v2 supports a maximum of 10 signers; this test verifies a ++ // 
signing config with the maximum number of signers is allowed to sign the APK. ++ List signers = List.of( ++ getDefaultSignerConfigFromResources("dsa-1024"), ++ getDefaultSignerConfigFromResources("dsa-2048"), ++ getDefaultSignerConfigFromResources("dsa-3072"), ++ getDefaultSignerConfigFromResources("rsa-1024"), ++ getDefaultSignerConfigFromResources("rsa-2048"), ++ getDefaultSignerConfigFromResources("rsa-3072"), ++ getDefaultSignerConfigFromResources("rsa-4096"), ++ getDefaultSignerConfigFromResources("rsa-8192"), ++ getDefaultSignerConfigFromResources("ec-p256"), ++ getDefaultSignerConfigFromResources("ec-p384") ++ ); ++ sign("original.apk", ++ new ApkSigner.Builder(signers) ++ .setV1SigningEnabled(false) ++ .setV2SigningEnabled(true) ++ .setV3SigningEnabled(false) ++ .setV4SigningEnabled(false)); ++ } ++ ++ @Test ++ public void testV2SigningRejectedWithMoreThanMaximumNumberOfSigners() throws Exception { ++ // This test ensures a v2 signing config with more than the maximum supported number ++ // of signers will fail to sign. 
++ List signers = List.of(
++ getDefaultSignerConfigFromResources("dsa-1024"),
++ getDefaultSignerConfigFromResources("dsa-2048"),
++ getDefaultSignerConfigFromResources("dsa-3072"),
++ getDefaultSignerConfigFromResources("rsa-1024"),
++ getDefaultSignerConfigFromResources("rsa-2048"),
++ getDefaultSignerConfigFromResources("rsa-3072"),
++ getDefaultSignerConfigFromResources("rsa-4096"),
++ getDefaultSignerConfigFromResources("rsa-8192"),
++ getDefaultSignerConfigFromResources("ec-p256"),
++ getDefaultSignerConfigFromResources("ec-p384"),
++ getDefaultSignerConfigFromResources("ec-p521")
++ );
++ assertThrows(IllegalArgumentException.class, () ->
++ sign("original.apk",
++ new ApkSigner.Builder(signers)
++ .setV1SigningEnabled(false)
++ .setV2SigningEnabled(true)
++ .setV3SigningEnabled(false)
++ .setV4SigningEnabled(false)));
++ }
++
+ @Test
+ public void testWeirdZipCompressionMethod() throws Exception {
+ // Any ZIP compression method other than STORED is treated as DEFLATED by Android.
+diff --git a/src/test/java/com/android/apksig/ApkVerifierTest.java b/src/test/java/com/android/apksig/ApkVerifierTest.java
+index 6f6c04d..0546f0f 100644
+--- a/src/test/java/com/android/apksig/ApkVerifierTest.java
++++ b/src/test/java/com/android/apksig/ApkVerifierTest.java
+@@ -239,6 +239,20 @@ public class ApkVerifierTest {
+ "v1-only-with-dsa-sha256-2.16.840.1.101.3.4.3.2-%s.apk", DSA_KEY_NAMES);
+ }
+
++ @Test
++ public void testV1MaxSupportedSignersAccepted() throws Exception {
++ // The APK Signature Scheme V1 supports a maximum of 10 signers; this test ensures an
++ // APK signed with that many signers successfully verifies.
++ assertVerified(verify("v1-only-10-signers.apk"));
++ }
++
++ @Test
++ public void testV1MoreThanMaxSupportedSignersRejected() throws Exception {
++ // This test ensure an APK signed with more than the supported number of signers fails
++ // to verify.
++ assertVerificationFailure("v1-only-11-signers.apk", Issue.JAR_SIG_MAX_SIGNATURES_EXCEEDED);
++ }
++
+ @Test
+ public void testV2StrippedRejected() throws Exception {
+ // APK signed with v1 and v2 schemes, but v2 signature was stripped from the file (by using
+@@ -471,6 +485,23 @@ public class ApkVerifierTest {
+ Issue.V2_SIG_NO_SUPPORTED_SIGNATURES);
+ }
+
++ @Test
++ public void testV2MaxSupportedSignersAccepted() throws Exception {
++ // The APK Signature Scheme v2 supports a maximum of 10 signers; this test ensures an
++ // APK signed with that many signers successfully verifies.
++ assertVerified(verifyForMinSdkVersion("v2-only-10-signers.apk", AndroidSdkVersion.N));
++ }
++
++ @Test
++ public void testV2MoreThanMaxSupportedSignersRejected() throws Exception {
++ // This test ensure an APK signed with more than the supported number of signers fails
++ // to verify.
++ assertVerificationFailure(
++ verifyForMinSdkVersion("v2-only-11-signers.apk", AndroidSdkVersion.N),
++ Issue.V2_SIG_MAX_SIGNATURES_EXCEEDED);
++ }
++
++
+ @Test
+ public void testCorrectCertUsedFromPkcs7SignedDataCertsSet() throws Exception {
+ // Obtained by prepending the rsa-1024 certificate to the PKCS#7 SignedData certificates set
+diff --git a/src/test/resources/com/android/apksig/v1-only-10-signers.apk b/src/test/resources/com/android/apksig/v1-only-10-signers.apk
+new file mode 100644
+index 0000000000000000000000000000000000000000..198beeb651079d24338984de7f32e8e0c7b4ff78
+GIT binary patch +literal 18389 +zcmeHvWl&w&67I$c77|>7O9<}n76Jr$+nJIs>}1x-$qY%=HLt +z9V`fJ4XyR`)Bpm$HP47O&$4eoYn~-*o)HAUy}@s3`KN1r3+q2!3(Cp3=1-IUDcPtwEZt<%dDj0#I( +z0{)Uf2nGE4YcFsiI1Zf@O|6vJmhca7aBvu?t^k@w2Zr=J>5~@}o;F9IuINf?%st26 +zt!0-(9sL)C5&TH7(%tc}1)3juI9ygOo{a>$>D)@Vl7)x8f +zF$LmuI-9UKvU_9V#!=HJ*UWCeZCE7t*pla>J1-M!Lx)>Y%FE5GbG&s(~xy&FwKMhm@< +zdCRcAiAernz)+^duvpSh;VvxO8y77)tt>0LJ^75oE(QU^>AkM=c`Zrriz(cbEs5|?
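Review bot: testV1MaxSupportedSignersAccepted only asserts that verification succeeds, so it would still pass if the verifier accepted the APK without actually checking all ten signers; the same applies to testV2MaxSupportedSignersAccepted in the `@@ -471,6 +485,23 @@` hunk. If the verification result exposes the signer list, keep the result in a local and add a count check such as `assertEquals(10, result.getSignerCertificates().size());` so the boundary case confirms every signer was processed. Two smaller style points: the comments in both rejection tests read `This test ensure`, which should be `This test ensures`, and the second hunk adds two blank lines after testV2MoreThanMaxSupportedSignersRejected where one is enough.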
+z{q)R}#4lRwYpFS`wt6Qwdxy7qMdPGy-qSIcY;&?rsxYb8&v6WfkNDBs1>5%?}dsoc$S&fowqt)cdp8*DS|(Uq1_f%?i|%Ka=kAA%OLMBemAf${9_D +z7@M?FZ*kG`*qrK?=)`WoGtX;@px}YVW6(nG6XIY_>*naNzVJrds)R|7{RtT#7O= +zRMuUmIeg5q6((SN; +zD%}f0)r7IaO-=5kbOJ4ok^^g&H!Zunh|}a<&zltM`mPejA(}W>2`-tO)^x9yWW%aZ +z_O#%m1rnasAxTOvpAQ?3UJ8ZsIaC&@$uw*%BYZA8dN)G2Lt;j?6r=e)nX&VA>$lm$ +zNtcA)@a~Zkx5e7<869z-e44PyEtYX^;yx;uHtWw08ebAp5q+j4!n4MQ?t8K +zHMA8o2Xdlu&7;CY=2^edlrySa`>YJ#n<*~tx8CXFsC1ks`95ncE1>o;CR6kba%aAh +zQ5h%a487E)J`FB6Fs?Jq4$2`SPowEg+>^0G7?+h#O^PJ5iE3owZIH`!;Sb18WtxJt +z1(yOXnfU(L&O~0$8cZ3>IFbdIz0v}pXD%Az;%YEtbQ9yWptiV3Cn2fviIaw`bpIG0 +zwsNCH*%TvU>hmme&l4DdSkbfNwr?DooeD^V{}#CZ%^~1-*KfhTK#B$i0G?pL_aG`M +zEXPkR_Ev;eNS2?Po{oWuMpncOByQo&2S9%2eDdg}gX2Ral0(A%Rk{X>5)L&Yc}d=3 +zP|!Xe_RcxX2xa1eC9#vWnz;9QpuZM#cW87`P0X=$G-^RVPz9Tjtuoh#Q)tWMt;?oe)(_D(nYq$5YJlm;h;A;Ag?&2v)XR|S8bEc=& +z)ySBGn@Ig=GAsPOwDf9k3>)^GLss6_ZWfvyohS2fq}K8j +z06+tPUzkxymY>m3`>odcr17cYEoiV0RFe_JKA9239vKuh7P;aXAI6wD>_Z=$=ob_f +z+wO^z8EM6jGNIr@mKVnN{-bANP*hM*^s2@n6|Kl|Ha2vM={}#|7L`&0qAwy8;?-P& +zpmKr}n@li@9U@|=1j0s_6XGyJXc!`*WY`cQVpf-vWGEsP!f@vM{iGz!daz2CAwv-Y +z(eT2`C@qGSecmwVXS`f87{U+1HN4RT*E^&3r=?FWxBTYZ*wF@DGWX*-*B43x;Oot& +zJXrU-26Ch87PSK%b-%8%GAx*s)SJ86zI=53oU2$>J5h&|pq?IAn>HL#o1(!Z +zww`oSUV4;&^g3-g`D-i4%3m@(a>ErXe_Rp~@6;J@8%KmICv8&FWQ?7n3R`*A9Ja7iJ#qpR3>Krgvr)G>0tMG==4{bGf?m<%cv>`hjhS +zt`UpJNnY*mxGtKE@7ASO9%9E&^{ +zxWAH3o2%PcTo%)cc1TaBJ05*hrGy+WtGXCDY0yVz$PY0nJ70cM%kIM9vd^2kF_hT$ +z=vH)`Gjn<I!T+MurE`H=08?2+$l7L?>P- +z!TM%*cf6;Rw}NlA?zIbvakmnLc1a;v4qAw)NN4a4tmW$8XV?oY7BI^&y$X6|ihGeG5LYjEA|G7&GY#O^ge)O#LO@pb~X^^U%bCXbGU +zxLwuXB03K8_r>SGsPmT|h=GoY?H>>HcRY}hP_W1bBmhuD{lWu%H{)*}XiE1_9!P#5 +zBS=2?WWhbM +zaBVMj7tf-53>vO(AdnLGG(MGTtzlD-q*8vT$ZVyhYhCL(hr3j7pC!!gKpA(kBv)Fb +z(e!n-7A88qgj22Q4rIWcKYUDx*4Pb`wNvE!AP!I(hWsXrYSukIVvN0`iyT%j4N5!(mI8&#Jb3_@JQ)8bF6+rJhx5AskLr=Odt +z*57E3n7iU}9+*Q$BW+Wouw)MK&=?udKw_@K`X +zR7PJ1bt&REHQ!4Uve3%BFHaUAlM*?$Vrm_0VrlD-c +zkQ?Qt$u}O{)3+y#Bvr-v@)WBxAhXaR3tHN%d}GqXwQ0`E^?kqdsfYd!KTuE{mN@4w 
+zZwPk@{Yae*T=?1z&b!5gsLv!HrDqx^$@45sO7k3p+KT#jFN@XOH&YuoJiG_{^7kIv +zYokNSq1&_VFDft(6&a~+PVmy>Q&pz53)ve|UMk7KdqFT@7r9QGb6m?DqqrEuT +zSCpgOTeQ(+DP~8-%_?+jV6(5((rM$@d0IijApJ>&h#;QLkQB{(aHwnG(;AX(ly~dN +z^RhIf@aXuU#rdQAC_j+nZR}i3{)LZlBgdm)=?LwJ+{5 +zPL=oWQN%AVF~qL-hQ(*m|1Z&nk&cz&pXl;;qRSCvnVdB=0F*-iBD#DxqmV4WS*(#< +zGz_}`sUGvQ3N3OHWGEt&D*=KGPv2ngQ32ptWpFnU1S%1#a&Q(hxHl@Ca1o-R;CLWm +z37ia?zp!N16dy{YymAf!LO2x|NgxF%k^LZXJ>qtq`?BG3g!{;aA6+I;NOkLGqs$om +z<;!@#4Nt0#2x%b06oNTwo7Tq7Gn$SKm5=XJsfQO3?}rJY92hmMZKWj*zzGZb3QWL3 +zuqI&&5x+~$7=l8AuzRUwiSryCJiy2_NFul*+Z%+G5#&YY2Q5>G8VoLgU%~+ifFJ#l~4O +zIFX10XK)odFb3^9?2a_1CA*@M!`eoe;cie;bY9GCq~@58Ez)zjSl~=fflC{hvwlk! +z-jHEQY%uxsd8}NItEk&*YuQXKU1R;*r9Ee=l_08kJwK>t8o6bt!YU~rQGIX2d@#9= +zBBw3TG?_0W$5f|#pu)eU8FC2mKdq4U>b|!GQy~5xFH4gU0mYc)3Rge)J-;Ny^>mVX>UpJ +z(5F?qm2^mp-47{VxYW&0NhN=Z%IokFEaVe#UPRdOsS$*6sxz?St=NpL##$OK*=p6;UoD~Z|dbT)4P +zg1nTXf$OM=mE*G(i6%+5zWm;4d^IyrU`0x<)B^3BndcN=T +zK(M)<3vJ53Qf8_fnCG-!URk!;klYn397l_}U(A1ILLl+Je}{A^wlQ5m9CL&VDwbcw +zLP3H)c{VdoFdUZcjW7kN1L+iKCp&vSjQ4-C;=dtJ(%+)&Z7@}-9j89xG>LjQpuPcq +zy>Di^*_H>jntNipc(TQdbf}Ik<~4kmDF>~%_Th~7awgUA)q;gsJ(GkxilU8+k<}<9 +z7vh|saH)v{mqFOY$Jdji%qe=~b?ik)Iqup4<73cxMke!c?^ma)lCRz +zw>wU#H(=M6p`UxH#m#}Kq?~N$ +zcsHdYzd{x>>~Ap36380GwZ_LA_hPB;E>^+I;-;N8pQrw1{s$88vBS68Ii1D!Zxo&- +z$X8s$@vVsxUmrz1dX%rxKJg(U_$mVZM1-wE~L!MHrbU;w}g{@c;(e^^mikkL?^!QfBZNU_e0AThtc*hcDj +z@uTP{cRt)U)bLWC6cHA!#0vE +z4;@At3HB4%a}BV!dKCw&D~2u6)O#{mUbW};izD(3+dtzQ%6+DuN8 +z+L@}Yc}FhwE&kiN0h@d&Q};gW;zVnF_gJi9>80Lfo905_)a$sxxV>@=7|biIKJe1$ +z?+fMzBGaTw#(BP)h1Z#1%`NlId|R=EYfc@+)_R)a4Ol> +z`IR-A%+BhJ&OQmnhHx_F_r-<4q=$j$P=H2vfKbfPlVULh6{l5vZLXR-IWo3(FQHW_ +zd$AJzLOJn+rS@`CVdYUGs?bOIO?Qi7i`0etH@t4vBzxmLlIA@}UJ}XWbxyQSSLM)u +zcfI^Ohcx~n(cdA_uye8eE*JoCf&Y|N|F;>xv#3h*&n%kA2oj6^D;8z)qv+5e!_)rG +zqHWkEN*ALEGWoy5B6R3Y{~rHMGXK19$rurWGO!pE0_~T&1i)D5lPMGnU1TGIp&lfb +z_@HOTV2s3^)hG}lB_kAZS+x@@bInd8P2(&^;-4ym_1A};a@!3w+%M;y)3q+k_G7_D +zRGydH9KDNw`#e^y_}0+l`KhvB6?9@z1I?SKztf32<~yAVQygWJgVrO&FBR)3kE9+R 
+zv#dC1mih2VN{5KF2&M_Fg=d*`3~Ia#>!So#i}AJ|$4U&|V*Z%9L;}};3Jsx126a9( +zg;PJodp4DG($^?9_(4zc5pg`xF3Ban?sRX4F#-#gfr8=vn=5Kc+O$)f+j2cirkURA(n85)c{#Rk@n-#wkENQ5xaB6exA~ilL +z)rcQOHiREV76OGho3IUx7RNv!8Aj(7BRmQ*r4JaZ0O7hfSx+srWGJPVk_8we3NZ=_ +zd1n;e5zNvXgDQlNvuvJlBXd=Bj5x4ZaF|~!=>w|hPAl@s_Ruj^6EORNPO+1)FmZ6O +zldy3Tl0<_}lQ40VFp~rul+I(YU@IzpB=xj)b*9X9wWPJ*YHK#Q6E)c8x0tR%MjuWS +zhm6p@T{a(d8e3b+Vmukq1#uYPy)hnnbdpq7()~hUAciDcM2z^3eq=)_lq7r%^&XEt!S6K-$0SoJqH~`6p%!eO4 +zny~ZndcJZ`)u7J~FS7oAB14gh-EKTg+#aXRta1TVv{r9Xq(7AEHi%Cv?~>nnKCDva +z4^{9*dmB1GHkv>LOh8dE}B2~YbBNjB$;n&Q!Lu)ZV=Yv2t_^F +zhGoA0RXS(BZp&xwo5lbGJk=wQO7jm7-bXg~`4V~z1ug7ts{>?vA`|TNv5Yn^NV6S6 +znlQd_J+q$Vw4x_J4sCqg4-#$V#KKcIJLg!RDs1Zbi*WcKOG;)2`hTL~--(8J5+D8Y +zzySaT;ulNGZ&v)yRek+G1;d>Xev}CqG7%9$cL;SBkT1*A9yxtqvD=u3d+I={yST^jO=rWg@QdW_ +z(%uib8qbHzO%5DPR(II?s}@b8JM?_=qe{l9G&=AK=yxG$KeEW*5BLd%dE)EG*Bk4v +z%vw7^AHh$nd%4?}H)79pI_*IT4V~rpU*>Vdwz^k-)u|M9`&4%{z9bM*j83HvIy3w2 +z&~LQ6%9To+is(^ohKIdPq20-$Yoki4kX+9;zUAJK;OPei{U|zQlTT%yFgbh)ep8-_ +zQOCU2m<+5JbeK%`bnNtZ_Y3o9WCQj0HW-7e0pyA#G-YvpMHOyG$1K!u-q@tZ4L(+5 +z<(uTGUk->H2RGrZ?_Z}j@G>t89ZxspZyh$6#(aJp*yt+QllyqL7rK}hKqXeJ;fI5c +zV|TZ8SZGr`U+od{DN}m0ZO?aJ@u0XwpEGUTNk7i70^X;4Ep_!BOL`ZGN~!Vwq{NcH +zvnK>PY|E3Piw{p#f{+|C6cRFoPXRiv$2>4S{N)q#Gu1}gMa#-Nt$X?B;V_&Z9STVf +z=hy^$UCRecM@Bx%3hic}PmMgDQXHt?((jtr56HXJaSoiuX)vm@bZg#VD`uoqsg)gB +z@T%uKo~&K$_a^S=*2zk_s0e*cPD{Hbpn3hO%&oWeDwYg-1}-J%b`u02QX*sfz!JMu +zH`MibUK`tX@ZP-v{4botw*tg}@04U@`Tse&{M)q?Tu&PANgx3r5b~$o^1sa}^SyS$ +z=+Ctixsw?|xqn$Zq2WW8mkuo%`V@nXk)DCxis38~dt*@#^&V*)M!v5PagyBhrQxTM +z9^8SBq0V=5DFr6Fn%Y_fRP@FQzOV+A82W1>vjMw9CUCD +z<}W>^_pt1ho-F#} +z*n6hh4$W>wF{Chrt+`iDeke$e%H{5s9!Aa1wN8#x5mFIwC=Ab)$r;qY4g}7rj~&Ez +z5zy*Z9E3!!KyOB{@_sF&p;YE%7dd~Nv*~%ZMZ^8lLXo$@G)hL}Ou4WqAKryU*;cZ# +zqSCGPHTfeFqDZ%ew+9;jo{)v3TS`!3l$X`-g$dib-wPAE5^Y1EcB%DM;aWg4i$k;M +zg~Z7g|HVbA_%ir-Cmp*CjF?GEb;Y|#X(*=8Tutm;?r-grlX22%NL{zK$Pj%PlUfc- +z%$~h1yQ#L*=kl<1l%Ex^#k1wr3Q0UFyeLy+eu_l^fs +zHsd{4(LUKECOmpo1f4hvvCkI^ 
+z=*x$~2mY-QE7NqVRV|(S?oT_p=tgAuZEP*J=~zWyxF+5%@NR5^N3AuW4?Hu1_l;Ix +zkkE4J*-XGV&fIMm?evi_L2})Um}0HHFFaQ)b&>q3sRJsij +z_Q`*|eM(MqW-^yA$~`$ZZEwDITeb(ag}-BH9eAX~#wxlS+v*~)cu})P^za6+e|Cur +z7X|6nE6gpj`O1+RF>zA~l;zFg1S{d0qkxN(Wr}iEwX&f*#{u)Do;);T(ibD{X+MIEH}7bsqw`EmWiPmi9<9dIxG!^4;Yo4ycOfl4-Y^|^c1!2=%L|1mX19xW2Q? +zd1kO@SZL$oN^CV@Xk>z8cacF_kSz>rtXLfW8g>f3aMZ4sW4Gv4mSIVaKeMS^OcrQ* +zcs@gZ?QUlXwEtj#vvu1#ath)+;yMMRAgb)h;$WhjPlA+#?8yndgOm~S){=gS4fX~$ +zq;aAoW7!gbM)UU6euT}GfU7{10l;2+x#@OjNn=W&en7sHh#}inyxP1~g+*I9%^ZD= +zOo-5i@TvRKZ}EaH94hRLUyuDs4NqWu#+Y-XztX*l^>ZZz!$6j+rn}Z4aM}CIla}ny +zsF>hYGb>NCKV?KZC8Dp*Xv$svrrM0SHcU=jEsT*&BQlpm64VHTHT2Md!lA}cp+f6mk^v`n +z_(eG0Y?)w-CkkVm^v0)Q_-}Xemo#m^b?}`HGPu +zXf9NL8A(WmC6B~PwzOMDoxuH(5oP50J#)|FYoo9ZD+dhi!QATjb8b=m#}C7HoWUux +zQS9BUX8Yz%N|Oe6p37U0^DJhV<8{$oYng!c7M`LqH&C{%X +zqNT=>j~BOKAI2!j|k;mRk^HB2qKeWlWi~AK!|F>X1o~lVy{kB>t7q +zbJaE#-bavd6r6JuT5dih`~wLA{A>6+4EK5I;%oj!U)K9k5v$YC!Y0;&6SETNKA)WkQLl83oBcHVY3Wl6*?$=$`P_ +zd;wnk>e?3nt`1IImgsHf_*ON(OUJozYY6@sn!d?{oy?+z>^OF#-|C>?FAei3$L0_7O%UkDcrlsjpvErcHFmhZ0&mU(^4pO +zTzZDWb=^(Dlt>&*+n5XPOUyGrR=N7ZN5l}Tp^NHm_#b=(Lqj1qxwZ_~(PTu%UKK;- +zGV`!KeIOls&&69?^2OAo>{#iUd1ro5qT7y24wKt1_E=k`NrMZcd*W+YdnDFmIEXph +zT-eoU5%*m@p1Txr)U(v~M+p`#Tfgt8;Xw%1`nIb}F%j2sDm98*GzCKsr~ +zp7C~({%|cPs(LCmZsa=UavsVCckSk1kUFHFrdKU0q3PX(%q2m_XIm*E*Rk9L-@T{H(sE9< +zv`DH!OV^T%lPBik*^2d|K97`D<9Hxe7_24nGWpU-xW`3pp6NqLT!D@1O-7A=d?j#|JjKcO?A0^l!-ZLy1KQ>eD5)j6Vt +zw&G9{bEZlH?>w^Fy2GPr?_9~9@(8@L`0&8n3BVy(^KOpsw-`uRoUcZXp;S6liVV^CGAO0ieUg(tAF-c4S?23Y=h3}_Y{n^{)LkQuC9mi(891O(0>rI-=Fm1e +zxSiz4?&KY%KDr(P&mvi&n09t8E}dB=TaBvt&>8CA-4XL8v(c~S6Kz$3Zfj3D840VY +z?wcE{`~rg7Zt^%7QG>hQ`h1O7NOJyVU-qh_CQ!0wqQ=NJ2~GDbyFW+qG$<2{IDBRj +z!fV;VFUXM{^WHy+CsEtp4AXhe7!WsRdoC +zFF2fo3LdP7Je1ATmz6Yu<}|iF$|7QZi-W;Lfe@dv#ud+dEI$kx>MM(&JtT^F +zwFZMs4!6*ZZy$(G_7Qz1&T_4JA6q33u9(YOnd%*PN6LCHT$8T93sX@t?i{b2S`K$6 +z&tmAjtM4jkb+gfuhVJ=S3Ysq+D)bQ0yNm@i@cbp`RHej*4y +zjvvy{O?p3&iX>Gc^spe1It%I*#spO{1!Iw?<=b#)NNwGNT0Lga&fX32*DEp`V32}kjnLkLWf5N@#^*%!j{ 
+z3Vjwn7kCJFk2%6vRwN*(?2m3Y^BH|T3I+BiIGugZ#4|wRg74Ld44V#YMDMDE6=Ze` +z-iZt(R}F^23G*F&5ICyGf~(ETNO0W_mQyA+sE?3M!igS?86cbVo_gApykOEyqZcY= +zm*)7yUK9r8LbsgGw6?k{qP;FuI}`g#V-w(m%$&9qxvq7Rdnj`phwd$L7x%Bi&(yu8BHx)pl{Ruj(28HfTMzkxb~v}snYQ9!NsLDpAoRK#=n|0a +z=%wxR`b5A_E^?TW&^YTK>D~&#@Re$rgfvB6{GKO~bmK&FmyOj0uId+9lsVr2bO+k|vvYuLHQqPj#H7>{>CuY=#AxmB5V1}Q%+bf+*OKqYAK#fKni19XwK +zkzoOx6>ik4FO$3CG-d5i5bq=6wd^-k9yb?MOdX6TmnP)#!FY)fzlmP&HBKB6l+g56L#k*R8{bG-{oJ!n%WEkOeXsOKEhee%%#!&Vp* +z9B5Y3qKxrDh+KD{Uv*6ki|W5VEZ8xE#WBAxHS%UC30a%50lDQ!N`|E&jU)7B%g%g! +zOHW@|+gV!qjx@1=d0ZDoy7(lKKTNEiFdC^5UWb^zJ$t_W%gnSH@hcR`IbmEV3FA*s +zCOl1NS+v-sQaAV2M)0)vcuf>5E2fnvqw2GmKM5o_8-+j%l=q0s3)Cfdnh5JL)%Mes +zc2HM6pMGakyfBb^@kU?g3Eze$@w%M7sbs%vy>~WnpWL`^$^n&gAz16a1-ru0|HvGg +z0X$JntRLA!43}3Q0RvU6<#RtK@e_dg9Ir?oT_A=Ei94*`RjA7!<anL$jMc$G_QM$Kv{$?yE`M +z-SO%(xTP-mxr +z`ySU3sZ(f3HbOGWCf&EqSj*LW7)e64F%*J)i}%!xKk%I^D;;?=QF6GAl+3+I^(v|K8#~W1(*s{& +zU}%47O`9}&|5|8!!|J>zc!+_D=mF}_Aya6~Z1f%gfOkJPuu1a26%!Gbm7|dq(HoK! +z_vHgTSDQY2d{v@yFKuiTfZ=5^R%S+|ZtD6h!BW7;z?ipCK0@?zb`Sn28t`60#xVB7 +z?2Wk!F2t%rrH6#{Hg2pQ$1dr@)LXhlFGZ +z);ggy85|uPUsua8Pff*Mw>N9`<}D@cJdj?y&DvCOojfhuQ)+hX-6w?`TF&X4)0_GL +zV)d|{fB-$4AyA>|pFo|t1%a{ij;K>3k<^uH>-ajgaLGA;_~aUbl%^^f`ACelW~)6M +z4BnG0ZpZuV@_OBkBrm~xXg?U8-0RT%?as@A>=$Ft7e$s+{H2y6ZlI*a!NB2w|Nd}> +zKg)kUs^Q!HsK5`+;y?7`emfHTLnm#{-`aNn5CiBxHSzxI#{bqS^oJBb +z`62uML+9ep2tT*!{UIlCzd{g_<^LJt$0DC(>#KiBE}A>f3+LilSP{%i$2;-3(HtL^w%g`W!<{t#V~UjY0s8Vr#A +z1n}F5_0Jmod_4PyAiw+tz+Y?dXHIOr`T^kI=Q;m54nLm({UJ0|ze14tUx?{P_Y=hL +z+25b-@N=s34;iBW6~h0d1Uvgr5dVdkKkr@s5KoR@A^bv#pF`pwV#@ae#18>dS{w@c +T+qWrmRsh#uzxV&Y;DP)YO8`I-% +zF)p$aVBjbKXy_lm3!nY>Xg}D-XJue#ZE7H;Yh`L=XzxJnVrdbs*ldN&hr-pI${I-2 +z$Lp)#&l!RO{m~qh3{Mal6iL(vR1k(;KTStBExt7(1_lNO9mO4hs@;VyD<^yL{-d}3 +z8L%g|k_zL&zB6Oin12?;TaVz3!-z?R0JU~-#@2}6z+UHbSX%1<<>CB +zn7X8@lX0me$h|t&OLS-NG{&-gXdzhIE&phz>=xLJpx<<5asK90H}+w!s0})k=Vy~B +z)5&(A$MJoC&FO?PVJ5A8cmm0@8DZ17#hZJ`=RiE-~u`kT}b)=Gq +zulj)uBj(TVFF4e-#ZNCpX(k2u&10Ev2J82o3%T+a-HP{YOrE@<%?--!(KjKj4nLMr 
+zR1dA0FPCrC@ssbD*hSW5WW=}_i(4Kt*ATktxu(ZHt+FT$aD6%VZ<(&3>mzp`g1cxP +z;x;5G0)h>^KQerXk6vBbzw@s*Sn1H0RyZ6ww77UOxQV$R;;DK1f}t_(#@8yv*(Kny +z#trUz2pHByR19V#zy}5A19wGnJ+)i%;rYbYDwW1@@6$b;vgPTMd9bCCNL9IW@Ojb3 +zT~ls60}(asIZm2>YZspM#hAWKm43N&@S~@YLVrT6$gG-z$o}*@cE>n4bk|P?pRa3) +z`rpssTI<3yA?zF%@95EI^ +z=NRHNXwvNQXscYl`CS6}YDl>Jc>mruLHp)&h5Jlu><-Om`}!y1vr~u<)@O&>vJz0x +zfD0{MCr|+33*=utwy*#IK;J^w-rmrj+Q85yJWk34nGdCZ&B}tf%tUF5#63w_W2qN8*r+vA4^ +z?JF*`*~!8YO9CICvR!X|)B4(y?vd=uX3V|FV*{t`h01N*O6nKtY(?YY;=Hvau4h}y +zsL1w)gclRATM$9Q=kWmVt%>(cXMj4D2R!SjOi?J{fe`%wG<`@IK00E^cJ%OoqrscT;AMdi1d+j?LRHc8VP<`X +z(aOPei9qeb<#JJjDb!~;tQ5BPn$ngK=yAc7{iNfu<4&MUuY%$-$;`>HEyvB_@AWF= +zFyzNd4wj+}(@l072tM4gg7@H+&Gp84)wB{WxCG +zmleNQxAmAKlyZyjTW%XY!3On(43Q|EEz!OoTO7TR%gyEM*?=uA%?9r77~qXVG!phX +z&d__&hnmCfs*%081)wXndp_j{MDDEz9Yxd1&2=@{{wxWJfURyn7uEB8sZZIP*+I3Z +zaakf);0KG93~Jc9S7_hd>N8;Sz9e*qJ3=@|=4&^LC%lqZ#XjUPbPu3)fXa`@V +zjd($HEz=R8DZJ%x&B6`D`b^;SS)1|eDz;SNZNDr(@SU5sgoGv(3GLJ*4X`~S%2iNi +za_XWnJ2Nnjo3-3DSs~4okm@>{)cXR8KVIbOy!{7<=4XPEVShNTe{l%#>(p<}wnU5y +z0swe}0Df_zQbLM+RASP?G=d6zRCKiTjMNIkmOu$>UtR$CI>(z=AAM{;0^wXDuJ5un +z5EL*dk*O<6&cgyuiO^4f+JLr=Mz( +z$v6e83XNA&o+Q*2%fQbNii`wc`NrT_b;?I=AlH*Ojk;?``cLJ~uO*=qPLb??*);hU +zE_7Gtcur8SZ77y7`?VwC0{)e@yKcbCS~X;1!o}f68b8JJkiZ9If}r98^t{Re=+I#U +z`&dp3Tse*oWLw9%#P2%MMmi8%4BCvd$Zks;N%LzA?Q8jl!{d0=P@d!3JajkvM0@j= +zsJq1sqb1AR_HJy#*+aN~Je39ZSypzVKaLe^!8tpB?=TzHk=C1OG)i}MhT_?Ix&ikpsJ2^NyI5>7gdzg|&_&f&-GR@+cH(-xa +zH3{Ay9s>SuAxS_j$(2<;1lbWDK1>pByT=uN6fP_r9$qSZ1Rg%S$5ko}o)T^}>(g;c +z3PwFhCG&`hFrG+6QDw9){n{~4_~&;#obu>GFCjHNv3U0f<4%{~-rVj5EO@Y?4!LC= +zCvt2pl?K7qTg`Z}9Q6$4#nvtBeQ`1PzTtVA9;iaUWL{ct<>5f~>b{<*QdK)uhn=LA +znNXWC8d;mB%`LW-a#8;6tl&&EV>I=98_+gTDk5sz9kXCk3jV|8XUrignib}?F`}Vy +z?xpnGyXDQ^@TH)Z4?4f+L!jGg7zi +z=@EIN6YeuxBCw5&s2|cf?^bM$GHV9R-Dw_v(bC^C5BHWLwGOQA +zmD`DhNhP%1BdzfHP9bBVZhLuEOgGj!Gn4jw{8fVje6pp74HE5FN_PueZ=XybN?LZq +zd(|FQ!H2gRwpT9*@ndnwNe{}_&lWe0#l~>ke3L_zNRWE)^QhmwQJ||UuxJ_RUqr-p +zMjqfG*(C`se2_zoET5iuE-4-bq;;S5iU@J`k^~Ql!I)242`Gu@KAhMo)_?ly#J^

usBO(Kpj**^$-lla~_RW=?_EcIk(+d +z%<^H^)v#(sQL4$QFxl!F*wuP3;H=a; +zWeagRQzTrhD1Ix}ZvMVe3l*DL%Awi(1T^L<7(FLRo5Qta-_d!{-EoY}X$EVnr93U$ +zLey>JUR$Qw-CUEJz1TBevpT3tZ8xMa)(H$d9F9~`Q2Oxcv1#*r4atjxRK_ksvgkKu +z();^4rB%BXAcf1j0)=U{Sv$^os*cl=jbr2bNb|+9J5&=*LZ=`l)9SL5VX&J-8r*3u +zCs6^bU@zrKx`nxFqwSW+g*!gBxO$x`4f|btD-xkVHm}-D6Xx^QL5)p?j~?0Fnl$nb +zPR>V{g7*l4r4Y5>VmfT}DyHemBVw*OE5}yG&$2{=hK@6xTf?%g3qHPZR?lqJ^a6up +z!Lr{zTgR<Em+KxjmMqFkmJsn2byzTfIweC^l9IaU}~)XQu&+r6*CqzXIT +z`&974-J(O>Z#ha+!o0i2;`x0^;tu$_M7?XQY#?Rqa&s`asntw4W_TQ%Kf8UtGCzpE +z=WaKc9TJ}(Uv#ZB?6PIS%)Ry+8)yOBxv@U-90%^ajR*IY8Tc4IrY>P^5c*{#$P)yV&>H+X17 +zHKCyF34fG`3tVrcH2r?jOQjv@5d=3|)9RGex!g0*2au+1?v2Y%)-Oi(Wp-WJ- +zzx=aQgi>+Pao4mLeQ8SLV1VNxXTP@qCl{`VbWquKxSg7Vy_NJOCFwOTR3mr0q7%Fe +zo)sbEMEz~^NDf2jgWAfpxEI&#;{^jzRY`%;$Bj9lW!Q){4b5GF8S&}nEJx+malrM= +z%V1XkFgO8Ig5!`Ul&h3(tWF*#V)Fr8ZaFD>ov1-}u4$Sy-`f0JzDsa>@!;WYiKgdn +zdegR-@9;pu(MxA-Y#1qoXMBWV`lvSf8KWsMB91tn!h(8_EV$*?m9W=kePa^<#sj9N +z^AfY8|4#qi!lQvtj}m5v*tLkZc6+^Pz+gEoCO(*JR1JNozmF=I69gw7L>FZ#oAwFq2Oc}c{H**RqE=u^Xb2>AflJ;P$$4kWHlj1^&KAR +z8S2HQ_O6ht=JQRKN@OKLM2j-((K}u4r{KYW9LW(t9eUar;$>Zx3=TBV4-n47N1OO26Ef-hV7i`N +z79uUUFX)?q1}wt2#o)a7Q5;{F;UOWe1~7P`K)4|N%uYkZLP_KSDx@7YD`4LIbV`1E4@RDS0Md`rd0|akg34xd=n;;41 +z=ln|+PY2#RY1sB&0b@BXjVV*dRy!M+ZbChWi;0fg!B}^PYzuc?#!bBL`aW7}5IX(V +z$fZ_O#0F0R)WcIx>)WNzei^avmJYWp$H8BOgFPMIwQj~73{Y@Ib95IUIK9kN=fV74wFKLaCa9P-$-8nhk_oN#WLV7QbB#LmuX$;(T +z?GSHE9Y>vT&5NV4xEwpw;_BhhEW4TCqi^Uv?gHig@+?7iC=`_Rb#jFEE*?jqV-`9_ +zo17R36i}y?tV56 +zyFMt%n#X1PUWrps`ff>QsW(V5xQDO_;9ija<%s#EhgIBxN~MTNmw2a$_*C#7JIaVQ +zP5q`tCtpi^qn6BoSrq+gy#sHKq?6+r@8Sh^?34MdiS-J3ZtYfJqR#T9vChnMu{q{v +zm1?M_o2%!&x7X`hHU&P4G0pu3b27^?13sL +z&q^J!&r4EV4`*vUV$?-KgMF>hrS)*s)mr;&&3@VJ@hd)WP^|h6(R<-*jBo04Tofv4 +z$TW+29F@o5N-{`SAFygQTXa2L*WTABm~K}=TRwi`(k1_v1n-JJu=>p~S>e%lIDeLc +z3#PpaIoaS2FF|bYOvld4gZN9aY(<5+NE;?c1$#0``m0b8TuE;}rWUp-`--w_5-%Y} +zLA#V$Lv<6q5l9-uNk3k_L+@CU0+^LNlL4}X=#*M6_y|^hNIdYS0t4!k2D-{_+-Q<) +zp)d3|6wSn868*sj`~a-RJQQ$QLaxC51z1RPg`OE`twKDM{fbt$&QOjl-bg}fNJu~H 
+zatxpHxg@+}Hh-TOXMwfblh5)68>t&ivchBAo`VHoeBSrcZOP`{aJmmef+6vNdoI}a +zPWPCx=vJSX9m{Y#o+s-3F~I^GaUmIB0arRU02s)U*O-R!NZyW(_Yw&MSczT;m`|T< +zvRAv%rHbW(4ti(I=RA_-8xb8lvxKVrP&P$GXpis8YTM1xp$u@JEl$5UGW80RCmo)3 +z_OrI0lI+EUy7qFE13J8DV_vcDUvJ4@;$)$5z&YUV_`gTLcq){xc(@0SMmIrazD0j} +zus^Gu2nf1ha4}DVq_h3tJ6CkgR{UOy4E=HWh=No0`aCN>@k`qL(BVCW$S0b}F_|ZX +zKc-=RA4~q&$oN+_OGto9mY#|Ef6o5zIQwd1r1}vM0Dv9zADgfLWVK2ny-`k4W;k +zXs`)FIN#`Zfh0*j8l=(h0!d}AXvi*$V;zNLjI2HehAIXQx(dor^cp4hlaHKP$sXYw +z948Po0nHSfbGa#+R~imhU3pZGxY7$l_60H)o&$Cz$#%G&@tC8sEB&kXEk*w6_X)!Z +zN9E{H7F|U^yl1 +zqTQ^=_!9wjHgdHl>-OCf4|+Kp(anq6g>A3}_K;EScu%qk3FxXoQ(c)TMJ0DuGZr@Z>V%=ixy8UK+)-Cu*n0{)6b +zS$xR))QGS&zmjMldWFKxbc#gj?~n)$ayPIqaF--7|3@}P7_ST@&KysV%m5EC(fwuy +z+1dcn6mO&tfjKewof!xNAxAYbSZL|k$As+KskMa`*RkeFW>bld$`GTiQP;dqV{Omd +z#m||#w`IriAYU|2w-P`j6;i^HoP^?1yy_mQ@t~L@a<9L* +z?6F5$Df|@D8rxTAE-tWr(slr=1@adh`!_em!1}*Em%l}^V8n(kCQtw%>CfEM4=et{ +zu#~R8qM6-^oAku!bW=WLg%Unw1wv%P9Q<|=8f;_!R49FN23TZ53O^7Qe*7(8lD=9< +zsW1v3RcjCiWI|+Q((Y*5GpH4D<0`m@c~)w_gbU{_LmlXvhM`#!t +zNf-mcmsly77}(fYDOlJ^DI&p_DHzzQ7%2jcs@HLt&=r+_Qigg4`ZHDry0UuGdOD4s +z1dR>_tri>Lv8S_yp<}ett5(CV6Pqj93>RYtKz6eyakH^kS1C1BgB==pC5@?tYoMj0 +z(-i-8h9#opOM8i`;Y~BVFViULc4Lrm=Z*u_s?{zCT3n|y8~Ud^=r#*$4kq5 +z-R^GPYen3Us9gm0NbuNm7>s4$eI-7eb>D>|xWi0>0yrqZB%1ih$1j{iZ>l8EUh%86aH0d9CDE@hRIgeUlUuiJ*XOMIz}iG`1Jhv0GW8&T+e(**Er5lZ*hTboeuz; +zV_ua+m|6Km7!A^Jw~rYTEwJZdC>(1Kq7f}^{`=0vPL#q?=*#7i;^~#fgZV5jFr4Oa +zUeKB=f$}-V#8cC}T?1C8Uo2tAC>4bon={-X-sm3bhBsV})TOhw=um~4$PE06wz)-# +z;ju4an88K6;s)lb+HGd0;R8^E22U@aN2-lwrs(QAGypf0>kzEYBk>eX{Zp;Zxm~_> +zC>Y!moPiH@!Y>Z>{;cU{@V*uX*i1;0=poMaF{kl2=&1#xNc`8+k4| +zCkd$sa&bA28Rme$s*sQhYZi3vXd7?ea2klIKa($4%olF)ILoAK%w#-kfFlIZziN_B +zx0z`hGA*6Q0U4?({WUQt(azu^tL}-Mj5;Sz5{(03v6!`JO*mmC@gXnf^&i7@aT~>%g8JXhx@BU6ZFjq*5IXMeeY$HCwJ9|Ef(l5x_RYKzgvHX7;l<;SRkc}OF+w+~0z +zwbxxI`j&R|8~EKD%e@b?pk@NRaHjHBWTu}6U9>UK&fVPXSHbe25-2!~$`{}Kg)je6 +zh4`;vNnU~Pf7_RTyMTi8P2)2WH~{bk{HFx-zsxBAO96%H9}6h*roRT~{bd1#wjW7; 
+zCZtr@Tl8P&h^u6*?PWuhXM{;8rGWwXX;KR^la8@IoT09fZaKxYLURKhJzYFfpt*^W +zj)jGZiJqC29wsr+T+c#B*92ilZ*ID$(BFb}Ty8`v>NcN#DXs8+m1qHcY{l$*i9Q`QTeXSo9(3U4YG1hkJ^s0yM^YoD*ZMy6WkGA=B)$ia#-QRPG-?fUHfiPUuN?2!%MLGSYx)1OJpw*VSZ)=q&h?$UC4NuOQ +ze=K{bb~NJja&S?am#F>Vz@r*pkh|~;(C1} +z4!MGSAo=(bie>HOLr_)_`0PXY-HrMTwyLIxOtF2wRX1J6u>$4*+o+@@;8QVLeGY){lN8`kD)NEtRZh- +zieC8k#%wJzZ8voFpL;tF^3Y643ffs)9WpVCcQ~h{mw2{!L8CVt(T3ic!urQ*ElKLS +z_3b91pJyF*igf!)nj^UHM$WL*J{Mi9d~;K{!&(I$El>4|W9C*6a~T|N7f^i+74j>1 +zeSAwwePzB-Ai_1hFzaNs`B-)Yv4?wLV)x}tm6b*0Fuu)=fBB|nli)@C!{Gc1Ck`?K +zIXT82$ztVLjhKXmB=YL+Xp*ha+*#1g#p=g$7R|DeCzm0smA-sbGvfDSo*A6`bX%Qg +zw-0jEv$6T+779091h2Lenq0Se>9EAuMu*_m4G)ax-MzB;eG5mCs_MP{W^=+t5E{cR +zE;k1*c>m4p%t*`jzl`ADTE1l)g|f0k0RUg1{$zIk#f+bM14FAx^!hRBvE1zpCsc*_Eqk7A2py+moBr$MG^7g +z+Tl8SZv&QZSR)|9ulNkv-qdh^>HIqJxhYWf+1w6E70%=f^Ih{(TQI1?^X)}z&N>PP +zXw}@>+nkQCQO*TXByR_Dbxk*JQ@oP6TuEs*M(U`zPX=omW;x+>0{JCjO^FAo`9Tak +zBibrfHZX;a^cXC-s>Q1<32Va@B{ahsNVKE!*rk9?P?#exUC8X3^cCtf&gNfX#7=jF +z5-nHp_L$%Bg7RE_avz`9Rm*EmJK*-E$=VFhy*wUC#S*YF+r-;7TiGBJdn1r+{fy}>y2vQfQL?oxg?`a;XPTVhWAH+l +z(JF$VI&(get-`lnc`ZE8R|e!Uq-UnSS5edOE?Z}Gz2Us-#A_}Q+}D^bbp`WokIw$1DcH&j`Aqcs +zV!e9u<<&3A#Oj?tg)hiUjIUW}1r%gD6v>#lTY&|K?j!tA0#WOC_ +z!g~&p0V>9+KIhfPgE@y0t*og5WqF0c=E5~IJ!TZS$BAv2D9%}Q*xB}9RVBXTdv7?T +z!} +z{N4fgsSZX$fj~NIa<3ZKt?OE-Efn_()yVwCQGVH4;Q|NhvkZf$lS_kGh?N{s-W(9h +zfSP1#GN_l8^pQrG;ce1vXCZsn5_!wT@_mopN6%hTvqb`!1J8YZ2gm+`jI@vXZha#W +z2A&omszlBf?M#KwrB+!DRqp<U{EHk5Bp +z1NRT%U90}lpGR^)-Fx|#WKQX3=`@NpmnluN1aHZ!$2dy*GH2qvCfgNa_x%0Pq#Zw>rkPD_1+w=%3L*+On&P +zeWpwS?LM>Jd;0LPvwJOX#_P+Sb<7J-Hvk6Cj%RoBxYbzF`g$X30=d$;8W*Y@t7Vxw +z`H%?yr86Y?=qt~%81{N{sc!p~TUspgOB(7#*~`!+-$+QJR;bL!M5rqh$)rK^n0)aX +zTM~G)+u*cX&uI?20{B6?RQc~@pU001a~Nj)(hp6wSA1f_*4b@@Ew5e}^j)jWk^$uoHpj5C +z7t1L(Ma%4MCG{68YKJ~GVX=Va;Sho^U>(_$D%br=Q#>CSmip^BR$Ti7f4&bQ`mwoGZUjzhP5wE9SA;!qckIhO3Omqbk=ggV{jr=cSQWsx+e1d-&MP>7^3 +zOD(ugU(iSz(B=|sHd~Id)DvJzIPKIZ<+!@iw)$b34FcU5i&JqHcoa2rxw5!#L;MHT +zW^ael=dV_c*r$y@m}q*YMu&vI;{NAN%zuk0|5vi~cT4hB-r7_&LI42JKbI{1h$w$C 
+zp(VIpyWFr1%DOa_{H +ze+;p3N+nz$GaT_}0mGuW;3~!tOwx=3d-lC+_Gj0#=Qg*~##>KZK|X>g4To6Em;iYI +zjF#v-jX*LzP*%YDcod3Vs7w_+FXTHLUN}gxCn#{3kL&D$AS(DU%k_x_L+V4G->%E#95~A)yra(t$7Fjy1mccVO*I#!*S0v%@JaQK+#UMF>gyug0y*_v?kOdfHyNpWapF}8Pl +zxX|{&DfK2yp$YgEba|&BsGoT`ERxWdZIr-wB<_B^ct*UJolqRTfT0wYdKyPW +zK>Kzi1^ewF1h7@9JB>19>iUOM5== +zizwPj0>#^=>Oyy|8%zqnFFfu>M=h%Rh8cOKN5=@Gi`bV-2Vn`#uv1MFix@3oEW@}J +z6PedXUfG@QEXWY$09ek))q&D)g@es?WVD})xSOxG1Ml%O3KE4->uf`85WPW&MY0GH +zjV>LMG7;^d7n+LelBuD*a$$F`3UtdY=j4>Jd%)_<>b`Vi(XvZo)!FbmP-aY52ZxC;f&ZubtYjPndz +zRHHYRwFk_2A*qvsdL}}wTY?SUzj*m5CcGeoCZ)>WQd$0kG3SBfF)LT}Jl>V~2Y6&6 +zqE!LP^lTed#YaDpHGP3zh}@`j&5ecrrIkL^nTyuop+b~v_Spd?$iY!t^eJ{!TUil? +z#9(;Nr*-n4sZkLl(bK{MQ)q0f=WnLI^rfMjbM`=wTq&vW41`IzfgFXo25CCFqT23n +zm2$+%g-nwM$g(9D$$a5r_4u&}O|bfebe%biojY^0mW1TUQVT*j5RzscZ>GF0=9zU_ +zWzu(#HOD^a9r2i}R94KYO-I*fGj;GMeKrk+IubXKr5+w+pybG1T{>I9out%O&kpZlU;mQ%Ma!$?aARf+eX}7^XyY{D8*HH_mb%{! +zzmN}`#DNha(DLcq)`ieou!lj7eci@*&cIbVT^*|9>^1Jg@fIfM_e_5s!rrcTPfkU? +z$rUq}G{bd?{l*;P&lBN$*-rv91D2#}2W*t9&vT7Qg@)B|?U9vfiekZ|c}dx^Lqty_T*E%Q20iz=kI7s@ +zg0te2P&6Azw_vVTAEBoR*2aAl;9bUre&w~Mk}|6b@(F)0b}D2yrrDzuXI5D&S$sb% +z-`8eKEMKFiS>Y@8B3o?dDHX$et)_bB%SgfQF;=?pKHaCZGGOBRtED068a;g{nH^2a +z__L_s{Dc~P<@>k7d{fQ3Cti2};0yepg!#Xi@rTPyaAicX +zzz!P4K&A_=A{th$?t{}iR^zWS6m!B-<98ybU#;{faEms?$hHt$NF+0&3<#vxUn9j= +z>jTcY0iA*MX}4p0o@Hwur|q75{F``mI%q|#-3{-d*HI87{rvH4qX2jSZ(n?T9kfJN +zfeuSyM8u9BZ-eKz&>dSzkx{I>TtovNUh(ZuV>L0Gp_IQG9@HSqxUiQd@ +zaiIIY8+&4X0RzDxFIqQ%pUBglub-ZCYE?uG;BuPaA+z^GlZE7NIHvzCyz<+795flSsJGhBik9(S0d-U&t4C`t?7HG3 +zmwVL-iS-#_M!tK-CRx^0&-?!`T8>^pP=GEo-wr(Zd~dXR(Nu+>D&nS^Q-Weg^(FXPcBOiHeOtdeIgBM +zx3=xT!!B1V_{ANa-R;oQlP!dlQC17pZ(7D!Z3Y#o+boiAU88b@he`MZtXc;s+n#vC +z7VmO3Gm1n?vYjPA;SOCW&M9{^#Z6#_(B$kEra!GVTuL9bBah-W +zV9oP-g`g?2(O(~`5l^^wNR3)x(wTYzD$ljj^j8DfFC0~kZB}8Hqs&y^&NdLBp^bO7 +zl$vi}Kb7~s#Ra)j0199xfWXDII**#;;9Qz6&?)q+1mKGxqx2xd&o(S;U>8!*k?eiP +zv$VN*lvv@ac^fZ_iJIT$u!q$+QW`EWDM_315NaW|Q-#-O(Ng)rB_^)s%ur#y*;$Of +zek;$~us>E9OfpjDYD3@!Os7JA1ojTX7FRQ3K# 
+zmi1v{A>*i}1;Oj3$`AucUh!oLB@&HD0yq{|_=57S2*=LI8nlD><0paDg4vy&BpZgX +z-ou&o(LOZ1Kq{t>68EDa4K)$mjzGPm_fDBeAoF)z`>ej3qvzah&0bpYNwc=(2^id$ +zHJ|IHE)y0UP(~-^?{vF;ozF;igxb#RRee-lGOjq!tV>iLVpj3dX-IWF8gh`qcjT +zK&0b+x@!g?+mOIRFLax5!iaxIj)*iGlZ+piTAaF%4_6#YMYBJ-dhbg^_b#=s2h0Gp +z4ghf^I$!jKXQuNlgsl%N&X(J?A7#W_!Tas@ax|dgAP8Y?)R*>lA>O^HPjatt70>W# +z5OnyMAl|XB6pVfCC4I40qtjcI1lfd`fa6bo?Z_5yz82AW=1OGeTVabL6P3s)Qc7-= +z#I?c_M>oWWMW)lHy328+Z%$ipd1{32$~)|74m5Owu2G~av@zNRo`NB(RL9jky)XY{ +zwzzWBkLG7V@t`VE>_%{`WI}NGy*HsSpP%~CiIoCdBP3ryY`dpH)0)-4LVf|;3dPl# +z+@)5?hCMq|h2HowRN{kx4Ixt`z9=6Oj4+q4%K3YKPjC^(C6D1HX9Z%coeBDqt!(Z2 +zr#n+NjAvwWx+EfUyUtH|^BcQ27881@Po!MpCMBKybLWq=E+sIPg|ygH) +z+z3O4hWu&)>k5NiO+GGaMQ$Q46x_~kxy--lq3U?y^l&qiLx|R{T2I@l9LaFRdUbY| +zf31Y(iW##Lsl38^6i@D(jH>5}k{Y2YUWUK)H;3>xRod|D4Ea4!6!I>B@2K=SW(~J< +zXPr`2hnY*h4n(oGXOO~Uh*TzMb*H^tKatf1xkVGkj0kY55}lY)awH^Pg$mx^`i8c< +zhbG)3I<(thk98T^IhxC5-34A)K(A=~M2?t?zWZO?-Q{xW%Mr-IFu4@#y9Yk5|6zxT&Q`M#P^yc!F>TFSp3(c8_N#FT=$8Pjs_Q7~gyImoSD-3A2DOyoBXq4tn}zxCrA@mv}B*~J114#^M^ +z5t+M`q@ZtvD5VWez0U&D_*1hD0gvonc-9DPx!93^Dhj{ +zW&U;pM1ybTRj7>$0s_li*F52gS}zHN3hJHU2k7;>9xxb7lgGS1s8pkVBA%AfWb$^5 +zPxD)@fa+b_}J)uFnK_zRy@ZpPxZH8@;tZP?5 +z#^8Ob`G?RYXX*m&vh6t@(j;wOv9-o7UW(-HFp^K(7RS6aDX;%%0)_{?;Y=cn~9}hz`mV|~t#G!+R +z`%i!1dDhZE)gADt?yQ>>HB+D-({JmTi^5%3|BedsY?GtDEtN3v$&6~X-%6tVVwN7} +z{W9ZtJTxg1G1AvkgHh0{k?z2_d5CY-Xhw(XnB-r{PVn3~jm(95539+$T=tC_gcG7; +z+z=(=9k9STUakk}7r+ipaM?B846v)@p140TRxj+ +z$pdguLm~U@&OXZC+PLpV+0Se_O*L+)A`G$MBj3^31wP;7Hw=z=U#Nr4L +z?CC%k|9Kb91*dJ<8x`Um?LS7Yf)keG&j0{G?&tn1Qhd^4!a@p))KbERBT^Fnya4Zw +z=5?>{s+6AJnwt2bc$m%9nBb|Jd)6hH3mNDc@|ViT2*~D-V9#O!zH5l+W&s%ead#m_ +zm{llr;NZSyE-wffMlFjGA;G+1-dc@A7$%={1>?fwKq@`ws)!^$VnmgLgVTrTUQn11 +zj}K37X@0dzPsiGFvTXC^`G((pBD?vRy{qg#eOY#-+TzlGObj!!nme#yI1>Y8@p6~~ +z1HPNXQ>PxBLYaF6g0S(7X;C2%)qT^`_jhgORQw#%;U0>Rp&=FZN{G4Xpf?%<+LtQf +z$n);@e#?U>KgoCGI0TK<=hRC2fNUt|{RGmo@M>D1%u3_~gscPzC=B2~_ZIx4{ClUt +zANQjGe%I^lckQHp)N}qO6<~kb`Rr$a-}ln_(RJ!KF^2p@52}CO_-B=*Kl1v&Ny(ev 
+z)s6kG@y^c(KX;k=O)g;m3_(zV?`MeLpOE^a5>yC3LHyc#CBCjkGA1|uXt +z0sN!f`ezM(t}XsekjVZ7;IB3KBPWi@e+TfdO2mI3ho7q#e-j4EKSPlJZ-^N}`xC^k +zbxS|n;pZZq-(-UB&k+7ACAissg7^=_{CU^yHwj?>Glc(230vNuAbw5l{%nb#^O(O$ +r1K*z^{D~4j`{mz+Lgsf6zw^?v5)hC-zJ&$A0u(_40O~(_jspGJJ0p?1cm1z}eiz!Ohv!+=bKF*~RorF91-0_4Qi_0006gKqUYGcGme!AOJA`@%Bsz +z001%o09;%RD|=5GDMv>d3kPQ!84Yzn!=c-m-BI3A)zM7T5!~^#<0(zoy^gxhM4FD! +z&g{-i8V7rG8drA*8dpnab8~$_BRTIMGw)x1W@z5OblyLP=GzBSj*dU+77oro=`tGX +z-}JK!g3>^qK>_ds02l*%U0axG&IDsi}1ulRS +zxB@F+4?O>9_upS=AZKF1OWQ)?*Ra40021L*wxh;prX3C +zI$PP_`r3#6+t7a#2mmxc^g%~Ac62nfH?}he01CwgxIeT#(+U6hy)!()&%T2y0iz#2 +zQv(19{$TIFDqn#Oz5@I!O#jKgxxJRue`5cuPyEC68#`-B|0nj(#zjpL1}6mQ=x6_n +zR`^G2XWk}dZ|3Y^Wu|OwZ)IWb;>zh^XB(x_Xip$TDAt%N7((AAi8SpN4JSlrv4Jwv +z$Pz&DL9eE^YRJBivgwH-IPg42|-?6ND6eM|y>zbvHe&ncA^{ArD-F?7QEi`?$0iEe7Cg2nlUcSs|S>62aCZ4AAR3v0RZjwF1(UY4;|BQ1k>-XC_?e0Xu= +zVg|w`Dv9yL`r?yeTZ}{0lQo@7m9kf?6{}>1I1@kQ42AKV)-frqotlR5^xK?J?uh6Z +zDty?HzceBvZ4=M;>3RK%d!bnVq<8VMqvf$bx{X^d$<@W`(~Gs!+$(NQS2PIgp2ns}%j(@p@p3P<)#X;k@PyqGut+@h%)It$>ANY%DR!2XqFbMH +z@r_-id|F@2A?&o=J+{<6up%Lsq;457b5ggOu)w%szxG#Drn9D8v_H)a|JD;6y +zRLpNF672R~sd&F~=#*sm$*a<5JT?B^B`=ryV}{KSC{zxcYldoyXy{#VObC6BTg^;?5$^Vv?s&K_OevT+mGWu`VK7RPfu(|I +zMyWeT*#7!7CtPMkFFLhgt<<}7c_m@n83+h8A>R9+*!K2)+g6>FYG +zD6r<4y5P>0-hSXfH_F>hZQRsdC~Jl(8nWCs3WsWTM0w$es2M;6D& +zp2sH-6oWK2tUnr*4n@G@Qcm|IjvZ2uZED*kW!lKatMa`$4h#p3lN*lVmf9;61?*Vri=B}!rwCVM53p3_+@VsouaAEWAG^x|*(mDvIU?=5-++$hq_Wp{X($|=Y{B6JX$u8X&6i5oiygf2Edz=uL-cm0O0SwnT{0rL@y_E7tHEWC2 +z{mTij2R%7`^4Y0y#TSl@G_0!T=d{mtXDKQMFLVTYXl>^!>t)Ypht_^b$dcQIuTEC+ +zXkWPshv)OX`SnLvfGEH*8c$!g%ok&3m@B@h1JN2l|ZBE$}yp=r6dQ +z3iqX(v#3MJz32kG40$u(Tu?6D?^cr@#Pc>(RMbafM2wDH8f;05^^{c|8Qp2f&Im~m +z7p$;)pq^%Rkz+5L$$tk;I#F(SyXDM>UX6!7ICmDfP=BQQ-|}02%WwHDzvVxa1Bq`2 +z>i?KakcVP8RR{yH2M1se3ck+m&gS$G*tdDz67zhN5?W-jX{p%IYSpQAmw~=t$>JL0 +zj@H|DPL;Uc1}FfvPyi4}XcYnpb;^W6Ay6m=_!5+&03qpQMqr?#v4+SG3c_Is0xmqn +zc~qDt9EOE%=3>mjh2Z8zP?2DB@gsP6xVZSZ1-KA8B-p$>2th7^Kh$4$LPF{gNC?|^ +z(+~s_LIn*70P#4f#{ryL2lD3G+DFU~6NYvHer5w 
+z@u+q)`LSs#w$Y}q)O}G~e6kD*X}4;B`Sd8@E;KSF&;lg_p{a7%-46pF*hiO$`&&2? +zR5>N|K?D4qscX(x+t?SyP2gOgQL|HViQ=TudRV%5g=5HoD{msNM{7pwUAI`h +z2=8QUp5RPuS$)N4X@b1Pr;^z^_Alz~BDj+z-!8PWhr~S2;Sr;vcLH>W+^W$8qzBEWjg{H=uNV*V9d6#W6xh_Y8Q3yMttK? +zY+U>4WFfA_I7&>4(o2L!S~%82k>=PtwoO)%5V-i?c6F>2hpesiWp@N`9g=tdaz=`36F&)C_QJ*!bt*CGlH#jR&(H=7NBdE{5 +zz6d8p5c~hS0oGXq0yqi+27#RZ05I4kfMACbQeTU8PO18MYPE;<7K7lD3;8qjK`5ag +znOb%87y&s|sIF`$hdb__*pR;OzI5gb{C|L+6M(N)Y}|?6{J2FeWMm&iD*7~pjb1>} +zff8DI3p$ZAg=0i?5;dt+WtK52ZlXVdoWcJ$BL90LQXU`=q~nJ8ZY}NxNez>^7W#U{Woesw@+-@F`*JRRvApk2 +z!SqK?=|_gV7!&i=y^?%eMHBL!jcT8Qaw2@u31Jf%0xEhhPO3$yhf=44BE&OlYB8=^ +zQZTG;kDJraz1%D8NJ5^!#ex+WMxo6bEKQv;LBD}HW$(CR!0vqac2Kwa6*ciauGFQe +zZWf9AN7qDrh^JBL9&w1Rwn~hSwz1{6GgIZNTAOrHuBY6$-PEhvx~Pfm7=ItCm|1vCut8BR=ph1k5=s3r1`a^F!`t +zh(N;IO`7p2uI7ew1zc+I(eO$>G_`IuZpNeLpg0|6 +z*dm{yC$}V!m8e%(#lNDU!xC$h46(X0sVx7r9Z?#xE_ok@grI`2fN3P|bf65K_k|RF +zT0A#pn(>ilR``J9KI(^)PMx&XxJnAVHffFU`1|+clKL{{t^Dd=878bxmTes=uj9Ks +z<|d`{dyQVq&@O(1=@1k@sFp=ZOqWt?$BNum>eDP!){)JA{m?crMVjfL4fEsb#mj1Q +zB%=6n%2E3i^ZnT|C|4NWjutp~4>h#IBZKLTjvDG9u#M5oFATyYvR9(w!Ul#byj4vJ +zoMeoJEc3$rJ`%t65wH=aQ`f;f(Q*l}G?K>4;t+9D(u=OW!$RV!%D`K)St5IA-#en( +zgUPKFKHFAykLTXCy$kv%sps9OrSGLZHp{(RC^~9ON4TlU!zlY3Nf^IRySfGo+o+3v&i4>?9RQ&6M~J#| +z7NTUKG^)N+SQ2g=#vfDHEUP&)5guGieqFi122@o?`6XJNw77ul?)|w;x@)PDCq!vWDn9oZ%Gnz+9J8h# +zAy129@6xB=K^);9ady4C%*9D8=9aVH$BrsHSM-nuwusU8dCsMveGt-C`kceqPDAmF +z-EqKITKasqm%>ZVzKBMBE3O9m?3~(I&y(07?>6!j%9Nb$iqQ-1Pi{6$ +z^M~d%H55x$TLjmCqAX*anXSDPRPFrSjyh{>0R_RUbJ2E~Zj`>oa=|XD{w5(dyp}PQ +zCJ1YZ%Od4z`4`C`<9rviOVO(@5f7UCvFrmG9MfpMIq+5w!XR?R!9P$2}d?d +z*?PN*8#ix4kr4ljBk$wVx16p{uHAMf6Q`c3+GAk~oGs%wo)zXT3D|~|oWKt+y+>(f +zt7wWQ+B(VOiM()BrdUSRwEe|ho0DR=u;92m>TQIXB*pl=z91U;wD;*Vr(GVkt=5XD +z%k3LwFiAOr@{J0-96rvG!2s>+G%N0(qRkjg60Vc?rJ%g_A=M={C`tC;#h#+?&OYrD;TYTiSgI)ev2Q}=i@SNUD@S@5(fDXahetCRt)$$< +z(Hh^1`7;E*YA^T*t*XzL$eX+BkLC6cv0 +z_G)3#4r;_=OLtqb3RLa{d593X%Qe|MWF6tWmPa7e=F4G7NXS_(6#$Z7u8K)@y|lzD +zV3jl5Qn@5Gz3Fb=vnzra%oxYACMk0I6g)<`RWeS=6gWh~p)pmNg6D)GK#JiQjOU}? 
+zp@&n%agDXq63@`4hKSPYzMFg(!m4SY$3Z;EvZ;Tj}^|RINj&&9>-`S`AE+%mbk-f?aS)M9mtw@zu$_WlcdHspE8`O +zPOx$gZMy`M<<05Th3@#pYj5+saIr7?WxdS|;xFD64U1$gA-gSuy3OfRhv&b(oM#X} +z5=g$Mob+1wbu=t^(=B1;^c{PlbXaU%#zHcZkx8Hbsu+LQz2Y|5FXlR{MH%d +z?66?>DfEz>+2#Cu9)(3>r`BCwHn! +zc?$eGqGM`aYeajq93Qo_ujgGy)Uy;$Wm{;CU{0d?Dyl*r?T|py)5uWSQkaLMj>mGJ +zq4yV@lf5l59INJ@>G_vjZr7TJ{+!rk4RUdN2AO^H!VQ6?p`UWOUpDxcx!hHNxB{gG +zQ9WhbFRqQ=%F`;QlEvgqJ5?vJD8?!9bWB_`xWiuA1*HXHG_NM`f-IZ&OmQLKDVcK)z{Gc_h>TzQ^rHE8L+0)9N#-%*2_9qq{9%?n)`4Uw +zjlJ*jc}X&6=*3T6lPq%wBQwwHEZtb*o*8*@7iJ1FjP!k*js7O}-=zMV)PIxue|J*1 +zh5}Ft`5~Ex{?DyQxIzGM{8o~+MIa$~-;?Ry^L5IfEtZ`Tn5gJyD-vRG7!-leg^R%X +zwj_aOZpz`v&By;kGR?~;i1;Cy{-*x2k2ZqfTTM<33i-o441xxe2Jn1CJTbbys|2xu +zXr){q*fLiMB0LOB&G}!bWDmxU)U>=!sKuI&CeF|(5Pm?lb#$BiKEqSA$Zn)78f;Rw +zW@7y>v2Bci&$2-mK@`DFfPL;-7E#|^N|NpPKqPa;h6`Ro-kY3U-7{1F`);!h6o9J#A82!f +z0O0fuZFUGGgy1{c!Ze#HN2;qCe!SVgM9$gzmmorbi-${qmy7SL49tC|BK}Yjgk1Ot +z+;0fQ_yeJa-2ZSRD3yBQ&Sl9TMBi^>7m1nFsC9V+@;tJ4Qy*B}SE!u@jZbWf)Ruyb +zC(bo7T`(b{EaRAOF@X)x-1evNdMHcx*SeTz+-o){`mt=p9_rZU^V41CJ_E!51aDsp +zV>C=wB~>*U?R&hQ&&u!Rn^KmXTxU<|JNJZ5W_|rZ7XlAT3r37SQ&N-I9@ZZjVMLtJ +zb7fpb$$58@1@ga;vsPtnrT+umXhCnoY>&^&Y4uFS=v`?yw~-nJf=flgDx@Fd-#5q*QP!P=hMEkdI9d*>#5V;vS%xLn>C`55J(8;cQ`(~p*R;o*Khp;9ASThBah%u +z%dtENK7l_g3E$LT_PLF~{geDq*aF~y4rT)26FsJG4HA@2vAhw%&vN=9@%3UDF9bhi +z_fs!X3`j8_nS?qVzPw04Saih9AjX&KCllf;o}|gSREcML`XsngE9}d<;^I`=!RBts +z2oqHzO;`Qc$rHgSiTrrjeZ5auMSo$&{Q;${mCk5NHoL53LD5Q~h_+d)pOE^?2LFl~ +zVK6Izuz+%b(+oEKis1WHcU!5&j{P~EiyKHa$vL)Y^w4kQ3>He +zKsagq9m>uC0Q*0{U~xuwW>5sjQCwgnTXiJwxz`Ug&@8_^--OF76tTS9o +z+yMSJNb_-X{g4Cj@o;f-|L6v1>M#2Qr2fqhF2Vvr02~RPN4?YV=k( +zpPpy;Y*5KNN;$@;TJc3Cnp_}r+cg%LU~Rb)gcbH2Ucg^XGm3bpjdB6Ldt;6f!mghA +zGLdO)*qB-EfPb`>#pYGb=zZ)JlqlR7GzDLu%N_O=xP<(dlBlE1rQOz7vbJ61{nYCA +zFGS$ycxC1kKtKJ(SxzsPEe@5@$TVuj-`+8QPQj7CvHg>?{IbEnauzr&AQB(~!l2UN +zrCy?ejw89B)!<53x=84GSG|mU33v(*esqpTr3TdlRI=gr3aReOQdS +zAusLZ;Jd*$vQ?z#_n^`c4r!-?z58~NZ{a2-Yd5)ExWi7*MfzUxYHF#$ZP$dIl;ejM 
+zKlSuR?KZpHpCU*g3j}i-Zt95c5cg;1)sLp!#QW}0$pC=(KO8FJ4CY@iai7R?;Bjt$ +z+k0!XtBJWL$4t5($wwKKJC@+S8(E_mXd>%EjvVWs$X_Uv1x8e?WqCf!QC3uV_<%Pk +z)5Ps&gZ6W%G+0<{6|YewbE}z1e|zse$xzR+H0gystX6y(`OO>XBcWKLm=l+z)!VlXBXqYE{^l^3GfR2>3`qU +zUw1-6=zcT~K>;u%psNYv3M!OU9|21x!1d_$ZEmxd&5hH0ss +zAM2PMn;y-LbuMBNRWIWz +ztf!sOWz=LUCe7Wn-25;5W#jca!47!rf*v*4cuud17oI3OR?*v0dEvxhq#m?% +zRs)QxRYu3S2Bor_&UEbMk1k^|^7!rF5mE0rG4zb3I#^eT9IQ&RNEWzX|5VsBk-I!? +z{%&*)GVePBVL<>uhk&onbN0;BaAKg|Cs7N~HY(zE9-_IUV&+a5gk6R1n38K>5&GH*W +zv`r;1SD(B>3MyB(&BYVe1x2%z>KnPL*j2ARpKC!y-M_HBy>kgwwNOP&cZSqeF$mi5 +zPDK8RI$wT!(WxlkpsBJH~|!T3&?Ek0la5Zb9B3N+jRZUw1-6|32){GkS(%LXl7i7!}78 +ziST!rCPaP7)GwAiN{X%Bq?#{fnkl2xG7aaMau&@EDU8uWvGd=2$d9TZHA{E9!D_@_4?A`CWN +zuY@|z(hyU6wl0kuSQ(VI<7lrew?7g@yjvjWxmic!i-Rpl)M7xj{Q77>pLv)$QcU!L +zv{@&j7AX|Kd~_T%cRuH3_2NsjHRF_v*LcU{V66vbMM>;N0uqDN#LMtZg#8kaTsP2b$RpEh7fkGJrJNPJWD$#9o)-nei? +z+_+7fYT`8L`V#YcdbjoN9YwG8LgAUI6RQfZUj9cHZbWYlWKcC|Swv6SUis)FzyeKY +zILflMH>^UDAv`r3;EGrA^zR_vBwo*KR0R(e<7>RE5cdw2)`Lj#KW-dX1|63gwx1IV +zm#Lt;9?yuN_;ULS`+3MvNn=-QWD`^U)&Td~wWjF(X5YEilhYSdMF%gSJ+lwlkEsfF +zsA>XP=4g>cHailqTAT?q(;l+`#-7MO*oNqOi0r7xzWKcHCKtrLiC`? +z;4&-EdL3Q3L|fCl5P=t|1qenTf!)#5sLO} +zoqR+B(h3AGr_VPm9T<2oIUI*R5Gqc6gf+Kn_JFs@n1pVN<0>z+eqq>vy#5if_7av1 +zt3P}jIB`M$BRoR^K!<{_Cx +zrBvp=3j#xXd-AP~J|^?VUub2$Q&XSvS+!lHMSK`r3D!yDY+Dw>aXEpXSjpusQ8x1w +z5ui?U$Tuzc(5ra2IL|mTKu#;i82f1^lPFgdE|xsK@^1U7kWOp~yxpzDj4H}3+)Mpk +z;w!w2Jk0SH{5#_zUC1ZYB*Er|^L?v?6&Z}T9QUU0C3UBa3&VOYzHQ1YOGwEr)=f;j +z93lI((dI5IyY+QK0}Sjh>NKqq!F?~&n0q1i7wd|mo%0D>#A9ViIox%qA}2QoS_uR?+%6e^7-G=O#?Er4on`C{ldmCo +zD0z+t$@pZ)H4FZ_oku7qMRtAlCbe+>)^+aru#?XWntEzA +zl~Q^=g}J9X1qs^C*>h-;qhkG#;-SUhw^;g^0gncJY-VHpHgEYIr+&w&e-o#?(Et$p +zVcYos^z0Z8z{$5=muKmh@%P#BEcvY^qCPa^f0us!WxJQq*`m~+v*T~--_oyd+r1#! +zKN|lwJB~S<9fyD2#FB>GSnQ`8*M7&-`oSR-CHQ=JJHw5Nhu2MEVJoTl0v4v8J>eck^xNC8n;=on@=fyV_b9SJWe! 
+zhe)BCI0M&DwfJwsZMqu|7|mUH%`2j@`x3CFQJMV(9gT +zp$uhg5WazUGE2!%Utv&Jc``f2zP?HxIDDhefLN2}?!}k}_iV0r9au7O$~uw81}S38 +z_scYt`q>-l?K0~_%5FO_^MLnZgoYp5l(kKb<{`ZPGH(TB>CYLNS*!BanZXn_s};_e@W@aFI6S7R8JG+p>17 +z$r=ZR8-%Z$qhxrLoG~|0?1IKG6W&-QqOVNZz^|@vD*o_})q|0ehrqDe0wT}8YSuS; +z@$uSf_jxqp9@~6LFhRYtyy+0cw{HRXP>$^8LPo6`;JgslKiKz +z;i%D`YwZp*fwlVvArto7{(%+n9V=vabEvYU+B%aR`nIX3jMS2>~GN +zkLrLw1OUJOz`o1xU5dFLqKZXS+w%FLiPa@|(~6i}a`3@}Pz`>_SQh1u +zkK5&AGld+7mo?C%SM6j>vgyyqRk(#>d8VmtM1+O(TOLa%f}{8el-=+!2+fxb_Yf29 +zgNKYAou$=s8@v>mu#f~?9 +zCX_!hFvxIlYmOXHAgV?TUy~={75TojmDE*gBGvMK`C2J*Hg}&g +z*10@?W#|o`=pD?H7bR?r_wL(NmLaCM>ip4z%MM3JMup}%53Xa>yS#i6`s`JOZFzFk +zEKN7_8bkHnD3-bM13%k3+y@btMD*L((H(n*$)D$ct4{pp$^Ywlk__dW54oE=|Cf*0 +z`7OWYxBQm>r{()|{!(g+H0oBjXryf&Ol@d*xz!XQP)zWzPXPQ`{(c_dS${(C!--@+ +z9Qt&2BH5o(3H#;wWPdgA6e5dZ*yLV)6RpOPO00B-)! +z04U&S>SX8QXl&}lYUt=>{Iw4NzyQi`uYv#o00G261pok$o6a`^0s#8oAKnNy000sI +z0AOIKS=f4zi`m@!K-=^(1xtUL{o6Ge5>wy4(`uk%501yBGfIp0OUXPK}0mPx7W8dv@rz$Fc<^C_@V8Mj`REb-QWp&^BPzl +zF!6uuDZZqWea9-#;v +zLUZEP-&Z~)VeoU>8+sF8$wKha +zy=UXS*RHV{3B^+}G(_dD=ZFOcuSEpBKGlvip~s)j +zd#ZOwA5dk$oT8r5URhE#j94R`!(VM{u~kUkwUn!r7-mh}%^42kF|MVP-@Y~u;T*8K +zA~_V)(wE&mlwli_5VwlwK6zWW=~f_|H|tfjVQ+rvhiGL|?u5S#Z@bM<#`LOh(Q3YY +zrBFC&k%_{;aa>b=5Y2SH5}73|%N-hC*C&3z)Kl!Zf( +zUXqWd7m2a&7dFp=>P!~ej1^V4`?jqQFHKJ3&in3EUxpEAPk4znD+qN+JYE!mdTayz +zh8Sw${FD@6s2J1($79!V&i{@Mf3rfW;JJTifAWftf5z5|_H&lXwJpzCdvD$QBk35p +zPp%RaIabzD>ApVVDAVAWFL}%0Bcx0R`Vf$HeovhPsDjlK5~# +zKDzBKJNE>V0M=X*SF@4 +zkH0uPC|}-}!#?V}TmEVD+~Jx2iD!lPWJ>%Ro2OIVCC%P09I4&jw!X3)0wQpzXXpwB +zfH3&KgY7K<0F12-ot#XaSWQgbqY@O%vBhwD7H!RVEt0#rrjn=7vrm*I8@q}|^60fn +zURERGZr{&K;a=cM3tG5mevp|RdSZ(#@9bvAf&KoUD;U36~l_60Im9 +zu$~`HEB5#T)lZlFiroZvv`YihMs~E63%5g24P}ug>TJI~`^;?DtT2V&tFWi@ +z;-utuF&Q!lLt9cDy@(tUPbly)B35JjdtFSB>ci(HNGYF&>qKhc=OIt|_v4jA45`76 +zQTJcshBIkR3fii!Y&4|Kp>dEw9|S5U5+&>)mK=p9WYAmD6WNSdp`II6+$T^OF5a4p +zF-^tc-S$XXabr*KIJ2W1=jtIdZ0aevb4|4^5_@r0Tr`bNxv2Cc1M9rR5gf3+*^a+N 
+z7|YF^%Pj-Q1*z>=e%31)j)cZ0UmxGOv`e|Ps_77wXumB|ndilFrax%-y#5kuuDMB^ +z&%BX1pDNXF`Y~Z}p{O69V`O^sl%#PvYp$x^&fz%=;tteBQ+Kg3*QYAfao2Qd$(R1| +zZas5`KSbM#v*NL?+F|K9?lUFWv?pf3@jO2G`CC=8a +ze94hYKBWjKcZeP3M+l?Gpibj|?$kphi(eq@<(|3M>i}c>K(;;%AUVfk5gicsk;q(B +zZ?9GjY$VJKd9ZrtF_U75tXvqVSyV1BY2NC|l9LNw=?rw&ILK4b$zIM5t=Ub;l0JfN +z%~o=161_aaEA^^NN6rm<)*0mj=k_#DzftxX(&#RN*J4}aL+W=gbZMhoq3>bQUokw& +z3?$eJPQ{zE$U<&=Qu=%9b7j6KQYbj>Q5GM<^wO7;(?y_#jgPSnwLXjSkW?BQKdjHr +z2uTp(E4O%|nrcDCa-2=)cZeXKD1CI$dSgTHCPQD`x^Z0aKT`cK`6a*Pm;91n@^8wS +z(zgK~$bb8PI~2)5Q62z}p#X3U27b%!ZgP4M6UN8R`@8z{P641= +zSOAFW`_Ld*0EiUq?+?VIrCj>6YMjZKW@}z(-Wf0;JnX3Btua_ke;{(yr;a+}dLa$k +zvHXx#Q^U5K+*_C%S3L`8EW`E}ZRY*9iR-)tYigD|?1t};ZIe8HRtMvrer8z?uL$Rc +zPG&?uMRifL_x!bS3aY`Lk64nBH5Oq8vA9c>pGIUqBT +zFTZU+6?+j)gj1QgzT2t0tdOr4)uM+|_BJtEs^q9!9h`o@SYYrdNj)+sD|b4#S7SkA +ztw*>{kZU$3mv14aw66S%ICk!8i)gl%?P#4%B*!z+4=ZiV5fJ|%0POGQ^yXz=%;$R& +zJ+g7dA@#b_^d2csu*mcXvESzNK*DBoy8Q-m +z2#n)Ps9e=Nfqk1aR9mu(#SP(3N%uqDa!SgK(?#kw +z)m@5gH82jfDwv%!toe11Da*R}V(SQ}+Xrj&Xy~q!^{0oP1z_|E+AU-}$7>xZN#P?18d8Yt~G%Ntj{{!)X +znZW@d5YTFOs3J{ya6Xgwys%%Bn4g2m`cPFn`o%0qv=)1Z!h%*Irfr7s(lafGE5D_v +z22_d={aKEzcyme)kk9_=QIOaOp>u(cXKa?Hu@?qUD$9-tuH%yh_gu6Y8c*NStPfL5 +z@vCM1kMrk0vx>jc=R%rZuIdxz-Y=Y%>1tFy3CfA|LBxSfXYeZOj9yg32^{%qW +zF?-7TTo1#Yq>KB4-gxtHl&@HXx7zNEkGC`Bb2jm;y+>Vp?SgK>K9-Qr?58*Y^>tCT>b(@P;8-7+{(CIG7L|00Q`#dA+nq?)A1v +zvnzhU38PLqUy$X{o-?C3AE=S(=c|v6SJv*h_9v+uesfXej<4rnU-M?vp&1+PrB`_1 +zLFMD?p3U}Xat2C-l%f~Iu1P^4=^?4aFP)i%h;s}_MU{4ooJ(J1vFESnBzXr4ET04G +zhpRbJB5yW`?-(U|+oHXzN7Ivd`!d_TklVx5*E0`QPpERE^&AD!ogi|TYsG)bZi6p! 
+zACCtVo*@W|=rC%=B)<1Dg5963-do#m)(>N!8A(|P)|!|y{7OCU+?cpjDm0~bD|W%X +z`m87&Zp18)ruSuWAR}&{fTCY{ey2IgI3a9nb5=p7r2|$H@=-Ji5&(h+egjM+UY8w7 +z=&}!}@MQJYoN>ly@y;{V#5YU +z%Dt3~u^l7~`OR~~d_UuT@aDA=pj6dDzS3~=H#ZQ+%wiFAk=Kc?dCY+CtVF|AyjLuF +zZreAe)Qij^AF_r^s@g2^8<(IF3`tHaUO>`<3r=aFplauK~jlHBHX8T#<`;B^C-952o^M?OI1 +zK8Y=X*K{rtlGeGwS4N`Z#YcqUG^WVCDRPh-0{g`&zc}R=r~Ef?%Dr0vKo0+3k0n;& +z0ALC3#uVY^VF7Rf-(!iwLb6nRA)fBPizPT=yc~asB{;ZwevBn<)W5_MzjX?L_P_!l +zKgJS}n^?jhs2rfL;kb$xB1DdjEp*WvR8kt}xzpyL!45bdB`sxA-cJ#|!cARQ^p2w` +zV{SyU&zgG`a9tP^PM!W3c7b)l+Px;l&Wb1Ol5^V63@^D47^@D1N +zMb2pyj$ycRd??ZM26nNaEp^$e-~?yZ$5Fu6!8`G6#Lc_6or-1UpXSyHyH4;Roa$i_ +z_cV>fX}siCw0t*C4IBn4a}t9~-X8T4drI3DlB@2=R)gQ%Ql98-hzas)znx5yoYPZ2 +zPUP0`uzsE=G^eS)NVLiQ!1V4uGNr#}o5DWVxt^GrMA}mllDWe0*d) +zlh#7aMFgSogRmb>;Jc3e&)~|sygRwGR1zbf1rvB$-)BaIdr635?G1-9 +z3~8rPNcelY>YEPvS`#`Cua@Xa$5#<8XJ5F)^Y*&+erh%;>kjS3@yy~C(}Jz+$OU)S +z9I-t=8|VMrk;2&5%z%AP7J0JRE0C#M;a~r>G;%u<`Sw&nPqWk)GcHz&i^0<^8KiS- +z;$qR7UR&j`Xgg&*;q~w~lzhdD`wVw}XNMX(ZKPJK# +zthR-K#Sy-qYw-DPdMETxoU*HU4sAzVOi&YMvg+o{UJg&&xv>jH`bthL?g+ve8?uS9 +zYlJUHxw1T3LKDiK+qlPzET1*ARdQ8ebqob_*=8DJ$g}W1a!R0AhxnlMR6=;BWcrb) +z%ZZn75C`&aNxI${iBWdT^!QUOcVx*)eM@+@I$-r+At3u9(F5M~;XlN3KW*?&W4U_( +z>@JuBi0Ump7`;FKC|9G1R1%pr^;#9%tOzaN!#;6a?=f>lH<$tlBY!uI8D!pkY>XBu +z>#1h2u0WH*N!ydVINVNd!m-)5HJjj +z9Rr5;ZAk*b)R@JdgPZ4vV491Y5B5Va{Z0L8A59qcx0;+V81(z_5D)@H9DwHOV+vFD +z-@}dxL?~h3Wy;*bj&#>AG36Om%pQsvt8V>}P=hibjhCU8FYtnN|H73ciKYeNNl$b7`!eA9i#F?0#P0F2u}^SI55?3rq_@%M +zUPGB{)r%IsJ2zDT0B#nUZstq+rcxmVCKo%FkDNBcA2#-DR0&S*c~cvdZ{Oq=;Dlu* +zFi~%2iw>p$@~M4M?kHjHDAU}25K1J4k$~Q%mgH+AH%_N&|Bg^HNc(1}|GCR-1qOi1 +z{|mIafB?YZ8`^AO0U+$}XbV$sCK;=$qWSS+{}eel>tB2@UUp7)UM_a-n=&xRjSBl+ +zh2gMc!7#od6zO+_>T~?fg&>jdgF2Qz-xd0_hgv9XRIS|Y9?1F1)r}R85om0% +zDpXz%GMv8EL`P(VOH#_R+-d|FBzN^A_Dqwc{BvE*BX))fjCd&-c?>_X_xAdTzF$xO +z-@)5&g)wqEi{i@ajE-Y2k2hs;dB!BgS1QcO{kIyJBtCw8(G9}{QvhQIUr5OCt|5EY-5jRLQU>khgp0PK7Lr&WYj%EMF7il$Fs5N}>xpxcy?arsDuyG16=xKzxQ+y>td_PVH*wX#7j-8u9+ISUf>QV=W;`8~&)V#YCSkJ4dd??Q!5`VaXz>T6 
+z{yeLxOZbBl_%9Ab#T;*Er|>|^DX%+ +zxwN~?$R~oN-cT?*Fsfc5o(saMM!-pRq2(knJo<8=&yn~v>XoKL>D;HeafQHWdB|MF +zRiZr19UEuX@H>>9006N29So0d=*|=jBMhQyktAoJ+kAmDqZ`aUz8tYO;Z})mk|f{A +zQkq>}wP}gHS=lDQ&FVrb4K?v11+xQ3(Uyr@h20I7YqgHI2g +zwb@c!DSxm7=wC3+&B6Xd5WvmJ&cX4c9o(ot?c<;F7ek04r!yq$wTSj$fv{4;BTLj0cq +zF#j;HIB<0p9Pmj?A@p+uwDZH;0>d0H0!w${J((Rdt=kM`jFQ)b=KbD@)3UZk0eaIq +z68BCaPfhi?C}xM&hTcn75}+T0#X&6M4*ADPHcvi4jf%G)vO95vUEg}*bJw$}wHl*C +z9dcEM6g7 +z4%(MD3po4AaCvM4ax*lQ)MbjTQrQ@DVn$DpvUQT&e`-Cql@SwDL47r>q`UdDAnx=w +zlPghMZT)2pI?m)QyFw^fjFyw8R%?qIa@vMDnr*(MZYs&P+c!Rx6mE}q +zbxg6)5iyT4lrv7p4o)slh&PK>HrG*dXkTm@jJ)w*|9=C<3l0E;A^(WKZ*F(Exzpoc +z?FhQrIdt`HN6c$zUOPR@&?hvGH_gS;iBznY`QHC +ziAIaxS323s817VX6(x#8)Z5)JzG#m1id#;3i}_`59xYsne+H(wj@9P}@4hw8;tTk(|Pee^gKIUb}%qEgo_1@ +z$eQcaxkt(x0c2RP+9NE*3dq6CK5DV6b7{N|&Gq0Ar^e9Ol3OU<+q`VbXzjtGHr5N=Ru$eQY5rL!31OIQ62 +zP&v{?H*&Wag-Wbq?p7>bnR=JK&uBnG3sxlxyI$RoOeK!P?jj4HFeQ&@ssk+#_V%|oN?L&y{fnJnBSu4K4;1%a=ZMq+~98C51xE>3jNEP_^?)-y??f?4#_Hp~`1w&v}#T +zS_C{2Im%L(!=tMMa=#N03J3rYLBMaub92wrNMf5JY5g8TsOeW^&+ +zQaemk?)EL&%gHRX2icOCqHf6>fl6OTgjSrbamZl&r1)LZRzm8gpB69377w3CPg?Tl +z^1)NvEb{0@w$DA^sJeO=z^72vz7&sB8x+k@qHEx+Xj8TQcBvH}{*-9r;E)YosX$R! 
+zdx5}NE(lz|CMeUO%AMCycrC;|WUL?tYUmSiC&T2!+O<9Kd34J!c``sHYHrK`H-RhM +zx1i2ndA8Ytf=@wqj#Z$ul4d!H>3%l36 +zpLpXvz2AJ1-Ff<990(4=8*58%^uiuIfY5&P$-nIMU)pI35&-DJ{Ubwwg8q9l1P~km +zTz#t)pTh#c|3S}T4y8yT=hK9LvgW@qEfpYZm&Qa)PNWoJbI2*scG#+?m +z@{NS#h*t1fas^%YMSQnib>MNZfS)X0pvLN^fj#eL(kPr*!Mo$v_~!2_F#RS*eT%*r +z`K33X!}Ru??}pkhlH-whw5?C-S?HB?plNPybiCq&t*zYVd{|5FgNDk7+p0&pF>^7f +zOFu&YL|EvBxJehRCV=0c{^Bxd2|Z`3YIVwF+c25xK9_2|Hf7BF5gCmx+*LHrFTR;h +zwwRI)G0}tZ^0#6t(R)56%he!d`&&^Iz9M8X(6R1RlTzm~ejk^VI;c;Lx$+fPWKXDJ +zq+20(QXn#R(yCo4aUSUY`gCUgs4e`loae^^frYs%i*nCCo>xQEC$18gHb>i*eeaviB0@CE-t354XacAovg9xxb?_5>{ +zU6$x~+!BtED5q43r-c!Jb-l}s4jL|Q>~4F~L|3;z$gzFDDf+b8XQ}P#dUUSvY!uwP +zn8tibntw=I9mudm5m0D#cn4C0HjQB1YvNDayLb)JJ$RfTurS;weVK9Mv>X_aLAs@g +zdi)%Er&j3&r={drMj*#xrBn)gbpRC#op<-EAO^x1WSmF#!Lkjh03${o{rRj-f`<0s +z&)n1b)kl{Ls#i=n1*7Xv6p6ox3mKUH!9D%7!QZG^F +z43Q4}WNw|dst0NAM@h5?_npgB5Ii%JyCSQhLk%V@Gy81Ww4z&?rDF+dN0oW31VjI~#? +z9GJL+jcGvi!MCb!c`R*B;C{l!SG26499S+sGqOC4p|tj6URm+NAmlN=ojMBki*&cI +z`p}XUw(31do2qRq)Y;qE`aHik>QT5FQo7t;d{L)VSGvGr?wt#>=FC(zt;aaAYg*P; +z4MPVbUqTP8^&B)kh1c9*O|c~2@NE2+G=^q-XEU?F^q=kf@*#H!_&S*YOzk2s>-i +zteJbmuwODk2kM;`6+#?~x`h-w8AIO-NWZ>#IT5z-nlma#uH?4TvVp(6|0QM3kZNlf +zNiDAN|+OJCN$Qfjk1tMPhYt!ze90c;)l+V)?oCfhjbYjtxt3+3Osp<8q +z`fsVsy4jq^%iNduv7&Efm`KpFw&D$DNw1WY7H*4nDhk-{#AdKoDr@@&Kbq4O^vXi| +z9EDWcb0R1> +zEYeO)l!}yWX|xJwWVTen(L+N0s!HB=C%AtqmA(&TOI2GK?U;wtDiR|}z~ZJwCT--K +zk9A*Oh<_N)u|ZWzOJ58XJ`uR&_k`lSId}ePiFT9+pu{%UDynFhiTNaQL`K=7HPY} +zWU8^#L~n5h&^8=8XF+E=IQesuB|mOGBooNnSK(L=yZS=2S6s+=XDzEr0qyWwXcSU* +z7`2*XPQX*9ubu?B>(ypBmJG%Ddpjs~JlM!DV`^fsDe!y%C9x}UlaYKb$M%x1EIhV! 
+zV3nstOnzn#`B-TV6m*nxY}X`B%D9{Cu0i9wTJo9(lN|Wm%tZSwZ~5h?e)*|?;itS1 +z06_SMZR7vx>=+6FSKoGB-h^L<-?QVz+mF_9`wNQ)!>-S2VQMB|R8>A41vay1#UlZoTbpZ>8N- +zeL_D>09HpERJqpRc?h-YX*{Dfb>cFusG4jS>(5xVH*_7)U$k0p$_SkZN75!>ty-t) +z^Mb$)XYAm-2YJwo$;{uSQB`bMoMZmDbvtn6LBAfJI(azN(|WgT_O(tF2`EXeU}L=) +zp82N@auVI_o%9ZgkHZQshY(Z$PhmLvyX^{^#s9OWW;2is^Oi~f +zIMwUzO*e2MBt!e{D)!|GIsSttg1X*N0|q9%v2|;0yW_LMdp?9e3x6t0S~uS)nVmUU +zhjEuwz0bc^ef{bW;m=PS{C)TX@&_mn)gM^-)%1@X19GMnW{uCD&Ne1$erA5F^?uLz +z>L@Z@weKpFRh+D|C~`37tg9r_zB5>#jSz#UN711Tg~WiT%q6>NolZ`x&Tq)mYb@&O +zfblIp@3Sd!kpp@>2gwJM`pNM32zA+^wQ4vX!_n%c_k+g{6TDB!`ktfITVy}xZ+|9p +z5;hVw-h02pZXvMdR4-)O_P{T&9C~OG(9;~MAgcV4&Ia+o*qZ2#ecZz~jd?=ybbSe8 +zgfPm==BfBPV~zU^ucgDGqV&|yUelS&*T%yp8PnmTP;kq-Yi!3_WE&O&#uyRSU-h_r +zj#yrvwzH&u^r9;CvQO2+BfMg)#mg<{DZ-`k`vy=2>6f}tk0&yw#-f_1Uallo)3jCv +ziC6a=iUaxEvw8?f!XN4IKZ*k|PwgiuBh>U?wU4$l&$N+BO4IMrec&~oVIHytq>BUhc>WA7HYT_107|lU3b+hqMz31fFye8TzyD!k;9&DpL`ELo`3)# +z?Dy(`9|!<^2Lk)0J~su@tON!4bz5JHCjuAo({M)-VIcCaJ8mIH +znrCUWon6Lwb8_Chm*Tx8CZ?~Fuq9%SnW7^DbkRccIWMZNp_s*8rnNn)MVMKTo+A5) +z-qQ*vG&B+{9O`3d#IVXS{h8a(FbjP~)sl)H47HL__sSV^WWuvHk9IkXw?rqsFd{WP +z|153Ud@Vf4uW7bIK{(sMtDVPADi}XKG9YF$s +zE5w_f*ofz_0O)^IM>@g0nd3B>Xg_*T)Sncu`Plit@5bhWak2Ara{NbigoFKe^)K%E +zw@v}jzeb(Vo9YM@85{rw0j0C>(ZbXl6X;X1MOuBc&>76&b$h48!%c?*_%EUc!;;bq +zP{wf#$rp&_FJ7N{qD0_Ag7KQ5``8>kFm;-Ib))^p)eVLm4~8I_sfVO(mG^M#`7Q)qYK< +zxK2Eb={~fZ&z-OGM%Uj;M^co=a!F=-Jo~!Kv~)T?SlHjs%dFw+TeDbV;Kn)`g|A>T +z+GAO)Vkz;Z=G^gk_@ohvq{QPob0{3&OMLs4ca?Xh;jM~P1NAi46S(SH&2X_va|uaw +z8k+1DCkGK-oq=aWdJHMXu7>LvuiU6C#XjNo6hu|La~|)o)=Bs6J5=_2O?aOqQ!^fZ +zppNgMHDxhT8^Ex7p0lsdpBs=0Vb4R*+?IuoKJd*`CU-Y86 +z7^Nh>6!oN;t$)(W0oQOS&bqXVm6;oR*Eo1KqtuaP7Nta(b6D~78wzZm&uF~`5d3Ix +z_Lo|cIhhmJ$B+5D$9bAm8Ye;WD_Si$%U{P!gIbU8y;UTS$7)z{@wr7re?%+!U{pV5 +zW|G`EY?h2VT_T%xY9N)_H+aC-q`p<}1mn$0>ki$mGO>P@<+7`>+PJoj&*TQ?Zj%Wf +zC@-|Ip6O-KlO^cIPw!#mmY4u|iE7cT<|YfwXVNHQ(MeeZZmdW%k?+}Wy-u^<&d~ebvn|&%9 +z)a&)H7{{#bWTR6;sqAqg$G#CHNrk*09P$NLMUd$8CO1gy&E-*cF5Y#pDOZqoFj>pN 
+zJZ5Xtk`?fQxnRl4Or^OsRGFsAn2q#Cu7J4qej(hK>Zh32xuodx?r8I5Ggde?Vci3( +zg5bDzgy0^p4^PX_T11SLmi#tVRVg38UbE`^Jd=`clZ2i@Zw#dbv8%hX$CvKor!@rqZi=g +z*Z$i6(3T8y@n_+oZdl)4CzY>XsEIkIcd|Z|v4MT={2@I2X@h?n9-`hXm_b2+`H4E* +zTYV}jaRvu)$1X-Sd6UDYAf)qzfql_bnkk2&{F+}y5o2fOoHo}d;8Q|p2l~TwYGQ+) +z#RK^PO_j!cz7AW|d7U-l!iNYpo8t)*o(hIaF>&dq7OAswwylvWBPgHl`l`;FMW7eD +zMzCL|98rsKreYp@-9kZ$5z)!@S(w-A^Fqz}RNChy>tnm;fI5nZGAH>xJ=vDv#T6CkBhJq2wiCMkv03C{u4KW=pzE +z$*zy9zy!BP6AyOtKGXHZYJxmxQ+igiu^1qUk;{1U1h)@&2lSGLZcr2TDf*mRhH!L4 +zMnfz+T_Li3Q}5a1vg@iP(|cD}NOr*{Zsg66u=WG^4yG0B%2d)47>Yx8OmHr&yDrNM +z?06{6Px%+-k8U~YG@G-nwP^=&Gv6LqHhHxw?Rl +z=tTKBuju+p$ORcZ-AliAEu$1Z)=-kxZ~{RAiuI5uukU{W;~$Y^>ds>YJ>e8!;tLdc +z#p9!gh{WFbU?B303w$C^8SWV4StrHr$QsUDC|~Qkz4wOQeH&?Bcxfwv{`P(v6KJ0O +zR=%7u@?O$a@LT+K9G`K*o-gaYXTsaM#km7ie)fIvFNdZAncJK^vW_#6@D%PHt#iJ7 +zz`N{nV$VrDP9!rsY%zC@KOI)Q-X9??yPaaM=>^P+soIpr=4>ZZR2JlX?hha&bH_}-@3`3Pn@QyDszD@yDDgl1;+5Dt}>aQ +zk67l(*DZuYb*#@#xq}8V5>yU4dzZS&QDLC^7uipeoh7O2Lv +z?&6(&>b$BV%_YpQqVi%rmuwf*)%0egh2Zx8@v#%Bao;%pV5q%OhAKMzKw*_#-vt5}v +zZr}2~Rw%+`?#(sqn4&PMp%_KaLMA6ak1%HZz+;e%!`0=8@22rRJwbs203!7F>L?Td +zRImm)y3|ppNu>Br#$a~|ERo)}6Tb=%95{FpG>HAk>lVFPM_uqIL|3b?L#Wms!a{g! +zY%j%bB_Sz>mu{?>X!kzS&Oyg>v=_1G$=&JAFHEzXCwlt)mJ5k_)5gPf&#CRh_+b;G +zgi8X!aQx +z=4+q3I9p$PE*hap?StrZq5T3L#6Wso@u3K-FinP)4x?C^*^{()uDf3KE=1XPkEUff9LITO|jE +zVHyeF|ESJA`c5I8tTC@^$sj!ASOH+fuuj*^J1b~sF&eDoC48PPa+RT#tz`DaSV{ki +z?us|0)drp&u&1HF!PKbjL=F1D@Cpjc`x$j9Cc$ +zFursLbMlU(_9|lwEkA}jjGnS%d|gQAfJTSKP~l4JWVEs1yEb&3eZ51cGc%~))YYu? +zTF)&qGa9b^6(SsSwKij6KesZ`ohKn;d`*DH=g33iA^g#@Al4~1*)83YqPIh+&?94kv3f8C}-`_7>TY%HTjDd;~%5mfd=&K +zGkujDF9Hif)AkPE^+}4)lSkQQ6zpBs?T1#8ktlVVlULkNof0M8(T_xu)nAk@VQkpY +z>?F)jZHzx(NX3i>o^*eGD0*Ih{j95zA?l@>pah!SgRJhvXCr#*_@zgk_r%d3z-w44 +zU2iOUZlZ;rkNY({gx@cabXjWf>x +WSq|>ELvbMh1ZcQvb#rVy@P7b@M_;D^ + +literal 0 +HcmV?d00001 + 
diff --git a/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/332769.patch b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/332769.patch
new file mode 100644
index 00000000..1bca1f45
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/332769.patch
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: nxf32288
+Date: Wed, 4 Sep 2019 16:41:11 +0530
+Subject: [PATCH] {android10_r2}: Prevent OOB write in
+ nfc_ncif_proc_ee_discover_req
+
+Change-Id: Icedf5245ecfcb0767c67e9389d85d0e9c9456a62
+---
+ src/nfc/nfc/nfc_ncif.cc | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/nfc/nfc/nfc_ncif.cc b/src/nfc/nfc/nfc_ncif.cc
+index 91be27fa..7fa95510 100755
+--- a/src/nfc/nfc/nfc_ncif.cc
++++ b/src/nfc/nfc/nfc_ncif.cc
+@@ -2095,6 +2095,13 @@ void nfc_ncif_proc_ee_discover_req(uint8_t* p, uint16_t plen) {
+ uint8_t u8;
+
+ DLOG_IF(INFO, nfc_debug_enabled) << StringPrintf("nfc_ncif_proc_ee_discover_req %d len:%d", *p, plen);
++
++ if (*p > NFC_MAX_EE_DISC_ENTRIES) {
++ android_errorWriteLog(0x534e4554, "122361874");
++ LOG(ERROR) << __func__ << "Exceed NFC_MAX_EE_DISC_ENTRIES";
++ return;
++ }
++
+ if (p_cback) {
+ u8 = *p;
+ ee_disc_req.status = NFC_STATUS_OK;
diff --git a/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/332770.patch b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/332770.patch
new file mode 100644
index 00000000..13364b04
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/332770.patch
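Review bot: The added guard in 332769.patch calls `android_errorWriteLog`, but the patch's only hunk (7 insertions, matching its diffstat) adds no include for it, so it builds only if nfc_ncif.cc in the target tree already sees that declaration. 332770.patch in this same commit does add an `#include` next to the same call in nfa_dm_main.cc, which suggests the header is not present in every file; 349336.patch has the same shape for phNxpExtns_MifareStd.cpp. These patches appear to be applied to a vendor/nxp fork rather than the tree they were written for, so it is worth confirming the include exists there or carrying `#include <log/log.h>` in the patch itself. The body of nfc_ncif_proc_ee_discover_req continues outside the inner hunk.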
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Thu, 17 Mar 2022 15:39:20 -0700
+Subject: [PATCH] Out of Bounds Read in nfa_dm_check_set_config
+
+Bug: 221216105
+Test: build ok
+Change-Id: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229
+(cherry picked from commit 88c5c267e889699c71412022e3fcb03d20100e99)
+Merged-In: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229
+---
+ src/nfa/dm/nfa_dm_main.cc | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/nfa/dm/nfa_dm_main.cc b/src/nfa/dm/nfa_dm_main.cc
+index eab0b9d0..745558d6 100755
+--- a/src/nfa/dm/nfa_dm_main.cc
++++ b/src/nfa/dm/nfa_dm_main.cc
+@@ -45,6 +45,7 @@
+
+ #include
+ #include
++#include
+
+ #include "nfa_api.h"
+ #include "nfa_dm_int.h"
+@@ -279,6 +280,12 @@ tNFA_STATUS nfa_dm_check_set_config(uint8_t tlv_list_len, uint8_t* p_tlv_list,
+ len = *(p_tlv_list + xx + 1);
+ p_value = p_tlv_list + xx + 2;
+ p_cur_len = NULL;
++ if (len > (tlv_list_len - xx - 2)) {
++ LOG(ERROR) << StringPrintf("error: invalid TLV length: t:0x%x, l:%d",
++ type, len);
++ android_errorWriteLog(0x534e4554, "221216105");
++ return NFA_STATUS_FAILED;
++ }
+
+ switch (type) {
+ /*
diff --git a/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch
new file mode 100644
index 00000000..6876eeeb
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Tue, 8 Mar 2022 17:27:34 -0800
+Subject: [PATCH] Double Free in ce_t4t_data_cback
+
+Bug: 221862119
+Test: build ok
+Change-Id: If12f98033b8c1bc1b57b27d338fa33b6a3cce640
+(cherry picked from commit 2fcf7d677bcebae5a00db43938460bcce267149e)
+Merged-In: If12f98033b8c1bc1b57b27d338fa33b6a3cce640
+---
+ src/nfc/tags/ce_t4t.cc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/nfc/tags/ce_t4t.cc b/src/nfc/tags/ce_t4t.cc
+index 7d5ca382..b586bb0d 100755
+--- a/src/nfc/tags/ce_t4t.cc
++++ b/src/nfc/tags/ce_t4t.cc
+@@ -602,6 +602,7 @@ static void ce_t4t_data_cback(uint8_t conn_id, tNFC_CONN_EVT event,
+ } else {
+ GKI_freebuf(p_c_apdu);
+ ce_t4t_send_status(T4T_RSP_NOT_FOUND);
++ return;
+ }
+ } else if (ce_cb.mem.t4t.status & CE_T4T_STATUS_WILDCARD_AID_SELECTED) {
+ DLOG_IF(INFO, nfc_debug_enabled) << StringPrintf("CET4T: Forward raw frame to wildcard AID handler");
diff --git a/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/332772.patch b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/332772.patch
new file mode 100644
index 00000000..4558fdfb
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/332772.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Mon, 21 Mar 2022 19:31:28 -0700
+Subject: [PATCH] OOBR in nfc_ncif_proc_ee_discover_req()
+
+Bug: 221856662
+Test: build ok
+Change-Id: If4b4872e4101fc65172596b4f7579b259b6f6b63
+(cherry picked from commit 1c6ab25b3d76c2ced764dc649bec6cf05aecd198)
+Merged-In: If4b4872e4101fc65172596b4f7579b259b6f6b63
+---
+ src/nfc/nfc/nfc_ncif.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/nfc/nfc/nfc_ncif.cc b/src/nfc/nfc/nfc_ncif.cc
+index 7fa95510..a0f0eff1 100755
+--- a/src/nfc/nfc/nfc_ncif.cc
++++ b/src/nfc/nfc/nfc_ncif.cc
+@@ -2096,6 +2096,11 @@ void nfc_ncif_proc_ee_discover_req(uint8_t* p, uint16_t plen) {
+
+ DLOG_IF(INFO, nfc_debug_enabled) << StringPrintf("nfc_ncif_proc_ee_discover_req %d len:%d", *p, plen);
+
++ if (!plen) {
++ android_errorWriteLog(0x534e4554, "221856662");
++ return;
++ }
++
+ if (*p > NFC_MAX_EE_DISC_ENTRIES) {
+ android_errorWriteLog(0x534e4554, "122361874");
+ LOG(ERROR) << __func__ << "Exceed NFC_MAX_EE_DISC_ENTRIES";
diff --git a/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/342099.patch b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/342099.patch
new file mode 100644
index 00000000..430dda45
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/342099.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Tue, 2 Aug 2022 13:32:30 -0700
+Subject: [PATCH] The length of a packet should be non-zero
+
+Bug: 221856662
+Bug: 237079835
+Test: no functional changes, the build is ok
+Change-Id: I6defe4025c962ae7dde2e673e2bfcfc15785cc12
+(cherry picked from commit 396ac0e081ae67a1d743e0373257ec869692912c)
+Merged-In: I6defe4025c962ae7dde2e673e2bfcfc15785cc12
+---
+ src/nfc/nfc/nfc_ncif.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/nfc/nfc/nfc_ncif.cc b/src/nfc/nfc/nfc_ncif.cc
+index a0f0eff1..dbf5e3a7 100755
+--- a/src/nfc/nfc/nfc_ncif.cc
++++ b/src/nfc/nfc/nfc_ncif.cc
+@@ -2094,13 +2094,13 @@ void nfc_ncif_proc_ee_discover_req(uint8_t* p, uint16_t plen) {
+ tNFC_EE_DISCOVER_INFO* p_info;
+ uint8_t u8;
+
+- DLOG_IF(INFO, nfc_debug_enabled) << StringPrintf("nfc_ncif_proc_ee_discover_req %d len:%d", *p, plen);
+-
+ if (!plen) {
+ android_errorWriteLog(0x534e4554, "221856662");
+ return;
+ }
+
++ DLOG_IF(INFO, nfc_debug_enabled) << StringPrintf("nfc_ncif_proc_ee_discover_req %d len:%d", *p, plen);
++
+ if (*p > NFC_MAX_EE_DISC_ENTRIES) {
+ android_errorWriteLog(0x534e4554, "122361874");
+ LOG(ERROR) << __func__ << "Exceed NFC_MAX_EE_DISC_ENTRIES";
diff --git a/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/354249.patch b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/354249.patch
new file mode 100644
index 00000000..17d975b1
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/354249.patch
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Tue, 31 Jan 2023 19:04:09 -0800
+Subject: [PATCH] OOBW in nci_snd_set_routing_cmd()
+
+Bug: 264879662
+Test: read a tag, nfc on/off
+Change-Id: I408cf611fb35e9467d7484165ce48759970b158a
+(cherry picked from commit 1dd4d2e1b481dd83ca2b222993fdb74ae5306c78)
+Merged-In: I408cf611fb35e9467d7484165ce48759970b158a
+---
+ src/nfc/nci/nci_hmsgs.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/nfc/nci/nci_hmsgs.cc b/src/nfc/nci/nci_hmsgs.cc
+index 969638c2..2b89e39c 100755
+--- a/src/nfc/nci/nci_hmsgs.cc
++++ b/src/nfc/nci/nci_hmsgs.cc
+@@ -724,6 +724,10 @@ uint8_t nci_snd_set_routing_cmd(bool more, uint8_t num_tlv, uint8_t tlv_size,
+ uint8_t* pp;
+ uint8_t size = tlv_size + 2;
+
++ if (size < tlv_size) {
++ return (NCI_STATUS_FAILED);
++ }
++
+ if (tlv_size == 0) {
+ /* just to terminate routing table
+ * 2 bytes (more=false and num routing entries=0) */
diff --git a/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/361253.patch b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/361253.patch
new file mode 100644
index 00000000..fce1d56c
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_external_libnfc-nci/361253.patch
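Review bot: The new `if (size < tlv_size)` early return in nci_snd_set_routing_cmd rejects the wrapped length silently, whereas the other NFC fixes in this commit (332769, 332770, 332772, 349336) record the rejection with `android_errorWriteLog(0x534e4554, ...)`. Without a log line, a malformed routing command that trips the check leaves no trace for triage; 361253.patch (`UINT16_MAX - length < NFC_HDR_SIZE`) and 344190.patch (the added `*cmd_len` bound) add no log either. Consider adding `android_errorWriteLog(0x534e4554, "264879662");` before the return, using the bug id from the patch header, plus a short comment that `size` is `uint8_t` so `tlv_size + 2` wraps for `tlv_size` above 253. The function body continues outside the inner hunk.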
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Tue, 2 May 2023 14:20:57 -0700
+Subject: [PATCH] OOBW in rw_i93_send_to_upper()
+
+Bug: 271849189
+Test: tag r/w
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc9d09e1698725712628d394bf9be4c9003579e8)
+Merged-In: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
+Change-Id: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
+
+Change-Id: Ia10491e388a495a164462c73ced7ea1965808860
+---
+ src/nfc/tags/rw_i93.cc | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
+index 62c5b54c..13ccaf0e 100755
+--- a/src/nfc/tags/rw_i93.cc
++++ b/src/nfc/tags/rw_i93.cc
+@@ -472,6 +472,15 @@ void rw_i93_send_to_upper(NFC_HDR* p_resp) {
+ case I93_CMD_GET_MULTI_BLK_SEC:
+ case I93_CMD_EXT_GET_MULTI_BLK_SEC:
+
++ if (UINT16_MAX - length < NFC_HDR_SIZE) {
++ rw_data.i93_cmd_cmpl.status = NFC_STATUS_FAILED;
++ rw_data.i93_cmd_cmpl.command = p_i93->sent_cmd;
++ rw_cb.tcb.i93.sent_cmd = 0;
++
++ event = RW_I93_CMD_CMPL_EVT;
++ break;
++ }
++
+ /* forward tag data or security status */
+ p_buff = (NFC_HDR*)GKI_getbuf((uint16_t)(length + NFC_HDR_SIZE));
+
diff --git a/Patches/LineageOS-16.0/android_vendor_nxp_opensource_halimpl/344190.patch b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_halimpl/344190.patch
new file mode 100644
index 00000000..352cbfd0
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_halimpl/344190.patch
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Wed, 3 Aug 2022 12:25:33 -0700
+Subject: [PATCH] OOBW in phNxpNciHal_write_unlocked()
+
+Bug: 230356196
+Test: builds ok
+Merged-In: Ief580984ad58dbc7c57c2537c511d6b81c91b581
+Change-Id: I7f22b9ce4a7f101a9218de746b71def74a5efa8c
+(cherry picked from commit a0c461b91a67f6ee0e86f856bcea2bdac2318491)
+Merged-In: I7f22b9ce4a7f101a9218de746b71def74a5efa8c
+---
+ halimpl/hal/phNxpNciHal_ext.cc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc
+index f6fbc47..ac40be8 100755
+--- a/halimpl/hal/phNxpNciHal_ext.cc
++++ b/halimpl/hal/phNxpNciHal_ext.cc
+@@ -866,7 +866,8 @@ NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data,
+ status = NFCSTATUS_FAILED;
+ }
+ // 2002 0904 3000 3100 3200 5000
+- else if ((p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) &&
++ else if (*cmd_len <= (NCI_MAX_DATA_LEN - 1) &&
++ (p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) &&
+ ((p_cmd_data[2] == 0x09 && p_cmd_data[3] == 0x04) /*||
+ (p_cmd_data[2] == 0x0D && p_cmd_data[3] == 0x04)*/
+ )) {
diff --git a/Patches/LineageOS-16.0/android_vendor_nxp_opensource_packages_apps_Nfc/332773.patch b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_packages_apps_Nfc/332773.patch
new file mode 100644
index 00000000..19ba2fc6
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_packages_apps_Nfc/332773.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Fri, 18 Mar 2022 17:13:05 -0700
+Subject: [PATCH] OOB read in phNciNfc_RecvMfResp()
+
+The size of RspBuff for Mifare shall be at least 2 bytes:
+Mifare Req/Rsp Id + Status
+
+Bug: 221852424
+Test: build ok
+Change-Id: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
+(cherry picked from commit f0d86f7fe23499cd4c6631348618463fbc496436)
+Merged-In: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
+---
+ nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
+index f1678f09..08940e29 100644
+--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
++++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
+@@ -1136,8 +1136,9 @@ STATIC NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
+ if (NULL == RspBuffInfo) {
+ status = NFCSTATUS_FAILED;
+ } else {
+- if ((0 == (RspBuffInfo->wLen)) || (PH_NCINFC_STATUS_OK != wStatus) ||
+- (NULL == (RspBuffInfo->pBuff))) {
++ if (((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
++ RspBuffInfo->wLen) ||
++ (PH_NCINFC_STATUS_OK != wStatus) || (NULL == (RspBuffInfo->pBuff))) {
+ status = NFCSTATUS_FAILED;
+ } else {
+ RecvdExtnRspId = (phNciNfc_ExtnRespId_t)RspBuffInfo->pBuff[0];
diff --git a/Patches/LineageOS-16.0/android_vendor_nxp_opensource_packages_apps_Nfc/349336.patch b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_packages_apps_Nfc/349336.patch
new file mode 100644
index 00000000..c13cd139
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_vendor_nxp_opensource_packages_apps_Nfc/349336.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Tue, 22 Nov 2022 15:49:11 -0800
+Subject: [PATCH] DO NOT MERGE OOBW in phNciNfc_MfCreateXchgDataHdr
+
+Bug: 246932269
+Test: Build ok
+Change-Id: I4dcd18da8b5145e218d070414da8997aff181364
+(cherry picked from commit 2e4dfa6c92de30907851914add6485f8b7920968)
+Merged-In: I4dcd18da8b5145e218d070414da8997aff181364
+---
+ nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
+index 08940e29..03ad11f1 100644
+--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
++++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
+@@ -1404,6 +1404,11 @@ phNciNfc_MfCreateXchgDataHdr(phNciNfc_TransceiveInfo_t tTranscvInfo,
+ NFCSTATUS status = NFCSTATUS_SUCCESS;
+ uint8_t i = 0;
+
++ if (tTranscvInfo.tSendData.wLen > (MAX_BUFF_SIZE - 1)) {
++ android_errorWriteLog(0x534e4554, "246932269");
++ return NFCSTATUS_FAILED;
++ }
++
+ buff[i++] = phNciNfc_e_MfRawDataXchgHdr;
+ memcpy(&buff[i], tTranscvInfo.tSendData.pBuff, tTranscvInfo.tSendData.wLen);
+ *buffSz = i + tTranscvInfo.tSendData.wLen;
diff --git a/Scripts/LineageOS-16.0/Functions.sh b/Scripts/LineageOS-16.0/Functions.sh
index 5533da12..7fdcb5b5 100644
--- a/Scripts/LineageOS-16.0/Functions.sh
+++ b/Scripts/LineageOS-16.0/Functions.sh
@@ -72,34 +72,8 @@ patchWorkspaceReal() { verifyAllPlatformTags; gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview"; - source build/envsetup.sh; + #source build/envsetup.sh; #repopick -it pie-firewall; - #repopick cannot handle empty commits - repopick -fit P_asb_2022-05 -e 341484; - repopick -fit P_asb_2022-06 -e 342112; - repopick -fit P_asb_2022-07 -e 342113; - repopick -fit P_asb_2022-08 -e 342114; - repopick -fit P_asb_2022-09 -e 342116; - repopick -fit P_asb_2022-10 -e 342119; - repopick -fit P_tzdata_2022; - repopick -fit P_asb_2022-11 -e 344200; - repopick -fit P_asb_2022-12 -e 345931; - repopick -fit P_asb_2023-01 -e 347129; - repopick -fit P_asb_2023-02 -e 349337; - repopick -fit P_asb_2023-03; - repopick -fit P_asb_2023-04; - repopick -fit P_asb_2023-05; - repopick -fit P_asb_2023-06; - repopick -fit P_asb_2023-07 -e 361282; - repopick -fit P_asb_2023-08 -e 365327,365328,364605; - repopick -fit P_asb_2023-09; - repopick -fit P_asb_2023-10 -e 370704; - repopick -fit P_asb_2023-11 -e 374916; - repopick -fit P_asb_2023-12; - repopick -fit P_asb_2024-01; - repopick -fit P_asb_2024-02; - repopick -fit P_asb_2024-03; - repopick -fit P_asb_2024-04; sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh"; diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh index 3a07630a..aafdf224 100644 --- a/Scripts/LineageOS-16.0/Patch.sh +++ b/Scripts/LineageOS-16.0/Patch.sh 
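Review bot: `#source build/envsetup.sh;` is left behind as commented-out code with no reason given, next to the already disabled `#repopick -it pie-firewall;`. If envsetup.sh was sourced here only to provide repopick (the removed lines suggest so, but the rest of patchWorkspaceReal is outside the hunk), either delete the line or say why it stays, e.g. `#source build/envsetup.sh; #only needed for repopick; ASB patches are now applied from local files by Patch.sh`.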
@@ -112,7 +112,8 @@ echo "SELINUX_IGNORE_NEVERALLOWS := true" >> sepolicy.mk; #Ignore neverallow vio fi; if enterAndClear "external/aac"; then -applyPatch "$DOS_PATCHES/android_external_aac/364027.patch"; #R_asb_2023-08 Increase patchParam array size by one and fix out-of-bounce write in resetLppTransposer(). +#applyPatch "$DOS_PATCHES/android_external_aac/332775.patch"; #P_asb_2022-06 Reject invalid out of band config in transportDec_OutOfBandConfig() and skip re-allocation. +applyPatch "$DOS_PATCHES/android_external_aac/364605.patch"; #P_asb_2023-08 Increase patchParam array size by one and fix out-of-bounce write in resetLppTransposer(). fi; if enterAndClear "external/chromium-webview"; then 
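Review bot: `#applyPatch "$DOS_PATCHES/android_external_aac/332775.patch";` is added already commented out, so the P_asb_2022-06 aac fix ("Reject invalid out of band config in transportDec_OutOfBandConfig()") is listed but never applied, and nothing records why. A disabled security patch should state its reason so it can later be re-enabled or dropped deliberately, for example by extending the trailing comment to `#P_asb_2022-06 ... (disabled: <reason, e.g. does not apply / superseded>)`. The `enterAndClear "external/aac"` block is fully visible in this hunk.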
@@ -125,17 +126,17 @@ if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_ex fi; if enterAndClear "external/dtc"; then -git fetch https://github.com/LineageOS/android_external_dtc refs/changes/96/342096/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-10 -git fetch https://github.com/LineageOS/android_external_dtc refs/changes/61/344161/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-11 -git fetch https://github.com/LineageOS/android_external_dtc refs/changes/91/345891/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-12 +applyPatch "$DOS_PATCHES/android_external_dtc/342096.patch"; #P_asb_2022-10 libfdt: fdt_offset_ptr(): Fix comparison warnings +applyPatch "$DOS_PATCHES/android_external_dtc/344161.patch"; #P_asb_2022-11 Fix integer wrap sanitisation. +applyPatch "$DOS_PATCHES/android_external_dtc/345891.patch"; #P_asb_2022-12 libfdt: fdt_path_offset_namelen: Reject empty paths fi; if enterAndClear "external/expat"; then -git fetch https://github.com/LineageOS/android_external_expat refs/changes/53/338353/1 && git cherry-pick FETCH_HEAD; #P_asb_2022-09 -git fetch https://github.com/LineageOS/android_external_expat refs/changes/54/338354/1 && git cherry-pick FETCH_HEAD; -git fetch https://github.com/LineageOS/android_external_expat refs/changes/55/338355/1 && git cherry-pick FETCH_HEAD; -git fetch https://github.com/LineageOS/android_external_expat refs/changes/56/338356/1 && git cherry-pick FETCH_HEAD; -git fetch https://github.com/LineageOS/android_external_expat refs/changes/28/349328/1 && git cherry-pick FETCH_HEAD; #P_asb_2023-02 +applyPatch "$DOS_PATCHES/android_external_expat/338353.patch"; #P_asb_2022-09 Prevent integer overflow in copyString +applyPatch "$DOS_PATCHES/android_external_expat/338354.patch"; #P_asb_2022-09 Prevent XML_GetBuffer signed integer overflow +applyPatch "$DOS_PATCHES/android_external_expat/338355.patch"; #P_asb_2022-09 Prevent integer overflow in function doProlog +applyPatch 
"$DOS_PATCHES/android_external_expat/338356.patch"; #P_asb_2022-09 Prevent more integer overflows +applyPatch "$DOS_PATCHES/android_external_expat/349328.patch"; #P_asb_2023-02 [CVE-2022-43680] Fix overeager DTD destruction (fixes #649) fi; if [ "$DOS_GRAPHENE_MALLOC" = true ]; then @@ -145,12 +146,21 @@ applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc-legacy/0002-Bro fi; fi; +if enterAndClear "external/libcups"; then +git fetch https://github.com/LineageOS/android_external_libcups refs/changes/32/374932/1 && git cherry-pick FETCH_HEAD; #P_asb_2023-11 Upgrade libcups to v2.3.1 +git fetch https://github.com/LineageOS/android_external_libcups refs/changes/33/374933/1 && git cherry-pick FETCH_HEAD; #P_asb_2023-11 Upgrade libcups to v2.3.3 +fi; + if enterAndClear "external/libvpx"; then applyPatch "$DOS_PATCHES_COMMON/android_external_libvpx/CVE-2023-5217.patch"; #VP8: disallow thread count changes fi; if enterAndClear "external/libxml2"; then -applyPatch "$DOS_PATCHES/android_external_libxml2/368053.patch"; #R_asb_2023-10 malloc-fail: Fix OOB read after xmlRegGetCounter +applyPatch "$DOS_PATCHES/android_external_libxml2/370701.patch"; #P_asb_2023-10 malloc-fail: Fix OOB read after xmlRegGetCounter +fi; + +if enterAndClear "external/zlib"; then +applyPatch "$DOS_PATCHES/android_external_zlib/351909.patch"; #P_asb_2023-03 Fix a bug when getting a gzip header extra field with inflate(). fi; if enterAndClear "external/svox"; then 
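Review bot: The new external/libcups block pulls its two P_asb_2023-11 changes with `git fetch https://github.com/LineageOS/android_external_libcups refs/changes/32/374932/1 && git cherry-pick FETCH_HEAD`, while the preceding hunk of this commit moves external/dtc and external/expat away from that pattern to `applyPatch` on files stored in the repo. A network fetch at patch time means the applied content is whatever the remote serves for that ref and cannot be reviewed in this repository, and because of the `&&` a failed fetch just skips the cherry-pick. If the libcups upgrades are too large to store as patch files, pin them instead: compare `git rev-parse FETCH_HEAD` with the expected commit id (placeholder `<expected-commit-sha>`) before cherry-picking, and fail the block when it differs.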
@@ -161,10 +171,136 @@ awk -i inplace '!/deletePackage/' pico/src/com/svox/pico/LangPackUninstaller.jav fi; if enterAndClear "frameworks/av"; then +applyPatch "$DOS_PATCHES/android_frameworks_av/344167.patch"; #P_asb_2022-11 setSecurityLevel in clearkey +applyPatch "$DOS_PATCHES/android_frameworks_av/349329.patch"; #P_asb_2023-02 move MediaCodec metrics processing to looper thread +applyPatch "$DOS_PATCHES/android_frameworks_av/359729.patch"; #P_asb_2023-06 Fix NuMediaExtractor::readSampleData buffer Handling +applyPatch "$DOS_PATCHES/android_frameworks_av/366126.patch"; #P_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test. +applyPatch "$DOS_PATCHES/android_frameworks_av/374924.patch"; #P_asb_2023-11 Fix for heap buffer overflow issue flagged by fuzzer test. +applyPatch "$DOS_PATCHES/android_frameworks_av/377765.patch"; #P_asb_2023-12 httplive: fix use-after-free +applyPatch "$DOS_PATCHES/android_frameworks_av/379788.patch"; #P_asb_2024-01 Fix convertYUV420Planar16ToY410 overflow issue for unsupported cropwidth. +applyPatch "$DOS_PATCHES/android_frameworks_av/383562.patch"; #P_asb_2024-02 Update mtp packet buffer +applyPatch "$DOS_PATCHES/android_frameworks_av/385670.patch"; #P_asb_2024-03 Validate OMX Params for VPx encoders +applyPatch "$DOS_PATCHES/android_frameworks_av/385671.patch"; #P_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS) fi; if enterAndClear "frameworks/base"; then +applyPatch "$DOS_PATCHES/android_frameworks_base/330961.patch"; #P_asb_2022-05 Keyguard - Treat messsages to lock with priority +applyPatch "$DOS_PATCHES/android_frameworks_base/330962.patch"; #P_asb_2022-05 Verify caller before auto granting slice permission +applyPatch "$DOS_PATCHES/android_frameworks_base/330963.patch"; #P_asb_2022-05 Always restart apps if base.apk gets updated. 
+applyPatch "$DOS_PATCHES/android_frameworks_base/332756.patch"; #P_asb_2022-06 Add finalizeWorkProfileProvisioning. +applyPatch "$DOS_PATCHES/android_frameworks_base/332757.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10; api doc update +applyPatch "$DOS_PATCHES/android_frameworks_base/332776.patch"; #P_asb_2022-06 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format. +applyPatch "$DOS_PATCHES/android_frameworks_base/332777.patch"; #P_asb_2022-06 Add an OEM configurable limit for zen rules +applyPatch "$DOS_PATCHES/android_frameworks_base/332778.patch"; #P_asb_2022-06 Fix security hole in GateKeeperResponse +applyPatch "$DOS_PATCHES/android_frameworks_base/332779.patch"; #P_asb_2022-06 Prevent non-admin users from deleting system apps. +applyPatch "$DOS_PATCHES/android_frameworks_base/334256.patch"; #P_asb_2022-07 StorageManagerService: don't ignore failures to prepare user storage +applyPatch "$DOS_PATCHES/android_frameworks_base/334257.patch"; #P_asb_2022-07 UserDataPreparer: reboot to recovery if preparing user storage fails +applyPatch "$DOS_PATCHES/android_frameworks_base/334258.patch"; #P_asb_2022-07 UserDataPreparer: reboot to recovery for system user only +applyPatch "$DOS_PATCHES/android_frameworks_base/334259.patch"; #P_asb_2022-07 Ignore errors preparing user storage for existing users +applyPatch "$DOS_PATCHES/android_frameworks_base/334260.patch"; #P_asb_2022-07 Log to EventLog on prepareUserStorage failure +applyPatch "$DOS_PATCHES/android_frameworks_base/334262.patch"; #P_asb_2022-07 Crash invalid FGS notifications +applyPatch "$DOS_PATCHES/android_frameworks_base/335117.patch"; #P_asb_2022-08 Only allow system and same app to apply relinquishTaskIdentity +applyPatch "$DOS_PATCHES/android_frameworks_base/335118.patch"; #P_asb_2022-08 Suppress notifications when device enter lockdown +applyPatch "$DOS_PATCHES/android_frameworks_base/335119.patch"; #P_asb_2022-08 Remove package title from notification access 
confirmation intent +applyPatch "$DOS_PATCHES/android_frameworks_base/335120.patch"; #P_asb_2022-08 Stop using invalid URL to prevent unexpected crash +applyPatch "$DOS_PATCHES/android_frameworks_base/335121.patch"; #P_asb_2022-08 Only allow the system server to connect to sync adapters +applyPatch "$DOS_PATCHES/android_frameworks_base/338346.patch"; #P_asb_2022-09 Fix duplicate permission privilege escalation +applyPatch "$DOS_PATCHES/android_frameworks_base/338347.patch"; #P_asb_2022-09 Parcel: recycle recycles +applyPatch "$DOS_PATCHES/android_frameworks_base/338348.patch"; #P_asb_2022-09 IMMS: Make IMMS PendingIntents immutable +applyPatch "$DOS_PATCHES/android_frameworks_base/338349.patch"; #P_asb_2022-09 Remove package name from SafetyNet logs +applyPatch "$DOS_PATCHES/android_frameworks_base/342100.patch"; #P_asb_2022-10 Limit the number of concurrently snoozed notifications +applyPatch "$DOS_PATCHES/android_frameworks_base/344168.patch"; #P_asb_2022-11 Move accountname and typeName length check from Account.java to AccountManagerService. +applyPatch "$DOS_PATCHES/android_frameworks_base/344169.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice +applyPatch "$DOS_PATCHES/android_frameworks_base/344170.patch"; #P_asb_2022-11 Do not send new Intent to non-exported activity when navigateUpTo +applyPatch "$DOS_PATCHES/android_frameworks_base/344171.patch"; #P_asb_2022-11 Do not send AccessibilityEvent if notification is for different user. 
+applyPatch "$DOS_PATCHES/android_frameworks_base/344172.patch"; #P_asb_2022-11 Trim any long string inputs that come in to AutomaticZenRule +applyPatch "$DOS_PATCHES/android_frameworks_base/344173.patch"; #P_asb_2022-11 Check permission for VoiceInteraction +applyPatch "$DOS_PATCHES/android_frameworks_base/344174.patch"; #P_asb_2022-11 Do not dismiss keyguard after SIM PUK unlock +applyPatch "$DOS_PATCHES/android_frameworks_base/345892.patch"; #P_asb_2022-12 Revert "Prevent non-admin users from deleting system apps." +applyPatch "$DOS_PATCHES/android_frameworks_base/345893.patch"; #P_asb_2022-12 Limit the size of NotificationChannel and NotificationChannelGroup +applyPatch "$DOS_PATCHES/android_frameworks_base/345894.patch"; #P_asb_2022-12 Prevent non-admin users from deleting system apps. +applyPatch "$DOS_PATCHES/android_frameworks_base/345895.patch"; #P_asb_2022-12 Validate package name passed to setApplicationRestrictions. +applyPatch "$DOS_PATCHES/android_frameworks_base/345896.patch"; #P_asb_2022-12 Include all enabled services when FEEDBACK_ALL_MASK. +applyPatch "$DOS_PATCHES/android_frameworks_base/345897.patch"; #P_asb_2022-12 [pm] forbid deletion of protected packages +applyPatch "$DOS_PATCHES/android_frameworks_base/345898.patch"; #P_asb_2022-12 Fix NPE +applyPatch "$DOS_PATCHES/android_frameworks_base/345899.patch"; #P_asb_2022-12 Fix a security issue in app widget service. +applyPatch "$DOS_PATCHES/android_frameworks_base/345900.patch"; #P_asb_2022-12 Ignore malformed shortcuts +applyPatch "$DOS_PATCHES/android_frameworks_base/345901.patch"; #P_asb_2022-12 Fix permanent denial of service via setComponentEnabledSetting +applyPatch "$DOS_PATCHES/android_frameworks_base/345902.patch"; #P_asb_2022-12 Add safety checks on KEY_INTENT mismatch. +applyPatch "$DOS_PATCHES/android_frameworks_base/347044.patch"; #P_asb_2023-01 Limit lengths of fields in Condition to a max length. 
+applyPatch "$DOS_PATCHES/android_frameworks_base/347045.patch"; #P_asb_2023-01 Disable all A11yServices from an uninstalled package. +applyPatch "$DOS_PATCHES/android_frameworks_base/347046.patch"; #P_asb_2023-01 Fix conditionId string trimming in AutomaticZenRule +applyPatch "$DOS_PATCHES/android_frameworks_base/347047.patch"; #P_asb_2023-01 [SettingsProvider] mem limit should be checked before settings are updated +applyPatch "$DOS_PATCHES/android_frameworks_base/347048.patch"; #P_asb_2023-01 Revert "Revert "Validate permission tree size..." +applyPatch "$DOS_PATCHES/android_frameworks_base/347049.patch"; #P_asb_2023-01 [SettingsProvider] key size limit for mutating settings +applyPatch "$DOS_PATCHES/android_frameworks_base/347050.patch"; #P_asb_2023-01 Revoke SYSTEM_ALERT_WINDOW on upgrade past api 23 +applyPatch "$DOS_PATCHES/android_frameworks_base/347051.patch"; #P_asb_2023-01 Add protections agains use-after-free issues if cancel() or queue() is called after a device connection has been closed. +applyPatch "$DOS_PATCHES/android_frameworks_base/349330.patch"; #P_asb_2023-02 Correct the behavior of ACTION_PACKAGE_DATA_CLEARED +applyPatch "$DOS_PATCHES/android_frameworks_base/349331.patch"; #P_asb_2023-02 Convert argument to intent in ChooseTypeAndAccountActivity +applyPatch "$DOS_PATCHES/android_frameworks_base/351910.patch"; #P_asb_2023-03 Move service initialization +applyPatch "$DOS_PATCHES/android_frameworks_base/351911.patch"; #P_asb_2023-03 Enable user graularity for lockdown mode +applyPatch "$DOS_PATCHES/android_frameworks_base/351912.patch"; #P_asb_2023-03 Revoke dev perm if app is upgrading to post 23 and perm has pre23 flag +applyPatch "$DOS_PATCHES/android_frameworks_base/351913.patch"; #P_asb_2023-03 Reconcile WorkSource parcel and unparcel code. +applyPatch "$DOS_PATCHES/android_frameworks_base/354242.patch"; #P_asb_2023-04 Context#startInstrumentation could be started from SHELL only now. 
+applyPatch "$DOS_PATCHES/android_frameworks_base/354243.patch"; #P_asb_2023-04 Checking if package belongs to UID before registering broadcast receiver +applyPatch "$DOS_PATCHES/android_frameworks_base/354244.patch"; #P_asb_2023-04 Fix checkKeyIntentParceledCorrectly's bypass +applyPatch "$DOS_PATCHES/android_frameworks_base/354245.patch"; #P_asb_2023-04 Encode Intent scheme when serializing to URI string RESTRICT AUTOMERGE +applyPatch "$DOS_PATCHES/android_frameworks_base/356154.patch"; #P_asb_2023-05 Checks if AccessibilityServiceInfo is within parcelable size. +applyPatch "$DOS_PATCHES/android_frameworks_base/356155.patch"; #P_asb_2023-05 Uri: check authority and scheme as part of determining URI path +applyPatch "$DOS_PATCHES/android_frameworks_base/356156.patch"; #P_asb_2023-05 enforce stricter rules when registering phoneAccounts +applyPatch "$DOS_PATCHES/android_frameworks_base/359730.patch"; #P_asb_2023-06 Check key intent for selectors and prohibited flags +applyPatch "$DOS_PATCHES/android_frameworks_base/359731.patch"; #P_asb_2023-06 Handle invalid data during job loading. +applyPatch "$DOS_PATCHES/android_frameworks_base/359732.patch"; #P_asb_2023-06 Allow filtering of services +applyPatch "$DOS_PATCHES/android_frameworks_base/359733.patch"; #P_asb_2023-06 Prevent RemoteViews crashing SystemUi +applyPatch "$DOS_PATCHES/android_frameworks_base/361254.patch"; #P_asb_2023-07 Sanitize VPN label to prevent HTML injection +applyPatch "$DOS_PATCHES/android_frameworks_base/361255.patch"; #P_asb_2023-07 Limit the number of supported v1 and v2 signers +applyPatch "$DOS_PATCHES/android_frameworks_base/361256.patch"; #P_asb_2023-07 Import translations. DO NOT MERGE ANYWHERE +applyPatch "$DOS_PATCHES/android_frameworks_base/361257.patch"; #P_asb_2023-07 Dismiss keyguard when simpin auth'd and... 
+applyPatch "$DOS_PATCHES/android_frameworks_base/361258.patch"; #P_asb_2023-07 Truncate ShortcutInfo Id +applyPatch "$DOS_PATCHES/android_frameworks_base/361259.patch"; #P_asb_2023-07 Visit URIs in landscape/portrait custom remote views. +applyPatch "$DOS_PATCHES/android_frameworks_base/364607.patch"; #P_asb_2023-08 ActivityManager#killBackgroundProcesses can kill caller's own app only +applyPatch "$DOS_PATCHES/android_frameworks_base/364608.patch"; #P_asb_2023-08 Verify URI permissions for notification shortcutIcon. +applyPatch "$DOS_PATCHES/android_frameworks_base/364609.patch"; #P_asb_2023-08 On device lockdown, always show the keyguard +applyPatch "$DOS_PATCHES/android_frameworks_base/364610.patch"; #P_asb_2023-08 Ensure policy has no absurdly long strings +applyPatch "$DOS_PATCHES/android_frameworks_base/364611.patch"; #P_asb_2023-08 Implement visitUris for RemoteViews ViewGroupActionAdd. +applyPatch "$DOS_PATCHES/android_frameworks_base/364612.patch"; #P_asb_2023-08 Check URIs in notification public version. +applyPatch "$DOS_PATCHES/android_frameworks_base/364613.patch"; #P_asb_2023-08 Verify URI permissions in MediaMetadata +applyPatch "$DOS_PATCHES/android_frameworks_base/364614.patch"; #P_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used +applyPatch "$DOS_PATCHES/android_frameworks_base/364615.patch"; #P_asb_2023-08 Resolve StatusHints image exploit across user. +applyPatch "$DOS_PATCHES/android_frameworks_base/366127.patch"; #P_asb_2023-09 Forbid granting access to NLSes with too-long component names +applyPatch "$DOS_PATCHES/android_frameworks_base/366128.patch"; #P_asb_2023-09 Update AccountManagerService checkKeyIntentParceledCorrectly. 
+applyPatch "$DOS_PATCHES/android_frameworks_base/370693.patch"; #P_asb_2023-10 RingtoneManager: verify default ringtone is audio +applyPatch "$DOS_PATCHES/android_frameworks_base/370694.patch"; #P_asb_2023-10 Do not share key mappings with JNI object +applyPatch "$DOS_PATCHES/android_frameworks_base/370695.patch"; #P_asb_2023-10 Verify URI Permissions in Autofill RemoteViews +applyPatch "$DOS_PATCHES/android_frameworks_base/370696.patch"; #P_asb_2023-10 Fix KCM key mapping cloning +applyPatch "$DOS_PATCHES/android_frameworks_base/370697.patch"; #P_asb_2023-10 Disallow loading icon from content URI to PipMenu +applyPatch "$DOS_PATCHES/android_frameworks_base/370698.patch"; #P_asb_2023-10 Fixing DatabaseUtils to detect malformed UTF-16 strings +applyPatch "$DOS_PATCHES/android_frameworks_base/370699.patch"; #P_asb_2023-10 Revert "Dismiss keyguard when simpin auth'd and..." +applyPatch "$DOS_PATCHES/android_frameworks_base/374921.patch"; #P_asb_2023-11 Fix BAL via notification.publicVersion +applyPatch "$DOS_PATCHES/android_frameworks_base/374922.patch"; #P_asb_2023-11 Use type safe API of readParcelableArray +applyPatch "$DOS_PATCHES/android_frameworks_base/374923.patch"; #P_asb_2023-11 [SettingsProvider] verify ringtone URI before setting +applyPatch "$DOS_PATCHES/android_frameworks_base/377766.patch"; #P_asb_2023-12 Visit Uris added by WearableExtender +applyPatch "$DOS_PATCHES/android_frameworks_base/377767.patch"; #P_asb_2023-12 Drop invalid data. 
+applyPatch "$DOS_PATCHES/android_frameworks_base/377768.patch"; #P_asb_2023-12 Require permission to unlock keyguard +applyPatch "$DOS_PATCHES/android_frameworks_base/377769.patch"; #P_asb_2023-12 Use readUniqueFileDescriptor in incidentd service +applyPatch "$DOS_PATCHES/android_frameworks_base/377770.patch"; #P_asb_2023-12 Validate userId when publishing shortcuts +applyPatch "$DOS_PATCHES/android_frameworks_base/377771.patch"; #P_asb_2023-12 Revert "On device lockdown, always show the keyguard" +applyPatch "$DOS_PATCHES/android_frameworks_base/377772.patch"; #P_asb_2023-12 Adding in verification of calling UID in onShellCommand +applyPatch "$DOS_PATCHES/android_frameworks_base/377773.patch"; #P_asb_2023-12 Updated: always show the keyguard on device lockdown +applyPatch "$DOS_PATCHES/android_frameworks_base/379789.patch"; #P_asb_2024-01 Dismiss keyguard when simpin auth'd and... +applyPatch "$DOS_PATCHES/android_frameworks_base/379790.patch"; #P_asb_2024-01 Ensure finish lockscreen when usersetup incomplete +applyPatch "$DOS_PATCHES/android_frameworks_base/379791.patch"; #P_asb_2024-01 Truncate user data to a limit of 500 characters +applyPatch "$DOS_PATCHES/android_frameworks_base/379792.patch"; #P_asb_2024-01 Validate component name length before requesting notification access. +applyPatch "$DOS_PATCHES/android_frameworks_base/379793.patch"; #P_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target +applyPatch "$DOS_PATCHES/android_frameworks_base/379794.patch"; #P_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities +applyPatch "$DOS_PATCHES/android_frameworks_base/379980.patch"; #P_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions +applyPatch "$DOS_PATCHES/android_frameworks_base/383563.patch"; #P_asb_2024-02 Unbind TileService onNullBinding +applyPatch "$DOS_PATCHES/android_frameworks_base/385672.patch"; #P_asb_2024-03 Resolve custom printer icon boundary exploit. 
+applyPatch "$DOS_PATCHES/android_frameworks_base/385673.patch"; #P_asb_2024-03 Disallow system apps to be installed/updated as instant. +applyPatch "$DOS_PATCHES/android_frameworks_base/385674.patch"; #P_asb_2024-03 Close AccountManagerService.session after timeout. +applyPatch "$DOS_PATCHES/android_frameworks_base/389269.patch"; #P_asb_2024-04 isUserInLockDown can be true when there are other strong auth requirements +applyPatch "$DOS_PATCHES/android_frameworks_base/389270.patch"; #P_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long. applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS) 
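Review bot: The `frameworks/base` list added here is order-dependent, and nothing in the file says so. It contains revert/re-land sequences: 332779 then 345892 (revert) then 345894, 361257 then 370699 (revert) then 379789, and 364609 then 377771 (revert) then 377773. Reordering or dropping a single line can therefore leave later patches failing to apply or leave a fix reverted. I would add a comment above the first entry such as `#ASB backports: keep in change-number order, later entries revert and re-land earlier ones`. The `if enterAndClear "frameworks/base"` block continues past the end of this hunk.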
@@ -209,8 +345,16 @@ sed -i '301i\ if(packageList != null && packageList.length() > 0) { packa rm -rf packages/PrintRecommendationService; #Creates popups to install proprietary print apps fi; +if enterAndClear "frameworks/minikin"; then +applyPatch "$DOS_PATCHES/android_frameworks_minikin/345903.patch"; #P_asb_2022-12 Fix OOB read for registerLocaleList +applyPatch "$DOS_PATCHES/android_frameworks_minikin/345904.patch"; #P_asb_2022-12 Fix OOB crash for registerLocaleList +fi; + if enterAndClear "frameworks/native"; then -applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS) +applyPatch "$DOS_PATCHES/android_frameworks_native/356151.patch"; #P_asb_2023-05 Check for malformed Sensor Flattenable +applyPatch "$DOS_PATCHES/android_frameworks_native/356152.patch"; #P_asb_2023-05 Remove some new memory leaks from SensorManager +applyPatch "$DOS_PATCHES/android_frameworks_native/356153.patch"; #P_asb_2023-05 Add removeInstanceForPackageMethod to SensorManager +applyPatch "$DOS_PATCHES/android_frameworks_native/366129.patch"; #P_asb_2023-09 Allow sensors list to be empty fi; if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then 
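Review bot: In the `frameworks/native` block the line applying `0001-Sensors.patch` ("Require OTHER_SENSORS permission for sensors") is removed and only the four ASB patches take its place. The PackageInstaller section further down still applies `0001-Sensors_Permission-1.patch`, which adds the OTHER_SENSORS permission group, so the permission may stay visible to users while the native-side check is no longer applied. If the patch was dropped because it conflicts with 356151–356153 (my guess; the hunk gives no reason), record that next to the block, e.g. `#TODO: rebase 0001-Sensors.patch onto the 2023-05 sensor backports`, or re-apply a rebased copy after them.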
@@ -223,6 +367,14 @@ if enterAndClear "frameworks/opt/net/wifi"; then if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) fi; +if enterAndClear "frameworks/opt/telephony"; then +applyPatch "$DOS_PATCHES/android_frameworks_opt_telephony/334263.patch"; #P_asb_2022-07 Enforce privileged phone state for getSubscriptionProperty(GROUP_UUID) +fi; + +if enterAndClear "hardware/nxp/nfc"; then +applyPatch "$DOS_PATCHES/android_hardware_nxp_nfc/344180.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked() +fi; + if enterAndClear "hardware/qcom/display"; then applyPatch "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8084.patch" --directory="msm8084"; #(Qualcomm) applyPatch "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8916.patch" --directory="msm8226"; 
@@ -275,6 +427,11 @@ if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/LineageAud fi; if enterAndClear "packages/apps/Bluetooth"; then +applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332758.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission. +applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332759.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission. +applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345907.patch"; #P_asb_2022-12 Fix URI check in BluetoothOppUtility.java +applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/349332.patch"; #P_asb_2023-02 Fix OPP comparison +applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/377774.patch"; #P_asb_2023-12 Fix UAF in ~CallbackEnv if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) fi; @@ -283,6 +440,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Car_Settings/358565-backport.patc fi; if enterAndClear "packages/apps/Contacts"; then +applyPatch "$DOS_PATCHES/android_packages_apps_Contacts/332760.patch"; #P_asb_2022-06 No longer export CallSubjectDialog applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Contacts/0001-No_Google_Links.patch"; #Remove Privacy Policy and Terms of Service links (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Contacts/0003-Skip_Accounts.patch"; #Don't prompt to add account when creating a contact (CalyxOS) applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Contacts/0004-No_GMaps.patch"; #Use common intent for directions instead of Google Maps URL (GrapheneOS) 
@@ -290,9 +448,21 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Contacts/0005-vCard-Four.p fi; if enterAndClear "packages/apps/Dialer"; then +applyPatch "$DOS_PATCHES/android_packages_apps_Dialer/332761.patch"; #P_asb_2022-06 No longer export CallSubjectDialog applyPatch "$DOS_PATCHES/android_packages_apps_Dialer/0001-Not_Private_Banner.patch"; #Add a privacy warning banner to calls (CalyxOS) fi; +if enterAndClear "packages/apps/EmergencyInfo"; then +applyPatch "$DOS_PATCHES/android_packages_apps_EmergencyInfo/342101.patch"; #P_asb_2022-06 Prevent exfiltration of system files via user image settings. +applyPatch "$DOS_PATCHES/android_packages_apps_EmergencyInfo/345908.patch"; #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings." +applyPatch "$DOS_PATCHES/android_packages_apps_EmergencyInfo/345909.patch"; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker. +applyPatch "$DOS_PATCHES/android_packages_apps_EmergencyInfo/349333.patch"; #P_asb_2023-02 Removes unnecessary permission from the EmergencyInfo app. +fi; + +if enterAndClear "packages/apps/KeyChain"; then +applyPatch "$DOS_PATCHES/android_packages_apps_KeyChain/334264.patch"; #P_asb_2022-07 Encode authority part of uri before showing in UI +fi; + if enterAndClear "packages/apps/LineageParts"; then rm -rf src/org/lineageos/lineageparts/lineagestats/ res/xml/anonymous_stats.xml res/xml/preview_data.xml; #Nuke part of the analytics applyPatch "$DOS_PATCHES/android_packages_apps_LineageParts/0001-Remove_Analytics.patch"; #Remove analytics (DivestOS) 
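Review bot: The bulletin tag on the first `packages/apps/EmergencyInfo` entry looks inconsistent: `342101.patch` is labelled `#P_asb_2022-06`, while the neighbouring change numbers 342096 and 342100 elsewhere in this file are labelled `#P_asb_2022-10`. These tags are the only record in the script of which bulletin a backport belongs to, so a wrong month makes a patch-level audit unreliable. Please confirm the bulletin and, if it shipped with the October set, change the tag to `#P_asb_2022-10`.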
@@ -305,10 +475,13 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Messaging/0001-null-fix.pa fi; if enterAndClear "packages/apps/Nfc"; then +applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332762.patch"; #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp() +applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/347043.patch"; #P_asb_2023-01 OOBW in Mfc_Transceive() if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) fi; if enterAndClear "packages/apps/PackageInstaller"; then +applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/344181.patch"; #P_asb_2022-11 Hide overlays on ReviewPermissionsAtivity applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Network_Permission-1.patch"; #Always treat INTERNET as a runtime permission (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Network_Permission-2.patch"; #Add NETWORK permission group (GrapheneOS) applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Sensors_Permission-1.patch"; #Add OTHER_SENSORS permission group (GrapheneOS) 
@@ -316,6 +489,23 @@ applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/0001-Sensors_Per fi; if enterAndClear "packages/apps/Settings"; then +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/330960.patch"; #P_asb_2022-05 Hide private DNS settings UI in Guest mode +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/332763.patch"; #P_asb_2022-06 Prevent exfiltration of system files via user image settings. +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334265.patch"; #P_asb_2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335111.patch"; #P_asb_2022-08 Verify ringtone from ringtone picker is audio +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335112.patch"; #P_asb_2022-08 Make bluetooth not discoverable via SliceDeepLinkTrampoline +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335113.patch"; #P_asb_2022-08 Fix: policy enforcement for location wifi scanning +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335114.patch"; #P_asb_2022-08 Fix Settings crash when setting a null ringtone +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335115.patch"; #P_asb_2022-08 Fix can't change notification sound for work profile. +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335116.patch"; #P_asb_2022-08 Extract app label from component name in notification access confirmation UI +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345910.patch"; #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings." +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345911.patch"; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker. 
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345912.patch"; #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351914.patch"; #P_asb_2023-03 FRP bypass defense in the settings app +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351915.patch"; #P_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/359734.patch"; #P_asb_2023-06 Convert argument to intent in AddAccountSettings. +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/366136.patch"; #P_asb_2023-09 Prevent non-system IME from becoming device admin +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/370700.patch"; #P_asb_2023-10 Restrict ApnEditor settings git revert --no-edit c240992b4c86c7f226290807a2f41f2619e7e5e8; #Don't hide OEM unlock applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch) #TODO: Needs work 
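Review bot: `git revert --no-edit c240992b4c86c7f226290807a2f41f2619e7e5e8` now runs after seventeen added patches in `packages/apps/Settings`, where before it was the first change made to the freshly cleared tree. `applyPatch` is defined outside this diff; if it leaves changes uncommitted, or if any backport touches the files that commit changed, the revert can stop with a conflict. The line has no status check, so in that case the "Don't hide OEM unlock" change would be lost without notice. Moving the revert back to directly after `if enterAndClear "packages/apps/Settings"; then` keeps the previous behaviour; otherwise the line should at least report failure.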
@@ -333,10 +523,21 @@ if enterAndClear "packages/apps/SetupWizard"; then applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics.patch"; #Remove analytics (DivestOS) fi; +if enterAndClear "packages/apps/Traceur"; then +applyPatch "$DOS_PATCHES/android_packages_apps_Traceur/378475.patch"; #P_asb_2023-06 Update Traceur to check admin user status +applyPatch "$DOS_PATCHES/android_packages_apps_Traceur/378476.patch"; #P_asb_2023-06 Add DISALLOW_DEBUGGING_FEATURES check +fi; + if enterAndClear "packages/apps/Trebuchet"; then +applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/366137.patch"; #P_asb_2023-09 Fix permission issue in legacy shortcut +applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/377775.patch"; #P_asb_2023-12 Fix permission bypass in legacy shortcut cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed fi; +if enterAndClear "packages/apps/TvSettings"; then +applyPatch "$DOS_PATCHES/android_packages_apps_TvSettings/359735.patch"; #P_asb_2023-06 Convert argument to intent in addAccount TvSettings. +fi; + if enterAndClear "packages/apps/Updater"; then applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0001-Server.patch"; #Switch to our server (DivestOS) applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0002-Tor_Support.patch"; #Add Tor support (DivestOS) 
@@ -349,23 +550,94 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voic
 applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
 fi;
 
+if enterAndClear "packages/providers/ContactsProvider"; then
+applyPatch "$DOS_PATCHES/android_packages_providers_ContactsProvider/335110.patch"; #P_asb_2022-08 enforce stricter CallLogProvider query
+fi;
+
 if enterAndClear "packages/providers/DownloadProvider"; then
+applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/383567.patch"; #P_asb_2024-02 Consolidate queryChildDocumentsXxx() implementations
 applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
 fi;
 
-#if enterAndClear "packages/providers/TelephonyProvider"; then
+if enterAndClear "packages/providers/TelephonyProvider"; then
+applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/344182.patch"; #P_asb_2022-11 Check dir path before updating permissions.
+applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/364616.patch"; #P_asb_2023-08 Update file permissions using canonical path
+applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/374920.patch"; #P_asb_2023-11 Block access to sms/mms db from work profile.
 #cp $DOS_PATCHES_COMMON/android_packages_providers_TelephonyProvider/carrier_list.* assets/;
-#fi;
+fi;
+
+if enterAndClear "packages/services/BuiltInPrintService"; then
+applyPatch "$DOS_PATCHES/android_packages_services_BuiltInPrintService/374919.patch"; #P_asb_2023-11 Adjust APIs for CUPS 2.3.3
+fi;
+
+if enterAndClear "packages/services/Telecomm"; then
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/330959.patch"; #P_asb_2022-05 Handle null bindings returned from ConnectionService.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332764.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/344183.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/345913.patch"; #P_asb_2022-12 Hide overlay windows when showing phone account enable/disable screen.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/347042.patch"; #P_asb_2023-01 Fix security vulnerability when register phone accounts.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/356150.patch"; #P_asb_2023-05 enforce stricter rules when registering phoneAccounts
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/364617.patch"; #P_asb_2023-08 Resolve StatusHints image exploit across user.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/377776.patch"; #P_asb_2023-12 Resolve account image icon profile boundary exploit.
+fi;
 
 if enterAndClear "packages/services/Telephony"; then
+applyPatch "$DOS_PATCHES/android_packages_services_Telephony/347041.patch"; #P_asb_2023-01 prevent overlays on the phone settings
+applyPatch "$DOS_PATCHES/android_packages_services_Telephony/366130.patch"; #P_asb_2023-09 Fixed leak of cross user data in multiple settings.
 git revert --no-edit 99564aaf0417c9ddf7d6aeb10d326e5b24fa8f55;
 applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #(DivestOS)
 applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
 fi;
 
 if enterAndClear "system/bt"; then
+applyPatch "$DOS_PATCHES/android_system_bt/334266.patch"; #P_asb_2022-07 Security: Fix out of bound write in HFP client
+applyPatch "$DOS_PATCHES/android_system_bt/334267.patch"; #P_asb_2022-07 Check Avrcp packet vendor length before extracting length
+applyPatch "$DOS_PATCHES/android_system_bt/334268.patch"; #P_asb_2022-07 Security: Fix out of bound read in AT_SKIP_REST
+applyPatch "$DOS_PATCHES/android_system_bt/335109.patch"; #P_asb_2022-08 Removing bonded device when auth fails due to missing keys
+applyPatch "$DOS_PATCHES/android_system_bt/338350.patch"; #P_asb_2022-09 Fix OOB in bnep_is_packet_allowed
+applyPatch "$DOS_PATCHES/android_system_bt/338351.patch"; #P_asb_2022-09 Fix OOB in BNEP_Write
+applyPatch "$DOS_PATCHES/android_system_bt/338352.patch"; #P_asb_2022-09 Fix OOB in reassemble_and_dispatch
+applyPatch "$DOS_PATCHES/android_system_bt/342097.patch"; #P_asb_2022-10 Fix potential interger overflow when parsing vendor response
+applyPatch "$DOS_PATCHES/android_system_bt/344184.patch"; #P_asb_2022-11 Add negative length check in process_service_search_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/344185.patch"; #P_asb_2022-11 Add buffer in pin_reply in bluetooth.cc
+applyPatch "$DOS_PATCHES/android_system_bt/345914.patch"; #P_asb_2022-12 Add length check when copy AVDTP packet
+applyPatch "$DOS_PATCHES/android_system_bt/345915.patch"; #P_asb_2022-12 Added max buffer length check
+applyPatch "$DOS_PATCHES/android_system_bt/345916.patch"; #P_asb_2022-12 Add missing increment in bnep_api.cc
+applyPatch "$DOS_PATCHES/android_system_bt/345917.patch"; #P_asb_2022-12 Add length check when copy AVDT and AVCT packet
+applyPatch "$DOS_PATCHES/android_system_bt/345918.patch"; #P_asb_2022-12 Fix integer overflow when parsing avrc response
+applyPatch "$DOS_PATCHES/android_system_bt/347127.patch"; #P_asb_2023-01 BT: Once AT command is retrieved, return from method.
+applyPatch "$DOS_PATCHES/android_system_bt/347128.patch"; #P_asb_2023-01 AVRC: Validating msg size before accessing fields
+applyPatch "$DOS_PATCHES/android_system_bt/349334.patch"; #P_asb_2023-02 Report failure when not able to connect to AVRCP
+applyPatch "$DOS_PATCHES/android_system_bt/349335.patch"; #P_asb_2023-02 Add bounds check in avdt_scb_act.cc
+applyPatch "$DOS_PATCHES/android_system_bt/351916.patch"; #P_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
+applyPatch "$DOS_PATCHES/android_system_bt/351917.patch"; #P_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
+applyPatch "$DOS_PATCHES/android_system_bt/351918.patch"; #P_asb_2023-03 Fix an OOB write in SDP_AddAttribute
+applyPatch "$DOS_PATCHES/android_system_bt/354246.patch"; #P_asb_2023-04 Fix OOB access in avdt_scb_hdl_pkt_no_frag
+applyPatch "$DOS_PATCHES/android_system_bt/354247.patch"; #P_asb_2023-04 Fix an OOB bug in register_notification_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/359736.patch"; #P_asb_2023-06 Prevent use-after-free of HID reports
+applyPatch "$DOS_PATCHES/android_system_bt/359737.patch"; #P_asb_2023-06 Revert "Revert "Validate buffer length in sdpu_build_uuid_seq""
+applyPatch "$DOS_PATCHES/android_system_bt/359738.patch"; #P_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
+applyPatch "$DOS_PATCHES/android_system_bt/361252.patch"; #P_asb_2023-07 Fix gatt_end_operation buffer overflow
+applyPatch "$DOS_PATCHES/android_system_bt/366131.patch"; #P_asb_2023-09 Fix an integer overflow bug in avdt_msg_asmbl
+applyPatch "$DOS_PATCHES/android_system_bt/366132.patch"; #P_asb_2023-09 Fix integer overflow in build_read_multi_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/366133.patch"; #P_asb_2023-09 Fix potential abort in btu_av_act.cc
+applyPatch "$DOS_PATCHES/android_system_bt/366134.patch"; #P_asb_2023-09 Fix reliable write.
+applyPatch "$DOS_PATCHES/android_system_bt/366135.patch"; #P_asb_2023-09 Fix UAF in gatt_cl.cc
+applyPatch "$DOS_PATCHES/android_system_bt/377777.patch"; #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1]
+applyPatch "$DOS_PATCHES/android_system_bt/377778.patch"; #P_asb_2023-12 Reject access to secure services authenticated from temp bonding [2]
+applyPatch "$DOS_PATCHES/android_system_bt/377779.patch"; #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3]
+applyPatch "$DOS_PATCHES/android_system_bt/377780.patch"; #P_asb_2023-12 Reorganize the code for checking auth requirement
+applyPatch "$DOS_PATCHES/android_system_bt/377781.patch"; #P_asb_2023-12 Enforce authentication if encryption is required
+applyPatch "$DOS_PATCHES/android_system_bt/377782.patch"; #P_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
 applyPatch "$DOS_PATCHES/android_system_bt/377030-backport.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc
 applyPatch "$DOS_PATCHES/android_system_bt/377031.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow
+applyPatch "$DOS_PATCHES/android_system_bt/379796.patch"; #P_asb_2024-01 Fix some OOB errors in BTM parsing
+applyPatch "$DOS_PATCHES/android_system_bt/383565.patch"; #P_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
+applyPatch "$DOS_PATCHES/android_system_bt/383566.patch"; #P_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
+applyPatch "$DOS_PATCHES/android_system_bt/385675.patch"; #P_asb_2024-03 Fix OOB caused by invalid SMP packet length
+applyPatch "$DOS_PATCHES/android_system_bt/385676.patch"; #P_asb_2024-03 Fix an OOB bug in smp_proc_sec_req
+applyPatch "$DOS_PATCHES/android_system_bt/385677.patch"; #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
+applyPatch "$DOS_PATCHES/android_system_bt/385678.patch"; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
 #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 fi;
 
@@ -375,6 +647,7 @@ cp -r "$DOS_PATCHES_COMMON/android_system_ca-certificates/files" .; #Copy the ne
 fi;
 
 if enterAndClear "system/core"; then
+applyPatch "$DOS_PATCHES/android_system_core/332765.patch"; #P_asb_2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage in directory traversal on the host.
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
 git revert --no-edit b3609d82999d23634c5e6db706a3ecbc5348309a; #Always update recovery
 applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
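Review bot: In the system/bt block, `344185.patch` (Add buffer in pin_reply in bluetooth.cc) now runs before the pre-existing `377030-backport.patch` (Fix OOB Write in pin_reply in bluetooth.cc), and both comments name the same function. The backport was presumably cut against a tree without 344185, so it should be re-checked against the new base: it may be rejected, or land next to the earlier change and leave the bounds check duplicated or misplaced. The same ordering question holds for `git revert --no-edit 99564aaf0417c9ddf7d6aeb10d326e5b24fa8f55` in packages/services/Telephony, which now runs after 347041 and 366130. A short comment recording the check would help the next maintainer, e.g. `#377030-backport: verified on top of 344185 (both touch pin_reply)`.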
@@ -388,6 +661,19 @@ if enterAndClear "system/extras"; then
 applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more (GrapheneOS)
 fi;
 
+if enterAndClear "system/netd"; then
+applyPatch "$DOS_PATCHES/android_system_netd/378480.patch"; #P_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
+fi;
+
+if enterAndClear "system/nfc"; then
+applyPatch "$DOS_PATCHES/android_system_nfc/332766.patch"; #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+applyPatch "$DOS_PATCHES/android_system_nfc/332767.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+applyPatch "$DOS_PATCHES/android_system_nfc/332768.patch"; #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+applyPatch "$DOS_PATCHES/android_system_nfc/342098.patch"; #P_asb_2022-10 The length of a packet should be non-zero
+applyPatch "$DOS_PATCHES/android_system_nfc/354248.patch"; #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+applyPatch "$DOS_PATCHES/android_system_nfc/361251.patch"; #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+fi;
+
 if enterAndClear "system/sepolicy"; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
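Review bot: The new system/nfc block lists six backports, while the parallel libnfc-nci block added later in this diff lists seven: `332769.patch` (Prevent OOB write in nfc_ncif_proc_ee_discover_req) has no counterpart here. That may be correct if system/nfc already contains the fix, but it cannot be told from this hunk, and the two stacks otherwise track the same bulletin entries one for one. Once confirmed, I would record the reason next to the block, e.g. `#OOB write fix in nfc_ncif_proc_ee_discover_req (332769 in libnfc-nci): already in tree`.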
@@ -400,8 +686,27 @@ awk -i inplace '!/true cannot be used in user builds/' Android.mk; #Allow ignori
 fi;
 
 if enterAndClear "tools/apksig"; then
-git fetch https://github.com/LineageOS/android_tools_apksig refs/changes/80/361280/1 && git cherry-pick FETCH_HEAD; #P_asb_2023-07
-git fetch https://github.com/LineageOS/android_tools_apksig refs/changes/81/361281/1 && git cherry-pick FETCH_HEAD;
+applyPatch "$DOS_PATCHES/android_tools_apksig/361280.patch"; #P_asb_2023-07 Create source stamp verifier
+applyPatch "$DOS_PATCHES/android_tools_apksig/361281.patch"; #P_asb_2023-07 Limit the number of supported v1 and v2 signers
+fi;
+
+if enterAndClear "vendor/nxp/opensource/commonsys/external/libnfc-nci"; then
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332769.patch"; #P_asb_2022-06 Prevent OOB write in nfc_ncif_proc_ee_discover_req
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332770.patch"; #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332772.patch"; #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/342099.patch"; #P_asb_2022-10 The length of a packet should be non-zero
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/354249.patch"; #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/361253.patch"; #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+fi;
+
+if enterAndClear "vendor/nxp/opensource/halimpl"; then
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_halimpl/344190.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
+fi;
+
+if enterAndClear "vendor/nxp/opensource/commonsys/packages/apps/Nfc"; then
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/332773.patch"; #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/349336.patch"; #P_asb_2023-02 OOBW in phNciNfc_MfCreateXchgDataHdr
 fi;
 
 if enterAndClear "vendor/lineage"; then