14.1: July ASB picks

Signed-off-by: Tavi <tavi@divested.dev>
2024-09-07 18:12:02 +00:00 · 2024-07-04 09:17:52 -04:00 · 2024-07-04 09:17:52 -04:00 · 093df020a2
commit 093df020a2
parent 1e2d7e9218
4 changed files with 117 additions and 5 deletions
--- a/1
+++ b/1
@ -22,6 +22,7 @@ Patches/
 		[Everything Else] - Apache-2.0
 	LineageOS-*/
 		android_external_hardened_malloc/ - MIT
+		android_packages_apps_CarrierConfig2/ - MIT
 		android_kernel_*/ - GPL-2.0-only
 		[Everything Else] - Apache-2.0
 	Linux/ - See COPYING included (GPL-2.0-only)
--- a/Patches/LineageOS-14.1/android_frameworks_base/396611.patch
+++ b/Patches/LineageOS-14.1/android_frameworks_base/396611.patch
@ -0,0 +1,47 @@
+From e4ea22f79e2995c16f19b45925d4dd66f9813646 Mon Sep 17 00:00:00 2001
+From: Martijn Coenen <maco@google.com>
+Date: Thu, 29 Feb 2024 12:03:05 +0000
+Subject: [PATCH] [BACKPORT] Verify UID of incoming Zygote connections.
+
+Only the system UID should be allowed to connect to the Zygote. While
+for generic Zygotes this is also covered by SELinux policy, this is not
+true for App Zygotes: the preload code running in an app zygote could
+connect to another app zygote socket, if it had access to its (random)
+socket address.
+
+On the Java layer, simply check the UID when the connection is made. In
+the native layer, this check was already present, but it actually didn't
+work in the case where we receive a new incoming connection on the
+socket, and receive a 'non-fork' command: in that case, we will simply
+exit the native loop, and let the Java layer handle the command, without
+any further UID checking.
+
+Modified the native logic to drop new connections with a mismatching
+UID, and to keep serving the existing connection (if it was still
+there).
+
+Bug: 319081336
+Test: manual
+(cherry picked from commit 2ffc7cb220e4220b7e108c4043a3f0f2a85b6508)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e397fd3d20c3f409311e411387ec1524ccecf085)
+Merged-In: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
+Change-Id: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
+---
+ core/java/com/android/internal/os/ZygoteConnection.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
+index 85d84bb3f9867..40ab4839195bc 100644
+--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
+@@ -104,6 +104,10 @@ class ZygoteConnection {
+             Log.e(TAG, "Cannot read peer credentials", ex);
+             throw ex;
+         }
+
+        if (peer.getUid() != Process.SYSTEM_UID) {
+            throw new ZygoteSecurityException("Only system UID is allowed to connect to Zygote.");
+        }
+     }
+ 
+     /**
--- a/Patches/LineageOS-14.1/android_system_bt/396612.patch
+++ b/Patches/LineageOS-14.1/android_system_bt/396612.patch
@ -0,0 +1,62 @@
+From 9dabeb4f8d2ab8936c84823786fab90d0e929ce3 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Mon, 22 Apr 2024 21:14:56 +0000
+Subject: [PATCH] [BACKPORT] Fix an authentication bypass bug in SMP
+
+When pairing with BLE legacy pairing initiated
+from remote, authentication can be bypassed.
+This change fixes it.
+
+Bug: 251514170
+Test: m com.android.btservices
+Test: manual run against PoC
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a3dbadc71428a30b172a74343be08498c656747)
+Merged-In: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
+Change-Id: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
+---
+ stack/smp/smp_act.c | 11 +++++++++++
+ stack/smp/smp_int.h |  1 +
+ 2 files changed, 12 insertions(+)
+
+diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c
+index 8702e109578..a9bcd4c87c2 100644
+--- a/stack/smp/smp_act.c
+++ b/stack/smp/smp_act.c
+@@ -331,6 +331,7 @@ void smp_send_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
+ {
+     SMP_TRACE_DEBUG("%s", __func__);
+     smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
+    p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
+ }
+ 
+ /*******************************************************************************
+@@ -704,6 +705,16 @@ void smp_proc_init(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
+         return;
+     }
+ 
+   if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
+         (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
+       !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT))
+   {
+     // in legacy pairing, the peer should send its rand after
+     // we send our confirm
+     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+     return;
+   }
+
+     /* save the SRand for comparison */
+     STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
+ }
+diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h
+index aea85380edd..aac64ea2ef1 100644
+--- a/stack/smp/smp_int.h
+++ b/stack/smp/smp_int.h
+@@ -251,6 +251,7 @@ typedef union
+ #define SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY  (1 << 6) /* used on slave to resolve race condition */
+ #define SMP_PAIR_FLAG_HAVE_PEER_COMM      (1 << 7) /* used to resolve race condition */
+ #define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY (1 << 8) /* used on slave to resolve race condition */
+#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT   (1 << 9)
+ 
+ /* check if authentication requirement need MITM protection */
+ #define SMP_NO_MITM_REQUIRED(x)  (((x) & SMP_AUTH_YN_BIT) == 0)
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@ -82,7 +82,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2024-06-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-06 #XXX
+sed -i 's/2021-06-05/2024-07-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-07 #XXX
 fi;

 if enterAndClear "device/qcom/sepolicy"; then
@ -282,10 +282,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/378956.patch"; #n-asb-2024-01 F
 applyPatch "$DOS_PATCHES/android_frameworks_base/385241.patch"; #n-asb-2024-03 Resolve custom printer icon boundary exploit.
 applyPatch "$DOS_PATCHES/android_frameworks_base/385242.patch"; #n-asb-2024-03 Close AccountManagerService.session after timeout.
 applyPatch "$DOS_PATCHES/android_frameworks_base/388831.patch"; #n-asb-2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
-applyPatch "$DOS_PATCHES/android_frameworks_base/393646.patch"; #n-asb-2024-05 Add more checkKeyIntent checks to AccountManagerService.
-applyPatch "$DOS_PATCHES/android_frameworks_base/393647.patch"; #n-asb-2024-05 Adds additional sanitization for Zygote command arguments.
-applyPatch "$DOS_PATCHES/android_frameworks_base/393648.patch"; #n-asb-2024-05 Check hidden API exemptions
-applyPatch "$DOS_PATCHES/android_frameworks_base/393649.patch"; #n-asb-2024-05 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
+applyPatch "$DOS_PATCHES/android_frameworks_base/393646.patch"; #n-asb-2024-06 Add more checkKeyIntent checks to AccountManagerService.
+applyPatch "$DOS_PATCHES/android_frameworks_base/393647.patch"; #n-asb-2024-06 Adds additional sanitization for Zygote command arguments.
+applyPatch "$DOS_PATCHES/android_frameworks_base/393648.patch"; #n-asb-2024-06 Check hidden API exemptions
+applyPatch "$DOS_PATCHES/android_frameworks_base/393649.patch"; #n-asb-2024-06 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
+applyPatch "$DOS_PATCHES/android_frameworks_base/396611.patch"; #n-asb-2024-07 Verify UID of incoming Zygote connections.
 git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
 applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@ -585,6 +586,7 @@ applyPatch "$DOS_PATCHES/android_system_bt/385236.patch"; #n-asb-2024-03 Fix OOB
 applyPatch "$DOS_PATCHES/android_system_bt/385237.patch"; #n-asb-2024-03 Fix an OOB bug in smp_proc_sec_req
 applyPatch "$DOS_PATCHES/android_system_bt/385238.patch"; #n-asb-2024-03 Fix an OOB write bug in attp_build_value_cmd
 applyPatch "$DOS_PATCHES/android_system_bt/385239.patch"; #n-asb-2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
+applyPatch "$DOS_PATCHES/android_system_bt/396612.patch"; #n-asb-2024-07 Fix an authentication bypass bug in SMP
 applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)