16.0: January ASB work

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-16.0/android_frameworks_av/379144.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Songyue Han <songyueh@google.com>
+Date: Tue, 3 Oct 2023 22:40:14 +0000
+Subject: [PATCH] Fix convertYUV420Planar16ToY410 overflow issue for
+ unsupported cropwidth.
+
+Bug: 300476626
+Test: color_conversion_fuzzer
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:de2ad0fad97d6d97d1e01f0e8d8309536eb268b4)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:745ab99f7343bc236b88b9d63cd7b06ab192f9e9)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:aa8298ec8eb903e1e3dd915fa24f32e1aea1f76c)
+Merged-In: I8631426188af3c5f9b6c1ff6a0039254c252f733
+Change-Id: I8631426188af3c5f9b6c1ff6a0039254c252f733
+---
+ media/libstagefright/colorconversion/ColorConverter.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/media/libstagefright/colorconversion/ColorConverter.cpp b/media/libstagefright/colorconversion/ColorConverter.cpp
+index a1873bc5c4..94356b0b0c 100644
+--- a/media/libstagefright/colorconversion/ColorConverter.cpp
++++ b/media/libstagefright/colorconversion/ColorConverter.cpp
+@@ -592,7 +592,8 @@ status_t ColorConverter::convertYUV420Planar16ToY410(
+ 
+         uint32_t u01, v01, y01, y23, y45, y67, uv0, uv1;
+         size_t x = 0;
+-        for (; x < src.cropWidth() - 3; x += 4) {
++        // x % 4 is always 0 so x + 3 will never overflow.
++        for (; x + 3 < src.cropWidth(); x += 4) {
+             u01 = *((uint32_t*)ptr_u); ptr_u += 2;
+             v01 = *((uint32_t*)ptr_v); ptr_v += 2;
+ 

Patches/LineageOS-16.0/android_frameworks_base/0007-Always_Restict_Serial.patch

@@ -10,7 +10,7 @@ requiring the READ_PHONE_STATE permission.
  1 file changed, 1 insertion(+), 7 deletions(-)
 
 diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
-index 847beb87408d..d47abf142ef7 100644
+index e1159493fe24..d6443110128d 100644
 --- a/services/core/java/com/android/server/am/ActivityManagerService.java
 +++ b/services/core/java/com/android/server/am/ActivityManagerService.java
 @@ -7937,13 +7937,7 @@ public class ActivityManagerService extends IActivityManager.Stub

Patches/LineageOS-16.0/android_frameworks_base/379145-backport.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Aaron Liu <aaronjli@google.com>
+Date: Tue, 28 Mar 2023 13:15:04 -0700
+Subject: [PATCH] DO NOT MERGE Dismiss keyguard when simpin auth'd and...
+
+security method is none. This is mostly to fix the case where we auth
+sim pin in the set up wizard and it goes straight to keyguard instead of
+the setup wizard activity.
+
+This works with the prevent bypass keyguard flag because the device
+should be noe secure in this case.
+
+Fixes: 222446076
+Test: turn locked sim on, which opens the sim pin screen. Auth the
+screen and observe that keyguard is not shown.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48fa9bef3451e4a358c941af5b230f99881c5cb6)
+Cherry-picking this CL as a security fix
+
+Bug: 222446076
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:09f004722284ef6b9790ddf9338a1708b3f0833c)
+Merged-In: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
+AOSP-Change-Id: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
+Change-Id: Id6eb8eff88481f9ec2c9cbcde9d7b0f78a349d98
+---
+ .../src/com/android/keyguard/KeyguardSecurityContainer.java     | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+index 6a71cf84759c..bb205956e932 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+@@ -351,7 +351,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+                 case SimPuk:
+                     // Shortcut for SIM PIN/PUK to go to directly to user's security screen or home
+                     SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId);
+-                    if (securityMode == SecurityMode.None && mLockPatternUtils.isLockScreenDisabled(
++                    if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled(
+                             KeyguardUpdateMonitor.getCurrentUser())) {
+                         finish = true;
+                     } else {

Patches/LineageOS-16.0/android_frameworks_base/379146-backport.patch

@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Aaron Liu <aaronjli@google.com>
+Date: Fri, 11 Aug 2023 11:02:33 -0700
+Subject: [PATCH] DO NOT MERGE Ensure finish lockscreen when usersetup
+ incomplete
+
+Ensure that when the usersetup for the user is not complete, we do not
+want to go to lockscreen, even if lockscreen is not disabled.
+
+Bug: 222446076
+Test: add Unit test,
+Test: Wipe device, auth sim pin in setup, observe that lockscreen is
+not there.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01ea2f91df5a1c67da2546d83beeee75c2c1ef94)
+Merged-In: I8e33db8eb6e2c917966cab3d6a4f982670473040
+Change-Id: I8e33db8eb6e2c917966cab3d6a4f982670473040
+---
+ .../android/keyguard/KeyguardSecurityContainer.java  | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+index bb205956e932..a6fa034cb901 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+@@ -32,6 +32,8 @@ import android.widget.FrameLayout;
+ 
+ import com.android.internal.widget.LockPatternUtils;
+ import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
++import com.android.systemui.statusbar.policy.DeviceProvisionedController;
++import com.android.systemui.Dependency;
+ 
+ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSecurityView {
+     private static final boolean DEBUG = KeyguardConstants.DEBUG;
+@@ -50,6 +52,8 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+     private SecurityCallback mSecurityCallback;
+     private AlertDialog mAlertDialog;
+ 
++    private final DeviceProvisionedController mDeviceProvisionedController;
++
+     private final KeyguardUpdateMonitor mUpdateMonitor;
+ 
+     // Used to notify the container when something interesting happens.
+@@ -81,6 +85,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+         mSecurityModel = new KeyguardSecurityModel(context);
+         mLockPatternUtils = new LockPatternUtils(context);
+         mUpdateMonitor = KeyguardUpdateMonitor.getInstance(mContext);
++        mDeviceProvisionedController = Dependency.get(DeviceProvisionedController.class);
+     }
+ 
+     public void setSecurityCallback(SecurityCallback callback) {
+@@ -351,8 +356,11 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+                 case SimPuk:
+                     // Shortcut for SIM PIN/PUK to go to directly to user's security screen or home
+                     SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId);
+-                    if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled(
+-                            KeyguardUpdateMonitor.getCurrentUser())) {
++                    boolean isLockscreenDisabled = mLockPatternUtils.isLockScreenDisabled(
++                            KeyguardUpdateMonitor.getCurrentUser())
++                            || !mDeviceProvisionedController.isUserSetup(targetUserId);
++
++                    if (securityMode == SecurityMode.None && isLockscreenDisabled) {
+                         finish = true;
+                     } else {
+                         showSecurityScreen(securityMode);

Patches/LineageOS-16.0/android_frameworks_base/379147-backport.patch

@@ -0,0 +1,94 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tetiana Meronyk <tetianameronyk@google.com>
+Date: Thu, 24 Aug 2023 16:27:30 +0000
+Subject: [PATCH] Truncate user data to a limit of 500 characters
+
+Fix vulnerability that allows creating users with no restrictions. This is done by creating an intent to create a user and putting extras that are too long to be serialized. It causes IOException and the restrictions are not written in the file.
+
+By truncating the string values when writing them to the file, we ensure that the exception does not happen and it can be recorded correctly.
+
+Bug: 293602317
+Test: install app provided in the bug, open app and click add. Check logcat to see there is no more IOException. Reboot the device by either opening User details page or running adb shell dumpsys user | grep -A12 heen and see that the restrictions are in place.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48d45b507df64708a214a800082b970c8b2bf827)
+Merged-In: I633dc10974a64ef2abd07e67ff2d209847129989
+Change-Id: I633dc10974a64ef2abd07e67ff2d209847129989
+---
+ .../android/server/pm/UserManagerService.java | 24 ++++++++++++++-----
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
+index 423b88388809..7b121ba5a0f6 100644
+--- a/services/core/java/com/android/server/pm/UserManagerService.java
++++ b/services/core/java/com/android/server/pm/UserManagerService.java
+@@ -216,6 +216,8 @@ public class UserManagerService extends IUserManager.Stub {
+ 
+     private static final int USER_VERSION = 7;
+ 
++    private static final int MAX_USER_STRING_LENGTH = 500;
++
+     private static final long EPOCH_PLUS_30_YEARS = 30L * 365 * 24 * 60 * 60 * 1000L; // ms
+ 
+     // Maximum number of managed profiles permitted per user is 1. This cannot be increased
+@@ -2292,15 +2294,17 @@ public class UserManagerService extends IUserManager.Stub {
+         // Write seed data
+         if (userData.persistSeedData) {
+             if (userData.seedAccountName != null) {
+-                serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME, userData.seedAccountName);
++                serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME,
++                        truncateString(userData.seedAccountName));
+             }
+             if (userData.seedAccountType != null) {
+-                serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE, userData.seedAccountType);
++                serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE,
++                        truncateString(userData.seedAccountType));
+             }
+         }
+         if (userInfo.name != null) {
+             serializer.startTag(null, TAG_NAME);
+-            serializer.text(userInfo.name);
++            serializer.text(truncateString(userInfo.name));
+             serializer.endTag(null, TAG_NAME);
+         }
+         synchronized (mRestrictionsLock) {
+@@ -2335,6 +2339,13 @@ public class UserManagerService extends IUserManager.Stub {
+         serializer.endDocument();
+     }
+ 
++    private String truncateString(String original) {
++        if (original == null || original.length() <= MAX_USER_STRING_LENGTH) {
++            return original;
++        }
++        return original.substring(0, MAX_USER_STRING_LENGTH);
++    }
++
+     /*
+      * Writes the user list file in this format:
+      *
+@@ -2632,6 +2643,7 @@ public class UserManagerService extends IUserManager.Stub {
+ 
+     private UserInfo createUserInternalUnchecked(String name, int flags, int parentId,
+             String[] disallowedPackages) {
++        String truncatedName = truncateString(name);
+         DeviceStorageMonitorInternal dsm = LocalServices
+                 .getService(DeviceStorageMonitorInternal.class);
+         if (dsm.isMemoryLow()) {
+@@ -2710,7 +2722,7 @@ public class UserManagerService extends IUserManager.Stub {
+                         flags |= UserInfo.FLAG_EPHEMERAL;
+                     }
+ 
+-                    userInfo = new UserInfo(userId, name, null, flags);
++                    userInfo = new UserInfo(userId, truncatedName, null, flags);
+                     userInfo.serialNumber = mNextSerialNumber++;
+                     long now = System.currentTimeMillis();
+                     userInfo.creationTime = (now > EPOCH_PLUS_30_YEARS) ? now : 0;
+@@ -3541,8 +3553,8 @@ public class UserManagerService extends IUserManager.Stub {
+                     Slog.e(LOG_TAG, "No such user for settings seed data u=" + userId);
+                     return;
+                 }
+-                userData.seedAccountName = accountName;
+-                userData.seedAccountType = accountType;
++                userData.seedAccountName = truncateString(accountName);
++                userData.seedAccountType = truncateString(accountType);
+                 userData.seedAccountOptions = accountOptions;
+                 userData.persistSeedData = persist;
+             }

Patches/LineageOS-16.0/android_frameworks_base/379148-backport.patch

@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Raphael Kim <raphk@google.com>
+Date: Mon, 18 Sep 2023 14:07:23 -0700
+Subject: [PATCH] Validate component name length before requesting notification
+ access.
+
+Bug: 295335110
+Test: Test app with long component name
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:447216ecbe5f22ea06379d9587dae530b1202fe8)
+Merged-In: I7ea5d5c1f78858db9865f3310d1e0aff9c8b5579
+Change-Id: I7ea5d5c1f78858db9865f3310d1e0aff9c8b5579
+---
+ .../server/companion/CompanionDeviceManagerService.java      | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+index e39652d77b7a..087fe8560fc8 100644
+--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
++++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+@@ -107,6 +107,8 @@ public class CompanionDeviceManagerService extends SystemService implements Bind
+     private static final boolean DEBUG = false;
+     private static final String LOG_TAG = "CompanionDeviceManagerService";
+ 
++    private static final int MAX_CN_LENGTH = 500;
++
+     private static final String XML_TAG_ASSOCIATIONS = "associations";
+     private static final String XML_TAG_ASSOCIATION = "association";
+     private static final String XML_ATTR_PACKAGE = "package";
+@@ -290,6 +292,9 @@ public class CompanionDeviceManagerService extends SystemService implements Bind
+             String callingPackage = component.getPackageName();
+             checkCanCallNotificationApi(callingPackage);
+             int userId = getCallingUserId();
++            if (component.flattenToString().length() > MAX_CN_LENGTH) {
++                throw new IllegalArgumentException("Component name is too long.");
++            }
+             final long identity = Binder.clearCallingIdentity();
+             try {
+                 return PendingIntent.getActivity(getContext(),

Patches/LineageOS-16.0/android_frameworks_base/379149-backport.patch

@@ -0,0 +1,66 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nan Wu <wnan@google.com>
+Date: Fri, 25 Aug 2023 15:02:28 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Log to detect usage of whitelistToken when
+ sending non-PI target
+
+Log ActivityManagerService.sendIntentSender if the target is not a
+PendingIntent and a non-null whitelistToken is sent to the client.
+This is simply to detect if there are real cases this would happen
+before we decide simply remove whitelistToken in that case.
+
+Do not pass  whitelistToken when sending non-PI target
+
+In ActivityManagerService.sendIntentSender, if the target is not a
+PendingIntent, do not send whitelistToken to the client.
+
+Bug: 279428283
+Test: Manual test
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f12deecd46e79212deba584a1afea97d401dd52)
+Merged-In: I017486354a1ab2f14d0472c355583d53c27c4810
+Change-Id: I017486354a1ab2f14d0472c355583d53c27c4810
+---
+ .../server/am/ActivityManagerService.java     | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 847beb87408d..e1159493fe24 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -8625,12 +8625,12 @@ public class ActivityManagerService extends IActivityManager.Stub
+     }
+ 
+     @Override
+-    public int sendIntentSender(IIntentSender target, IBinder whitelistToken, int code,
++    public int sendIntentSender(IIntentSender target, IBinder allowlistToken, int code,
+             Intent intent, String resolvedType,
+             IIntentReceiver finishedReceiver, String requiredPermission, Bundle options) {
+         if (target instanceof PendingIntentRecord) {
+             return ((PendingIntentRecord)target).sendWithResult(code, intent, resolvedType,
+-                    whitelistToken, finishedReceiver, requiredPermission, options);
++                    allowlistToken, finishedReceiver, requiredPermission, options);
+         } else {
+             if (intent == null) {
+                 // Weird case: someone has given us their own custom IIntentSender, and now
+@@ -8642,7 +8642,20 @@ public class ActivityManagerService extends IActivityManager.Stub
+                 intent = new Intent(Intent.ACTION_MAIN);
+             }
+             try {
+-                target.send(code, intent, resolvedType, whitelistToken, null,
++                if (allowlistToken != null) {
++                    final int callingUid = Binder.getCallingUid();
++                    final String packageName;
++                    final long token = Binder.clearCallingIdentity();
++                    try {
++                        packageName = AppGlobals.getPackageManager().getNameForUid(callingUid);
++                    } finally {
++                        Binder.restoreCallingIdentity(token);
++                    }
++                    Slog.wtf(TAG, "Send a non-null allowlistToken to a non-PI target."
++                            + " Calling package: " + packageName + "; intent: " + intent
++                            + "; options: " + options);
++                }
++                target.send(code, intent, resolvedType, null, null,
+                         requiredPermission, options);
+             } catch (RemoteException e) {
+             }

Patches/LineageOS-16.0/android_frameworks_base/379150.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Will Leshner <wleshner@google.com>
+Date: Tue, 31 Oct 2023 13:23:08 -0700
+Subject: [PATCH] Fix vulnerability that allowed attackers to start arbitary
+ activities
+
+Test: Flashed device and verified dream settings works as expected
+Test: Installed APK from bug and verified the dream didn't allow
+launching the inappropriate settings activity.
+Fixes: 300090204
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14)
+Merged-In: I573040df84bf98a493b39f96c8581e4303206bac
+Change-Id: I573040df84bf98a493b39f96c8581e4303206bac
+---
+ .../com/android/settingslib/dream/DreamBackend.java  | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+index 3c0f6fe8ccbb..0b771580fff4 100644
+--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
++++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+@@ -332,7 +332,17 @@ public class DreamBackend {
+         if (cn != null && cn.indexOf('/') < 0) {
+             cn = resolveInfo.serviceInfo.packageName + "/" + cn;
+         }
+-        return cn == null ? null : ComponentName.unflattenFromString(cn);
++        // Ensure that the component is from the same package as the dream service. If not,
++        // treat the component as invalid and return null instead.
++        final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
++        if (result != null
++                && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
++            Log.w(TAG,
++                    "Inconsistent package name in component: " + result.getPackageName()
++                            + ", should be: " + resolveInfo.serviceInfo.packageName);
++            return null;
++        }
++        return result;
+     }
+ 
+     private static void logd(String msg, Object... args) {

Patches/LineageOS-16.0/android_system_bt/379154.patch

@@ -0,0 +1,135 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 23 May 2023 23:23:11 +0000
+Subject: [PATCH] Fix some OOB errors in BTM parsing
+
+Some HCI BLE events are missing bounds checks, leading to possible OOB
+access.  Add the appropriate bounds checks on the packets.
+
+Bug: 279169188
+Test: atest bluetooth_test_gd_unit, net_test_stack_btm
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)
+Merged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
+Change-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
+---
+ stack/btm/btm_ble_gap.cc | 50 ++++++++++++++++++++++++++++++----------
+ stack/btu/btu_hcif.cc    |  6 +++++
+ 2 files changed, 44 insertions(+), 12 deletions(-)
+
+diff --git a/stack/btm/btm_ble_gap.cc b/stack/btm/btm_ble_gap.cc
+index 4e8471261..8a2c53c30 100644
+--- a/stack/btm/btm_ble_gap.cc
++++ b/stack/btm/btm_ble_gap.cc
+@@ -1879,19 +1879,27 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
+       advertising_sid;
+   int8_t rssi, tx_power;
+   uint16_t event_type, periodic_adv_int, direct_address_type;
++  size_t bytes_to_process;
+ 
+   /* Only process the results if the inquiry is still active */
+   if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return;
+ 
++  bytes_to_process = 1;
++
++  if (data_len < bytes_to_process) {
++    LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
++                  "for num reports";
++    return;
++  }
++
+   /* Extract the number of reports in this event. */
+   STREAM_TO_UINT8(num_reports, p);
+ 
+   while (num_reports--) {
+-    if (p > data + data_len) {
+-      // TODO(jpawlowski): we should crash the stack here
+-      BTM_TRACE_ERROR(
+-          "Malformed LE Extended Advertising Report Event from controller - "
+-          "can't loop the data");
++    bytes_to_process += 24;
++    if (data_len < bytes_to_process) {
++      LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
++                    "for metadata";
+       return;
+     }
+ 
+@@ -1911,8 +1919,11 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
+ 
+     uint8_t* pkt_data = p;
+     p += pkt_data_len; /* Advance to the the next packet*/
+-    if (p > data + data_len) {
+-      LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
++
++    bytes_to_process += pkt_data_len;
++    if (data_len < bytes_to_process) {
++      LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
++                    "for packet data";
+       return;
+     }
+ 
+@@ -1941,17 +1952,28 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
+   uint8_t* p = data;
+   uint8_t legacy_evt_type, addr_type, num_reports, pkt_data_len;
+   int8_t rssi;
++  size_t bytes_to_process;
+ 
+   /* Only process the results if the inquiry is still active */
+   if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return;
+ 
++  bytes_to_process = 1;
++
++  if (data_len < bytes_to_process) {
++    LOG(ERROR)
++        << "Malformed LE advertising packet: not enough room for num reports";
++    return;
++  }
++
+   /* Extract the number of reports in this event. */
+   STREAM_TO_UINT8(num_reports, p);
+ 
+   while (num_reports--) {
+-    if (p > data + data_len) {
+-      // TODO(jpawlowski): we should crash the stack here
+-      BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller");
++    bytes_to_process += 9;
++
++    if (data_len < bytes_to_process) {
++      LOG(ERROR)
++          << "Malformed LE advertising packet: not enough room for metadata";
+       return;
+     }
+ 
+@@ -1963,8 +1985,12 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
+ 
+     uint8_t* pkt_data = p;
+     p += pkt_data_len; /* Advance to the the rssi byte */
+-    if (p > data + data_len - sizeof(rssi)) {
+-      LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
++
++    // include rssi for this check
++    bytes_to_process += pkt_data_len + 1;
++    if (data_len < bytes_to_process) {
++      LOG(ERROR) << "Malformed LE advertising packet: not enough room for "
++                    "packet data and/or RSSI";
+       return;
+     }
+ 
+diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
+index 720bab266..8c83fa10e 100644
+--- a/stack/btu/btu_hcif.cc
++++ b/stack/btu/btu_hcif.cc
+@@ -1810,6 +1810,12 @@ static void btu_ble_data_length_change_evt(uint8_t* p, uint16_t evt_len) {
+     return;
+   }
+ 
++  // 2 bytes each for handle, tx_data_len, TxTimer, rx_data_len
++  if (evt_len < 8) {
++    LOG_ERROR(LOG_TAG, "Event packet too short");
++    return;
++  }
++
+   STREAM_TO_UINT16(handle, p);
+   STREAM_TO_UINT16(tx_data_len, p);
+   p += 2; /* Skip the TxTimer */

Scripts/LineageOS-16.0/Patch.sh

@@ -99,7 +99,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2022-01-05/2023-12-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-12 #XXX
+sed -i 's/2022-01-05/2024-01-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-01 #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -161,10 +161,17 @@ awk -i inplace '!/deletePackage/' pico/src/com/svox/pico/LangPackUninstaller.jav
 fi;
 
 if enterAndClear "frameworks/av"; then
+applyPatch "$DOS_PATCHES/android_frameworks_av/379144.patch"; #R_asb_2024-01 Fix convertYUV420Planar16ToY410 overflow issue for unsupported cropwidth.
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
 fi;
 
 if enterAndClear "frameworks/base"; then
+applyPatch "$DOS_PATCHES/android_frameworks_base/379145-backport.patch"; #R_asb_2024-01 Dismiss keyguard when simpin auth'd and...
+applyPatch "$DOS_PATCHES/android_frameworks_base/379146-backport.patch"; #R_asb_2024-01 Ensure finish lockscreen when usersetup incomplete
+applyPatch "$DOS_PATCHES/android_frameworks_base/379147-backport.patch"; #R_asb_2024-01 Truncate user data to a limit of 500 characters
+applyPatch "$DOS_PATCHES/android_frameworks_base/379148-backport.patch"; #R_asb_2024-01 [CDM] Validate component name length before requesting notification access.
+applyPatch "$DOS_PATCHES/android_frameworks_base/379149-backport.patch"; #R_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target
+applyPatch "$DOS_PATCHES/android_frameworks_base/379150.patch"; #R_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@@ -365,6 +372,7 @@ fi;
 if enterAndClear "system/bt"; then
 applyPatch "$DOS_PATCHES/android_system_bt/377030-backport.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc
 applyPatch "$DOS_PATCHES/android_system_bt/377031.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow
+applyPatch "$DOS_PATCHES/android_system_bt/379154.patch"; #R_asb_2024-01 Fix some OOB errors in BTM parsing
 #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 fi;