diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377006.patch b/Patches/LineageOS-14.1/android_frameworks_base/377939.patch similarity index 56% rename from Patches/LineageOS-17.1/android_frameworks_base/377006.patch rename to Patches/LineageOS-14.1/android_frameworks_base/377939.patch index c1b02775..60c853f8 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/377006.patch +++ b/Patches/LineageOS-14.1/android_frameworks_base/377939.patch @@ -1,7 +1,7 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From 52459a71e45159f7fd837a29c2455deebae61424 Mon Sep 17 00:00:00 2001 From: Marzia Favaro Date: Mon, 31 Jul 2023 15:10:34 +0000 -Subject: [PATCH] Require permission to unlock keyguard +Subject: [PATCH] BACKPORT: Require permission to unlock keyguard Bug: 288896339 Test: Manual, verify that the app which can be found on the bug can no longer call 
@@ -17,27 +17,29 @@ keyguardGoingAway successfully (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ad8e7e3b1db22684988a179e23639567a4096ca6) Merged-In: I7ba7e56f954c8e6f1f734311f735215918975bc6 Change-Id: I7ba7e56f954c8e6f1f734311f735215918975bc6 + +Change-Id: Id9a5ac676c7047c5c4d73b617a1cd628ba885ffe --- - .../java/com/android/server/wm/ActivityTaskManagerService.java | 2 ++ + .../core/java/com/android/server/am/ActivityManagerService.java | 2 ++ 1 file changed, 2 insertions(+) -diff --git a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java -index d0dad0a23729..5bcc5975604a 100644 ---- a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java -+++ b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java -@@ -18,6 +18,7 @@ package com.android.server.wm; +diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java +index 4e48f422a2fe3..61563f40b825c 100644 +--- a/services/core/java/com/android/server/am/ActivityManagerService.java ++++ b/services/core/java/com/android/server/am/ActivityManagerService.java +@@ -254,6 +254,7 @@ + import libcore.io.IoUtils; + import libcore.util.EmptyArray; - import static android.Manifest.permission.BIND_VOICE_INTERACTION; - import static android.Manifest.permission.CHANGE_CONFIGURATION; +import static android.Manifest.permission.CONTROL_KEYGUARD; - import static android.Manifest.permission.CONTROL_REMOTE_APP_TRANSITION_ANIMATIONS; import static android.Manifest.permission.INTERACT_ACROSS_USERS; import static android.Manifest.permission.INTERACT_ACROSS_USERS_FULL; -@@ -3890,6 +3891,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { + import static android.Manifest.permission.MANAGE_ACTIVITY_STACKS; +@@ -6973,6 +6974,7 @@ public void 
keyguardWaitingForActivityDrawn() { @Override public void keyguardGoingAway(int flags) { -+ mAmInternal.enforceCallingPermission(CONTROL_KEYGUARD, "unlock keyguard"); ++ enforceCallingPermission(CONTROL_KEYGUARD, "keyguardGoingAway()"); enforceNotIsolatedCaller("keyguardGoingAway"); final long token = Binder.clearCallingIdentity(); try { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377001-backport.patch b/Patches/LineageOS-16.0/android_frameworks_base/377001-backport.patch deleted file mode 100644 index 4cc92385..00000000 --- a/Patches/LineageOS-16.0/android_frameworks_base/377001-backport.patch +++ /dev/null 
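Review bot: The added `enforceCallingPermission(CONTROL_KEYGUARD, "keyguardGoingAway()")` at the top of `keyguardGoingAway(int flags)` has no comment saying that it must stay ahead of `Binder.clearCallingIdentity()`; once the identity is cleared, a calling-permission check would be evaluated against the system server instead of the Binder caller. I would put `// Must run before clearCallingIdentity(): only CONTROL_KEYGUARD holders may unlock the keyguard (Bug: 288896339).` directly above the new line so a later reshuffle of this method does not silently defeat the check. The page shows only the server side of the backport, so it is worth confirming that the keyguard client on this 14.1 branch declares CONTROL_KEYGUARD; if it does not, the legitimate caller would presumably start hitting a SecurityException. The method body continues past the end of the hunk, so the rest of the cleared-identity section is not visible here.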
@@ -1,95 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= -Date: Wed, 5 Jul 2023 13:52:21 +0200 -Subject: [PATCH] Visit Uris added by WearableExtender - -Bug: 283962802 -Test: atest + manual (POC app now crashes on notify() as expected) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a6f44e911f2d7204cc28c710e54f97c96231abab) -Merged-In: I0da18c631eb5e4844a48760c7aaedab715a0bfed -Change-Id: I0da18c631eb5e4844a48760c7aaedab715a0bfed ---- - core/java/android/app/Notification.java | 17 +++++++++++++++- - .../NotificationManagerServiceTest.java | 20 +++++++++++++++++++ - 2 files changed, 36 insertions(+), 1 deletion(-) - -diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java -index d456e3d57039..d1354a7e5c21 100644 ---- a/core/java/android/app/Notification.java -+++ b/core/java/android/app/Notification.java -@@ -1700,6 +1700,10 @@ public class Notification implements Parcelable - } - } - -+ private void visitUris(@NonNull Consumer visitor) { -+ visitIconUri(visitor, getIcon()); -+ } -+ - @Override - public Action clone() { - return new Action( -@@ -2362,7 +2366,7 @@ public class Notification implements Parcelable - - if (actions != null) { - for (Action action : actions) { -- visitIconUri(visitor, action.getIcon()); -+ action.visitUris(visitor); - } - } - -@@ -2390,6 +2394,11 @@ public class Notification implements Parcelable - } - } - } -+ -+ if (extras != null && extras.containsKey(WearableExtender.EXTRA_WEARABLE_EXTENSIONS)) { -+ WearableExtender extender = new WearableExtender(this); -+ extender.visitUris(visitor); -+ } - } - - /** -@@ -9045,6 +9054,12 @@ public class Notification implements Parcelable - mFlags &= ~mask; - } - } -+ -+ private void visitUris(@NonNull Consumer visitor) { -+ for (Action action : mActions) { -+ action.visitUris(visitor); -+ } -+ } - } - - /** -diff --git 
a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java -index e073e6767da6..379290bcf0ad 100644 ---- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java -+++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java -@@ -2797,6 +2797,26 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { - anyInt(), anyInt()); - } - -+ @Test -+ public void testVisitUris_wearableExtender() { -+ Icon actionIcon = Icon.createWithContentUri("content://media/action"); -+ Icon wearActionIcon = Icon.createWithContentUri("content://media/wearAction"); -+ PendingIntent intent = PendingIntent.getActivity(mContext, 0, new Intent(), -+ PendingIntent.FLAG_IMMUTABLE); -+ Notification n = new Notification.Builder(mContext, "a") -+ .setSmallIcon(android.R.drawable.sym_def_app_icon) -+ .addAction(new Notification.Action.Builder(actionIcon, "Hey!", intent).build()) -+ .extend(new Notification.WearableExtender().addAction( -+ new Notification.Action.Builder(wearActionIcon, "Wear!", intent).build())) -+ .build(); -+ -+ Consumer visitor = (Consumer) spy(Consumer.class); -+ n.visitUris(visitor); -+ -+ verify(visitor).accept(eq(actionIcon.getUri())); -+ verify(visitor).accept(eq(wearActionIcon.getUri())); -+ } -+ - @Test - public void testSetNotificationPolicy_preP_setOldFields() { - ZenModeHelper mZenModeHelper = mock(ZenModeHelper.class); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377002.patch b/Patches/LineageOS-16.0/android_frameworks_base/377002.patch deleted file mode 100644 index 9a8753df..00000000 --- a/Patches/LineageOS-16.0/android_frameworks_base/377002.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Lifu Tang -Date: Wed, 5 Jul 2023 13:03:00 -0700 -Subject: [PATCH] Fix bypass BAL via `requestGeofence` - -Bug: 273729172 -Test: manually -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7f9be7c3c859dc82d37452570d9878b58f6437a9) -Merged-In: Ia8094244f908b20d42711b6ea8f58f9b3345b563 -Change-Id: Ia8094244f908b20d42711b6ea8f58f9b3345b563 ---- - services/core/java/com/android/server/PendingIntentUtils.java | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/services/core/java/com/android/server/PendingIntentUtils.java b/services/core/java/com/android/server/PendingIntentUtils.java -index 1600101b20f4..a72a4d254a2a 100644 ---- a/services/core/java/com/android/server/PendingIntentUtils.java -+++ b/services/core/java/com/android/server/PendingIntentUtils.java -@@ -34,6 +34,7 @@ public class PendingIntentUtils { - public static Bundle createDontSendToRestrictedAppsBundle(@Nullable Bundle bundle) { - final BroadcastOptions options = BroadcastOptions.makeBasic(); - options.setDontSendToRestrictedApps(true); -+ options.setPendingIntentBackgroundActivityLaunchAllowed(false); - if (bundle == null) { - return options.toBundle(); - } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377004-backport.patch b/Patches/LineageOS-16.0/android_frameworks_base/377004-backport.patch deleted file mode 100644 index b6dab918..00000000 --- a/Patches/LineageOS-16.0/android_frameworks_base/377004-backport.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Kweku Adams -Date: Fri, 23 Sep 2022 21:06:53 +0000 -Subject: [PATCH] RESTRICT AUTOMERGE: Drop invalid data. - -Drop invalid data when writing or reading from XML. PersistableBundle -does lazy unparcelling, so checking the values during unparcelling would -remove the benefit of the lazy unparcelling. Checking the validity when -writing to or reading from XML seems like the best alternative. - -Bug: 246542285 -Bug: 247513680 -Test: install test app with invalid job config, start app to schedule job, then check logcat and jobscheduler persisted file -(cherry picked from commit 666e8ac60a31e2cc52b335b41004263f28a8db06) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b37ab21ce27746a79a2071deee98c61b23c8d9) -Merged-In: Ie817aa0993e9046cb313a750d2323cadc8c1ef15 -Change-Id: Ie817aa0993e9046cb313a750d2323cadc8c1ef15 ---- - core/java/android/os/PersistableBundle.java | 42 +++++++++++++++++---- - 1 file changed, 34 insertions(+), 8 deletions(-) - -diff --git a/core/java/android/os/PersistableBundle.java b/core/java/android/os/PersistableBundle.java -index 40eceb8a04e1..6a6ff64c5a5f 100644 ---- a/core/java/android/os/PersistableBundle.java -+++ b/core/java/android/os/PersistableBundle.java -@@ -18,6 +18,7 @@ package android.os; - - import android.annotation.Nullable; - import android.util.ArrayMap; -+import android.util.Slog; - import android.util.proto.ProtoOutputStream; - - import com.android.internal.util.XmlUtils; -@@ -38,6 +39,8 @@ import java.util.ArrayList; - */ - public final class PersistableBundle extends BaseBundle implements Cloneable, Parcelable, - XmlUtils.WriteMapCallback { -+ private static final String TAG = "PersistableBundle"; -+ - private static final String TAG_PERSISTABLEMAP = "pbundle_as_map"; - public static final PersistableBundle EMPTY; - -@@ -100,7 +103,11 @@ public final class PersistableBundle extends BaseBundle 
implements Cloneable, Pa - * @hide - */ - public PersistableBundle(Bundle b) { -- this(b.getMap()); -+ this(b, true); -+ } -+ -+ private PersistableBundle(Bundle b, boolean throwException) { -+ this(b.getMap(), throwException); - } - - /** -@@ -109,7 +116,7 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa - * @param map a Map containing only those items that can be persisted. - * @throws IllegalArgumentException if any element of #map cannot be persisted. - */ -- private PersistableBundle(ArrayMap map) { -+ private PersistableBundle(ArrayMap map, boolean throwException) { - super(); - mFlags = FLAG_DEFUSABLE; - -@@ -118,16 +125,23 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa - - // Now verify each item throwing an exception if there is a violation. - final int N = mMap.size(); -- for (int i=0; i= 0; --i) { - Object value = mMap.valueAt(i); - if (value instanceof ArrayMap) { - // Fix up any Maps by replacing them with PersistableBundles. 
-- mMap.setValueAt(i, new PersistableBundle((ArrayMap) value)); -+ mMap.setValueAt(i, -+ new PersistableBundle((ArrayMap) value, throwException)); - } else if (value instanceof Bundle) { -- mMap.setValueAt(i, new PersistableBundle(((Bundle) value))); -+ mMap.setValueAt(i, new PersistableBundle((Bundle) value, throwException)); - } else if (!isValidType(value)) { -- throw new IllegalArgumentException("Bad value in PersistableBundle key=" -- + mMap.keyAt(i) + " value=" + value); -+ final String errorMsg = "Bad value in PersistableBundle key=" -+ + mMap.keyAt(i) + " value=" + value; -+ if (throwException) { -+ throw new IllegalArgumentException(errorMsg); -+ } else { -+ Slog.wtfStack(TAG, errorMsg); -+ mMap.removeAt(i); -+ } - } - } - } -@@ -242,6 +256,15 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa - /** @hide */ - public void saveToXml(XmlSerializer out) throws IOException, XmlPullParserException { - unparcel(); -+ // Explicitly drop invalid types an attacker may have added before persisting. -+ for (int i = mMap.size() - 1; i >= 0; --i) { -+ final Object value = mMap.valueAt(i); -+ if (!isValidType(value)) { -+ Slog.e(TAG, "Dropping bad data before persisting: " -+ + mMap.keyAt(i) + "=" + value); -+ mMap.removeAt(i); -+ } -+ } - XmlUtils.writeMapXml(mMap, out, this); - } - -@@ -290,9 +313,12 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa - while (((event = in.next()) != XmlPullParser.END_DOCUMENT) && - (event != XmlPullParser.END_TAG || in.getDepth() < outerDepth)) { - if (event == XmlPullParser.START_TAG) { -+ // Don't throw an exception when restoring from XML since an attacker could try to -+ // input invalid data in the persisted file. - return new PersistableBundle((ArrayMap) - XmlUtils.readThisArrayMapXml(in, startTag, tagName, -- new MyReadMapCallback())); -+ new MyReadMapCallback()), -+ /* throwException */ false); - } - } - return EMPTY; 
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377008.patch b/Patches/LineageOS-16.0/android_frameworks_base/377008.patch deleted file mode 100644 index 24642324..00000000 --- a/Patches/LineageOS-16.0/android_frameworks_base/377008.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Pawan Wagh -Date: Tue, 13 Jun 2023 17:37:26 +0000 -Subject: [PATCH] Use readUniqueFileDescriptor in incidentd service - -readFileDescriptor doesn't provide ownership of the fds. fdopen -needs ownership of the fds. Fds read from parcel should be duped -in this scenario and readUniqueFileDescriptor dups fds internally. - -Test: m incidentd_service_fuzzer && adb sync data && adb shell /data/fuzz/x86_64/incidentd_service_fuzzer/incidentd_service_fuzzer -Test: atest incidentd_test -Bug: 286931110 -Bug: 283699145 -(cherry picked from commit ba78ef276951269f7b024baebdf1b8fa40bedb23) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b4aaf180ee8f3e375c7ab411f03cf9c24c1d8055) -Merged-In: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e -Change-Id: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e ---- - cmds/incidentd/src/IncidentService.cpp | 20 ++++++++++++-------- - 1 file changed, 12 insertions(+), 8 deletions(-) - -diff --git a/cmds/incidentd/src/IncidentService.cpp b/cmds/incidentd/src/IncidentService.cpp -index e305b5462b77..cdff153e9b60 100644 ---- a/cmds/incidentd/src/IncidentService.cpp -+++ b/cmds/incidentd/src/IncidentService.cpp -@@ -261,9 +261,13 @@ status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel* - - switch (code) { - case SHELL_COMMAND_TRANSACTION: { -- int in = data.readFileDescriptor(); -- int out = data.readFileDescriptor(); -- int err = data.readFileDescriptor(); -+ unique_fd in, out, err; -+ if (status_t status = data.readUniqueFileDescriptor(&in); status != OK) return status; -+ -+ if (status_t status = data.readUniqueFileDescriptor(&out); status != OK) return status; -+ -+ if (status_t status = data.readUniqueFileDescriptor(&err); status != OK) return status; -+ - int argc = data.readInt32(); - Vector args; - for (int i = 0; i < argc && data.dataAvail() > 0; i++) { -@@ -273,15 +277,15 @@ status_t 
IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel* - sp resultReceiver = - IResultReceiver::asInterface(data.readStrongBinder()); - -- FILE* fin = fdopen(in, "r"); -- FILE* fout = fdopen(out, "w"); -- FILE* ferr = fdopen(err, "w"); -+ FILE* fin = fdopen(in.release(), "r"); -+ FILE* fout = fdopen(out.release(), "w"); -+ FILE* ferr = fdopen(err.release(), "w"); - - if (fin == NULL || fout == NULL || ferr == NULL) { - resultReceiver->send(NO_MEMORY); - } else { -- err = command(fin, fout, ferr, args); -- resultReceiver->send(err); -+ status_t result = command(fin, fout, ferr, args); -+ resultReceiver->send(result); - } - - if (fin != NULL) { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377009.patch b/Patches/LineageOS-16.0/android_frameworks_base/377009.patch deleted file mode 100644 index bcc023bf..00000000 --- a/Patches/LineageOS-16.0/android_frameworks_base/377009.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Pinyao Ting -Date: Mon, 24 Jul 2023 14:58:56 -0700 -Subject: [PATCH] Validate userId when publishing shortcuts - -Bug: 288110451 -Test: manual -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01bfd04ff445db6290ae430d44ea1bf1a115fe3c) -Merged-In: Idbde676f871db83825155730e3714f3727e25762 -Change-Id: Idbde676f871db83825155730e3714f3727e25762 ---- - services/core/java/com/android/server/pm/ShortcutService.java | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java -index e30da13d7d16..d97f653c8326 100644 ---- a/services/core/java/com/android/server/pm/ShortcutService.java -+++ b/services/core/java/com/android/server/pm/ShortcutService.java -@@ -1582,6 +1582,10 @@ public class ShortcutService extends IShortcutService.Stub { - android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, ""); - throw new SecurityException("Shortcut package name mismatch"); - } -+ final int callingUid = injectBinderCallingUid(); -+ if (UserHandle.getUserId(callingUid) != si.getUserId()) { -+ throw new SecurityException("User-ID in shortcut doesn't match the caller"); -+ } - } - - private void verifyShortcutInfoPackages( diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377010-backport.patch b/Patches/LineageOS-16.0/android_frameworks_base/377010-backport.patch deleted file mode 100644 index 7c1b6434..00000000 --- a/Patches/LineageOS-16.0/android_frameworks_base/377010-backport.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Beverly Tai -Date: Thu, 14 Sep 2023 20:50:28 +0000 -Subject: [PATCH] Revert "On device lockdown, always show the keyguard" - -This reverts commit b23c2d5fb6630ea0da503b937f62880594b13e94. - -Reason for revert: b/300463732 regression -Bug: 300463732 -Bug: 218495634 -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f57217125f2b124c16c463ef4507fb054cc1ba4f) -Merged-In: I31485d0d8caa3060e998636b071dbe03f6b4fc82 -Change-Id: I31485d0d8caa3060e998636b071dbe03f6b4fc82 ---- - .../systemui/keyguard/KeyguardViewMediator.java | 10 +--------- - 1 file changed, 1 insertion(+), 9 deletions(-) - -diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java -index 820c7eac715a..292e9e752052 100644 ---- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java -+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java -@@ -586,13 +586,6 @@ public class KeyguardViewMediator extends SystemUI { - notifyHasLockscreenWallpaperChanged(hasLockscreenWallpaper); - } - } -- -- @Override -- public void onStrongAuthStateChanged(int userId) { -- if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { -- doKeyguardLocked(null); -- } -- } - }; - - ViewMediatorCallback mViewMediatorCallback = new ViewMediatorCallback() { -@@ -1348,8 +1341,7 @@ public class KeyguardViewMediator extends SystemUI { - } - - // if another app is disabling us, don't show -- if (!mExternallyEnabled -- && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { -+ if (!mExternallyEnabled) { - if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled"); - - // note: we *should* set mNeedToReshowWhenReenabled=true here, but that makes 
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377011.patch b/Patches/LineageOS-16.0/android_frameworks_base/377011.patch deleted file mode 100644 index 704506a0..00000000 --- a/Patches/LineageOS-16.0/android_frameworks_base/377011.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Kunal Malhotra -Date: Thu, 2 Feb 2023 23:48:27 +0000 -Subject: [PATCH] Adding in verification of calling UID in onShellCommand - -Test: manual testing on device -Bug: b/261709193 -(cherry picked from commit b651d295b44eb82d664861b77f33dbde1bce9453) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3ef3f18ba3094c4cc4f954ba23d1da421f9ca8b0) -Merged-In: I68903ebd6d3d85f4bc820b745e3233a448b62273 -Change-Id: I68903ebd6d3d85f4bc820b745e3233a448b62273 ---- - .../java/com/android/server/am/ActivityManagerService.java | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java -index 44761a523abb..0a8c45cb16cf 100644 ---- a/services/core/java/com/android/server/am/ActivityManagerService.java -+++ b/services/core/java/com/android/server/am/ActivityManagerService.java -@@ -16250,6 +16250,13 @@ public class ActivityManagerService extends IActivityManager.Stub - public void onShellCommand(FileDescriptor in, FileDescriptor out, - FileDescriptor err, String[] args, ShellCallback callback, - ResultReceiver resultReceiver) { -+ final int callingUid = Binder.getCallingUid(); -+ if (callingUid != ROOT_UID && callingUid != Process.SHELL_UID) { -+ if (resultReceiver != null) { -+ resultReceiver.send(-1, null); -+ } -+ throw new SecurityException("Shell commands are only callable by root or shell"); -+ } - (new ActivityManagerShellCommand(this, false)).exec( - this, in, out, err, args, callback, resultReceiver); - } 
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/377012-backport.patch b/Patches/LineageOS-16.0/android_frameworks_base/377012-backport.patch deleted file mode 100644 index afb48338..00000000 --- a/Patches/LineageOS-16.0/android_frameworks_base/377012-backport.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Beverly Tai -Date: Tue, 19 Sep 2023 21:01:11 +0000 -Subject: [PATCH] Updated: always show the keyguard on device lockdown - -Additionally, don't hide keyguard when it's disabled if the user has locked -down the device. - -Manual test steps: - 1. Enable app pinning and disable "Ask for PIN before unpinning" setting - 2. Pin an app (ie: Settings) - 3. Lockdown from the power menu - 4. Observe: user is brought to the keyguard, primary auth is - required to enter the device. - => After entering correct credential, the device is still in - app pinning mode. - => After entering an incorrect credential, the keyguard remains - showing and the user can attempt again up to the limit - -Bug: 300463732 -Bug: 218495634 -Test: atest KeyguardViewMediatorTest -Test: manual -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:35a6e2f2c952440b1102033b2c3e496438503cff) -Merged-In: I70fdae80f717712b3dfc9df54b9649959b4bb8f0 -Change-Id: I70fdae80f717712b3dfc9df54b9649959b4bb8f0 ---- - .../systemui/keyguard/KeyguardViewMediator.java | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java -index 292e9e752052..c7d231f6f522 100644 ---- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java -+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java -@@ -571,6 +571,13 @@ public class KeyguardViewMediator extends SystemUI { - } - } - -+ @Override -+ public void onStrongAuthStateChanged(int userId) { -+ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { -+ doKeyguardLocked(null); -+ } -+ } -+ - @Override - public void onTrustChanged(int userId) { - if (userId == KeyguardUpdateMonitor.getCurrentUser()) { 
-@@ -1129,6 +1136,10 @@ public class KeyguardViewMediator extends SystemUI { - mExternallyEnabled = enabled; - - if (!enabled && mShowing) { -+ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { -+ Log.d(TAG, "keyguardEnabled(false) overridden by user lockdown"); -+ return; -+ } - if (mExitSecureCallback != null) { - if (DEBUG) Log.d(TAG, "in process of verifyUnlock request, ignoring"); - // we're in the process of handling a request to verify the user -@@ -1340,8 +1351,9 @@ public class KeyguardViewMediator extends SystemUI { - return; - } - -- // if another app is disabling us, don't show -- if (!mExternallyEnabled) { -+ // if another app is disabling us, don't show unless we're in lockdown mode -+ if (!mExternallyEnabled -+ && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { - if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled"); - - // note: we *should* set mNeedToReshowWhenReenabled=true here, but that makes diff --git a/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/377014-backport.patch b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/377014-backport.patch deleted file mode 100644 index 8fbbe903..00000000 --- a/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/377014-backport.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Brian Delwiche -Date: Thu, 5 Oct 2023 00:01:03 +0000 -Subject: [PATCH] Fix UAF in ~CallbackEnv - -com_android_bluetooth_btservice_AdapterService does not null its local -JNI environment variable after detaching the thread (which frees the -environment context), allowing UAF under certain conditions. - -Null the variable in this case. - -Testing here was done through a custom unit test; see patchsets 4-6 for -contents. However, unit testing of the JNI layer is problematic in -production, so that part of the patch is omitted for final merge. - -Bug: 291500341 -Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm -Tag: #security -Ignore-AOSP-First: Security -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f543d919c4067f2f4925580fd8a690ba3440e80) -Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030 -Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030 ---- - jni/com_android_bluetooth_btservice_AdapterService.cpp | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp -index f88a675b7..8faf670ce 100644 ---- a/jni/com_android_bluetooth_btservice_AdapterService.cpp -+++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp -@@ -406,6 +406,7 @@ static void callback_thread_event(bt_cb_thread_evt event) { - return; - } - vm->DetachCurrentThread(); -+ callbackEnv = NULL; - } - } - diff --git a/Patches/LineageOS-16.0/android_packages_apps_Trebuchet/377015.patch b/Patches/LineageOS-16.0/android_packages_apps_Trebuchet/377015.patch deleted file mode 100644 index 76e37478..00000000 --- a/Patches/LineageOS-16.0/android_packages_apps_Trebuchet/377015.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Pinyao Ting -Date: Tue, 12 Sep 2023 22:37:16 +0000 -Subject: [PATCH] Fix permission bypass in legacy shortcut - -Intent created for Chooser should not be allowed in legacy shortcuts -since it doesn't make sense for user to tap on a shortcut in homescreen -to share, the expected share flow started from ShareSheet. - -Bug: 295334906, 295045199 -Test: manual -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b7b192bd7f24a2aa7d6881ee949657c9760c0305) -Merged-In: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa -Change-Id: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa ---- - .../android/launcher3/util/PackageManagerHelper.java | 11 ++--------- - 1 file changed, 2 insertions(+), 9 deletions(-) - -diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java -index 4eac947fd0..96c636a8e7 100644 ---- a/src/com/android/launcher3/util/PackageManagerHelper.java -+++ b/src/com/android/launcher3/util/PackageManagerHelper.java -@@ -118,15 +118,8 @@ public class PackageManagerHelper { - public boolean hasPermissionForActivity(Intent intent, String srcPackage) { - // b/270152142 - if (Intent.ACTION_CHOOSER.equals(intent.getAction())) { -- final Bundle extras = intent.getExtras(); -- if (extras == null) { -- return true; -- } -- // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT -- intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT); -- if (intent == null) { -- return true; -- } -+ // Chooser shortcuts is not a valid target -+ return false; - } - ResolveInfo target = mPm.resolveActivity(intent, 0); - if (target == null) { diff --git a/Patches/LineageOS-16.0/android_packages_services_Telecomm/377016-backport.patch b/Patches/LineageOS-16.0/android_packages_services_Telecomm/377016-backport.patch deleted file mode 100644 index a4ef1b8e..00000000 
--- a/Patches/LineageOS-16.0/android_packages_services_Telecomm/377016-backport.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Pranav Madapurmath -Date: Wed, 5 Apr 2023 21:36:12 +0000 -Subject: [PATCH] Resolve account image icon profile boundary exploit. - -Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit -is possible where the user can upload an image icon (belonging to -another user) via registering a phone account. This CL provides a -lightweight solution for parsing the image URI to detect profile -exploitation. - -Fixes: 273502295 -Fixes: 296915211 -Test: Unit test to enforce successful/failure path -(cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7) -(cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42) -Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5 -Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5 ---- - .../server/telecom/TelecomServiceImpl.java | 22 +++++++++++++++++++ - .../telecom/tests/TelecomServiceImplTest.java | 21 ++++++++++++++++++ - 2 files changed, 43 insertions(+) - -diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java -index 74a7d840b..14804f0d3 100644 ---- a/src/com/android/server/telecom/TelecomServiceImpl.java -+++ b/src/com/android/server/telecom/TelecomServiceImpl.java -@@ -36,6 +36,7 @@ import android.content.pm.PackageManager; - import android.content.res.Resources; - import android.content.pm.ParceledListSlice; - import android.content.pm.ResolveInfo; -+import android.graphics.drawable.Icon; - import android.net.Uri; - import android.os.Binder; - import android.os.Bundle; -@@ -469,6 +470,9 @@ public class TelecomServiceImpl { - enforceRegisterMultiUser(); - } - enforceUserHandleMatchesCaller(account.getAccountHandle()); -+ // Validate the profile boundary of the given image URI. 
-+ validateAccountIconUserBoundary(account.getIcon()); -+ - final long token = Binder.clearCallingIdentity(); - try { - mPhoneAccountRegistrar.registerPhoneAccount(account); -@@ -1820,4 +1824,22 @@ public class TelecomServiceImpl { - // If only TX or RX were set (or neither), the video state is valid. - return remainingState == 0; - } -+ -+ private void validateAccountIconUserBoundary(Icon icon) { -+ // Refer to Icon#getUriString for context. The URI string is invalid for icons of -+ // incompatible types. -+ if (icon != null && (icon.getType() == Icon.TYPE_URI -+ /*|| icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP*/)) { -+ String encodedUser = icon.getUri().getEncodedUserInfo(); -+ // If there is no encoded user, the URI is calling into the calling user space -+ if (encodedUser != null) { -+ int userId = Integer.parseInt(encodedUser); -+ if (userId != UserHandle.getUserId(Binder.getCallingUid())) { -+ // If we are transcending the profile boundary, throw an error. -+ throw new IllegalArgumentException("Attempting to register a phone account with" -+ + " an image icon belonging to another user."); -+ } -+ } -+ } -+ } - } -diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java -index 521d05aae..8aa6f806c 100644 ---- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java -+++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java -@@ -29,6 +29,7 @@ import android.content.Context; - import android.content.Intent; - import android.content.pm.ApplicationInfo; - import android.content.pm.PackageManager; -+import android.graphics.drawable.Icon; - import android.net.Uri; - import android.os.Binder; - import android.os.Bundle; -@@ -501,6 +502,26 @@ public class TelecomServiceImplTest extends TelecomTestCase { - } - } - -+ @SmallTest -+ @Test -+ public void testRegisterPhoneAccountImageIconCrossUser() throws RemoteException { -+ String 
packageNameToUse = "com.android.officialpackage"; -+ PhoneAccountHandle phHandle = new PhoneAccountHandle(new ComponentName( -+ packageNameToUse, "cs"), "test", Binder.getCallingUserHandle()); -+ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/"); -+ PhoneAccount phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build(); -+ doReturn(PackageManager.PERMISSION_GRANTED) -+ .when(mContext).checkCallingOrSelfPermission(MODIFY_PHONE_STATE); -+ -+ // This should fail; security exception will be thrown. -+ registerPhoneAccountTestHelper(phoneAccount, false); -+ -+ icon = Icon.createWithContentUri("content://0@media/external/images/media/"); -+ phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build(); -+ // This should succeed. -+ registerPhoneAccountTestHelper(phoneAccount, true); -+ } -+ - @SmallTest - @Test - public void testUnregisterPhoneAccount() throws RemoteException { diff --git a/Patches/LineageOS-16.0/android_system_bt/377017.patch b/Patches/LineageOS-16.0/android_system_bt/377017.patch deleted file mode 100644 index 5bef4988..00000000 --- a/Patches/LineageOS-16.0/android_system_bt/377017.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Hui Peng -Date: Sat, 2 Sep 2023 04:20:10 +0000 -Subject: [PATCH] Reject access to secure service authenticated from a temp - bonding [1] - -Rejecct access to services running on l2cap - -Backport of -Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 - -Bug: 294854926 -Test: m com.android.btservices -Ignore-AOSP-First: security -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d) -Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 -Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 ---- - stack/btm/btm_sec.cc | 38 ++++++++++++++++++++++++++++++++++---- - 1 file changed, 34 insertions(+), 4 deletions(-) - -diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc -index 899b6b908..a4d916cc3 100644 ---- a/stack/btm/btm_sec.cc -+++ b/stack/btm/btm_sec.cc -@@ -98,7 +98,7 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type, - uint32_t mx_proto_id, - uint32_t mx_chan_id); - --static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec); -+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec); - static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec); - static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec); - static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec, -@@ -140,7 +140,7 @@ static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = { - * Returns bool true or false - * - ******************************************************************************/ --static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) { -+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec) { - if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) { - return (true); - } -@@ -214,6 +214,25 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec, - return (false); - } - -+/******************************************************************************* -+ * -+ * 
Function access_secure_service_from_temp_bond -+ * -+ * Description a utility function to test whether an access to -+ * secure service from temp bonding is happening -+ * -+ * Returns true if the aforementioned condition holds, -+ * false otherwise -+ * -+ ******************************************************************************/ -+static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec, -+ bool locally_initiated, -+ uint16_t security_req) { -+ return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) && -+ btm_dev_authenticated(p_dev_rec) && -+ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY; -+} -+ - /******************************************************************************* - * - * Function BTM_SecRegister -@@ -2075,9 +2094,13 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm, - } - - if (rc == BTM_SUCCESS) { -+ if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required)) { -+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting"); -+ rc = BTM_FAILED_ON_SECURITY; -+ } - if (p_callback) -- (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS); -- return (BTM_SUCCESS); -+ (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc); -+ return (rc); - } - } - -@@ -5133,6 +5156,13 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) { - } - } - -+ if (access_secure_service_from_temp_bond(p_dev_rec, -+ p_dev_rec->is_originator, -+ p_dev_rec->security_required)) { -+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting"); -+ return (BTM_FAILED_ON_SECURITY); -+ } -+ - /* All required security procedures already established */ - p_dev_rec->security_required &= - ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE | diff --git a/Patches/LineageOS-16.0/android_system_bt/377018.patch b/Patches/LineageOS-16.0/android_system_bt/377018.patch deleted file mode 100644 index b0e8c4b4..00000000 
--- a/Patches/LineageOS-16.0/android_system_bt/377018.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng
-Date: Sat, 2 Sep 2023 04:27:29 +0000
-Subject: [PATCH] Reject access to secure services authenticated from temp
- bonding [2]
-
-Reject access to service running on rfcomm
-
-this is a backport of
-I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
-
-Bug: 294854926
-Test: m com.android.btservices
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5e0e907ec4948f06b3a35ecf08725c020d533ccb)
-Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
-Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
----
- stack/btm/btm_sec.cc | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
-index a4d916cc3..bce9eae06 100644
---- a/stack/btm/btm_sec.cc
-+++ b/stack/btm/btm_sec.cc
-@@ -2423,6 +2423,11 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
- mx_chan_id, p_callback, p_ref_data);
- } else /* rc == BTM_SUCCESS */
- {
-+ if (access_secure_service_from_temp_bond(p_dev_rec,
-+ is_originator, security_required)) {
-+ LOG_ERROR(LOG_TAG, "Trying to access a secure rfcomm service from a temp bonding, reject");
-+ rc = BTM_FAILED_ON_SECURITY;
-+ }
- /* access granted */
- if (p_callback) {
- (*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc);
diff --git a/Patches/LineageOS-16.0/android_system_bt/377019.patch b/Patches/LineageOS-16.0/android_system_bt/377019.patch
deleted file mode 100644
index d85ba587..00000000
--- a/Patches/LineageOS-16.0/android_system_bt/377019.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng
-Date: Tue, 12 Sep 2023 23:47:48 +0000
-Subject: [PATCH] Reject access to secure service authenticated from a temp
- bonding [3]
-
-Allow access to rfcomm PSM by default
-
-Original bug
-Bug: 294854926
-
-Nearby regressions:
-Bug: 298539299
-
-Test: m com.android.btservices
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab986fe4165aae74c5915f57ad2e78bf80f1d3ec)
-Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
-Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
----
- stack/btm/btm_sec.cc | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
-index bce9eae06..41f81631e 100644
---- a/stack/btm/btm_sec.cc
-+++ b/stack/btm/btm_sec.cc
-@@ -2117,15 +2117,15 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
- btm_cb.security_mode == BTM_SEC_MODE_SC) {
- if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
- if (is_originator) {
-- /* SM4 to SM4 -> always authenticate & encrypt */
-- security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
-+ /* SM4 to SM4 -> always encrypt */
-+ security_required |= BTM_SEC_OUT_ENCRYPT;
- } else /* acceptor */
- {
- /* SM4 to SM4: the acceptor needs to make sure the authentication is
- * already done */
- chk_acp_auth_done = true;
-- /* SM4 to SM4 -> always authenticate & encrypt */
-- security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
-+ /* SM4 to SM4 -> always encrypt */
-+ security_required |= BTM_SEC_IN_ENCRYPT;
- }
- } else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) {
- /* the remote features are not known yet */
diff --git a/Patches/LineageOS-16.0/android_system_bt/377020.patch b/Patches/LineageOS-16.0/android_system_bt/377020.patch
deleted file mode 100644
index 0ec4548a..00000000
--- a/Patches/LineageOS-16.0/android_system_bt/377020.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng
-Date: Tue, 12 Sep 2023 23:54:08 +0000
-Subject: [PATCH] Reorganize the code for checking auth requirement
-
-Original bug
-Bug: 294854926
-
-regressions:
-Bug: 299570702
-
-Test: Test: m com.android.btservices
-Test: QA validation
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0c488b2420befe0f8038957861072a8e63702f91)
-Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
-Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
----
- stack/btm/btm_sec.cc | 93 ++++++++++++++++++++++++++------------------
- 1 file changed, 56 insertions(+), 37 deletions(-)
-
-diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
-index 41f81631e..b8a423d28 100644
---- a/stack/btm/btm_sec.cc
-+++ b/stack/btm/btm_sec.cc
-@@ -5076,46 +5076,65 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
-
- /* If connection is not authenticated and authentication is required */
- /* start authentication and return PENDING to the caller */
-- if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) &&
-- ((p_dev_rec->is_originator &&
-- (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) ||
-- (!p_dev_rec->is_originator &&
-- (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))) ||
-- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
-- (!p_dev_rec->is_originator &&
-- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) &&
-- (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) {
--/*
-- * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
-- * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
-- * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
-- * authenticated connections, hence we cannot distinguish here.
-- */
--
-- BTM_TRACE_EVENT("Security Manager: Start authentication");
-+ if (p_dev_rec->hci_handle != HCI_INVALID_HANDLE) {
-+ bool start_auth = false;
-+
-+ // Check link status of BR/EDR
-+ if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
-+ if (p_dev_rec->is_originator) {
-+ if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) {
-+ LOG_DEBUG(LOG_TAG, "Outgoing authentication Required");
-+ start_auth = true;
-+ }
-+ } else {
-+ if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) {
-+ LOG_DEBUG(LOG_TAG, "Incoming authentication Required");
-+ start_auth = true;
-+ }
-+ }
-+ }
-
-- /*
-- * If we do have a link-key, but we end up here because we need an
-- * upgrade, then clear the link-key known and authenticated flag before
-- * restarting authentication.
-- * WARNING: If the controller has link-key, it is optional and
-- * recommended for the controller to send a Link_Key_Request.
-- * In case we need an upgrade, the only alternative would be to delete
-- * the existing link-key. That could lead to very bad user experience
-- * or even IOP issues, if a reconnect causes a new connection that
-- * requires an upgrade.
-- */
-- if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) &&
-- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
-- (!p_dev_rec->is_originator &&
-- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
-- p_dev_rec->sec_flags &=
-- ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
-- BTM_SEC_AUTHENTICATED);
-+ if (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)) {
-+ /*
-+ * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
-+ * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
-+ * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
-+ * authenticated connections, hence we cannot distinguish here.
-+ */
-+ if (!p_dev_rec->is_originator) {
-+ if (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) {
-+ LOG_DEBUG(LOG_TAG, "BTM_SEC_IN_MIN_16_DIGIT_PIN Required");
-+ start_auth = true;
-+ }
-+ }
- }
-
-- btm_sec_start_authentication(p_dev_rec);
-- return (BTM_CMD_STARTED);
-+ if (start_auth) {
-+ LOG_DEBUG(LOG_TAG, "Security Manager: Start authentication");
-+
-+ /*
-+ * If we do have a link-key, but we end up here because we need an
-+ * upgrade, then clear the link-key known and authenticated flag before
-+ * restarting authentication.
-+ * WARNING: If the controller has link-key, it is optional and
-+ * recommended for the controller to send a Link_Key_Request.
-+ * In case we need an upgrade, the only alternative would be to delete
-+ * the existing link-key. That could lead to very bad user experience
-+ * or even IOP issues, if a reconnect causes a new connection that
-+ * requires an upgrade.
-+ */
-+ if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) &&
-+ (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
-+ (!p_dev_rec->is_originator &&
-+ (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
-+ p_dev_rec->sec_flags &=
-+ ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
-+ BTM_SEC_AUTHENTICATED);
-+ }
-+
-+ btm_sec_start_authentication(p_dev_rec);
-+ return (BTM_CMD_STARTED);
-+ }
- }
-
- /* If connection is not encrypted and encryption is required */
diff --git a/Patches/LineageOS-16.0/android_system_bt/377021.patch b/Patches/LineageOS-16.0/android_system_bt/377021.patch
deleted file mode 100644
index e097021b..00000000
--- a/Patches/LineageOS-16.0/android_system_bt/377021.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng
-Date: Wed, 13 Sep 2023 00:00:44 +0000
-Subject: [PATCH] Enforce authentication if encryption is required
-
-Original bug
-Bug: 294854926
-
-regressions:
-Bug: 299570702
-Bug: 299561281
-
-Test: Test: m com.android.btservices
-Test: QA validation
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:778d3fb3fb520e54425ecefe9a28453002053553)
-Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa
-Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa
----
- stack/btm/btm_sec.cc | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
-index b8a423d28..71f737ebf 100644
---- a/stack/btm/btm_sec.cc
-+++ b/stack/btm/btm_sec.cc
-@@ -5082,13 +5082,15 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
- // Check link status of BR/EDR
- if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
- if (p_dev_rec->is_originator) {
-- if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) {
-- LOG_DEBUG(LOG_TAG, "Outgoing authentication Required");
-+ if (p_dev_rec->security_required &
-+ (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) {
-+ LOG_DEBUG(LOG_TAG, "Outgoing authentication/encryption Required");
- start_auth = true;
- }
- } else {
-- if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) {
-- LOG_DEBUG(LOG_TAG, "Incoming authentication Required");
-+ if (p_dev_rec->security_required &
-+ (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) {
-+ LOG_DEBUG(LOG_TAG, "Incoming authentication/encryption Required");
- start_auth = true;
- }
- }
diff --git a/Patches/LineageOS-16.0/android_system_bt/377023-backport.patch b/Patches/LineageOS-16.0/android_system_bt/377023-backport.patch
deleted file mode 100644
index cd39cffe..00000000
--- a/Patches/LineageOS-16.0/android_system_bt/377023-backport.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Brian Delwiche
-Date: Tue, 3 Oct 2023 21:27:49 +0000
-Subject: [PATCH] Fix timing attack in BTM_BleVerifySignature
-
-BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
-to be deduced through a side-channel attack.
-
-Change to CRYPTO_memcmp, which is hardened against this attack, to
-eliminate this attack.
-
-Bug: 274478807
-Test: atest bluetooth_test_gd_unit
-Tag: #security
-Ignore-AOSP-First: Security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)
-Merged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c
-Change-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c
----
- stack/Android.bp | 1 +
- stack/btm/btm_ble.cc | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/stack/Android.bp b/stack/Android.bp
-index 03e2c940b..93c989ff5 100644
---- a/stack/Android.bp
-+++ b/stack/Android.bp
-@@ -179,6 +179,7 @@ cc_library_static {
- "libcutils",
- "liblog",
- "libstatslog",
-+ "libcrypto",
- ],
- required: [
- "libldacBT_enc",
-diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc
-index 48f4496b1..82699286a 100644
---- a/stack/btm/btm_ble.cc
-+++ b/stack/btm/btm_ble.cc
-@@ -41,6 +41,7 @@
- #include "hcimsgs.h"
- #include "log/log.h"
- #include "l2c_int.h"
-+#include "openssl/mem.h"
- #include "osi/include/log.h"
- #include "osi/include/osi.h"
- #include "smp_api.h"
-@@ -2261,7 +2262,7 @@ bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,
-
- if (aes_cipher_msg_auth_code(p_rec->ble.keys.pcsrk, p_orig, len,
- BTM_CMAC_TLEN_SIZE, p_mac)) {
-- if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
-+ if (CRYPTO_memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
- btm_ble_increment_sign_ctr(bd_addr, false);
- verified = true;
- }
diff --git a/Patches/LineageOS-17.1/android_frameworks_av/376999-backport.patch b/Patches/LineageOS-17.1/android_frameworks_av/376999-backport.patch
deleted file mode 100644
index 727e3214..00000000
--- a/Patches/LineageOS-17.1/android_frameworks_av/376999-backport.patch
+++ /dev/null
@@ -1,104 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Toni Heidenreich -Date: Wed, 6 Sep 2023 12:49:33 +0000 -Subject: [PATCH] httplive: fix use-after-free - -Implement a mutex to ensure secure multi-threaded -access to the KeyedVector in MetaDataBase. -Concurrent access by different threads can lead -to accessing the wrong memory location due to -potential changes in the vector - -Bug: 298057702 -Test: HTTP Live Streaming test -(cherry picked from https://partner-android-review.googlesource.com/q/commit:a2dfb31957a9d5358d0219a0eda7dcb5b0fff5fe) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90fb4ca425444429ada6ce0de1c13d35829bc196) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c1d9613ef64e01d2e81c4aa44c90dcd8ca958b9) -Merged-In: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a -Change-Id: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a ---- - media/libstagefright/foundation/MetaDataBase.cpp | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/media/libstagefright/foundation/MetaDataBase.cpp b/media/libstagefright/foundation/MetaDataBase.cpp -index bfea6f1537..a3c623e354 100644 ---- a/media/libstagefright/foundation/MetaDataBase.cpp -+++ b/media/libstagefright/foundation/MetaDataBase.cpp -@@ -24,6 +24,8 @@ - #include - #include - -+#include -+ - #include - #include - #include -@@ -75,6 +77,7 @@ struct MetaDataBase::Rect { - - - struct MetaDataBase::MetaDataInternal { -+ std::mutex mLock; - KeyedVector mItems; - }; - -@@ -99,10 +102,12 @@ MetaDataBase::~MetaDataBase() { - } - - void MetaDataBase::clear() { -+ std::lock_guard guard(mInternalData->mLock); - mInternalData->mItems.clear(); - } - - bool MetaDataBase::remove(uint32_t key) { -+ std::lock_guard guard(mInternalData->mLock); - ssize_t i = mInternalData->mItems.indexOfKey(key); - - if (i < 0) { -@@ -249,6 +254,7 @@ bool MetaDataBase::setData( - uint32_t key, uint32_t type, const void *data, size_t 
size) { - bool overwrote_existing = true; - -+ std::lock_guard guard(mInternalData->mLock); - ssize_t i = mInternalData->mItems.indexOfKey(key); - if (i < 0) { - typed_data item; -@@ -266,6 +272,7 @@ bool MetaDataBase::setData( - - bool MetaDataBase::findData(uint32_t key, uint32_t *type, - const void **data, size_t *size) const { -+ std::lock_guard guard(mInternalData->mLock); - ssize_t i = mInternalData->mItems.indexOfKey(key); - - if (i < 0) { -@@ -280,6 +287,7 @@ bool MetaDataBase::findData(uint32_t key, uint32_t *type, - } - - bool MetaDataBase::hasData(uint32_t key) const { -+ std::lock_guard guard(mInternalData->mLock); - ssize_t i = mInternalData->mItems.indexOfKey(key); - - if (i < 0) { -@@ -426,6 +434,7 @@ static void MakeFourCCString(uint32_t x, char *s) { - - String8 MetaDataBase::toString() const { - String8 s; -+ std::lock_guard guard(mInternalData->mLock); - for (int i = mInternalData->mItems.size(); --i >= 0;) { - int32_t key = mInternalData->mItems.keyAt(i); - char cc[5]; -@@ -440,6 +449,7 @@ String8 MetaDataBase::toString() const { - } - - void MetaDataBase::dumpToLog() const { -+ std::lock_guard guard(mInternalData->mLock); - for (int i = mInternalData->mItems.size(); --i >= 0;) { - int32_t key = mInternalData->mItems.keyAt(i); - char cc[5]; -@@ -451,6 +461,7 @@ void MetaDataBase::dumpToLog() const { - - status_t MetaDataBase::writeToParcel(Parcel &parcel) { - status_t ret; -+ std::lock_guard guard(mInternalData->mLock); - size_t numItems = mInternalData->mItems.size(); - ret = parcel.writeUint32(uint32_t(numItems)); - if (ret) { diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377001.patch b/Patches/LineageOS-17.1/android_frameworks_base/377001.patch deleted file mode 100644 index 7375e8ab..00000000 --- a/Patches/LineageOS-17.1/android_frameworks_base/377001.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= -Date: Wed, 5 Jul 2023 13:52:21 +0200 -Subject: [PATCH] Visit Uris added by WearableExtender - -Bug: 283962802 -Test: atest + manual (POC app now crashes on notify() as expected) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a6f44e911f2d7204cc28c710e54f97c96231abab) -Merged-In: I0da18c631eb5e4844a48760c7aaedab715a0bfed -Change-Id: I0da18c631eb5e4844a48760c7aaedab715a0bfed ---- - core/java/android/app/Notification.java | 17 +++++++++++++++- - .../NotificationManagerServiceTest.java | 20 +++++++++++++++++++ - 2 files changed, 36 insertions(+), 1 deletion(-) - -diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java -index d8eefc3d3be4..9d0a5e93e2d8 100644 ---- a/core/java/android/app/Notification.java -+++ b/core/java/android/app/Notification.java -@@ -1790,6 +1790,10 @@ public class Notification implements Parcelable - } - } - -+ private void visitUris(@NonNull Consumer visitor) { -+ visitIconUri(visitor, getIcon()); -+ } -+ - @Override - public Action clone() { - return new Action( -@@ -2467,7 +2471,7 @@ public class Notification implements Parcelable - - if (actions != null) { - for (Action action : actions) { -- visitIconUri(visitor, action.getIcon()); -+ action.visitUris(visitor); - } - } - -@@ -2501,6 +2505,11 @@ public class Notification implements Parcelable - if (mBubbleMetadata != null) { - visitIconUri(visitor, mBubbleMetadata.getIcon()); - } -+ -+ if (extras != null && extras.containsKey(WearableExtender.EXTRA_WEARABLE_EXTENSIONS)) { -+ WearableExtender extender = new WearableExtender(this); -+ extender.visitUris(visitor); -+ } - } - - /** -@@ -9818,6 +9827,12 @@ public class Notification implements Parcelable - mFlags &= ~mask; - } - } -+ -+ private void visitUris(@NonNull Consumer visitor) { -+ for (Action action : mActions) { -+ 
action.visitUris(visitor); -+ } -+ } - } - - /** -diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java -index 34550bb52a52..61297cf67ee0 100755 ---- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java -+++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java -@@ -3528,6 +3528,26 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { - verify(visitor, times(1)).accept(eq(personIcon3.getUri())); - } - -+ @Test -+ public void testVisitUris_wearableExtender() { -+ Icon actionIcon = Icon.createWithContentUri("content://media/action"); -+ Icon wearActionIcon = Icon.createWithContentUri("content://media/wearAction"); -+ PendingIntent intent = PendingIntent.getActivity(mContext, 0, new Intent(), -+ PendingIntent.FLAG_IMMUTABLE); -+ Notification n = new Notification.Builder(mContext, "a") -+ .setSmallIcon(android.R.drawable.sym_def_app_icon) -+ .addAction(new Notification.Action.Builder(actionIcon, "Hey!", intent).build()) -+ .extend(new Notification.WearableExtender().addAction( -+ new Notification.Action.Builder(wearActionIcon, "Wear!", intent).build())) -+ .build(); -+ -+ Consumer visitor = (Consumer) spy(Consumer.class); -+ n.visitUris(visitor); -+ -+ verify(visitor).accept(eq(actionIcon.getUri())); -+ verify(visitor).accept(eq(wearActionIcon.getUri())); -+ } -+ - @Test - public void testSetNotificationPolicy_preP_setOldFields() { - ZenModeHelper mZenModeHelper = mock(ZenModeHelper.class); diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377002.patch b/Patches/LineageOS-17.1/android_frameworks_base/377002.patch deleted file mode 100644 index 9a8753df..00000000 --- a/Patches/LineageOS-17.1/android_frameworks_base/377002.patch +++ /dev/null 
@@ -1,26 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Lifu Tang
-Date: Wed, 5 Jul 2023 13:03:00 -0700
-Subject: [PATCH] Fix bypass BAL via `requestGeofence`
-
-Bug: 273729172
-Test: manually
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7f9be7c3c859dc82d37452570d9878b58f6437a9)
-Merged-In: Ia8094244f908b20d42711b6ea8f58f9b3345b563
-Change-Id: Ia8094244f908b20d42711b6ea8f58f9b3345b563
----
- services/core/java/com/android/server/PendingIntentUtils.java | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/services/core/java/com/android/server/PendingIntentUtils.java b/services/core/java/com/android/server/PendingIntentUtils.java
-index 1600101b20f4..a72a4d254a2a 100644
---- a/services/core/java/com/android/server/PendingIntentUtils.java
-+++ b/services/core/java/com/android/server/PendingIntentUtils.java
-@@ -34,6 +34,7 @@ public class PendingIntentUtils {
- public static Bundle createDontSendToRestrictedAppsBundle(@Nullable Bundle bundle) {
- final BroadcastOptions options = BroadcastOptions.makeBasic();
- options.setDontSendToRestrictedApps(true);
-+ options.setPendingIntentBackgroundActivityLaunchAllowed(false);
- if (bundle == null) {
- return options.toBundle();
- }
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377004-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/377004-backport.patch
deleted file mode 100644
index 2c21ab21..00000000
--- a/Patches/LineageOS-17.1/android_frameworks_base/377004-backport.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Kweku Adams
-Date: Fri, 23 Sep 2022 21:06:53 +0000
-Subject: [PATCH] RESTRICT AUTOMERGE: Drop invalid data.
-
-Drop invalid data when writing or reading from XML. PersistableBundle
-does lazy unparcelling, so checking the values during unparcelling would
-remove the benefit of the lazy unparcelling. Checking the validity when
-writing to or reading from XML seems like the best alternative.
-
-Bug: 246542285
-Bug: 247513680
-Test: install test app with invalid job config, start app to schedule job, then check logcat and jobscheduler persisted file
-(cherry picked from commit 666e8ac60a31e2cc52b335b41004263f28a8db06)
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b37ab21ce27746a79a2071deee98c61b23c8d9)
-Merged-In: Ie817aa0993e9046cb313a750d2323cadc8c1ef15
-Change-Id: Ie817aa0993e9046cb313a750d2323cadc8c1ef15
----
- core/java/android/os/PersistableBundle.java | 42 +++++++++++++++++----
- 1 file changed, 34 insertions(+), 8 deletions(-)
-
-diff --git a/core/java/android/os/PersistableBundle.java b/core/java/android/os/PersistableBundle.java
-index 6f1bf71f187b..3e6312754359 100644
---- a/core/java/android/os/PersistableBundle.java
-+++ b/core/java/android/os/PersistableBundle.java
-@@ -18,6 +18,7 @@ package android.os;
-
- import android.annotation.Nullable;
- import android.util.ArrayMap;
-+import android.util.Slog;
- import android.util.proto.ProtoOutputStream;
-
- import com.android.internal.util.XmlUtils;
-@@ -38,6 +39,8 @@ import java.util.ArrayList;
- */
- public final class PersistableBundle extends BaseBundle implements Cloneable, Parcelable,
- XmlUtils.WriteMapCallback {
-+ private static final String TAG = "PersistableBundle";
-+
- private static final String TAG_PERSISTABLEMAP = "pbundle_as_map";
- public static final PersistableBundle EMPTY;
-
-@@ -100,7 +103,11 @@ public final class PersistableBundle extends BaseBundle
implements Cloneable, Pa - * @hide - */ - public PersistableBundle(Bundle b) { -- this(b.getMap()); -+ this(b, true); -+ } -+ -+ private PersistableBundle(Bundle b, boolean throwException) { -+ this(b.getMap(), throwException); - } - - /** -@@ -109,7 +116,7 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa - * @param map a Map containing only those items that can be persisted. - * @throws IllegalArgumentException if any element of #map cannot be persisted. - */ -- private PersistableBundle(ArrayMap map) { -+ private PersistableBundle(ArrayMap map, boolean throwException) { - super(); - mFlags = FLAG_DEFUSABLE; - -@@ -118,16 +125,23 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa - - // Now verify each item throwing an exception if there is a violation. - final int N = mMap.size(); -- for (int i=0; i= 0; --i) { - Object value = mMap.valueAt(i); - if (value instanceof ArrayMap) { - // Fix up any Maps by replacing them with PersistableBundles. 
-- mMap.setValueAt(i, new PersistableBundle((ArrayMap) value));
-+ mMap.setValueAt(i,
-+ new PersistableBundle((ArrayMap) value, throwException));
- } else if (value instanceof Bundle) {
-- mMap.setValueAt(i, new PersistableBundle(((Bundle) value)));
-+ mMap.setValueAt(i, new PersistableBundle((Bundle) value, throwException));
- } else if (!isValidType(value)) {
-- throw new IllegalArgumentException("Bad value in PersistableBundle key="
-- + mMap.keyAt(i) + " value=" + value);
-+ final String errorMsg = "Bad value in PersistableBundle key="
-+ + mMap.keyAt(i) + " value=" + value;
-+ if (throwException) {
-+ throw new IllegalArgumentException(errorMsg);
-+ } else {
-+ Slog.wtfStack(TAG, errorMsg);
-+ mMap.removeAt(i);
-+ }
- }
- }
- }
-@@ -242,6 +256,15 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
- /** @hide */
- public void saveToXml(XmlSerializer out) throws IOException, XmlPullParserException {
- unparcel();
-+ // Explicitly drop invalid types an attacker may have added before persisting.
-+ for (int i = mMap.size() - 1; i >= 0; --i) {
-+ final Object value = mMap.valueAt(i);
-+ if (!isValidType(value)) {
-+ Slog.e(TAG, "Dropping bad data before persisting: "
-+ + mMap.keyAt(i) + "=" + value);
-+ mMap.removeAt(i);
-+ }
-+ }
- XmlUtils.writeMapXml(mMap, out, this);
- }
-
-@@ -290,9 +313,12 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
- while (((event = in.next()) != XmlPullParser.END_DOCUMENT) &&
- (event != XmlPullParser.END_TAG || in.getDepth() < outerDepth)) {
- if (event == XmlPullParser.START_TAG) {
-+ // Don't throw an exception when restoring from XML since an attacker could try to
-+ // input invalid data in the persisted file.
- return new PersistableBundle((ArrayMap)
- XmlUtils.readThisArrayMapXml(in, startTag, tagName,
-- new MyReadMapCallback()));
-+ new MyReadMapCallback()),
-+ /* throwException */ false);
- }
- }
- return EMPTY;
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377008.patch b/Patches/LineageOS-17.1/android_frameworks_base/377008.patch
deleted file mode 100644
index 203ee0b5..00000000
--- a/Patches/LineageOS-17.1/android_frameworks_base/377008.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Pawan Wagh
-Date: Tue, 13 Jun 2023 17:37:26 +0000
-Subject: [PATCH] Use readUniqueFileDescriptor in incidentd service
-
-readFileDescriptor doesn't provide ownership of the fds. fdopen
-needs ownership of the fds. Fds read from parcel should be duped
-in this scenario and readUniqueFileDescriptor dups fds internally.
-
-Test: m incidentd_service_fuzzer && adb sync data && adb shell /data/fuzz/x86_64/incidentd_service_fuzzer/incidentd_service_fuzzer
-Test: atest incidentd_test
-Bug: 286931110
-Bug: 283699145
-(cherry picked from commit ba78ef276951269f7b024baebdf1b8fa40bedb23)
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b4aaf180ee8f3e375c7ab411f03cf9c24c1d8055)
-Merged-In: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e
-Change-Id: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e
----
- cmds/incidentd/src/IncidentService.cpp | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/cmds/incidentd/src/IncidentService.cpp b/cmds/incidentd/src/IncidentService.cpp
-index a52726396b53..a4819633efee 100644
---- a/cmds/incidentd/src/IncidentService.cpp
-+++ b/cmds/incidentd/src/IncidentService.cpp
-@@ -418,9 +418,13 @@ status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel*
-
- switch (code) {
- case SHELL_COMMAND_TRANSACTION: {
-- int in = data.readFileDescriptor();
-- int out = data.readFileDescriptor();
-- int err = data.readFileDescriptor();
-+ unique_fd in, out, err;
-+ if (status_t status = data.readUniqueFileDescriptor(&in); status != OK) return status;
-+
-+ if (status_t status = data.readUniqueFileDescriptor(&out); status != OK) return status;
-+
-+ if (status_t status = data.readUniqueFileDescriptor(&err); status != OK) return status;
-+
- int argc = data.readInt32();
- Vector args;
- for (int i = 0; i < argc && data.dataAvail() > 0; i++) {
-@@ -430,15 +434,15 @@ status_t
IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel*
- sp resultReceiver =
- IResultReceiver::asInterface(data.readStrongBinder());
-
-- FILE* fin = fdopen(in, "r");
-- FILE* fout = fdopen(out, "w");
-- FILE* ferr = fdopen(err, "w");
-+ FILE* fin = fdopen(in.release(), "r");
-+ FILE* fout = fdopen(out.release(), "w");
-+ FILE* ferr = fdopen(err.release(), "w");
-
- if (fin == NULL || fout == NULL || ferr == NULL) {
- resultReceiver->send(NO_MEMORY);
- } else {
-- err = command(fin, fout, ferr, args);
-- resultReceiver->send(err);
-+ status_t result = command(fin, fout, ferr, args);
-+ resultReceiver->send(result);
- }
-
- if (fin != NULL) {
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377009.patch b/Patches/LineageOS-17.1/android_frameworks_base/377009.patch
deleted file mode 100644
index 140c7daf..00000000
--- a/Patches/LineageOS-17.1/android_frameworks_base/377009.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Pinyao Ting
-Date: Mon, 24 Jul 2023 14:58:56 -0700
-Subject: [PATCH] Validate userId when publishing shortcuts
-
-Bug: 288110451
-Test: manual
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01bfd04ff445db6290ae430d44ea1bf1a115fe3c)
-Merged-In: Idbde676f871db83825155730e3714f3727e25762
-Change-Id: Idbde676f871db83825155730e3714f3727e25762
----
- services/core/java/com/android/server/pm/ShortcutService.java | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
-index d1ee52eef2df..0e887d375924 100644
---- a/services/core/java/com/android/server/pm/ShortcutService.java
-+++ b/services/core/java/com/android/server/pm/ShortcutService.java
-@@ -1589,6 +1589,10 @@ public class ShortcutService extends IShortcutService.Stub {
- android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, "");
- throw new SecurityException("Shortcut package name mismatch");
- }
-+ final int callingUid = injectBinderCallingUid();
-+ if (UserHandle.getUserId(callingUid) != si.getUserId()) {
-+ throw new SecurityException("User-ID in shortcut doesn't match the caller");
-+ }
- }
-
- private void verifyShortcutInfoPackages(
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377010.patch b/Patches/LineageOS-17.1/android_frameworks_base/377010.patch
deleted file mode 100644
index c1819206..00000000
--- a/Patches/LineageOS-17.1/android_frameworks_base/377010.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Beverly Tai
-Date: Thu, 14 Sep 2023 20:50:28 +0000
-Subject: [PATCH] Revert "On device lockdown, always show the keyguard"
-
-This reverts commit b23c2d5fb6630ea0da503b937f62880594b13e94.
-
-Reason for revert: b/300463732 regression
-Bug: 300463732
-Bug: 218495634
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f57217125f2b124c16c463ef4507fb054cc1ba4f)
-Merged-In: I31485d0d8caa3060e998636b071dbe03f6b4fc82
-Change-Id: I31485d0d8caa3060e998636b071dbe03f6b4fc82
----
- .../systemui/keyguard/KeyguardViewMediator.java | 10 +---------
- 1 file changed, 1 insertion(+), 9 deletions(-)
-
-diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
-index a7d5c64dd3a3..e21b14dec0b0 100644
---- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
-+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
-@@ -556,13 +556,6 @@ public class KeyguardViewMediator extends SystemUI {
- notifyHasLockscreenWallpaperChanged(hasLockscreenWallpaper);
- }
- }
--
-- @Override
-- public void onStrongAuthStateChanged(int userId) {
-- if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
-- doKeyguardLocked(null);
-- }
-- }
- };
-
- ViewMediatorCallback mViewMediatorCallback = new ViewMediatorCallback() {
-@@ -1326,8 +1319,7 @@ public class KeyguardViewMediator extends SystemUI {
- }
-
- // if another app is disabling us, don't show
-- if (!mExternallyEnabled
-- && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
-+ if (!mExternallyEnabled) {
- if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled");
-
- mNeedToReshowWhenReenabled = true;
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377011.patch b/Patches/LineageOS-17.1/android_frameworks_base/377011.patch
deleted file mode 100644
index 65ca1618..00000000
--- a/Patches/LineageOS-17.1/android_frameworks_base/377011.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Kunal Malhotra
-Date: Thu, 2 Feb 2023 23:48:27 +0000
-Subject: [PATCH] Adding in verification of calling UID in onShellCommand
-
-Test: manual testing on device
-Bug: b/261709193
-(cherry picked from commit b651d295b44eb82d664861b77f33dbde1bce9453)
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3ef3f18ba3094c4cc4f954ba23d1da421f9ca8b0)
-Merged-In: I68903ebd6d3d85f4bc820b745e3233a448b62273
-Change-Id: I68903ebd6d3d85f4bc820b745e3233a448b62273
----
- .../java/com/android/server/am/ActivityManagerService.java | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
-index 3e99e594a702..faeb5f348834 100644
---- a/services/core/java/com/android/server/am/ActivityManagerService.java
-+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
-@@ -9884,6 +9884,13 @@ public class ActivityManagerService extends IActivityManager.Stub
- public void onShellCommand(FileDescriptor in, FileDescriptor out,
- FileDescriptor err, String[] args, ShellCallback callback,
- ResultReceiver resultReceiver) {
-+ final int callingUid = Binder.getCallingUid();
-+ if (callingUid != ROOT_UID && callingUid != Process.SHELL_UID) {
-+ if (resultReceiver != null) {
-+ resultReceiver.send(-1, null);
-+ }
-+ throw new SecurityException("Shell commands are only callable by root or shell");
-+ }
- (new ActivityManagerShellCommand(this, false)).exec(
- this, in, out, err, args, callback, resultReceiver);
- }
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377012.patch b/Patches/LineageOS-17.1/android_frameworks_base/377012.patch
deleted file mode 100644
index 5f74de49..00000000
--- a/Patches/LineageOS-17.1/android_frameworks_base/377012.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Beverly Tai
-Date: Tue, 19 Sep 2023 21:01:11 +0000
-Subject: [PATCH] Updated: always show the keyguard on device lockdown
-
-Additionally, don't hide keyguard when it's disabled if the user has locked
-down the device.
-
-Manual test steps:
- 1. Enable app pinning and disable "Ask for PIN before unpinning" setting
- 2. Pin an app (ie: Settings)
- 3. Lockdown from the power menu
- 4. Observe: user is brought to the keyguard, primary auth is
- required to enter the device.
- => After entering correct credential, the device is still in
- app pinning mode.
- => After entering an incorrect credential, the keyguard remains
- showing and the user can attempt again up to the limit
-
-Bug: 300463732
-Bug: 218495634
-Test: atest KeyguardViewMediatorTest
-Test: manual
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:35a6e2f2c952440b1102033b2c3e496438503cff)
-Merged-In: I70fdae80f717712b3dfc9df54b9649959b4bb8f0
-Change-Id: I70fdae80f717712b3dfc9df54b9649959b4bb8f0
----
- .../systemui/keyguard/KeyguardViewMediator.java | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
-index e21b14dec0b0..5c343c941454 100644
---- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
-+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
-@@ -541,6 +541,13 @@ public class KeyguardViewMediator extends SystemUI {
- }
- }
-
-+ @Override
-+ public void onStrongAuthStateChanged(int userId) {
-+ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
-+ doKeyguardLocked(null);
-+ }
-+ }
-+
- @Override
- public void onTrustChanged(int userId) {
- if (userId == KeyguardUpdateMonitor.getCurrentUser()) {
-@@ -1107,6 +1114,10 @@ public class KeyguardViewMediator extends SystemUI {
- mExternallyEnabled = enabled;
-
- if (!enabled && mShowing) {
-+ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
-+ Log.d(TAG, "keyguardEnabled(false) overridden by user lockdown");
-+ return;
-+ }
- if (mExitSecureCallback != null) {
- if (DEBUG) Log.d(TAG, "in process of verifyUnlock request, ignoring");
- // we're in the process of handling a request to verify the user
-@@ -1318,8 +1329,9 @@ public class KeyguardViewMediator extends SystemUI {
- return;
- }
-
-- // if another app is disabling us, don't show
-- if (!mExternallyEnabled) {
-+ // if another app is disabling us, don't show unless we're in lockdown mode
-+ if (!mExternallyEnabled
-+ && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
- if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled");
-
- mNeedToReshowWhenReenabled = true;
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377013-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/377013-backport.patch
deleted file mode 100644
index 192ce059..00000000
--- a/Patches/LineageOS-17.1/android_frameworks_base/377013-backport.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Beth Thibodeau
-Date: Tue, 8 Aug 2023 16:19:48 -0500
-Subject: [PATCH] RESTRICT AUTOMERGE: Check URI permissions for resumable media
- artwork
-
-When resumable media is added that has artwork set via URI, check the
-permissions for the URI before attempting to load it
-
-Test: atest MediaDataManagerTest UriGrantsManagerServiceTest
-Test: manual with test app
-Bug: 284297452
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c13567e39cd906c8544011de537490b70ce29b2f)
-Merged-In: Ie79915d3d1712f08dc2e8dfbd5bc7fd32bb308a3
-Change-Id: Ie79915d3d1712f08dc2e8dfbd5bc7fd32bb308a3
----
- core/java/android/app/IUriGrantsManager.aidl | 3 ++
- .../server/uri/UriGrantsManagerService.java | 42 +++++++++++++++++++
- 2 files changed, 45 insertions(+)
-
-diff --git a/core/java/android/app/IUriGrantsManager.aidl b/core/java/android/app/IUriGrantsManager.aidl
-index 9e7f2fecfea0..b630d034dca9 100644
---- a/core/java/android/app/IUriGrantsManager.aidl
-+++ b/core/java/android/app/IUriGrantsManager.aidl
-@@ -39,4 +39,7 @@ interface IUriGrantsManager {
- void clearGrantedUriPermissions(in String packageName, int userId);
- ParceledListSlice getUriPermissions(in String packageName, boolean incoming,
- boolean persistedOnly);
-+
-+ int checkGrantUriPermission_ignoreNonSystem(
-+ int sourceUid, String targetPkg, in Uri uri, int modeFlags, int userId);
- }
-diff --git a/services/core/java/com/android/server/uri/UriGrantsManagerService.java b/services/core/java/com/android/server/uri/UriGrantsManagerService.java
-index 55f062bca2d1..7cab7b28cfee 100644
---- a/services/core/java/com/android/server/uri/UriGrantsManagerService.java
-+++ b/services/core/java/com/android/server/uri/UriGrantsManagerService.java
-@@ -43,6 +43,7 @@ import static org.xmlpull.v1.XmlPullParser.END_DOCUMENT;
- import static org.xmlpull.v1.XmlPullParser.START_TAG;
-
- import
android.annotation.Nullable;
-+import android.annotation.RequiresPermission;
- import android.app.ActivityManager;
- import android.app.ActivityManagerInternal;
- import android.app.AppGlobals;
-@@ -65,6 +66,7 @@ import android.os.Handler;
- import android.os.IBinder;
- import android.os.Looper;
- import android.os.Message;
-+import android.os.Process;
- import android.os.RemoteException;
- import android.os.SystemClock;
- import android.os.UserHandle;
-@@ -1225,6 +1227,46 @@ public class UriGrantsManagerService extends IUriGrantsManager.Stub {
- return false;
- }
-
-+ /**
-+ * Check if the targetPkg can be granted permission to access uri by
-+ * the callingUid using the given modeFlags. See {@link #checkGrantUriPermissionUnlocked}.
-+ *
-+ * @param callingUid The uid of the grantor app that has permissions to the uri.
-+ * @param targetPkg The package name of the granted app that needs permissions to the uri.
-+ * @param uri The uri for which permissions should be granted.
-+ * @param modeFlags The modes to grant. See {@link Intent#FLAG_GRANT_READ_URI_PERMISSION}, etc.
-+ * @param userId The userId in which the uri is to be resolved.
-+ * @return uid of the target or -1 if permission grant not required. Returns -1 if the caller
-+ * does not hold INTERACT_ACROSS_USERS_FULL
-+ * @throws SecurityException if the grant is not allowed.
-+ */
-+ @Override
-+ @RequiresPermission(android.Manifest.permission.INTERACT_ACROSS_USERS_FULL)
-+ public int checkGrantUriPermission_ignoreNonSystem(int callingUid, String targetPkg, Uri uri,
-+ int modeFlags, int userId) {
-+ if (!isCallerIsSystemOrPrivileged()) {
-+ return Process.INVALID_UID;
-+ }
-+ final long origId = Binder.clearCallingIdentity();
-+ try {
-+ return checkGrantUriPermissionUnlocked(callingUid, targetPkg, uri, modeFlags,
-+ userId);
-+ } finally {
-+ Binder.restoreCallingIdentity(origId);
-+ }
-+ }
-+
-+ private boolean isCallerIsSystemOrPrivileged() {
-+ final int uid = Binder.getCallingUid();
-+ if (uid == Process.SYSTEM_UID || uid == Process.ROOT_UID) {
-+ return true;
-+ }
-+ return ActivityManager.checkComponentPermission(
-+ android.Manifest.permission.INTERACT_ACROSS_USERS_FULL,
-+ uid, /* owningUid = */-1, /* exported = */ true)
-+ == PackageManager.PERMISSION_GRANTED;
-+ }
-+
- private void writeGrantedUriPermissions() {
- if (DEBUG) Slog.v(TAG, "writeGrantedUriPermissions()");
-
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Bluetooth/377014-backport.patch b/Patches/LineageOS-17.1/android_packages_apps_Bluetooth/377014-backport.patch
deleted file mode 100644
index c73830c0..00000000
--- a/Patches/LineageOS-17.1/android_packages_apps_Bluetooth/377014-backport.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Brian Delwiche
-Date: Thu, 5 Oct 2023 00:01:03 +0000
-Subject: [PATCH] Fix UAF in ~CallbackEnv
-
-com_android_bluetooth_btservice_AdapterService does not null its local
-JNI environment variable after detaching the thread (which frees the
-environment context), allowing UAF under certain conditions.
-
-Null the variable in this case.
-
-Testing here was done through a custom unit test; see patchsets 4-6 for
-contents. However, unit testing of the JNI layer is problematic in
-production, so that part of the patch is omitted for final merge.
-
-Bug: 291500341
-Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
-Tag: #security
-Ignore-AOSP-First: Security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f543d919c4067f2f4925580fd8a690ba3440e80)
-Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030
-Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
----
- jni/com_android_bluetooth_btservice_AdapterService.cpp | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
-index 55b391c56..aa0a13d46 100644
---- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
-+++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
-@@ -404,6 +404,7 @@ static void callback_thread_event(bt_cb_thread_evt event) {
- return;
- }
- vm->DetachCurrentThread();
-+ callbackEnv = NULL;
- }
- }
-
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Trebuchet/377015.patch b/Patches/LineageOS-17.1/android_packages_apps_Trebuchet/377015.patch
deleted file mode 100644
index 9ba49a68..00000000
--- a/Patches/LineageOS-17.1/android_packages_apps_Trebuchet/377015.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Pinyao Ting
-Date: Tue, 12 Sep 2023 22:37:16 +0000
-Subject: [PATCH] Fix permission bypass in legacy shortcut
-
-Intent created for Chooser should not be allowed in legacy shortcuts
-since it doesn't make sense for user to tap on a shortcut in homescreen
-to share, the expected share flow started from ShareSheet.
-
-Bug: 295334906, 295045199
-Test: manual
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b7b192bd7f24a2aa7d6881ee949657c9760c0305)
-Merged-In: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
-Change-Id: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
----
- .../android/launcher3/util/PackageManagerHelper.java | 11 ++---------
- 1 file changed, 2 insertions(+), 9 deletions(-)
-
-diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java
-index f263331f8f..1ca28f82dc 100644
---- a/src/com/android/launcher3/util/PackageManagerHelper.java
-+++ b/src/com/android/launcher3/util/PackageManagerHelper.java
-@@ -114,15 +114,8 @@ public class PackageManagerHelper {
- public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
- // b/270152142
- if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
-- final Bundle extras = intent.getExtras();
-- if (extras == null) {
-- return true;
-- }
-- // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
-- intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
-- if (intent == null) {
-- return true;
-- }
-+ // Chooser shortcuts is not a valid target
-+ return false;
- }
- ResolveInfo target = mPm.resolveActivity(intent, 0);
- if (target == null) {
diff --git a/Patches/LineageOS-17.1/android_packages_services_Telecomm/377016-backport.patch b/Patches/LineageOS-17.1/android_packages_services_Telecomm/377016-backport.patch
deleted file mode 100644
index 868aaa98..00000000
--- a/Patches/LineageOS-17.1/android_packages_services_Telecomm/377016-backport.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Pranav Madapurmath
-Date: Wed, 5 Apr 2023 21:36:12 +0000
-Subject: [PATCH] Resolve account image icon profile boundary exploit.
-
-Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit
-is possible where the user can upload an image icon (belonging to
-another user) via registering a phone account. This CL provides a
-lightweight solution for parsing the image URI to detect profile
-exploitation.
-
-Fixes: 273502295
-Fixes: 296915211
-Test: Unit test to enforce successful/failure path
-(cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7)
-(cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48)
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42)
-Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
-Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
----
- .../server/telecom/TelecomServiceImpl.java | 22 +++++++++++++++++++
- .../telecom/tests/TelecomServiceImplTest.java | 21 ++++++++++++++++++
- 2 files changed, 43 insertions(+)
-
-diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java
-index 8c498fc55..4472ad837 100644
---- a/src/com/android/server/telecom/TelecomServiceImpl.java
-+++ b/src/com/android/server/telecom/TelecomServiceImpl.java
-@@ -37,6 +37,7 @@ import android.content.pm.PackageManager;
- import android.content.res.Resources;
- import android.content.pm.ParceledListSlice;
- import android.content.pm.ResolveInfo;
-+import android.graphics.drawable.Icon;
- import android.net.Uri;
- import android.os.Binder;
- import android.os.Build;
-@@ -513,6 +514,9 @@ public class TelecomServiceImpl {
- if (callingUid != Process.SHELL_UID) {
- enforceUserHandleMatchesCaller(account.getAccountHandle());
- }
-+ // Validate the profile boundary of the given image URI.
-+ validateAccountIconUserBoundary(account.getIcon());
-+
- final long token = Binder.clearCallingIdentity();
- try {
- mPhoneAccountRegistrar.registerPhoneAccount(account);
-@@ -2100,4 +2104,22 @@ public class TelecomServiceImpl {
- mContext.sendBroadcast(intent);
- }
- }
-+
-+ private void validateAccountIconUserBoundary(Icon icon) {
-+ // Refer to Icon#getUriString for context. The URI string is invalid for icons of
-+ // incompatible types.
-+ if (icon != null && (icon.getType() == Icon.TYPE_URI
-+ /*|| icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP*/)) {
-+ String encodedUser = icon.getUri().getEncodedUserInfo();
-+ // If there is no encoded user, the URI is calling into the calling user space
-+ if (encodedUser != null) {
-+ int userId = Integer.parseInt(encodedUser);
-+ if (userId != UserHandle.getUserId(Binder.getCallingUid())) {
-+ // If we are transcending the profile boundary, throw an error.
-+ throw new IllegalArgumentException("Attempting to register a phone account with"
-+ + " an image icon belonging to another user.");
-+ }
-+ }
-+ }
-+ }
- }
-diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
-index 00d8000e4..6daf516d1 100644
---- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
-+++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
-@@ -30,6 +30,7 @@ import android.content.Context;
- import android.content.Intent;
- import android.content.pm.ApplicationInfo;
- import android.content.pm.PackageManager;
-+import android.graphics.drawable.Icon;
- import android.net.Uri;
- import android.os.Binder;
- import android.os.Bundle;
-@@ -531,6 +532,26 @@ public class TelecomServiceImplTest extends TelecomTestCase {
- }
- }
-
-+ @SmallTest
-+ @Test
-+ public void testRegisterPhoneAccountImageIconCrossUser() throws RemoteException {
-+ String packageNameToUse = "com.android.officialpackage";
-+
PhoneAccountHandle phHandle = new PhoneAccountHandle(new ComponentName(
-+ packageNameToUse, "cs"), "test", Binder.getCallingUserHandle());
-+ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/");
-+ PhoneAccount phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build();
-+ doReturn(PackageManager.PERMISSION_GRANTED)
-+ .when(mContext).checkCallingOrSelfPermission(MODIFY_PHONE_STATE);
-+
-+ // This should fail; security exception will be thrown.
-+ registerPhoneAccountTestHelper(phoneAccount, false);
-+
-+ icon = Icon.createWithContentUri("content://0@media/external/images/media/");
-+ phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build();
-+ // This should succeed.
-+ registerPhoneAccountTestHelper(phoneAccount, true);
-+ }
-+
- @SmallTest
- @Test
- public void testUnregisterPhoneAccount() throws RemoteException {
diff --git a/Patches/LineageOS-17.1/android_system_bt/377017.patch b/Patches/LineageOS-17.1/android_system_bt/377017.patch
deleted file mode 100644
index 9b729407..00000000
--- a/Patches/LineageOS-17.1/android_system_bt/377017.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng
-Date: Sat, 2 Sep 2023 04:20:10 +0000
-Subject: [PATCH] Reject access to secure service authenticated from a temp
- bonding [1]
-
-Rejecct access to services running on l2cap
-
-Backport of
-Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
-
-Bug: 294854926
-Test: m com.android.btservices
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d)
-Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
-Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
----
- stack/btm/btm_sec.cc | 38 ++++++++++++++++++++++++++++++++++----
- 1 file changed, 34 insertions(+), 4 deletions(-)
-
-diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
-index 3ba1a6023..d4377a1fe 100644
---- a/stack/btm/btm_sec.cc
-+++ b/stack/btm/btm_sec.cc
-@@ -104,7 +104,7 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
- uint32_t mx_proto_id,
- uint32_t mx_chan_id);
-
--static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec);
-+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec);
- static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec);
- static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec);
- static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
-@@ -146,7 +146,7 @@ static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = {
- * Returns bool true or false
- *
- ******************************************************************************/
--static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) {
-+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec) {
- if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) {
- return (true);
- }
-@@ -220,6 +220,25 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
- return (false);
- }
-
-+/*******************************************************************************
-+ *
-+ * Function access_secure_service_from_temp_bond
-+ *
-+ * Description a utility function to test whether an access to
-+ * secure service from temp bonding is happening
-+ *
-+ * Returns true if the aforementioned condition holds,
-+ * false otherwise
-+ *
-+ ******************************************************************************/
-+static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec,
-+ bool locally_initiated,
-+ uint16_t security_req) {
-+ return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
-+ btm_dev_authenticated(p_dev_rec) &&
-+ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
-+}
-+
- /*******************************************************************************
- *
- * Function BTM_SecRegister
-@@ -2077,9 +2096,13 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
- }
-
- if (rc == BTM_SUCCESS) {
-+ if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required)) {
-+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
-+ rc = BTM_FAILED_ON_SECURITY;
-+ }
- if (p_callback)
-- (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS);
-- return (BTM_SUCCESS);
-+ (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc);
-+ return (rc);
- }
- }
-
-@@ -5138,6 +5161,13 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
- }
- }
-
-+ if (access_secure_service_from_temp_bond(p_dev_rec,
-+ p_dev_rec->is_originator,
-+ p_dev_rec->security_required)) {
-+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
-+ return (BTM_FAILED_ON_SECURITY);
-+ }
-+
- /* All required security procedures already established */
- p_dev_rec->security_required &=
- ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
diff --git a/Patches/LineageOS-17.1/android_system_bt/377018.patch b/Patches/LineageOS-17.1/android_system_bt/377018.patch
deleted file mode 100644
index 9b91946b..00000000
--- a/Patches/LineageOS-17.1/android_system_bt/377018.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng
-Date: Sat, 2 Sep 2023 04:27:29 +0000
-Subject: [PATCH] Reject access to secure services authenticated from temp
- bonding [2]
-
-Reject access to service running on rfcomm
-
-this is a backport of
-I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
-
-Bug: 294854926
-Test: m com.android.btservices
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5e0e907ec4948f06b3a35ecf08725c020d533ccb)
-Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
-Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
----
- stack/btm/btm_sec.cc | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
-index d4377a1fe..6163c3fb7 100644
---- a/stack/btm/btm_sec.cc
-+++ b/stack/btm/btm_sec.cc
-@@ -2425,6 +2425,11 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
- mx_chan_id, p_callback, p_ref_data);
- } else /* rc == BTM_SUCCESS */
- {
-+ if (access_secure_service_from_temp_bond(p_dev_rec,
-+ is_originator, security_required)) {
-+ LOG_ERROR(LOG_TAG, "Trying to access a secure rfcomm service from a temp bonding, reject");
-+ rc = BTM_FAILED_ON_SECURITY;
-+ }
- /* access granted */
- if (p_callback) {
- (*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc);
diff --git a/Patches/LineageOS-17.1/android_system_bt/377019.patch b/Patches/LineageOS-17.1/android_system_bt/377019.patch
deleted file mode 100644
index c423d2a8..00000000
--- a/Patches/LineageOS-17.1/android_system_bt/377019.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng
-Date: Tue, 12 Sep 2023 23:47:48 +0000
-Subject: [PATCH] Reject access to secure service authenticated from a temp
- bonding [3]
-
-Allow access to rfcomm PSM by default
-
-Original bug
-Bug: 294854926
-
-Nearby regressions:
-Bug: 298539299
-
-Test: m com.android.btservices
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab986fe4165aae74c5915f57ad2e78bf80f1d3ec)
-Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
-Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
----
- stack/btm/btm_sec.cc | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
-index 6163c3fb7..e69fe9b4c 100644
---- a/stack/btm/btm_sec.cc
-+++ b/stack/btm/btm_sec.cc
-@@ -2119,15 +2119,15 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
- btm_cb.security_mode == BTM_SEC_MODE_SC) {
- if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
- if (is_originator) {
-- /* SM4 to SM4 -> always authenticate & encrypt */
-- security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
-+ /* SM4 to SM4 -> always encrypt */
-+ security_required |= BTM_SEC_OUT_ENCRYPT;
- } else /* acceptor */
- {
- /* SM4 to SM4: the acceptor needs to make sure the authentication is
- * already done */
- chk_acp_auth_done = true;
-- /* SM4 to SM4 -> always authenticate & encrypt */
-- security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
-+ /* SM4 to SM4 -> always encrypt */
-+ security_required |= BTM_SEC_IN_ENCRYPT;
- }
- } else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) {
- /* the remote features are not known yet */
diff --git a/Patches/LineageOS-17.1/android_system_bt/377020.patch b/Patches/LineageOS-17.1/android_system_bt/377020.patch
deleted file mode 100644
index fc711bf6..00000000
--- a/Patches/LineageOS-17.1/android_system_bt/377020.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng
-Date: Tue, 12 Sep 2023 23:54:08 +0000
-Subject: [PATCH] Reorganize the code for checking auth requirement
-
-Original bug
-Bug: 294854926
-
-regressions:
-Bug: 299570702
-
-Test: Test: m com.android.btservices
-Test: QA validation
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0c488b2420befe0f8038957861072a8e63702f91)
-Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
-Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
----
- stack/btm/btm_sec.cc | 93 ++++++++++++++++++++++++++------------------
- 1 file changed, 56 insertions(+), 37 deletions(-)
-
-diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
-index e69fe9b4c..e73cfb363 100644
---- a/stack/btm/btm_sec.cc
-+++ b/stack/btm/btm_sec.cc
-@@ -5081,46 +5081,65 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
-
- /* If connection is not authenticated and authentication is required */
- /* start authentication and return PENDING to the caller */
-- if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) &&
-- ((p_dev_rec->is_originator &&
-- (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) ||
-- (!p_dev_rec->is_originator &&
-- (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))) ||
-- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
-- (!p_dev_rec->is_originator &&
-- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) &&
-- (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) {
--/*
-- * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
-- * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
-- * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
-- * authenticated connections, hence we cannot distinguish here.
-- */
--
-- BTM_TRACE_EVENT("Security Manager: Start authentication");
-+ if (p_dev_rec->hci_handle != HCI_INVALID_HANDLE) {
-+ bool start_auth = false;
-+
-+ // Check link status of BR/EDR
-+ if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
-+ if (p_dev_rec->is_originator) {
-+ if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) {
-+ LOG_DEBUG(LOG_TAG, "Outgoing authentication Required");
-+ start_auth = true;
-+ }
-+ } else {
-+ if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) {
-+ LOG_DEBUG(LOG_TAG, "Incoming authentication Required");
-+ start_auth = true;
-+ }
-+ }
-+ }
-
-- /*
-- * If we do have a link-key, but we end up here because we need an
-- * upgrade, then clear the link-key known and authenticated flag before
-- * restarting authentication.
-- * WARNING: If the controller has link-key, it is optional and
-- * recommended for the controller to send a Link_Key_Request.
-- * In case we need an upgrade, the only alternative would be to delete
-- * the existing link-key. That could lead to very bad user experience
-- * or even IOP issues, if a reconnect causes a new connection that
-- * requires an upgrade.
-- */
-- if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) &&
-- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
-- (!p_dev_rec->is_originator &&
-- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
-- p_dev_rec->sec_flags &=
-- ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
-- BTM_SEC_AUTHENTICATED);
-+ if (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)) {
-+ /*
-+ * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
-+ * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
-+ * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
-+ * authenticated connections, hence we cannot distinguish here.
-+ */
-+ if (!p_dev_rec->is_originator) {
-+ if (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) {
-+ LOG_DEBUG(LOG_TAG, "BTM_SEC_IN_MIN_16_DIGIT_PIN Required");
-+ start_auth = true;
-+ }
-+ }
- }
-
-- btm_sec_start_authentication(p_dev_rec);
-- return (BTM_CMD_STARTED);
-+ if (start_auth) {
-+ LOG_DEBUG(LOG_TAG, "Security Manager: Start authentication");
-+
-+ /*
-+ * If we do have a link-key, but we end up here because we need an
-+ * upgrade, then clear the link-key known and authenticated flag before
-+ * restarting authentication.
-+ * WARNING: If the controller has link-key, it is optional and
-+ * recommended for the controller to send a Link_Key_Request.
-+ * In case we need an upgrade, the only alternative would be to delete
-+ * the existing link-key. That could lead to very bad user experience
-+ * or even IOP issues, if a reconnect causes a new connection that
-+ * requires an upgrade.
-+ */
-+ if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) &&
-+ (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
-+ (!p_dev_rec->is_originator &&
-+ (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
-+ p_dev_rec->sec_flags &=
-+ ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
-+ BTM_SEC_AUTHENTICATED);
-+ }
-+
-+ btm_sec_start_authentication(p_dev_rec);
-+ return (BTM_CMD_STARTED);
-+ }
- }
-
- /* If connection is not encrypted and encryption is required */
diff --git a/Patches/LineageOS-17.1/android_system_bt/377021.patch b/Patches/LineageOS-17.1/android_system_bt/377021.patch
deleted file mode 100644
index cde9c109..00000000
--- a/Patches/LineageOS-17.1/android_system_bt/377021.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng
-Date: Wed, 13 Sep 2023 00:00:44 +0000
-Subject: [PATCH] Enforce authentication if encryption is required
-
-Original bug
-Bug: 294854926
-
-regressions:
-Bug: 299570702
-Bug: 299561281
-
-Test: Test: m com.android.btservices
-Test: QA validation
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:778d3fb3fb520e54425ecefe9a28453002053553)
-Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa
-Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa
----
- stack/btm/btm_sec.cc | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
-index e73cfb363..de91023c6 100644
---- a/stack/btm/btm_sec.cc
-+++ b/stack/btm/btm_sec.cc
-@@ -5087,13 +5087,15 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
- // Check link status of BR/EDR
- if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
- if (p_dev_rec->is_originator) {
-- if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) {
-- LOG_DEBUG(LOG_TAG, "Outgoing authentication Required");
-+ if (p_dev_rec->security_required &
-+ (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) {
-+ LOG_DEBUG(LOG_TAG, "Outgoing authentication/encryption Required");
- start_auth = true;
- }
- } else {
-- if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) {
-- LOG_DEBUG(LOG_TAG, "Incoming authentication Required");
-+ if (p_dev_rec->security_required &
-+ (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) {
-+ LOG_DEBUG(LOG_TAG, "Incoming authentication/encryption Required");
- start_auth = true;
- }
- }
diff --git a/Patches/LineageOS-17.1/android_system_bt/377023-backport.patch b/Patches/LineageOS-17.1/android_system_bt/377023-backport.patch
deleted file mode 100644
index 3893dfb7..00000000
--- a/Patches/LineageOS-17.1/android_system_bt/377023-backport.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Brian Delwiche
-Date: Tue, 3 Oct 2023 21:27:49 +0000
-Subject: [PATCH] Fix timing attack in BTM_BleVerifySignature
-
-BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
-to be deduced through a side-channel attack.
-
-Change to CRYPTO_memcmp, which is hardened against this attack, to
-eliminate this attack.
-
-Bug: 274478807
-Test: atest bluetooth_test_gd_unit
-Tag: #security
-Ignore-AOSP-First: Security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)
-Merged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c
-Change-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c
----
- stack/Android.bp | 1 +
- stack/btm/btm_ble.cc | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/stack/Android.bp b/stack/Android.bp
-index c4684236e..4021d9e51 100644
---- a/stack/Android.bp
-+++ b/stack/Android.bp
-@@ -178,6 +178,7 @@ cc_library_static {
- shared_libs: [
- "libcutils",
- "liblog",
-+ "libcrypto",
- ],
- required: [
- "libldacBT_enc",
-diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc
-index b1f4119d5..f34c6db59 100644
---- a/stack/btm/btm_ble.cc
-+++ b/stack/btm/btm_ble.cc
-@@ -41,6 +41,7 @@
- #include "hcimsgs.h"
- #include "log/log.h"
- #include "l2c_int.h"
-+#include "openssl/mem.h"
- #include "osi/include/log.h"
- #include "osi/include/osi.h"
- #include "stack/crypto_toolbox/crypto_toolbox.h"
-@@ -2110,7 +2111,7 @@ bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,
-
- crypto_toolbox::aes_cmac(p_rec->ble.keys.pcsrk, p_orig, len,
- BTM_CMAC_TLEN_SIZE, p_mac);
-- if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
-+ if (CRYPTO_memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
- btm_ble_increment_sign_ctr(bd_addr, false);
- verified = true;
- }
diff --git a/Patches/LineageOS-17.1/android_system_netd/377024-backport.patch b/Patches/LineageOS-17.1/android_system_netd/377024-backport.patch
deleted file mode 100644
index e3999bc6..00000000
--- a/Patches/LineageOS-17.1/android_system_netd/377024-backport.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Lin Lee
-Date: Mon, 7 Aug 2023 09:34:41 +0000
-Subject: [PATCH] Fix Heap-use-after-free in MDnsSdListener::Monitor::run
-
-Use thread join to avoid thread exiting after instance
-recycled.
-
-Prior to implementing this patch, fuzzing would lead to a segmentation fault after approximately 500 rounds. With the addition of the patch, the fuzzing process can now be repeated for over 30,000 rounds.
-
-Test: m, fuzzing
-Fuzzing: mma mdns_service_fuzzer && adb sync data && adb shell /data/fuzz/arm64/mdns_service_fuzzer/mdns_service_fuzzer
-
-Bug: 272382770
-Ignore-AOSP-First: Security Issue
-(cherry picked from commit 9c0c15f80cffb98b36284dd169a2e62e059dbbe3)
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:75e5e2e1faec7aa2812fc6fba30d6fe80558bacd)
-Merged-In: I5bc85451b4e6539bad45ceb672924a37952cc138
-Change-Id: I5bc85451b4e6539bad45ceb672924a37952cc138
----
- server/MDnsSdListener.cpp | 35 +++++++++++++++++++++++------------
- server/MDnsSdListener.h | 4 +++-
- 2 files changed, 26 insertions(+), 13 deletions(-)
-
-diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
-index 42dcddf3..d551d37c 100644
---- a/server/MDnsSdListener.cpp
-+++ b/server/MDnsSdListener.cpp
-@@ -29,6 +29,7 @@
- #include
- #include
- #include
-+#include
-
- #define LOG_TAG "MDnsDS"
- #define DBG 1
-@@ -527,12 +528,18 @@ MDnsSdListener::Monitor::Monitor() {
- mPollSize = 10;
- socketpair(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, mCtrlSocketPair);
-
-- const int rval = ::android::netdutils::threadLaunch(this);
-- if (rval != 0) {
-- ALOGW("Error spawning monitor thread: %s (%d)", strerror(-rval), -rval);
-- }
-+ mRescanThread = new std::thread(&Monitor::run, this);
-+ if (!mRescanThread->joinable()) ALOGE("Unable to launch thread.");
- }
-
-+MDnsSdListener::Monitor::~Monitor() {
-+ if (VDBG) ALOGD("Monitor recycling");
-+ close(mCtrlSocketPair[1]); // interrupt poll in MDnsSdListener::Monitor::run() and revent will
-+ // be 17 = POLLIN | POLLHUP
-+ mRescanThread->join();
-+ delete mRescanThread;
-+ if (VDBG) ALOGD("Monitor recycled");
-+}
- #define NAP_TIME 200 // 200 ms between polls
- static int wait_for_property(const char *name, const char *desired_value, int maxwait)
- {
-@@ -611,14 +618,18 @@ void MDnsSdListener::Monitor::run() {
- }
- }
- if (VDBG) ALOGD("controlSocket shows revent= %d", mPollFds[0].revents);
-- switch (mPollFds[0].revents) {
-- case POLLIN: {
-- char readBuf[2];
-- read(mCtrlSocketPair[0], &readBuf, 1);
-- if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
-- if (memcmp(RESCAN, readBuf, 1) == 0) {
-- pollCount = rescan();
-- }
-+ if (mPollFds[0].revents & POLLHUP) {
-+ free(mPollFds);
-+ free(mPollRefs);
-+ if (VDBG) ALOGD("Monitor thread leaving.");
-+ return;
-+ }
-+ if (mPollFds[0].revents == POLLIN) {
-+ char readBuf[2];
-+ read(mCtrlSocketPair[0], &readBuf, 1);
-+ if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
-+ if (memcmp(RESCAN, readBuf, 1) == 0) {
-+ pollCount = rescan();
- }
- }
- mPollFds[0].revents = 0;
-diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h
-index 47ddc28f..915a3bc8 100644
---- a/server/MDnsSdListener.h
-+++ b/server/MDnsSdListener.h
-@@ -21,6 +21,7 @@
- #include
- #include
- #include
-+#include
-
- #include "NetdCommand.h"
-
-@@ -70,7 +71,7 @@ private:
- class Monitor {
- public:
- Monitor();
-- virtual ~Monitor() {}
-+ ~Monitor();
- DNSServiceRef *allocateServiceRef(int id, Context *c);
- void startMonitoring(int id);
- DNSServiceRef *lookupServiceRef(int id);
-@@ -100,6 +101,7 @@ private:
- int mPollSize;
- int mCtrlSocketPair[2];
- std::mutex mMutex;
-+ std::thread* mRescanThread;
- };
-
- class Handler : public NetdCommand {
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_packages_apps_Bluetooth/377025.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_packages_apps_Bluetooth/377025.patch
deleted file mode 100644
index 82308d74..00000000
--- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_packages_apps_Bluetooth/377025.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Brian Delwiche
-Date: Thu, 5 Oct 2023 00:01:03 +0000
-Subject: [PATCH] Fix UAF in ~CallbackEnv
-
-com_android_bluetooth_btservice_AdapterService does not null its local
-JNI environment variable after detaching the thread (which frees the
-environment context), allowing UAF under certain conditions.
-
-Null the variable in this case.
-
-Testing here was done through a custom unit test; see patchsets 4-6 for
-contents. However, unit testing of the JNI layer is problematic in
-production, so that part of the patch is omitted for final merge.
-
-Bug: 291500341
-Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
-Tag: #security
-Ignore-AOSP-First: Security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f543d919c4067f2f4925580fd8a690ba3440e80)
-Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030
-Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
-
-Change-Id: I6abe916720bcd6dbd8a532c2611c11d3c39f1940
----
- jni/com_android_bluetooth_btservice_AdapterService.cpp | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
-index fdb7dbf0b..b7e927b56 100644
---- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
-+++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
-@@ -404,6 +404,7 @@ static void callback_thread_event(bt_cb_thread_evt event) {
- return;
- }
- vm->DetachCurrentThread();
-+ callbackEnv = NULL;
- }
- }
-
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377026.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377026.patch
deleted file mode 100644
index 36593cf0..00000000
--- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377026.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng
-Date: Sat, 2 Sep 2023 04:20:10 +0000
-Subject: [PATCH] Reject access to secure service authenticated from a temp
- bonding [1]
-
-Rejecct access to services running on l2cap
-
-Backport of
-Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
-
-Bug: 294854926
-Test: m com.android.btservices
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d)
-Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
-Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
-
-Change-Id: I0435b4ee14c40213f3dae8abc54143ef7e8f67e0
----
- stack/btm/btm_sec.cc | 38 ++++++++++++++++++++++++++++++++++----
- 1 file changed, 34 insertions(+), 4 deletions(-)
-
-diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
-index 40f051c0d..4da0320c5 100644
---- a/stack/btm/btm_sec.cc
-+++ b/stack/btm/btm_sec.cc
-@@ -102,7 +102,7 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
- uint32_t mx_proto_id,
- uint32_t mx_chan_id);
-
--static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec);
-+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec);
- static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec);
- static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec);
- static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
-@@ -144,7 +144,7 @@ static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = {
- * Returns bool true or false
- *
- ******************************************************************************/
--static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) {
-+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec) {
- if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) {
- return (true);
- }
-@@ -220,6 +220,25 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
- return (false);
- }
-
-+/*******************************************************************************
-+ *
-+ * Function access_secure_service_from_temp_bond
-+ *
-+ * Description a utility function to test whether an access to
-+ * secure service from temp bonding is happening
-+ *
-+ * Returns true if the aforementioned condition holds,
-+ * false otherwise
-+ *
-+ ******************************************************************************/
-+static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec,
-+ bool locally_initiated,
-+ uint16_t security_req) {
-+ return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
-+ btm_dev_authenticated(p_dev_rec) &&
-+ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
-+}
-+
- /*******************************************************************************
- *
- * Function BTM_SecRegister
-@@ -2271,9 +2290,13 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
- }
-
- if (rc == BTM_SUCCESS) {
-+ if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required)) {
-+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
-+ rc = BTM_FAILED_ON_SECURITY;
-+ }
- if (p_callback)
-- (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS);
-- return (BTM_SUCCESS);
-+ (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc);
-+ return (rc);
- }
- }
-
-@@ -5486,6 +5509,13 @@ extern tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
- }
- }
-
-+ if (access_secure_service_from_temp_bond(p_dev_rec,
-+ p_dev_rec->is_originator,
-+ p_dev_rec->security_required)) {
-+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
-+ return (BTM_FAILED_ON_SECURITY);
-+ }
-+
- /* All required security procedures already established */
- p_dev_rec->security_required &=
- ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377027.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377027.patch
deleted file mode 100644
index da175a97..00000000
--- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377027.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng
-Date: Sat, 2 Sep 2023 04:27:29 +0000
-Subject: [PATCH] Reject access to secure services authenticated from temp
- bonding [2]
-
-Reject access to service running on rfcomm
-
-this is a backport of
-I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
-
-Bug: 294854926
-Test: m com.android.btservices
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5e0e907ec4948f06b3a35ecf08725c020d533ccb)
-Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
-Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
----
- stack/btm/btm_sec.cc | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
-index 4da0320c5..93e8b7a60 100644
---- a/stack/btm/btm_sec.cc
-+++ b/stack/btm/btm_sec.cc
-@@ -2633,6 +2633,11 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
- mx_chan_id, p_callback, p_ref_data);
- } else /* rc == BTM_SUCCESS */
- {
-+ if (access_secure_service_from_temp_bond(p_dev_rec,
-+ is_originator, security_required)) {
-+ LOG_ERROR(LOG_TAG, "Trying to access a secure rfcomm service from a temp bonding, reject");
-+ rc = BTM_FAILED_ON_SECURITY;
-+ }
- /* access granted */
- if (p_callback) {
- (*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc);
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377028.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377028.patch
deleted file mode 100644
index fad1a908..00000000
--- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377028.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng
-Date: Tue, 12 Sep 2023 23:47:48 +0000
-Subject: [PATCH] Reject access to secure service authenticated from a temp
- bonding [3]
-
-Allow access to rfcomm PSM by default
-
-Original bug
-Bug: 294854926
-
-Nearby regressions:
-Bug: 298539299
-
-Test: m com.android.btservices
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab986fe4165aae74c5915f57ad2e78bf80f1d3ec)
-Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
-Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
----
- stack/btm/btm_sec.cc | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
-index 93e8b7a60..80f4d3031 100644
---- a/stack/btm/btm_sec.cc
-+++ b/stack/btm/btm_sec.cc
-@@ -2313,15 +2313,15 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
- btm_cb.security_mode == BTM_SEC_MODE_SC) {
- if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
- if (is_originator) {
-- /* SM4 to SM4 -> always authenticate & encrypt */
-- security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
-+ /* SM4 to SM4 -> always encrypt */
-+ security_required |= BTM_SEC_OUT_ENCRYPT;
- } else /* acceptor */
- {
- /* SM4 to SM4: the acceptor needs to make sure the authentication is
- * already done */
- chk_acp_auth_done = true;
-- /* SM4 to SM4 -> always authenticate & encrypt */
-- security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
-+ /* SM4 to SM4 -> always encrypt */
-+ security_required |= BTM_SEC_IN_ENCRYPT;
- }
- } else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) {
- /* the remote features are not known yet */
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029-fix.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029-fix.patch
deleted file mode 100644
index d4b94b5b..00000000
--- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029-fix.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Tad
-Date: Mon, 11 Dec 2023 13:42:41 -0500
-Subject: [PATCH] Fixup missing import
-
-Signed-off-by: Tad
-Change-Id: I52177ea7c37da977a133afa791e7319c7fb4843b
----
- stack/Android.bp | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/stack/Android.bp b/stack/Android.bp
-index 696cd6cd2..7bc03a2c2 100644
---- a/stack/Android.bp
-+++ b/stack/Android.bp
-@@ -185,6 +185,7 @@ cc_library_static {
- shared_libs: [
- "libcutils",
- "liblog",
-+ "libcrypto",
- ],
- required: [
- "libldacBT_enc",
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029.patch
deleted file mode 100644
index 200888eb..00000000
--- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029.patch
+++ /dev/null
@@ -1,45 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Brian Delwiche -Date: Tue, 3 Oct 2023 21:27:49 +0000 -Subject: [PATCH] Fix timing attack in BTM_BleVerifySignature - -BTM_BleVerifySignature uses a stock memcmp, allowing signature contents -to be deduced through a side-channel attack. - -Change to CRYPTO_memcmp, which is hardened against this attack, to -eliminate this attack. - -Bug: 274478807 -Test: atest bluetooth_test_gd_unit -Tag: #security -Ignore-AOSP-First: Security -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce) -Merged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c -Change-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c - -Change-Id: Ib7f3fff9f40140978c4dfb2f20ca57127586a05a ---- - stack/btm/btm_ble.cc | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc -index 7fd154d2d..56f4fa1cd 100644 ---- a/stack/btm/btm_ble.cc -+++ b/stack/btm/btm_ble.cc -@@ -41,6 +41,7 @@ - #include "hcimsgs.h" - #include "log/log.h" - #include "l2c_int.h" -+#include "openssl/mem.h" - #include "osi/include/log.h" - #include "osi/include/osi.h" - #include "stack/crypto_toolbox/crypto_toolbox.h" -@@ -2183,7 +2184,7 @@ bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig, - - crypto_toolbox::aes_cmac(p_rec->ble.keys.pcsrk, p_orig, len, - BTM_CMAC_TLEN_SIZE, p_mac); -- if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) { -+ if (CRYPTO_memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) { - btm_ble_increment_sign_ctr(bd_addr, false); - verified = true; - } diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377030.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377030.patch deleted file mode 100644 index bfaad663..00000000 --- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377030.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: balakrishna -Date: Wed, 24 May 2023 13:28:21 +0530 -Subject: [PATCH] Fix OOB Write in pin_reply in bluetooth.cc - -Root cause: -if the length of "pin_code" is greater than 16, -an OOBW will be triggered due to a missing bounds check. - -Fix: -Check is added to avoid Out of Bound Write. - -CRs-Fixed: 3507292 -Change-Id: I15a1eae59b17f633e29180a01676c260189b8353 ---- - btif/src/bluetooth.cc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc -index 47667abd7..584d4c5db 100644 ---- a/btif/src/bluetooth.cc -+++ b/btif/src/bluetooth.cc -@@ -316,6 +316,7 @@ static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len, - bt_pin_code_t tmp_pin_code; - /* sanity check */ - if (interface_ready() == false) return BT_STATUS_NOT_READY; -+ if (pin_code == nullptr || pin_len > PIN_CODE_LEN) return BT_STATUS_FAIL; - - memcpy(&tmp_pin_code, pin_code, pin_len); - return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code); diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377031.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377031.patch deleted file mode 100644 index 09cc0478..00000000 --- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377031.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: balakrishna -Date: Tue, 7 Mar 2023 16:53:46 +0530 -Subject: [PATCH] BT: Fixing the rfc_slot_id overflow - -Root cause: -overflow causing leak in slot fds. -As slot id 0 not valid, we are not able to release these fds later. - -Fix: -Changes are made to avoid overflow while allocate rfc slots. - -CRs-Fixed: 3417458 -Change-Id: I5d7efa34bfb97a6dd8e9d68615d29120a0ae51f0 ---- - btif/src/btif_sock_rfc.cc | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/btif/src/btif_sock_rfc.cc b/btif/src/btif_sock_rfc.cc -index c2a0bc868..bfe549eb7 100644 ---- a/btif/src/btif_sock_rfc.cc -+++ b/btif/src/btif_sock_rfc.cc -@@ -215,7 +215,11 @@ static rfc_slot_t* alloc_rfc_slot(const RawAddress* addr, const char* name, - } - - // Increment slot id and make sure we don't use id=0. -- if (++rfc_slot_id == 0) rfc_slot_id = 1; -+ if (UINT32_MAX == rfc_slot_id) { -+ rfc_slot_id = 1; -+ } else { -+ ++rfc_slot_id; -+ } - - slot->fd = fds[0]; - slot->app_fd = fds[1]; diff --git a/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/377029-fix.patch b/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/377029-fix.patch deleted file mode 100644 index b767a691..00000000 --- a/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/377029-fix.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Tad -Date: Mon, 11 Dec 2023 13:42:41 -0500 -Subject: [PATCH] Fixup missing import - -Signed-off-by: Tad -Change-Id: I52177ea7c37da977a133afa791e7319c7fb4843b ---- - stack/Android.bp | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/stack/Android.bp b/stack/Android.bp -index b4a9d414c..be60b8ae7 100644 ---- a/stack/Android.bp -+++ b/stack/Android.bp -@@ -187,6 +187,7 @@ cc_library_static { - shared_libs: [ - "libcutils", - "liblog", -+ "libcrypto", - ], - required: [ - "libldacBT_enc", 
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index 21b0848e..4cf127ab 100644
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@@ -242,6 +242,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/373034.patch"; #n-asb-2023-11 U
 applyPatch "$DOS_PATCHES/android_frameworks_base/376458.patch"; #n-asb-2023-12 Drop invalid data.
 applyPatch "$DOS_PATCHES/android_frameworks_base/376459.patch"; #n-asb-2023-12 Validate userId when publishing shortcuts
 applyPatch "$DOS_PATCHES/android_frameworks_base/376460.patch"; #n-asb-2023-12 Adding in verification of calling UID in onShellCommand
+applyPatch "$DOS_PATCHES/android_frameworks_base/377939.patch"; #n-asb-2023-12 Require permission to unlock keyguard
 git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
 applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
diff --git a/Scripts/LineageOS-16.0/Functions.sh b/Scripts/LineageOS-16.0/Functions.sh
index b0fdcef7..988864d7 100644
--- a/Scripts/LineageOS-16.0/Functions.sh
+++ b/Scripts/LineageOS-16.0/Functions.sh
@@ -95,6 +95,7 @@ patchWorkspaceReal() {
 repopick -fit P_asb_2023-09;
 repopick -fit P_asb_2023-10 -e 370704;
 repopick -fit P_asb_2023-11 -e 374916;
+ repopick -fit P_asb_2023-12;
 sh "$DOS_SCRIPTS/Patch.sh";
 sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh
index 939c4906..1aa2c0fc 100644
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@@ -165,14 +165,6 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_fram fi; if enterAndClear "frameworks/base"; then -applyPatch "$DOS_PATCHES/android_frameworks_base/377001-backport.patch"; #R_asb_2023-12 Visit Uris added by WearableExtender -#applyPatch "$DOS_PATCHES/android_frameworks_base/377002.patch"; #R_asb_2023-12 Fix bypass BAL via `requestGeofence` -applyPatch "$DOS_PATCHES/android_frameworks_base/377004-backport.patch"; #R_asb_2023-12 Drop invalid data. -#applyPatch "$DOS_PATCHES/android_frameworks_base/377008.patch"; #R_asb_2023-12 Use readUniqueFileDescriptor in incidentd service #FIXME -applyPatch "$DOS_PATCHES/android_frameworks_base/377009.patch"; #R_asb_2023-12 Validate userId when publishing shortcuts -applyPatch "$DOS_PATCHES/android_frameworks_base/377010-backport.patch"; #R_asb_2023-12 Revert "On device lockdown, always show the keyguard" -applyPatch "$DOS_PATCHES/android_frameworks_base/377011.patch"; #R_asb_2023-12 Adding in verification of calling UID in onShellCommand -applyPatch "$DOS_PATCHES/android_frameworks_base/377012-backport.patch"; #R_asb_2023-12 Updated: always show the keyguard on device lockdown applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS) 
@@ -282,7 +274,6 @@ if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/LineageAud fi; if enterAndClear "packages/apps/Bluetooth"; then -applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/377014-backport.patch"; #R_asb_2023-12 Fix UAF in ~CallbackEnv if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) fi; @@ -342,7 +333,6 @@ applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics fi; if enterAndClear "packages/apps/Trebuchet"; then -applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/377015.patch"; #R_asb_2023-12 Fix permission bypass in legacy shortcut cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed fi; @@ -366,10 +356,6 @@ fi; #cp $DOS_PATCHES_COMMON/android_packages_providers_TelephonyProvider/carrier_list.* assets/; #fi; -if enterAndClear "packages/services/Telecomm"; then -applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/377016-backport.patch"; #R_asb_2023-12 Resolve account image icon profile boundary exploit. -fi; - if enterAndClear "packages/services/Telephony"; then git revert --no-edit 99564aaf0417c9ddf7d6aeb10d326e5b24fa8f55; applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #(DivestOS) 
@@ -377,12 +363,6 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred fi; if enterAndClear "system/bt"; then -applyPatch "$DOS_PATCHES/android_system_bt/377017.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1] -applyPatch "$DOS_PATCHES/android_system_bt/377018.patch"; #R_asb_2023-12 Reject access to secure services authenticated from temp bonding [2] -applyPatch "$DOS_PATCHES/android_system_bt/377019.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3] -applyPatch "$DOS_PATCHES/android_system_bt/377020.patch"; #R_asb_2023-12 Reorganize the code for checking auth requirement -applyPatch "$DOS_PATCHES/android_system_bt/377021.patch"; #R_asb_2023-12 Enforce authentication if encryption is required -applyPatch "$DOS_PATCHES/android_system_bt/377023-backport.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature applyPatch "$DOS_PATCHES/android_system_bt/377030.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc applyPatch "$DOS_PATCHES/android_system_bt/377031-backport.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS) diff --git a/Scripts/LineageOS-17.1/Functions.sh b/Scripts/LineageOS-17.1/Functions.sh index 04b83d4d..cf72180b 100644 --- a/Scripts/LineageOS-17.1/Functions.sh +++ b/Scripts/LineageOS-17.1/Functions.sh @@ -88,6 +88,7 @@ patchWorkspaceReal() { repopick -fit Q_asb_2023-09; repopick -fit Q_asb_2023-10 -e 376554; repopick -fit Q_asb_2023-11 -e 376568; + repopick -fit Q_asb_2023-12 -e 377251; sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh"; diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh index 87096b9c..6f5d2553 100644 --- a/Scripts/LineageOS-17.1/Patch.sh +++ b/Scripts/LineageOS-17.1/Patch.sh 
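Review bot: The added `repopick -fit Q_asb_2023-12 -e 377251;` line in Scripts/LineageOS-17.1/Functions.sh excludes change 377251 without saying why, so a later reader cannot tell whether that fix is intentionally dropped, superseded, or applied some other way. I would add a trailing comment in the style the Patch.sh files already use, e.g. `repopick -fit Q_asb_2023-12 -e 377251; #377251 excluded: <reason>`. Because the same commit deletes the per-patch `applyPatch` lines for the December bulletin from Scripts/LineageOS-17.1/Patch.sh, including the vendor/qcom Bluetooth ones, coverage now depends on what the topic contains at pick time; it is worth confirming that each removed fix is actually part of the topic. patchWorkspaceReal starts and ends outside the hunk.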
@@ -98,7 +98,6 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig -sed -i 's/2023-11-05/2023-12-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-12 #XXX fi; if enterAndClear "build/soong"; then @@ -139,6 +138,15 @@ if enterAndClear "external/libxml2"; then applyPatch "$DOS_PATCHES/android_external_libxml2/368053.patch"; #R_asb_2023-10 malloc-fail: Fix OOB read after xmlRegGetCounter fi; +if enterAndClear "external/pdfium"; then +git fetch https://github.com/LineageOS/android_external_pdfium refs/changes/83/378083/1 && git cherry-pick FETCH_HEAD; #Q_asb_2023-12 +git fetch https://github.com/LineageOS/android_external_pdfium refs/changes/84/378084/1 && git cherry-pick FETCH_HEAD; +git fetch https://github.com/LineageOS/android_external_pdfium refs/changes/85/378085/1 && git cherry-pick FETCH_HEAD; +git fetch https://github.com/LineageOS/android_external_pdfium refs/changes/86/378086/1 && git cherry-pick FETCH_HEAD; +git fetch https://github.com/LineageOS/android_external_pdfium refs/changes/87/378087/1 && git cherry-pick FETCH_HEAD; +git fetch https://github.com/LineageOS/android_external_pdfium refs/changes/88/378088/1 && git cherry-pick FETCH_HEAD; +fi; + if enterAndClear "external/svox"; then git revert --no-edit 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles sed -i '12iLOCAL_SDK_VERSION := current' pico/Android.mk; #Fix build under Pie 
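Review bot: In the new `external/pdfium` block each `git fetch … && git cherry-pick FETCH_HEAD;` line has no failure path: if the fetch or the cherry-pick fails, the script appears to carry on and the build proceeds without that security fix. The lines also cherry-pick whatever the remote serves for the change ref, with no check of the resulting commit id. I would route these through a small helper that compares FETCH_HEAD with an expected commit id and returns non-zero on any failure, as sketched below. Only the first of the six lines carries the `#Q_asb_2023-12` tag, so tagging all of them would keep the bulletin greppable; the existing external/zlib line visible in the next hunk follows the same unverified pattern.

```shell
# defined once, next to the other patch helpers
fetchAndPick() { #remote url, change ref, expected commit id
	git fetch "$1" "$2" || { echo "fetch failed: $2" >&2; return 1; }
	if [ "$(git rev-parse FETCH_HEAD)" != "$3" ]; then echo "unexpected commit for $2" >&2; return 1; fi;
	git cherry-pick FETCH_HEAD || { echo "cherry-pick failed: $2" >&2; return 1; }
}

if enterAndClear "external/pdfium"; then
fetchAndPick https://github.com/LineageOS/android_external_pdfium refs/changes/83/378083/1 "<EXPECTED_COMMIT_ID_PLACEHOLDER>"; #Q_asb_2023-12
# … unchanged: the remaining five changes, converted the same way …
fi;
```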
@@ -150,21 +158,7 @@ if enterAndClear "external/zlib"; then git fetch https://github.com/LineageOS/android_external_zlib refs/changes/70/352570/1 && git cherry-pick FETCH_HEAD; #Q_asb_2023-03 fi; -if enterAndClear "frameworks/av"; then -applyPatch "$DOS_PATCHES/android_frameworks_av/376999-backport.patch"; #R_asb_2023-12 httplive: fix use-after-free -fi; - if enterAndClear "frameworks/base"; then -applyPatch "$DOS_PATCHES/android_frameworks_base/377001.patch"; #R_asb_2023-12 Visit Uris added by WearableExtender -applyPatch "$DOS_PATCHES/android_frameworks_base/377002.patch"; #R_asb_2023-12 Fix bypass BAL via `requestGeofence` -applyPatch "$DOS_PATCHES/android_frameworks_base/377004-backport.patch"; #R_asb_2023-12 Drop invalid data. -applyPatch "$DOS_PATCHES/android_frameworks_base/377006.patch"; #R_asb_2023-12 Require permission to unlock keyguard -applyPatch "$DOS_PATCHES/android_frameworks_base/377008.patch"; #R_asb_2023-12 Use readUniqueFileDescriptor in incidentd service -applyPatch "$DOS_PATCHES/android_frameworks_base/377009.patch"; #R_asb_2023-12 Validate userId when publishing shortcuts -applyPatch "$DOS_PATCHES/android_frameworks_base/377010.patch"; #R_asb_2023-12 Revert "On device lockdown, always show the keyguard" -applyPatch "$DOS_PATCHES/android_frameworks_base/377011.patch"; #R_asb_2023-12 Adding in verification of calling UID in onShellCommand -applyPatch "$DOS_PATCHES/android_frameworks_base/377012.patch"; #R_asb_2023-12 Updated: always show the keyguard on device lockdown -#applyPatch "$DOS_PATCHES/android_frameworks_base/377013-backport.patch"; #R_asb_2023-12 Check URI permissions for resumable media artwork #XXX #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) 
#applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS) @@ -295,7 +289,6 @@ if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/LineageAud fi; if enterAndClear "packages/apps/Bluetooth"; then -applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/377014-backport.patch"; #R_asb_2023-12 Fix UAF in ~CallbackEnv #applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/272652.patch"; #ten-bt-sbc-hd-dualchannel: SBC Dual Channel (SBC HD Audio) support (ValdikSS) #applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/272653.patch"; #ten-bt-sbc-hd-dualchannel: Assume optional codecs are supported if were supported previously (ValdikSS) if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) @@ -368,7 +361,6 @@ applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics fi; if enterAndClear "packages/apps/Trebuchet"; then -applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/377015.patch"; #R_asb_2023-12 Fix permission bypass in legacy shortcut cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed fi; 
@@ -396,21 +388,11 @@ fi; #cp $DOS_PATCHES_COMMON/android_packages_providers_TelephonyProvider/carrier_list.* assets/; #fi; -if enterAndClear "packages/services/Telecomm"; then -applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/377016-backport.patch"; #R_asb_2023-12 Resolve account image icon profile boundary exploit. -fi; - if enterAndClear "prebuilts/abi-dumps/vndk"; then applyPatch "$DOS_PATCHES/android_prebuilts_abi-dumps_vndk/0001-protobuf-avi.patch"; #Work around ABI changes from compiler hardening (GrapheneOS) fi; if enterAndClear "system/bt"; then -applyPatch "$DOS_PATCHES/android_system_bt/377017.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1] -applyPatch "$DOS_PATCHES/android_system_bt/377018.patch"; #R_asb_2023-12 Reject access to secure services authenticated from temp bonding [2] -applyPatch "$DOS_PATCHES/android_system_bt/377019.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3] -applyPatch "$DOS_PATCHES/android_system_bt/377020.patch"; #R_asb_2023-12 Reorganize the code for checking auth requirement -applyPatch "$DOS_PATCHES/android_system_bt/377021.patch"; #R_asb_2023-12 Enforce authentication if encryption is required -applyPatch "$DOS_PATCHES/android_system_bt/377023-backport.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS) #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS) #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS) 
@@ -437,7 +419,6 @@ applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; # fi; if enterAndClear "system/netd"; then -applyPatch "$DOS_PATCHES/android_system_netd/377024-backport.patch"; #R_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) applyPatch "$DOS_PATCHES/android_system_netd/0002-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (DivestOS) fi; 
@@ -489,20 +470,6 @@ if enter "vendor/divested"; then echo "PRODUCT_PACKAGES += vendor.lineage.trust@1.0-service" >> packages.mk; #Add deny usb service, all of our kernels have the necessary patch awk -i inplace '!/speed-profile/' build/target/product/lowram.mk; #breaks compile on some dexpreopt devices fi; - -if enterAndClear "vendor/qcom/opensource/commonsys/system/bt"; then -applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377026.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1] -applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377027.patch"; #R_asb_2023-12 Reject access to secure services authenticated from temp bonding [2] -applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377028.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3] -applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377029.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature -applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377029-fix.patch"; #R_asb_2023-12 Fix missing import -applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377030.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc -applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377031.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow -fi; - -if enterAndClear "vendor/qcom/opensource/commonsys/packages/apps/Bluetooth"; then -applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_packages_apps_Bluetooth/377025.patch"; #R_asb_2023-12 Fix UAF in ~CallbackEnv -fi; # #END OF ROM CHANGES # diff --git a/Scripts/LineageOS-18.1/Functions.sh b/Scripts/LineageOS-18.1/Functions.sh index 71b72cfa..2946d65a 100644 --- a/Scripts/LineageOS-18.1/Functions.sh +++ b/Scripts/LineageOS-18.1/Functions.sh 
@@ -123,7 +123,6 @@ patchWorkspaceReal() { repopick -fit msm8974-gps-r; repopick -fit hh-vsync; repopick -fi 311299; #ble: Workaround malformed HCI_BLE_VENDOR_CAP response - repopick -it R_asb_2023-12; sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh"; diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh index 489708da..72b95c53 100644 --- a/Scripts/LineageOS-18.1/Patch.sh +++ b/Scripts/LineageOS-18.1/Patch.sh @@ -103,10 +103,6 @@ applyPatch "$DOS_PATCHES/android_build_soong/0001-Enable_fwrapv.patch"; #Use -fw if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_build_soong/0002-hm_apex.patch"; fi; #(GrapheneOS) fi; -if enterAndClear "cts"; then -git fetch https://github.com/LineageOS/android_cts refs/changes/97/376997/1 && git cherry-pick FETCH_HEAD; #R_asb_2023-12 -fi; - if enterAndClear "device/qcom/sepolicy-legacy"; then applyPatch "$DOS_PATCHES/android_device_qcom_sepolicy-legacy/0001-Camera_Fix.patch"; #Fix camera on -user builds XXX: REMOVE THIS TRASH (DivestOS) echo "SELINUX_IGNORE_NEVERALLOWS := true" >> sepolicy.mk; #Ignore neverallow violations XXX: necessary for -user builds of legacy devices @@ -127,10 +123,6 @@ applyPatch "$DOS_PATCHES/android_external_hardened_malloc/0001-Broken_Cameras.pa fi; fi; -if enterAndClear "external/pdfium"; then -git fetch https://github.com/LineageOS/android_external_pdfium refs/changes/98/376998/1 && git cherry-pick FETCH_HEAD; #R_asb_2023-12 -fi; - if enterAndClear "frameworks/base"; then applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) 
@@ -466,10 +458,6 @@ echo "PRODUCT_PACKAGES += vendor.lineage.trust@1.0-service" >> packages.mk; #Add echo "PRODUCT_PACKAGES += eSpeakNG" >> packages.mk; #PicoTTS needs work to compile on 18.1, use eSpeak-NG instead awk -i inplace '!/speed-profile/' build/target/product/lowram.mk; #breaks compile on some dexpreopt devices fi; - -if enterAndClear "vendor/qcom/opensource/commonsys/system/bt"; then -applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377029-fix.patch"; #R_asb_2023-12 Fix missing import -fi; # #END OF ROM CHANGES # diff --git a/Scripts/LineageOS-19.1/Functions.sh b/Scripts/LineageOS-19.1/Functions.sh index 40a4cb62..b16c7438 100644 --- a/Scripts/LineageOS-19.1/Functions.sh +++ b/Scripts/LineageOS-19.1/Functions.sh @@ -66,10 +66,9 @@ patchWorkspaceReal() { verifyAllPlatformTags; gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview"; - source build/envsetup.sh; + #source build/envsetup.sh; #repopick -ift twelve-bt-sbc-hd-dualchannel; #repopick -it twelve-colors; - repopick -it S_asb_2023-12; sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh"; diff --git a/Scripts/LineageOS-19.1/Patch.sh b/Scripts/LineageOS-19.1/Patch.sh index 7b49d7b9..915ecfbd 100644 --- a/Scripts/LineageOS-19.1/Patch.sh +++ b/Scripts/LineageOS-19.1/Patch.sh @@ -105,10 +105,6 @@ applyPatch "$DOS_PATCHES/android_build_soong/0001-Enable_fwrapv.patch"; #Use -fw if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_build_soong/0002-hm_apex.patch"; fi; #(GrapheneOS) fi; -if enterAndClear "cts"; then -git fetch https://github.com/LineageOS/android_cts refs/changes/75/376775/1 && git cherry-pick FETCH_HEAD; #S_asb_2023-12 -fi; - if enterAndClear "external/chromium-webview"; then if [ "$(type -t DOS_WEBVIEW_CHERRYPICK)" = "alias" ] ; then DOS_WEBVIEW_CHERRYPICK; fi; #Update the WebView to latest if available if [ "$DOS_WEBVIEW_LFS" = true ]; then git lfs pull; fi; #Ensure the objects are available 
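Review bot: In the Scripts/LineageOS-19.1/Functions.sh hunk, `source build/envsetup.sh;` is commented out rather than removed, with no note on why or when it has to come back. `repopick` is presumably provided by that sourcing, so whoever re-adds a `repopick -it …` line for a later bulletin would hit a missing command and, depending on the script's error handling, could continue without the picks. A short comment would make the dependency explicit: `#source build/envsetup.sh; #only needed while a repopick line below is active`. patchWorkspaceReal starts and ends outside the hunk.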
@@ -125,10 +121,6 @@ applyPatch "$DOS_PATCHES/android_external_hardened_malloc/0001-Broken_Cameras-2. fi; fi; -if enterAndClear "external/pdfium"; then -git fetch https://github.com/LineageOS/android_external_pdfium refs/changes/76/376776/1 && git cherry-pick FETCH_HEAD; #S_asb_2023-12 -fi; - if enterAndClear "external/SecureCamera"; then sed -i '/LOCAL_MODULE/s/Camera/SecureCamera/' Android.mk; #Change module name sed -i '11iLOCAL_OVERRIDES_PACKAGES := Camera Camera2 LegacyCamera Snap OpenCamera' Android.mk; #Replace the others @@ -416,7 +408,6 @@ applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; # fi; if enterAndClear "system/netd"; then -git fetch https://github.com/LineageOS/android_system_netd refs/changes/09/376809/1 && git cherry-pick FETCH_HEAD; #S_asb_2023-12 applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) fi;