16.0: October 2024 ASB Picks

Signed-off-by: Tavi <tavi@divested.dev>
2025-01-12 07:59:36 -05:00 · 2024-10-16 20:07:02 -04:00 · 2024-10-16 20:07:02 -04:00 · 17ea960b46
commit 17ea960b46
parent 782f2e1dde
8 changed files with 686 additions and 1 deletions
--- a/Patches/LineageOS-16.0/android_frameworks_base/405829.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/405829.patch
@ -0,0 +1,32 @@
+From a2fea355e79d8057e5910f52ef067642b1d46189 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Thu, 11 Jul 2024 12:39:22 -0700
+Subject: [PATCH] Update AccountManagerService checkKeyIntent.
+
+Block intents with "content" data scheme.
+
+Bug: 349780950
+Test: manual
+Flag: EXEMPT bugfix
+(cherry picked from commit c1e79495a49bd4d3e380136fe4bca7ac1a9ed763)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59b2cc4447fbbdea58840f5b9d885d83241ac5f5)
+Merged-In: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c
+Change-Id: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c
+---
+ .../com/android/server/accounts/AccountManagerService.java     | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 19e1a4c55120a..c5fff3652c283 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -4799,6 +4799,9 @@ protected boolean checkKeyIntent(int authUid, Bundle bundle) {
+                 if (resolveInfo == null) {
+                     return false;
+                 }
+                if ("content".equals(intent.getScheme())) {
+                    return false;
+                }
+                 ActivityInfo targetActivityInfo = resolveInfo.activityInfo;
+                 int targetUid = targetActivityInfo.applicationInfo.uid;
+                 PackageManagerInternal pmi = LocalServices.getService(PackageManagerInternal.class);
--- a/Patches/LineageOS-16.0/android_frameworks_base/405830.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/405830.patch
@ -0,0 +1,30 @@
+From 036b28bd48fae9e16d8b1b2a8bb629f4221e41c2 Mon Sep 17 00:00:00 2001
+From: William Loh <wloh@google.com>
+Date: Mon, 3 Jun 2024 12:56:47 -0700
+Subject: [PATCH] Fail parseUri if end is missing
+
+Bug: 318683126
+Test: atest IntentTest
+Flag: EXEMPT bugfix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b85bee508793e31d6fe37fc9cd4e8fa3787113cc)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d754ed6dd1fd321746f5ec4742831ffd97a9967)
+Merged-In: I5f619ced684ff505ce2b7408cd35dd3e9be89dea
+Change-Id: I5f619ced684ff505ce2b7408cd35dd3e9be89dea
+---
+ core/java/android/content/Intent.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java
+index 66c2658f9f132..dbed1b1a8fd31 100644
+--- a/core/java/android/content/Intent.java
+++ b/core/java/android/content/Intent.java
+@@ -6277,6 +6277,9 @@ public static Intent parseUri(String uri, @UriFlags int flags) throws URISyntaxE
+                 int eq = uri.indexOf('=', i);
+                 if (eq < 0) eq = i-1;
+                 int semi = uri.indexOf(';', i);
+                if (semi < 0) {
+                    throw new URISyntaxException(uri, "uri end not found");
+                }
+                 String value = eq < semi ? Uri.decode(uri.substring(eq + 1, semi)) : "";
+ 
+                 // action
--- a/Patches/LineageOS-16.0/android_libcore/405831.patch
+++ b/Patches/LineageOS-16.0/android_libcore/405831.patch
@ -0,0 +1,53 @@
+From b7877b7a39d68acb35c40d1df1b588f067cca800 Mon Sep 17 00:00:00 2001
+From: Almaz Mingaleev <mingaleev@google.com>
+Date: Wed, 10 Jul 2024 13:38:35 +0100
+Subject: [PATCH] Do not accept zip files with invalid headers.
+
+According to Section 4.3.6 in [1] non-empty zip file starts with
+local file header. 4.3.1 allows empty files, and in such case
+file starts with "end of central directory record".
+
+This aligns ZipFile with libziparchive modulo empty zip files -
+libziparchive rejects them.
+
+Tests are skipped because sc-dev branch uses ART module
+prebuilts, but builds tests from sources which leads to presubmit
+failures.
+
+Ignore-AOSP-First: b/309938635#comment1
+
+[1] https://pkwaredownloads.blob.core.windows.net/pem/APPNOTE.txt
+
+Bug: 309938635
+Test: CtsLibcoreTestCases
+Test: CtsLibcoreOjTestCases
+(cherry picked from commit 288a44a1817707110cdf5a3a6ef8377c6e10cce2)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:43e428a99aa89a9dfbe93000171721ecbfc31b88)
+Merged-In: I545cdd49ec3cc138331145f4716c8148662a478b
+Change-Id: I545cdd49ec3cc138331145f4716c8148662a478b
+---
+ ojluni/src/main/native/zip_util.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/ojluni/src/main/native/zip_util.c b/ojluni/src/main/native/zip_util.c
+index e2503e84c2e..1f38b1783f1 100644
+--- a/ojluni/src/main/native/zip_util.c
+++ b/ojluni/src/main/native/zip_util.c
+@@ -876,6 +876,17 @@ ZIP_Put_In_Cache0(const char *name, ZFILE zfd, char **pmsg, jlong lastModified,
+             zip->locsig = JNI_TRUE;
+         else
+             zip->locsig = JNI_FALSE;
+
+        // BEGIN Android-changed: do not accept files with invalid header.
+        if (GETSIG(errbuf) != LOCSIG && GETSIG(errbuf) != ENDSIG) {
+            if (pmsg) {
+                *pmsg = strdup("Entry at offset zero has invalid LFH signature.");
+            }
+            ZFILE_Close(zfd);
+            freeZip(zip);
+            return NULL;
+        }
+        // END Android-changed: do not accept files with invalid header.
+     }
+ 
+     // This lseek is safe because it happens during construction of the ZipFile
--- a/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/405835.patch
+++ b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/405835.patch
@ -0,0 +1,95 @@
+From 6d050ad48cfcf668435f391733d28752061e62db Mon Sep 17 00:00:00 2001
+From: Himanshu Rawat <rwt@google.com>
+Date: Mon, 8 Apr 2024 19:44:45 +0000
+Subject: [PATCH] [BACKPORT] Disallow unexpected incoming HID connections 2/2
+
+HID profile accepted any new incoming HID connection. Even when the
+connection policy disabled HID connection, remote devices could initiate
+HID connection.
+This change ensures that incoming HID connection are accepted only if
+application was interested in that HID connection.
+This vulnerarbility no longer exists on the main because of feature
+request b/324093729.
+
+Test: Manual | Pair and connect a HID device, disable HID connection
+from Bluetooth device setting, attempt to connect from the HID device.
+Bug: 308429049
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fc87e65eb3d70f051e2902d3e81ce6587ab1a96)
+Merged-In: I1d7e886b1045d026f96c8274aca86dc499f87777
+Change-Id: I1d7e886b1045d026f96c8274aca86dc499f87777
+---
+ jni/com_android_bluetooth_hid_host.cpp            |  8 +++++---
+ src/com/android/bluetooth/hid/HidHostService.java | 12 +++++++++---
+ 2 files changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/jni/com_android_bluetooth_hid_host.cpp b/jni/com_android_bluetooth_hid_host.cpp
+index 7838ff6ce..60fffc2f3 100644
+--- a/jni/com_android_bluetooth_hid_host.cpp
+++ b/jni/com_android_bluetooth_hid_host.cpp
+@@ -276,7 +276,8 @@ static jboolean connectHidNative(JNIEnv* env, jobject object,
+ }
+ 
+ static jboolean disconnectHidNative(JNIEnv* env, jobject object,
+-                                    jbyteArray address) {
+                                    jbyteArray address,
+                                    jboolean reconnect_allowed) {
+   jbyte* addr;
+   jboolean ret = JNI_TRUE;
+   if (!sBluetoothHidInterface) return JNI_FALSE;
+@@ -287,7 +288,8 @@ static jboolean disconnectHidNative(JNIEnv* env, jobject object,
+     return JNI_FALSE;
+   }
+ 
+-  bt_status_t status = sBluetoothHidInterface->disconnect((RawAddress*)addr);
+  bt_status_t status =
+      sBluetoothHidInterface->disconnect((RawAddress*)addr, reconnect_allowed);
+   if (status != BT_STATUS_SUCCESS) {
+     ALOGE("Failed disconnect hid channel, status: %d", status);
+     ret = JNI_FALSE;
+@@ -503,7 +505,7 @@ static JNINativeMethod sMethods[] = {
+     {"initializeNative", "()V", (void*)initializeNative},
+     {"cleanupNative", "()V", (void*)cleanupNative},
+     {"connectHidNative", "([B)Z", (void*)connectHidNative},
+-    {"disconnectHidNative", "([B)Z", (void*)disconnectHidNative},
+    {"disconnectHidNative", "([BZ)Z", (void*)disconnectHidNative},
+     {"getProtocolModeNative", "([B)Z", (void*)getProtocolModeNative},
+     {"virtualUnPlugNative", "([B)Z", (void*)virtualUnPlugNative},
+     {"setProtocolModeNative", "([BB)Z", (void*)setProtocolModeNative},
+diff --git a/src/com/android/bluetooth/hid/HidHostService.java b/src/com/android/bluetooth/hid/HidHostService.java
+index 63f52060b..1113760f2 100644
+--- a/src/com/android/bluetooth/hid/HidHostService.java
+++ b/src/com/android/bluetooth/hid/HidHostService.java
+@@ -157,7 +157,10 @@ public void handleMessage(Message msg) {
+                 break;
+                 case MESSAGE_DISCONNECT: {
+                     BluetoothDevice device = (BluetoothDevice) msg.obj;
+-                    if (!disconnectHidNative(Utils.getByteAddress(device))) {
+                    int connectionPolicy = getPriority(device);
+                    boolean reconnectAllowed =
+                            connectionPolicy == BluetoothProfile.PRIORITY_ON;
+                    if (!disconnectHidNative(Utils.getByteAddress(device), reconnectAllowed)) {
+                         broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTING);
+                         broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTED);
+                         break;
+@@ -181,7 +184,10 @@ public void handleMessage(Message msg) {
+                         if (DBG) {
+                             Log.d(TAG, "Incoming HID connection rejected");
+                         }
+-                        disconnectHidNative(Utils.getByteAddress(device));
+                        int connectionPolicy = getPriority(device);
+                        boolean reconnectAllowed =
+                                connectionPolicy == BluetoothProfile.PRIORITY_ON;
+                        disconnectHidNative(Utils.getByteAddress(device), reconnectAllowed);
+                     } else {
+                         broadcastConnectionState(device, convertHalState(halState));
+                     }
+@@ -873,7 +879,7 @@ public void dump(StringBuilder sb) {
+ 
+     private native boolean connectHidNative(byte[] btAddress);
+ 
+-    private native boolean disconnectHidNative(byte[] btAddress);
+    private native boolean disconnectHidNative(byte[] btAddress, boolean reconnectAllowed);
+ 
+     private native boolean getProtocolModeNative(byte[] btAddress);
+ 
--- a/Patches/LineageOS-16.0/android_packages_apps_Settings/405832.patch
+++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/405832.patch
@ -0,0 +1,51 @@
+From 9e4a67d2ae95b69f88b0bdf15ace52870ae93d5e Mon Sep 17 00:00:00 2001
+From: Yiling Chuang <emilychuang@google.com>
+Date: Mon, 8 Jul 2024 03:09:50 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE FRP bypass defense in App battery usage
+ page
+
+Before the setup flow completion, don't allow the app info page in App battery usage to be launched.
+
+Bug: 327748846
+Test: atest SettingsRoboTests + manual test
+- factory reset + launch app battery usage app info via ADB during Setup -> verify app closes
+Flag : EXEMPT bugfix
+
+(cherry picked from commit 419a6a907902a12a0f565c808fa70092004d6686)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b0014ed6e69b0abc48a5c18b740f95bc5dc429)
+Merged-In: I486820ca2afecc02729a56a3c531fb931c1907d0
+Change-Id: I486820ca2afecc02729a56a3c531fb931c1907d0
+---
+ .../android/settings/fuelgauge/AdvancedPowerUsageDetail.java | 5 +++++
+ .../settings/fuelgauge/AdvancedPowerUsageDetailTest.java     | 3 +++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java
+index 683395e773c..d2a34c64886 100644
+--- a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java
+++ b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java
+@@ -234,6 +234,11 @@ public void onResume() {
+         initPreference();
+     }
+ 
+    @Override
+    protected boolean shouldSkipForInitialSUW() {
+        return true;
+    }
+
+     @VisibleForTesting
+     void initAnomalyInfo() {
+         mAnomalies = getArguments().getParcelableArrayList(EXTRA_ANOMALY_LIST);
+diff --git a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java
+index 0be63899785..2de4786763d 100644
+--- a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java
+++ b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java
+@@ -434,5 +434,8 @@ public void testInitAnomalyInfo_anomalyExisted_updateAnomaly() {
+         mFragment.initAnomalyInfo();
+ 
+         verify(mAnomalySummaryPreferenceController).updateAnomalySummaryPreference(mAnomalies);
+
+    public void shouldSkipForInitialSUW_returnTrue() {
+        assertThat(mFragment.shouldSkipForInitialSUW()).isTrue();
+     }
+ }
--- a/Patches/LineageOS-16.0/android_system_bt/405833.patch
+++ b/Patches/LineageOS-16.0/android_system_bt/405833.patch
@ -0,0 +1,56 @@
+From cae2930774ada0de113a04086e2d10009e6774e3 Mon Sep 17 00:00:00 2001
+From: Chris Manton <cmanton@google.com>
+Date: Sun, 14 Mar 2021 09:52:19 -0700
+Subject: [PATCH] Add btif/include/btif_hh::btif_hh_status_text
+
+Toward loggable code
+
+Bug: 163134718
+Test: gd/cert/run
+Tag: #refactor
+BYPASS_LONG_LINES_REASON: Bluetooth likes 120 lines
+
+Change-Id: Iab6a4f33a3e498c33f4870abc5abd59e073d03f2
+---
+ btif/include/btif_hh.h | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/btif/include/btif_hh.h b/btif/include/btif_hh.h
+index 2364544824e..5c1ad45108b 100644
+--- a/btif/include/btif_hh.h
+++ b/btif/include/btif_hh.h
+@@ -45,7 +45,7 @@
+  *  Type definitions and return values
+  ******************************************************************************/
+ 
+-typedef enum {
+typedef enum : unsigned {
+   BTIF_HH_DISABLED = 0,
+   BTIF_HH_ENABLED,
+   BTIF_HH_DISABLING,
+@@ -55,6 +55,25 @@ typedef enum {
+   BTIF_HH_DEV_DISCONNECTED
+ } BTIF_HH_STATUS;
+ 
+#define CASE_RETURN_TEXT(code) \
+  case code:                   \
+    return #code
+
+inline std::string btif_hh_status_text(const BTIF_HH_STATUS& status) {
+  switch (status) {
+    CASE_RETURN_TEXT(BTIF_HH_DISABLED);
+    CASE_RETURN_TEXT(BTIF_HH_ENABLED);
+    CASE_RETURN_TEXT(BTIF_HH_DISABLING);
+    CASE_RETURN_TEXT(BTIF_HH_DEV_UNKNOWN);
+    CASE_RETURN_TEXT(BTIF_HH_DEV_CONNECTING);
+    CASE_RETURN_TEXT(BTIF_HH_DEV_CONNECTED);
+    CASE_RETURN_TEXT(BTIF_HH_DEV_DISCONNECTED);
+    default:
+      return std::string("UNKNOWN[%hhu]", status);
+  }
+}
+#undef CASE_RETURN_TEXT
+
+ typedef struct {
+   bthh_connection_state_t dev_status;
+   uint8_t dev_handle;
--- a/Patches/LineageOS-16.0/android_system_bt/405834.patch
+++ b/Patches/LineageOS-16.0/android_system_bt/405834.patch
@ -0,0 +1,361 @@
+From d2c71969119d6c4bee9c9da387af449827448d03 Mon Sep 17 00:00:00 2001
+From: Himanshu Rawat <rwt@google.com>
+Date: Mon, 8 Apr 2024 19:42:21 +0000
+Subject: [PATCH] [BACKPORT] Disallow unexpected incoming HID connections 1/2
+
+HID profile accepted any new incoming HID connection. Even when the
+connection policy disabled HID connection, remote devices could initiate
+HID connection.
+This change ensures that incoming HID connection are accepted only if
+application was interested in that HID connection.
+This vulnerarbility no longer exists on the main because of feature
+request b/324093729.
+
+Test: Manual | Pair and connect a HID device, disable HID connection
+from Bluetooth device setting, attempt to connect from the HID device.
+Bug: 308429049
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:18c635ad7923f5c26d6cd4cf7f7c66b2fa02462b)
+Merged-In: I6e9db983e752dd498625078c13b736cd4c668806
+Change-Id: I6e9db983e752dd498625078c13b736cd4c668806
+---
+ btif/include/btif_hh.h      |  4 +-
+ btif/include/btif_storage.h | 23 ++++++++++
+ btif/src/btif_hh.cc         | 86 ++++++++++++++++++++++++++++++++++---
+ btif/src/btif_storage.cc    | 53 ++++++++++++++++++++++-
+ include/hardware/bt_hh.h    |  2 +-
+ 5 files changed, 160 insertions(+), 8 deletions(-)
+
+diff --git a/btif/include/btif_hh.h b/btif/include/btif_hh.h
+index 5c1ad45108b..8c9ead46283 100644
+--- a/btif/include/btif_hh.h
+++ b/btif/include/btif_hh.h
+@@ -94,6 +94,7 @@ typedef struct {
+   uint8_t dev_handle;
+   RawAddress bd_addr;
+   tBTA_HH_ATTR_MASK attr_mask;
+  bool reconnect_allowed;
+ } btif_hh_added_device_t;
+ 
+ /**
+@@ -119,7 +120,8 @@ extern btif_hh_cb_t btif_hh_cb;
+ extern btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle);
+ extern void btif_hh_remove_device(RawAddress bd_addr);
+ extern bool btif_hh_add_added_dev(const RawAddress& bda,
+-                                  tBTA_HH_ATTR_MASK attr_mask);
+                                  tBTA_HH_ATTR_MASK attr_mask,
+                                  bool reconnect_allowed);
+ extern bt_status_t btif_hh_virtual_unplug(const RawAddress* bd_addr);
+ extern void btif_hh_disconnect(RawAddress* bd_addr);
+ extern void btif_hh_setreport(btif_hh_device_t* p_dev,
+diff --git a/btif/include/btif_storage.h b/btif/include/btif_storage.h
+index 07d29c81a7e..365f714d2d6 100644
+--- a/btif/include/btif_storage.h
+++ b/btif/include/btif_storage.h
+@@ -152,6 +152,29 @@ bt_status_t btif_storage_remove_bonded_device(const RawAddress* remote_bd_addr);
+  ******************************************************************************/
+ bt_status_t btif_storage_load_bonded_devices(void);
+ 
+/*******************************************************************************
+ *
+ * Function         btif_storage_set_hid_connection_policy
+ *
+ * Description      Stores connection policy info in nvram
+ *
+ * Returns          BT_STATUS_SUCCESS
+ *
+ ******************************************************************************/
+bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr,
+                                                   bool reconnect_allowed);
+/*******************************************************************************
+ *
+ * Function         btif_storage_get_hid_connection_policy
+ *
+ * Description      get connection policy info from nvram
+ *
+ * Returns          BT_STATUS_SUCCESS
+ *
+ ******************************************************************************/
+bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr,
+                                                   bool* reconnect_allowed);
+
+ /*******************************************************************************
+  *
+  * Function         btif_storage_add_hid_device_info
+diff --git a/btif/src/btif_hh.cc b/btif/src/btif_hh.cc
+index b6441e1cce0..ea6559d34f2 100644
+--- a/btif/src/btif_hh.cc
+++ b/btif/src/btif_hh.cc
+@@ -338,6 +338,24 @@ btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle) {
+   return NULL;
+ }
+ 
+/*******************************************************************************
+ *
+ * Function         btif_hh_find_added_dev
+ *
+ * Description      Return the added device pointer of the specified address
+ *
+ * Returns          Added device entry
+ ******************************************************************************/
+btif_hh_added_device_t* btif_hh_find_added_dev(const RawAddress& addr) {
+  for (int i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) {
+    btif_hh_added_device_t* added_dev = &btif_hh_cb.added_devices[i];
+    if (added_dev->bd_addr == addr) {
+      return added_dev;
+    }
+  }
+  return nullptr;
+}
+
+ /*******************************************************************************
+  *
+  * Function         btif_hh_find_dev_by_bda
+@@ -423,7 +441,8 @@ void btif_hh_start_vup_timer(const RawAddress* bd_addr) {
+  *
+  * Returns          true if add successfully, otherwise false.
+  ******************************************************************************/
+-bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) {
+bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask,
+                           bool reconnect_allowed) {
+   int i;
+   for (i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) {
+     if (btif_hh_cb.added_devices[i].bd_addr == bda) {
+@@ -437,6 +456,7 @@ bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) {
+       btif_hh_cb.added_devices[i].bd_addr = bda;
+       btif_hh_cb.added_devices[i].dev_handle = BTA_HH_INVALID_HANDLE;
+       btif_hh_cb.added_devices[i].attr_mask = attr_mask;
+      btif_hh_cb.added_devices[i].reconnect_allowed = reconnect_allowed;
+       return true;
+     }
+   }
+@@ -692,6 +712,23 @@ void btif_hh_service_registration(bool enable) {
+  *
+  ****************************************************************************/
+ 
+static bool btif_hh_connection_allowed(const RawAddress& bda) {
+  /* Accept connection only if reconnection is allowed for the known device, or
+   * outgoing connection was requested */
+  btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(bda);
+  if (added_dev != nullptr && added_dev->reconnect_allowed) {
+    LOG_VERBOSE(LOG_TAG, "Connection allowed %s", bda.ToString().c_str());
+    return true;
+  } else if (btif_hh_cb.pending_conn_address == bda) {
+    LOG_VERBOSE(LOG_TAG, "Device connection was pending for: %s, status: %s",
+                bda.ToString().c_str(),
+                btif_hh_status_text(btif_hh_cb.status).c_str());
+    return true;
+  }
+
+  return false;
+}
+
+ /*******************************************************************************
+  *
+  * Function         btif_hh_upstreams_evt
+@@ -750,9 +787,26 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
+             p_data->status);
+       break;
+ 
+-    case BTA_HH_OPEN_EVT:
+    case BTA_HH_OPEN_EVT: {
+       BTIF_TRACE_WARNING("%s: BTA_HH_OPN_EVT: handle=%d, status =%d", __func__,
+                          p_data->conn.handle, p_data->conn.status);
+
+      if (!btif_hh_connection_allowed(p_data->conn.bda)) {
+        LOG_WARN(LOG_TAG, "Reject Incoming HID Connection, device: %s",
+                 p_data->conn.bda.ToString().c_str());
+        btif_hh_device_t* p_dev =
+            btif_hh_find_connected_dev_by_handle(p_data->conn.handle);
+        if (p_dev != nullptr) {
+          p_dev->dev_status = BTHH_CONN_STATE_DISCONNECTED;
+        }
+
+        btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED;
+        BTA_HhClose(p_data->conn.handle);
+        HAL_CBACK(bt_hh_callbacks, connection_state_cb, &p_data->conn.bda,
+                  BTHH_CONN_STATE_DISCONNECTED);
+        return;
+      }
+
+       btif_hh_cb.pending_conn_address = RawAddress::kEmpty;
+       if (p_data->conn.status == BTA_HH_OK) {
+         p_dev = btif_hh_find_connected_dev_by_handle(p_data->conn.handle);
+@@ -811,6 +865,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
+         btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED;
+       }
+       break;
+    }
+ 
+     case BTA_HH_CLOSE_EVT:
+       BTIF_TRACE_DEBUG("BTA_HH_CLOSE_EVT: status = %d, handle = %d",
+@@ -963,7 +1018,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
+                                 p_data->dscp_info.version,
+                                 p_data->dscp_info.ctry_code, len,
+                                 p_data->dscp_info.descriptor.dsc_list);
+-        if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask)) {
+        if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask, true)) {
+           tBTA_HH_DEV_DSCP_INFO dscp_info;
+           bt_status_t ret;
+           btif_hh_copy_hid_info(&dscp_info, &p_data->dscp_info);
+@@ -979,6 +1034,8 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
+               p_data->dscp_info.ssr_min_tout, len,
+               p_data->dscp_info.descriptor.dsc_list);
+ 
+          btif_storage_set_hid_connection_policy(p_dev->bd_addr, true);
+
+           ASSERTC(ret == BT_STATUS_SUCCESS, "storing hid info failed", ret);
+           BTIF_TRACE_WARNING("BTA_HH_GET_DSCP_EVT: Called add device");
+ 
+@@ -1260,6 +1317,13 @@ static bt_status_t init(bthh_callbacks_t* callbacks) {
+  ******************************************************************************/
+ static bt_status_t connect(RawAddress* bd_addr) {
+   if (btif_hh_cb.status != BTIF_HH_DEV_CONNECTING) {
+    /* If the device was already added, ensure that reconnections are allowed */
+    btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr);
+    if (added_dev != nullptr && !added_dev->reconnect_allowed) {
+      added_dev->reconnect_allowed = true;
+      btif_storage_set_hid_connection_policy(*bd_addr, true);
+    }
+
+     btif_transfer_context(btif_hh_handle_evt, BTIF_HH_CONNECT_REQ_EVT,
+                           (char*)bd_addr, sizeof(RawAddress), NULL);
+     return BT_STATUS_SUCCESS;
+@@ -1276,7 +1340,7 @@ static bt_status_t connect(RawAddress* bd_addr) {
+  * Returns         bt_status_t
+  *
+  ******************************************************************************/
+-static bt_status_t disconnect(RawAddress* bd_addr) {
+static bt_status_t disconnect(RawAddress* bd_addr, bool reconnect_allowed) {
+   CHECK_BTHH_INIT();
+   BTIF_TRACE_EVENT("BTHH: %s", __func__);
+   btif_hh_device_t* p_dev;
+@@ -1286,6 +1350,17 @@ static bt_status_t disconnect(RawAddress* bd_addr) {
+                        btif_hh_cb.status);
+     return BT_STATUS_FAIL;
+   }
+
+  if (!reconnect_allowed) {
+    LOG_INFO(LOG_TAG, "Incoming reconnections disabled for device %s",
+             bd_addr->ToString().c_str());
+    btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr);
+    if (added_dev != nullptr && added_dev->reconnect_allowed) {
+      added_dev->reconnect_allowed = false;
+      btif_storage_set_hid_connection_policy(added_dev->bd_addr, false);
+    }
+  }
+
+   p_dev = btif_hh_find_connected_dev_by_bda(*bd_addr);
+   if (p_dev != NULL) {
+     return btif_transfer_context(btif_hh_handle_evt, BTIF_HH_DISCONNECT_REQ_EVT,
+@@ -1417,9 +1492,10 @@ static bt_status_t set_info(RawAddress* bd_addr, bthh_hid_info_t hid_info) {
+       (uint8_t*)osi_malloc(dscp_info.descriptor.dl_len);
+   memcpy(dscp_info.descriptor.dsc_list, &(hid_info.dsc_list), hid_info.dl_len);
+ 
+-  if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask)) {
+  if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask, true)) {
+     BTA_HhAddDev(*bd_addr, hid_info.attr_mask, hid_info.sub_class,
+                  hid_info.app_id, dscp_info);
+    btif_storage_set_hid_connection_policy(*bd_addr, true);
+   }
+ 
+   osi_free_and_reset((void**)&dscp_info.descriptor.dsc_list);
+diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc
+index ef2e191ebce..f768845dddf 100644
+--- a/btif/src/btif_storage.cc
+++ b/btif/src/btif_storage.cc
+@@ -85,6 +85,8 @@ using bluetooth::Uuid;
+ #define BTIF_STORAGE_KEY_ADAPTER_SCANMODE "ScanMode"
+ #define BTIF_STORAGE_KEY_ADAPTER_DISC_TIMEOUT "DiscoveryTimeout"
+ 
+#define BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED "HidReConnectAllowed"
+
+ /* This is a local property to add a device found */
+ #define BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP 0xFF
+ 
+@@ -1260,6 +1262,50 @@ bt_status_t btif_storage_get_remote_addr_type(const RawAddress* remote_bd_addr,
+       btif_config_get_int(remote_bd_addr->ToString(), "AddrType", addr_type);
+   return ret ? BT_STATUS_SUCCESS : BT_STATUS_FAIL;
+ }
+
+/*******************************************************************************
+ *
+ * Function         btif_storage_set_hid_connection_policy
+ *
+ * Description      Stores connection policy info in nvram
+ *
+ * Returns          BT_STATUS_SUCCESS
+ *
+ ******************************************************************************/
+bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr,
+                                                   bool reconnect_allowed) {
+  std::string bdstr = addr.ToString();
+
+  if (btif_config_set_int(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED,
+                          reconnect_allowed)) {
+    return BT_STATUS_SUCCESS;
+  } else {
+    return BT_STATUS_FAIL;
+  }
+}
+
+/*******************************************************************************
+ *
+ * Function         btif_storage_get_hid_connection_policy
+ *
+ * Description      get connection policy info from nvram
+ *
+ * Returns          BT_STATUS_SUCCESS
+ *
+ ******************************************************************************/
+bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr,
+                                                   bool* reconnect_allowed) {
+  std::string bdstr = addr.ToString();
+
+  // For backward compatibility, assume that the reconnection is allowed in the
+  // absence of the key
+  int value = 1;
+  btif_config_get_int(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED, &value);
+  *reconnect_allowed = (value != 0);
+
+  return BT_STATUS_SUCCESS;
+}
+
+ /*******************************************************************************
+  *
+  * Function         btif_storage_add_hid_device_info
+@@ -1362,8 +1408,12 @@ bt_status_t btif_storage_load_bonded_hid_info(void) {
+ 
+     RawAddress bd_addr;
+     RawAddress::FromString(name, bd_addr);
+
+    bool reconnect_allowed = false;
+    btif_storage_get_hid_connection_policy(bd_addr, &reconnect_allowed);
+
+     // add extracted information to BTA HH
+-    if (btif_hh_add_added_dev(bd_addr, attr_mask)) {
+    if (btif_hh_add_added_dev(bd_addr, attr_mask, reconnect_allowed)) {
+       BTA_HhAddDev(bd_addr, attr_mask, sub_class, app_id, dscp_info);
+     }
+   }
+@@ -1395,6 +1445,7 @@ bt_status_t btif_storage_remove_hid_info(RawAddress* remote_bd_addr) {
+   btif_config_remove(bdstr, "HidSSRMaxLatency");
+   btif_config_remove(bdstr, "HidSSRMinTimeout");
+   btif_config_remove(bdstr, "HidDescriptor");
+  btif_config_remove(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED);
+   btif_config_save();
+   return BT_STATUS_SUCCESS;
+ }
+diff --git a/include/hardware/bt_hh.h b/include/hardware/bt_hh.h
+index b87b129bb12..923c6279216 100644
+--- a/include/hardware/bt_hh.h
+++ b/include/hardware/bt_hh.h
+@@ -154,7 +154,7 @@ typedef struct {
+   bt_status_t (*connect)(RawAddress* bd_addr);
+ 
+   /** dis-connect from hid device */
+-  bt_status_t (*disconnect)(RawAddress* bd_addr);
+  bt_status_t (*disconnect)(RawAddress* bd_addr, bool reconnect_allowed);
+ 
+   /** Virtual UnPlug (VUP) the specified HID device */
+   bt_status_t (*virtual_unplug)(RawAddress* bd_addr);
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@ -97,7 +97,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2022-01-05/2024-09-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-09 #XXX
+sed -i 's/2022-01-05/2024-10-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-10 #XXX
 fi;

 if enterAndClear "build/soong"; then
@ -339,6 +339,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/397595.patch"; #P_asb_2024-07 F
 applyPatch "$DOS_PATCHES/android_frameworks_base/399769.patch"; #P_asb_2024-08 Restrict USB poups while setup is in progress
 applyPatch "$DOS_PATCHES/android_frameworks_base/399770.patch"; #P_asb_2024-08 Hide SAW subwindows
 applyPatch "$DOS_PATCHES/android_frameworks_base/403538.patch"; #P_asb_2024-09 Sanitized uri scheme by removing scheme delimiter
+applyPatch "$DOS_PATCHES/android_frameworks_base/405829.patch"; #P_asb_2024-10 Update AccountManagerService checkKeyIntent.
+applyPatch "$DOS_PATCHES/android_frameworks_base/405830.patch"; #P_asb_2024-10 Fail parseUri if end is missing
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@ -452,6 +454,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8
 fi;

 if enterAndClear "libcore"; then
+applyPatch "$DOS_PATCHES/android_libcore/405831.patch"; #P_asb_2024-10 Do not accept zip files with invalid headers.
 applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_libcore/0002-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
@ -467,6 +470,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332759.patch"; #P_asb_2
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345907.patch"; #P_asb_2022-12 Fix URI check in BluetoothOppUtility.java
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/349332.patch"; #P_asb_2023-02 Fix OPP comparison
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/377774.patch"; #P_asb_2023-12 Fix UAF in ~CallbackEnv
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/405835.patch"; #P_asb_2024-10 Disallow unexpected incoming HID connections 2/2
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS)
 fi;

@ -544,6 +548,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/370700.patch"; #P_asb_20
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403539.patch"; #P_asb_2024-09 Limit wifi item edit content's max length to 500
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403540.patch"; #P_asb_2024-09 Replace getCallingActivity() with getLaunchedFromPackage()
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403541.patch"; #P_asb_2024-09 Ignore fragment attr from ext authenticator resource
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/405832.patch"; #P_asb_2024-10 FRP bypass defense in App battery usage page
 git revert --no-edit c240992b4c86c7f226290807a2f41f2619e7e5e8; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch) #TODO: Needs work
@ -677,6 +682,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/385677.patch"; #P_asb_2024-03 Reland:
 applyPatch "$DOS_PATCHES/android_system_bt/385678.patch"; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
 applyPatch "$DOS_PATCHES/android_system_bt/397596.patch"; #P_asb_2024-07 Fix an authentication bypass bug in SMP
 applyPatch "$DOS_PATCHES/android_system_bt/399772.patch"; #P_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc
+applyPatch "$DOS_PATCHES/android_system_bt/405833.patch"; #P_asb_2024-10 Add btif/include/btif_hh::btif_hh_status_text
+applyPatch "$DOS_PATCHES/android_system_bt/405834.patch"; #P_asb_2024-10 Disallow unexpected incoming HID connections 1/2
 #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 fi;