diff --git a/Patches/LineageOS-16.0/android_frameworks_base/405829.patch b/Patches/LineageOS-16.0/android_frameworks_base/405829.patch new file mode 100644 index 00000000..aa0b6ca6 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/405829.patch @@ -0,0 +1,32 @@ +From a2fea355e79d8057e5910f52ef067642b1d46189 Mon Sep 17 00:00:00 2001 +From: Dmitry Dementyev +Date: Thu, 11 Jul 2024 12:39:22 -0700 +Subject: [PATCH] Update AccountManagerService checkKeyIntent. + +Block intents with "content" data scheme. + +Bug: 349780950 +Test: manual +Flag: EXEMPT bugfix +(cherry picked from commit c1e79495a49bd4d3e380136fe4bca7ac1a9ed763) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59b2cc4447fbbdea58840f5b9d885d83241ac5f5) +Merged-In: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c +Change-Id: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c +--- + .../com/android/server/accounts/AccountManagerService.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index 19e1a4c55120a..c5fff3652c283 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -4799,6 +4799,9 @@ protected boolean checkKeyIntent(int authUid, Bundle bundle) { + if (resolveInfo == null) { + return false; + } ++ if ("content".equals(intent.getScheme())) { ++ return false; ++ } + ActivityInfo targetActivityInfo = resolveInfo.activityInfo; + int targetUid = targetActivityInfo.applicationInfo.uid; + PackageManagerInternal pmi = LocalServices.getService(PackageManagerInternal.class); diff --git a/Patches/LineageOS-16.0/android_frameworks_base/405830.patch b/Patches/LineageOS-16.0/android_frameworks_base/405830.patch new file mode 100644 index 00000000..942a928c --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/405830.patch @@ -0,0 +1,30 @@ +From 036b28bd48fae9e16d8b1b2a8bb629f4221e41c2 Mon Sep 17 00:00:00 2001 +From: William Loh +Date: Mon, 3 Jun 2024 12:56:47 -0700 +Subject: [PATCH] Fail parseUri if end is missing + +Bug: 318683126 +Test: atest IntentTest +Flag: EXEMPT bugfix +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b85bee508793e31d6fe37fc9cd4e8fa3787113cc) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d754ed6dd1fd321746f5ec4742831ffd97a9967) +Merged-In: I5f619ced684ff505ce2b7408cd35dd3e9be89dea +Change-Id: I5f619ced684ff505ce2b7408cd35dd3e9be89dea +--- + core/java/android/content/Intent.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java +index 66c2658f9f132..dbed1b1a8fd31 100644 +--- a/core/java/android/content/Intent.java ++++ b/core/java/android/content/Intent.java +@@ -6277,6 +6277,9 @@ public static Intent parseUri(String uri, @UriFlags int flags) throws URISyntaxE + int eq = uri.indexOf('=', i); + if (eq < 0) eq = i-1; + int semi = uri.indexOf(';', i); ++ if (semi < 0) { ++ throw new URISyntaxException(uri, "uri end not found"); ++ } + String value = eq < semi ? Uri.decode(uri.substring(eq + 1, semi)) : ""; + + // action diff --git a/Patches/LineageOS-16.0/android_libcore/405831.patch b/Patches/LineageOS-16.0/android_libcore/405831.patch new file mode 100644 index 00000000..cb729c45 --- /dev/null +++ b/Patches/LineageOS-16.0/android_libcore/405831.patch @@ -0,0 +1,53 @@ +From b7877b7a39d68acb35c40d1df1b588f067cca800 Mon Sep 17 00:00:00 2001 +From: Almaz Mingaleev +Date: Wed, 10 Jul 2024 13:38:35 +0100 +Subject: [PATCH] Do not accept zip files with invalid headers. + +According to Section 4.3.6 in [1] non-empty zip file starts with +local file header. 4.3.1 allows empty files, and in such case +file starts with "end of central directory record". + +This aligns ZipFile with libziparchive modulo empty zip files - +libziparchive rejects them. + +Tests are skipped because sc-dev branch uses ART module +prebuilts, but builds tests from sources which leads to presubmit +failures. + +Ignore-AOSP-First: b/309938635#comment1 + +[1] https://pkwaredownloads.blob.core.windows.net/pem/APPNOTE.txt + +Bug: 309938635 +Test: CtsLibcoreTestCases +Test: CtsLibcoreOjTestCases +(cherry picked from commit 288a44a1817707110cdf5a3a6ef8377c6e10cce2) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:43e428a99aa89a9dfbe93000171721ecbfc31b88) +Merged-In: I545cdd49ec3cc138331145f4716c8148662a478b +Change-Id: I545cdd49ec3cc138331145f4716c8148662a478b +--- + ojluni/src/main/native/zip_util.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/ojluni/src/main/native/zip_util.c b/ojluni/src/main/native/zip_util.c +index e2503e84c2e..1f38b1783f1 100644 +--- a/ojluni/src/main/native/zip_util.c ++++ b/ojluni/src/main/native/zip_util.c +@@ -876,6 +876,17 @@ ZIP_Put_In_Cache0(const char *name, ZFILE zfd, char **pmsg, jlong lastModified, + zip->locsig = JNI_TRUE; + else + zip->locsig = JNI_FALSE; ++ ++ // BEGIN Android-changed: do not accept files with invalid header. ++ if (GETSIG(errbuf) != LOCSIG && GETSIG(errbuf) != ENDSIG) { ++ if (pmsg) { ++ *pmsg = strdup("Entry at offset zero has invalid LFH signature."); ++ } ++ ZFILE_Close(zfd); ++ freeZip(zip); ++ return NULL; ++ } ++ // END Android-changed: do not accept files with invalid header. + } + + // This lseek is safe because it happens during construction of the ZipFile diff --git a/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/405835.patch b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/405835.patch new file mode 100644 index 00000000..281df31e --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Bluetooth/405835.patch @@ -0,0 +1,95 @@ +From 6d050ad48cfcf668435f391733d28752061e62db Mon Sep 17 00:00:00 2001 +From: Himanshu Rawat +Date: Mon, 8 Apr 2024 19:44:45 +0000 +Subject: [PATCH] [BACKPORT] Disallow unexpected incoming HID connections 2/2 + +HID profile accepted any new incoming HID connection. Even when the +connection policy disabled HID connection, remote devices could initiate +HID connection. +This change ensures that incoming HID connection are accepted only if +application was interested in that HID connection. +This vulnerarbility no longer exists on the main because of feature +request b/324093729. + +Test: Manual | Pair and connect a HID device, disable HID connection +from Bluetooth device setting, attempt to connect from the HID device. +Bug: 308429049 +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fc87e65eb3d70f051e2902d3e81ce6587ab1a96) +Merged-In: I1d7e886b1045d026f96c8274aca86dc499f87777 +Change-Id: I1d7e886b1045d026f96c8274aca86dc499f87777 +--- + jni/com_android_bluetooth_hid_host.cpp | 8 +++++--- + src/com/android/bluetooth/hid/HidHostService.java | 12 +++++++++--- + 2 files changed, 14 insertions(+), 6 deletions(-) + +diff --git a/jni/com_android_bluetooth_hid_host.cpp b/jni/com_android_bluetooth_hid_host.cpp +index 7838ff6ce..60fffc2f3 100644 +--- a/jni/com_android_bluetooth_hid_host.cpp ++++ b/jni/com_android_bluetooth_hid_host.cpp +@@ -276,7 +276,8 @@ static jboolean connectHidNative(JNIEnv* env, jobject object, + } + + static jboolean disconnectHidNative(JNIEnv* env, jobject object, +- jbyteArray address) { ++ jbyteArray address, ++ jboolean reconnect_allowed) { + jbyte* addr; + jboolean ret = JNI_TRUE; + if (!sBluetoothHidInterface) return JNI_FALSE; +@@ -287,7 +288,8 @@ static jboolean disconnectHidNative(JNIEnv* env, jobject object, + return JNI_FALSE; + } + +- bt_status_t status = sBluetoothHidInterface->disconnect((RawAddress*)addr); ++ bt_status_t status = ++ sBluetoothHidInterface->disconnect((RawAddress*)addr, reconnect_allowed); + if (status != BT_STATUS_SUCCESS) { + ALOGE("Failed disconnect hid channel, status: %d", status); + ret = JNI_FALSE; +@@ -503,7 +505,7 @@ static JNINativeMethod sMethods[] = { + {"initializeNative", "()V", (void*)initializeNative}, + {"cleanupNative", "()V", (void*)cleanupNative}, + {"connectHidNative", "([B)Z", (void*)connectHidNative}, +- {"disconnectHidNative", "([B)Z", (void*)disconnectHidNative}, ++ {"disconnectHidNative", "([BZ)Z", (void*)disconnectHidNative}, + {"getProtocolModeNative", "([B)Z", (void*)getProtocolModeNative}, + {"virtualUnPlugNative", "([B)Z", (void*)virtualUnPlugNative}, + {"setProtocolModeNative", "([BB)Z", (void*)setProtocolModeNative}, +diff --git a/src/com/android/bluetooth/hid/HidHostService.java b/src/com/android/bluetooth/hid/HidHostService.java +index 63f52060b..1113760f2 100644 +--- a/src/com/android/bluetooth/hid/HidHostService.java ++++ b/src/com/android/bluetooth/hid/HidHostService.java +@@ -157,7 +157,10 @@ public void handleMessage(Message msg) { + break; + case MESSAGE_DISCONNECT: { + BluetoothDevice device = (BluetoothDevice) msg.obj; +- if (!disconnectHidNative(Utils.getByteAddress(device))) { ++ int connectionPolicy = getPriority(device); ++ boolean reconnectAllowed = ++ connectionPolicy == BluetoothProfile.PRIORITY_ON; ++ if (!disconnectHidNative(Utils.getByteAddress(device), reconnectAllowed)) { + broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTING); + broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTED); + break; +@@ -181,7 +184,10 @@ public void handleMessage(Message msg) { + if (DBG) { + Log.d(TAG, "Incoming HID connection rejected"); + } +- disconnectHidNative(Utils.getByteAddress(device)); ++ int connectionPolicy = getPriority(device); ++ boolean reconnectAllowed = ++ connectionPolicy == BluetoothProfile.PRIORITY_ON; ++ disconnectHidNative(Utils.getByteAddress(device), reconnectAllowed); + } else { + broadcastConnectionState(device, convertHalState(halState)); + } +@@ -873,7 +879,7 @@ public void dump(StringBuilder sb) { + + private native boolean connectHidNative(byte[] btAddress); + +- private native boolean disconnectHidNative(byte[] btAddress); ++ private native boolean disconnectHidNative(byte[] btAddress, boolean reconnectAllowed); + + private native boolean getProtocolModeNative(byte[] btAddress); + diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/405832.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/405832.patch new file mode 100644 index 00000000..d0c8a72d --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/405832.patch @@ -0,0 +1,51 @@ +From 9e4a67d2ae95b69f88b0bdf15ace52870ae93d5e Mon Sep 17 00:00:00 2001 +From: Yiling Chuang +Date: Mon, 8 Jul 2024 03:09:50 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE FRP bypass defense in App battery usage + page + +Before the setup flow completion, don't allow the app info page in App battery usage to be launched. + +Bug: 327748846 +Test: atest SettingsRoboTests + manual test +- factory reset + launch app battery usage app info via ADB during Setup -> verify app closes +Flag : EXEMPT bugfix + +(cherry picked from commit 419a6a907902a12a0f565c808fa70092004d6686) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b0014ed6e69b0abc48a5c18b740f95bc5dc429) +Merged-In: I486820ca2afecc02729a56a3c531fb931c1907d0 +Change-Id: I486820ca2afecc02729a56a3c531fb931c1907d0 +--- + .../android/settings/fuelgauge/AdvancedPowerUsageDetail.java | 5 +++++ + .../settings/fuelgauge/AdvancedPowerUsageDetailTest.java | 3 +++ + 2 files changed, 8 insertions(+) + +diff --git a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java +index 683395e773c..d2a34c64886 100644 +--- a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java ++++ b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java +@@ -234,6 +234,11 @@ public void onResume() { + initPreference(); + } + ++ @Override ++ protected boolean shouldSkipForInitialSUW() { ++ return true; ++ } ++ + @VisibleForTesting + void initAnomalyInfo() { + mAnomalies = getArguments().getParcelableArrayList(EXTRA_ANOMALY_LIST); +diff --git a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java +index 0be63899785..2de4786763d 100644 +--- a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java ++++ b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java +@@ -434,5 +434,8 @@ public void testInitAnomalyInfo_anomalyExisted_updateAnomaly() { + mFragment.initAnomalyInfo(); + + verify(mAnomalySummaryPreferenceController).updateAnomalySummaryPreference(mAnomalies); ++ ++ public void shouldSkipForInitialSUW_returnTrue() { ++ assertThat(mFragment.shouldSkipForInitialSUW()).isTrue(); + } + } diff --git a/Patches/LineageOS-16.0/android_system_bt/405833.patch b/Patches/LineageOS-16.0/android_system_bt/405833.patch new file mode 100644 index 00000000..d5ef3ad3 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/405833.patch @@ -0,0 +1,56 @@ +From cae2930774ada0de113a04086e2d10009e6774e3 Mon Sep 17 00:00:00 2001 +From: Chris Manton +Date: Sun, 14 Mar 2021 09:52:19 -0700 +Subject: [PATCH] Add btif/include/btif_hh::btif_hh_status_text + +Toward loggable code + +Bug: 163134718 +Test: gd/cert/run +Tag: #refactor +BYPASS_LONG_LINES_REASON: Bluetooth likes 120 lines + +Change-Id: Iab6a4f33a3e498c33f4870abc5abd59e073d03f2 +--- + btif/include/btif_hh.h | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/btif/include/btif_hh.h b/btif/include/btif_hh.h +index 2364544824e..5c1ad45108b 100644 +--- a/btif/include/btif_hh.h ++++ b/btif/include/btif_hh.h +@@ -45,7 +45,7 @@ + * Type definitions and return values + ******************************************************************************/ + +-typedef enum { ++typedef enum : unsigned { + BTIF_HH_DISABLED = 0, + BTIF_HH_ENABLED, + BTIF_HH_DISABLING, +@@ -55,6 +55,25 @@ typedef enum { + BTIF_HH_DEV_DISCONNECTED + } BTIF_HH_STATUS; + ++#define CASE_RETURN_TEXT(code) \ ++ case code: \ ++ return #code ++ ++inline std::string btif_hh_status_text(const BTIF_HH_STATUS& status) { ++ switch (status) { ++ CASE_RETURN_TEXT(BTIF_HH_DISABLED); ++ CASE_RETURN_TEXT(BTIF_HH_ENABLED); ++ CASE_RETURN_TEXT(BTIF_HH_DISABLING); ++ CASE_RETURN_TEXT(BTIF_HH_DEV_UNKNOWN); ++ CASE_RETURN_TEXT(BTIF_HH_DEV_CONNECTING); ++ CASE_RETURN_TEXT(BTIF_HH_DEV_CONNECTED); ++ CASE_RETURN_TEXT(BTIF_HH_DEV_DISCONNECTED); ++ default: ++ return std::string("UNKNOWN[%hhu]", status); ++ } ++} ++#undef CASE_RETURN_TEXT ++ + typedef struct { + bthh_connection_state_t dev_status; + uint8_t dev_handle; diff --git a/Patches/LineageOS-16.0/android_system_bt/405834.patch b/Patches/LineageOS-16.0/android_system_bt/405834.patch new file mode 100644 index 00000000..ed33a8a8 --- /dev/null +++ b/Patches/LineageOS-16.0/android_system_bt/405834.patch @@ -0,0 +1,361 @@ +From d2c71969119d6c4bee9c9da387af449827448d03 Mon Sep 17 00:00:00 2001 +From: Himanshu Rawat +Date: Mon, 8 Apr 2024 19:42:21 +0000 +Subject: [PATCH] [BACKPORT] Disallow unexpected incoming HID connections 1/2 + +HID profile accepted any new incoming HID connection. Even when the +connection policy disabled HID connection, remote devices could initiate +HID connection. +This change ensures that incoming HID connection are accepted only if +application was interested in that HID connection. +This vulnerarbility no longer exists on the main because of feature +request b/324093729. + +Test: Manual | Pair and connect a HID device, disable HID connection +from Bluetooth device setting, attempt to connect from the HID device. +Bug: 308429049 +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:18c635ad7923f5c26d6cd4cf7f7c66b2fa02462b) +Merged-In: I6e9db983e752dd498625078c13b736cd4c668806 +Change-Id: I6e9db983e752dd498625078c13b736cd4c668806 +--- + btif/include/btif_hh.h | 4 +- + btif/include/btif_storage.h | 23 ++++++++++ + btif/src/btif_hh.cc | 86 ++++++++++++++++++++++++++++++++++--- + btif/src/btif_storage.cc | 53 ++++++++++++++++++++++- + include/hardware/bt_hh.h | 2 +- + 5 files changed, 160 insertions(+), 8 deletions(-) + +diff --git a/btif/include/btif_hh.h b/btif/include/btif_hh.h +index 5c1ad45108b..8c9ead46283 100644 +--- a/btif/include/btif_hh.h ++++ b/btif/include/btif_hh.h +@@ -94,6 +94,7 @@ typedef struct { + uint8_t dev_handle; + RawAddress bd_addr; + tBTA_HH_ATTR_MASK attr_mask; ++ bool reconnect_allowed; + } btif_hh_added_device_t; + + /** +@@ -119,7 +120,8 @@ extern btif_hh_cb_t btif_hh_cb; + extern btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle); + extern void btif_hh_remove_device(RawAddress bd_addr); + extern bool btif_hh_add_added_dev(const RawAddress& bda, +- tBTA_HH_ATTR_MASK attr_mask); ++ tBTA_HH_ATTR_MASK attr_mask, ++ bool reconnect_allowed); + extern bt_status_t btif_hh_virtual_unplug(const RawAddress* bd_addr); + extern void btif_hh_disconnect(RawAddress* bd_addr); + extern void btif_hh_setreport(btif_hh_device_t* p_dev, +diff --git a/btif/include/btif_storage.h b/btif/include/btif_storage.h +index 07d29c81a7e..365f714d2d6 100644 +--- a/btif/include/btif_storage.h ++++ b/btif/include/btif_storage.h +@@ -152,6 +152,29 @@ bt_status_t btif_storage_remove_bonded_device(const RawAddress* remote_bd_addr); + ******************************************************************************/ + bt_status_t btif_storage_load_bonded_devices(void); + ++/******************************************************************************* ++ * ++ * Function btif_storage_set_hid_connection_policy ++ * ++ * Description Stores connection policy info in nvram ++ * ++ * Returns BT_STATUS_SUCCESS ++ * ++ ******************************************************************************/ ++bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr, ++ bool reconnect_allowed); ++/******************************************************************************* ++ * ++ * Function btif_storage_get_hid_connection_policy ++ * ++ * Description get connection policy info from nvram ++ * ++ * Returns BT_STATUS_SUCCESS ++ * ++ ******************************************************************************/ ++bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr, ++ bool* reconnect_allowed); ++ + /******************************************************************************* + * + * Function btif_storage_add_hid_device_info +diff --git a/btif/src/btif_hh.cc b/btif/src/btif_hh.cc +index b6441e1cce0..ea6559d34f2 100644 +--- a/btif/src/btif_hh.cc ++++ b/btif/src/btif_hh.cc +@@ -338,6 +338,24 @@ btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle) { + return NULL; + } + ++/******************************************************************************* ++ * ++ * Function btif_hh_find_added_dev ++ * ++ * Description Return the added device pointer of the specified address ++ * ++ * Returns Added device entry ++ ******************************************************************************/ ++btif_hh_added_device_t* btif_hh_find_added_dev(const RawAddress& addr) { ++ for (int i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) { ++ btif_hh_added_device_t* added_dev = &btif_hh_cb.added_devices[i]; ++ if (added_dev->bd_addr == addr) { ++ return added_dev; ++ } ++ } ++ return nullptr; ++} ++ + /******************************************************************************* + * + * Function btif_hh_find_dev_by_bda +@@ -423,7 +441,8 @@ void btif_hh_start_vup_timer(const RawAddress* bd_addr) { + * + * Returns true if add successfully, otherwise false. + ******************************************************************************/ +-bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) { ++bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask, ++ bool reconnect_allowed) { + int i; + for (i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) { + if (btif_hh_cb.added_devices[i].bd_addr == bda) { +@@ -437,6 +456,7 @@ bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) { + btif_hh_cb.added_devices[i].bd_addr = bda; + btif_hh_cb.added_devices[i].dev_handle = BTA_HH_INVALID_HANDLE; + btif_hh_cb.added_devices[i].attr_mask = attr_mask; ++ btif_hh_cb.added_devices[i].reconnect_allowed = reconnect_allowed; + return true; + } + } +@@ -692,6 +712,23 @@ void btif_hh_service_registration(bool enable) { + * + ****************************************************************************/ + ++static bool btif_hh_connection_allowed(const RawAddress& bda) { ++ /* Accept connection only if reconnection is allowed for the known device, or ++ * outgoing connection was requested */ ++ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(bda); ++ if (added_dev != nullptr && added_dev->reconnect_allowed) { ++ LOG_VERBOSE(LOG_TAG, "Connection allowed %s", bda.ToString().c_str()); ++ return true; ++ } else if (btif_hh_cb.pending_conn_address == bda) { ++ LOG_VERBOSE(LOG_TAG, "Device connection was pending for: %s, status: %s", ++ bda.ToString().c_str(), ++ btif_hh_status_text(btif_hh_cb.status).c_str()); ++ return true; ++ } ++ ++ return false; ++} ++ + /******************************************************************************* + * + * Function btif_hh_upstreams_evt +@@ -750,9 +787,26 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + p_data->status); + break; + +- case BTA_HH_OPEN_EVT: ++ case BTA_HH_OPEN_EVT: { + BTIF_TRACE_WARNING("%s: BTA_HH_OPN_EVT: handle=%d, status =%d", __func__, + p_data->conn.handle, p_data->conn.status); ++ ++ if (!btif_hh_connection_allowed(p_data->conn.bda)) { ++ LOG_WARN(LOG_TAG, "Reject Incoming HID Connection, device: %s", ++ p_data->conn.bda.ToString().c_str()); ++ btif_hh_device_t* p_dev = ++ btif_hh_find_connected_dev_by_handle(p_data->conn.handle); ++ if (p_dev != nullptr) { ++ p_dev->dev_status = BTHH_CONN_STATE_DISCONNECTED; ++ } ++ ++ btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED; ++ BTA_HhClose(p_data->conn.handle); ++ HAL_CBACK(bt_hh_callbacks, connection_state_cb, &p_data->conn.bda, ++ BTHH_CONN_STATE_DISCONNECTED); ++ return; ++ } ++ + btif_hh_cb.pending_conn_address = RawAddress::kEmpty; + if (p_data->conn.status == BTA_HH_OK) { + p_dev = btif_hh_find_connected_dev_by_handle(p_data->conn.handle); +@@ -811,6 +865,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED; + } + break; ++ } + + case BTA_HH_CLOSE_EVT: + BTIF_TRACE_DEBUG("BTA_HH_CLOSE_EVT: status = %d, handle = %d", +@@ -963,7 +1018,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + p_data->dscp_info.version, + p_data->dscp_info.ctry_code, len, + p_data->dscp_info.descriptor.dsc_list); +- if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask)) { ++ if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask, true)) { + tBTA_HH_DEV_DSCP_INFO dscp_info; + bt_status_t ret; + btif_hh_copy_hid_info(&dscp_info, &p_data->dscp_info); +@@ -979,6 +1034,8 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + p_data->dscp_info.ssr_min_tout, len, + p_data->dscp_info.descriptor.dsc_list); + ++ btif_storage_set_hid_connection_policy(p_dev->bd_addr, true); ++ + ASSERTC(ret == BT_STATUS_SUCCESS, "storing hid info failed", ret); + BTIF_TRACE_WARNING("BTA_HH_GET_DSCP_EVT: Called add device"); + +@@ -1260,6 +1317,13 @@ static bt_status_t init(bthh_callbacks_t* callbacks) { + ******************************************************************************/ + static bt_status_t connect(RawAddress* bd_addr) { + if (btif_hh_cb.status != BTIF_HH_DEV_CONNECTING) { ++ /* If the device was already added, ensure that reconnections are allowed */ ++ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr); ++ if (added_dev != nullptr && !added_dev->reconnect_allowed) { ++ added_dev->reconnect_allowed = true; ++ btif_storage_set_hid_connection_policy(*bd_addr, true); ++ } ++ + btif_transfer_context(btif_hh_handle_evt, BTIF_HH_CONNECT_REQ_EVT, + (char*)bd_addr, sizeof(RawAddress), NULL); + return BT_STATUS_SUCCESS; +@@ -1276,7 +1340,7 @@ static bt_status_t connect(RawAddress* bd_addr) { + * Returns bt_status_t + * + ******************************************************************************/ +-static bt_status_t disconnect(RawAddress* bd_addr) { ++static bt_status_t disconnect(RawAddress* bd_addr, bool reconnect_allowed) { + CHECK_BTHH_INIT(); + BTIF_TRACE_EVENT("BTHH: %s", __func__); + btif_hh_device_t* p_dev; +@@ -1286,6 +1350,17 @@ static bt_status_t disconnect(RawAddress* bd_addr) { + btif_hh_cb.status); + return BT_STATUS_FAIL; + } ++ ++ if (!reconnect_allowed) { ++ LOG_INFO(LOG_TAG, "Incoming reconnections disabled for device %s", ++ bd_addr->ToString().c_str()); ++ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr); ++ if (added_dev != nullptr && added_dev->reconnect_allowed) { ++ added_dev->reconnect_allowed = false; ++ btif_storage_set_hid_connection_policy(added_dev->bd_addr, false); ++ } ++ } ++ + p_dev = btif_hh_find_connected_dev_by_bda(*bd_addr); + if (p_dev != NULL) { + return btif_transfer_context(btif_hh_handle_evt, BTIF_HH_DISCONNECT_REQ_EVT, +@@ -1417,9 +1492,10 @@ static bt_status_t set_info(RawAddress* bd_addr, bthh_hid_info_t hid_info) { + (uint8_t*)osi_malloc(dscp_info.descriptor.dl_len); + memcpy(dscp_info.descriptor.dsc_list, &(hid_info.dsc_list), hid_info.dl_len); + +- if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask)) { ++ if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask, true)) { + BTA_HhAddDev(*bd_addr, hid_info.attr_mask, hid_info.sub_class, + hid_info.app_id, dscp_info); ++ btif_storage_set_hid_connection_policy(*bd_addr, true); + } + + osi_free_and_reset((void**)&dscp_info.descriptor.dsc_list); +diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc +index ef2e191ebce..f768845dddf 100644 +--- a/btif/src/btif_storage.cc ++++ b/btif/src/btif_storage.cc +@@ -85,6 +85,8 @@ using bluetooth::Uuid; + #define BTIF_STORAGE_KEY_ADAPTER_SCANMODE "ScanMode" + #define BTIF_STORAGE_KEY_ADAPTER_DISC_TIMEOUT "DiscoveryTimeout" + ++#define BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED "HidReConnectAllowed" ++ + /* This is a local property to add a device found */ + #define BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP 0xFF + +@@ -1260,6 +1262,50 @@ bt_status_t btif_storage_get_remote_addr_type(const RawAddress* remote_bd_addr, + btif_config_get_int(remote_bd_addr->ToString(), "AddrType", addr_type); + return ret ? BT_STATUS_SUCCESS : BT_STATUS_FAIL; + } ++ ++/******************************************************************************* ++ * ++ * Function btif_storage_set_hid_connection_policy ++ * ++ * Description Stores connection policy info in nvram ++ * ++ * Returns BT_STATUS_SUCCESS ++ * ++ ******************************************************************************/ ++bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr, ++ bool reconnect_allowed) { ++ std::string bdstr = addr.ToString(); ++ ++ if (btif_config_set_int(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED, ++ reconnect_allowed)) { ++ return BT_STATUS_SUCCESS; ++ } else { ++ return BT_STATUS_FAIL; ++ } ++} ++ ++/******************************************************************************* ++ * ++ * Function btif_storage_get_hid_connection_policy ++ * ++ * Description get connection policy info from nvram ++ * ++ * Returns BT_STATUS_SUCCESS ++ * ++ ******************************************************************************/ ++bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr, ++ bool* reconnect_allowed) { ++ std::string bdstr = addr.ToString(); ++ ++ // For backward compatibility, assume that the reconnection is allowed in the ++ // absence of the key ++ int value = 1; ++ btif_config_get_int(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED, &value); ++ *reconnect_allowed = (value != 0); ++ ++ return BT_STATUS_SUCCESS; ++} ++ + /******************************************************************************* + * + * Function btif_storage_add_hid_device_info +@@ -1362,8 +1408,12 @@ bt_status_t btif_storage_load_bonded_hid_info(void) { + + RawAddress bd_addr; + RawAddress::FromString(name, bd_addr); ++ ++ bool reconnect_allowed = false; ++ btif_storage_get_hid_connection_policy(bd_addr, &reconnect_allowed); ++ + // add extracted information to BTA HH +- if (btif_hh_add_added_dev(bd_addr, attr_mask)) { ++ if (btif_hh_add_added_dev(bd_addr, attr_mask, reconnect_allowed)) { + BTA_HhAddDev(bd_addr, attr_mask, sub_class, app_id, dscp_info); + } + } +@@ -1395,6 +1445,7 @@ bt_status_t btif_storage_remove_hid_info(RawAddress* remote_bd_addr) { + btif_config_remove(bdstr, "HidSSRMaxLatency"); + btif_config_remove(bdstr, "HidSSRMinTimeout"); + btif_config_remove(bdstr, "HidDescriptor"); ++ btif_config_remove(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED); + btif_config_save(); + return BT_STATUS_SUCCESS; + } +diff --git a/include/hardware/bt_hh.h b/include/hardware/bt_hh.h +index b87b129bb12..923c6279216 100644 +--- a/include/hardware/bt_hh.h ++++ b/include/hardware/bt_hh.h +@@ -154,7 +154,7 @@ typedef struct { + bt_status_t (*connect)(RawAddress* bd_addr); + + /** dis-connect from hid device */ +- bt_status_t (*disconnect)(RawAddress* bd_addr); ++ bt_status_t (*disconnect)(RawAddress* bd_addr, bool reconnect_allowed); + + /** Virtual UnPlug (VUP) the specified HID device */ + bt_status_t (*virtual_unplug)(RawAddress* bd_addr); diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh index bbffb4a6..40231ef5 100644 --- a/Scripts/LineageOS-16.0/Patch.sh +++ b/Scripts/LineageOS-16.0/Patch.sh @@ -97,7 +97,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) awk -i inplace '!/Email/' target/product/core.mk; #Remove Email -sed -i 's/2022-01-05/2024-09-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-09 #XXX +sed -i 's/2022-01-05/2024-10-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-10 #XXX fi; if enterAndClear "build/soong"; then @@ -339,6 +339,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/397595.patch"; #P_asb_2024-07 F applyPatch "$DOS_PATCHES/android_frameworks_base/399769.patch"; #P_asb_2024-08 Restrict USB poups while setup is in progress applyPatch "$DOS_PATCHES/android_frameworks_base/399770.patch"; #P_asb_2024-08 Hide SAW subwindows applyPatch "$DOS_PATCHES/android_frameworks_base/403538.patch"; #P_asb_2024-09 Sanitized uri scheme by removing scheme delimiter +applyPatch "$DOS_PATCHES/android_frameworks_base/405829.patch"; #P_asb_2024-10 Update AccountManagerService checkKeyIntent. +applyPatch "$DOS_PATCHES/android_frameworks_base/405830.patch"; #P_asb_2024-10 Fail parseUri if end is missing applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS) @@ -452,6 +454,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_hardware_qcom_display/CVE-2019-2306-msm8 fi; if enterAndClear "libcore"; then +applyPatch "$DOS_PATCHES/android_libcore/405831.patch"; #P_asb_2024-10 Do not accept zip files with invalid headers. applyPatch "$DOS_PATCHES/android_libcore/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) applyPatch "$DOS_PATCHES/android_libcore/0002-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS) fi; @@ -467,6 +470,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332759.patch"; #P_asb_2 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345907.patch"; #P_asb_2022-12 Fix URI check in BluetoothOppUtility.java applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/349332.patch"; #P_asb_2023-02 Fix OPP comparison applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/377774.patch"; #P_asb_2023-12 Fix UAF in ~CallbackEnv +applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/405835.patch"; #P_asb_2024-10 Disallow unexpected incoming HID connections 2/2 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS) fi; @@ -544,6 +548,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/370700.patch"; #P_asb_20 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403539.patch"; #P_asb_2024-09 Limit wifi item edit content's max length to 500 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403540.patch"; #P_asb_2024-09 Replace getCallingActivity() with getLaunchedFromPackage() applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403541.patch"; #P_asb_2024-09 Ignore fragment attr from ext authenticator resource +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/405832.patch"; #P_asb_2024-10 FRP bypass defense in App battery usage page git revert --no-edit c240992b4c86c7f226290807a2f41f2619e7e5e8; #Don't hide OEM unlock applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch) #TODO: Needs work @@ -677,6 +682,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/385677.patch"; #P_asb_2024-03 Reland: applyPatch "$DOS_PATCHES/android_system_bt/385678.patch"; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond applyPatch "$DOS_PATCHES/android_system_bt/397596.patch"; #P_asb_2024-07 Fix an authentication bypass bug in SMP applyPatch "$DOS_PATCHES/android_system_bt/399772.patch"; #P_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc +applyPatch "$DOS_PATCHES/android_system_bt/405833.patch"; #P_asb_2024-10 Add btif/include/btif_hh::btif_hh_status_text +applyPatch "$DOS_PATCHES/android_system_bt/405834.patch"; #P_asb_2024-10 Disallow unexpected incoming HID connections 1/2 #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS) fi;