diff --git a/Patches/LineageOS-17.1/android_frameworks_av/385529.patch b/Patches/LineageOS-17.1/android_frameworks_av/385529.patch deleted file mode 100644 index 97dcec3c..00000000 --- a/Patches/LineageOS-17.1/android_frameworks_av/385529.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Haripriya Deshmukh -Date: Tue, 19 Sep 2023 20:42:45 +0000 -Subject: [PATCH] Validate OMX Params for VPx encoders - -Bug: 273936274 -Bug: 273937171 -Bug: 273937136 -Bug: 273936553 -Bug: 273936601 -Test: POC in bug descriptions -(cherry picked from https://partner-android-review.googlesource.com/q/commit:022086b76536cd2e19a44053271190bdf6e181f7) -(cherry picked from commit 0e4ca1cb5c16af8f1dfb0ae41941c16c104d38e8) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90641b2799fd3940cdf0bf8a73b2f76839e651a6) -Merged-In: I9bb17112d9f0217b6af0343afecc9c943453b757 -Change-Id: I9bb17112d9f0217b6af0343afecc9c943453b757 ---- - media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp | 10 ++++++++++ - media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp | 10 ++++++++++ - media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp | 9 +++++++++ - 3 files changed, 29 insertions(+) - -diff --git a/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp -index 04737a9ccf..9198b7c327 100644 ---- a/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp -+++ b/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp -@@ -120,6 +120,11 @@ OMX_ERRORTYPE SoftVP8Encoder::internalSetParameter(OMX_INDEXTYPE index, - - OMX_ERRORTYPE SoftVP8Encoder::internalGetVp8Params( - OMX_VIDEO_PARAM_VP8TYPE* vp8Params) { -+ if (!isValidOMXParam(vp8Params)) { -+ android_errorWriteLog(0x534e4554, "273936274"); -+ return OMX_ErrorBadParameter; -+ } -+ - if (vp8Params->nPortIndex != kOutputPortIndex) { - return OMX_ErrorUnsupportedIndex; - } -@@ -133,6 +138,11 @@ OMX_ERRORTYPE SoftVP8Encoder::internalGetVp8Params( - - OMX_ERRORTYPE SoftVP8Encoder::internalSetVp8Params( - const OMX_VIDEO_PARAM_VP8TYPE* vp8Params) { -+ if (!isValidOMXParam(vp8Params)) { -+ android_errorWriteLog(0x534e4554, "273937171"); -+ return OMX_ErrorBadParameter; 
-+ } -+ - if (vp8Params->nPortIndex != kOutputPortIndex) { - return OMX_ErrorUnsupportedIndex; - } -diff --git a/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp -index 1ea1c85f76..f8495c2da4 100644 ---- a/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp -+++ b/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp -@@ -119,6 +119,11 @@ OMX_ERRORTYPE SoftVP9Encoder::internalSetParameter( - - OMX_ERRORTYPE SoftVP9Encoder::internalGetVp9Params( - OMX_VIDEO_PARAM_VP9TYPE *vp9Params) { -+ if (!isValidOMXParam(vp9Params)) { -+ android_errorWriteLog(0x534e4554, "273936553"); -+ return OMX_ErrorBadParameter; -+ } -+ - if (vp9Params->nPortIndex != kOutputPortIndex) { - return OMX_ErrorUnsupportedIndex; - } -@@ -133,6 +138,11 @@ OMX_ERRORTYPE SoftVP9Encoder::internalGetVp9Params( - - OMX_ERRORTYPE SoftVP9Encoder::internalSetVp9Params( - const OMX_VIDEO_PARAM_VP9TYPE *vp9Params) { -+ if (!isValidOMXParam(vp9Params)) { -+ android_errorWriteLog(0x534e4554, "273937136"); -+ return OMX_ErrorBadParameter; -+ } -+ - if (vp9Params->nPortIndex != kOutputPortIndex) { - return OMX_ErrorUnsupportedIndex; - } -diff --git a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp -index d0cb0718c2..054413e7c0 100644 ---- a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp -+++ b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp -@@ -485,6 +485,11 @@ OMX_ERRORTYPE SoftVPXEncoder::internalSetBitrateParams( - - OMX_ERRORTYPE SoftVPXEncoder::internalGetAndroidVpxParams( - OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vpxAndroidParams) { -+ if (!isValidOMXParam(vpxAndroidParams)) { -+ android_errorWriteLog(0x534e4554, "273936601"); -+ return OMX_ErrorBadParameter; -+ } -+ - if (vpxAndroidParams->nPortIndex != kOutputPortIndex) { - return OMX_ErrorUnsupportedIndex; - } -@@ -501,6 +506,10 @@ OMX_ERRORTYPE SoftVPXEncoder::internalGetAndroidVpxParams( - - OMX_ERRORTYPE 
SoftVPXEncoder::internalSetAndroidVpxParams( - const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vpxAndroidParams) { -+ if (!isValidOMXParam(vpxAndroidParams)) { -+ android_errorWriteLog(0x534e4554, "273937551"); -+ return OMX_ErrorBadParameter; -+ } - if (vpxAndroidParams->nPortIndex != kOutputPortIndex) { - return OMX_ErrorUnsupportedIndex; - } diff --git a/Patches/LineageOS-17.1/android_frameworks_av/385530.patch b/Patches/LineageOS-17.1/android_frameworks_av/385530.patch deleted file mode 100644 index 44efd35b..00000000 --- a/Patches/LineageOS-17.1/android_frameworks_av/385530.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Harish Mahendrakar -Date: Mon, 30 Oct 2023 20:38:56 +0000 -Subject: [PATCH] SoftVideoDecodeOMXComponent: validate OMX params for dynamic - HDR - -Bug: 273935108 -Bug: 281065553 -(cherry picked from https://partner-android-review.googlesource.com/q/commit:b2c67bdcf57149a5e19a04466205266dc543fd86) -(cherry picked from commit a542f2c50700ca6df93e966fe8d4c468e1a15d9a) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:80e0acc096d201e80a1b65af944b1e47c9dd6f7b) -Merged-In: I707745594a9196d8d85d4c4bb498eba3c6198b42 -Change-Id: I707745594a9196d8d85d4c4bb498eba3c6198b42 ---- - media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp -index e853da9763..418302389d 100644 ---- a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp -+++ b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp -@@ -616,6 +616,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::getConfig( - DescribeHDR10PlusInfoParams* outParams = - (DescribeHDR10PlusInfoParams *)params; - -+ if (!isValidOMXParam(outParams)) { -+ return OMX_ErrorBadParameter; -+ } -+ - outParams->nParamSizeUsed = info->size(); - - // If the buffer provided by the client does not have enough -@@ -694,6 +698,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalSetConfig( - const DescribeHDR10PlusInfoParams* inParams = - (DescribeHDR10PlusInfoParams *)params; - -+ if (!isValidOMXParam(inParams)) { -+ return OMX_ErrorBadParameter; -+ } -+ - if (*frameConfig) { - // This is a request to append to the current frame config set. - // For now, we only support kDescribeHdr10PlusInfoIndex, which 
diff --git a/Patches/LineageOS-17.1/android_frameworks_av/385531.patch b/Patches/LineageOS-17.1/android_frameworks_av/385531.patch deleted file mode 100644 index 8c4d8e7c..00000000 --- a/Patches/LineageOS-17.1/android_frameworks_av/385531.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Haripriya Deshmukh -Date: Tue, 5 Dec 2023 18:32:38 +0000 -Subject: [PATCH] Fix out of bounds read and write in onQueueFilled in outQueue - -Bug: 276442130 -Test: POC in bug descriptions -(cherry picked from https://partner-android-review.googlesource.com/q/commit:7aef41e59412e2f95bab5de7e33f5f04bb808643) -(cherry picked from commit 8f4cfda9fc75f1e9ba3b6dee3fbffda4b6111d64) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:208e430bc6380fafafca8041b239f835263a9d47) -Merged-In: Ic230d10048193a785f185dc6a7de6f455f9318c1 -Change-Id: Ic230d10048193a785f185dc6a7de6f455f9318c1 ---- - media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp -index 60750d9a61..db08030ad1 100644 ---- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp -+++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp -@@ -312,8 +312,11 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) { - outHeader->nFilledLen = frameSize; - - List::iterator it = outQueue.begin(); -- while ((*it)->mHeader != outHeader) { -- ++it; -+ while (it != outQueue.end() && (*it)->mHeader != outHeader) { -+ ++it; -+ } -+ if (it == outQueue.end()) { -+ return; - } - - BufferInfo *outInfo = *it; diff --git a/Patches/LineageOS-17.1/android_frameworks_base/385538.patch b/Patches/LineageOS-17.1/android_frameworks_base/385538.patch deleted file mode 100644 index 44f450f7..00000000 
--- a/Patches/LineageOS-17.1/android_frameworks_base/385538.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Alex Buynytskyy -Date: Wed, 20 Dec 2023 01:50:36 +0000 -Subject: [PATCH] Disallow system apps to be installed/updated as instant. - -Bug: 299441833 -Test: atest android.content.pm.cts.PackageManagerTest -(cherry picked from commit 496e78a1951f2ed69290f03c5625c0f8382f4d31) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0d0f185c0d526c1dac0a8894b2c2f2e378328d73) -Merged-In: Idd89a6dd72f0e68259095f677185f0494391025c -Change-Id: Idd89a6dd72f0e68259095f677185f0494391025c ---- - .../core/java/com/android/server/pm/PackageManagerService.java | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java -index 5bd1b4ac0195..d27b5ad0d646 100644 ---- a/services/core/java/com/android/server/pm/PackageManagerService.java -+++ b/services/core/java/com/android/server/pm/PackageManagerService.java -@@ -13673,6 +13673,9 @@ public class PackageManagerService extends IPackageManager.Stub - if (pkgSetting == null) { - return PackageManager.INSTALL_FAILED_INVALID_URI; - } -+ if (instantApp && (pkgSetting.isSystem() || isUpdatedSystemApp(pkgSetting))) { -+ return PackageManager.INSTALL_FAILED_INVALID_URI; -+ } - if (!canViewInstantApps(callingUid, UserHandle.getUserId(callingUid))) { - // only allow the existing package to be used if it's installed as a full - // application for at least one user diff --git a/Patches/LineageOS-17.1/android_frameworks_base/385539.patch b/Patches/LineageOS-17.1/android_frameworks_base/385539.patch deleted file mode 100644 index bc53d770..00000000 --- a/Patches/LineageOS-17.1/android_frameworks_base/385539.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Dmitry Dementyev -Date: Wed, 3 Jan 2024 09:26:56 -0800 -Subject: [PATCH] Close AccountManagerService.session after timeout. - -Bug: 303905130 -Bug: 316893159 -Test: manual -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bb53f192e0ceaa026a083da156ef0cb0140f0c09) -Merged-In: Ib4cebf1750fc6324dc1c8853e0d716ea5e8ec073 -Change-Id: Ib4cebf1750fc6324dc1c8853e0d716ea5e8ec073 ---- - .../android/server/accounts/AccountManagerService.java | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java -index 715b32687054..326acdfe3a3f 100644 ---- a/services/core/java/com/android/server/accounts/AccountManagerService.java -+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java -@@ -182,6 +182,7 @@ public class AccountManagerService - - final MessageHandler mHandler; - -+ private static final int TIMEOUT_DELAY_MS = 1000 * 60 * 15; - // Messages that can be sent on mHandler - private static final int MESSAGE_TIMED_OUT = 3; - private static final int MESSAGE_COPY_SHARED_ACCOUNT = 4; -@@ -4766,6 +4767,7 @@ public class AccountManagerService - synchronized (mSessions) { - mSessions.put(toString(), this); - } -+ scheduleTimeout(); - if (response != null) { - try { - response.asBinder().linkToDeath(this, 0 /* flags */); -@@ -4932,6 +4934,11 @@ public class AccountManagerService - } - } - -+ private void scheduleTimeout() { -+ mHandler.sendMessageDelayed( -+ mHandler.obtainMessage(MESSAGE_TIMED_OUT, this), TIMEOUT_DELAY_MS); -+ } -+ - public void cancelTimeout() { - mHandler.removeMessages(MESSAGE_TIMED_OUT, this); - } -@@ -4968,6 +4975,9 @@ public class AccountManagerService - - public void onTimedOut() { - IAccountManagerResponse response = getResponseAndClose(); -+ if 
(Log.isLoggable(TAG, Log.VERBOSE)) { -+ Log.v(TAG, "Session.onTimedOut"); -+ } - if (response != null) { - try { - response.onError(AccountManager.ERROR_CODE_REMOTE_EXCEPTION, diff --git a/Patches/LineageOS-17.1/android_frameworks_base/385672.patch b/Patches/LineageOS-17.1/android_frameworks_base/385672.patch deleted file mode 100644 index c6f2645b..00000000 --- a/Patches/LineageOS-17.1/android_frameworks_base/385672.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: kumarashishg -Date: Mon, 17 Jul 2023 12:01:18 +0000 -Subject: [PATCH] Resolve custom printer icon boundary exploit. - -Because Settings grants the INTERACT_ACROSS_USERS_FULL permission, an exploit is possible where the third party print plugin service can pass other's User Icon URI. This CL provides a lightweight solution for parsing the image URI to detect profile exploitation. - -Bug: 281525042 -Test: Build and flash the code. Try to reproduce the issue with -mentioned steps in the bug -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0e0693ca9cb408d0dc82f6c6b3feb453fc8ddd83) -Merged-In: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce -Change-Id: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce ---- - .../server/print/PrintManagerService.java | 34 ++++++++++++++++++- - 1 file changed, 33 insertions(+), 1 deletion(-) - -diff --git a/services/print/java/com/android/server/print/PrintManagerService.java b/services/print/java/com/android/server/print/PrintManagerService.java -index c9b9f3e6bd48..2bed4b5a81f5 100644 ---- a/services/print/java/com/android/server/print/PrintManagerService.java -+++ b/services/print/java/com/android/server/print/PrintManagerService.java -@@ -252,12 +252,44 @@ public final class PrintManagerService extends SystemService { - } - final long identity = Binder.clearCallingIdentity(); - try { -- return userState.getCustomPrinterIcon(printerId); -+ Icon icon = userState.getCustomPrinterIcon(printerId); -+ return validateIconUserBoundary(icon); - } finally { - Binder.restoreCallingIdentity(identity); - } - } - -+ /** -+ * Validates the custom printer icon to see if it's not in the calling user space. -+ * If the condition is not met, return null. Otherwise, return the original icon. 
-+ * -+ * @param icon -+ * @return icon (validated) -+ */ -+ private Icon validateIconUserBoundary(Icon icon) { -+ // Refer to Icon#getUriString for context. The URI string is invalid for icons of -+ // incompatible types. -+ if (icon != null && (icon.getType() == Icon.TYPE_URI)) { -+ String encodedUser = icon.getUri().getEncodedUserInfo(); -+ -+ // If there is no encoded user, the URI is calling into the calling user space -+ if (encodedUser != null) { -+ int userId = Integer.parseInt(encodedUser); -+ // resolve encoded user -+ final int resolvedUserId = resolveCallingUserEnforcingPermissions(userId); -+ -+ synchronized (mLock) { -+ // Only the current group members can get the printer icons. -+ if (resolveCallingProfileParentLocked(resolvedUserId) -+ != getCurrentUserId()) { -+ return null; -+ } -+ } -+ } -+ } -+ return icon; -+ } -+ - @Override - public void cancelPrintJob(PrintJobId printJobId, int appId, int userId) { - if (printJobId == null) { diff --git a/Patches/LineageOS-17.1/android_system_bt/385557.patch b/Patches/LineageOS-17.1/android_system_bt/385557.patch deleted file mode 100644 index 0625e8f7..00000000 --- a/Patches/LineageOS-17.1/android_system_bt/385557.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Hui Peng -Date: Tue, 28 Nov 2023 19:57:20 +0000 -Subject: [PATCH] Fix an OOB bug in smp_proc_sec_req - -This is a backport of I400cfa3523c6d8b25c233205748c2db5dc803d1d - -Bug: 300903400 -Test: m com.android.btservices -Ignore-AOSP-First: security -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:970c95d7c06c909c34a849587f701098129fc2ef) -Merged-In: Id4c65801ff8519aff18b24007e344934493cab55 -Change-Id: Id4c65801ff8519aff18b24007e344934493cab55 ---- - stack/smp/smp_act.cc | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc -index 03d73f781..c1f143e92 100644 ---- a/stack/smp/smp_act.cc -+++ b/stack/smp/smp_act.cc -@@ -423,6 +423,13 @@ void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { - * Description process security request. - ******************************************************************************/ - void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { -+ if (smp_command_has_invalid_length(p_cb)) { -+ tSMP_INT_DATA smp_int_data; -+ smp_int_data.status = SMP_INVALID_PARAMETERS; -+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); -+ return; -+ } -+ - tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data->p_data; - tBTM_BLE_SEC_REQ_ACT sec_req_act; - diff --git a/Patches/LineageOS-17.1/android_system_bt/385558.patch b/Patches/LineageOS-17.1/android_system_bt/385558.patch deleted file mode 100644 index 45455382..00000000 --- a/Patches/LineageOS-17.1/android_system_bt/385558.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Hui Peng -Date: Fri, 15 Dec 2023 22:55:33 +0000 -Subject: [PATCH] Reland: Fix an OOB write bug in attp_build_value_cmd - -This is a backport of I291fd665a68d90813b8c21c80d23cc438f84f285 - -Bug: 295887535 -Bug: 315127634 -Test: m com.android.btservices -Test: atest net_test_stack_gatt -Ignore-AOSP-First: security -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:70f7ff2b34e6683301c9c6cd021e1ddef76c5b1c) -Merged-In: Ieffac6db5c6359b071efc599f7a70de609b80b72 -Change-Id: Ieffac6db5c6359b071efc599f7a70de609b80b72 ---- - stack/gatt/att_protocol.cc | 56 ++++++++++++++++++++++++++++++-------- - 1 file changed, 45 insertions(+), 11 deletions(-) - -diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc -index cdf472e40..aaf1a53a3 100644 ---- a/stack/gatt/att_protocol.cc -+++ b/stack/gatt/att_protocol.cc -@@ -278,46 +278,80 @@ BT_HDR* attp_build_opcode_cmd(uint8_t op_code) { - BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code, - uint16_t handle, uint16_t offset, uint16_t len, - uint8_t* p_data) { -- uint8_t *p, *pp, pair_len, *p_pair_len; -+ uint8_t *p, *pp, *p_pair_len; -+ size_t pair_len; -+ size_t size_now = 1; -+ -+#define CHECK_SIZE() \ -+ do { \ -+ if (size_now > payload_size) { \ -+ LOG(ERROR) << "payload size too small"; \ -+ osi_free(p_buf); \ -+ return nullptr; \ -+ } \ -+ } while (false) -+ - BT_HDR* p_buf = - (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET); - - p = pp = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; -+ -+ CHECK_SIZE(); - UINT8_TO_STREAM(p, op_code); - p_buf->offset = L2CAP_MIN_OFFSET; -- p_buf->len = 1; - - if (op_code == GATT_RSP_READ_BY_TYPE) { -- p_pair_len = p; -+ p_pair_len = p++; - pair_len = len + 2; -- UINT8_TO_STREAM(p, pair_len); -- p_buf->len += 1; -+ size_now += 1; -+ CHECK_SIZE(); -+ // this field will be backfilled in the end of this function - } -+ - if 
(op_code != GATT_RSP_READ_BLOB && op_code != GATT_RSP_READ) { -+ size_now += 2; -+ CHECK_SIZE(); - UINT16_TO_STREAM(p, handle); -- p_buf->len += 2; - } - - if (op_code == GATT_REQ_PREPARE_WRITE || op_code == GATT_RSP_PREPARE_WRITE) { -+ size_now += 2; -+ CHECK_SIZE(); - UINT16_TO_STREAM(p, offset); -- p_buf->len += 2; - } - - if (len > 0 && p_data != NULL) { - /* ensure data not exceed MTU size */ -- if (payload_size - p_buf->len < len) { -- len = payload_size - p_buf->len; -+ if (payload_size - size_now < len) { -+ len = payload_size - size_now; - /* update handle value pair length */ -- if (op_code == GATT_RSP_READ_BY_TYPE) *p_pair_len = (len + 2); -+ if (op_code == GATT_RSP_READ_BY_TYPE) { -+ pair_len = (len + 2); -+ } - - LOG(WARNING) << StringPrintf( - "attribute value too long, to be truncated to %d", len); - } - -+ size_now += len; -+ CHECK_SIZE(); - ARRAY_TO_STREAM(p, p_data, len); -- p_buf->len += len; - } - -+ // backfill pair len field -+ if (op_code == GATT_RSP_READ_BY_TYPE) { -+ if (pair_len > UINT8_MAX) { -+ LOG(ERROR) << StringPrintf("pair_len greater than %d", UINT8_MAX); -+ osi_free(p_buf); -+ return nullptr; -+ } -+ -+ *p_pair_len = (uint8_t)pair_len; -+ } -+ -+#undef CHECK_SIZE -+ -+ p_buf->len = (uint16_t)size_now; - return p_buf; - } - diff --git a/Patches/LineageOS-17.1/android_system_bt/385559.patch b/Patches/LineageOS-17.1/android_system_bt/385559.patch deleted file mode 100644 index 0436fb19..00000000 --- a/Patches/LineageOS-17.1/android_system_bt/385559.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Hui Peng -Date: Tue, 9 Jan 2024 22:38:20 +0000 -Subject: [PATCH] Fix a security bypass issue in - access_secure_service_from_temp_bond - -Backport I48df2c2d77810077e97d4131540277273d441998 -to rvc-dev - -Bug: 318374503 -Test: m com.android.btservices | manual test against PoC | QA -Ignore-AOSP-First: security -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e908c16d9157b9e4a936117f06b8f964cf8386b8) -Merged-In: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f -Change-Id: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f ---- - stack/btm/btm_sec.cc | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc -index de91023c6..72dc9a2ed 100644 ---- a/stack/btm/btm_sec.cc -+++ b/stack/btm/btm_sec.cc -@@ -235,8 +235,7 @@ static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_r - bool locally_initiated, - uint16_t security_req) { - return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) && -- btm_dev_authenticated(p_dev_rec) && -- p_dev_rec->bond_type == BOND_TYPE_TEMPORARY; -+ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY; - } - - /******************************************************************************* diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/385591.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/385591.patch deleted file mode 100644 index 2bc32d52..00000000 --- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/385591.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Hui Peng -Date: Tue, 28 Nov 2023 19:57:20 +0000 -Subject: [PATCH] Fix an OOB bug in smp_proc_sec_req - -This is a backport of I400cfa3523c6d8b25c233205748c2db5dc803d1d - -Bug: 300903400 -Test: m com.android.btservices -Ignore-AOSP-First: security -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:970c95d7c06c909c34a849587f701098129fc2ef) -Merged-In: Id4c65801ff8519aff18b24007e344934493cab55 -Change-Id: Id4c65801ff8519aff18b24007e344934493cab55 ---- - stack/smp/smp_act.cc | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc -index 196eeacd7..a18d8389b 100755 ---- a/stack/smp/smp_act.cc -+++ b/stack/smp/smp_act.cc -@@ -429,6 +429,13 @@ void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { - * Description process security request. - ******************************************************************************/ - void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { -+ if (smp_command_has_invalid_length(p_cb)) { -+ tSMP_INT_DATA smp_int_data; -+ smp_int_data.status = SMP_INVALID_PARAMETERS; -+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); -+ return; -+ } -+ - tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data->p_data; - tBTM_BLE_SEC_REQ_ACT sec_req_act; - diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/385592.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/385592.patch deleted file mode 100644 index 95e70ed2..00000000 --- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/385592.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Hui Peng -Date: Fri, 15 Dec 2023 22:55:33 +0000 -Subject: [PATCH] Reland: Fix an OOB write bug in attp_build_value_cmd - -This is a backport of I291fd665a68d90813b8c21c80d23cc438f84f285 - -Bug: 295887535 -Bug: 315127634 -Test: m com.android.btservices -Test: atest net_test_stack_gatt -Ignore-AOSP-First: security -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:70f7ff2b34e6683301c9c6cd021e1ddef76c5b1c) -Merged-In: Ieffac6db5c6359b071efc599f7a70de609b80b72 -Change-Id: Ieffac6db5c6359b071efc599f7a70de609b80b72 ---- - stack/gatt/att_protocol.cc | 56 ++++++++++++++++++++++++++++++-------- - 1 file changed, 45 insertions(+), 11 deletions(-) - -diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc -index d1e0ece59..41839b072 100644 ---- a/stack/gatt/att_protocol.cc -+++ b/stack/gatt/att_protocol.cc -@@ -278,46 +278,80 @@ BT_HDR* attp_build_opcode_cmd(uint8_t op_code) { - BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code, - uint16_t handle, uint16_t offset, uint16_t len, - uint8_t* p_data) { -- uint8_t *p, *pp, pair_len, *p_pair_len; -+ uint8_t *p, *pp, *p_pair_len; -+ size_t pair_len; -+ size_t size_now = 1; -+ -+#define CHECK_SIZE() \ -+ do { \ -+ if (size_now > payload_size) { \ -+ LOG(ERROR) << "payload size too small"; \ -+ osi_free(p_buf); \ -+ return nullptr; \ -+ } \ -+ } while (false) -+ - BT_HDR* p_buf = - (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET); - - p = pp = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; -+ -+ CHECK_SIZE(); - UINT8_TO_STREAM(p, op_code); - p_buf->offset = L2CAP_MIN_OFFSET; -- p_buf->len = 1; - - if (op_code == GATT_RSP_READ_BY_TYPE) { -- p_pair_len = p; -+ p_pair_len = p++; - pair_len = len + 2; -- UINT8_TO_STREAM(p, pair_len); -- p_buf->len += 1; -+ size_now += 1; -+ CHECK_SIZE(); -+ // this field will be backfilled in the end of this function - } -+ - if 
(op_code != GATT_RSP_READ_BLOB && op_code != GATT_RSP_READ) { -+ size_now += 2; -+ CHECK_SIZE(); - UINT16_TO_STREAM(p, handle); -- p_buf->len += 2; - } - - if (op_code == GATT_REQ_PREPARE_WRITE || op_code == GATT_RSP_PREPARE_WRITE) { -+ size_now += 2; -+ CHECK_SIZE(); - UINT16_TO_STREAM(p, offset); -- p_buf->len += 2; - } - - if (len > 0 && p_data != NULL) { - /* ensure data not exceed MTU size */ -- if (payload_size - p_buf->len < len) { -- len = payload_size - p_buf->len; -+ if (payload_size - size_now < len) { -+ len = payload_size - size_now; - /* update handle value pair length */ -- if (op_code == GATT_RSP_READ_BY_TYPE) *p_pair_len = (len + 2); -+ if (op_code == GATT_RSP_READ_BY_TYPE) { -+ pair_len = (len + 2); -+ } - - LOG(WARNING) << StringPrintf( - "attribute value too long, to be truncated to %d", len); - } - -+ size_now += len; -+ CHECK_SIZE(); - ARRAY_TO_STREAM(p, p_data, len); -- p_buf->len += len; - } - -+ // backfill pair len field -+ if (op_code == GATT_RSP_READ_BY_TYPE) { -+ if (pair_len > UINT8_MAX) { -+ LOG(ERROR) << StringPrintf("pair_len greater than %d", UINT8_MAX); -+ osi_free(p_buf); -+ return nullptr; -+ } -+ -+ *p_pair_len = (uint8_t)pair_len; -+ } -+ -+#undef CHECK_SIZE -+ -+ p_buf->len = (uint16_t)size_now; - return p_buf; - } - diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/385593.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/385593.patch deleted file mode 100644 index 676a76a1..00000000 --- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/385593.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Hui Peng -Date: Tue, 9 Jan 2024 22:38:20 +0000 -Subject: [PATCH] Fix a security bypass issue in - access_secure_service_from_temp_bond - -Backport I48df2c2d77810077e97d4131540277273d441998 -to rvc-dev - -Bug: 318374503 -Test: m com.android.btservices | manual test against PoC | QA -Ignore-AOSP-First: security -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e908c16d9157b9e4a936117f06b8f964cf8386b8) -Merged-In: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f -Change-Id: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f ---- - stack/btm/btm_sec.cc | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc -index 80f4d3031..1e7913854 100644 ---- a/stack/btm/btm_sec.cc -+++ b/stack/btm/btm_sec.cc -@@ -235,8 +235,7 @@ static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_r - bool locally_initiated, - uint16_t security_req) { - return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) && -- btm_dev_authenticated(p_dev_rec) && -- p_dev_rec->bond_type == BOND_TYPE_TEMPORARY; -+ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY; - } - - /******************************************************************************* diff --git a/Scripts/LineageOS-17.1/Functions.sh b/Scripts/LineageOS-17.1/Functions.sh index 31c8d859..a1d3332a 100644 --- a/Scripts/LineageOS-17.1/Functions.sh +++ b/Scripts/LineageOS-17.1/Functions.sh @@ -95,7 +95,7 @@ patchWorkspaceReal() { repopick -t Q_asb_2023-12 -e 377251,378083,378084,378085,378086,378087,378088,378314,378315; repopick -t Q_asb_2024-01; repopick -t Q_asb_2024-02; - #repopick -t Q_asb_2024-03; + repopick -t Q_asb_2024-03; sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh"; diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh index 19178ff4..7bea2ecd 100644 --- a/Scripts/LineageOS-17.1/Patch.sh 
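Review bot: Uncommenting `repopick -t Q_asb_2024-03;` is now the only thing standing in for the nine 2024-03 patch files this commit deletes, but the line records nothing about what the topic is expected to contain, so a change that is missing from the topic (the print-service fix was labelled `P_asb_2024-03` rather than `R_asb_2024-03` in Patch.sh, and the `vendor/qcom/opensource/commonsys/system/bt` fork may not be covered by a Lineage topic at all) would drop silently. Suggest annotating the line: `repopick -t Q_asb_2024-03; #replaces the 2024-03 backports (frameworks/av, frameworks/base, system/bt, vendor/qcom .../system/bt) removed from Patch.sh`. The 2023-12 line above shows the `-e` form for excluding conflicting changes; prefer that over re-commenting the whole topic if a single pick fails. Whether a failed repopick aborts patchWorkspaceReal cannot be told from this hunk; if it does not, checking the picked commits for the three system/bt fixes before Patch.sh runs would be a cheap guard. patchWorkspaceReal continues outside the hunk.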
+++ b/Scripts/LineageOS-17.1/Patch.sh
@@ -174,17 +174,11 @@ git fetch https://github.com/LineageOS/android_external_zlib refs/changes/70/352
 fi;
 if enterAndClear "frameworks/av"; then
-applyPatch "$DOS_PATCHES/android_frameworks_av/385529.patch"; #R_asb_2024-03 Validate OMX Params for VPx encoders
-applyPatch "$DOS_PATCHES/android_frameworks_av/385530.patch"; #R_asb_2024-03 SoftVideoDecodeOMXComponent: validate OMX params for dynamic HDR
-applyPatch "$DOS_PATCHES/android_frameworks_av/385531.patch"; #R_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue
 fi;
 if enterAndClear "frameworks/base"; then
 #applyPatch "$DOS_PATCHES/android_frameworks_base/379145.patch"; #R_asb_2024-01 Dismiss keyguard when simpin auth'd and...
 applyPatch "$DOS_PATCHES/android_frameworks_base/379136.patch"; #R_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
-applyPatch "$DOS_PATCHES/android_frameworks_base/385672.patch"; #P_asb_2024-03 Resolve custom printer icon boundary exploit.
-applyPatch "$DOS_PATCHES/android_frameworks_base/385538.patch"; #R_asb_2024-03 Disallow system apps to be installed/updated as instant.
-applyPatch "$DOS_PATCHES/android_frameworks_base/385539.patch"; #R_asb_2024-03 Close AccountManagerService.session after timeout.
 applyPatch "$DOS_PATCHES/android_frameworks_base/389014-backport.patch"; #S_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
 applyPatch "$DOS_PATCHES/android_frameworks_base/389269-backport.patch"; #P_asb_2024-04 Close isUserInLockDown can be true when there are other strong auth requirements
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
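Review bot: Deleting the three `applyPatch` lines leaves `if enterAndClear "frameworks/av"; then` followed directly by `fi;` with no command in between, which is a syntax error in sh/bash and stops Patch.sh from parsing at all, so none of the remaining patches (including the `379136.patch` and the two `-backport.patch` security fixes in the next section) would be applied. A comment line does not count as a command, so either drop the whole `if enterAndClear "frameworks/av"; then … fi;` section or keep one statement in it, e.g. a `true;` placeholder. Removing the section is cleaner since, judging by its name, `enterAndClear` only resets the repo and the block would otherwise do nothing — confirm that against its definition in Functions.sh. The `frameworks/base` section in the same hunk is unaffected because three `applyPatch` lines remain in it.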
@@ -422,9 +416,6 @@ applyPatch "$DOS_PATCHES/android_prebuilts_abi-dumps_vndk/0001-protobuf-avi.patc
 fi;
 if enterAndClear "system/bt"; then
-applyPatch "$DOS_PATCHES/android_system_bt/385557.patch"; #R_asb_2024-03 Fix an OOB bug in smp_proc_sec_req
-applyPatch "$DOS_PATCHES/android_system_bt/385558.patch"; #R_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
-applyPatch "$DOS_PATCHES/android_system_bt/385559.patch"; #R_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
 applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
@@ -478,9 +469,6 @@ applyPatch "$DOS_PATCHES/android_tools_apksig/360973-backport.patch"; #R_asb_202
 fi;
 if enterAndClear "vendor/qcom/opensource/commonsys/system/bt/"; then
-applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/385591.patch"; #R_asb_2024-03 Fix an OOB bug in smp_proc_sec_req
-applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/385592.patch"; #R_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
-applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/385593.patch"; #R_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
 fi;
 if enterAndClear "vendor/lineage"; then
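Review bot: The `vendor/qcom/opensource/commonsys/system/bt/` section in the second hunk is left as `if enterAndClear "…"; then` immediately followed by `fi;`, and an empty then-list is a shell syntax error, so Patch.sh will fail to parse and no patch in the file gets applied. Remove the three-line section (or put a placeholder command such as `true;` in it) rather than leaving it empty. The `system/bt` section in the first hunk is not affected because the GrapheneOS `0001-alloc_size.patch` line remains. Separately, nothing now says where the SMP/GATT/BTM fixes for this fork come from; if the `Q_asb_2024-03` topic does not touch the qcom bt fork these three fixes are lost for the devices that use it, so a comment such as `#2024-03 BT fixes now expected from repopick -t Q_asb_2024-03` next to the section would make that dependency visible.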