17.1: March ASB work

+ a bonus February patch for 15.1

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-15.1/android_packages_providers_DownloadProvider/383567.patch

@@ -0,0 +1,66 @@
+From d1a6862647428e9c973f4c21adc83656c5ac98f9 Mon Sep 17 00:00:00 2001
+From: Sergey Nikolaienkov <sergeynv@google.com>
+Date: Mon, 3 Jul 2023 17:09:28 +0200
+Subject: [PATCH] DO NOT MERGE: Consolidate queryChildDocumentsXxx()
+ implementations
+
+Make sure to override the single right variant of the
+FileSystemProvider#queryChildDocuments() method: the one that takes the
+"includeHidden" boolean argument.
+
+Bug: 200034476
+Bug: 220066255
+Bug: 283962634
+Test: make, install and run manually
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e11e4ca6eef7e77042f2b27fce4fdb8a0b3d0371)
+Merged-In: I4c00693e28f3d50d716350a65e9e6bfd7482b085
+Change-Id: I4c00693e28f3d50d716350a65e9e6bfd7482b085
+---
+ .../downloads/DownloadStorageProvider.java    | 25 +++++--------------
+ 1 file changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/src/com/android/providers/downloads/DownloadStorageProvider.java b/src/com/android/providers/downloads/DownloadStorageProvider.java
+index b8f47a85b..f7f8a21fd 100644
+--- a/src/com/android/providers/downloads/DownloadStorageProvider.java
++++ b/src/com/android/providers/downloads/DownloadStorageProvider.java
+@@ -245,34 +245,21 @@ public Cursor queryDocument(String docId, String[] projection) throws FileNotFou
+         }
+     }
+ 
+-    @Override
+-    public Cursor queryChildDocuments(String parentDocId, String[] projection, String sortOrder)
+-            throws FileNotFoundException {
+-        return queryChildDocuments(parentDocId, projection, sortOrder, false);
+-    }
+-
+-    @Override
+-    public Cursor queryChildDocumentsForManage(
+-            String parentDocId, String[] projection, String sortOrder)
+-            throws FileNotFoundException {
+-        return queryChildDocuments(parentDocId, projection, sortOrder, true);
+-    }
+-
+-    private Cursor queryChildDocuments(String parentDocId, String[] projection,
+-            String sortOrder, boolean manage) throws FileNotFoundException {
++    protected Cursor queryChildDocuments(String documentId, String[] projection,
++            String sortOrder, boolean includeHidden) throws FileNotFoundException {
+ 
+         // Delegate to real provider
+         final long token = Binder.clearCallingIdentity();
+         Cursor cursor = null;
+         try {
+-            if (RawDocumentsHelper.isRawDocId(parentDocId)) {
+-                return super.queryChildDocuments(parentDocId, projection, sortOrder);
++            if (RawDocumentsHelper.isRawDocId(documentId)) {
++                return super.queryChildDocuments(documentId, projection, sortOrder);
+             }
+ 
+-            assert (DOC_ID_ROOT.equals(parentDocId));
++            assert (DOC_ID_ROOT.equals(documentId));
+             final DownloadsCursor result = new DownloadsCursor(projection,
+                     getContext().getContentResolver());
+-            if (manage) {
++            if (includeHidden) {
+                 cursor = mDm.query(
+                         new DownloadManager.Query().setOnlyIncludeVisibleInDownloadsUi(true));
+             } else {

Patches/LineageOS-17.1/android_frameworks_av/385529.patch

@@ -0,0 +1,105 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Haripriya Deshmukh <haripriya.deshmukh@ittiam.com>
+Date: Tue, 19 Sep 2023 20:42:45 +0000
+Subject: [PATCH] Validate OMX Params for VPx encoders
+
+Bug: 273936274
+Bug: 273937171
+Bug: 273937136
+Bug: 273936553
+Bug: 273936601
+Test: POC in bug descriptions
+(cherry picked from https://partner-android-review.googlesource.com/q/commit:022086b76536cd2e19a44053271190bdf6e181f7)
+(cherry picked from commit 0e4ca1cb5c16af8f1dfb0ae41941c16c104d38e8)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90641b2799fd3940cdf0bf8a73b2f76839e651a6)
+Merged-In: I9bb17112d9f0217b6af0343afecc9c943453b757
+Change-Id: I9bb17112d9f0217b6af0343afecc9c943453b757
+---
+ media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp | 10 ++++++++++
+ media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp | 10 ++++++++++
+ media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp |  9 +++++++++
+ 3 files changed, 29 insertions(+)
+
+diff --git a/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp
+index 04737a9ccf..9198b7c327 100644
+--- a/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp
++++ b/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp
+@@ -120,6 +120,11 @@ OMX_ERRORTYPE SoftVP8Encoder::internalSetParameter(OMX_INDEXTYPE index,
+ 
+ OMX_ERRORTYPE SoftVP8Encoder::internalGetVp8Params(
+         OMX_VIDEO_PARAM_VP8TYPE* vp8Params) {
++    if (!isValidOMXParam(vp8Params)) {
++        android_errorWriteLog(0x534e4554, "273936274");
++        return OMX_ErrorBadParameter;
++    }
++
+     if (vp8Params->nPortIndex != kOutputPortIndex) {
+         return OMX_ErrorUnsupportedIndex;
+     }
+@@ -133,6 +138,11 @@ OMX_ERRORTYPE SoftVP8Encoder::internalGetVp8Params(
+ 
+ OMX_ERRORTYPE SoftVP8Encoder::internalSetVp8Params(
+         const OMX_VIDEO_PARAM_VP8TYPE* vp8Params) {
++    if (!isValidOMXParam(vp8Params)) {
++        android_errorWriteLog(0x534e4554, "273937171");
++        return OMX_ErrorBadParameter;
++    }
++
+     if (vp8Params->nPortIndex != kOutputPortIndex) {
+         return OMX_ErrorUnsupportedIndex;
+     }
+diff --git a/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp
+index 1ea1c85f76..f8495c2da4 100644
+--- a/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp
++++ b/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp
+@@ -119,6 +119,11 @@ OMX_ERRORTYPE SoftVP9Encoder::internalSetParameter(
+ 
+ OMX_ERRORTYPE SoftVP9Encoder::internalGetVp9Params(
+         OMX_VIDEO_PARAM_VP9TYPE *vp9Params) {
++    if (!isValidOMXParam(vp9Params)) {
++        android_errorWriteLog(0x534e4554, "273936553");
++        return OMX_ErrorBadParameter;
++    }
++
+     if (vp9Params->nPortIndex != kOutputPortIndex) {
+         return OMX_ErrorUnsupportedIndex;
+     }
+@@ -133,6 +138,11 @@ OMX_ERRORTYPE SoftVP9Encoder::internalGetVp9Params(
+ 
+ OMX_ERRORTYPE SoftVP9Encoder::internalSetVp9Params(
+         const OMX_VIDEO_PARAM_VP9TYPE *vp9Params) {
++    if (!isValidOMXParam(vp9Params)) {
++        android_errorWriteLog(0x534e4554, "273937136");
++        return OMX_ErrorBadParameter;
++    }
++
+     if (vp9Params->nPortIndex != kOutputPortIndex) {
+         return OMX_ErrorUnsupportedIndex;
+     }
+diff --git a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp
+index d0cb0718c2..054413e7c0 100644
+--- a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp
++++ b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp
+@@ -485,6 +485,11 @@ OMX_ERRORTYPE SoftVPXEncoder::internalSetBitrateParams(
+ 
+ OMX_ERRORTYPE SoftVPXEncoder::internalGetAndroidVpxParams(
+         OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vpxAndroidParams) {
++    if (!isValidOMXParam(vpxAndroidParams)) {
++        android_errorWriteLog(0x534e4554, "273936601");
++        return OMX_ErrorBadParameter;
++    }
++
+     if (vpxAndroidParams->nPortIndex != kOutputPortIndex) {
+         return OMX_ErrorUnsupportedIndex;
+     }
+@@ -501,6 +506,10 @@ OMX_ERRORTYPE SoftVPXEncoder::internalGetAndroidVpxParams(
+ 
+ OMX_ERRORTYPE SoftVPXEncoder::internalSetAndroidVpxParams(
+         const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vpxAndroidParams) {
++    if (!isValidOMXParam(vpxAndroidParams)) {
++        android_errorWriteLog(0x534e4554, "273937551");
++        return OMX_ErrorBadParameter;
++    }
+     if (vpxAndroidParams->nPortIndex != kOutputPortIndex) {
+         return OMX_ErrorUnsupportedIndex;
+     }

Patches/LineageOS-17.1/android_frameworks_av/385530.patch

@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Harish Mahendrakar <harish.mahendrakar@ittiam.com>
+Date: Mon, 30 Oct 2023 20:38:56 +0000
+Subject: [PATCH] SoftVideoDecodeOMXComponent: validate OMX params for dynamic
+ HDR
+
+Bug: 273935108
+Bug: 281065553
+(cherry picked from https://partner-android-review.googlesource.com/q/commit:b2c67bdcf57149a5e19a04466205266dc543fd86)
+(cherry picked from commit a542f2c50700ca6df93e966fe8d4c468e1a15d9a)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:80e0acc096d201e80a1b65af944b1e47c9dd6f7b)
+Merged-In: I707745594a9196d8d85d4c4bb498eba3c6198b42
+Change-Id: I707745594a9196d8d85d4c4bb498eba3c6198b42
+---
+ media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
+index e853da9763..418302389d 100644
+--- a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
++++ b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
+@@ -616,6 +616,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::getConfig(
+                 DescribeHDR10PlusInfoParams* outParams =
+                         (DescribeHDR10PlusInfoParams *)params;
+ 
++                if (!isValidOMXParam(outParams)) {
++                    return OMX_ErrorBadParameter;
++                }
++
+                 outParams->nParamSizeUsed = info->size();
+ 
+                 // If the buffer provided by the client does not have enough
+@@ -694,6 +698,10 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::internalSetConfig(
+             const DescribeHDR10PlusInfoParams* inParams =
+                     (DescribeHDR10PlusInfoParams *)params;
+ 
++            if (!isValidOMXParam(inParams)) {
++                return OMX_ErrorBadParameter;
++            }
++
+             if (*frameConfig) {
+                 // This is a request to append to the current frame config set.
+                 // For now, we only support kDescribeHdr10PlusInfoIndex, which

Patches/LineageOS-17.1/android_frameworks_av/385531.patch

@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Haripriya Deshmukh <haripriya.deshmukh@ittiam.com>
+Date: Tue, 5 Dec 2023 18:32:38 +0000
+Subject: [PATCH] Fix out of bounds read and write in onQueueFilled in outQueue
+
+Bug: 276442130
+Test: POC in bug descriptions
+(cherry picked from https://partner-android-review.googlesource.com/q/commit:7aef41e59412e2f95bab5de7e33f5f04bb808643)
+(cherry picked from commit 8f4cfda9fc75f1e9ba3b6dee3fbffda4b6111d64)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:208e430bc6380fafafca8041b239f835263a9d47)
+Merged-In: Ic230d10048193a785f185dc6a7de6f455f9318c1
+Change-Id: Ic230d10048193a785f185dc6a7de6f455f9318c1
+---
+ media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
+index 60750d9a61..db08030ad1 100644
+--- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
++++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
+@@ -312,8 +312,11 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) {
+         outHeader->nFilledLen = frameSize;
+ 
+         List<BufferInfo *>::iterator it = outQueue.begin();
+-        while ((*it)->mHeader != outHeader) {
+-            ++it;
++        while (it != outQueue.end() && (*it)->mHeader != outHeader) {
++             ++it;
++        }
++        if (it == outQueue.end()) {
++            return;
+         }
+ 
+         BufferInfo *outInfo = *it;

Patches/LineageOS-17.1/android_frameworks_base/0014-Special_Permissions.patch

@@ -11,10 +11,10 @@ need to be granted by default for all apps to maintain compatibility.
  2 files changed, 20 insertions(+), 6 deletions(-)
 
 diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
-index 5bd1b4ac0195..475ba5ddc8c0 100644
+index d27b5ad0d646..32b022455451 100644
 --- a/services/core/java/com/android/server/pm/PackageManagerService.java
 +++ b/services/core/java/com/android/server/pm/PackageManagerService.java
-@@ -20215,7 +20215,8 @@ public class PackageManagerService extends IPackageManager.Stub
+@@ -20218,7 +20218,8 @@ public class PackageManagerService extends IPackageManager.Stub
              }
  
              // If this permission was granted by default, make sure it is.

Patches/LineageOS-17.1/android_frameworks_base/0021-Unprivileged_microG_Handling.patch

@@ -81,7 +81,7 @@ index a84d23b624bf..1ab293758ee7 100644
  
      <!-- This string array can be overriden to enable test location providers initially. -->
 diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
-index 475ba5ddc8c0..e095007436b0 100644
+index 32b022455451..568cdcac1d47 100644
 --- a/services/core/java/com/android/server/pm/PackageManagerService.java
 +++ b/services/core/java/com/android/server/pm/PackageManagerService.java
 @@ -4203,8 +4203,20 @@ public class PackageManagerService extends IPackageManager.Stub

Patches/LineageOS-17.1/android_frameworks_base/385538.patch

@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alex Buynytskyy <alexbuy@google.com>
+Date: Wed, 20 Dec 2023 01:50:36 +0000
+Subject: [PATCH] Disallow system apps to be installed/updated as instant.
+
+Bug: 299441833
+Test: atest android.content.pm.cts.PackageManagerTest
+(cherry picked from commit 496e78a1951f2ed69290f03c5625c0f8382f4d31)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0d0f185c0d526c1dac0a8894b2c2f2e378328d73)
+Merged-In: Idd89a6dd72f0e68259095f677185f0494391025c
+Change-Id: Idd89a6dd72f0e68259095f677185f0494391025c
+---
+ .../core/java/com/android/server/pm/PackageManagerService.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index 5bd1b4ac0195..d27b5ad0d646 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -13673,6 +13673,9 @@ public class PackageManagerService extends IPackageManager.Stub
+                 if (pkgSetting == null) {
+                     return PackageManager.INSTALL_FAILED_INVALID_URI;
+                 }
++                if (instantApp && (pkgSetting.isSystem() || isUpdatedSystemApp(pkgSetting))) {
++                    return PackageManager.INSTALL_FAILED_INVALID_URI;
++                }
+                 if (!canViewInstantApps(callingUid, UserHandle.getUserId(callingUid))) {
+                     // only allow the existing package to be used if it's installed as a full
+                     // application for at least one user

Patches/LineageOS-17.1/android_frameworks_base/385539.patch

@@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Wed, 3 Jan 2024 09:26:56 -0800
+Subject: [PATCH] Close AccountManagerService.session after timeout.
+
+Bug: 303905130
+Bug: 316893159
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bb53f192e0ceaa026a083da156ef0cb0140f0c09)
+Merged-In: Ib4cebf1750fc6324dc1c8853e0d716ea5e8ec073
+Change-Id: Ib4cebf1750fc6324dc1c8853e0d716ea5e8ec073
+---
+ .../android/server/accounts/AccountManagerService.java | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 715b32687054..326acdfe3a3f 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -182,6 +182,7 @@ public class AccountManagerService
+ 
+     final MessageHandler mHandler;
+ 
++    private static final int TIMEOUT_DELAY_MS = 1000 * 60 * 15;
+     // Messages that can be sent on mHandler
+     private static final int MESSAGE_TIMED_OUT = 3;
+     private static final int MESSAGE_COPY_SHARED_ACCOUNT = 4;
+@@ -4766,6 +4767,7 @@ public class AccountManagerService
+             synchronized (mSessions) {
+                 mSessions.put(toString(), this);
+             }
++            scheduleTimeout();
+             if (response != null) {
+                 try {
+                     response.asBinder().linkToDeath(this, 0 /* flags */);
+@@ -4932,6 +4934,11 @@ public class AccountManagerService
+             }
+         }
+ 
++        private void scheduleTimeout() {
++            mHandler.sendMessageDelayed(
++                    mHandler.obtainMessage(MESSAGE_TIMED_OUT, this), TIMEOUT_DELAY_MS);
++        }
++
+         public void cancelTimeout() {
+             mHandler.removeMessages(MESSAGE_TIMED_OUT, this);
+         }
+@@ -4968,6 +4975,9 @@ public class AccountManagerService
+ 
+         public void onTimedOut() {
+             IAccountManagerResponse response = getResponseAndClose();
++            if (Log.isLoggable(TAG, Log.VERBOSE)) {
++                Log.v(TAG, "Session.onTimedOut");
++            }
+             if (response != null) {
+                 try {
+                     response.onError(AccountManager.ERROR_CODE_REMOTE_EXCEPTION,

Patches/LineageOS-17.1/android_frameworks_base/385672.patch

@@ -0,0 +1,67 @@
+From 0254ee96d60cd80a52ce583c90486d6ca1549fb6 Mon Sep 17 00:00:00 2001
+From: kumarashishg <kumarashishg@google.com>
+Date: Mon, 17 Jul 2023 12:01:18 +0000
+Subject: [PATCH] Resolve custom printer icon boundary exploit.
+
+Because Settings grants the INTERACT_ACROSS_USERS_FULL permission, an exploit is possible where the third party print plugin service can pass other's User Icon URI. This CL provides a lightweight solution for parsing the image URI to detect profile exploitation.
+
+Bug: 281525042
+Test: Build and flash the code. Try to reproduce the issue with
+mentioned steps in the bug
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0e0693ca9cb408d0dc82f6c6b3feb453fc8ddd83)
+Merged-In: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce
+Change-Id: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce
+---
+ .../server/print/PrintManagerService.java     | 34 ++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/services/print/java/com/android/server/print/PrintManagerService.java b/services/print/java/com/android/server/print/PrintManagerService.java
+index dc55179bdc9e8..101a2b41addbe 100644
+--- a/services/print/java/com/android/server/print/PrintManagerService.java
++++ b/services/print/java/com/android/server/print/PrintManagerService.java
+@@ -251,12 +251,44 @@ public Icon getCustomPrinterIcon(PrinterId printerId, int userId) {
+             }
+             final long identity = Binder.clearCallingIdentity();
+             try {
+-                return userState.getCustomPrinterIcon(printerId);
++                Icon icon = userState.getCustomPrinterIcon(printerId);
++                return validateIconUserBoundary(icon);
+             } finally {
+                 Binder.restoreCallingIdentity(identity);
+             }
+         }
+ 
++        /**
++         * Validates the custom printer icon to see if it's not in the calling user space.
++         * If the condition is not met, return null. Otherwise, return the original icon.
++         *
++         * @param icon
++         * @return icon (validated)
++         */
++        private Icon validateIconUserBoundary(Icon icon) {
++            // Refer to Icon#getUriString for context. The URI string is invalid for icons of
++            // incompatible types.
++            if (icon != null && (icon.getType() == Icon.TYPE_URI)) {
++                String encodedUser = icon.getUri().getEncodedUserInfo();
++
++                // If there is no encoded user, the URI is calling into the calling user space
++                if (encodedUser != null) {
++                    int userId = Integer.parseInt(encodedUser);
++                    // resolve encoded user
++                    final int resolvedUserId = resolveCallingUserEnforcingPermissions(userId);
++
++                    synchronized (mLock) {
++                        // Only the current group members can get the printer icons.
++                        if (resolveCallingProfileParentLocked(resolvedUserId)
++                                != getCurrentUserId()) {
++                            return null;
++                        }
++                    }
++                }
++            }
++            return icon;
++        }
++
+         @Override
+         public void cancelPrintJob(PrintJobId printJobId, int appId, int userId) {
+             if (printJobId == null) {

Patches/LineageOS-17.1/android_system_bt/385557.patch

@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Tue, 28 Nov 2023 19:57:20 +0000
+Subject: [PATCH] Fix an OOB bug in smp_proc_sec_req
+
+This is a backport of I400cfa3523c6d8b25c233205748c2db5dc803d1d
+
+Bug: 300903400
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:970c95d7c06c909c34a849587f701098129fc2ef)
+Merged-In: Id4c65801ff8519aff18b24007e344934493cab55
+Change-Id: Id4c65801ff8519aff18b24007e344934493cab55
+---
+ stack/smp/smp_act.cc | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
+index 03d73f781..c1f143e92 100644
+--- a/stack/smp/smp_act.cc
++++ b/stack/smp/smp_act.cc
+@@ -423,6 +423,13 @@ void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+  * Description  process security request.
+  ******************************************************************************/
+ void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
++  if (smp_command_has_invalid_length(p_cb)) {
++    tSMP_INT_DATA smp_int_data;
++    smp_int_data.status = SMP_INVALID_PARAMETERS;
++    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
++    return;
++  }
++
+   tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data->p_data;
+   tBTM_BLE_SEC_REQ_ACT sec_req_act;
+ 

Patches/LineageOS-17.1/android_system_bt/385558.patch

@@ -0,0 +1,115 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Fri, 15 Dec 2023 22:55:33 +0000
+Subject: [PATCH] Reland: Fix an OOB write bug in attp_build_value_cmd
+
+This is a backport of I291fd665a68d90813b8c21c80d23cc438f84f285
+
+Bug: 295887535
+Bug: 315127634
+Test: m com.android.btservices
+Test: atest net_test_stack_gatt
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:70f7ff2b34e6683301c9c6cd021e1ddef76c5b1c)
+Merged-In: Ieffac6db5c6359b071efc599f7a70de609b80b72
+Change-Id: Ieffac6db5c6359b071efc599f7a70de609b80b72
+---
+ stack/gatt/att_protocol.cc | 56 ++++++++++++++++++++++++++++++--------
+ 1 file changed, 45 insertions(+), 11 deletions(-)
+
+diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
+index cdf472e40..aaf1a53a3 100644
+--- a/stack/gatt/att_protocol.cc
++++ b/stack/gatt/att_protocol.cc
+@@ -278,46 +278,80 @@ BT_HDR* attp_build_opcode_cmd(uint8_t op_code) {
+ BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code,
+                              uint16_t handle, uint16_t offset, uint16_t len,
+                              uint8_t* p_data) {
+-  uint8_t *p, *pp, pair_len, *p_pair_len;
++  uint8_t *p, *pp, *p_pair_len;
++  size_t pair_len;
++  size_t size_now = 1;
++
++#define CHECK_SIZE()                          \
++  do {                                        \
++    if (size_now > payload_size) {            \
++      LOG(ERROR) << "payload size too small"; \
++      osi_free(p_buf);                        \
++      return nullptr;                         \
++    }                                         \
++  } while (false)
++
+   BT_HDR* p_buf =
+       (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
+ 
+   p = pp = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
++
++  CHECK_SIZE();
+   UINT8_TO_STREAM(p, op_code);
+   p_buf->offset = L2CAP_MIN_OFFSET;
+-  p_buf->len = 1;
+ 
+   if (op_code == GATT_RSP_READ_BY_TYPE) {
+-    p_pair_len = p;
++    p_pair_len = p++;
+     pair_len = len + 2;
+-    UINT8_TO_STREAM(p, pair_len);
+-    p_buf->len += 1;
++    size_now += 1;
++    CHECK_SIZE();
++    // this field will be backfilled in the end of this function
+   }
++
+   if (op_code != GATT_RSP_READ_BLOB && op_code != GATT_RSP_READ) {
++    size_now += 2;
++    CHECK_SIZE();
+     UINT16_TO_STREAM(p, handle);
+-    p_buf->len += 2;
+   }
+ 
+   if (op_code == GATT_REQ_PREPARE_WRITE || op_code == GATT_RSP_PREPARE_WRITE) {
++    size_now += 2;
++    CHECK_SIZE();
+     UINT16_TO_STREAM(p, offset);
+-    p_buf->len += 2;
+   }
+ 
+   if (len > 0 && p_data != NULL) {
+     /* ensure data not exceed MTU size */
+-    if (payload_size - p_buf->len < len) {
+-      len = payload_size - p_buf->len;
++    if (payload_size - size_now < len) {
++      len = payload_size - size_now;
+       /* update handle value pair length */
+-      if (op_code == GATT_RSP_READ_BY_TYPE) *p_pair_len = (len + 2);
++      if (op_code == GATT_RSP_READ_BY_TYPE) {
++        pair_len = (len + 2);
++      }
+ 
+       LOG(WARNING) << StringPrintf(
+           "attribute value too long, to be truncated to %d", len);
+     }
+ 
++    size_now += len;
++    CHECK_SIZE();
+     ARRAY_TO_STREAM(p, p_data, len);
+-    p_buf->len += len;
+   }
+ 
++  // backfill pair len field
++  if (op_code == GATT_RSP_READ_BY_TYPE) {
++    if (pair_len > UINT8_MAX) {
++      LOG(ERROR) << StringPrintf("pair_len greater than %d", UINT8_MAX);
++      osi_free(p_buf);
++      return nullptr;
++    }
++
++    *p_pair_len = (uint8_t)pair_len;
++  }
++
++#undef CHECK_SIZE
++
++  p_buf->len = (uint16_t)size_now;
+   return p_buf;
+ }
+ 

Patches/LineageOS-17.1/android_system_bt/385559.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Tue, 9 Jan 2024 22:38:20 +0000
+Subject: [PATCH] Fix a security bypass issue in
+ access_secure_service_from_temp_bond
+
+Backport I48df2c2d77810077e97d4131540277273d441998
+to rvc-dev
+
+Bug: 318374503
+Test: m com.android.btservices | manual test against PoC | QA
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e908c16d9157b9e4a936117f06b8f964cf8386b8)
+Merged-In: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f
+Change-Id: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f
+---
+ stack/btm/btm_sec.cc | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index de91023c6..72dc9a2ed 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -235,8 +235,7 @@ static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_r
+                                                  bool locally_initiated,
+                                                  uint16_t security_req) {
+   return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
+-    btm_dev_authenticated(p_dev_rec) &&
+-    p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
++         p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
+ }
+ 
+ /*******************************************************************************

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/385591.patch

@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Tue, 28 Nov 2023 19:57:20 +0000
+Subject: [PATCH] Fix an OOB bug in smp_proc_sec_req
+
+This is a backport of I400cfa3523c6d8b25c233205748c2db5dc803d1d
+
+Bug: 300903400
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:970c95d7c06c909c34a849587f701098129fc2ef)
+Merged-In: Id4c65801ff8519aff18b24007e344934493cab55
+Change-Id: Id4c65801ff8519aff18b24007e344934493cab55
+---
+ stack/smp/smp_act.cc | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
+index 196eeacd7..a18d8389b 100755
+--- a/stack/smp/smp_act.cc
++++ b/stack/smp/smp_act.cc
+@@ -429,6 +429,13 @@ void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+  * Description  process security request.
+  ******************************************************************************/
+ void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
++  if (smp_command_has_invalid_length(p_cb)) {
++    tSMP_INT_DATA smp_int_data;
++    smp_int_data.status = SMP_INVALID_PARAMETERS;
++    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
++    return;
++  }
++
+   tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data->p_data;
+   tBTM_BLE_SEC_REQ_ACT sec_req_act;
+ 

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/385592.patch

@@ -0,0 +1,115 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Fri, 15 Dec 2023 22:55:33 +0000
+Subject: [PATCH] Reland: Fix an OOB write bug in attp_build_value_cmd
+
+This is a backport of I291fd665a68d90813b8c21c80d23cc438f84f285
+
+Bug: 295887535
+Bug: 315127634
+Test: m com.android.btservices
+Test: atest net_test_stack_gatt
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:70f7ff2b34e6683301c9c6cd021e1ddef76c5b1c)
+Merged-In: Ieffac6db5c6359b071efc599f7a70de609b80b72
+Change-Id: Ieffac6db5c6359b071efc599f7a70de609b80b72
+---
+ stack/gatt/att_protocol.cc | 56 ++++++++++++++++++++++++++++++--------
+ 1 file changed, 45 insertions(+), 11 deletions(-)
+
+diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
+index d1e0ece59..3117dc6ea 100644
+--- a/stack/gatt/att_protocol.cc
++++ b/stack/gatt/att_protocol.cc
+@@ -278,46 +278,80 @@ BT_HDR* attp_build_opcode_cmd(uint8_t op_code) {
+ BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code,
+                              uint16_t handle, uint16_t offset, uint16_t len,
+                              uint8_t* p_data) {
+-  uint8_t *p, *pp, pair_len, *p_pair_len;
++  uint8_t *p, *pp, *p_pair_len;
++  size_t pair_len;
++  size_t size_now = 1;
++
++#define CHECK_SIZE()                       \
++  do {                                     \
++    if (size_now > payload_size) {         \
++      LOG_ERROR("payload size too small"); \
++      osi_free(p_buf);                     \
++      return nullptr;                      \
++    }                                      \
++  } while (false)
++
+   BT_HDR* p_buf =
+       (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
+ 
+   p = pp = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
++
++  CHECK_SIZE();
+   UINT8_TO_STREAM(p, op_code);
+   p_buf->offset = L2CAP_MIN_OFFSET;
+-  p_buf->len = 1;
+ 
+   if (op_code == GATT_RSP_READ_BY_TYPE) {
+-    p_pair_len = p;
++    p_pair_len = p++;
+     pair_len = len + 2;
+-    UINT8_TO_STREAM(p, pair_len);
+-    p_buf->len += 1;
++    size_now += 1;
++    CHECK_SIZE();
++    // this field will be backfilled in the end of this function
+   }
++
+   if (op_code != GATT_RSP_READ_BLOB && op_code != GATT_RSP_READ) {
++    size_now += 2;
++    CHECK_SIZE();
+     UINT16_TO_STREAM(p, handle);
+-    p_buf->len += 2;
+   }
+ 
+   if (op_code == GATT_REQ_PREPARE_WRITE || op_code == GATT_RSP_PREPARE_WRITE) {
++    size_now += 2;
++    CHECK_SIZE();
+     UINT16_TO_STREAM(p, offset);
+-    p_buf->len += 2;
+   }
+ 
+   if (len > 0 && p_data != NULL) {
+     /* ensure data not exceed MTU size */
+-    if (payload_size - p_buf->len < len) {
+-      len = payload_size - p_buf->len;
++    if (payload_size - size_now < len) {
++      len = payload_size - size_now;
+       /* update handle value pair length */
+-      if (op_code == GATT_RSP_READ_BY_TYPE) *p_pair_len = (len + 2);
++      if (op_code == GATT_RSP_READ_BY_TYPE) {
++        pair_len = (len + 2);
++      }
+ 
+       LOG(WARNING) << StringPrintf(
+           "attribute value too long, to be truncated to %d", len);
+     }
+ 
++    size_now += len;
++    CHECK_SIZE();
+     ARRAY_TO_STREAM(p, p_data, len);
+-    p_buf->len += len;
+   }
+ 
++  // backfill pair len field
++  if (op_code == GATT_RSP_READ_BY_TYPE) {
++    if (pair_len > UINT8_MAX) {
++      LOG_ERROR("pair_len greater than %d", UINT8_MAX);
++      osi_free(p_buf);
++      return nullptr;
++    }
++
++    *p_pair_len = (uint8_t)pair_len;
++  }
++
++#undef CHECK_SIZE
++
++  p_buf->len = (uint16_t)size_now;
+   return p_buf;
+ }
+ 

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/385593.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Tue, 9 Jan 2024 22:38:20 +0000
+Subject: [PATCH] Fix a security bypass issue in
+ access_secure_service_from_temp_bond
+
+Backport I48df2c2d77810077e97d4131540277273d441998
+to rvc-dev
+
+Bug: 318374503
+Test: m com.android.btservices | manual test against PoC | QA
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e908c16d9157b9e4a936117f06b8f964cf8386b8)
+Merged-In: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f
+Change-Id: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f
+---
+ stack/btm/btm_sec.cc | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 80f4d3031..1e7913854 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -235,8 +235,7 @@ static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_r
+                                                  bool locally_initiated,
+                                                  uint16_t security_req) {
+   return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
+-    btm_dev_authenticated(p_dev_rec) &&
+-    p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
++         p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
+ }
+ 
+ /*******************************************************************************

Scripts/LineageOS-15.1/Patch.sh

@@ -429,6 +429,10 @@ if enterAndClear "packages/providers/ContactsProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_ContactsProvider/335110.patch"; #P_asb_2022-08 enforce stricter CallLogProvider query
 fi;
 
+if enterAndClear "packages/providers/DownloadProvider"; then
+applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/383567.patch"; #P_asb_2024-02 Consolidate queryChildDocumentsXxx() implementations
+fi;
+
 if enterAndClear "packages/providers/MediaProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/0001-External_Permission.patch"; #Fix permission denial (luca.stefani)
 fi;

Scripts/LineageOS-17.1/Patch.sh

@@ -98,6 +98,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
+sed -i 's/2024-02-05/2024-03-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-03
 fi;
 
 if enterAndClear "build/soong"; then
@@ -160,12 +161,18 @@ if enterAndClear "external/zlib"; then
 git fetch https://github.com/LineageOS/android_external_zlib refs/changes/70/352570/1 && git cherry-pick FETCH_HEAD; #Q_asb_2023-03
 fi;
 
-#if enterAndClear "frameworks/av"; then
-#fi;
+if enterAndClear "frameworks/av"; then
+applyPatch "$DOS_PATCHES/android_frameworks_av/385529.patch"; #R_asb_2024-03 Validate OMX Params for VPx encoders
+applyPatch "$DOS_PATCHES/android_frameworks_av/385530.patch"; #R_asb_2024-03 SoftVideoDecodeOMXComponent: validate OMX params for dynamic HDR
+applyPatch "$DOS_PATCHES/android_frameworks_av/385531.patch"; #R_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue
+fi;
 
 if enterAndClear "frameworks/base"; then
 #applyPatch "$DOS_PATCHES/android_frameworks_base/379145.patch"; #R_asb_2024-01 Dismiss keyguard when simpin auth'd and...
 applyPatch "$DOS_PATCHES/android_frameworks_base/379136.patch"; #R_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
+applyPatch "$DOS_PATCHES/android_frameworks_base/385672.patch"; #P_asb_2024-03 Resolve custom printer icon boundary exploit.
+applyPatch "$DOS_PATCHES/android_frameworks_base/385538.patch"; #R_asb_2024-03 Disallow system apps to be installed/updated as instant.
+applyPatch "$DOS_PATCHES/android_frameworks_base/385539.patch"; #R_asb_2024-03 Close AccountManagerService.session after timeout.
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
@@ -400,6 +407,9 @@ applyPatch "$DOS_PATCHES/android_prebuilts_abi-dumps_vndk/0001-protobuf-avi.patc
 fi;
 
 if enterAndClear "system/bt"; then
+applyPatch "$DOS_PATCHES/android_system_bt/385557.patch"; #R_asb_2024-03 Fix an OOB bug in smp_proc_sec_req
+applyPatch "$DOS_PATCHES/android_system_bt/385558.patch"; #R_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
+applyPatch "$DOS_PATCHES/android_system_bt/385559.patch"; #R_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
 applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
@@ -451,8 +461,11 @@ applyPatch "$DOS_PATCHES/android_tools_apksig/360973-backport-prereq.patch"; #R_
 applyPatch "$DOS_PATCHES/android_tools_apksig/360973-backport.patch"; #R_asb_2023-07 Limit the number of supported v1 and v2 signers
 fi;
 
-#if enterAndClear "vendor/qcom/opensource/commonsys/system/bt/"; then
-#fi;
+if enterAndClear "vendor/qcom/opensource/commonsys/system/bt/"; then
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/385591.patch"; #R_asb_2024-03 Fix an OOB bug in smp_proc_sec_req
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/385592.patch"; #R_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/385593.patch"; #R_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
+fi;
 
 if enterAndClear "vendor/lineage"; then
 rm build/target/product/security/lineage.x509.pem; #Remove Lineage keys