Git-Mirrors
/
DivestOS
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Pull in old cherrypicks + 5 missing patches from syphyr 

This adds 3 expat patches for n-asb-2022-09
from https://github.com/syphyr/android_external_expat/commits/cm-14.1
and also applies 2 of them to 15.1

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2022-09-11 12:25:11 -04:00
parent df3db92d5a
commit 202033c013
No known key found for this signature in database
GPG Key ID: B286E9F57A07424B
89 changed files with 7138 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
Patches/LineageOS-14.1/android_external_expat/337987-backport.patch Normal file
View File

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi <sadafebrahimi@google.com>
Date: Thu, 2 Jun 2022 19:32:22 +0000
Subject: [PATCH] Prevent XML_GetBuffer signed integer overflow
Bug: http://b/221255869
Change-Id: I38758fae8c71184f728f95e6073457cdb86bcc29
(cherry picked from commit d6a09f1b7fb24dd03dc58e45062ad951a37ff8e3)
Merged-In: I38758fae8c71184f728f95e6073457cdb86bcc29
---
lib/xmlparse.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 0655e080..ee4de203 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -1738,6 +1738,11 @@ XML_GetBuffer(XML_Parser parser, int len)
if (keep > XML_CONTEXT_BYTES)
keep = XML_CONTEXT_BYTES;
+ /* Detect and prevent integer overflow */
+ if (keep > INT_MAX - neededSize) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
neededSize += keep;
#endif /* defined XML_CONTEXT_BYTES */
if (neededSize <= bufferLim - buffer) {

54
Patches/LineageOS-14.1/android_external_expat/337988-backport.patch Normal file
View File

@ -0,0 +1,54 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi <sadafebrahimi@google.com>
Date: Fri, 3 Jun 2022 03:40:21 +0000
Subject: [PATCH] Prevent integer overflow in function doProlog
Bug: http://b/221256678
Change-Id: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
(cherry picked from commit 257f1d3777240016d3ccd74a61cd7d0e0efcaae3)
Merged-In: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
---
lib/xmlparse.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index ee4de203..6c8a3a57 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -4667,23 +4667,29 @@ doProlog(XML_Parser parser,
if (dtd->in_eldecl) {
ELEMENT_TYPE *el;
const XML_Char *name;
- int nameLen;
- const char *nxt = (quant == XML_CQUANT_NONE
- ? next
- : next - enc->minBytesPerChar);
+ size_t nameLen;
+ const char *nxt
+ = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
int myindex = nextScaffoldPart(parser);
if (myindex < 0)
return XML_ERROR_NO_MEMORY;
dtd->scaffold[myindex].type = XML_CTYPE_NAME;
dtd->scaffold[myindex].quant = quant;
el = getElementType(parser, enc, s, nxt);
- if (!el)
+ if (! el)
return XML_ERROR_NO_MEMORY;
name = el->name;
dtd->scaffold[myindex].name = name;
nameLen = 0;
- for (; name[nameLen++]; );
- dtd->contentStringLen += nameLen;
+ for (; name[nameLen++];)
+ ;
+
+ /* Detect and prevent integer overflow */
+ if (nameLen > UINT_MAX - dtd->contentStringLen) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
+ dtd->contentStringLen += (unsigned)nameLen;
if (elementDeclHandler)
handleDefault = XML_FALSE;
}

244
Patches/LineageOS-14.1/android_external_expat/337989-backport.patch Normal file
View File

@ -0,0 +1,244 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi <sadafebrahimi@google.com>
Date: Wed, 15 Jun 2022 04:14:33 +0000
Subject: [PATCH] Prevent more integer overflows
Bug: http://b/219942275
Change-Id: I7489f59564e0053a4a46bb8c362f7c36ab0b3c9d
Merged-In: Ic5c8087ee64e6faafcf013cef9536c042eb8a09d
(cherry picked from commit 15a1f35dddde9c1a0a626972349a59642abd345a)
Merged-In: I7489f59564e0053a4a46bb8c362f7c36ab0b3c9d
---
lib/xmlparse.c | 152 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 150 insertions(+), 2 deletions(-)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 6c8a3a57..956c2677 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -2780,18 +2780,54 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
/* get the attributes from the tokenizer */
n = XmlGetAttributes(enc, attStr, attsSize, atts);
+
+ /* Detect and prevent integer overflow */
+ if (n > INT_MAX - nDefaultAtts) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
if (n + nDefaultAtts > attsSize) {
int oldAttsSize = attsSize;
ATTRIBUTE *temp;
#ifdef XML_ATTR_INFO
XML_AttrInfo *temp2;
#endif
+
+ /* Detect and prevent integer overflow */
+ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
+ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
+
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
+ attsSize = oldAttsSize;
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
+
temp = (ATTRIBUTE *)REALLOC((void *)atts, attsSize * sizeof(ATTRIBUTE));
if (temp == NULL)
return XML_ERROR_NO_MEMORY;
atts = temp;
#ifdef XML_ATTR_INFO
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
+ attsSize = oldAttsSize;
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
+
temp2 = (XML_AttrInfo *)REALLOC((void *)attInfo, attsSize * sizeof(XML_AttrInfo));
if (temp2 == NULL)
return XML_ERROR_NO_MEMORY;
@@ -3069,9 +3105,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
tagNamePtr->prefixLen = prefixLen;
for (i = 0; localPart[i++];)
; /* i includes null terminator */
+
+ /* Detect and prevent integer overflow */
+ if (binding->uriLen > INT_MAX - prefixLen
+ || i > INT_MAX - (binding->uriLen + prefixLen)) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
n = i + binding->uriLen + prefixLen;
if (n > binding->uriAlloc) {
TAG *p;
+
+ /* Detect and prevent integer overflow */
+ if (n > INT_MAX - EXPAND_SPARE) {
+ return XML_ERROR_NO_MEMORY;
+ }
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
+
uri = (XML_Char *)MALLOC((n + EXPAND_SPARE) * sizeof(XML_Char));
if (!uri)
return XML_ERROR_NO_MEMORY;
@@ -3172,6 +3230,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
if (freeBindingList) {
b = freeBindingList;
if (len > b->uriAlloc) {
+ /* Detect and prevent integer overflow */
+ if (len > INT_MAX - EXPAND_SPARE) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
+
XML_Char *temp = (XML_Char *)REALLOC(b->uri,
sizeof(XML_Char) * (len + EXPAND_SPARE));
if (temp == NULL)
@@ -3185,6 +3258,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
b = (BINDING *)MALLOC(sizeof(BINDING));
if (!b)
return XML_ERROR_NO_MEMORY;
+
+ /* Detect and prevent integer overflow */
+ if (len > INT_MAX - EXPAND_SPARE) {
+ return XML_ERROR_NO_MEMORY;
+ }
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
+
b->uri = (XML_Char *)MALLOC(sizeof(XML_Char) * (len + EXPAND_SPARE));
if (!b->uri) {
FREE(b);
@@ -5437,7 +5525,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
}
else {
DEFAULT_ATTRIBUTE *temp;
+
+ /* Detect and prevent integer overflow */
+ if (type->allocDefaultAtts > INT_MAX / 2) {
+ return 0;
+ }
+
int count = type->allocDefaultAtts * 2;
+
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
+ return 0;
+ }
+#endif
+
temp = (DEFAULT_ATTRIBUTE *)
REALLOC(type->defaultAtts, (count * sizeof(DEFAULT_ATTRIBUTE)));
if (temp == NULL)
@@ -6066,8 +6171,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize)
/* check for overflow (table is half full) */
if (table->used >> (table->power - 1)) {
unsigned char newPower = table->power + 1;
+
+ /* Detect and prevent invalid shift */
+ if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
+ return NULL;
+ }
+
size_t newSize = (size_t)1 << newPower;
unsigned long newMask = (unsigned long)newSize - 1;
+
+ /* Detect and prevent integer overflow */
+ if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
+ return NULL;
+ }
+
size_t tsize = newSize * sizeof(NAMED *);
NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
if (!newV)
@@ -6358,6 +6475,20 @@ nextScaffoldPart(XML_Parser parser)
if (dtd->scaffCount >= dtd->scaffSize) {
CONTENT_SCAFFOLD *temp;
if (dtd->scaffold) {
+ /* Detect and prevent integer overflow */
+ if (dtd->scaffSize > UINT_MAX / 2u) {
+ return -1;
+ }
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
+ return -1;
+ }
+#endif
+
temp = (CONTENT_SCAFFOLD *)
REALLOC(dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
if (temp == NULL)
@@ -6434,8 +6565,25 @@ build_model (XML_Parser parser)
XML_Content *ret;
XML_Content *cpos;
XML_Char * str;
- int allocsize = (dtd->scaffCount * sizeof(XML_Content)
- + (dtd->contentStringLen * sizeof(XML_Char)));
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
+ return NULL;
+ }
+ if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
+ return NULL;
+ }
+#endif
+ if (dtd->scaffCount * sizeof(XML_Content)
+ > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
+ return NULL;
+ }
+
+ const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
+ + (dtd->contentStringLen * sizeof(XML_Char)));
ret = (XML_Content *)MALLOC(allocsize);
if (!ret)

50
Patches/LineageOS-14.1/android_external_libavc/315711.patch Normal file
View File

@ -0,0 +1,50 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Rakesh Kumar <rakesh.kumar@ittiam.com>
Date: Wed, 28 Apr 2021 23:44:50 +0530
Subject: [PATCH] Decoder: Update check for increment u2_cur_slice_num
Increment u2_cur_slice_num only if current slice had atleast
one MB of memory left.
Test: clusterfuzz generated poc in bug
Bug: b/182152757
Bug: b/179938345
Bug: b/185112718
Change-Id: Ic5eb07e961bccb7fde954bcfd791fd879804e335
(cherry picked from commit a88e0683a420d7ee9aa4b6f41f94cb8dc0c5e040)
---
decoder/ih264d_parse_slice.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/decoder/ih264d_parse_slice.c b/decoder/ih264d_parse_slice.c
index cf2dda9..ffe7f2b 100644
--- a/decoder/ih264d_parse_slice.c
+++ b/decoder/ih264d_parse_slice.c
@@ -1476,17 +1476,20 @@ WORD32 ih264d_parse_decode_slice(UWORD8 u1_is_idr_slice,
i1_is_end_of_poc = 0;
}
- if (ps_dec->u4_first_slice_in_pic == 0)
+ /* Increment only if the current slice has atleast 1 more MB */
+ if (ps_dec->u4_first_slice_in_pic == 0 &&
+ (ps_dec->ps_parse_cur_slice->u4_first_mb_in_slice <
+ (UWORD32)(ps_dec->u2_total_mbs_coded >> ps_dec->ps_cur_slice->u1_mbaff_frame_flag)))
{
ps_dec->ps_parse_cur_slice++;
ps_dec->u2_cur_slice_num++;
+ // in the case of single core increment ps_decode_cur_slice
+ if(ps_dec->u1_separate_parse == 0)
+ {
+ ps_dec->ps_decode_cur_slice++;
+ }
}
- // in the case of single core increment ps_decode_cur_slice
- if((ps_dec->u1_separate_parse == 0) && (ps_dec->u4_first_slice_in_pic == 0))
- {
- ps_dec->ps_decode_cur_slice++;
- }
ps_dec->u1_slice_header_done = 0;

77
Patches/LineageOS-14.1/android_external_libavc/323462.patch Normal file
View File

@ -0,0 +1,77 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar <harish.mahendrakar@ittiam.com>
Date: Tue, 5 Oct 2021 15:35:31 -0700
Subject: [PATCH] Move slice increments after completing header parsing
Slice increments are now done after completing header parse.
Earlier this was done before validating mmco related parameters
and calculating poc. In case there were errors that were detected
at this stage, slice increments were incorrect.
Bug: 199536974
Bug: 199733300
Bug: 205702093
Bug: oss-fuzz#38387
Bug: oss-fuzz#38482
Bug: oss-fuzz#40851
Test: ossfuzz generated poc in bug
Change-Id: I8569e9369e4ab6f6c69c81b937f111c299b7a134
(cherry picked from commit cd0385dc074c6ba119dffbcd3df669a9b9ca1790)
(cherry picked from commit dc110841d6a3fb2f9c9f1af04b3b71da40fbd392)
Merged-In:I8569e9369e4ab6f6c69c81b937f111c299b7a134
---
decoder/ih264d_parse_slice.c | 33 ++++++++++++++++-----------------
1 file changed, 16 insertions(+), 17 deletions(-)
diff --git a/decoder/ih264d_parse_slice.c b/decoder/ih264d_parse_slice.c
index ffe7f2b..43025e5 100644
--- a/decoder/ih264d_parse_slice.c
+++ b/decoder/ih264d_parse_slice.c
@@ -1476,23 +1476,6 @@ WORD32 ih264d_parse_decode_slice(UWORD8 u1_is_idr_slice,
i1_is_end_of_poc = 0;
}
- /* Increment only if the current slice has atleast 1 more MB */
- if (ps_dec->u4_first_slice_in_pic == 0 &&
- (ps_dec->ps_parse_cur_slice->u4_first_mb_in_slice <
- (UWORD32)(ps_dec->u2_total_mbs_coded >> ps_dec->ps_cur_slice->u1_mbaff_frame_flag)))
- {
- ps_dec->ps_parse_cur_slice++;
- ps_dec->u2_cur_slice_num++;
- // in the case of single core increment ps_decode_cur_slice
- if(ps_dec->u1_separate_parse == 0)
- {
- ps_dec->ps_decode_cur_slice++;
- }
- }
-
- ps_dec->u1_slice_header_done = 0;
-
-
if(u1_field_pic_flag)
{
ps_dec->u2_prv_frame_num = u2_frame_num;
@@ -1546,6 +1529,22 @@ WORD32 ih264d_parse_decode_slice(UWORD8 u1_is_idr_slice,
}
}
+ /* Increment only if the current slice has atleast 1 more MB */
+ if (ps_dec->u4_first_slice_in_pic == 0 &&
+ (ps_dec->ps_parse_cur_slice->u4_first_mb_in_slice <
+ (UWORD32)(ps_dec->u2_total_mbs_coded >> ps_dec->ps_cur_slice->u1_mbaff_frame_flag)))
+ {
+ ps_dec->ps_parse_cur_slice++;
+ ps_dec->u2_cur_slice_num++;
+ // in the case of single core increment ps_decode_cur_slice
+ if(ps_dec->u1_separate_parse == 0)
+ {
+ ps_dec->ps_decode_cur_slice++;
+ }
+ }
+
+ ps_dec->u1_slice_header_done = 0;
+
/*--------------------------------------------------------------------*/
/* Copy the values read from the bitstream to the slice header and then*/
/* If the slice is first slice in picture, then do Start of Picture */

305
Patches/LineageOS-14.1/android_external_libexif/323459.patch Normal file
View File

@ -0,0 +1,305 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jayant Chowdhary <jchowdhary@google.com>
Date: Tue, 24 Aug 2021 18:04:56 +0000
Subject: [PATCH] Fix MakerNote tag size overflow issues at read time.
This is a cherry-pick of
https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1
for CVE-2020-13112
Bug: 194342672
Test: sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases
--test android.security.sts.CVE_2020_13112#testPocBug_194342672
Change-Id: Ibdf388bc768213833f8fef9740b3527d46a14a2a
Merged-In: Id106e79e829329145d27a93273241b58878bfac3
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
(cherry picked from commit fd5f7bab830858e57a2baf9d4dd47e5820337b56)
Merged-In:Ibdf388bc768213833f8fef9740b3527d46a14a2a
---
libexif/canon/exif-mnote-data-canon.c | 20 ++++++++++++++---
libexif/fuji/exif-mnote-data-fuji.c | 22 +++++++++++++-----
libexif/olympus/exif-mnote-data-olympus.c | 27 ++++++++++++++++++-----
libexif/pentax/exif-mnote-data-pentax.c | 19 ++++++++++++----
4 files changed, 69 insertions(+), 19 deletions(-)
diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
index acf88ab..4396c53 100644
--- a/libexif/canon/exif-mnote-data-canon.c
+++ b/libexif/canon/exif-mnote-data-canon.c
@@ -32,6 +32,8 @@
#define DEBUG
+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
+
static void
exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
{
@@ -209,7 +211,8 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
return;
}
datao = 6 + n->offset;
- if ((datao + 2 < datao) || (datao + 2 < 2) || (datao + 2 > buf_size)) {
+
+ if (CHECKOVERFLOW(datao, buf_size, 2)) {
exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteCanon", "Short MakerNote");
return;
@@ -233,7 +236,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
tcount = 0;
for (i = c, o = datao; i; --i, o += 12) {
size_t s;
- if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
+ if (CHECKOVERFLOW(o,buf_size,12)) {
exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteCanon", "Short MakerNote");
break;
@@ -248,6 +251,16 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
"Loading entry 0x%x ('%s')...", n->entries[tcount].tag,
mnote_canon_tag_get_name (n->entries[tcount].tag));
+ /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection,
+ * we will check the buffer sizes closer later. */
+ if ( exif_format_get_size (n->entries[tcount].format) &&
+ buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components
+ ) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components);
+ continue;
+ }
+
/*
* Size? If bigger than 4 bytes, the actual data is not
* in the entry but somewhere else (offset).
@@ -264,7 +277,8 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
} else {
size_t dataofs = o + 8;
if (s > 4) dataofs = exif_get_long (buf + dataofs, n->order) + 6;
- if ((dataofs + s < s) || (dataofs + s < dataofs) || (dataofs + s > buf_size)) {
+
+ if (CHECKOVERFLOW(dataofs, buf_size, s)) {
exif_log (ne->log, EXIF_LOG_CODE_DEBUG,
"ExifMnoteCanon",
"Tag data past end of buffer (%zu > %u)",
diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c
index a9949e1..11ff8c3 100644
--- a/libexif/fuji/exif-mnote-data-fuji.c
+++ b/libexif/fuji/exif-mnote-data-fuji.c
@@ -28,6 +28,8 @@
#include "exif-mnote-data-fuji.h"
+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
+
struct _MNoteFujiDataPrivate {
ExifByteOrder order;
};
@@ -162,7 +164,7 @@ exif_mnote_data_fuji_load (ExifMnoteData *en,
return;
}
datao = 6 + n->offset;
- if ((datao + 12 < datao) || (datao + 12 < 12) || (datao + 12 > buf_size)) {
+ if (CHECKOVERFLOW(datao, buf_size, 12)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteDataFuji", "Short MakerNote");
return;
@@ -170,8 +172,7 @@ exif_mnote_data_fuji_load (ExifMnoteData *en,
n->order = EXIF_BYTE_ORDER_INTEL;
datao += exif_get_long (buf + datao + 8, EXIF_BYTE_ORDER_INTEL);
- if ((datao + 2 < datao) || (datao + 2 < 2) ||
- (datao + 2 > buf_size)) {
+ if (CHECKOVERFLOW(datao, buf_size, 2)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteDataFuji", "Short MakerNote");
return;
@@ -195,7 +196,7 @@ exif_mnote_data_fuji_load (ExifMnoteData *en,
tcount = 0;
for (i = c, o = datao; i; --i, o += 12) {
size_t s;
- if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
+ if (CHECKOVERFLOW(o, buf_size, 12)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteDataFuji", "Short MakerNote");
break;
@@ -210,6 +211,16 @@ exif_mnote_data_fuji_load (ExifMnoteData *en,
"Loading entry 0x%x ('%s')...", n->entries[tcount].tag,
mnote_fuji_tag_get_name (n->entries[tcount].tag));
+ /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection,
+ * we will check the buffer sizes closer later. */
+ if ( exif_format_get_size (n->entries[tcount].format) &&
+ buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components
+ ) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataFuji", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components);
+ continue;
+ }
+
/*
* Size? If bigger than 4 bytes, the actual data is not
* in the entry but somewhere else (offset).
@@ -221,8 +232,7 @@ exif_mnote_data_fuji_load (ExifMnoteData *en,
if (s > 4)
/* The data in this case is merely a pointer */
dataofs = exif_get_long (buf + dataofs, n->order) + 6 + n->offset;
- if ((dataofs + s < dataofs) || (dataofs + s < s) ||
- (dataofs + s >= buf_size)) {
+ if (CHECKOVERFLOW(dataofs, buf_size, s)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteDataFuji", "Tag data past end of "
"buffer (%zu >= %u)", dataofs + s, buf_size);
diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
index f4ccbb0..e7bf984 100644
--- a/libexif/olympus/exif-mnote-data-olympus.c
+++ b/libexif/olympus/exif-mnote-data-olympus.c
@@ -37,6 +37,8 @@
*/
/*#define EXIF_OVERCOME_SANYO_OFFSET_BUG */
+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
+
static enum OlympusVersion
exif_mnote_data_olympus_identify_variant (const unsigned char *buf,
unsigned int buf_size);
@@ -247,7 +249,8 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
return;
}
o2 = 6 + n->offset; /* Start of interesting data */
- if ((o2 + 10 < o2) || (o2 + 10 < 10) || (o2 + 10 > buf_size)) {
+
+ if (CHECKOVERFLOW(o2,buf_size,10)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteDataOlympus", "Short MakerNote");
return;
@@ -303,6 +306,8 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
/* Olympus S760, S770 */
datao = o2;
o2 += 8;
+
+ if (CHECKOVERFLOW(o2,buf_size,4)) return;
exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
"Parsing Olympus maker note v2 (0x%02x, %02x, %02x, %02x)...",
buf[o2], buf[o2 + 1], buf[o2 + 2], buf[o2 + 3]);
@@ -347,6 +352,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
case nikonV2:
o2 += 6;
if (o2 >= buf_size) return;
+ if (CHECKOVERFLOW(o2,buf_size,12)) return;
exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
"Parsing Nikon maker note v2 (0x%02x, %02x, %02x, "
"%02x, %02x, %02x, %02x, %02x)...",
@@ -406,7 +412,8 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
}
/* Sanity check the offset */
- if ((o2 + 2 < o2) || (o2 + 2 < 2) || (o2 + 2 > buf_size)) {
+
+ if (CHECKOVERFLOW(o2,buf_size,2)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteOlympus", "Short MakerNote");
return;
@@ -430,7 +437,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
tcount = 0;
for (i = c, o = o2; i; --i, o += 12) {
size_t s;
- if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
+ if (CHECKOVERFLOW(o, buf_size, 12)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteOlympus", "Short MakerNote");
break;
@@ -451,6 +458,15 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
n->entries[tcount].components,
(int)exif_format_get_size(n->entries[tcount].format)); */
+ /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection,
+ * we will check the buffer sizes closer later. */
+ if (exif_format_get_size (n->entries[tcount].format) &&
+ buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components
+ ) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components);
+ continue;
+ }
+
/*
* Size? If bigger than 4 bytes, the actual data is not
* in the entry but somewhere else (offset).
@@ -469,7 +485,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
* tag in its MakerNote. The offset is actually the absolute
* position in the file instead of the position within the IFD.
*/
- if (dataofs + s > buf_size && n->version == sanyoV1) {
+ if (dataofs > (buf_size - s) && n->version == sanyoV1) {
/* fix pointer */
dataofs -= datao + 6;
exif_log (en->log, EXIF_LOG_CODE_DEBUG,
@@ -478,8 +494,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
}
#endif
}
- if ((dataofs + s < dataofs) || (dataofs + s < s) ||
- (dataofs + s > buf_size)) {
+ if (CHECKOVERFLOW(dataofs, buf_size, s)) {
exif_log (en->log, EXIF_LOG_CODE_DEBUG,
"ExifMnoteOlympus",
"Tag data past end of buffer (%zu > %u)",
diff --git a/libexif/pentax/exif-mnote-data-pentax.c b/libexif/pentax/exif-mnote-data-pentax.c
index 38fbf64..f9eb69c 100644
--- a/libexif/pentax/exif-mnote-data-pentax.c
+++ b/libexif/pentax/exif-mnote-data-pentax.c
@@ -28,6 +28,8 @@
#include <libexif/exif-byte-order.h>
#include <libexif/exif-utils.h>
+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
+
static void
exif_mnote_data_pentax_clear (ExifMnoteDataPentax *n)
{
@@ -224,7 +226,7 @@ exif_mnote_data_pentax_load (ExifMnoteData *en,
return;
}
datao = 6 + n->offset;
- if ((datao + 8 < datao) || (datao + 8 < 8) || (datao + 8 > buf_size)) {
+ if (CHECKOVERFLOW(datao, buf_size, 8)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteDataPentax", "Short MakerNote");
return;
@@ -277,7 +279,7 @@ exif_mnote_data_pentax_load (ExifMnoteData *en,
tcount = 0;
for (i = c, o = datao; i; --i, o += 12) {
size_t s;
- if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
+ if (CHECKOVERFLOW(o,buf_size,12)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteDataPentax", "Short MakerNote");
break;
@@ -292,6 +294,16 @@ exif_mnote_data_pentax_load (ExifMnoteData *en,
"Loading entry 0x%x ('%s')...", n->entries[tcount].tag,
mnote_pentax_tag_get_name (n->entries[tcount].tag));
+ /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection,
+ * we will check the buffer sizes closer later. */
+ if ( exif_format_get_size (n->entries[tcount].format) &&
+ buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components
+ ) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataPentax", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components);
+ break;
+ }
+
/*
* Size? If bigger than 4 bytes, the actual data is not
* in the entry but somewhere else (offset).
@@ -304,8 +316,7 @@ exif_mnote_data_pentax_load (ExifMnoteData *en,
if (s > 4)
/* The data in this case is merely a pointer */
dataofs = exif_get_long (buf + dataofs, n->order) + 6;
- if ((dataofs + s < dataofs) || (dataofs + s < s) ||
- (dataofs + s > buf_size)) {
+ if (CHECKOVERFLOW(dataofs, buf_size, s)) {
exif_log (en->log, EXIF_LOG_CODE_DEBUG,
"ExifMnoteDataPentax", "Tag data past end "
"of buffer (%zu > %u)", dataofs + s, buf_size);

77
Patches/LineageOS-14.1/android_external_libexif/323460.patch Normal file
View File

@ -0,0 +1,77 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jayant Chowdhary <jchowdhary@google.com>
Date: Mon, 30 Aug 2021 22:12:01 +0000
Subject: [PATCH] Ensure MakeNote data pointers are initialized with NULL.
This is a cherry-pick of
https://github.com/libexif/libexif/commit/ec412aa4583ad71ecabb967d3c77162760169d1f
Bug: 196085005
Test: sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases
--test android.security.sts.CVE_2020_13113#testPocBug_196085005
Change-Id: Iaed1a1161e4c026bee24337a0ef5f34d2efdb3cf
Merged-In: Id106e79e829329145d27a93273241b58878bfac3
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
(cherry picked from commit 4ceb535b530fd8d0504c9df65c99045a71e12232)
Merged-In:Iaed1a1161e4c026bee24337a0ef5f34d2efdb3cf
---
libexif/canon/exif-mnote-data-canon.c | 2 ++
libexif/fuji/exif-mnote-data-fuji.c | 2 ++
libexif/olympus/exif-mnote-data-olympus.c | 2 ++
libexif/pentax/exif-mnote-data-pentax.c | 2 ++
4 files changed, 8 insertions(+)
diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
index 4396c53..6d97930 100644
--- a/libexif/canon/exif-mnote-data-canon.c
+++ b/libexif/canon/exif-mnote-data-canon.c
@@ -236,6 +236,8 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
tcount = 0;
for (i = c, o = datao; i; --i, o += 12) {
size_t s;
+
+ memset(&n->entries[tcount], 0, sizeof(MnoteCanonEntry));
if (CHECKOVERFLOW(o,buf_size,12)) {
exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteCanon", "Short MakerNote");
diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c
index 11ff8c3..3f3091b 100644
--- a/libexif/fuji/exif-mnote-data-fuji.c
+++ b/libexif/fuji/exif-mnote-data-fuji.c
@@ -196,6 +196,8 @@ exif_mnote_data_fuji_load (ExifMnoteData *en,
tcount = 0;
for (i = c, o = datao; i; --i, o += 12) {
size_t s;
+
+ memset(&n->entries[tcount], 0, sizeof(MnoteFujiEntry));
if (CHECKOVERFLOW(o, buf_size, 12)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteDataFuji", "Short MakerNote");
diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
index e7bf984..493463b 100644
--- a/libexif/olympus/exif-mnote-data-olympus.c
+++ b/libexif/olympus/exif-mnote-data-olympus.c
@@ -437,6 +437,8 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
tcount = 0;
for (i = c, o = o2; i; --i, o += 12) {
size_t s;
+
+ memset(&n->entries[tcount], 0, sizeof(MnoteOlympusEntry));
if (CHECKOVERFLOW(o, buf_size, 12)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteOlympus", "Short MakerNote");
diff --git a/libexif/pentax/exif-mnote-data-pentax.c b/libexif/pentax/exif-mnote-data-pentax.c
index f9eb69c..b4722d6 100644
--- a/libexif/pentax/exif-mnote-data-pentax.c
+++ b/libexif/pentax/exif-mnote-data-pentax.c
@@ -279,6 +279,8 @@ exif_mnote_data_pentax_load (ExifMnoteData *en,
tcount = 0;
for (i = c, o = datao; i; --i, o += 12) {
size_t s;
+
+ memset(&n->entries[tcount], 0, sizeof(MnotePentaxEntry));
if (CHECKOVERFLOW(o,buf_size,12)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteDataPentax", "Short MakerNote");

80
Patches/LineageOS-14.1/android_external_libexif/323461.patch Normal file
View File

@ -0,0 +1,80 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jayant Chowdhary <jchowdhary@google.com>
Date: Fri, 12 Nov 2021 18:22:59 +0000
Subject: [PATCH] Zero initialize ExifMnoteData<vendor> during construction
with exif_mnote_data_<vendor>_new.
This is in order to not have an uninitialized 'mem' pointer in parent
ExifMnoteData after construction, when a non default ExifMem is used.
Bug: 205915333
Bug: 196085005
Test: create exif_mnote_data_<vendor>_new with non default exif mem using
malloc debug; use exif_mem pointer from previously created
ExifMnoteData, client app doesn't crash.
Change-Id: I35a393cdfb03755109aaa8f725b0792aef359dc6
Merged-In: Id106e79e829329145d27a93273241b58878bfac3
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
(cherry picked from commit c9da78d8d9f302c767b366ef256e24fa32f8784f)
Merged-In:I35a393cdfb03755109aaa8f725b0792aef359dc6
---
libexif/canon/exif-mnote-data-canon.c | 2 ++
libexif/fuji/exif-mnote-data-fuji.c | 2 ++
libexif/olympus/exif-mnote-data-olympus.c | 2 ++
libexif/pentax/exif-mnote-data-pentax.c | 2 ++
4 files changed, 8 insertions(+)
diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
index 6d97930..3a0778c 100644
--- a/libexif/canon/exif-mnote-data-canon.c
+++ b/libexif/canon/exif-mnote-data-canon.c
@@ -384,6 +384,8 @@ exif_mnote_data_canon_new (ExifMem *mem, ExifDataOption o)
if (!d)
return NULL;
+ memset(d, 0, sizeof(ExifMnoteDataCanon));
+
exif_mnote_data_construct (d, mem);
/* Set up function pointers */
diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c
index 3f3091b..ce70bb6 100644
--- a/libexif/fuji/exif-mnote-data-fuji.c
+++ b/libexif/fuji/exif-mnote-data-fuji.c
@@ -342,6 +342,8 @@ exif_mnote_data_fuji_new (ExifMem *mem)
d = exif_mem_alloc (mem, sizeof (ExifMnoteDataFuji));
if (!d) return NULL;
+ memset(d, 0, sizeof(ExifMnoteDataFuji));
+
exif_mnote_data_construct (d, mem);
/* Set up function pointers */
diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
index 493463b..f11616c 100644
--- a/libexif/olympus/exif-mnote-data-olympus.c
+++ b/libexif/olympus/exif-mnote-data-olympus.c
@@ -657,6 +657,8 @@ exif_mnote_data_olympus_new (ExifMem *mem)
d = exif_mem_alloc (mem, sizeof (ExifMnoteDataOlympus));
if (!d) return NULL;
+ memset(d, 0, sizeof(ExifMnoteDataOlympus));
+
exif_mnote_data_construct (d, mem);
/* Set up function pointers */
diff --git a/libexif/pentax/exif-mnote-data-pentax.c b/libexif/pentax/exif-mnote-data-pentax.c
index b4722d6..3676563 100644
--- a/libexif/pentax/exif-mnote-data-pentax.c
+++ b/libexif/pentax/exif-mnote-data-pentax.c
@@ -443,6 +443,8 @@ exif_mnote_data_pentax_new (ExifMem *mem)
d = exif_mem_alloc (mem, sizeof (ExifMnoteDataPentax));
if (!d) return NULL;
+ memset(d, 0, sizeof(ExifMnoteDataPentax));
+
exif_mnote_data_construct (d, mem);
/* Set up function pointers */

203
Patches/LineageOS-14.1/android_external_libnfc-nci/317037.patch Normal file
View File

@ -0,0 +1,203 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Wed, 25 Aug 2021 17:33:04 -0700
Subject: [PATCH] Type confusion due to race condition on tag type change
Pending timers need to be canceled before a tag type is changed.
Bug: 192472262
Test: build ok
Merged-In: Icd4b5a1615dac4548c6343344e17d7f087c7c057
Merged-In: Iebfcaf9d269381ef2ba14a26e6124f173d2299ec
Merged-In: I93c36bf0f6b92e33a5d03d7420251f5bcf112d66
Change-Id: Ied6cb8c73f4ed60e847b94c18cebad87f7c37463
(cherry picked from commit c46f6bae6eead08db2cf8802597d6a79abecd61d)
---
src/nfa/rw/nfa_rw_main.c | 47 ++++++++++++++++++++++++++++++++++++++++
src/nfc/int/rw_int.h | 10 +++++++++
src/nfc/tags/rw_main.c | 35 ++++++++++++++++++++++++++++++
3 files changed, 92 insertions(+)
diff --git a/src/nfa/rw/nfa_rw_main.c b/src/nfa/rw/nfa_rw_main.c
index 2176c08..800eb06 100644
--- a/src/nfa/rw/nfa_rw_main.c
+++ b/src/nfa/rw/nfa_rw_main.c
@@ -28,6 +28,7 @@
#include "nfa_rw_int.h"
#include "nfa_dm_int.h"
#include "nfa_sys_int.h"
+#include "rw_int.h"
/* NFA_RW control block */
tNFA_RW_CB nfa_rw_cb;
@@ -93,6 +94,52 @@ void nfa_rw_init (void)
*******************************************************************************/
void nfa_rw_sys_disable (void)
{
+ tRW_T1T_CB* p_t1t;
+ tRW_T2T_CB* p_t2t;
+ tRW_T3T_CB* p_t3t;
+ tRW_T4T_CB* p_t4t;
+ tRW_I93_CB* p_i93;
+
+ switch (rw_cb.tcb_type) {
+ case RW_CB_TYPE_T1T:
+ p_t1t = &rw_cb.tcb.t1t;
+ if (p_t1t->p_cur_cmd_buf != NULL) {
+ GKI_freebuf(p_t1t->p_cur_cmd_buf);
+ p_t1t->p_cur_cmd_buf = NULL;
+ }
+ break;
+ case RW_CB_TYPE_T2T:
+ p_t2t = &rw_cb.tcb.t2t;
+ if (p_t2t->p_cur_cmd_buf != NULL) {
+ GKI_freebuf(p_t2t->p_cur_cmd_buf);
+ p_t2t->p_cur_cmd_buf = NULL;
+ }
+ if (p_t2t->p_sec_cmd_buf != NULL) {
+ GKI_freebuf(p_t2t->p_sec_cmd_buf);
+ p_t2t->p_sec_cmd_buf = NULL;
+ }
+ break;
+ case RW_CB_TYPE_T3T:
+ p_t3t = &rw_cb.tcb.t3t;
+ if (p_t3t->p_cur_cmd_buf != NULL) {
+ GKI_freebuf(p_t3t->p_cur_cmd_buf);
+ p_t3t->p_cur_cmd_buf = NULL;
+ }
+ break;
+ case RW_CB_TYPE_T4T: /* do nothing */
+ p_t4t = &rw_cb.tcb.t4t;
+ break;
+ case RW_CB_TYPE_T5T:
+ p_i93 = &rw_cb.tcb.i93;
+ if (p_i93->p_retry_cmd != NULL) {
+ GKI_freebuf(p_i93->p_retry_cmd);
+ p_i93->p_retry_cmd = NULL;
+ }
+ break;
+ default: /* do nothing */
+ break;
+ }
+
/* Return to idle */
NFC_SetStaticRfCback (NULL);
diff --git a/src/nfc/int/rw_int.h b/src/nfc/int/rw_int.h
index ef07b47..013dcab 100644
--- a/src/nfc/int/rw_int.h
+++ b/src/nfc/int/rw_int.h
@@ -570,9 +570,19 @@ typedef union
tRW_I93_CB i93;
} tRW_TCB;
+/* RW callback type */
+#define RW_CB_TYPE_UNKNOWN 0
+#define RW_CB_TYPE_T1T 1
+#define RW_CB_TYPE_T2T 2
+#define RW_CB_TYPE_T3T 3
+#define RW_CB_TYPE_T4T 4
+#define RW_CB_TYPE_T5T 5
+typedef uint8_t tRW_CB_TYPE;
+
/* RW control blocks */
typedef struct
{
+ tRW_CB_TYPE tcb_type;
tRW_TCB tcb;
tRW_CBACK *p_cback;
UINT32 cur_retry; /* Retry count for the current operation */
diff --git a/src/nfc/tags/rw_main.c b/src/nfc/tags/rw_main.c
index d9fe097..b1dcd34 100644
--- a/src/nfc/tags/rw_main.c
+++ b/src/nfc/tags/rw_main.c
@@ -30,6 +30,7 @@
#if (NFC_INCLUDED == TRUE)
#include "nfc_api.h"
+#include "nfc_int.h"
#include "nci_hmsgs.h"
#include "rw_api.h"
#include "rw_int.h"
@@ -218,6 +219,34 @@ tNFC_STATUS RW_SetActivatedTagType (tNFC_ACTIVATE_DEVT *p_activate_params, tRW_C
return (NFC_STATUS_FAILED);
}
+ switch (rw_cb.tcb_type) {
+ case RW_CB_TYPE_T1T: {
+ nfc_stop_quick_timer(&rw_cb.tcb.t1t.timer);
+ break;
+ }
+ case RW_CB_TYPE_T2T: {
+ nfc_stop_quick_timer(&rw_cb.tcb.t2t.t2_timer);
+ break;
+ }
+ case RW_CB_TYPE_T3T: {
+ nfc_stop_quick_timer(&rw_cb.tcb.t3t.timer);
+ nfc_stop_quick_timer(&rw_cb.tcb.t3t.poll_timer);
+ break;
+ }
+ case RW_CB_TYPE_T4T: {
+ nfc_stop_quick_timer(&rw_cb.tcb.t4t.timer);
+ break;
+ }
+ case RW_CB_TYPE_T5T: {
+ nfc_stop_quick_timer(&rw_cb.tcb.i93.timer);
+ break;
+ }
+ case RW_CB_TYPE_UNKNOWN: {
+ break;
+ }
+ }
+
+
/* Reset tag-specific area of control block */
memset (&rw_cb.tcb, 0, sizeof (tRW_TCB));
@@ -233,6 +262,7 @@ tNFC_STATUS RW_SetActivatedTagType (tNFC_ACTIVATE_DEVT *p_activate_params, tRW_C
/* Type1Tag - NFC-A */
if (p_activate_params->rf_tech_param.mode == NFC_DISCOVERY_TYPE_POLL_A)
{
+ rw_cb.tcb_type = RW_CB_TYPE_T1T;
status = rw_t1t_select (p_activate_params->rf_tech_param.param.pa.hr,
p_activate_params->rf_tech_param.param.pa.nfcid1);
}
@@ -242,6 +272,7 @@ tNFC_STATUS RW_SetActivatedTagType (tNFC_ACTIVATE_DEVT *p_activate_params, tRW_C
/* Type2Tag - NFC-A */
if (p_activate_params->rf_tech_param.mode == NFC_DISCOVERY_TYPE_POLL_A)
{
+ rw_cb.tcb_type = RW_CB_TYPE_T2T;
if (p_activate_params->rf_tech_param.param.pa.sel_rsp == NFC_SEL_RES_NFC_FORUM_T2T)
status = rw_t2t_select ();
}
@@ -251,6 +282,7 @@ tNFC_STATUS RW_SetActivatedTagType (tNFC_ACTIVATE_DEVT *p_activate_params, tRW_C
/* Type3Tag - NFC-F */
if (p_activate_params->rf_tech_param.mode == NFC_DISCOVERY_TYPE_POLL_F)
{
+ rw_cb.tcb_type = RW_CB_TYPE_T3T;
status = rw_t3t_select (p_activate_params->rf_tech_param.param.pf.nfcid2,
p_activate_params->rf_tech_param.param.pf.mrti_check,
p_activate_params->rf_tech_param.param.pf.mrti_update);
@@ -262,6 +294,7 @@ tNFC_STATUS RW_SetActivatedTagType (tNFC_ACTIVATE_DEVT *p_activate_params, tRW_C
if ( (p_activate_params->rf_tech_param.mode == NFC_DISCOVERY_TYPE_POLL_B)
||(p_activate_params->rf_tech_param.mode == NFC_DISCOVERY_TYPE_POLL_A) )
{
+ rw_cb.tcb_type = RW_CB_TYPE_T4T;
status = rw_t4t_select ();
}
}
@@ -270,12 +303,14 @@ tNFC_STATUS RW_SetActivatedTagType (tNFC_ACTIVATE_DEVT *p_activate_params, tRW_C
/* ISO 15693 */
if (p_activate_params->rf_tech_param.mode == NFC_DISCOVERY_TYPE_POLL_ISO15693)
{
+ rw_cb.tcb_type = RW_CB_TYPE_T5T;
status = rw_i93_select (p_activate_params->rf_tech_param.param.pi93.uid);
}
}
/* TODO set up callback for proprietary protocol */
else
{
+ rw_cb.tcb_type = RW_CB_TYPE_UNKNOWN;
RW_TRACE_ERROR0 ("RW_SetActivatedTagType Invalid protocol");
}

40
Patches/LineageOS-14.1/android_external_libnfc-nci/318515.patch Normal file
View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Tue, 4 May 2021 17:46:57 -0700
Subject: [PATCH] OOBW in phNxpNciHal_process_ext_rsp
Bug: 181584626
Bug: 181660091
Bug: 181660093
Test: build ok
Change-Id: I05959cc1bbba12aab896fd93684ce163217e599d
(cherry picked from commit 528b21d3443efd763313a446624ea985f3d46722)
---
halimpl/pn54x/hal/phNxpNciHal_ext.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/halimpl/pn54x/hal/phNxpNciHal_ext.c b/halimpl/pn54x/hal/phNxpNciHal_ext.c
index b7c3159..bb667e9 100644
--- a/halimpl/pn54x/hal/phNxpNciHal_ext.c
+++ b/halimpl/pn54x/hal/phNxpNciHal_ext.c
@@ -323,6 +323,11 @@ NFCSTATUS phNxpNciHal_process_ext_rsp (uint8_t *p_ntf, uint16_t *p_len)
{
icode_send_eof = 0;
}
+ if (*p_len <= (p_ntf[2] + 2)) {
+ android_errorWriteLog(0x534e4554, "181660091");
+ NXPLOG_NCIHAL_E("length error!");
+ return NFCSTATUS_FAILED;
+ }
if (p_ntf[p_ntf[2]+ 2] == 0x00)
{
NXPLOG_NCIHAL_D ("> Going through workaround - data of ISO 15693");
@@ -352,7 +357,7 @@ NFCSTATUS phNxpNciHal_process_ext_rsp (uint8_t *p_ntf, uint16_t *p_len)
p_ntf[2] == 0x01 &&
p_ntf[3] == 0x06 )
{
- NXPLOG_NCIHAL_D ("> Deinit workaround for LLCP set_config 0x%x 0x%x 0x%x", p_ntf[21], p_ntf[22], p_ntf[23]);
+ /* NXPLOG_NCIHAL_D ("> Deinit workaround for LLCP set_config 0x%x 0x%x 0x%x", p_ntf[21], p_ntf[22], p_ntf[23]); */
p_ntf[0] = 0x40;
p_ntf[1] = 0x02;
p_ntf[2] = 0x02;

40
Patches/LineageOS-14.1/android_external_libnfc-nci/332458.patch Normal file
View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Thu, 17 Mar 2022 15:39:20 -0700
Subject: [PATCH] Out of Bounds Read in nfa_dm_check_set_config
Bug: 221216105
Test: build ok
Change-Id: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229
(cherry picked from commit 88c5c267e889699c71412022e3fcb03d20100e99)
Merged-In: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229
---
src/nfa/dm/nfa_dm_main.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/nfa/dm/nfa_dm_main.c b/src/nfa/dm/nfa_dm_main.c
index e146009..3f21261 100644
--- a/src/nfa/dm/nfa_dm_main.c
+++ b/src/nfa/dm/nfa_dm_main.c
@@ -28,6 +28,7 @@
#include "nfa_sys.h"
#include "nfa_dm_int.h"
#include "nfa_sys_int.h"
+#include <log/log.h>
/*****************************************************************************
@@ -247,6 +248,13 @@ tNFA_STATUS nfa_dm_check_set_config (UINT8 tlv_list_len, UINT8 *p_tlv_list, BOOL
len = *(p_tlv_list + xx + 1);
p_value = p_tlv_list + xx + 2;
p_cur_len = NULL;
+ if (len > (tlv_list_len - xx - 2))
+ {
+ NFA_TRACE_ERROR2 ("error: invalid TLV length: t:0x%x, l:%d",
+ type, len);
+ android_errorWriteLog(0x534e4554, "221216105");
+ return NFA_STATUS_FAILED;
+ }
switch (type)
{

31
Patches/LineageOS-14.1/android_external_libnfc-nci/332459.patch Normal file
View File

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Mon, 21 Mar 2022 19:31:28 -0700
Subject: [PATCH] OOBR in nfc_ncif_proc_ee_discover_req()
Bug: 221856662
Test: build ok
Change-Id: If4b4872e4101fc65172596b4f7579b259b6f6b63
(cherry picked from commit 1c6ab25b3d76c2ced764dc649bec6cf05aecd198)
Merged-In: If4b4872e4101fc65172596b4f7579b259b6f6b63
---
src/nfc/nfc/nfc_ncif.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index 95de9d1..dd89d46 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c
@@ -1136,6 +1136,12 @@ void nfc_ncif_proc_ee_discover_req (UINT8 *p, UINT16 plen)
UINT8 u8;
NFC_TRACE_DEBUG2 ("nfc_ncif_proc_ee_discover_req %d len:%d", *p, plen);
+ if (!plen)
+ {
+ android_errorWriteLog(0x534e4554, "221856662");
+ return;
+ }
+
if (p_cback)
{
u8 = *p;

26
Patches/LineageOS-14.1/android_external_libnfc-nci/332460.patch Normal file
View File

@ -0,0 +1,26 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Tue, 8 Mar 2022 17:27:34 -0800
Subject: [PATCH] Double Free in ce_t4t_data_cback
Bug: 221862119
Test: build ok
Change-Id: If12f98033b8c1bc1b57b27d338fa33b6a3cce640
(cherry picked from commit 2fcf7d677bcebae5a00db43938460bcce267149e)
Merged-In: If12f98033b8c1bc1b57b27d338fa33b6a3cce640
---
src/nfc/tags/ce_t4t.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/nfc/tags/ce_t4t.c b/src/nfc/tags/ce_t4t.c
index 98870e7..2e34c6c 100644
--- a/src/nfc/tags/ce_t4t.c
+++ b/src/nfc/tags/ce_t4t.c
@@ -701,6 +701,7 @@ static void ce_t4t_data_cback (UINT8 conn_id, tNFC_CONN_EVT event, tNFC_CONN *p_
{
GKI_freebuf (p_c_apdu);
ce_t4t_send_status (T4T_RSP_NOT_FOUND);
+ return;
}
}
else if (ce_cb.mem.t4t.status & CE_T4T_STATUS_WILDCARD_AID_SELECTED)

70
Patches/LineageOS-14.1/android_external_sonivox/317038.patch Normal file
View File

@ -0,0 +1,70 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Aayush Soni <aayush.soni@ittiam.com>
Date: Mon, 5 Jul 2021 10:11:29 +0530
Subject: [PATCH] sonivox: Fix global buffer overflow in WT_InterpolateNoLoop
Check for loop end before accessing new samples
Bug: 190286685
Test: POC in bug description
Change-Id: I26a187d161d713c1a1b1b3009256acfd9e263fb3
(cherry picked from commit 8bfcd9c03af5170b5003712fb77f096b5c9f341b)
---
arm-wt-22k/lib_src/eas_wtengine.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/arm-wt-22k/lib_src/eas_wtengine.c b/arm-wt-22k/lib_src/eas_wtengine.c
index 854d4b4..68a0400 100644
--- a/arm-wt-22k/lib_src/eas_wtengine.c
+++ b/arm-wt-22k/lib_src/eas_wtengine.c
@@ -282,6 +282,7 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
EAS_I32 phaseFrac;
EAS_I32 acc0;
const EAS_SAMPLE *pSamples;
+ const EAS_SAMPLE *bufferEndP1;
EAS_I32 samp1;
EAS_I32 samp2;
EAS_I32 numSamples;
@@ -296,8 +297,9 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
pOutputBuffer = pWTIntFrame->pAudioBuffer;
phaseInc = pWTIntFrame->frame.phaseIncrement;
+ bufferEndP1 = (const EAS_SAMPLE*) pWTVoice->loopEnd + 1;
pSamples = (const EAS_SAMPLE*) pWTVoice->phaseAccum;
- phaseFrac = (EAS_I32)pWTVoice->phaseFrac;
+ phaseFrac = (EAS_I32)(pWTVoice->phaseFrac & PHASE_FRAC_MASK);
/* fetch adjacent samples */
#if defined(_8_BIT_SAMPLES)
@@ -312,6 +314,7 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
while (numSamples--) {
+ EAS_I32 nextSamplePhaseInc;
/* linear interpolation */
acc0 = samp2 - samp1;
@@ -326,13 +329,18 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
/* increment phase */
phaseFrac += phaseInc;
/*lint -e{704} <avoid divide>*/
- acc0 = phaseFrac >> NUM_PHASE_FRAC_BITS;
+ nextSamplePhaseInc = phaseFrac >> NUM_PHASE_FRAC_BITS;
/* next sample */
- if (acc0 > 0) {
+ if (nextSamplePhaseInc > 0) {
+
+ /* check for loop end */
+ if ( &pSamples[nextSamplePhaseInc+1] >= bufferEndP1) {
+ break;
+ }
/* advance sample pointer */
- pSamples += acc0;
+ pSamples += nextSamplePhaseInc;
phaseFrac = (EAS_I32)((EAS_U32)phaseFrac & PHASE_FRAC_MASK);
/* fetch new samples */

78
Patches/LineageOS-14.1/android_external_tremolo/319986.patch Normal file
View File

@ -0,0 +1,78 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar <harish.mahendrakar@ittiam.com>
Date: Wed, 15 Sep 2021 18:40:53 -0700
Subject: [PATCH] handle cases where order isn't a multiple of dimension
loop around vorbis_book_decodev_set() didn't support a case where
info->order wasn't an integer multple of dimension.
vorbis_book_decodev_set() is now updated to handle the loop inside
with appropriate checks added.
Other functions vorbis_book_decode_*() have appropriate checks where
they are called. So added a comment for those.
This fix is similar to the one in Xiph tremor project's
commit 80661a13c93a01f25b8df4e89fecad0eee69ddcc
Bug: 199065614
Test: clusterfuzz generated poc in bug
Test: atest VorbisDecoderTest -- --enable-module-dynamic-download=true
Test: atest VtsHalMediaC2V1_0TargetAudioDecTest
Test: atest CtsMediaV2TestCases -- --module-arg CtsMediaV2TestCases:\
instrumentation-arg:codec-prefix:=c2.android.vorbis.decoder
Change-Id: Ibb94e7fc361e843caad7f7620229377dc1f8dd73
(cherry picked from commit 42aa2b936a078e2f69725e95009affcc93cb0f98)
---
Tremolo/codebook.c | 5 +++++
Tremolo/floor0.c | 5 ++---
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/Tremolo/codebook.c b/Tremolo/codebook.c
index a06302d..de6f3cb 100644
--- a/Tremolo/codebook.c
+++ b/Tremolo/codebook.c
@@ -838,6 +838,7 @@ static int decode_map(codebook *s, oggpack_buffer *b, ogg_int32_t *v, int point)
#endif
/* returns 0 on OK or -1 on eof *************************************/
+/* decode vector / dim granularity gaurding is done in the upper layer */
long vorbis_book_decodevs_add(codebook *book,ogg_int32_t *a,
oggpack_buffer *b,int n,int point){
if(book->used_entries>0){
@@ -855,6 +856,7 @@ long vorbis_book_decodevs_add(codebook *book,ogg_int32_t *a,
return 0;
}
+/* decode vector / dim granularity gaurding is done in the upper layer */
long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
oggpack_buffer *b,int n,int point){
if(book->used_entries>0){
@@ -871,6 +873,9 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
return 0;
}
+/* unlike the others, we guard against n not being an integer number
+ of <dim> internally rather than in the upper layer (called only by
+ floor0) */
long vorbis_book_decodev_set(codebook *book,ogg_int32_t *a,
oggpack_buffer *b,int n,int point){
if(book->used_entries>0){
diff --git a/Tremolo/floor0.c b/Tremolo/floor0.c
index b6ece29..812c720 100644
--- a/Tremolo/floor0.c
+++ b/Tremolo/floor0.c
@@ -419,10 +419,9 @@ ogg_int32_t *floor0_inverse1(vorbis_dsp_state *vd,vorbis_info_floor *i,
}
ogg_int32_t last=0;
- for(j=0;j<info->order;j+=b->dim)
- if(vorbis_book_decodev_set(b,lsp+j,&vd->opb,b->dim,-24)==-1)goto eop;
+ if(vorbis_book_decodev_set(b,lsp,&vd->opb,info->order,-24)==-1)goto eop;
for(j=0;j<info->order;){
- for(k=0;k<b->dim;k++,j++)lsp[j]+=last;
+ for(k=0;k<b->dim && j<info->order;k++,j++)lsp[j]+=last;
last=lsp[j-1];
}

72
Patches/LineageOS-14.1/android_frameworks_av/319987.patch Normal file
View File

@ -0,0 +1,72 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Santiago Seifert <aquilescanta@google.com>
Date: Thu, 2 Sep 2021 10:29:09 +0100
Subject: [PATCH] Fix heap-buffer-overflow in MPEG4Extractor
Caused by the extractor assuming that sample size will never exceed
the declared max input size (as in AMEDIAFORMAT_KEY_MAX_INPUT_SIZE).
Bug: 188893559
Test: Ran the fuzzer using the bug's testcase.
Change-Id: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
Merged-In: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
(cherry picked from commit 621f0e12017a2d057aeaa1937e979ce61b2ac3cf)
(cherry picked from commit d13a4efc7a5c07c95a00036a7db15b16116b41a5)
---
media/libstagefright/MPEG4Extractor.cpp | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/MPEG4Extractor.cpp
index 989ce75e15..805ff486bb 100644
--- a/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/MPEG4Extractor.cpp
@@ -149,6 +149,7 @@ private:
bool mWantsNALFragments;
+ size_t mSrcBufferSize;
uint8_t *mSrcBuffer;
size_t parseNALSize(const uint8_t *data) const;
@@ -3763,6 +3764,7 @@ MPEG4Source::MPEG4Source(
mGroup(NULL),
mBuffer(NULL),
mWantsNALFragments(false),
+ mSrcBufferSize(0),
mSrcBuffer(NULL) {
#ifdef DOLBY_ENABLE
ALOGV("@DDP MPEG4Source::MPEG4Source");
@@ -3876,6 +3878,7 @@ status_t MPEG4Source::start(MetaData *params) {
mGroup = NULL;
return ERROR_MALFORMED;
}
+ mSrcBufferSize = max_size;
mStarted = true;
@@ -3892,6 +3895,7 @@ status_t MPEG4Source::stop() {
mBuffer = NULL;
}
+ mSrcBufferSize = 0;
delete[] mSrcBuffer;
mSrcBuffer = NULL;
@@ -4727,11 +4731,15 @@ status_t MPEG4Source::read(
ssize_t num_bytes_read = 0;
int32_t drm = 0;
bool usesDRM = (mFormat->findInt32(kKeyIsDRM, &drm) && drm != 0);
- if (usesDRM) {
+ if (usesDRM && size <= mBuffer->size()) {
num_bytes_read =
mDataSource->readAt(offset, (uint8_t*)mBuffer->data(), size);
- } else {
+ } else if (!usesDRM && size <= mSrcBufferSize) {
num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
+ } else {
+ // The sample is larger than the expected maximum size. Fall through and let the failure
+ // be handled by the following if.
+ android_errorWriteLog(0x534e4554, "188893559");
}
if (num_bytes_read < (ssize_t)size) {

53
Patches/LineageOS-14.1/android_frameworks_av/321222.patch Normal file
View File

@ -0,0 +1,53 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gopalakrishnan Nallasamy <gokrishnan@google.com>
Date: Wed, 29 Sep 2021 08:24:26 -0700
Subject: [PATCH] SimpleDecodingSource:Prevent OOB write in heap mem
doRead() doesn't handle situations when received byte do not fit into
input buffer in case of vorbis audio compression. It results in OOB
write in heap memory right after the allocated input buffer. Added
code to copy kKeyValidSamples only if there was enough space.
Otherwise, print a warning log.
Bug: 194105348
Test: post-submit media cts tests
Change-Id: I2b27580deff9ad937b68703a1e7c3ff2a6dccc60
(cherry picked from commit a625b40e1c210f1e8ed57962eee9f70cef06fb1b)
(cherry picked from commit f3590a1b18d8cde4ac1cbc135c1022816096438d)
Merged-In:I2b27580deff9ad937b68703a1e7c3ff2a6dccc60
---
media/libstagefright/SimpleDecodingSource.cpp | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/media/libstagefright/SimpleDecodingSource.cpp b/media/libstagefright/SimpleDecodingSource.cpp
index 2503a3205d..66e17c9c31 100644
--- a/media/libstagefright/SimpleDecodingSource.cpp
+++ b/media/libstagefright/SimpleDecodingSource.cpp
@@ -292,18 +292,23 @@ status_t SimpleDecodingSource::doRead(
}
size_t cpLen = min(in_buf->range_length(), in_buffer->capacity());
memcpy(in_buffer->base(), (uint8_t *)in_buf->data() + in_buf->range_offset(),
- cpLen );
+ cpLen);
if (mIsVorbis) {
int32_t numPageSamples;
if (!in_buf->meta_data()->findInt32(kKeyValidSamples, &numPageSamples)) {
numPageSamples = -1;
}
- memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+ if (cpLen + sizeof(numPageSamples) <= in_buffer->capacity()) {
+ memcpy(in_buffer->base() + cpLen, &numPageSamples, sizeof(numPageSamples));
+ cpLen += sizeof(numPageSamples);
+ } else {
+ ALOGW("Didn't have enough space to copy kKeyValidSamples");
+ }
}
res = mCodec->queueInputBuffer(
- in_ix, 0 /* offset */, in_buf->range_length() + (mIsVorbis ? 4 : 0),
+ in_ix, 0 /* offset */, cpLen,
timestampUs, 0 /* flags */);
if (res != OK) {
ALOGI("[%s] failed to queue input buffer #%zu", mComponentName.c_str(), in_ix);

68
Patches/LineageOS-14.1/android_frameworks_base/315712.patch Normal file
View File

@ -0,0 +1,68 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jorim Jaggi <jjaggi@google.com>
Date: Thu, 20 May 2021 18:35:30 +0200
Subject: [PATCH] Fix race condition between lockNow() and
updateLockscreenTimeout
If updateLockscreenTimeout gets called before the Runnable queued
from lockNow gets executed, lockNow request will be ignored. Fix
this by not clearing out the runnable if it's pending lock request.
Test: Switch user, ensure lockscreen comes up
Bug: 161149543
Change-Id: Ie486396fd7328edf8ca0912df92524bb82a1fb7f
(cherry picked from commit 875fa991aac0f3bbd5c66327408ceae60a24a6b3)
Merged-In: Ie486396fd7328edf8ca0912df92524bb82a1fb7f
(cherry picked from commit 1692babe5e60b4e10f23d4960455ccbff6616ba3)
---
.../android/server/policy/PhoneWindowManager.java | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/policy/PhoneWindowManager.java b/services/core/java/com/android/server/policy/PhoneWindowManager.java
index 67949ef13137..6a22c505beb3 100644
--- a/services/core/java/com/android/server/policy/PhoneWindowManager.java
+++ b/services/core/java/com/android/server/policy/PhoneWindowManager.java
@@ -853,6 +853,8 @@ public class PhoneWindowManager implements WindowManagerPolicy {
private final List<DeviceKeyHandler> mDeviceKeyHandlers = new ArrayList<>();
+ private boolean mLockNowPending = false;
+
private static final int MSG_ENABLE_POINTER_LOCATION = 1;
private static final int MSG_DISABLE_POINTER_LOCATION = 2;
private static final int MSG_DISPATCH_MEDIA_KEY_WITH_WAKE_LOCK = 3;
@@ -8199,6 +8201,7 @@ public class PhoneWindowManager implements WindowManagerPolicy {
mKeyguardDelegate.doKeyguardTimeout(options);
}
mLockScreenTimerActive = false;
+ mLockNowPending = false;
options = null;
}
}
@@ -8208,7 +8211,7 @@ public class PhoneWindowManager implements WindowManagerPolicy {
}
}
- ScreenLockTimeout mScreenLockTimeout = new ScreenLockTimeout();
+ final ScreenLockTimeout mScreenLockTimeout = new ScreenLockTimeout();
@Override
public void lockNow(Bundle options) {
@@ -8220,10 +8223,17 @@ public class PhoneWindowManager implements WindowManagerPolicy {
mScreenLockTimeout.setLockOptions(options);
}
mHandler.post(mScreenLockTimeout);
+ synchronized (mScreenLockTimeout) {
+ mLockNowPending = true;
+ }
}
private void updateLockScreenTimeout() {
synchronized (mScreenLockTimeout) {
+ if (mLockNowPending) {
+ Log.w(TAG, "lockNow pending, ignore updating lockscreen timeout");
+ return;
+ }
boolean enable = (mAllowLockscreenWhenOn && mAwake &&
mKeyguardDelegate != null && mKeyguardDelegate.isSecure(mCurrentUserId));
if (mLockScreenTimerActive != enable) {

49
Patches/LineageOS-14.1/android_frameworks_base/315713.patch Normal file
View File

@ -0,0 +1,49 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Seigo Nonaka <nona@google.com>
Date: Tue, 8 Jun 2021 16:12:39 -0700
Subject: [PATCH] Improve ellipsize performance
Instead of iterate all ellipsized characters, only iterate the necessary
ranges for copying.
Bug: 188913943
Test: atest CtsTextTestCases CtsGraphicsTestCases CtsWidgetTestCases
Change-Id: I3d03b1e3897e427c23fbe51315f412c57a4ce9e9
Merged-In: I3d03b1e3897e427c23fbe51315f412c57a4ce9e9
(cherry picked from commit ae1912b62f7dfa361acfbe472cb8a49cd60f746e)
---
core/java/android/text/Layout.java | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/core/java/android/text/Layout.java b/core/java/android/text/Layout.java
index 0999b982d990..11e5fab2ebb3 100644
--- a/core/java/android/text/Layout.java
+++ b/core/java/android/text/Layout.java
@@ -2054,20 +2054,20 @@ public abstract class Layout {
int ellipsisStart = getEllipsisStart(line);
int linestart = getLineStart(line);
- for (int i = ellipsisStart; i < ellipsisStart + ellipsisCount; i++) {
+ final int min = Math.max(0, start - ellipsisStart - linestart);
+ final int max = Math.min(ellipsisCount, end - ellipsisStart - linestart);
+
+ for (int i = min; i < max; i++) {
char c;
- if (i == ellipsisStart) {
+ if (i == 0) {
c = getEllipsisChar(method); // ellipsis
} else {
c = '\uFEFF'; // 0-width space
}
- int a = i + linestart;
-
- if (a >= start && a < end) {
- dest[destoff + a - start] = c;
- }
+ int a = i + ellipsisStart + linestart;
+ dest[destoff + a - start] = c;
}
}

50
Patches/LineageOS-14.1/android_frameworks_base/315740.patch Normal file
View File

@ -0,0 +1,50 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christopher Tate <ctate@google.com>
Date: Mon, 7 Jun 2021 15:02:45 -0700
Subject: [PATCH] Fix side effects of trace-ipc and dumpheap commands
These shell commands were implicitly deleting any client-named file for
which the system uid had deletion capability. They no longer do this,
instead using only the client's own capabilities and file manipulation
modes.
Bug: 185398942
Test: manual "adb shell cmd activity dumpheap system_server /data/system/last-fstrim"
Test: atest CtsPermissionTestCases:ShellCommandPermissionTest
[basilgello: Backport to LineageOS 14.1:
- Adjust file name,
- Do not remove file creation statements]
Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>
Merged-In: Ie61ab2c3f4bfbd04de09ca99c1116d1129461e8f
Change-Id: Ie61ab2c3f4bfbd04de09ca99c1116d1129461e8f
(cherry picked from commit 6984eaa9f4a369228259047c2f797d022afb8f3b)
---
cmds/am/src/com/android/commands/am/Am.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmds/am/src/com/android/commands/am/Am.java b/cmds/am/src/com/android/commands/am/Am.java
index 618a7ed34708..ebf3d0b8a8fc 100644
--- a/cmds/am/src/com/android/commands/am/Am.java
+++ b/cmds/am/src/com/android/commands/am/Am.java
@@ -945,8 +945,8 @@ public class Am extends BaseCommand {
ParcelFileDescriptor fd = null;
try {
+ // Writes an error message to stderr on failure
File file = new File(filename);
- file.delete();
fd = openForSystemServer(file,
ParcelFileDescriptor.MODE_CREATE |
ParcelFileDescriptor.MODE_TRUNCATE |
@@ -1094,8 +1094,8 @@ public class Am extends BaseCommand {
ParcelFileDescriptor fd = null;
try {
+ // Writes an error message to stderr on failure
File file = new File(heapFile);
- file.delete();
fd = openForSystemServer(file,
ParcelFileDescriptor.MODE_CREATE |
ParcelFileDescriptor.MODE_TRUNCATE |

65
Patches/LineageOS-14.1/android_frameworks_base/315741.patch Normal file
View File

@ -0,0 +1,65 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Steve Elliott <steell@google.com>
Date: Tue, 22 Jun 2021 13:58:48 -0400
Subject: [PATCH] Don't attach private Notification to A11yEvent when user
locked
Fixes: 159624555
Test: manual, atest
Change-Id: Ib44f1d3695d2b31bee4f8ccae3f948c83f3b40b6
Merged-In: Ib44f1d3695d2b31bee4f8ccae3f948c83f3b40b6
(cherry picked from commit 54fbccc2934eae844550d851480d5448c2542f1d)
(cherry picked from commit 93f167b8f577027f5744dc8c03c8f4c256735eb8)
---
.../NotificationManagerService.java | 23 +++++++++++++++----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
index 4a827dc6cfef..7ced1f96cc49 100644
--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
+++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
@@ -3081,7 +3081,7 @@ public class NotificationManagerService extends SystemService {
if (!(record.isUpdate
&& (notification.flags & Notification.FLAG_ONLY_ALERT_ONCE) != 0)) {
- sendAccessibilityEvent(notification, record.sbn.getPackageName());
+ sendAccessibilityEvent(record);
if (canBeep && hasValidSound) {
boolean looping =
@@ -3508,18 +3508,31 @@ public class NotificationManagerService extends SystemService {
return (x < low) ? low : ((x > high) ? high : x);
}
- void sendAccessibilityEvent(Notification notification, CharSequence packageName) {
+ void sendAccessibilityEvent(NotificationRecord record) {
AccessibilityManager manager = AccessibilityManager.getInstance(getContext());
if (!manager.isEnabled()) {
return;
}
- AccessibilityEvent event =
+ final Notification notification = record.getNotification();
+ final CharSequence packageName = record.sbn.getPackageName();
+ final AccessibilityEvent event =
AccessibilityEvent.obtain(AccessibilityEvent.TYPE_NOTIFICATION_STATE_CHANGED);
event.setPackageName(packageName);
event.setClassName(Notification.class.getName());
- event.setParcelableData(notification);
- CharSequence tickerText = notification.tickerText;
+ final int visibilityOverride = record.getPackageVisibilityOverride();
+ final int notifVisibility = visibilityOverride == NotificationManager.VISIBILITY_NO_OVERRIDE
+ ? notification.visibility : visibilityOverride;
+ final int userId = record.getUser().getIdentifier();
+ final boolean needPublic = userId >= 0 && mKeyguardManager.isDeviceLocked(userId);
+ if (needPublic && notifVisibility != Notification.VISIBILITY_PUBLIC) {
+ // Emit the public version if we're on the lockscreen and this notification isn't
+ // publicly visible.
+ event.setParcelableData(notification.publicVersion);
+ } else {
+ event.setParcelableData(notification);
+ }
+ final CharSequence tickerText = notification.tickerText;
if (!TextUtils.isEmpty(tickerText)) {
event.getText().add(tickerText);
}

41
Patches/LineageOS-14.1/android_frameworks_base/317035.patch Normal file
View File

@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: John Reck <jreck@google.com>
Date: Thu, 22 Apr 2021 16:55:09 -0400
Subject: [PATCH] Fix a potential thread safety issue in VectorDrawable
Bug: 158839504
Bug: 185178568
Test: speculative
Change-Id: Id9f229f08fe5897dda25441fbaa15c98f8130de9
(cherry picked from commit 32207ceb2fb408d06924b46919fc438477fddcf0)
---
.../java/android/graphics/drawable/VectorDrawable.java | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/graphics/java/android/graphics/drawable/VectorDrawable.java b/graphics/java/android/graphics/drawable/VectorDrawable.java
index d644beeb7d37..a182e5b8b71b 100644
--- a/graphics/java/android/graphics/drawable/VectorDrawable.java
+++ b/graphics/java/android/graphics/drawable/VectorDrawable.java
@@ -262,15 +262,19 @@ public class VectorDrawable extends Drawable {
private final Rect mTmpBounds = new Rect();
public VectorDrawable() {
- this(new VectorDrawableState(null), null);
+ this(null, null);
}
/**
* The one constructor to rule them all. This is called by all public
* constructors to set the state and initialize local properties.
*/
- private VectorDrawable(@NonNull VectorDrawableState state, @Nullable Resources res) {
- mVectorState = state;
+ private VectorDrawable(@Nullable VectorDrawableState state, @Nullable Resources res) {
+ // As the mutable, not-thread-safe native instance is stored in VectorDrawableState, we
+ // need to always do a defensive copy even if mutate() isn't called. Otherwise
+ // draw() being called on 2 different VectorDrawable instances could still hit the same
+ // underlying native object.
+ mVectorState = new VectorDrawableState(state);
updateLocalState(res);
}

63
Patches/LineageOS-14.1/android_frameworks_base/317036.patch Normal file
View File

@ -0,0 +1,63 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Rhed Jao <rhedjao@google.com>
Date: Fri, 30 Jul 2021 15:52:05 +0800
Subject: [PATCH] DO NOT MERGE Apply a maximum char count to the load label api
The system is overwhelmed by an enormous label string returned by
the load label api. This cl truncates the label string if it exceeds
the maximum safe length.
Also update the max safe label length to 1000 characters, which is
enough.
Bug: 67013844
Test: atest PackageManagerTest
Change-Id: Ia4d768cc93a47cfb8b6f7c4b6dc73abd801809bd
Merged-in: Ia4d768cc93a47cfb8b6f7c4b6dc73abd801809bd
(cherry picked from commit 7380c153b97bfa38a0dfa9cccc71062f6d6bd6f4)
---
.../android/content/pm/PackageItemInfo.java | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/core/java/android/content/pm/PackageItemInfo.java b/core/java/android/content/pm/PackageItemInfo.java
index 73ae83e32f68..4ce6a8db2f3f 100644
--- a/core/java/android/content/pm/PackageItemInfo.java
+++ b/core/java/android/content/pm/PackageItemInfo.java
@@ -47,7 +47,7 @@ import java.util.Comparator;
public class PackageItemInfo {
private static final float MAX_LABEL_SIZE_PX = 500f;
/** The maximum length of a safe label, in characters */
- private static final int MAX_SAFE_LABEL_LENGTH = 50000;
+ private static final int MAX_SAFE_LABEL_LENGTH = 1000;
/**
* Public name of this item. From the "android:name" attribute.
@@ -135,6 +135,12 @@ public class PackageItemInfo {
* item does not have a label, its name is returned.
*/
public CharSequence loadLabel(PackageManager pm) {
+ // Trims the label string to the MAX_SAFE_LABEL_LENGTH. This is to prevent that the
+ // system is overwhelmed by an enormous string returned by the application.
+ return trimToSize(loadUnsafeLabel(pm), MAX_SAFE_LABEL_LENGTH);
+ }
+
+ private CharSequence loadUnsafeLabel(PackageManager pm) {
if (nonLocalizedLabel != null) {
return nonLocalizedLabel;
}
@@ -212,6 +218,15 @@ public class PackageItemInfo {
TextUtils.TruncateAt.END);
}
+ private CharSequence trimToSize(CharSequence label, int size) {
+ if (TextUtils.isEmpty(label) || label.length() <= size) return label;
+ if (Character.isHighSurrogate(label.charAt(size - 1))
+ && Character.isLowSurrogate(label.charAt(size))) {
+ size = size - 1;
+ }
+ return label.subSequence(0, size);
+ }
+
/**
* Retrieve the current graphical icon associated with this item. This
* will call back on the given PackageManager to load the icon from

93
Patches/LineageOS-14.1/android_frameworks_base/317049.patch Normal file
View File

@ -0,0 +1,93 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Dementyev <dementyev@google.com>
Date: Thu, 17 Jun 2021 13:16:38 -0700
Subject: [PATCH] Change ownership of the account request notification.
Add "Permission requested by Application..." string.
Test: manual
Bug: 179338675
Change-Id: Ib66ccc1b39bd1f3f8fa3b1efc38a9d413b72a321
(cherry picked from commit 26de0c231ffb9fd8d22e80ca120c766c26276779)
---
core/res/res/values/strings.xml | 2 ++
core/res/res/values/symbols.xml | 1 +
.../accounts/AccountManagerService.java | 19 ++++++++++++++-----
3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index d3df61ba1942..1e32ca2629d2 100755
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -3309,6 +3309,8 @@
<string name="deny">Deny</string>
<string name="permission_request_notification_title">Permission requested</string>
<string name="permission_request_notification_with_subtitle">Permission requested\nfor account <xliff:g id="account" example="foo@gmail.com">%s</xliff:g>.</string>
+ <!-- Title and subtitle for notification shown when app request account access (two lines) [CHAR LIMIT=NONE] -->
+ <string name="permission_request_notification_for_app_with_subtitle">Permission requested by <xliff:g id="app" example="Gmail">%1$s</xliff:g>\nfor account <xliff:g id="account" example="foo@gmail.com">%2$s</xliff:g>.</string>
<!-- Message to show when an intent automatically switches users into the personal profile. -->
<string name="forward_intent_to_owner">You\'re using this app outside of your work profile</string>
diff --git a/core/res/res/values/symbols.xml b/core/res/res/values/symbols.xml
index eeacb08436e2..71e388d48ba7 100755
--- a/core/res/res/values/symbols.xml
+++ b/core/res/res/values/symbols.xml
@@ -462,6 +462,7 @@
<java-symbol type="string" name="menu_space_shortcut_label" />
<java-symbol type="string" name="notification_title" />
<java-symbol type="string" name="permission_request_notification_with_subtitle" />
+ <java-symbol type="string" name="permission_request_notification_for_app_with_subtitle" />
<java-symbol type="string" name="prepend_shortcut_label" />
<java-symbol type="string" name="paste_as_plain_text" />
<java-symbol type="string" name="replace" />
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index 126955add01a..520a0d314318 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -502,7 +502,7 @@ public class AccountManagerService
if (!checkAccess || hasAccountAccess(account, packageName,
UserHandle.getUserHandleForUid(uid))) {
cancelNotification(getCredentialPermissionNotificationId(account,
- AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid), packageName,
+ AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid),
UserHandle.getUserHandleForUid(uid));
}
}
@@ -2572,8 +2572,8 @@ public class AccountManagerService
String authTokenType = intent.getStringExtra(
GrantCredentialsPermissionActivity.EXTRAS_AUTH_TOKEN_TYPE);
final String titleAndSubtitle =
- mContext.getString(R.string.permission_request_notification_with_subtitle,
- account.name);
+ mContext.getString(R.string.permission_request_notification_for_app_with_subtitle,
+ getApplicationLabel(packageName), account.name);
final int index = titleAndSubtitle.indexOf('\n');
String title = titleAndSubtitle;
String subtitle = "";
@@ -2594,7 +2594,16 @@ public class AccountManagerService
PendingIntent.FLAG_CANCEL_CURRENT, null, user))
.build();
installNotification(getCredentialPermissionNotificationId(
- account, authTokenType, uid), n, packageName, user.getIdentifier());
+ account, authTokenType, uid), n, "android", user.getIdentifier());
+ }
+
+ private String getApplicationLabel(String packageName) {
+ try {
+ return mPackageManager.getApplicationLabel(
+ mPackageManager.getApplicationInfo(packageName, 0)).toString();
+ } catch (PackageManager.NameNotFoundException e) {
+ return packageName;
+ }
}
private Intent newGrantCredentialsPermissionIntent(Account account, String packageName,
@@ -3582,7 +3591,7 @@ public class AccountManagerService
private void handleAuthenticatorResponse(boolean accessGranted) throws RemoteException {
cancelNotification(getCredentialPermissionNotificationId(account,
- AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid), packageName,
+ AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid),
UserHandle.getUserHandleForUid(uid));
if (callback != null) {
Bundle result = new Bundle();

45
Patches/LineageOS-14.1/android_frameworks_base/317050.patch Normal file
View File

@ -0,0 +1,45 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: MahendaviAamir <mahendavi.aamirmohammedbhai@sasken.com>
Date: Wed, 9 Jun 2021 17:10:42 +0530
Subject: [PATCH] Send targeted broadcasts to prevent other apps from receiving
them.
When sending broadcasts ACTION_SNOOZE_WARNING in NPMS, which may
contain sensitive information, explicitly set the package name
that should receive it to prevent other apps from receiving them.
Bug: 177931370
Test: manual
Change-Id: I2a0a0dc09e27791de829bacfb2e865ffea993715
Merged-In: I11d736771d859d2af27d5c84a502ab038974e2e2
(cherry picked from commit fdbcf17a4eda04e3140b5d97658a3d4815abd9f5)
---
.../com/android/server/net/NetworkPolicyManagerService.java | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
index fddfb003029b..c1111607f0dc 100644
--- a/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
+++ b/services/core/java/com/android/server/net/NetworkPolicyManagerService.java
@@ -1067,7 +1067,8 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
builder.setDefaults(Notification.DEFAULT_ALL);
builder.setPriority(Notification.PRIORITY_HIGH);
- final Intent snoozeIntent = buildSnoozeWarningIntent(policy.template);
+ final Intent snoozeIntent = buildSnoozeWarningIntent(policy.template,
+ mContext.getPackageName());
builder.setDeleteIntent(PendingIntent.getBroadcast(
mContext, 0, snoozeIntent, PendingIntent.FLAG_UPDATE_CURRENT));
@@ -3607,9 +3608,10 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
return new Intent(ACTION_ALLOW_BACKGROUND);
}
- private static Intent buildSnoozeWarningIntent(NetworkTemplate template) {
+ private static Intent buildSnoozeWarningIntent(NetworkTemplate template, String targetPackage) {
final Intent intent = new Intent(ACTION_SNOOZE_WARNING);
intent.putExtra(EXTRA_NETWORK_TEMPLATE, template);
+ intent.setPackage(targetPackage);
return intent;
}

68
Patches/LineageOS-14.1/android_frameworks_base/318516.patch Normal file
View File

@ -0,0 +1,68 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jayant Chowdhary <jchowdhary@google.com>
Date: Wed, 9 Jun 2021 14:34:54 -0700
Subject: [PATCH] camera2: Fix exception swallowing in params classes
createFromParcel
Do not catch exceptions when we attempt to create the following classes
from a parcel
- OutputConfiguration
- VendorTagDescriptor
- VendorTagDescriptorCache
- SessionConfiguration
This could cause subsequent parcel information to be read incorrectly.
Bug: 188675581
Test: Sample app which tries to write invalid data into an
OutputConfiguration parcel to send in an intent via Broadcast. When read by the receiving app,
gets an exception (not swallowed).
Merged-In: I745ca49daa6ca36b1020d518e9f346b52684f2b1
Change-Id: I745ca49daa6ca36b1020d518e9f346b52684f2b1
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
(cherry picked from commit 6b0bcd60c81003e6a193aeccf44ee03f188e3984)
(cherry picked from commit 8a11538146d894264420d5baa554e3968496b020)
---
.../hardware/camera2/params/OutputConfiguration.java | 8 +-------
.../hardware/camera2/params/VendorTagDescriptor.java | 8 +-------
2 files changed, 2 insertions(+), 14 deletions(-)
diff --git a/core/java/android/hardware/camera2/params/OutputConfiguration.java b/core/java/android/hardware/camera2/params/OutputConfiguration.java
index 69c00e987302..15b64993912c 100644
--- a/core/java/android/hardware/camera2/params/OutputConfiguration.java
+++ b/core/java/android/hardware/camera2/params/OutputConfiguration.java
@@ -395,13 +395,7 @@ public final class OutputConfiguration implements Parcelable {
new Parcelable.Creator<OutputConfiguration>() {
@Override
public OutputConfiguration createFromParcel(Parcel source) {
- try {
- OutputConfiguration outputConfiguration = new OutputConfiguration(source);
- return outputConfiguration;
- } catch (Exception e) {
- Log.e(TAG, "Exception creating OutputConfiguration from parcel", e);
- return null;
- }
+ return new OutputConfiguration(source);
}
@Override
diff --git a/core/java/android/hardware/camera2/params/VendorTagDescriptor.java b/core/java/android/hardware/camera2/params/VendorTagDescriptor.java
index ea424e594081..893bde1e1430 100644
--- a/core/java/android/hardware/camera2/params/VendorTagDescriptor.java
+++ b/core/java/android/hardware/camera2/params/VendorTagDescriptor.java
@@ -36,13 +36,7 @@ public final class VendorTagDescriptor implements Parcelable {
new Parcelable.Creator<VendorTagDescriptor>() {
@Override
public VendorTagDescriptor createFromParcel(Parcel source) {
- try {
- VendorTagDescriptor vendorDescriptor = new VendorTagDescriptor(source);
- return vendorDescriptor;
- } catch (Exception e) {
- Log.e(TAG, "Exception creating VendorTagDescriptor from parcel", e);
- return null;
- }
+ return new VendorTagDescriptor(source);
}
@Override

37
Patches/LineageOS-14.1/android_frameworks_base/318517.patch Normal file
View File

@ -0,0 +1,37 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hansong Zhang <hsz@google.com>
Date: Wed, 18 Aug 2021 16:35:00 -0700
Subject: [PATCH] DO NOT MERGE Bluetooth: Fix formatting in getAlias()
Bug: 180747689
Test: manual
Change-Id: Ic309f4aad116fd424d5d0d0e2016d61be8826b78
(cherry picked from commit 3bdad2df2e34c948bde80a51ae232c46848dab06)
---
core/java/android/bluetooth/BluetoothDevice.java | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/core/java/android/bluetooth/BluetoothDevice.java b/core/java/android/bluetooth/BluetoothDevice.java
index 3134445112f0..44fb652cabb0 100644
--- a/core/java/android/bluetooth/BluetoothDevice.java
+++ b/core/java/android/bluetooth/BluetoothDevice.java
@@ -770,8 +770,17 @@ public final class BluetoothDevice implements Parcelable {
return null;
}
try {
- return sService.getRemoteAlias(this);
- } catch (RemoteException e) {Log.e(TAG, "", e);}
+ String alias = sService.getRemoteAlias(this);
+ if (alias == null) {
+ return getName();
+ }
+ return alias
+ .replace('\t', ' ')
+ .replace('\n', ' ')
+ .replace('\r', ' ');
+ } catch (RemoteException e) {
+ Log.e(TAG, "", e);
+ }
return null;
}

32
Patches/LineageOS-14.1/android_frameworks_base/319988.patch Normal file
View File

@ -0,0 +1,32 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Yu-Han Yang <yuhany@google.com>
Date: Tue, 21 Sep 2021 12:29:34 -0700
Subject: [PATCH] Fix serialization bug in GpsNavigationMessage
Bug: 196970023
Test: presubmits passing.
Change-Id: I69f51eb2faac0cf2ee9f7a5f94f7100925f7221c
(cherry picked from commit 8bcd86e6626a38df525507cd25044cc9592b9b0d)
---
location/java/android/location/GpsNavigationMessage.java | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/location/java/android/location/GpsNavigationMessage.java b/location/java/android/location/GpsNavigationMessage.java
index 5c3c71012cdd..16ac26d7852d 100644
--- a/location/java/android/location/GpsNavigationMessage.java
+++ b/location/java/android/location/GpsNavigationMessage.java
@@ -259,12 +259,8 @@ public class GpsNavigationMessage implements Parcelable {
parcel.readByteArray(data);
navigationMessage.setData(data);
- if (parcel.dataAvail() >= Integer.SIZE) {
- int status = parcel.readInt();
- navigationMessage.setStatus((short) status);
- } else {
- navigationMessage.setStatus(STATUS_UNKNOWN);
- }
+ int status = parcel.readInt();
+ navigationMessage.setStatus((short) status);
return navigationMessage;
}

106
Patches/LineageOS-14.1/android_frameworks_base/322452.patch Normal file
View File

@ -0,0 +1,106 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: tiansiming <tiansiming@xiaomi.com>
Date: Wed, 20 Sep 2017 13:59:13 +0800
Subject: [PATCH] Fix another AddAccountSettings memory leak
The memory leak will always occur in AddAccoutSettings
when Bundle with an invalid intent returned in the addAccount we implement.
Bug:https://issuetracker.google.com/issues/66088681
Test:Install the app through the github offered in above link,
then press the "Test" item in ChooseAccountActivity (adb shell am start -n
'com.android.settings/.accounts.ChooseAccountActivity') serveal times.
Check the activity number by "adb shell dumpsys meminfo com.android.settings".
Change-Id: Id15fc73521d0ddc6ca891b6029ad04cd4427dbfe
Signed-off-by: tiansiming <tiansiming@xiaomi.com>
---
.../accounts/AccountManagerService.java | 36 +++++++++++++------
1 file changed, 25 insertions(+), 11 deletions(-)
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index 520a0d314318..dd3e4d9cb17c 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -2530,9 +2530,13 @@ public class AccountManagerService
* have users launching arbitrary activities by tricking users to
* interact with malicious notifications.
*/
- checkKeyIntent(
+ if (!checkKeyIntent(
Binder.getCallingUid(),
- intent);
+ intent)) {
+ onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+ "invalid intent in bundle returned");
+ return;
+ }
doNotification(mAccounts,
account, result.getString(AccountManager.KEY_AUTH_FAILED_MESSAGE),
intent, "android", accounts.userId);
@@ -2941,9 +2945,13 @@ public class AccountManagerService
Intent intent = null;
if (result != null
&& (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
- checkKeyIntent(
+ if (!checkKeyIntent(
Binder.getCallingUid(),
- intent);
+ intent)) {
+ onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+ "invalid intent in bundle returned");
+ return;
+ }
}
IAccountManagerResponse response;
if (mExpectActivityLaunch && result != null
@@ -4209,9 +4217,7 @@ public class AccountManagerService
* into launching aribtrary intents on the device via by tricking to click authenticator
* supplied entries in the system Settings app.
*/
- protected void checkKeyIntent(
- int authUid,
- Intent intent) throws SecurityException {
+ protected boolean checkKeyIntent(int authUid, Intent intent) {
intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
| Intent.FLAG_GRANT_WRITE_URI_PERMISSION
| Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
@@ -4220,6 +4226,9 @@ public class AccountManagerService
try {
PackageManager pm = mContext.getPackageManager();
ResolveInfo resolveInfo = pm.resolveActivityAsUser(intent, 0, mAccounts.userId);
+ if (resolveInfo == null) {
+ return false;
+ }
ActivityInfo targetActivityInfo = resolveInfo.activityInfo;
int targetUid = targetActivityInfo.applicationInfo.uid;
if (PackageManager.SIGNATURE_MATCH != pm.checkSignatures(authUid, targetUid)) {
@@ -4227,9 +4236,10 @@ public class AccountManagerService
String activityName = targetActivityInfo.name;
String tmpl = "KEY_INTENT resolved to an Activity (%s) in a package (%s) that "
+ "does not share a signature with the supplying authenticator (%s).";
- throw new SecurityException(
- String.format(tmpl, activityName, pkgName, mAccountType));
+ Log.e(TAG, String.format(tmpl, activityName, pkgName, mAccountType));
+ return false;
}
+ return true;
} finally {
Binder.restoreCallingIdentity(bid);
}
@@ -4378,9 +4388,13 @@ public class AccountManagerService
}
if (result != null
&& (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
- checkKeyIntent(
+ if (!checkKeyIntent(
Binder.getCallingUid(),
- intent);
+ intent)) {
+ onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+ "invalid intent in bundle returned");
+ return;
+ }
}
if (result != null
&& !TextUtils.isEmpty(result.getString(AccountManager.KEY_AUTHTOKEN))) {

44
Patches/LineageOS-14.1/android_frameworks_base/322453.patch Normal file
View File

@ -0,0 +1,44 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Thu, 23 Apr 2020 11:11:06 -0600
Subject: [PATCH] Force-set a ClipData to prevent later migration.
migrateExtraStreamToClipData() will only offer to promote Uri values
if a ClipData isn't already defined, so we ensure that a ClipData
value is always defined. This blocks later promotion and granting.
Bug: 200683077
Bug: 123700107
Test: manual
Change-Id: I99c1411e8b4eb01eb27ac4306e3bf6cc88cb4273
(cherry picked from commit 6ebf410b818c6a525130d5fcb72381217fec8e7a)
(cherry picked from commit 3cf2b049867977916d29f1674f71e89b49ea1f69)
Merged-In:I99c1411e8b4eb01eb27ac4306e3bf6cc88cb4273
---
.../com/android/server/accounts/AccountManagerService.java | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index dd3e4d9cb17c..3aea365b7ced 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -47,6 +47,7 @@ import android.app.admin.DevicePolicyManager;
import android.app.admin.DevicePolicyManagerInternal;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
+import android.content.ClipData;
import android.content.ContentValues;
import android.content.Context;
import android.content.Intent;
@@ -4218,6 +4219,11 @@ public class AccountManagerService
* supplied entries in the system Settings app.
*/
protected boolean checkKeyIntent(int authUid, Intent intent) {
+ // Explicitly set an empty ClipData to ensure that we don't offer to
+ // promote any Uris contained inside for granting purposes
+ if (intent.getClipData() == null) {
+ intent.setClipData(ClipData.newPlainText(null, null));
+ }
intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
| Intent.FLAG_GRANT_WRITE_URI_PERMISSION
| Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION

46
Patches/LineageOS-14.1/android_frameworks_base/322454.patch Normal file
View File

@ -0,0 +1,46 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Aseem Kumar <aseemk@google.com>
Date: Mon, 17 May 2021 09:25:03 +0000
Subject: [PATCH] Prevent apps from spamming addAccountExplicitly.
See comment here for the discussion on solution
https://b.corp.google.com/issues/169762606#comment14
Change-Id: If212df3a3b7be1de0fb26b8e88b2fcbb8077c253
Bug: 169762606
(cherry picked from commit 11053c17b397db67b20e96ce769508766cef7db9)
Change-Id: I6494366a5695daedc3f4f0046da9e130a5363f5f
Merged-In: If212df3a3b7be1de0fb26b8e88b2fcbb8077c253
(cherry picked from commit 5beff34b5738ee050d04ff5786e8c883bb5585f8)
Merged-In:I6494366a5695daedc3f4f0046da9e130a5363f5f
---
core/java/android/accounts/Account.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/core/java/android/accounts/Account.java b/core/java/android/accounts/Account.java
index 3f90f36fb2a1..1546ae14862d 100644
--- a/core/java/android/accounts/Account.java
+++ b/core/java/android/accounts/Account.java
@@ -28,6 +28,7 @@ import android.util.ArraySet;
import android.util.Log;
import com.android.internal.annotations.GuardedBy;
+import java.util.Objects;
import java.util.Set;
/**
@@ -80,6 +81,12 @@ public class Account implements Parcelable {
if (TextUtils.isEmpty(type)) {
throw new IllegalArgumentException("the type must not be empty: " + type);
}
+ if (name.length() > 200) {
+ throw new IllegalArgumentException("account name is longer than 200 characters");
+ }
+ if (type.length() > 200) {
+ throw new IllegalArgumentException("account type is longer than 200 characters");
+ }
this.name = name;
this.type = type;
this.accessId = accessId;

87
Patches/LineageOS-14.1/android_frameworks_base/331108.patch Normal file
View File

@ -0,0 +1,87 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alex Buynytskyy <alexbuy@google.com>
Date: Thu, 24 Feb 2022 21:40:13 -0800
Subject: [PATCH] Always restart apps if base.apk gets updated.
Bug: 219044664
Fixes: 219044664
Test: atest PackageManagerShellCommandTest
Change-Id: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296
Merged-In: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296
(cherry picked from commit a5dd59db6d1889ae0aa95ef01bbf8c98e360a2f2)
Merged-In: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296
---
.../android/content/pm/IPackageInstallerSession.aidl | 2 ++
core/java/android/content/pm/PackageInstaller.java | 12 ++++++++++++
.../android/server/pm/PackageInstallerSession.java | 10 ++++++++++
3 files changed, 24 insertions(+)
diff --git a/core/java/android/content/pm/IPackageInstallerSession.aidl b/core/java/android/content/pm/IPackageInstallerSession.aidl
index 2a3fac341e24..c612e6afc6e3 100644
--- a/core/java/android/content/pm/IPackageInstallerSession.aidl
+++ b/core/java/android/content/pm/IPackageInstallerSession.aidl
@@ -34,4 +34,6 @@ interface IPackageInstallerSession {
void close();
void commit(in IntentSender statusReceiver);
void abandon();
+
+ int getInstallFlags();
}
diff --git a/core/java/android/content/pm/PackageInstaller.java b/core/java/android/content/pm/PackageInstaller.java
index ed8143e36f03..3516590338c5 100644
--- a/core/java/android/content/pm/PackageInstaller.java
+++ b/core/java/android/content/pm/PackageInstaller.java
@@ -844,6 +844,18 @@ public class PackageInstaller {
throw e.rethrowFromSystemServer();
}
}
+
+ /**
+ * @return Session's {@link SessionParams#installFlags}.
+ * @hide
+ */
+ public int getInstallFlags() {
+ try {
+ return mSession.getInstallFlags();
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
+ }
}
/**
diff --git a/services/core/java/com/android/server/pm/PackageInstallerSession.java b/services/core/java/com/android/server/pm/PackageInstallerSession.java
index 6eb7bcd9893a..d0721071e308 100644
--- a/services/core/java/com/android/server/pm/PackageInstallerSession.java
+++ b/services/core/java/com/android/server/pm/PackageInstallerSession.java
@@ -62,6 +62,7 @@ import android.system.OsConstants;
import android.system.StructStat;
import android.text.TextUtils;
import android.util.ArraySet;
+import android.util.EventLog;
import android.util.ExceptionUtils;
import android.util.MathUtils;
import android.util.Slog;
@@ -808,6 +809,10 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
if (mResolvedBaseFile == null) {
mResolvedBaseFile = new File(appInfo.getBaseCodePath());
mResolvedInheritedFiles.add(mResolvedBaseFile);
+ } else if ((params.installFlags & PackageManager.INSTALL_DONT_KILL_APP) != 0) {
+ EventLog.writeEvent(0x534e4554, "219044664");
+ // Installing base.apk. Make sure the app is restarted.
+ params.setDontKillApp(false);
}
// Inherit splits if not overridden
@@ -1136,6 +1141,11 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
dispatchSessionFinished(INSTALL_FAILED_ABORTED, "Session was abandoned", null);
}
+ @Override
+ public int getInstallFlags() {
+ return params.installFlags;
+ }
+
private void dispatchSessionFinished(int returnCode, String msg, Bundle extras) {
mFinalStatus = returnCode;
mFinalMessage = msg;

36
Patches/LineageOS-14.1/android_frameworks_base/332444.patch Normal file
View File

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Selim Cinek <cinek@google.com>
Date: Fri, 5 May 2017 14:45:11 -0700
Subject: [PATCH] Fixed a concurrent modification crash
Test: runtest -x packages/SystemUI/tests/src/com/android/systemui/settings/CurrentUserTrackerTest.java
Change-Id: I23261843b7366d3a66a795a41c61b7661f7ca3a6
Fixes: 38006784
[syphyr: Backport to LineageOS 14.1: implement the actual fix only -
without exposing private members for testing visibility]
Signed-off-by: syphyr <syphyr@gmail.com>
Change-Id: Iceb22cc9d93f893e12def6b4e6d2b8cfba9a1b9f
---
.../com/android/systemui/settings/CurrentUserTracker.java | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/packages/SystemUI/src/com/android/systemui/settings/CurrentUserTracker.java b/packages/SystemUI/src/com/android/systemui/settings/CurrentUserTracker.java
index 005206fcd14c..90d8b61b9157 100644
--- a/packages/SystemUI/src/com/android/systemui/settings/CurrentUserTracker.java
+++ b/packages/SystemUI/src/com/android/systemui/settings/CurrentUserTracker.java
@@ -105,8 +105,12 @@ public abstract class CurrentUserTracker {
private void notifyUserSwitched(int newUserId) {
if (mCurrentUserId != newUserId) {
mCurrentUserId = newUserId;
- for (Consumer<Integer> consumer : mCallbacks) {
- consumer.accept(newUserId);
+ List<Consumer<Integer>> callbacks = new ArrayList<>(mCallbacks);
+ for (Consumer<Integer> consumer : callbacks) {
+ // Accepting may modify this list
+ if (mCallbacks.contains(consumer)) {
+ consumer.accept(newUserId);
+ }
}
}
}

41
Patches/LineageOS-14.1/android_frameworks_base/332445.patch Normal file
View File

@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ayush Sharma <ayushsha@google.com>
Date: Wed, 16 Mar 2022 10:32:23 +0000
Subject: [PATCH] Fix security hole in GateKeeperResponse
GateKeeperResponse has inconsistent writeToParcel() and
createFromParcel() methods, making it possible for a malicious app to
create a Bundle that changes contents after reserialization. Such
Bundles can be used to execute Intents with system privileges.
We fixed related issues previously for GateKeeperResponse class, but
one of the case was remaining when payload is byte array of size 0,
Fixing this case now.
Bug: 220303465
Test: With the POC provided in the bug.
Change-Id: Ida28d611edd674e76ed39dd8037f52abcba82586
Merged-In: Ida28d611edd674e76ed39dd8037f52abcba82586
(cherry picked from commit 46653a91c30245ca29d41d69174813979a910496)
Change-Id: I486348c7a01c6f59c952b20fb4a36429fff22958
(cherry picked from commit 658c53c47c0d1b6a74d3c0a72372aaaba16c2516)
Merged-In: I486348c7a01c6f59c952b20fb4a36429fff22958
---
core/java/android/service/gatekeeper/GateKeeperResponse.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java
index 6ca6d8ac7100..53baedc769fa 100644
--- a/core/java/android/service/gatekeeper/GateKeeperResponse.java
+++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java
@@ -82,7 +82,7 @@ public final class GateKeeperResponse implements Parcelable {
dest.writeInt(mTimeout);
} else if (mResponseCode == RESPONSE_OK) {
dest.writeInt(mShouldReEnroll ? 1 : 0);
- if (mPayload != null) {
+ if (mPayload != null && mPayload.length > 0) {
dest.writeInt(mPayload.length);
dest.writeByteArray(mPayload);
} else {

45
Patches/LineageOS-14.1/android_frameworks_base/332446.patch Normal file
View File

@ -0,0 +1,45 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: David Christie <dnchrist@google.com>
Date: Fri, 11 Mar 2022 01:13:31 +0000
Subject: [PATCH] Update GeofenceHardwareRequestParcelable to match
parcel/unparcel format.
Test: manual
Bug: 216631962
Change-Id: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3
(cherry picked from commit 3e1ffdb29417f4fb994587a013fa56c83e157f6f)
Merged-In: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3
---
.../location/GeofenceHardwareRequestParcelable.java | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java b/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java
index d3311f5c8c5e..fc27d1de6372 100644
--- a/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java
+++ b/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java
@@ -16,9 +16,9 @@
package android.hardware.location;
+import android.os.BadParcelableException;
import android.os.Parcel;
import android.os.Parcelable;
-import android.util.Log;
/**
* Geofence Hardware Request used for internal location services communication.
@@ -139,11 +139,8 @@ public final class GeofenceHardwareRequestParcelable implements Parcelable {
@Override
public GeofenceHardwareRequestParcelable createFromParcel(Parcel parcel) {
int geofenceType = parcel.readInt();
- if(geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) {
- Log.e(
- "GeofenceHardwareRequest",
- String.format("Invalid Geofence type: %d", geofenceType));
- return null;
+ if (geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) {
+ throw new BadParcelableException("Invalid Geofence type: " + geofenceType);
}
GeofenceHardwareRequest request = GeofenceHardwareRequest.createCircularGeofence(

44
Patches/LineageOS-14.1/android_frameworks_base/332447.patch Normal file
View File

@ -0,0 +1,44 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Oli Lan <olilan@google.com>
Date: Fri, 25 Mar 2022 10:02:41 +0000
Subject: [PATCH] RESTRICT AUTOMERGE Prevent non-admin users from deleting
system apps.
This addresses a security issue where the guest user can remove updates
for system apps.
With this CL, attempts to uninstall/downgrade system apps will fail if
attempted by a non-admin user.
This is a backport of ag/17352264.
Bug: 170646036
Test: manual, try uninstalling system app update as guest
Change-Id: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb
Merged-In: I4e959e296cca9bbdfc8fccc5e5e0e654ca524165
(cherry picked from commit a7621e0ce00f1d140b375518e26cf75693314203)
Merged-In: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb
---
.../com/android/server/pm/PackageManagerService.java | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 2e63c6c4d4e3..9265358b8b37 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -16059,6 +16059,15 @@ public class PackageManagerService extends IPackageManager.Stub {
Slog.w(TAG, "Not removing non-existent package " + packageName);
return PackageManager.DELETE_FAILED_INTERNAL_ERROR;
}
+ if (isSystemApp(uninstalledPs)) {
+ UserInfo userInfo = sUserManager.getUserInfo(userId);
+ if (userInfo == null || !userInfo.isAdmin()) {
+ Slog.w(TAG, "Not removing package " + packageName
+ + " as only admin user may downgrade system apps");
+ EventLog.writeEvent(0x534e4554, "170646036", -1, packageName);
+ return PackageManager.DELETE_FAILED_USER_RESTRICTED;
+ }
+ }
allUsers = sUserManager.getUserIds();
info.origUsers = uninstalledPs.queryInstalledUsers(allUsers, true);
}

36
Patches/LineageOS-14.1/android_frameworks_base/332448.patch Normal file
View File

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Thomas Stuart <tjstuart@google.com>
Date: Mon, 31 Jan 2022 20:31:42 +0000
Subject: [PATCH] limit TelecomManager#registerPhoneAccount to 10; api doc
update
bug: 209814693
Bug: 217934478
Test: CTS
Change-Id: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
(cherry picked from commit f0f67b5a319efedbf8693b436a641fa65bc2d8be)
Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
---
telecomm/java/android/telecom/TelecomManager.java | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/telecomm/java/android/telecom/TelecomManager.java b/telecomm/java/android/telecom/TelecomManager.java
index c06fb3aeb860..b05e0fc2752c 100644
--- a/telecomm/java/android/telecom/TelecomManager.java
+++ b/telecomm/java/android/telecom/TelecomManager.java
@@ -845,9 +845,14 @@ public class TelecomManager {
* when placing calls. The user may still need to enable the {@link PhoneAccount} within
* the phone app settings before the account is usable.
* <p>
+ * Note: Each package is limited to 10 {@link PhoneAccount} registrations.
+ * <p>
* A {@link SecurityException} will be thrown if an app tries to register a
* {@link PhoneAccountHandle} where the package name specified within
* {@link PhoneAccountHandle#getComponentName()} does not match the package name of the app.
+ * <p>
+ * A {@link IllegalArgumentException} will be thrown if an app tries to register a
+ * {@link PhoneAccount} when the upper bound limit, 10, has already been reached.
*
* @param account The complete {@link PhoneAccount}.
*/

40
Patches/LineageOS-14.1/android_frameworks_base/332449.patch Normal file
View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Julia Reynolds <juliacr@google.com>
Date: Tue, 1 Mar 2022 10:30:27 -0500
Subject: [PATCH] DO NOT MERGE Add an OEM configurable limit for zen rules
Test: ZenModeHelperTest
Bug: 220735360
Change-Id: I3da105951af90007bf48dc6cf00aed3e28778b36
Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36
(cherry picked from commit 3072d98c2dc2b709bd8ffc343c101557a53dd188)
Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36
---
.../com/android/server/notification/ZenModeHelper.java | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/services/core/java/com/android/server/notification/ZenModeHelper.java b/services/core/java/com/android/server/notification/ZenModeHelper.java
index c2d70c070ad4..eb883b486b09 100644
--- a/services/core/java/com/android/server/notification/ZenModeHelper.java
+++ b/services/core/java/com/android/server/notification/ZenModeHelper.java
@@ -85,6 +85,7 @@ public class ZenModeHelper {
// The amount of time rules instances can exist without their owning app being installed.
private static final int RULE_INSTANCE_GRACE_PERIOD = 1000 * 60 * 60 * 72;
+ static final int RULE_LIMIT_PER_PACKAGE = 100;
private final Context mContext;
private final H mHandler;
@@ -294,8 +295,10 @@ public class ZenModeHelper {
ruleInstanceLimit = owner.metaData.getInt(
ConditionProviderService.META_DATA_RULE_INSTANCE_LIMIT, -1);
}
- if (ruleInstanceLimit > 0 && ruleInstanceLimit
- < (getCurrentInstanceCount(automaticZenRule.getOwner()) + 1)) {
+ int newRuleInstanceCount = getCurrentInstanceCount(automaticZenRule.getOwner())
+ + 1;
+ if (newRuleInstanceCount > RULE_LIMIT_PER_PACKAGE
+ || (ruleInstanceLimit > 0 && ruleInstanceLimit < newRuleInstanceCount)) {
throw new IllegalArgumentException("Rule instance limit exceeded");
}
}

34
Patches/LineageOS-14.1/android_frameworks_base/334035.patch Normal file
View File

@ -0,0 +1,34 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Julia Reynolds <juliacr@google.com>
Date: Wed, 7 Jul 2021 16:19:44 -0400
Subject: [PATCH] DO NOT MERGE Crash invalid FGS notifications
Test: CTS, ActivityManagerProcessStateTest
Fixes: 191981182
Change-Id: I13a0202b25c8118db47edba11a93c1939c94b392
Merged-In: I13a0202b25c8118db47edba11a93c1939c94b392
(cherry picked from commit 6f657f8f5b7d41af426d6cd8d60bfda6e12057c0)
(cherry picked from commit b6b2906ea6472d182e6ae03c581a63802cd84f08)
Merged-In: I13a0202b25c8118db47edba11a93c1939c94b392
---
.../server/notification/NotificationManagerService.java | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
index 7ced1f96cc49..84ea9ce7751a 100644
--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
+++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
@@ -2732,8 +2732,11 @@ public class NotificationManagerService extends SystemService {
pkg, PackageManager.MATCH_DEBUG_TRIAGED_MISSING,
(userId == UserHandle.USER_ALL) ? UserHandle.USER_SYSTEM : userId);
Notification.addFieldsFromContext(ai, userId, notification);
- } catch (NameNotFoundException e) {
- Slog.e(TAG, "Cannot create a context for sending app", e);
+ } catch (Exception e) {
+ if ((notification.flags & Notification.FLAG_FOREGROUND_SERVICE) != 0) {
+ throw new SecurityException("Invalid FGS notification", e);
+ }
+ Slog.e(TAG, "Cannot fix notification", e);
return;
}

36
Patches/LineageOS-14.1/android_frameworks_base/334325.patch Normal file
View File

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Bin Wang <bin.wang@oppo.corp-partner.google.com>
Date: Thu, 23 Jun 2022 16:00:24 +0800
Subject: [PATCH] Modify conditions for preventing updated system apps from
being downgraded
Add two conditions prior to deciding whether a specific user can downgrade system apps by deletePackageX.
1.uninstalledPs must be a updated system app.
2.deleteFlags does not contains PackageManager.DELETE_SYSTEM_APP, since flag PackageManager.DELETE_SYSTEM_APP
will just mark the app as uninstalled for the specific user instead of uninstalling the update and rolling back
to the older system version.
Test: Update a system app and create some multi users; Then use command "pm uninstall --user ${userId} ${packageName}"
to uninstall the system app for a specific user; The result is that the system app is marked as uninstalled for
this specific user successfully
Signed-off-by: Bin Wang <bin.wang@oppo.corp-partner.google.com>
Change-Id: I2c6c8c4ad1b41995c4d7d0153a036edcfae03687
---
.../core/java/com/android/server/pm/PackageManagerService.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 9265358b8b37..e109337809cf 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -16059,7 +16059,8 @@ public class PackageManagerService extends IPackageManager.Stub {
Slog.w(TAG, "Not removing non-existent package " + packageName);
return PackageManager.DELETE_FAILED_INTERNAL_ERROR;
}
- if (isSystemApp(uninstalledPs)) {
+ if (isUpdatedSystemApp(uninstalledPs)
+ && ((deleteFlags & PackageManager.DELETE_SYSTEM_APP) == 0)) {
UserInfo userInfo = sUserManager.getUserInfo(userId);
if (userInfo == null || !userInfo.isAdmin()) {
Slog.w(TAG, "Not removing package " + packageName

128
Patches/LineageOS-14.1/android_frameworks_base/334871.patch Normal file
View File

@ -0,0 +1,128 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeff Chang <chengjeff@google.com>
Date: Wed, 29 Sep 2021 16:49:00 +0800
Subject: [PATCH] Only allow system and same app to apply
relinquishTaskIdentity
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Any malicious application could hijack tasks by
android:relinquishTaskIdentity. This vulnerability can perform UI
spoofing or spy on users activities.
This CL limit the usage which only allow system and same app to apply
relinquishTaskIdentity
Bug: 185810717
Test: atest IntentTests
atest ActivityStarterTests
Change-Id: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
(cherry picked from commit cd1f9e72cf9752c9a31e990822ab34ae3d475fec)
Merged-In: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
---
.../com/android/server/am/TaskRecord.java | 48 +++++++++++++++----
1 file changed, 38 insertions(+), 10 deletions(-)
diff --git a/services/core/java/com/android/server/am/TaskRecord.java b/services/core/java/com/android/server/am/TaskRecord.java
index 3f6db990a5b5..1e64d9f8a5b5 100644
--- a/services/core/java/com/android/server/am/TaskRecord.java
+++ b/services/core/java/com/android/server/am/TaskRecord.java
@@ -38,6 +38,7 @@ import android.graphics.Point;
import android.graphics.Rect;
import android.os.Debug;
import android.os.ParcelFileDescriptor;
+import android.os.Process;
import android.os.RemoteException;
import android.os.UserHandle;
import android.provider.Settings;
@@ -138,6 +139,11 @@ final class TaskRecord {
static final int INVALID_TASK_ID = -1;
static final int INVALID_MIN_SIZE = -1;
+ /**
+ * Used to identify if the activity that is installed from device's system image.
+ */
+ boolean mIsEffectivelySystemApp;
+
final int taskId; // Unique identifier for this task.
String affinity; // The affinity name for this task, or null; may change identity.
String rootAffinity; // Initial base affinity, or null; does not change from initial root.
@@ -389,9 +395,18 @@ final class TaskRecord {
/** Sets the original intent, and the calling uid and package. */
void setIntent(ActivityRecord r) {
- mCallingUid = r.launchedFromUid;
- mCallingPackage = r.launchedFromPackage;
- setIntent(r.intent, r.info);
+ boolean updateIdentity = false;
+ if (this.intent == null) {
+ updateIdentity = true;
+ } else if (!mNeverRelinquishIdentity) {
+ updateIdentity = (effectiveUid == Process.SYSTEM_UID || mIsEffectivelySystemApp
+ || effectiveUid == r.info.applicationInfo.uid);
+ }
+ if (updateIdentity) {
+ mCallingUid = r.launchedFromUid;
+ mCallingPackage = r.launchedFromPackage;
+ setIntent(r.intent, r.info);
+ }
}
/** Sets the original intent, _without_ updating the calling uid or package. */
@@ -411,6 +426,7 @@ final class TaskRecord {
rootAffinity = affinity;
}
effectiveUid = info.applicationInfo.uid;
+ mIsEffectivelySystemApp = info.applicationInfo.isSystemApp();
stringName = null;
if (info.targetActivity == null) {
@@ -1055,12 +1071,12 @@ final class TaskRecord {
// utility activities.
int activityNdx;
final int numActivities = mActivities.size();
- final boolean relinquish = numActivities == 0 ? false :
- (mActivities.get(0).info.flags & ActivityInfo.FLAG_RELINQUISH_TASK_IDENTITY) != 0;
- for (activityNdx = Math.min(numActivities, 1); activityNdx < numActivities;
- ++activityNdx) {
+ for (activityNdx = 0; activityNdx < numActivities; ++activityNdx) {
final ActivityRecord r = mActivities.get(activityNdx);
- if (relinquish && (r.info.flags & ActivityInfo.FLAG_RELINQUISH_TASK_IDENTITY) == 0) {
+ if ((r.info.flags & ActivityInfo.FLAG_RELINQUISH_TASK_IDENTITY) == 0
+ || (r.info.applicationInfo.uid != Process.SYSTEM_UID
+ && !r.info.applicationInfo.isSystemApp()
+ && r.info.applicationInfo.uid != effectiveUid)) {
// This will be the top activity for determining taskDescription. Pre-inc to
// overcome initial decrement below.
++activityNdx;
@@ -1109,15 +1125,27 @@ final class TaskRecord {
int findEffectiveRootIndex() {
int effectiveNdx = 0;
final int topActivityNdx = mActivities.size() - 1;
+ ActivityRecord root = null;
for (int activityNdx = 0; activityNdx <= topActivityNdx; ++activityNdx) {
final ActivityRecord r = mActivities.get(activityNdx);
if (r.finishing) {
continue;
}
- effectiveNdx = activityNdx;
- if ((r.info.flags & ActivityInfo.FLAG_RELINQUISH_TASK_IDENTITY) == 0) {
+
+ if (root == null) {
+ // Set this as the candidate root since it isn't finishing.
+ root = r;
+ effectiveNdx = activityNdx;
+ }
+ final int uid = root == r ? effectiveUid : r.info.applicationInfo.uid;
+ if ((root.info.flags & ActivityInfo.FLAG_RELINQUISH_TASK_IDENTITY) == 0
+ || (root.info.applicationInfo.uid != Process.SYSTEM_UID
+ && !root.info.applicationInfo.isSystemApp()
+ && root.info.applicationInfo.uid != uid)) {
break;
}
+ effectiveNdx = activityNdx;
+ root = r;
}
return effectiveNdx;
}

70
Patches/LineageOS-14.1/android_frameworks_base/334872.patch Normal file
View File

@ -0,0 +1,70 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: chiachangwang <chiachangwang@google.com>
Date: Thu, 2 Jun 2022 10:22:20 +0000
Subject: [PATCH] Stop using invalid URL to prevent unexpected crash
Verify the input PAC Uri before performing follow-up actions.
Check if the URL is a valid URL to filter some invalid URLs since
these invalid URLs could not fall into any subclass of existing
URLConnections. When the PAC Uri is other invalid URL scheme, it
will cause an UnsupportedOperationException if there is no proper
subclass that implements the openConnection() method.
A malformed URL may crash the system.
Even it's a valid URL, some subclasses(e.g. JarURLConnection)
may not have openConnection() implemented. It will also hit the
problem, so convert the possbile exception from openConnection()
to re-throw it to IOException which is handled in the existing
code.
Bug: 219498290
Test: atest FrameworksNetTests CtsNetTestCases
Test: Test with malformed URL
Merged-In: I22903414380b62051f514e43b93af992f45740b4
Merged-In: I2abff75ec59a17628ef006aad348c53fadbed076
Change-Id: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3
(cherry picked from commit 6390b37a3b32fc7583154d53fda3af8fbd95f59f)
(cherry picked from commit 6d6f4106948bbad67b9845603392d084078997c4)
Merged-In: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3
---
.../server/connectivity/PacManager.java | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/services/core/java/com/android/server/connectivity/PacManager.java b/services/core/java/com/android/server/connectivity/PacManager.java
index 46f76b1a1aec..8bd6a835930c 100644
--- a/services/core/java/com/android/server/connectivity/PacManager.java
+++ b/services/core/java/com/android/server/connectivity/PacManager.java
@@ -36,6 +36,7 @@ import android.os.SystemClock;
import android.os.SystemProperties;
import android.provider.Settings;
import android.util.Log;
+import android.webkit.URLUtil;
import com.android.internal.annotations.GuardedBy;
import com.android.net.IProxyCallback;
@@ -209,8 +210,22 @@ public class PacManager {
* @throws IOException
*/
private static String get(Uri pacUri) throws IOException {
- URL url = new URL(pacUri.toString());
- URLConnection urlConnection = url.openConnection(java.net.Proxy.NO_PROXY);
+ if (!URLUtil.isValidUrl(pacUri.toString())) {
+ throw new IOException("Malformed URL:" + pacUri);
+ }
+
+ final URL url = new URL(pacUri.toString());
+ URLConnection urlConnection;
+ try {
+ urlConnection = url.openConnection(java.net.Proxy.NO_PROXY);
+ // Catch the possible exceptions and rethrow as IOException to not to crash the system
+ // for illegal input.
+ } catch (IllegalArgumentException e) {
+ throw new IOException("Incorrect proxy type for " + pacUri);
+ } catch (UnsupportedOperationException e) {
+ throw new IOException("Unsupported URL connection type for " + pacUri);
+ }
+
long contentLength = -1;
try {
contentLength = Long.parseLong(urlConnection.getHeaderField("Content-Length"));

60
Patches/LineageOS-14.1/android_frameworks_base/334873.patch Normal file
View File

@ -0,0 +1,60 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Makoto Onuki <omakoto@google.com>
Date: Tue, 19 Apr 2022 10:54:18 -0700
Subject: [PATCH] Only allow the system server to connect to sync adapters
Bug: 203229608
Test: Manual test with changing the check logic + debug log
Change-Id: If18009f61360564d02dcda9b1e5fa15685e3250f
(cherry picked from commit 58270527d11ac7e5f07d337a402d8edf046a63ee)
(cherry picked from commit 7d1397a54475ed7fee632339ef7c60b432f0fbff)
Merged-In: If18009f61360564d02dcda9b1e5fa15685e3250f
---
.../content/AbstractThreadedSyncAdapter.java | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/core/java/android/content/AbstractThreadedSyncAdapter.java b/core/java/android/content/AbstractThreadedSyncAdapter.java
index 58bd5cda825d..9d1978a3a5ef 100644
--- a/core/java/android/content/AbstractThreadedSyncAdapter.java
+++ b/core/java/android/content/AbstractThreadedSyncAdapter.java
@@ -17,6 +17,7 @@
package android.content;
import android.accounts.Account;
+import android.os.Binder;
import android.os.Bundle;
import android.os.IBinder;
import android.os.Process;
@@ -160,9 +161,22 @@ public abstract class AbstractThreadedSyncAdapter {
}
private class ISyncAdapterImpl extends ISyncAdapter.Stub {
+ private boolean isCallerSystem() {
+ final long callingUid = Binder.getCallingUid();
+ if (callingUid != Process.SYSTEM_UID) {
+ android.util.EventLog.writeEvent(0x534e4554, "203229608", -1, "");
+ return false;
+ }
+ return true;
+ }
+
@Override
public void startSync(ISyncContext syncContext, String authority, Account account,
Bundle extras) {
+ if (!isCallerSystem()) {
+ return;
+ }
+
final SyncContext syncContextClient = new SyncContext(syncContext);
boolean alreadyInProgress;
@@ -203,6 +217,9 @@ public abstract class AbstractThreadedSyncAdapter {
@Override
public void cancelSync(ISyncContext syncContext) {
+ if (!isCallerSystem()) {
+ return;
+ }
// synchronize to make sure that mSyncThreads doesn't change between when we
// check it and when we use it
SyncThread info = null;

41
Patches/LineageOS-14.1/android_frameworks_base/338003.patch Normal file
View File

@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Adrian Roos <roosa@google.com>
Date: Thu, 24 Sep 2020 15:30:46 +0200
Subject: [PATCH] IMMS: Make IMMS PendingIntents immutable
Fixes: 154913391
Test: n/a
Change-Id: I34a95732ef3e7c20d6549b57230c11f0c3db04d6
Merged-In: I34a95732ef3e7c20d6549b57230c11f0c3db04d6
(cherry picked from commit d4b625994f7664666ac7b53bf6a7d79a6459b3f1)
(cherry picked from commit 6842f03c9d2f128785df5ce2bd02c61f35226554)
(cherry picked from commit 2b859826165bddb11f17b217d097253c442f6045)
Merged-In: I34a95732ef3e7c20d6549b57230c11f0c3db04d6
---
.../java/com/android/server/InputMethodManagerService.java | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/services/core/java/com/android/server/InputMethodManagerService.java b/services/core/java/com/android/server/InputMethodManagerService.java
index 6ae495a37632..6685ea942f55 100644
--- a/services/core/java/com/android/server/InputMethodManagerService.java
+++ b/services/core/java/com/android/server/InputMethodManagerService.java
@@ -914,7 +914,8 @@ public class InputMethodManagerService extends IInputMethodManager.Stub
.setColor(com.android.internal.R.color.system_notification_accent_color);
Intent intent = new Intent(Settings.ACTION_SHOW_INPUT_METHOD_PICKER);
- mImeSwitchPendingIntent = PendingIntent.getBroadcast(mContext, 0, intent, 0);
+ mImeSwitchPendingIntent = PendingIntent.getBroadcast(mContext, 0, intent,
+ PendingIntent.FLAG_IMMUTABLE);
mShowOngoingImeSwitcherForPhones = false;
@@ -1507,7 +1508,8 @@ public class InputMethodManagerService extends IInputMethodManager.Stub
mCurIntent.putExtra(Intent.EXTRA_CLIENT_LABEL,
com.android.internal.R.string.input_method_binding_label);
mCurIntent.putExtra(Intent.EXTRA_CLIENT_INTENT, PendingIntent.getActivity(
- mContext, 0, new Intent(Settings.ACTION_INPUT_METHOD_SETTINGS), 0));
+ mContext, 0, new Intent(Settings.ACTION_INPUT_METHOD_SETTINGS),
+ PendingIntent.FLAG_IMMUTABLE));
if (bindCurrentInputMethodService(mCurIntent, this, Context.BIND_AUTO_CREATE
| Context.BIND_NOT_VISIBLE | Context.BIND_NOT_FOREGROUND
| Context.BIND_SHOWING_UI)) {

187
Patches/LineageOS-14.1/android_frameworks_native/315714.patch Normal file
View File

@ -0,0 +1,187 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Siarhei Vishniakou <svv@google.com>
Date: Mon, 21 Jun 2021 22:30:51 +0000
Subject: [PATCH] Do not modify vector after getting references
We used to obtain a reference to a specific element inside a vector. We
would then modify the vector, invalidating the reference. But we then
used the reference, and passed it to 'assignPointerIds'.
Refactor the code to modify the collection first, and then to proceed
with modifying / reading the elements.
Bug: 179839665
Test: atest inputflinger_tests (on a hwasan build)
Merged-In: I9204b954884e9c83a50babdad5e08a0f6d18ad78
Change-Id: I9204b954884e9c83a50babdad5e08a0f6d18ad78
(cherry picked from commit ade0672333565773645abe89eccc468572c07228)
---
services/inputflinger/InputReader.cpp | 80 +++++++++++++--------------
services/inputflinger/InputReader.h | 2 +-
2 files changed, 41 insertions(+), 41 deletions(-)
diff --git a/services/inputflinger/InputReader.cpp b/services/inputflinger/InputReader.cpp
index 768c8f88da..7f8457e1e5 100644
--- a/services/inputflinger/InputReader.cpp
+++ b/services/inputflinger/InputReader.cpp
@@ -4082,27 +4082,27 @@ void TouchInputMapper::process(const RawEvent* rawEvent) {
}
void TouchInputMapper::sync(nsecs_t when) {
- const RawState* last = mRawStatesPending.isEmpty() ?
- &mCurrentRawState : &mRawStatesPending.top();
-
// Push a new state.
mRawStatesPending.push();
- RawState* next = &mRawStatesPending.editTop();
- next->clear();
- next->when = when;
+ RawState& next = mRawStatesPending.editTop();
+ next.clear();
+ next.when = when;
// Sync button state.
- next->buttonState = mTouchButtonAccumulator.getButtonState()
+ next.buttonState = mTouchButtonAccumulator.getButtonState()
| mCursorButtonAccumulator.getButtonState();
// Sync scroll
- next->rawVScroll = mCursorScrollAccumulator.getRelativeVWheel();
- next->rawHScroll = mCursorScrollAccumulator.getRelativeHWheel();
+ next.rawVScroll = mCursorScrollAccumulator.getRelativeVWheel();
+ next.rawHScroll = mCursorScrollAccumulator.getRelativeHWheel();
mCursorScrollAccumulator.finishSync();
// Sync touch
- syncTouch(when, next);
+ syncTouch(when, &next);
+ // The last RawState is actually the second to last, since we just added a new state
+ const RawState& last = mRawStatesPending.size() == 1 ?
+ mCurrentRawState : mRawStatesPending.editItemAt(mRawStatesPending.size() - 2);
// Assign pointer ids.
if (!mHavePointerIds) {
assignPointerIds(last, next);
@@ -4111,12 +4111,12 @@ void TouchInputMapper::sync(nsecs_t when) {
#if DEBUG_RAW_EVENTS
ALOGD("syncTouch: pointerCount %d -> %d, touching ids 0x%08x -> 0x%08x, "
"hovering ids 0x%08x -> 0x%08x",
- last->rawPointerData.pointerCount,
- next->rawPointerData.pointerCount,
- last->rawPointerData.touchingIdBits.value,
- next->rawPointerData.touchingIdBits.value,
- last->rawPointerData.hoveringIdBits.value,
- next->rawPointerData.hoveringIdBits.value);
+ last.rawPointerData.pointerCount,
+ next.rawPointerData.pointerCount,
+ last.rawPointerData.touchingIdBits.value,
+ next.rawPointerData.touchingIdBits.value,
+ last.rawPointerData.hoveringIdBits.value,
+ next.rawPointerData.hoveringIdBits.value);
#endif
processRawTouches(false /*timeout*/);
@@ -6368,11 +6368,11 @@ const TouchInputMapper::VirtualKey* TouchInputMapper::findVirtualKeyHit(
return NULL;
}
-void TouchInputMapper::assignPointerIds(const RawState* last, RawState* current) {
- uint32_t currentPointerCount = current->rawPointerData.pointerCount;
- uint32_t lastPointerCount = last->rawPointerData.pointerCount;
+void TouchInputMapper::assignPointerIds(const RawState& last, RawState& current) {
+ uint32_t currentPointerCount = current.rawPointerData.pointerCount;
+ uint32_t lastPointerCount = last.rawPointerData.pointerCount;
- current->rawPointerData.clearIdBits();
+ current.rawPointerData.clearIdBits();
if (currentPointerCount == 0) {
// No pointers to assign.
@@ -6383,21 +6383,21 @@ void TouchInputMapper::assignPointerIds(const RawState* last, RawState* current)
// All pointers are new.
for (uint32_t i = 0; i < currentPointerCount; i++) {
uint32_t id = i;
- current->rawPointerData.pointers[i].id = id;
- current->rawPointerData.idToIndex[id] = i;
- current->rawPointerData.markIdBit(id, current->rawPointerData.isHovering(i));
+ current.rawPointerData.pointers[i].id = id;
+ current.rawPointerData.idToIndex[id] = i;
+ current.rawPointerData.markIdBit(id, current.rawPointerData.isHovering(i));
}
return;
}
if (currentPointerCount == 1 && lastPointerCount == 1
- && current->rawPointerData.pointers[0].toolType
- == last->rawPointerData.pointers[0].toolType) {
+ && current.rawPointerData.pointers[0].toolType
+ == last.rawPointerData.pointers[0].toolType) {
// Only one pointer and no change in count so it must have the same id as before.
- uint32_t id = last->rawPointerData.pointers[0].id;
- current->rawPointerData.pointers[0].id = id;
- current->rawPointerData.idToIndex[id] = 0;
- current->rawPointerData.markIdBit(id, current->rawPointerData.isHovering(0));
+ uint32_t id = last.rawPointerData.pointers[0].id;
+ current.rawPointerData.pointers[0].id = id;
+ current.rawPointerData.idToIndex[id] = 0;
+ current.rawPointerData.markIdBit(id, current.rawPointerData.isHovering(0));
return;
}
@@ -6415,9 +6415,9 @@ void TouchInputMapper::assignPointerIds(const RawState* last, RawState* current)
for (uint32_t lastPointerIndex = 0; lastPointerIndex < lastPointerCount;
lastPointerIndex++) {
const RawPointerData::Pointer& currentPointer =
- current->rawPointerData.pointers[currentPointerIndex];
+ current.rawPointerData.pointers[currentPointerIndex];
const RawPointerData::Pointer& lastPointer =
- last->rawPointerData.pointers[lastPointerIndex];
+ last.rawPointerData.pointers[lastPointerIndex];
if (currentPointer.toolType == lastPointer.toolType) {
int64_t deltaX = currentPointer.x - lastPointer.x;
int64_t deltaY = currentPointer.y - lastPointer.y;
@@ -6523,11 +6523,11 @@ void TouchInputMapper::assignPointerIds(const RawState* last, RawState* current)
matchedCurrentBits.markBit(currentPointerIndex);
matchedLastBits.markBit(lastPointerIndex);
- uint32_t id = last->rawPointerData.pointers[lastPointerIndex].id;
- current->rawPointerData.pointers[currentPointerIndex].id = id;
- current->rawPointerData.idToIndex[id] = currentPointerIndex;
- current->rawPointerData.markIdBit(id,
- current->rawPointerData.isHovering(currentPointerIndex));
+ uint32_t id = last.rawPointerData.pointers[lastPointerIndex].id;
+ current.rawPointerData.pointers[currentPointerIndex].id = id;
+ current.rawPointerData.idToIndex[id] = currentPointerIndex;
+ current.rawPointerData.markIdBit(id,
+ current.rawPointerData.isHovering(currentPointerIndex));
usedIdBits.markBit(id);
#if DEBUG_POINTER_ASSIGNMENT
@@ -6543,10 +6543,10 @@ void TouchInputMapper::assignPointerIds(const RawState* last, RawState* current)
uint32_t currentPointerIndex = matchedCurrentBits.markFirstUnmarkedBit();
uint32_t id = usedIdBits.markFirstUnmarkedBit();
- current->rawPointerData.pointers[currentPointerIndex].id = id;
- current->rawPointerData.idToIndex[id] = currentPointerIndex;
- current->rawPointerData.markIdBit(id,
- current->rawPointerData.isHovering(currentPointerIndex));
+ current.rawPointerData.pointers[currentPointerIndex].id = id;
+ current.rawPointerData.idToIndex[id] = currentPointerIndex;
+ current.rawPointerData.markIdBit(id,
+ current.rawPointerData.isHovering(currentPointerIndex));
#if DEBUG_POINTER_ASSIGNMENT
ALOGD("assignPointerIds - assigned: cur=%d, id=%d",
diff --git a/services/inputflinger/InputReader.h b/services/inputflinger/InputReader.h
index dacdacc8de..9c11f8dc80 100644
--- a/services/inputflinger/InputReader.h
+++ b/services/inputflinger/InputReader.h
@@ -1906,7 +1906,7 @@ private:
bool isPointInsideSurface(int32_t x, int32_t y);
const VirtualKey* findVirtualKeyHit(int32_t x, int32_t y);
- static void assignPointerIds(const RawState* last, RawState* current);
+ static void assignPointerIds(const RawState& last, RawState& current);
void unfadePointer(PointerControllerInterface::Transition transition);

42
Patches/LineageOS-14.1/android_frameworks_native/325993.patch Normal file
View File

@ -0,0 +1,42 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Siarhei Vishniakou <svv@google.com>
Date: Wed, 9 Dec 2020 08:07:46 -1000
Subject: [PATCH] Check if the window is partially obscured for slippery enters
Currently, we only check whether a window is partially obscured during
the initial tap down. However, there is another use case: slippery
enter.
During a slippery enter, the touch down is generated into the
slipped-into window, and touch cancel is generated for the slipped-from
window. The window receiving the slippery enter does not need to have
any flags.
Until we figure out whether we can restrict the usage of this flag to
system components, add this check as an intermediate fix.
Bug: 157929241
Test: atest FlagSlipperyTest
Test: atest inputflinger_tests
Change-Id: I93d9681479f41244ffed4b1f88cceb69be71adf2
Merged-In: I93d9681479f41244ffed4b1f88cceb69be71adf2
(cherry picked from commit 870ececa8d5dfb293e671c716f98ccddae24147f)
(cherry picked from commit 6e689ffe3fad4b190629e11222936fb7cda041c2)
Merged-In:I93d9681479f41244ffed4b1f88cceb69be71adf2
---
services/inputflinger/InputDispatcher.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/services/inputflinger/InputDispatcher.cpp b/services/inputflinger/InputDispatcher.cpp
index 37e9038aa6..07040a626b 100644
--- a/services/inputflinger/InputDispatcher.cpp
+++ b/services/inputflinger/InputDispatcher.cpp
@@ -1391,6 +1391,8 @@ int32_t InputDispatcher::findTouchedWindowTargetsLocked(nsecs_t currentTime,
}
if (isWindowObscuredAtPointLocked(newTouchedWindowHandle, x, y)) {
targetFlags |= InputTarget::FLAG_WINDOW_IS_OBSCURED;
+ } else if (isWindowObscuredLocked(newTouchedWindowHandle)) {
+ targetFlags |= InputTarget::FLAG_WINDOW_IS_PARTIALLY_OBSCURED;
}
BitSet32 pointerIds;

30
Patches/LineageOS-14.1/android_packages_apps_Bluetooth/332451.patch Normal file
View File

@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Rahul Sabnis <rahulsabnis@google.com>
Date: Wed, 6 Apr 2022 18:08:18 +0000
Subject: [PATCH] Removes app access to BluetoothAdapter#setScanMode by
requiring BLUETOOTH_PRIVILEGED permission.
Bug: 203431023
Test: Manual
Merged-In: I50d5ed327a7c90a3f73a9924e5b2b66310dff76c
Change-Id: I50d5ed327a7c90a3f73a9924e5b2b66310dff76c
(cherry picked from commit 95cbb22647ef5e4505f64d97b7dcbfad2a9fb0e0)
Merged-In: I50d5ed327a7c90a3f73a9924e5b2b66310dff76c
---
src/com/android/bluetooth/btservice/AdapterService.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/com/android/bluetooth/btservice/AdapterService.java b/src/com/android/bluetooth/btservice/AdapterService.java
index 9ecb0bb7b..753b0a298 100644
--- a/src/com/android/bluetooth/btservice/AdapterService.java
+++ b/src/com/android/bluetooth/btservice/AdapterService.java
@@ -1625,7 +1625,8 @@ public class AdapterService extends Service {
}
boolean setScanMode(int mode, int duration) {
- enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
+ enforceCallingOrSelfPermission(BLUETOOTH_PRIVILEGED,
+ "Need BLUETOOTH PRIVILEGED permission");
setDiscoverableTimeout(duration);
int newMode = convertScanModeToHal(mode);

30
Patches/LineageOS-14.1/android_packages_apps_Bluetooth/332452.patch Normal file
View File

@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Rahul Sabnis <rahulsabnis@google.com>
Date: Wed, 6 Apr 2022 22:44:01 +0000
Subject: [PATCH] Removes app access to BluetoothAdapter#setDiscoverableTimeout
by requiring BLUETOOTH_PRIVILEGED permission.
Bug: 206807679
Test: Manual
Merged-In: I73288f495d35280a5724d070248db54e2fe537fd
Change-Id: I73288f495d35280a5724d070248db54e2fe537fd
(cherry picked from commit 528ea846133dc7dc4ce843e5b649abd50b58d527)
Merged-In: I73288f495d35280a5724d070248db54e2fe537fd
---
src/com/android/bluetooth/btservice/AdapterService.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/com/android/bluetooth/btservice/AdapterService.java b/src/com/android/bluetooth/btservice/AdapterService.java
index 753b0a298..d4c7778ae 100644
--- a/src/com/android/bluetooth/btservice/AdapterService.java
+++ b/src/com/android/bluetooth/btservice/AdapterService.java
@@ -1640,7 +1640,8 @@ public class AdapterService extends Service {
}
boolean setDiscoverableTimeout(int timeout) {
- enforceCallingOrSelfPermission(BLUETOOTH_PERM, "Need BLUETOOTH permission");
+ enforceCallingOrSelfPermission(BLUETOOTH_PRIVILEGED,
+ "Need BLUETOOTH PRIVILEGED permission");
return mAdapterProperties.setDiscoverableTimeout(timeout);
}

26
Patches/LineageOS-14.1/android_packages_apps_Contacts/318518.patch Normal file
View File

@ -0,0 +1,26 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: John Shao <johnshao@google.com>
Date: Wed, 25 Aug 2021 23:29:56 +0000
Subject: [PATCH] Add permission to start NFC activity to ensure it is from NFC
stack
Bug: 191053931
Test: build
Change-Id: I41b5ddf464f45e68a4da6ad880cbc9b12e447ec5
(cherry picked from commit 024c62fa49aa2090daf50657c2b509b9478d8b92)
---
AndroidManifest.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index b3f789852..c0c87c192 100755
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -468,6 +468,7 @@
</activity>
<activity android:name=".common.vcard.NfcImportVCardActivity"
+ android:permission="android.permission.DISPATCH_NFC_MESSAGE"
android:label="@string/launcherActivityLabel"
android:configChanges="orientation|screenSize|keyboardHidden"
android:theme="@style/BackgroundOnlyTheme">

95
Patches/LineageOS-14.1/android_packages_apps_Contacts/319989.patch Normal file
View File

@ -0,0 +1,95 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Mai <garymai@google.com>
Date: Wed, 15 Sep 2021 16:20:01 -0700
Subject: [PATCH] Address photo editing security bug
Filter to only system apps that can handle cropping.
Otherwise, save the photo as is.
Bug: 195748381
Test: Manual test with the PoC. Verified only the system installed app
was able to crop the photo and no crop was offered when it was disabled
Change-Id: Id1527f589064aa278715afcb060647ec6841e6da
(cherry picked from commit 8b19ca470847f5f77d5b2e5dd086aae9ad4ea389)
---
.../contacts/activities/AttachPhotoActivity.java | 13 ++++++++-----
.../contacts/detail/PhotoSelectionHandler.java | 13 ++++++++-----
2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/src/com/android/contacts/activities/AttachPhotoActivity.java b/src/com/android/contacts/activities/AttachPhotoActivity.java
index 1abbecfd1..012bd1501 100644
--- a/src/com/android/contacts/activities/AttachPhotoActivity.java
+++ b/src/com/android/contacts/activities/AttachPhotoActivity.java
@@ -187,7 +187,8 @@ public class AttachPhotoActivity extends ContactsActivity {
}
ContactPhotoUtils.addPhotoPickerExtras(intent, mCroppedPhotoUri);
ContactPhotoUtils.addCropExtras(intent, mPhotoDim != 0 ? mPhotoDim : mDefaultPhotoDim);
- if (!hasIntentHandler(intent)) {
+ final ResolveInfo intentHandler = getIntentHandler(intent);
+ if (intentHandler == null) {
// No activity supports the crop action. So skip cropping and set the photo
// without performing any cropping.
mCroppedPhotoUri = mTempPhotoUri;
@@ -201,6 +202,7 @@ public class AttachPhotoActivity extends ContactsActivity {
return;
}
+ intent.setPackage(intentHandler.activityInfo.packageName);
try {
startActivityForResult(intent, REQUEST_CROP_PHOTO);
} catch (ActivityNotFoundException ex) {
@@ -227,10 +229,11 @@ public class AttachPhotoActivity extends ContactsActivity {
}
}
- private boolean hasIntentHandler(Intent intent) {
- final List<ResolveInfo> resolveInfo = getPackageManager()
- .queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY);
- return resolveInfo != null && resolveInfo.size() > 0;
+ private ResolveInfo getIntentHandler(Intent intent) {
+ final List<ResolveInfo> resolveInfos = getPackageManager()
+ .queryIntentActivities(intent,
+ PackageManager.MATCH_DEFAULT_ONLY | PackageManager.MATCH_SYSTEM_ONLY);
+ return (resolveInfos != null && resolveInfos.size() > 0) ? resolveInfos.get(0) : null;
}
// TODO: consider moving this to ContactLoader, especially if we keep adding similar
diff --git a/src/com/android/contacts/detail/PhotoSelectionHandler.java b/src/com/android/contacts/detail/PhotoSelectionHandler.java
index d2e5763a0..302e8c1a9 100644
--- a/src/com/android/contacts/detail/PhotoSelectionHandler.java
+++ b/src/com/android/contacts/detail/PhotoSelectionHandler.java
@@ -241,7 +241,8 @@ public abstract class PhotoSelectionHandler implements OnClickListener {
*/
private void doCropPhoto(Uri inputUri, Uri outputUri) {
final Intent intent = getCropImageIntent(inputUri, outputUri);
- if (!hasIntentHandler(intent)) {
+ final ResolveInfo intentHandler = getIntentHandler(intent);
+ if (intentHandler == null) {
try {
getListener().onPhotoSelected(inputUri);
} catch (FileNotFoundException e) {
@@ -251,6 +252,7 @@ public abstract class PhotoSelectionHandler implements OnClickListener {
}
return;
}
+ intent.setPackage(intentHandler.activityInfo.packageName);
try {
// Launch gallery to crop the photo
startPhotoActivity(intent, REQUEST_CROP_PHOTO, inputUri);
@@ -321,10 +323,11 @@ public abstract class PhotoSelectionHandler implements OnClickListener {
return intent;
}
- private boolean hasIntentHandler(Intent intent) {
- final List<ResolveInfo> resolveInfo = mContext.getPackageManager()
- .queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY);
- return resolveInfo != null && resolveInfo.size() > 0;
+ private ResolveInfo getIntentHandler(Intent intent) {
+ final List<ResolveInfo> resolveInfos = mContext.getPackageManager()
+ .queryIntentActivities(intent,
+ PackageManager.MATCH_DEFAULT_ONLY | PackageManager.MATCH_SYSTEM_ONLY);
+ return (resolveInfos != null && resolveInfos.size() > 0) ? resolveInfos.get(0) : null;
}
/**

31
Patches/LineageOS-14.1/android_packages_apps_Contacts/332453.patch Normal file
View File

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: John Shao <johnshao@google.com>
Date: Thu, 24 Feb 2022 22:20:11 +0000
Subject: [PATCH] No longer export CallSubjectDialog
This is most likely not used outside of the app and can be potentially
exploited
Bug: 218341397
Test: Manual
Change-Id: I8c0c2bdddb172aba5a41e3fff0413eb48a5f4455
Merged-In: I8c0c2bdddb172aba5a41e3fff0413eb48a5f4455
(cherry picked from commit eadb0b1cc94deaa238bfdf225a504119a8a24388)
(cherry picked from commit 1f6d68c79699a9790e6cf0ab82bdc15c64eb7f5a)
Merged-In: I8c0c2bdddb172aba5a41e3fff0413eb48a5f4455
---
AndroidManifest.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index c0c87c192..05600da64 100755
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -569,6 +569,7 @@
<activity android:name="com.android.contacts.common.dialog.CallSubjectDialog"
android:theme="@style/Theme.CallSubjectDialogTheme"
+ android:exported="false"
android:windowSoftInputMode="stateVisible|adjustResize">
<intent-filter>
<action android:name="android.intent.action.VIEW"/>

27
Patches/LineageOS-14.1/android_packages_apps_Dialer/332454.patch Normal file
View File

@ -0,0 +1,27 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tatsuaki Machida <tmachida@google.com>
Date: Mon, 28 Feb 2022 10:36:08 +0000
Subject: [PATCH] No longer export CallSubjectDialog
Bug: 221802256
Change-Id: Ibfc10e706d204131c33071a5fd5b6596ba5c2d48
Test: N/A
(cherry picked from commit d96b98bbb21118356726588d0ff3707246369fdb)
(cherry picked from commit 380a088b2d03f239e37b23c051beadd7d0280dbf)
Merged-In: Ibfc10e706d204131c33071a5fd5b6596ba5c2d48
---
AndroidManifest.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index b154c778a..ee8905394 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -209,6 +209,7 @@
<activity android:name="com.android.contacts.common.dialog.CallSubjectDialog"
android:theme="@style/Theme.CallSubjectDialogTheme"
+ android:exported="false"
android:windowSoftInputMode="stateVisible|adjustResize">
<intent-filter>
<action android:name="android.intent.action.VIEW"/>

51
Patches/LineageOS-14.1/android_packages_apps_KeyChain/319990.patch Normal file
View File

@ -0,0 +1,51 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tianyi Hu <hutianyi@bytedance.com>
Date: Wed, 15 Sep 2021 21:43:18 +0800
Subject: [PATCH] DO NOT MERGE Hide overlay on KeyChainActivity
Hide non system overlay to improve security.
Test: N/A
Bug: 199754277
Merged-In: Ia0e97f40d79a7f89035572e0175990694870938f
Change-Id: Ia0e97f40d79a7f89035572e0175990694870938f
(cherry picked from commit cdca35442c767d64f6d0db4af438a3856263857a)
---
AndroidManifest.xml | 2 ++
src/com/android/keychain/KeyChainActivity.java | 3 +++
2 files changed, 5 insertions(+)
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 3e03c87..807966a 100755
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -3,6 +3,8 @@
package="com.android.keychain"
android:sharedUserId="android.uid.system"
>
+ <uses-permission android:name="android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS"/>
+
<application android:label="@string/app_name"
android:allowBackup="false"
android:usesCleartextTraffic="false" >
diff --git a/src/com/android/keychain/KeyChainActivity.java b/src/com/android/keychain/KeyChainActivity.java
index b5058b2..eac36b4 100644
--- a/src/com/android/keychain/KeyChainActivity.java
+++ b/src/com/android/keychain/KeyChainActivity.java
@@ -61,6 +61,8 @@ import java.util.List;
import javax.security.auth.x500.X500Principal;
+import static android.view.WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS;
+
public class KeyChainActivity extends Activity {
private static final String TAG = "KeyChain";
@@ -84,6 +86,7 @@ public class KeyChainActivity extends Activity {
@Override public void onCreate(Bundle savedState) {
super.onCreate(savedState);
+ getWindow().addPrivateFlags(PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
if (savedState == null) {
mState = State.INITIAL;
} else {

33
Patches/LineageOS-14.1/android_packages_apps_KeyChain/334036.patch Normal file
View File

@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ayush Sharma <ayushsha@google.com>
Date: Tue, 10 May 2022 14:09:40 +0000
Subject: [PATCH] Encode authority part of uri before showing in UI
As per rfc2396, allowing only characters that are reserved|unreserved|@
to be in non escaped form, all the other characters will be escaped.
This would cover all the possible characters there can be in valid
authority as per the rfc2396. android.net.Uri conforms to RFC 2396.
Bug: 221859869
Test: Manual
Change-Id: Ib4f5431bd80b7f4c72c4414f98d99eeb7ca900ed
Merged-In: Ib4f5431bd80b7f4c72c4414f98d99eeb7ca900ed
(cherry picked from commit 8550c37c186099926ce364b65b61ffbf6ed7958d)
Merged-In: Ib4f5431bd80b7f4c72c4414f98d99eeb7ca900ed
---
src/com/android/keychain/KeyChainActivity.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/com/android/keychain/KeyChainActivity.java b/src/com/android/keychain/KeyChainActivity.java
index eac36b4..21ba9aa 100644
--- a/src/com/android/keychain/KeyChainActivity.java
+++ b/src/com/android/keychain/KeyChainActivity.java
@@ -289,7 +289,7 @@ public class KeyChainActivity extends Activity {
Uri uri = getIntent().getParcelableExtra(KeyChain.EXTRA_URI);
if (uri != null) {
String hostMessage = String.format(res.getString(R.string.requesting_server),
- uri.getAuthority());
+ Uri.encode(uri.getAuthority(), "$,;:@&=+"));
if (contextMessage == null) {
contextMessage = hostMessage;
} else {

28
Patches/LineageOS-14.1/android_packages_apps_Nfc/315715.patch Normal file
View File

@ -0,0 +1,28 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Thu, 17 Jun 2021 11:27:00 -0700
Subject: [PATCH] Add HIDE_NON_SYSTEM_OVERLAY_WINDOWS permission to Nfc
This permission is required for xx_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS
window flag to function properly.
Bug: 180422108
Test: build ok
Change-Id: I8246c06c0e7d60d4e06ef4fa430ccd5111e99a43
(cherry picked from commit 9c56b01c5745252c13c05a2fe39faaef130813e5)
---
AndroidManifest.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 8a7763cf..fe94e7de 100755
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -35,6 +35,7 @@
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.READ_FRAME_BUFFER" />
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
+ <uses-permission android:name="android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.VIBRATE" />

59
Patches/LineageOS-14.1/android_packages_apps_Nfc/328308.patch Normal file
View File

@ -0,0 +1,59 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jack Yu <jackcwyu@google.com>
Date: Thu, 13 Jan 2022 16:27:22 +0800
Subject: [PATCH] Do not set default contactless application without user
interaction
Keep the default contactless apllication "not set" if user does not
select one from the Settings page.
Bug: 212610736
Test: Manual
Merged-In: I8e1d67528eca037f4f88380a96f8c542965a1981
Change-Id: I8e1d67528eca037f4f88380a96f8c542965a1981
(cherry picked from commit 4177b086cf2f1ae9c1831cb1a7ed88233c7a6aca)
Merged-In:I8e1d67528eca037f4f88380a96f8c542965a1981
---
.../cardemulation/CardEmulationManager.java | 27 +++----------------
1 file changed, 4 insertions(+), 23 deletions(-)
diff --git a/src/com/android/nfc/cardemulation/CardEmulationManager.java b/src/com/android/nfc/cardemulation/CardEmulationManager.java
index cff9dd3e..af31f89c 100644
--- a/src/com/android/nfc/cardemulation/CardEmulationManager.java
+++ b/src/com/android/nfc/cardemulation/CardEmulationManager.java
@@ -205,31 +205,12 @@ public class CardEmulationManager implements RegisteredServicesCache.Callback,
void verifyDefaults(int userId, List<ApduServiceInfo> services) {
ComponentName defaultPaymentService =
- getDefaultServiceForCategory(userId, CardEmulation.CATEGORY_PAYMENT, false);
+ getDefaultServiceForCategory(userId, CardEmulation.CATEGORY_PAYMENT, true);
if (DBG) Log.d(TAG, "Current default: " + defaultPaymentService);
if (defaultPaymentService == null) {
- // A payment service may have been removed, leaving only one;
- // in that case, automatically set that app as default.
- int numPaymentServices = 0;
- ComponentName lastFoundPaymentService = null;
- for (ApduServiceInfo service : services) {
- if (service.hasCategory(CardEmulation.CATEGORY_PAYMENT)) {
- numPaymentServices++;
- lastFoundPaymentService = service.getComponent();
- }
- }
- if (numPaymentServices > 1) {
- // More than one service left, leave default unset
- if (DBG) Log.d(TAG, "No default set, more than one service left.");
- } else if (numPaymentServices == 1) {
- // Make single found payment service the default
- if (DBG) Log.d(TAG, "No default set, making single service default.");
- setDefaultServiceForCategoryChecked(userId, lastFoundPaymentService,
- CardEmulation.CATEGORY_PAYMENT);
- } else {
- // No payment services left, leave default at null
- if (DBG) Log.d(TAG, "No default set, last payment service removed.");
- }
+ // A payment service may have been removed, set default payment selection to "not set".
+ if (DBG) Log.d(TAG, "No default set, last payment service removed.");
+ setDefaultServiceForCategoryChecked(userId, null, CardEmulation.CATEGORY_PAYMENT);
}
}

44
Patches/LineageOS-14.1/android_packages_apps_Nfc/332455.patch Normal file
View File

@ -0,0 +1,44 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Fri, 18 Mar 2022 17:13:05 -0700
Subject: [PATCH] OOB read in phNciNfc_RecvMfResp()
The size of RspBuff for Mifare shall be at least 2 bytes:
Mifare Req/Rsp Id + Status
Bug: 221852424
Test: build ok
Change-Id: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
(cherry picked from commit f0d86f7fe23499cd4c6631348618463fbc496436)
Merged-In: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
---
nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
index d3d78a03..0ee2314d 100755
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
@@ -1230,7 +1230,7 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
}
else
{
- if((0 == (RspBuffInfo->wLen))
+ if(((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) > RspBuffInfo->wLen)
|| (PH_NCINFC_STATUS_OK != wStatus)
|| (NULL == (RspBuffInfo->pBuff))
)
@@ -1250,13 +1250,6 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
{
status = NFCSTATUS_SUCCESS;
- if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
- RspBuffInfo->wLen)
- {
- android_errorWriteLog(0x534e4554, "181346550");
- return NFCSTATUS_FAILED;
- }
-
/* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
wPldDataSize = ((RspBuffInfo->wLen) -
(PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));

62
Patches/LineageOS-14.1/android_packages_apps_Settings/315716.patch Normal file
View File

@ -0,0 +1,62 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hugh Chen <hughchen@google.com>
Date: Thu, 3 Jun 2021 16:38:24 +0800
Subject: [PATCH] RESTRICT AUTOMERGE Update string
1. Replace "An untrusted Bluetooth device" to "A Bluetooth device".
2. Replace "Deny" to "Don't allow"
https://docs.google.com/document/d/18bVSIAyX4MNpNeCvxqyZu7CXcBUcdV0pnh-gzVprjqU/edit?ts=60709637
Bug: 167403112
Test: send intent to test right prompts message is pop up.
make -j42 RunSettingsRoboTests
Change-Id: I38da15d4b1fb08671f6352458cbf3f735b4083bc
(cherry picked from commit 38fc9a91b53e82c092c1324f5ba3085740e7dcdf)
(cherry picked from commit 3d6641a468bdb296af29bd222b3bc55ed62b78bc)
---
res/values/strings.xml | 11 +++++++----
.../bluetooth/BluetoothPermissionActivity.java | 2 +-
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/res/values/strings.xml b/res/values/strings.xml
index a4fdaf58c9..322baf1566 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -7961,15 +7961,18 @@
<string name="touchscreen_gesture_settings_summary">Perform various touchscreen gestures for quick actions</string>
<!-- Bluetooth message permission alert for notification content [CHAR LIMIT=none] -->
- <string name="bluetooth_message_access_notification_content">Untrusted device wants to access your messages. Tap for details.</string>
+ <string name="bluetooth_message_access_notification_content">A device wants to access your messages. Tap for details.</string>
<!-- Bluetooth message permission alert for dialog title [CHAR LIMIT=none] -->
<string name="bluetooth_message_access_dialog_title">Allow access to messages?</string>
<!-- Bluetooth message permission alert for dialog content [CHAR LIMIT=none] -->
- <string name="bluetooth_message_access_dialog_content">An untrusted Bluetooth device, <xliff:g id="device_name" example="My device">%1$s</xliff:g>, wants to access your messages.\n\nYou haven\u2019t connected to <xliff:g id="device_name" example="My device">%2$s</xliff:g> before.</string>
+ <string name="bluetooth_message_access_dialog_content">A Bluetooth device, <xliff:g id="device_name" example="My device">%1$s</xliff:g>, wants to access your messages.\n\nYou haven\u2019t connected to <xliff:g id="device_name" example="My device">%2$s</xliff:g> before.</string>
<!-- Bluetooth phonebook permission alert for notification content [CHAR LIMIT=none] -->
- <string name="bluetooth_phonebook_access_notification_content">Untrusted device wants to access your contacts and call log. Tap for details.</string>
+ <string name="bluetooth_phonebook_access_notification_content">A device wants to access your contacts and call log. Tap for details.</string>
<!-- Bluetooth phonebook permission alert for dialog title [CHAR LIMIT=none] -->
<string name="bluetooth_phonebook_access_dialog_title">Allow access to contacts and call log?</string>
<!-- Bluetooth phonebook permission alert for dialog content [CHAR LIMIT=none] -->
- <string name="bluetooth_phonebook_access_dialog_content">An untrusted Bluetooth device, <xliff:g id="device_name" example="My device">%1$s</xliff:g>, wants to access your contacts and call log. This includes data about incoming and outgoing calls.\n\nYou haven\u2019t connected to <xliff:g id="device_name" example="My device">%2$s</xliff:g> before.</string>
+ <string name="bluetooth_phonebook_access_dialog_content">A Bluetooth device, <xliff:g id="device_name" example="My device">%1$s</xliff:g>, wants to access your contacts and call log. This includes data about incoming and outgoing calls.\n\nYou haven\u2019t connected to <xliff:g id="device_name" example="My device">%2$s</xliff:g> before.</string>
+
+ <!-- Label for button to not allow grant the permission for remote devices. [CHAR_LIMIT=50] -->
+ <string name="request_manage_bluetooth_permission_dont_allow">Don\u2019t allow</string>
</resources>
diff --git a/src/com/android/settings/bluetooth/BluetoothPermissionActivity.java b/src/com/android/settings/bluetooth/BluetoothPermissionActivity.java
index ffb4f398ab..92988dd97e 100644
--- a/src/com/android/settings/bluetooth/BluetoothPermissionActivity.java
+++ b/src/com/android/settings/bluetooth/BluetoothPermissionActivity.java
@@ -138,7 +138,7 @@ public class BluetoothPermissionActivity extends AlertActivity implements
}
p.mPositiveButtonText = getString(R.string.allow);
p.mPositiveButtonListener = this;
- p.mNegativeButtonText = getString(R.string.deny);
+ p.mNegativeButtonText = getString(R.string.request_manage_bluetooth_permission_dont_allow);
p.mNegativeButtonListener = this;
mOkButton = mAlert.getButton(DialogInterface.BUTTON_POSITIVE);
setupAlert();

151
Patches/LineageOS-14.1/android_packages_apps_Settings/315717.patch Normal file
View File

@ -0,0 +1,151 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hugh Chen <hughchen@google.com>
Date: Thu, 3 Jun 2021 16:38:24 +0800
Subject: [PATCH] RESTRICT AUTOMERGE Fix phishing attacks over Bluetooth due to
unclear warning message
This CL add more prompts presented for users to avoid phishing attacks.
Screenshot:
https://screenshot.googleplex.com/p5PZbphN46ddPFV.png
https://screenshot.googleplex.com/6Q2wKfPbNQmTtx8.png
https://screenshot.googleplex.com/987VpYgNUZL2K4T.png
https://screenshot.googleplex.com/9eVg6SAGScVXU8U.png
Bug: 167403112
Test: manually test
Change-Id: Iadec059b662fd91754ad573bbe688702cdd3c9af
(cherry picked from commit 10e459921953825d34e70cc4da846aac703d913c)
(cherry picked from commit 8fe8e0fc211d4f36cce2865a17c834573ec25211)
---
res/values/strings.xml | 21 +++++++++++++++++
.../BluetoothPermissionActivity.java | 23 ++++++++++++-------
.../bluetooth/BluetoothPermissionRequest.java | 12 ++++++----
3 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 322baf1566..f98146b139 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -7975,4 +7975,25 @@
<!-- Label for button to not allow grant the permission for remote devices. [CHAR_LIMIT=50] -->
<string name="request_manage_bluetooth_permission_dont_allow">Don\u2019t allow</string>
+
+ <!-- Bluetooth sim card permission alert for notification title [CHAR LIMIT=none] -->
+ <string name="bluetooth_sim_card_access_notification_title">SIM card access request</string>
+ <!-- Bluetooth sim card permission alert for notification content [CHAR LIMIT=none] -->
+ <string name="bluetooth_sim_card_access_notification_content">A device wants to access your SIM card. Tap for details.</string>
+ <!-- Bluetooth sim card permission alert for dialog title [CHAR LIMIT=none] -->
+ <string name="bluetooth_sim_card_access_dialog_title">Allow access to SIM card?</string>
+ <!-- Bluetooth sim card permission alert for dialog content [CHAR LIMIT=none] -->
+ <string name="bluetooth_sim_card_access_dialog_content">A Bluetooth device, <xliff:g id="device_name" example="My device">%1$s</xliff:g>, wants to access data on your SIM card. This includes your contacts.\n\nWhile connected, <xliff:g id="device_name" example="My device">%2$s</xliff:g> will receive all calls made to <xliff:g id="phone_number" example="0912345678">%3$s</xliff:g>.</string>
+ <!-- Bluetooth connect permission alert for notification title [CHAR LIMIT=none] -->
+ <string name="bluetooth_connect_access_notification_title">Bluetooth device available</string>
+ <!-- Bluetooth connect permission alert for notification content [CHAR LIMIT=none] -->
+ <string name="bluetooth_connect_access_notification_content">A device wants to connect. Tap for details.</string>
+ <!-- Bluetooth connect permission alert for dialog title [CHAR LIMIT=none] -->
+ <string name="bluetooth_connect_access_dialog_title">Connect to Bluetooth device?</string>
+ <!-- Bluetooth connect permission alert for dialog content [CHAR LIMIT=none] -->
+ <string name="bluetooth_connect_access_dialog_content"><xliff:g id="device_name" example="My device">%1$s</xliff:g> wants to connect to this phone.\n\nYou haven\u2019t connected to <xliff:g id="device_name" example="My device">%2$s</xliff:g> before.</string>
+ <!-- Strings for Dialog don't connect button -->
+ <string name="bluetooth_connect_access_dialog_negative">Don\u2019t connect</string>
+ <!-- Strings for Dialog connect button -->
+ <string name="bluetooth_connect_access_dialog_positive">Connect</string>
</resources>
diff --git a/src/com/android/settings/bluetooth/BluetoothPermissionActivity.java b/src/com/android/settings/bluetooth/BluetoothPermissionActivity.java
index 92988dd97e..9444d49263 100644
--- a/src/com/android/settings/bluetooth/BluetoothPermissionActivity.java
+++ b/src/com/android/settings/bluetooth/BluetoothPermissionActivity.java
@@ -25,6 +25,7 @@ import android.content.DialogInterface;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Bundle;
+import android.telephony.TelephonyManager;
import android.support.v7.preference.Preference;
import android.util.EventLog;
import android.util.Log;
@@ -97,13 +98,13 @@ public class BluetoothPermissionActivity extends AlertActivity implements
if(DEBUG) Log.i(TAG, "onCreate() Request type: " + mRequestType);
if (mRequestType == BluetoothDevice.REQUEST_TYPE_PROFILE_CONNECTION) {
- showDialog(getString(R.string.bluetooth_connection_permission_request), mRequestType);
+ showDialog(getString(R.string.bluetooth_connect_access_dialog_title), mRequestType);
} else if (mRequestType == BluetoothDevice.REQUEST_TYPE_PHONEBOOK_ACCESS) {
showDialog(getString(R.string.bluetooth_phonebook_access_dialog_title), mRequestType);
} else if (mRequestType == BluetoothDevice.REQUEST_TYPE_MESSAGE_ACCESS) {
showDialog(getString(R.string.bluetooth_message_access_dialog_title), mRequestType);
} else if (mRequestType == BluetoothDevice.REQUEST_TYPE_SIM_ACCESS) {
- showDialog(getString(R.string.bluetooth_sap_request), mRequestType);
+ showDialog(getString(R.string.bluetooth_sim_card_access_dialog_title), mRequestType);
}
else {
Log.e(TAG, "Error: bad request type: " + mRequestType);
@@ -136,9 +137,14 @@ public class BluetoothPermissionActivity extends AlertActivity implements
p.mView = createSapDialogView();
break;
}
- p.mPositiveButtonText = getString(R.string.allow);
+ p.mPositiveButtonText = getString(
+ requestType == BluetoothDevice.REQUEST_TYPE_PROFILE_CONNECTION
+ ? R.string.bluetooth_connect_access_dialog_positive : R.string.allow);
p.mPositiveButtonListener = this;
- p.mNegativeButtonText = getString(R.string.request_manage_bluetooth_permission_dont_allow);
+ p.mNegativeButtonText = getString(
+ requestType == BluetoothDevice.REQUEST_TYPE_PROFILE_CONNECTION
+ ? R.string.bluetooth_connect_access_dialog_negative
+ : R.string.request_manage_bluetooth_permission_dont_allow);
p.mNegativeButtonListener = this;
mOkButton = mAlert.getButton(DialogInterface.BUTTON_POSITIVE);
setupAlert();
@@ -170,8 +176,8 @@ public class BluetoothPermissionActivity extends AlertActivity implements
String mRemoteName = createRemoteName();
mView = getLayoutInflater().inflate(R.layout.bluetooth_access, null);
messageView = (TextView)mView.findViewById(R.id.message);
- messageView.setText(getString(R.string.bluetooth_connection_dialog_text,
- mRemoteName));
+ messageView.setText(getString(R.string.bluetooth_connect_access_dialog_content,
+ mRemoteName, mRemoteName));
return mView;
}
@@ -195,10 +201,11 @@ public class BluetoothPermissionActivity extends AlertActivity implements
private View createSapDialogView() {
String mRemoteName = createRemoteName();
+ TelephonyManager tm = getSystemService(TelephonyManager.class);
mView = getLayoutInflater().inflate(R.layout.bluetooth_access, null);
messageView = (TextView)mView.findViewById(R.id.message);
- messageView.setText(getString(R.string.bluetooth_sap_acceptance_dialog_text,
- mRemoteName, mRemoteName));
+ messageView.setText(getString(R.string.bluetooth_sim_card_access_dialog_content,
+ mRemoteName, mRemoteName, tm.getLine1Number()));
return mView;
}
diff --git a/src/com/android/settings/bluetooth/BluetoothPermissionRequest.java b/src/com/android/settings/bluetooth/BluetoothPermissionRequest.java
index 3de10a5d10..d23dea93e5 100644
--- a/src/com/android/settings/bluetooth/BluetoothPermissionRequest.java
+++ b/src/com/android/settings/bluetooth/BluetoothPermissionRequest.java
@@ -144,13 +144,17 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver {
R.string.bluetooth_message_access_notification_content);
break;
case BluetoothDevice.REQUEST_TYPE_SIM_ACCESS:
- title = context.getString(R.string.bluetooth_sap_request);
- message = context.getString(R.string.bluetooth_sap_acceptance_dialog_text,
+ title = context.getString(
+ R.string.bluetooth_sim_card_access_notification_title);
+ message = context.getString(
+ R.string.bluetooth_sim_card_access_notification_content,
deviceAlias, deviceAlias);
break;
default:
- title = context.getString(R.string.bluetooth_connection_permission_request);
- message = context.getString(R.string.bluetooth_connection_dialog_text,
+ title = context.getString(
+ R.string.bluetooth_connect_access_notification_title);
+ message = context.getString(
+ R.string.bluetooth_connect_access_notification_content,
deviceAlias, deviceAlias);
break;
}

1411
Patches/LineageOS-14.1/android_packages_apps_Settings/318519.patch Normal file
View File

File diff suppressed because it is too large Load Diff

27
Patches/LineageOS-14.1/android_packages_apps_Settings/319991.patch Normal file
View File

@ -0,0 +1,27 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chen Chen <cncn@google.com>
Date: Tue, 5 Oct 2021 17:46:02 -0700
Subject: [PATCH] BluetoothSecurity: Add BLUETOOTH_PRIVILEGED permission for
pairing dialog
Bug: 194300867
Test: Build
Change-Id: I5a496df50550ea7ee6986c960e28ae3e4a056b4b
(cherry picked from commit aebca7f35bf6bf975eeeb443fa8bbeb5d477d642)
---
AndroidManifest.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 4871306669..86fc53bb18 100755
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -2098,6 +2098,7 @@
<activity android:name=".bluetooth.BluetoothPairingDialog"
android:label="@string/bluetooth_pairing_request"
+ android:permission="android.permission.BLUETOOTH_PRIVILEGED"
android:excludeFromRecents="true"
android:windowSoftInputMode="stateVisible|adjustResize"
android:theme="@*android:style/Theme.DeviceDefault.Light.Dialog.Alert">

29
Patches/LineageOS-14.1/android_packages_apps_Settings/323458.patch Normal file
View File

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Yanting Yang <yantingyang@google.com>
Date: Thu, 14 Oct 2021 15:06:33 +0000
Subject: [PATCH] Rephrase dialog message of clear storage dialog for security
concern
Bug: 193890833
Test: visual
Change-Id: I8f0b066de710169ee8b922c44b6519ca21b9c7ef
(cherry picked from commit 0c359da620498d536d81cb97d5ae48048201c226)
(cherry picked from commit 7d22136fb086da3edff0664d8fe5f5e0b70fd77d)
Merged-In:I8f0b066de710169ee8b922c44b6519ca21b9c7ef
---
res/values/strings.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/res/values/strings.xml b/res/values/strings.xml
index f98146b139..d63cbc6b60 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -3508,7 +3508,7 @@
<!-- Manage applications, individual application screen, confirmation dialog title. Displays when user selects to "Clear data". -->
<string name="clear_data_dlg_title">Delete app data?</string>
<!-- Manage applications, individual application screen, confirmation dialog message. Displays when user selects to "Clear data". It warns the user of the consequences of clearing the data for an app. -->
- <string name="clear_data_dlg_text">All this app\u2019s data will be deleted permanently. This includes all files, settings, accounts, databases, etc.</string>
+ <string name="clear_data_dlg_text">This app\u2019s data will be permanently deleted. This includes files, settings, databases, and other app data.</string>
<!-- Manage applications, individual application screen, confirmation dialog button. Displays when user selects to "Clear data". Goes through with the clearing of the data. -->
<string name="dlg_ok">OK</string>
<!-- Manage applications, individual application screen, confirmation dialog button. Displays when user selects to "Clear data". -->

85
Patches/LineageOS-14.1/android_packages_apps_Settings/325994.patch Normal file
View File

@ -0,0 +1,85 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Edgar Wang <edgarwang@google.com>
Date: Thu, 6 Jan 2022 20:53:48 +0800
Subject: [PATCH] Fix bypass CALL_PRIVILEGED permission in
AppRestrictionsFragment
In onReceive of AppRestrictionsFragment.java, there is a possible way to
start a phone call without permissions due to a confused deputy.
This could lead to local escalation of privilege with no additional
execution privileges needed.
We should not allow the restrictionsIntent to startActivity simply
because it resolves to multiple activities.
Instead, we should call resolveActivity and check the result's package
name is same as current package name, then it is safe to startActivity.
Bug: 200688991
Test: manual verify
Change-Id: Iaa2d3a9497c3266babe0789961befc9776a4db7a
Merged-In: Iaa2d3a9497c3266babe0789961befc9776a4db7a
(cherry picked from commit 359512cd9553c940af3c9045b856647b7529731a)
(cherry picked from commit f57d75f127fe96e91250585208a339763f1a2253)
Merged-In:Iaa2d3a9497c3266babe0789961befc9776a4db7a
---
.../users/AppRestrictionsFragment.java | 24 +++++++++++++------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java
index f72bf9e97b..ee2114219e 100644
--- a/src/com/android/settings/users/AppRestrictionsFragment.java
+++ b/src/com/android/settings/users/AppRestrictionsFragment.java
@@ -17,6 +17,7 @@
package com.android.settings.users;
import android.app.Activity;
+import android.content.ActivityNotFoundException;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
@@ -44,6 +45,7 @@ import android.support.v7.preference.Preference.OnPreferenceChangeListener;
import android.support.v7.preference.Preference.OnPreferenceClickListener;
import android.support.v7.preference.PreferenceGroup;
import android.support.v7.preference.PreferenceViewHolder;
+import android.util.EventLog;
import android.util.Log;
import android.view.View;
import android.view.View.OnClickListener;
@@ -634,7 +636,15 @@ public class AppRestrictionsFragment extends SettingsPreferenceFragment implemen
} else if (restrictionsIntent != null) {
preference.setRestrictions(restrictions);
if (invokeIfCustom && AppRestrictionsFragment.this.isResumed()) {
- assertSafeToStartCustomActivity(restrictionsIntent);
+ try {
+ assertSafeToStartCustomActivity(restrictionsIntent);
+ } catch (ActivityNotFoundException | SecurityException e) {
+ // return without startActivity
+ Log.e(TAG, "Cannot start restrictionsIntent " + e);
+ EventLog.writeEvent(0x534e4554, "200688991", -1 /* UID */, "");
+ return;
+ }
+
int requestCode = generateCustomActivityRequestCode(
RestrictionsResultReceiver.this.preference);
AppRestrictionsFragment.this.startActivityForResult(
@@ -648,14 +658,14 @@ public class AppRestrictionsFragment extends SettingsPreferenceFragment implemen
if (intent.getPackage() != null && intent.getPackage().equals(packageName)) {
return;
}
- // Activity can be started if intent resolves to multiple activities
- List<ResolveInfo> resolveInfos = AppRestrictionsFragment.this.mPackageManager
- .queryIntentActivities(intent, 0 /* no flags */);
- if (resolveInfos.size() != 1) {
- return;
+ ResolveInfo resolveInfo = mPackageManager.resolveActivity(
+ intent, PackageManager.MATCH_DEFAULT_ONLY);
+
+ if (resolveInfo == null) {
+ throw new ActivityNotFoundException("No result for resolving " + intent);
}
// Prevent potential privilege escalation
- ActivityInfo activityInfo = resolveInfos.get(0).activityInfo;
+ ActivityInfo activityInfo = resolveInfo.activityInfo;
if (!packageName.equals(activityInfo.packageName)) {
throw new SecurityException("Application " + packageName
+ " is not allowed to start activity " + intent);

79
Patches/LineageOS-14.1/android_packages_apps_Settings/327099.patch Normal file
View File

@ -0,0 +1,79 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alex Johnston <acjohnston@google.com>
Date: Wed, 5 Jan 2022 22:19:29 +0000
Subject: [PATCH] Add caller check to com.android.credentials.RESET [Backport]
* Only the Settings app can reset credentials
via com.android.credentials.RESET.
* com.android.credentials.INSTALL should still be
callable by CertInstaller.
Manual testing steps:
* Install certificate via Settings
* Verify unable to reset certificates via test app
provided in the bug (app-debug.apk)
* Verify able to reset certificates via Settings
* Verify com.android.credentials.INSTALL isn't changed
Bug: 200164168
Test: manual
Change-Id: I9dfde586616d004befbee529f2ae842d22795065
(cherry picked from commit 4c1272a921bb9037e17a01e1e5a0692f7f704c3d)
Merged-In: I9dfde586616d004befbee529f2ae842d22795065
(cherry picked from commit 35e3d0c1b0598b2032fc6c134c657255f1907594)
Merged-In: I9dfde586616d004befbee529f2ae842d22795065
---
.../android/settings/CredentialStorage.java | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/com/android/settings/CredentialStorage.java b/src/com/android/settings/CredentialStorage.java
index eed380bae4..1c82bff713 100644
--- a/src/com/android/settings/CredentialStorage.java
+++ b/src/com/android/settings/CredentialStorage.java
@@ -17,6 +17,7 @@
package com.android.settings;
import android.app.Activity;
+import android.app.ActivityManagerNative;
import android.app.AlertDialog;
import android.app.admin.DevicePolicyManager;
import android.content.Context;
@@ -27,6 +28,7 @@ import android.content.pm.UserInfo;
import android.content.res.Resources;
import android.os.AsyncTask;
import android.os.Bundle;
+import android.os.IBinder;
import android.os.Process;
import android.os.RemoteException;
import android.os.UserHandle;
@@ -128,7 +130,7 @@ public final class CredentialStorage extends Activity {
String action = intent.getAction();
UserManager userManager = (UserManager) getSystemService(Context.USER_SERVICE);
if (!userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_CREDENTIALS)) {
- if (ACTION_RESET.equals(action)) {
+ if (ACTION_RESET.equals(action) && checkCallerIsSelf()) {
new ResetDialog();
} else {
if (ACTION_INSTALL.equals(action) && checkCallerIsCertInstallerOrSelfInProfile()) {
@@ -405,6 +407,20 @@ public final class CredentialStorage extends Activity {
}
}
+ /**
+ * Check that the caller is Settings.
+ */
+ private boolean checkCallerIsSelf() {
+ try {
+ IBinder activityToken = getActivityToken();
+ return Process.myUid() == ActivityManagerNative.getDefault()
+ .getLaunchedFromUid(activityToken);
+ } catch (RemoteException re) {
+ // Error talking to ActivityManager, just give up
+ return false;
+ }
+ }
+
/**
* Check that the caller is either certinstaller or Settings running in a profile of this user.
*/

39
Patches/LineageOS-14.1/android_packages_apps_Settings/334037.patch Normal file
View File

@ -0,0 +1,39 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Edgar Wang <edgarwang@google.com>
Date: Wed, 6 Apr 2022 17:30:27 +0800
Subject: [PATCH] Fix LaunchAnyWhere in AppRestrictionsFragment
If the intent's package equals to the app's package, this intent
will be allowed to startActivityForResult.
But this check is unsafe, because if the component of this intent
is set, the package field will just be ignored. So if we set the
component to any activity we like and set package to the app's
package, it will pass the assertSafeToStartCustomActivity check
and now we can launch anywhere.
Bug: 223578534
Test: robotest and manual verify
Change-Id: I40496105bae313fe5cff2a36dfe329c1e2b5bbe4
(cherry picked from commit 90e095dbe372f29823ad4788c0cc2d781ae3bb24)
(cherry picked from commit b3eecdd13d9f3d9fde99e9881c9e451ff199f7ad)
Merged-In: I40496105bae313fe5cff2a36dfe329c1e2b5bbe4
---
src/com/android/settings/users/AppRestrictionsFragment.java | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java
index ee2114219e..feb8b9ef01 100644
--- a/src/com/android/settings/users/AppRestrictionsFragment.java
+++ b/src/com/android/settings/users/AppRestrictionsFragment.java
@@ -654,10 +654,7 @@ public class AppRestrictionsFragment extends SettingsPreferenceFragment implemen
}
private void assertSafeToStartCustomActivity(Intent intent) {
- // Activity can be started if it belongs to the same app
- if (intent.getPackage() != null && intent.getPackage().equals(packageName)) {
- return;
- }
+ EventLog.writeEvent(0x534e4554, "223578534", -1 /* UID */, "");
ResolveInfo resolveInfo = mPackageManager.resolveActivity(
intent, PackageManager.MATCH_DEFAULT_ONLY);

54
Patches/LineageOS-14.1/android_packages_apps_Settings/334874.patch Normal file
View File

@ -0,0 +1,54 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Arc Wang <arcwang@google.com>
Date: Fri, 6 May 2022 17:42:30 +0800
Subject: [PATCH] Verify ringtone from ringtone picker is audio
To improve privacy.
Bug: 221041256
Test: atest com.android.settings.DefaultRingtonePreferenceTest
Change-Id: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d
Merged-In: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d
(cherry picked from commit e4c22580c9a66a3d5523782c2daa707531210227)
(cherry picked from commit 640eab60f2baa9052d395fccd4a0324103ad6c7a)
Merged-In: I0a9ca163f5ae91b67c9f957fde4c6db326b8718d
---
.../settings/DefaultRingtonePreference.java | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java
index 4e0e1e7403..3333016565 100644
--- a/src/com/android/settings/DefaultRingtonePreference.java
+++ b/src/com/android/settings/DefaultRingtonePreference.java
@@ -22,6 +22,7 @@ import android.content.Intent;
import android.media.RingtoneManager;
import android.net.Uri;
import android.util.AttributeSet;
+import android.util.Log;
public class DefaultRingtonePreference extends RingtonePreference {
private static final String TAG = "DefaultRingtonePreference";
@@ -43,6 +44,23 @@ public class DefaultRingtonePreference extends RingtonePreference {
@Override
protected void onSaveRingtone(Uri ringtoneUri) {
+ String mimeType = getContext().getContentResolver().getType(ringtoneUri);
+ if (mimeType == null) {
+ Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri
+ + " ignored: failure to find mimeType (no access from this context?)");
+ return;
+ }
+
+ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) {
+ Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri
+ + " ignored: associated mimeType:" + mimeType + " is not an audio type");
+ return;
+ }
+
+ setActualDefaultRingtoneUri(ringtoneUri);
+ }
+
+ void setActualDefaultRingtoneUri(Uri ringtoneUri) {
RingtoneManager.setActualDefaultRingtoneUri(getContext(), getRingtoneType(), ringtoneUri);
}

40
Patches/LineageOS-14.1/android_packages_apps_Settings/334875.patch Normal file
View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Arc Wang <arcwang@google.com>
Date: Mon, 16 May 2022 14:36:19 +0800
Subject: [PATCH] Fix Settings crash when setting a null ringtone
Ringtone picker may callback a null ringtone Uri
if users select None.
This change pass null ringtone Uri to RingtoneManager
and return.
Bug: 232502532
Bug: 221041256
Test: maunal
Settings - Sound & Vibration -> Phone ringtone
-> My Sounds -> None
Change-Id: I044b680871472a3c272f6264c4ef272df542112e
Merged-In: I044b680871472a3c272f6264c4ef272df542112e
(cherry picked from commit d94b73b3041614a5ff57c7745f50f235bf6c7783)
Merged-In: I044b680871472a3c272f6264c4ef272df542112e
---
src/com/android/settings/DefaultRingtonePreference.java | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java
index 3333016565..75c527fa31 100644
--- a/src/com/android/settings/DefaultRingtonePreference.java
+++ b/src/com/android/settings/DefaultRingtonePreference.java
@@ -44,6 +44,11 @@ public class DefaultRingtonePreference extends RingtonePreference {
@Override
protected void onSaveRingtone(Uri ringtoneUri) {
+ if (ringtoneUri == null) {
+ setActualDefaultRingtoneUri(ringtoneUri);
+ return;
+ }
+
String mimeType = getContext().getContentResolver().getType(ringtoneUri);
if (mimeType == null) {
Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri

150
Patches/LineageOS-14.1/android_packages_providers_ContactsProvider/334876.patch Normal file
View File

@ -0,0 +1,150 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Thomas Stuart <tjstuart@google.com>
Date: Thu, 28 Apr 2022 16:53:40 -0700
Subject: [PATCH] enforce stricter CallLogProvider query
changes:
- phoneNumber is now a selectionArgument
- if the user makes a query request for the CALLS_FILTER case,
throw a SE if the cursor is empty && SQL is detected
Bug: 224771921
Test: 2 manual,
manual 1: test app 1 can still make valid call filter query
manual 2: test app 2 with invalid query crashes b/c of SE
2 CTS tests,
test 1: ensures the existing functionality still works
test 2: ensures a SE is thrown on an invalid query for call filter
Change-Id: Ia445bb59581abb14e247aa8d9f0177e02307cf96
Merged-In: Ia445bb59581abb14e247aa8d9f0177e02307cf96
(cherry picked from commit c8b6397d364c2741baf5d850bfdd1693782af940)
Merged-In: Ia445bb59581abb14e247aa8d9f0177e02307cf96
---
.../providers/contacts/CallLogProvider.java | 77 ++++++++++++++++++-
1 file changed, 75 insertions(+), 2 deletions(-)
diff --git a/src/com/android/providers/contacts/CallLogProvider.java b/src/com/android/providers/contacts/CallLogProvider.java
index 2d4639dc..8010dee2 100755
--- a/src/com/android/providers/contacts/CallLogProvider.java
+++ b/src/com/android/providers/contacts/CallLogProvider.java
@@ -31,6 +31,7 @@ import android.database.Cursor;
import android.database.DatabaseUtils;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
+import android.database.sqlite.SQLiteTokenizer;
import android.net.Uri;
import android.os.Binder;
import android.os.Handler;
@@ -48,6 +49,7 @@ import android.telecom.PhoneAccount;
import android.telecom.PhoneAccountHandle;
import android.telecom.TelecomManager;
import android.text.TextUtils;
+import android.util.EventLog;
import android.util.Log;
import com.android.internal.annotations.VisibleForTesting;
@@ -59,6 +61,9 @@ import com.android.providers.contacts.util.UserUtils;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
+import java.util.Locale;
+import java.util.Set;
+import java.util.UUID;
import java.util.concurrent.CountDownLatch;
/**
@@ -273,9 +278,10 @@ public class CallLogProvider extends ContentProvider {
List<String> pathSegments = uri.getPathSegments();
String phoneNumber = pathSegments.size() >= 2 ? pathSegments.get(2) : null;
if (!TextUtils.isEmpty(phoneNumber)) {
- qb.appendWhere("PHONE_NUMBERS_EQUAL(number, ");
- qb.appendWhereEscapeString(phoneNumber);
+ qb.appendWhere("PHONE_NUMBERS_EQUAL(number, ?");
qb.appendWhere(mUseStrictPhoneNumberComparation ? ", 1)" : ", 0)");
+ selectionArgs = copyArrayAndAppendElement(selectionArgs,
+ "'" + phoneNumber + "'");
} else {
qb.appendWhere(Calls.NUMBER_PRESENTATION + "!="
+ Calls.PRESENTATION_ALLOWED);
@@ -299,12 +305,79 @@ public class CallLogProvider extends ContentProvider {
final SQLiteDatabase db = mDbHelper.getReadableDatabase();
final Cursor c = qb.query(db, projection, selectionBuilder.build(), selectionArgs, groupby,
null, sortOrder, limitClause);
+
+ if (match == CALLS_FILTER && selectionArgs.length > 0) {
+ // throw SE if the user is sending requests that try to bypass voicemail permissions
+ examineEmptyCursorCause(c, selectionArgs[selectionArgs.length - 1]);
+ }
+
if (c != null) {
c.setNotificationUri(getContext().getContentResolver(), CallLog.CONTENT_URI);
}
return c;
}
+ /**
+ * Helper method for queryInternal that appends an extra argument to the existing selection
+ * arguments array.
+ *
+ * @param oldSelectionArguments the existing selection argument array in queryInternal
+ * @param phoneNumber the phoneNumber that was passed into queryInternal
+ * @return the new selection argument array with the phoneNumber as the last argument
+ */
+ private String[] copyArrayAndAppendElement(String[] oldSelectionArguments, String phoneNumber) {
+ if (oldSelectionArguments == null) {
+ return new String[]{phoneNumber};
+ }
+ String[] newSelectionArguments = new String[oldSelectionArguments.length + 1];
+ System.arraycopy(oldSelectionArguments, 0, newSelectionArguments, 0,
+ oldSelectionArguments.length);
+ newSelectionArguments[oldSelectionArguments.length] = phoneNumber;
+ return newSelectionArguments;
+ }
+
+ /**
+ * Helper that throws a Security Exception if the Cursor object is empty && the phoneNumber
+ * appears to have SQL.
+ *
+ * @param cursor returned from the query.
+ * @param phoneNumber string to check for SQL.
+ */
+ private void examineEmptyCursorCause(Cursor cursor, String phoneNumber) {
+ // checks if the cursor is empty
+ if ((cursor == null) || !cursor.moveToFirst()) {
+ try {
+ // tokenize the phoneNumber and run each token through a checker
+ SQLiteTokenizer.tokenize(phoneNumber, SQLiteTokenizer.OPTION_NONE,
+ this::enforceStrictPhoneNumber);
+ } catch (IllegalArgumentException e) {
+ EventLog.writeEvent(0x534e4554, "224771921", Binder.getCallingUid(),
+ ("invalid phoneNumber passed to queryInternal"));
+ throw new SecurityException("invalid phoneNumber passed to queryInternal");
+ }
+ }
+ }
+
+ private void enforceStrictPhoneNumber(String token) {
+ boolean isAllowedKeyword = SQLiteTokenizer.isKeyword(token);
+ switch (token.toUpperCase(Locale.US)) {
+ case "SELECT":
+ case "FROM":
+ case "WHERE":
+ case "GROUP":
+ case "HAVING":
+ case "WINDOW":
+ case "VALUES":
+ case "ORDER":
+ case "LIMIT":
+ isAllowedKeyword = false;
+ break;
+ }
+ if (!isAllowedKeyword) {
+ throw new IllegalArgumentException("Invalid token " + token);
+ }
+ }
+
private void queryForTesting(Uri uri) {
if (!uri.getBooleanQueryParameter(PARAM_KEY_QUERY_FOR_TESTING, false)) {
return;

147
Patches/LineageOS-14.1/android_packages_providers_MediaProvider/324248.patch Normal file
View File

@ -0,0 +1,147 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Zim <zezeozue@google.com>
Date: Thu, 4 Nov 2021 11:05:39 +0000
Subject: [PATCH] Open all files with O_NOFOLLOW.
SD cards don't support symlinks, so we have no reason to try
following them if somehow an evil caller is able to sneak them into
the database.
Bug: 124329382
Bug: 200682135
Test: atest --test-mapping packages/providers/MediaProvider
Change-Id: Idb1f3ee1db90913a97a50515003f211519037066
Merged-In: Idb1f3ee1db90913a97a50515003f211519037066
(cherry picked from commit b50868065a4cf0c15e96aea66732afc89c388022)
Merged-In: Idb1f3ee1db90913a97a50515003f211519037066
---
.../media/MediaDocumentsProvider.java | 4 +-
.../providers/media/MediaProvider.java | 77 ++++++++++++++++++-
2 files changed, 76 insertions(+), 5 deletions(-)
diff --git a/src/com/android/providers/media/MediaDocumentsProvider.java b/src/com/android/providers/media/MediaDocumentsProvider.java
index 7c3d773a6..c2877731c 100644
--- a/src/com/android/providers/media/MediaDocumentsProvider.java
+++ b/src/com/android/providers/media/MediaDocumentsProvider.java
@@ -799,7 +799,7 @@ public class MediaDocumentsProvider extends DocumentsProvider {
null, signal);
if (cursor.moveToFirst()) {
final String data = cursor.getString(ImageThumbnailQuery._DATA);
- return ParcelFileDescriptor.open(
+ return MediaProvider.openSafely(
new File(data), ParcelFileDescriptor.MODE_READ_ONLY);
}
} finally {
@@ -886,7 +886,7 @@ public class MediaDocumentsProvider extends DocumentsProvider {
null, signal);
if (cursor.moveToFirst()) {
final String data = cursor.getString(VideoThumbnailQuery._DATA);
- return new AssetFileDescriptor(ParcelFileDescriptor.open(
+ return new AssetFileDescriptor(MediaProvider.openSafely(
new File(data), ParcelFileDescriptor.MODE_READ_ONLY), 0,
AssetFileDescriptor.UNKNOWN_LENGTH);
}
diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java
index f0370d7a3..d8a68cff2 100644
--- a/src/com/android/providers/media/MediaProvider.java
+++ b/src/com/android/providers/media/MediaProvider.java
@@ -21,9 +21,25 @@ import static android.Manifest.permission.INTERACT_ACROSS_USERS;
import static android.Manifest.permission.READ_EXTERNAL_STORAGE;
import static android.Manifest.permission.WRITE_EXTERNAL_STORAGE;
import static android.Manifest.permission.WRITE_MEDIA_STORAGE;
+import static android.os.ParcelFileDescriptor.MODE_APPEND;
+import static android.os.ParcelFileDescriptor.MODE_CREATE;
import static android.os.ParcelFileDescriptor.MODE_READ_ONLY;
+import static android.os.ParcelFileDescriptor.MODE_READ_WRITE;
+import static android.os.ParcelFileDescriptor.MODE_TRUNCATE;
import static android.os.ParcelFileDescriptor.MODE_WRITE_ONLY;
-
+import static android.system.OsConstants.O_APPEND;
+import static android.system.OsConstants.O_CLOEXEC;
+import static android.system.OsConstants.O_CREAT;
+import static android.system.OsConstants.O_NOFOLLOW;
+import static android.system.OsConstants.O_RDONLY;
+import static android.system.OsConstants.O_RDWR;
+import static android.system.OsConstants.O_TRUNC;
+import static android.system.OsConstants.O_WRONLY;
+import static android.system.OsConstants.S_IRWXG;
+import static android.system.OsConstants.S_IRWXU;
+
+import android.annotation.NonNull;
+import android.annotation.Nullable;
import android.app.AppOpsManager;
import android.app.SearchManager;
import android.content.BroadcastReceiver;
@@ -5035,7 +5051,62 @@ public class MediaProvider extends ContentProvider {
file = Environment.maybeTranslateEmulatedPathToInternal(file);
}
- return ParcelFileDescriptor.open(file, modeBits);
+ return openSafely(file, modeBits);
+ }
+
+ /**
+ * Drop-in replacement for {@link ParcelFileDescriptor#open(File, int)}
+ * which adds security features like {@link OsConstants#O_CLOEXEC} and
+ * {@link OsConstants#O_NOFOLLOW}.
+ */
+ public static @NonNull ParcelFileDescriptor openSafely(@NonNull File file, int pfdFlags)
+ throws FileNotFoundException {
+ final int posixFlags = translateModePfdToPosix(pfdFlags) | O_CLOEXEC | O_NOFOLLOW;
+ try {
+ final FileDescriptor fd = Os.open(file.getAbsolutePath(), posixFlags,
+ S_IRWXU | S_IRWXG);
+ try {
+ return ParcelFileDescriptor.dup(fd);
+ } finally {
+ closeQuietly(fd);
+ }
+ } catch (IOException | ErrnoException e) {
+ throw new FileNotFoundException(e.getMessage());
+ }
+ }
+
+ private static void closeQuietly(@Nullable FileDescriptor fd) {
+ if (fd == null) return;
+ try {
+ Os.close(fd);
+ } catch (ErrnoException ignored) {
+ }
+ }
+
+ /**
+ * Shamelessly borrowed from {@code android.os.FileUtils}.
+ */
+ private static int translateModePfdToPosix(int mode) {
+ int res = 0;
+ if ((mode & MODE_READ_WRITE) == MODE_READ_WRITE) {
+ res = O_RDWR;
+ } else if ((mode & MODE_WRITE_ONLY) == MODE_WRITE_ONLY) {
+ res = O_WRONLY;
+ } else if ((mode & MODE_READ_ONLY) == MODE_READ_ONLY) {
+ res = O_RDONLY;
+ } else {
+ throw new IllegalArgumentException("Bad mode: " + mode);
+ }
+ if ((mode & MODE_CREATE) == MODE_CREATE) {
+ res |= O_CREAT;
+ }
+ if ((mode & MODE_TRUNCATE) == MODE_TRUNCATE) {
+ res |= O_TRUNC;
+ }
+ if ((mode & MODE_APPEND) == MODE_APPEND) {
+ res |= O_APPEND;
+ }
+ return res;
}
private void deleteIfAllowed(Uri uri, String path) {
@@ -5268,7 +5339,7 @@ public class MediaProvider extends ContentProvider {
}
try {
File f = new File(path);
- ParcelFileDescriptor pfd = ParcelFileDescriptor.open(f,
+ ParcelFileDescriptor pfd = openSafely(f,
ParcelFileDescriptor.MODE_READ_ONLY);
try (MediaScanner scanner = new MediaScanner(context, INTERNAL_VOLUME)) {

64
Patches/LineageOS-14.1/android_packages_services_Telecomm/332456.patch Normal file
View File

@ -0,0 +1,64 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Thomas Stuart <tjstuart@google.com>
Date: Sat, 15 Jan 2022 01:15:29 +0000
Subject: [PATCH] limit TelecomManager#registerPhoneAccount to 10
bug: 209814693
Bug: 217934478
Test: CTS
Change-Id: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af
Merged-In: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af
(cherry picked from commit eb3394e3a8e21cd07c4f7a7ad43494ba14a8cbf4)
Merged-In: I3042a3973dd0dcc8d2fdc96c23d6d41522dc00af
---
.../server/telecom/PhoneAccountRegistrar.java | 23 +++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/com/android/server/telecom/PhoneAccountRegistrar.java b/src/com/android/server/telecom/PhoneAccountRegistrar.java
index 122036bbe..536f11826 100644
--- a/src/com/android/server/telecom/PhoneAccountRegistrar.java
+++ b/src/com/android/server/telecom/PhoneAccountRegistrar.java
@@ -126,6 +126,7 @@ public class PhoneAccountRegistrar {
private static final String FILE_NAME = "phone-account-registrar-state.xml";
@VisibleForTesting
public static final int EXPECTED_STATE_VERSION = 9;
+ public static final int MAX_PHONE_ACCOUNT_REGISTRATIONS = 10;
/** Keep in sync with the same in SipSettings.java */
private static final String SIP_SHARED_PREFERENCES = "SIP_PREFERENCES";
@@ -636,8 +637,13 @@ public class PhoneAccountRegistrar {
return getPhoneAccountHandles(0, null, packageName, false, userHandle);
}
- // TODO: Should we implement an artificial limit for # of accounts associated with a single
- // ComponentName?
+ /**
+ * Performs checks before calling addOrReplacePhoneAccount(PhoneAccount)
+ *
+ * @param account The {@code PhoneAccount} to add or replace.
+ * @throws SecurityException if package does not have BIND_TELECOM_CONNECTION_SERVICE permission
+ * @throws IllegalArgumentException if MAX_PHONE_ACCOUNT_REGISTRATIONS are reached
+ */
public void registerPhoneAccount(PhoneAccount account) {
// Enforce the requirement that a connection service for a phone account has the correct
// permission.
@@ -648,6 +654,19 @@ public class PhoneAccountRegistrar {
throw new SecurityException("PhoneAccount connection service requires "
+ "BIND_TELECOM_CONNECTION_SERVICE permission.");
}
+ //Enforce an upper bound on the number of PhoneAccount's a package can register.
+ // Most apps should only require 1-2.
+ if (getPhoneAccountsForPackage(
+ account.getAccountHandle().getComponentName().getPackageName(),
+ account.getAccountHandle().getUserHandle()).size()
+ >= MAX_PHONE_ACCOUNT_REGISTRATIONS) {
+ Log.w(this, "Phone account %s reached max registration limit for package",
+ account.getAccountHandle());
+ throw new IllegalArgumentException(
+ "Error, cannot register phone account " + account.getAccountHandle()
+ + " because the limit, " + MAX_PHONE_ACCOUNT_REGISTRATIONS
+ + ", has been reached");
+ }
addOrReplacePhoneAccount(account);
}

50
Patches/LineageOS-14.1/android_system_bt/315718.patch Normal file
View File

@ -0,0 +1,50 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sumit Deshmukh <sumitd@codeaurora.org>
Date: Tue, 16 Apr 2019 12:38:32 +0530
Subject: [PATCH] BLE: [IOT] Initiate disconnection when encryption fails
during pairing
Usecase:
1. Keep remote device (IOGEAR Keyboard) in advertising mode.
2. Pair and connect remote device with DUT.
3. Disconnect remote from settings menu.
4. Keep remote back in pairing mode. (This deletes link key
at remote side.)
5. Select remote for connection from Settings menu from
paired devices.
Issue:
Device is seen stuck in "Connecting state" in settings app.
Root Cause:
When pairing is initiated again from DUT (step 5), encryption
change event is received with status "PIN or Key Missing" after
connection complete but disconnection is not initiated by DUT
thereafter.
Fix:
Trigger disconnection if encyption fails with reason like
HCI_ERR_AUTH_FAILURE, HCI_ERR_KEY_MISSING,
HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE etc
CRs-Fixed: 2427750
Change-Id: Ie93938a5dc68c6bbd4b6c375c360f09e797f9e77
---
stack/btm/btm_ble.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/stack/btm/btm_ble.c b/stack/btm/btm_ble.c
index 51fd748c0..6bb85a4ce 100644
--- a/stack/btm/btm_ble.c
+++ b/stack/btm/btm_ble.c
@@ -1643,7 +1643,9 @@ void btm_ble_link_encrypted(BD_ADDR bd_addr, UINT8 encr_enable)
{
if (encr_enable)
btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS, TRUE);
- else if (p_dev_rec->role_master)
+ else if (p_dev_rec->sec_flags & ~BTM_SEC_LE_LINK_KEY_KNOWN) {
+ btm_sec_dev_rec_cback_event(p_dev_rec, BTM_FAILED_ON_SECURITY, TRUE);
+ } else if (p_dev_rec->role_master)
btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, TRUE);
}

29
Patches/LineageOS-14.1/android_system_bt/315719.patch Normal file
View File

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hansong Zhang <hsz@google.com>
Date: Mon, 7 Jun 2021 11:06:17 -0700
Subject: [PATCH] SMP: Reject pairing if public_key.x match
Bug: 189329824
Test: POC
Test: pair an LE device
Change-Id: If6d8a72075f0cf657cadfab033cacffeb22868cb
Tag: #security
(cherry picked from commit 9fbf77d1a81b3a1e09d4efa96070a568431e844d)
---
stack/smp/smp_act.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c
index 8702e1095..fffee6f75 100644
--- a/stack/smp/smp_act.c
+++ b/stack/smp/smp_act.c
@@ -757,8 +757,7 @@ void smp_process_pairing_public_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
memcpy(pt.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
memcpy(pt.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
- if (!memcmp(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, BT_OCTET32_LEN) &&
- !memcmp(p_cb->peer_publ_key.y, p_cb->loc_publ_key.y, BT_OCTET32_LEN))
+ if (!memcmp(p_cb->peer_publ_key.x, p_cb->loc_publ_key.x, BT_OCTET32_LEN))
{
android_errorWriteLog(0x534e4554, "174886838");
SMP_TRACE_WARNING("Remote and local public keys can't match");

38
Patches/LineageOS-14.1/android_system_bt/320420.patch Normal file
View File

@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Manton <cmanton@google.com>
Date: Wed, 29 Sep 2021 17:49:25 -0700
Subject: [PATCH] osi: Prevent memory allocations with MSB set
Limit allocations on 32bit to 2 GB
Limit allocations on 64bit to 8 Exabyte
Bug: 197868577
Tag: #refactor
Test: gd/cert/run
Ignore-AOSP-First: Security
Change-Id: I1c347084d7617b1e364a3241f1b37b398a2a6c6a
(cherry picked from commit cee4d086c959e174328a0e173398d99f59ccbb1f)
---
osi/src/allocator.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/osi/src/allocator.c b/osi/src/allocator.c
index 3d821a826..a81a206a9 100644
--- a/osi/src/allocator.c
+++ b/osi/src/allocator.c
@@ -63,6 +63,7 @@ char *osi_strndup(const char *str, size_t len) {
}
void *osi_malloc(size_t size) {
+ assert((ssize_t)size >= 0);
size_t real_size = allocation_tracker_resize_for_canary(size);
void *ptr = malloc(real_size);
assert(ptr);
@@ -70,6 +71,7 @@ void *osi_malloc(size_t size) {
}
void *osi_calloc(size_t size) {
+ assert((ssize_t)size >= 0);
size_t real_size = allocation_tracker_resize_for_canary(size);
void *ptr = calloc(1, real_size);
assert(ptr);

53
Patches/LineageOS-14.1/android_system_bt/323456.patch Normal file
View File

@ -0,0 +1,53 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Manton <cmanton@google.com>
Date: Mon, 8 Nov 2021 16:45:42 -0800
Subject: [PATCH] security: Use-After-Free in btm_sec_[dis]connected
Bug: 201083442
Tag: #security
Test: gd/cert/run
Ignore-AOSP-First: Security
Change-Id: I69c362d1eb644a3b7fd967cd526a8a58c3b4d975
(cherry picked from commit 4f3fdf141b248cacd7c7dd09c06d058931726c98)
Merged-In:I69c362d1eb644a3b7fd967cd526a8a58c3b4d975
---
stack/btm/btm_sec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c
index b27b7e071..175fefeae 100644
--- a/stack/btm/btm_sec.c
+++ b/stack/btm/btm_sec.c
@@ -4472,7 +4472,6 @@ static void btm_sec_connect_after_cc_page_tout (UNUSED_ATTR void *data)
*******************************************************************************/
void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
{
- tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
UINT8 res;
BOOLEAN is_pairing_device = FALSE;
tACL_CONN *p_acl_cb;
@@ -4480,6 +4479,7 @@ void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
btm_acl_resubmit_page();
+ tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
/* Commenting out trace due to obf/compilation problems.
*/
#if (BT_USE_TRACES == TRUE)
@@ -4836,7 +4836,6 @@ tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
*******************************************************************************/
void btm_sec_disconnected (UINT16 handle, UINT8 reason)
{
- tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
UINT8 old_pairing_flags = btm_cb.pairing_flags;
int result = HCI_ERR_AUTH_FAILURE;
tBTM_SEC_CALLBACK *p_callback = NULL;
@@ -4847,6 +4846,7 @@ void btm_sec_disconnected (UINT16 handle, UINT8 reason)
btm_acl_resubmit_page();
+ tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
if (!p_dev_rec)
return;

50
Patches/LineageOS-14.1/android_system_bt/323457.patch Normal file
View File

@ -0,0 +1,50 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Martin Brabham <optedoblivion@google.com>
Date: Fri, 29 Oct 2021 21:27:27 +0000
Subject: [PATCH] Reset the IRK after all devices are unpaired
Bug: 204355134
Bug: 195410559
Test: Check IRK, pair devices, unpair all devices, Check IRK
Tag: #security
Change-Id: I8e44f010a72dcdec595d81293a05f49ccc054065
Merged-In: I8e44f010a72dcdec595d81293a05f49ccc054065
(cherry picked from commit 6b3c0f6a368dbf6fe9d0d3ca625d47a69fe15d2f)
Merged-In:I8e44f010a72dcdec595d81293a05f49ccc054065
---
bta/dm/bta_dm_act.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/bta/dm/bta_dm_act.c b/bta/dm/bta_dm_act.c
index ff25cef00..74dc74704 100644
--- a/bta/dm/bta_dm_act.c
+++ b/bta/dm/bta_dm_act.c
@@ -35,6 +35,7 @@
#include "bta_dm_co.h"
#include "bta_dm_int.h"
#include "bta_sys.h"
+#include "btif/include/btif_storage.h"
#include "btm_api.h"
#include "btm_int.h"
#include "btu.h"
@@ -44,6 +45,7 @@
#include "osi/include/log.h"
#include "osi/include/osi.h"
#include "sdp_api.h"
+#include "stack/btm/btm_ble_int.h"
#include "utl.h"
#if (GAP_INCLUDED == TRUE)
@@ -865,6 +867,12 @@ void bta_dm_remove_device(tBTA_DM_MSG *p_data)
BD_ADDR dummy_bda = {0};
if (continue_delete_other_dev && (bdcmp(other_address, dummy_bda) != 0))
bta_dm_process_remove_device(other_address);
+
+ /* Check the length of the paired devices, and if 0 then reset IRK */
+ if (btif_storage_get_num_bonded_devices() < 1) {
+ LOG_INFO(LOG_TAG, "Last paired device removed, resetting IRK");
+ btm_ble_reset_id();
+ }
}
/*******************************************************************************

46
Patches/LineageOS-14.1/android_system_bt/328306.patch Normal file
View File

@ -0,0 +1,46 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ted Wang <tedwang@google.com>
Date: Thu, 13 Jan 2022 15:00:32 +0800
Subject: [PATCH] Security fix OOB read due to invalid count in
stack/avrc/avrc_pars_ct
Bug: 205837191
Tag: #security
Test: PoC test program
Ignore-AOSP-First: Security
Change-Id: I7b5bcb6551a8c0c015566327e13ba719271ce374
Merged-In: I7b5bcb6551a8c0c015566327e13ba719271ce374
(cherry picked from commit 60a5d2f63bf95ed386a2ca6c43f1d88bb1d07003)
Merged-In:I7b5bcb6551a8c0c015566327e13ba719271ce374
---
stack/avrc/avrc_pars_ct.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/stack/avrc/avrc_pars_ct.c b/stack/avrc/avrc_pars_ct.c
index cff7bffbe..077ef1210 100644
--- a/stack/avrc/avrc_pars_ct.c
+++ b/stack/avrc/avrc_pars_ct.c
@@ -285,6 +285,11 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
__func__, p_result->get_caps.capability_id, p_result->get_caps.count);
if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID)
{
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_COMP_ID)
+ {
+ android_errorWriteLog(0x534e4554, "205837191");
+ return AVRC_STS_INTERNAL_ERR;
+ }
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_COMP_ID) * 3;
if (len < min_len) goto length_error;
for(int xx = 0; ((xx < p_result->get_caps.count) && (xx < AVRC_CAP_MAX_NUM_COMP_ID));
@@ -295,6 +300,11 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
}
else if (p_result->get_caps.capability_id == AVRC_CAP_EVENTS_SUPPORTED)
{
+ if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_EVT_ID)
+ {
+ android_errorWriteLog(0x534e4554, "205837191");
+ return AVRC_STS_INTERNAL_ERR;
+ }
min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_EVT_ID);
if (len < min_len) goto length_error;
for(int xx = 0; ((xx < p_result->get_caps.count) && (xx < AVRC_CAP_MAX_NUM_EVT_ID));

31
Patches/LineageOS-14.1/android_system_bt/334032.patch Normal file
View File

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chen Chen <cncn@google.com>
Date: Fri, 15 Apr 2022 14:24:48 -0700
Subject: [PATCH] Security: Fix out of bound write in HFP client
Bug: 224536184
Test: build
Tag: #security
Ignore-AOSP-First: Security bug
Change-Id: I9f0be0de6c4e1569095a43e92e9d8f9d73ca5fda
(cherry picked from commit 01136338f6d739226e027716b6e5304df379fa4c)
Merged-In: I9f0be0de6c4e1569095a43e92e9d8f9d73ca5fda
---
bta/hf_client/bta_hf_client_at.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/bta/hf_client/bta_hf_client_at.c b/bta/hf_client/bta_hf_client_at.c
index 76575f730..f790dd432 100644
--- a/bta/hf_client/bta_hf_client_at.c
+++ b/bta/hf_client/bta_hf_client_at.c
@@ -355,6 +355,10 @@ static void bta_hf_client_handle_cind_list_item(char *name, UINT32 min, UINT32 m
APPL_TRACE_DEBUG("%s %lu.%s <%lu:%lu>", __FUNCTION__, index, name, min, max);
+ if (index >= BTA_HF_CLIENT_AT_INDICATOR_COUNT) {
+ return;
+ }
+
/* look for a matching indicator on list of supported ones */
for(i = 0; i < BTA_HF_CLIENT_AT_SUPPORTED_INDICATOR_COUNT; i++)
{

33
Patches/LineageOS-14.1/android_system_bt/334033.patch Normal file
View File

@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: William Escande <wescande@google.com>
Date: Mon, 2 May 2022 09:48:59 -0700
Subject: [PATCH] Check Avrcp packet vendor length before extracting length
Bug: 205571133
Test: build + ag/18105403 for sts test
Ignore-AOSP-First: Security vulnerability
Change-Id: Ic9fa9400ab15785cfdb251af66b1867daf09570e
(cherry picked from commit 003e42896493afb7a0cd7406720987725d4e9da3)
Merged-In: Ic9fa9400ab15785cfdb251af66b1867daf09570e
---
stack/avrc/avrc_pars_tg.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/stack/avrc/avrc_pars_tg.c b/stack/avrc/avrc_pars_tg.c
index 78bd18a43..d976a0d14 100644
--- a/stack/avrc/avrc_pars_tg.c
+++ b/stack/avrc/avrc_pars_tg.c
@@ -44,6 +44,13 @@ static tAVRC_STS avrc_ctrl_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAN
{
tAVRC_STS status = AVRC_STS_NO_ERROR;
+ if (p_msg->vendor_len < 4)
+ { /* 4 == pdu + reserved byte + len as uint16 */
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
+ __func__, p_msg->vendor_len);
+ android_errorWriteLog(0x534e4554, "205571133");
+ return AVRC_STS_INTERNAL_ERR;
+ }
UINT8 *p = p_msg->p_vendor_data;
p_result->pdu = *p++;
AVRC_TRACE_DEBUG("%s pdu:0x%x", __func__, p_result->pdu);

29
Patches/LineageOS-14.1/android_system_bt/334034.patch Normal file
View File

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Josh Wu <joshwu@google.com>
Date: Fri, 29 Apr 2022 00:02:23 -0700
Subject: [PATCH] Security: Fix out of bound read in AT_SKIP_REST
Bug: 220732646
Test: build
Tag: #security
Ignore-AOSP-First: Security bug
Change-Id: Ia49f26e4979f9e57c448190a52d0d01b70e342c4
(cherry picked from commit 4ce5a3c374fb5d24f367a202a6a3dcab4ba4dffd)
Merged-In: Ia49f26e4979f9e57c448190a52d0d01b70e342c4
---
bta/hf_client/bta_hf_client_at.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bta/hf_client/bta_hf_client_at.c b/bta/hf_client/bta_hf_client_at.c
index f790dd432..695c4fb32 100644
--- a/bta/hf_client/bta_hf_client_at.c
+++ b/bta/hf_client/bta_hf_client_at.c
@@ -622,7 +622,7 @@ static void bta_hf_client_handle_cgmm(char *manf_model)
buf += sizeof("\r\n") - 1;
/* skip rest of AT string up to <cr> */
-#define AT_SKIP_REST(buf) while(*buf != '\r') buf++;
+#define AT_SKIP_REST(buf) while(*buf != '\r' && *buf != '\0') buf++;
static char *bta_hf_client_parse_ok(char *buffer)
{

43
Patches/LineageOS-14.1/android_system_bt/334877.patch Normal file
View File

@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Roopa Sattiraju <sattiraju@google.com>
Date: Wed, 25 May 2022 21:00:01 +0000
Subject: [PATCH] Removing bonded device when auth fails due to missing keys
Bug: 231161832
Test: Test against trying to connect using the same address
Change-Id: I2a23440303758faf281989abdb2a614708f05d36
Merged-In: I2a23440303758faf281989abdb2a614708f05d36
(cherry picked from commit 21df1076a4b9c1d1bbe3f5ecb475fe0b7c1b8c2a)
Merged-In: I2a23440303758faf281989abdb2a614708f05d36
---
btif/src/btif_dm.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c
index 3b6f2a744..8dfbae924 100644
--- a/btif/src/btif_dm.c
+++ b/btif/src/btif_dm.c
@@ -1387,7 +1387,6 @@ static void btif_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
break;
case HCI_ERR_PAIRING_NOT_ALLOWED:
- btif_storage_remove_bonded_device(&bd_addr);
status = BT_STATUS_AUTH_REJECTED;
break;
@@ -1398,7 +1397,6 @@ static void btif_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
/* map the auth failure codes, so we can retry pairing if necessary */
case HCI_ERR_AUTH_FAILURE:
case HCI_ERR_KEY_MISSING:
- btif_storage_remove_bonded_device(&bd_addr);
case HCI_ERR_HOST_REJECT_SECURITY:
case HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE:
case HCI_ERR_UNIT_KEY_USED:
@@ -1429,7 +1427,6 @@ static void btif_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
if (check_cod(&bd_addr, COD_HID_POINTING)) {
/* Remove Device as bonded in nvram as authentication failed */
BTIF_TRACE_DEBUG("%s(): removing hid pointing device from nvram", __FUNCTION__);
- btif_storage_remove_bonded_device(&bd_addr);
}
bond_state_changed(status, &bd_addr, state);
}

52
Patches/LineageOS-14.1/android_system_bt/337998.patch Normal file
View File

@ -0,0 +1,52 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chienyuan <chienyuanhuang@google.com>
Date: Wed, 30 Jan 2019 19:17:03 +0800
Subject: [PATCH] Fix OOB in BNEP_Write
Bug: 112050583
Test: PoC
Change-Id: I2ad3aceea38950b83f98819ede47538afb053ac0
(cherry picked from commit b31554e2a31534888c0eb593d915f735ce4670c7)
CRs-Fixed: 3155069
---
stack/bnep/bnep_api.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/stack/bnep/bnep_api.c b/stack/bnep/bnep_api.c
index 3e866d100..dc349299a 100644
--- a/stack/bnep/bnep_api.c
+++ b/stack/bnep/bnep_api.c
@@ -374,10 +374,16 @@ tBNEP_RESULT BNEP_WriteBuf (UINT16 handle,
/* Check MTU size */
if (p_buf->len > BNEP_MTU_SIZE)
{
- BNEP_TRACE_ERROR ("BNEP_Write() length %d exceeded MTU %d", p_buf->len, BNEP_MTU_SIZE);
+ BNEP_TRACE_ERROR ("%s length %d exceeded MTU %d", __func__, p_buf->len, BNEP_MTU_SIZE);
osi_free(p_buf);
return (BNEP_MTU_EXCEDED);
}
+ else if (p_buf->len < 2)
+ {
+ BNEP_TRACE_ERROR ("%s length %d too short, must be at least 2", __func__, p_buf->len);
+ osi_free(p_buf);
+ return BNEP_IGNORE_CMD;
+ }
/* Check if the packet should be filtered out */
p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
@@ -484,9 +490,14 @@ tBNEP_RESULT BNEP_Write (UINT16 handle,
/* Check MTU size. Consider the possibility of having extension headers */
if (len > BNEP_MTU_SIZE)
{
- BNEP_TRACE_ERROR ("BNEP_Write() length %d exceeded MTU %d", len, BNEP_MTU_SIZE);
+ BNEP_TRACE_ERROR ("%s length %d exceeded MTU %d", __func__, len, BNEP_MTU_SIZE);
return (BNEP_MTU_EXCEDED);
}
+ else if (len < 2)
+ {
+ BNEP_TRACE_ERROR ("%s length %d too short, must be at least 2", __func__, len);
+ return BNEP_IGNORE_CMD;
+ }
if ((!handle) || (handle > BNEP_MAX_CONNECTIONS))
return (BNEP_WRONG_HANDLE);

119
Patches/LineageOS-14.1/android_system_bt/337999.patch Normal file
View File

@ -0,0 +1,119 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chienyuan <chienyuanhuang@google.com>
Date: Tue, 12 Feb 2019 16:01:00 +0800
Subject: [PATCH] Fix OOB in bnep_is_packet_allowed
Bug: 112050983
Test: PoC
Change-Id: I5d331f46cdba86c8e61de206a2ede1d2b348d7e4
(cherry picked from commit 230f252b8a1a1073ec1a4081545b2ff62393d16d)
CRs-Fixed: 3155069
---
stack/bnep/bnep_api.c | 15 +++++++++++++--
stack/bnep/bnep_int.h | 2 +-
stack/bnep/bnep_utils.c | 13 ++++++++++++-
3 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/stack/bnep/bnep_api.c b/stack/bnep/bnep_api.c
index dc349299a..e1c9f2e3d 100644
--- a/stack/bnep/bnep_api.c
+++ b/stack/bnep/bnep_api.c
@@ -387,7 +387,8 @@ tBNEP_RESULT BNEP_WriteBuf (UINT16 handle,
/* Check if the packet should be filtered out */
p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
- if (bnep_is_packet_allowed (p_bcb, p_dest_addr, protocol, fw_ext_present, p_data) != BNEP_SUCCESS)
+ if (bnep_is_packet_allowed (p_bcb, p_dest_addr, protocol, fw_ext_present,
+ p_data, p_buf->len) != BNEP_SUCCESS)
{
/*
** If packet is filtered and ext headers are present
@@ -401,6 +402,11 @@ tBNEP_RESULT BNEP_WriteBuf (UINT16 handle,
org_len = p_buf->len;
new_len = 0;
do {
+ if ((new_len + 2) > org_len)
+ {
+ osi_free(p_buf);
+ return BNEP_IGNORE_CMD;
+ }
ext = *p_data++;
length = *p_data++;
@@ -505,7 +511,8 @@ tBNEP_RESULT BNEP_Write (UINT16 handle,
p_bcb = &(bnep_cb.bcb[handle - 1]);
/* Check if the packet should be filtered out */
- if (bnep_is_packet_allowed (p_bcb, p_dest_addr, protocol, fw_ext_present, p_data) != BNEP_SUCCESS)
+ if (bnep_is_packet_allowed (p_bcb, p_dest_addr, protocol, fw_ext_present,
+ p_data, len) != BNEP_SUCCESS)
{
/*
** If packet is filtered and ext headers are present
@@ -520,6 +527,10 @@ tBNEP_RESULT BNEP_Write (UINT16 handle,
new_len = 0;
p = p_data;
do {
+ if ((new_len + 2) > org_len)
+ {
+ return BNEP_IGNORE_CMD;
+ }
ext = *p_data++;
length = *p_data++;
diff --git a/stack/bnep/bnep_int.h b/stack/bnep/bnep_int.h
index 126be04fe..b10098122 100644
--- a/stack/bnep/bnep_int.h
+++ b/stack/bnep/bnep_int.h
@@ -236,7 +236,7 @@ extern UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UI
extern void bnep_sec_check_complete (BD_ADDR bd_addr, tBT_TRANSPORT trasnport,
void *p_ref_data, UINT8 result);
extern tBNEP_RESULT bnep_is_packet_allowed (tBNEP_CONN *p_bcb, BD_ADDR p_dest_addr, UINT16 protocol,
- BOOLEAN fw_ext_present, UINT8 *p_data);
+ BOOLEAN fw_ext_present, UINT8 *p_data, UINT16 org_len);
extern UINT32 bnep_get_uuid32 (tBT_UUID *src_uuid);
diff --git a/stack/bnep/bnep_utils.c b/stack/bnep/bnep_utils.c
index 65acd33f6..09f2d13c2 100644
--- a/stack/bnep/bnep_utils.c
+++ b/stack/bnep/bnep_utils.c
@@ -1336,7 +1336,7 @@ tBNEP_RESULT bnep_is_packet_allowed (tBNEP_CONN *p_bcb,
BD_ADDR p_dest_addr,
UINT16 protocol,
BOOLEAN fw_ext_present,
- UINT8 *p_data)
+ UINT8 *p_data, UINT16 org_len)
{
if (p_bcb->rcvd_num_filters)
{
@@ -1346,18 +1346,29 @@ tBNEP_RESULT bnep_is_packet_allowed (tBNEP_CONN *p_bcb,
proto = protocol;
if (proto == BNEP_802_1_P_PROTOCOL)
{
+ UINT16 new_len = 0;
if (fw_ext_present)
{
UINT8 len, ext;
/* parse the extension headers and findout actual protocol */
do {
+ if ((new_len + 2) > org_len)
+ {
+ return BNEP_IGNORE_CMD;
+ }
ext = *p_data++;
len = *p_data++;
p_data += len;
+ new_len += (len + 2);
+
} while (ext & 0x80);
}
+ if ((new_len + 4) > org_len)
+ {
+ return BNEP_IGNORE_CMD;
+ }
p_data += 2;
BE_STREAM_TO_UINT16 (proto, p_data);
}

40
Patches/LineageOS-14.1/android_system_bt/338000.patch Normal file
View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Venkata Jagadeesh Garaga <quic_vgaraga@quicinc.com>
Date: Tue, 22 Mar 2022 13:35:43 +0530
Subject: [PATCH] Fix OOB in reassemble_and_dispatch
Fix OOB while reading L2cap length in HCI pkt
Change-Id: I7f32b171e8c68b9724f95fcf2327959539e2d0d5
CRs-Fixed: 3155132
---
hci/src/packet_fragmenter.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hci/src/packet_fragmenter.c b/hci/src/packet_fragmenter.c
index f1d302238..b2ebefe0e 100644
--- a/hci/src/packet_fragmenter.c
+++ b/hci/src/packet_fragmenter.c
@@ -130,12 +130,10 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR *packet) {
if ((packet->event & MSG_EVT_MASK) == MSG_HC_TO_STACK_HCI_ACL) {
uint8_t *stream = packet->data;
uint16_t handle;
- uint16_t l2cap_length;
uint16_t acl_length;
STREAM_TO_UINT16(handle, stream);
STREAM_TO_UINT16(acl_length, stream);
- STREAM_TO_UINT16(l2cap_length, stream);
assert(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE);
@@ -166,6 +164,9 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR *packet) {
return;
}
+ uint16_t l2cap_length;
+ STREAM_TO_UINT16(l2cap_length, stream);
+
uint16_t full_length = l2cap_length + L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE;
// Check for buffer overflow and that the full packet size + BT_HDR size is less than

47
Patches/LineageOS-14.1/android_system_core/332457.patch Normal file
View File

@ -0,0 +1,47 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Shaju Mathew <shaju@google.com>
Date: Tue, 5 Apr 2022 04:01:04 -0700
Subject: [PATCH] Backport of Win-specific suppression of potentially rogue
construct that can engage
in directory traversal on the host.
Bug:209438553
Ignore-AOSP-First: Resolution for potential security exploit.
Test: Synced just system/core, therefore relying on presubmits for now.
Will followup with a full-fledged sync and manual cursory test.
Signed-off-by: Shaju Mathew <shaju@google.com>
Change-Id: I993a00ce6130478b7becfdbea816c348824f319f
Merged-In: Ie1f82db2fb14e1bdd183bf8d3d93d5e9f974be5d
(cherry picked from commit a36a342ec9721240e5a48ca50e833b9a35bef256)
Merged-In: I993a00ce6130478b7becfdbea816c348824f319f
---
adb/file_sync_client.cpp | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/adb/file_sync_client.cpp b/adb/file_sync_client.cpp
index 56ff68c58..9920c0b2f 100644
--- a/adb/file_sync_client.cpp
+++ b/adb/file_sync_client.cpp
@@ -554,6 +554,18 @@ static bool sync_ls(SyncConnection& sc, const char* path,
if (!ReadFdExactly(sc.fd, buf, len)) return false;
buf[len] = 0;
+ // Address the unlikely scenario wherein a
+ // compromised device/service might be able to
+ // traverse across directories on the host. Let's
+ // shut that door!
+ if (strchr(buf, '/')
+#if defined(_WIN32)
+ || strchr(buf, '\\')
+#endif
+ ) {
+ return false;
+ }
+
func(msg.dent.mode, msg.dent.size, msg.dent.time, buf);
}
}

54
Patches/LineageOS-15.1/android_external_expat/337988-backport.patch Normal file
View File

@ -0,0 +1,54 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi <sadafebrahimi@google.com>
Date: Fri, 3 Jun 2022 03:40:21 +0000
Subject: [PATCH 1/2] Prevent integer overflow in function doProlog
Bug: http://b/221256678
Change-Id: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
(cherry picked from commit 257f1d3777240016d3ccd74a61cd7d0e0efcaae3)
Merged-In: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
---
lib/xmlparse.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 91f50034..0e57538a 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -4671,23 +4671,29 @@ doProlog(XML_Parser parser,
if (dtd->in_eldecl) {
ELEMENT_TYPE *el;
const XML_Char *name;
- int nameLen;
- const char *nxt = (quant == XML_CQUANT_NONE
- ? next
- : next - enc->minBytesPerChar);
+ size_t nameLen;
+ const char *nxt
+ = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
int myindex = nextScaffoldPart(parser);
if (myindex < 0)
return XML_ERROR_NO_MEMORY;
dtd->scaffold[myindex].type = XML_CTYPE_NAME;
dtd->scaffold[myindex].quant = quant;
el = getElementType(parser, enc, s, nxt);
- if (!el)
+ if (! el)
return XML_ERROR_NO_MEMORY;
name = el->name;
dtd->scaffold[myindex].name = name;
nameLen = 0;
- for (; name[nameLen++]; );
- dtd->contentStringLen += nameLen;
+ for (; name[nameLen++];)
+ ;
+
+ /* Detect and prevent integer overflow */
+ if (nameLen > UINT_MAX - dtd->contentStringLen) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
+ dtd->contentStringLen += (unsigned)nameLen;
if (elementDeclHandler)
handleDefault = XML_FALSE;
}

244
Patches/LineageOS-15.1/android_external_expat/337989-backport.patch Normal file
View File

@ -0,0 +1,244 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi <sadafebrahimi@google.com>
Date: Wed, 15 Jun 2022 04:14:33 +0000
Subject: [PATCH 2/2] Prevent more integer overflows
Bug: http://b/219942275
Change-Id: I7489f59564e0053a4a46bb8c362f7c36ab0b3c9d
Merged-In: Ic5c8087ee64e6faafcf013cef9536c042eb8a09d
(cherry picked from commit 15a1f35dddde9c1a0a626972349a59642abd345a)
Merged-In: I7489f59564e0053a4a46bb8c362f7c36ab0b3c9d
---
lib/xmlparse.c | 152 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 150 insertions(+), 2 deletions(-)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 0e57538a..7b25a0b8 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -2784,18 +2784,54 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
/* get the attributes from the tokenizer */
n = XmlGetAttributes(enc, attStr, attsSize, atts);
+
+ /* Detect and prevent integer overflow */
+ if (n > INT_MAX - nDefaultAtts) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
if (n + nDefaultAtts > attsSize) {
int oldAttsSize = attsSize;
ATTRIBUTE *temp;
#ifdef XML_ATTR_INFO
XML_AttrInfo *temp2;
#endif
+
+ /* Detect and prevent integer overflow */
+ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
+ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
+
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
+ attsSize = oldAttsSize;
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
+
temp = (ATTRIBUTE *)REALLOC((void *)atts, attsSize * sizeof(ATTRIBUTE));
if (temp == NULL)
return XML_ERROR_NO_MEMORY;
atts = temp;
#ifdef XML_ATTR_INFO
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
+ attsSize = oldAttsSize;
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
+
temp2 = (XML_AttrInfo *)REALLOC((void *)attInfo, attsSize * sizeof(XML_AttrInfo));
if (temp2 == NULL)
return XML_ERROR_NO_MEMORY;
@@ -3073,9 +3109,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
tagNamePtr->prefixLen = prefixLen;
for (i = 0; localPart[i++];)
; /* i includes null terminator */
+
+ /* Detect and prevent integer overflow */
+ if (binding->uriLen > INT_MAX - prefixLen
+ || i > INT_MAX - (binding->uriLen + prefixLen)) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
n = i + binding->uriLen + prefixLen;
if (n > binding->uriAlloc) {
TAG *p;
+
+ /* Detect and prevent integer overflow */
+ if (n > INT_MAX - EXPAND_SPARE) {
+ return XML_ERROR_NO_MEMORY;
+ }
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
+
uri = (XML_Char *)MALLOC((n + EXPAND_SPARE) * sizeof(XML_Char));
if (!uri)
return XML_ERROR_NO_MEMORY;
@@ -3176,6 +3234,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
if (freeBindingList) {
b = freeBindingList;
if (len > b->uriAlloc) {
+ /* Detect and prevent integer overflow */
+ if (len > INT_MAX - EXPAND_SPARE) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
+
XML_Char *temp = (XML_Char *)REALLOC(b->uri,
sizeof(XML_Char) * (len + EXPAND_SPARE));
if (temp == NULL)
@@ -3189,6 +3262,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
b = (BINDING *)MALLOC(sizeof(BINDING));
if (!b)
return XML_ERROR_NO_MEMORY;
+
+ /* Detect and prevent integer overflow */
+ if (len > INT_MAX - EXPAND_SPARE) {
+ return XML_ERROR_NO_MEMORY;
+ }
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
+
b->uri = (XML_Char *)MALLOC(sizeof(XML_Char) * (len + EXPAND_SPARE));
if (!b->uri) {
FREE(b);
@@ -5441,7 +5529,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
}
else {
DEFAULT_ATTRIBUTE *temp;
+
+ /* Detect and prevent integer overflow */
+ if (type->allocDefaultAtts > INT_MAX / 2) {
+ return 0;
+ }
+
int count = type->allocDefaultAtts * 2;
+
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
+ return 0;
+ }
+#endif
+
temp = (DEFAULT_ATTRIBUTE *)
REALLOC(type->defaultAtts, (count * sizeof(DEFAULT_ATTRIBUTE)));
if (temp == NULL)
@@ -6070,8 +6175,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize)
/* check for overflow (table is half full) */
if (table->used >> (table->power - 1)) {
unsigned char newPower = table->power + 1;
+
+ /* Detect and prevent invalid shift */
+ if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
+ return NULL;
+ }
+
size_t newSize = (size_t)1 << newPower;
unsigned long newMask = (unsigned long)newSize - 1;
+
+ /* Detect and prevent integer overflow */
+ if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
+ return NULL;
+ }
+
size_t tsize = newSize * sizeof(NAMED *);
NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
if (!newV)
@@ -6362,6 +6479,20 @@ nextScaffoldPart(XML_Parser parser)
if (dtd->scaffCount >= dtd->scaffSize) {
CONTENT_SCAFFOLD *temp;
if (dtd->scaffold) {
+ /* Detect and prevent integer overflow */
+ if (dtd->scaffSize > UINT_MAX / 2u) {
+ return -1;
+ }
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
+ return -1;
+ }
+#endif
+
temp = (CONTENT_SCAFFOLD *)
REALLOC(dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
if (temp == NULL)
@@ -6438,8 +6569,25 @@ build_model (XML_Parser parser)
XML_Content *ret;
XML_Content *cpos;
XML_Char * str;
- int allocsize = (dtd->scaffCount * sizeof(XML_Content)
- + (dtd->contentStringLen * sizeof(XML_Char)));
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
+ return NULL;
+ }
+ if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
+ return NULL;
+ }
+#endif
+ if (dtd->scaffCount * sizeof(XML_Content)
+ > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
+ return NULL;
+ }
+
+ const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
+ + (dtd->contentStringLen * sizeof(XML_Char)));
ret = (XML_Content *)MALLOC(allocsize);
if (!ret)

15
Scripts/LineageOS-14.1/Functions.sh
View File

@ -105,22 +105,7 @@ patchWorkspace() {
source build/envsetup.sh;
#repopick -it bt-sbc-hd-dualchannel-nougat;
repopick -i 315718; #CVE-2021-1957
repopick -it n-asb-2021-09;
repopick -it n-asb-2021-10;
repopick -it n-asb-2021-11;
repopick -it n-asb-2021-12;
repopick -it n-asb-2022-01;
repopick -it n-asb-2022-02;
repopick -it n-asb-2022-03;
repopick -it n-asb-2022-04;
repopick -it tzdb_N;
repopick -it n-asb-2022-05;
repopick -it n-asb-2022-06;
repopick -it n-asb-2022-07;
repopick -i 334325; #Modify conditions for preventing updated system apps from being downgraded
repopick -it n-asb-2022-08;
repopick -it n-asb-2022-09;
sh "$DOS_SCRIPTS/Patch.sh";
sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";

123
Scripts/LineageOS-14.1/Patch.sh
View File

@ -86,15 +86,77 @@ if [ "$(type -t DOS_WEBVIEW_CHERRYPICK)" = "alias" ] ; then DOS_WEBVIEW_CHERRYPI
if [ "$DOS_WEBVIEW_LFS" = true ]; then git lfs pull; fi; #Ensure the objects are available
fi;
if enterAndClear "external/expat"; then
applyPatch "$DOS_PATCHES/android_external_expat/337987-backport.patch"; #n-asb-2022-09 Prevent XML_GetBuffer signed integer overflow
applyPatch "$DOS_PATCHES/android_external_expat/337988-backport.patch"; #n-asb-2022-09 Prevent integer overflow in function doProlog
applyPatch "$DOS_PATCHES/android_external_expat/337989-backport.patch"; #n-asb-2022-09 Prevent more integer overflows
fi;
if enterAndClear "external/libavc"; then
applyPatch "$DOS_PATCHES/android_external_libavc/315711.patch"; #n-asb-2021-09 Decoder: Update check for increment u2_cur_slice_num
applyPatch "$DOS_PATCHES/android_external_libavc/323462.patch"; #n-asb-2022-02 Move slice increments after completing header parsing
fi;
if enterAndClear "external/libexif"; then
applyPatch "$DOS_PATCHES/android_external_libexif/323459.patch"; #n-asb-2022-02 Fix MakerNote tag size overflow issues at read time.
applyPatch "$DOS_PATCHES/android_external_libexif/323460.patch"; #n-asb-2022-02 Ensure MakeNote data pointers are initialized with NULL.
applyPatch "$DOS_PATCHES/android_external_libexif/323461.patch"; #n-asb-2022-02 Zero initialize ExifMnoteData<vendor> during construction with exif_mnote_data_<vendor>_new.
fi;
if enterAndClear "external/libnfc-nci"; then
applyPatch "$DOS_PATCHES/android_external_libnfc-nci/317037.patch"; #n-asb-2021-10 Type confusion due to race condition on tag type change
applyPatch "$DOS_PATCHES/android_external_libnfc-nci/318515.patch"; #n-asb-2021-11 OOBW in phNxpNciHal_process_ext_rsp
applyPatch "$DOS_PATCHES/android_external_libnfc-nci/332458.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config
applyPatch "$DOS_PATCHES/android_external_libnfc-nci/332459.patch"; #n-asb-2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
applyPatch "$DOS_PATCHES/android_external_libnfc-nci/332460.patch"; #n-asb-2022-06 Double Free in ce_t4t_data_cback
fi;
if enterAndClear "external/sonivox"; then
applyPatch "$DOS_PATCHES/android_external_sonivox/317038.patch"; #n-asb-2021-10 Fix global buffer overflow in WT_InterpolateNoLoop
fi;
if enterAndClear "external/sqlite"; then
applyPatch "$DOS_PATCHES/android_external_sqlite/0001-Secure_Delete.patch"; #Enable secure_delete by default (AndroidHardening-13.0)
fi;
if enterAndClear "external/tremolo"; then
applyPatch "$DOS_PATCHES/android_external_tremolo/319986.patch"; #n-asb-2021-12 handle cases where order isn't a multiple of dimension
fi;
if enterAndClear "frameworks/av"; then
applyPatch "$DOS_PATCHES/android_frameworks_av/212799.patch"; #FLAC extractor CVE-2017-0592. alt: 212827/174106 (AOSP)
applyPatch "$DOS_PATCHES/android_frameworks_av/319987.patch"; #n-asb-2021-12 Fix heap-buffer-overflow in MPEG4Extractor
applyPatch "$DOS_PATCHES/android_frameworks_av/321222.patch"; #n-asb-2022-01 SimpleDecodingSource:Prevent OOB write in heap mem
fi;
if enterAndClear "frameworks/base"; then
applyPatch "$DOS_PATCHES/android_frameworks_base/315712.patch"; #n-asb-2021-09 Fix race condition between lockNow() and updateLockscreenTimeout
applyPatch "$DOS_PATCHES/android_frameworks_base/315713.patch"; #n-asb-2021-09 Improve ellipsize performance
applyPatch "$DOS_PATCHES/android_frameworks_base/315740.patch"; #n-asb-2021-09 Fix side effects of trace-ipc and dumpheap commands
applyPatch "$DOS_PATCHES/android_frameworks_base/315741.patch"; #n-asb-2021-09 Don't attach private Notification to A11yEvent when user locked
applyPatch "$DOS_PATCHES/android_frameworks_base/317035.patch"; #n-asb-2021-10 Fix a potential thread safety issue in VectorDrawable
applyPatch "$DOS_PATCHES/android_frameworks_base/317036.patch"; #n-asb-2021-10 Apply a maximum char count to the load label api
applyPatch "$DOS_PATCHES/android_frameworks_base/317049.patch"; #n-asb-2021-10 Change ownership of the account request notification.
applyPatch "$DOS_PATCHES/android_frameworks_base/317050.patch"; #n-asb-2021-10 Send targeted broadcasts to prevent other apps from receiving them.
applyPatch "$DOS_PATCHES/android_frameworks_base/318516.patch"; #n-asb-2021-11 camera2: Fix exception swallowing in params classes createFromParcel
applyPatch "$DOS_PATCHES/android_frameworks_base/318517.patch"; #n-asb-2021-11 Bluetooth: Fix formatting in getAlias()
applyPatch "$DOS_PATCHES/android_frameworks_base/319988.patch"; #n-asb-2021-12 Fix serialization bug in GpsNavigationMessage
applyPatch "$DOS_PATCHES/android_frameworks_base/322452.patch"; #n-asb-2022-01 Fix another AddAccountSettings memory leak
applyPatch "$DOS_PATCHES/android_frameworks_base/322453.patch"; #n-asb-2022-01 Force-set a ClipData to prevent later migration.
applyPatch "$DOS_PATCHES/android_frameworks_base/322454.patch"; #n-asb-2022-01 Prevent apps from spamming addAccountExplicitly.
applyPatch "$DOS_PATCHES/android_frameworks_base/331108.patch"; #n-asb-2022-05 Always restart apps if base.apk gets updated.
applyPatch "$DOS_PATCHES/android_frameworks_base/332444.patch"; #n-asb-2022-06 Fixed a concurrent modification crash
applyPatch "$DOS_PATCHES/android_frameworks_base/332445.patch"; #n-asb-2022-06 Fix security hole in GateKeeperResponse
applyPatch "$DOS_PATCHES/android_frameworks_base/332446.patch"; #n-asb-2022-06 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format.
applyPatch "$DOS_PATCHES/android_frameworks_base/332447.patch"; #n-asb-2022-06 Prevent non-admin users from deleting system apps.
applyPatch "$DOS_PATCHES/android_frameworks_base/334325.patch"; #n-asb-2022-06-FIXUP Modify conditions for preventing updated system apps from being downgraded
applyPatch "$DOS_PATCHES/android_frameworks_base/332448.patch"; #n-asb-2022-06 limit TelecomManager#registerPhoneAccount to 10; api doc update
applyPatch "$DOS_PATCHES/android_frameworks_base/332449.patch"; #n-asb-2022-06 Add an OEM configurable limit for zen rules
applyPatch "$DOS_PATCHES/android_frameworks_base/334035.patch"; #n-asb-2022-07 Crash invalid FGS notifications
applyPatch "$DOS_PATCHES/android_frameworks_base/334871.patch"; #n-asb-2022-08 Only allow system and same app to apply relinquishTaskIdentity
applyPatch "$DOS_PATCHES/android_frameworks_base/334872.patch"; #n-asb-2022-08 Stop using invalid URL to prevent unexpected crash
applyPatch "$DOS_PATCHES/android_frameworks_base/334873.patch"; #n-asb-2022-08 Only allow the system server to connect to sync adapters
applyPatch "$DOS_PATCHES/android_frameworks_base/338003.patch"; #n-asb-2022-09 IMMS: Make IMMS PendingIntents immutable
git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@ -112,6 +174,8 @@ rm -rf packages/PrintRecommendationService; #Creates popups to install proprieta
fi;
if enterAndClear "frameworks/native"; then
applyPatch "$DOS_PATCHES/android_frameworks_native/315714.patch"; #n-asb-2021-09 Do not modify vector after getting references
applyPatch "$DOS_PATCHES/android_frameworks_native/325993.patch"; #n-asb-2022-03 Check if the window is partially obscured for slippery enters
if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
fi;
@ -199,7 +263,15 @@ if enterAndClear "hardware/qcom/media-caf/msm8994"; then
applyPatch "$DOS_PATCHES/android_hardware_qcom_media/227622.patch"; #n_asb_09-2018-qcom (CAF)
fi;
if enterAndClear "packages/apps/Bluetooth"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332451.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332452.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
fi;
if enterAndClear "packages/apps/Contacts"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Contacts/318518.patch"; #n-asb-2021-11 Add permission to start NFC activity to ensure it is from NFC stack
applyPatch "$DOS_PATCHES/android_packages_apps_Contacts/319989.patch"; #n-asb-2021-12 Address photo editing security bug
applyPatch "$DOS_PATCHES/android_packages_apps_Contacts/332453.patch"; #n-asb-2022-06 No longer export CallSubjectDialog
applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Contacts/0004-No_GMaps.patch"; #Use common intent for directions instead of Google Maps URL (GrapheneOS)
fi;
@ -210,11 +282,36 @@ applyPatch "$DOS_PATCHES/android_packages_apps_CMParts/0002-Reduced_Resolution.p
cp -f "$DOS_PATCHES_COMMON/contributors.db" assets/contributors.db; #Update contributors cloud
fi;
if enterAndClear "packages/apps/Dialer"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Dialer/332454.patch"; #n-asb-2022-06 No longer export CallSubjectDialog
fi;
if enterAndClear "packages/apps/KeyChain"; then
applyPatch "$DOS_PATCHES/android_packages_apps_KeyChain/319990.patch"; #n-asb-2021-12 Hide overlay on KeyChainActivity
applyPatch "$DOS_PATCHES/android_packages_apps_KeyChain/334036.patch"; #n-asb-2022-07 Encode authority part of uri before showing in UI
fi;
if enterAndClear "packages/apps/Nfc"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/315715.patch"; #n-asb-2021-09 Add HIDE_NON_SYSTEM_OVERLAY_WINDOWS permission to Nfc
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/328308.patch"; #n-asb-2022-04 Do not set default contactless application without user interaction
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332455.patch"; #n-asb-2022-06 OOB read in phNciNfc_RecvMfResp()
fi;
if enterAndClear "packages/apps/PackageInstaller"; then
applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/64d8b44.patch"; #Fix an issue with Permission Review (AOSP/452540)
fi;
if enterAndClear "packages/apps/Settings"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/315716.patch"; #n-asb-2021-09 Update string
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/315717.patch"; #n-asb-2021-09 Fix phishing attacks over Bluetooth due to unclear warning message
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/318519.patch"; #n-asb-2021-11 Import translations.
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/319991.patch"; #n-asb-2021-12 BluetoothSecurity: Add BLUETOOTH_PRIVILEGED permission for pairing dialog
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/323458.patch"; #n-asb-2022-02 Rephrase dialog message of clear storage dialog for security concern
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/325994.patch"; #n-asb-2022-03 Fix bypass CALL_PRIVILEGED permission in AppRestrictionsFragment
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/327099.patch"; #n-asb-2022-03 Add caller check to com.android.credentials.RESET
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334037.patch"; #n-asb-2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334874.patch"; #n-asb-2022-08 Verify ringtone from ringtone picker is audio
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334875.patch"; #n-asb-2022-08 Fix Settings crash when setting a null ringtone
git revert --no-edit 2ebe6058c546194a301c1fd22963d6be4adbf961; #Don't hide OEM unlock
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/201113.patch"; #wifi: Add world regulatory domain country code (syphyr)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
@ -251,12 +348,37 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0001-Voic
applyPatch "$DOS_PATCHES_COMMON/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
fi;
if enterAndClear "packages/services/Telecomm"; then
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332456.patch"; #n-asb-2022-06 limit TelecomManager#registerPhoneAccount to 10
fi;
if enterAndClear "packages/services/Telephony"; then
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #(DivestOS)
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
fi;
if enterAndClear "packages/providers/ContactsProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_ContactsProvider/334876.patch"; #n-asb-2022-08 enforce stricter CallLogProvider query
fi;
if enterAndClear "packages/providers/MediaProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/324248.patch"; #n-asb-2022-02 Open all files with O_NOFOLLOW.
fi;
if enterAndClear "system/bt"; then
applyPatch "$DOS_PATCHES/android_system_bt/315718.patch"; #BLE: [IOT] Initiate disconnection when encryption fails during pairing #CVE-2021-1957
applyPatch "$DOS_PATCHES/android_system_bt/315719.patch"; #n-asb-2021-09 SMP: Reject pairing if public_key.x match
applyPatch "$DOS_PATCHES/android_system_bt/320420.patch"; #n-asb-2021-12 osi: Prevent memory allocations with MSB set
applyPatch "$DOS_PATCHES/android_system_bt/323456.patch"; #n-asb-2022-02 security: Use-After-Free in btm_sec_[dis]connected
applyPatch "$DOS_PATCHES/android_system_bt/323457.patch"; #n-asb-2022-02 Reset the IRK after all devices are unpaired
applyPatch "$DOS_PATCHES/android_system_bt/328306.patch"; #n-asb-2022-04 Security fix OOB read due to invalid count in stack/avrc/avrc_pars_ct
applyPatch "$DOS_PATCHES/android_system_bt/334032.patch"; #n-asb-2022-07 Security: Fix out of bound write in HFP client
applyPatch "$DOS_PATCHES/android_system_bt/334033.patch"; #n-asb-2022-07 Check Avrcp packet vendor length before extracting length
applyPatch "$DOS_PATCHES/android_system_bt/334034.patch"; #n-asb-2022-07 Security: Fix out of bound read in AT_SKIP_REST
applyPatch "$DOS_PATCHES/android_system_bt/334877.patch"; #n-asb-2022-08 Removing bonded device when auth fails due to missing keys
applyPatch "$DOS_PATCHES/android_system_bt/337998.patch"; #n-asb-2022-09 Fix OOB in BNEP_Write
applyPatch "$DOS_PATCHES/android_system_bt/337999.patch"; #n-asb-2022-09 Fix OOB in bnep_is_packet_allowed
applyPatch "$DOS_PATCHES/android_system_bt/338000.patch"; #n-asb-2022-09 Fix OOB in reassemble_and_dispatch
applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)
@ -264,6 +386,7 @@ applyPatch "$DOS_PATCHES/android_system_bt/0001-NO_READENCRKEYSIZE.patch"; #Add
fi;
if enterAndClear "system/core"; then
applyPatch "$DOS_PATCHES/android_system_core/332457.patch"; #n-asb-2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
git revert --no-edit 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f2cd81645b15f; #Always update recovery XXX: This doesn't seem to work
applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)

2
Scripts/LineageOS-15.1/Patch.sh
View File

@ -98,6 +98,8 @@ fi;
if enterAndClear "external/expat"; then
applyPatch "$DOS_PATCHES/android_external_expat/337987.patch"; #Q_asb_2022-09 Prevent XML_GetBuffer signed integer overflow
applyPatch "$DOS_PATCHES/android_external_expat/337988-backport.patch"; #n-asb-2022-09 Prevent integer overflow in function doProlog
applyPatch "$DOS_PATCHES/android_external_expat/337989-backport.patch"; #n-asb-2022-09 Prevent more integer overflows
fi;
#if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then