17.1: July 2024 ASB work

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-17.1/android_frameworks_base/0010-Exec_Based_Spawning-1.patch

@@ -145,7 +145,7 @@ index f0e779694c90..9f41a4136db9 100644
                  OsConstants._LINUX_CAPABILITY_VERSION_3, 0);
          StructCapUserData[] data;
 diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
-index 52d0adba0a05..478ccfb2f568 100644
+index fe2ff54194fb..6a46a0b7b8ec 100644
 --- a/core/java/com/android/internal/os/ZygoteConnection.java
 +++ b/core/java/com/android/internal/os/ZygoteConnection.java
 @@ -33,6 +33,7 @@ import android.net.Credentials;
@@ -156,7 +156,7 @@ index 52d0adba0a05..478ccfb2f568 100644
  import android.os.Trace;
  import android.system.ErrnoException;
  import android.system.Os;
-@@ -595,6 +596,13 @@ class ZygoteConnection {
+@@ -598,6 +599,13 @@ class ZygoteConnection {
              throw new IllegalStateException("WrapperInit.execApplication unexpectedly returned");
          } else {
              if (!isZygote) {

Patches/LineageOS-17.1/android_frameworks_base/0010-Exec_Based_Spawning-3.patch

@@ -10,10 +10,10 @@ spawning when doing debugging.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
-index 478ccfb2f568..355c1115fb4f 100644
+index 6a46a0b7b8ec..c71a5c5f3d9b 100644
 --- a/core/java/com/android/internal/os/ZygoteConnection.java
 +++ b/core/java/com/android/internal/os/ZygoteConnection.java
-@@ -596,7 +596,8 @@ class ZygoteConnection {
+@@ -599,7 +599,8 @@ class ZygoteConnection {
              throw new IllegalStateException("WrapperInit.execApplication unexpectedly returned");
          } else {
              if (!isZygote) {

Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-1.patch

@@ -22,7 +22,7 @@ index a8dd041454c9..6940b9eb36ed 100644
      <!-- Allows applications to access information about networks.
           <p>Protection level: normal
 diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
-index f247610fa8a3..a57a2b819f84 100644
+index 7784e4a9717c..c2c2624bf063 100644
 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
 +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
 @@ -1025,7 +1025,7 @@ public class PermissionManagerService {

Patches/LineageOS-17.1/android_frameworks_base/0014-Sensors_Permission.patch

@@ -100,7 +100,7 @@ index 2cf2b923ef90..ae206c1f5872 100644
      <string name="permlab_readCalendar">Read calendar events and details</string>
      <!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
 diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
-index a57a2b819f84..ecbee40cf574 100644
+index c2c2624bf063..b826a90f1270 100644
 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
 +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
 @@ -1025,7 +1025,7 @@ public class PermissionManagerService {

Patches/LineageOS-17.1/android_frameworks_base/0014-Special_Permissions.patch

@@ -25,7 +25,7 @@ index d27b5ad0d646..32b022455451 100644
                          Process.SYSTEM_UID, userId, delayingPermCallback);
                  // Allow app op later as we are holding mPackages
 diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
-index ed551795aad5..f247610fa8a3 100644
+index b342f443d9ac..7784e4a9717c 100644
 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
 +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
 @@ -1024,6 +1024,10 @@ public class PermissionManagerService {

Patches/LineageOS-17.1/android_frameworks_base/397542.patch

@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Martijn Coenen <maco@google.com>
+Date: Thu, 29 Feb 2024 12:03:05 +0000
+Subject: [PATCH] Verify UID of incoming Zygote connections.
+
+Only the system UID should be allowed to connect to the Zygote. While
+for generic Zygotes this is also covered by SELinux policy, this is not
+true for App Zygotes: the preload code running in an app zygote could
+connect to another app zygote socket, if it had access to its (random)
+socket address.
+
+On the Java layer, simply check the UID when the connection is made. In
+the native layer, this check was already present, but it actually didn't
+work in the case where we receive a new incoming connection on the
+socket, and receive a 'non-fork' command: in that case, we will simply
+exit the native loop, and let the Java layer handle the command, without
+any further UID checking.
+
+Modified the native logic to drop new connections with a mismatching
+UID, and to keep serving the existing connection (if it was still
+there).
+
+ [Backport: No native layer for ZygoteCommandBuffer present]
+
+Bug: 319081336
+Test: manual
+(cherry picked from commit 2ffc7cb220e4220b7e108c4043a3f0f2a85b6508)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e397fd3d20c3f409311e411387ec1524ccecf085)
+Merged-In: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
+Change-Id: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
+---
+ core/java/com/android/internal/os/ZygoteConnection.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
+index 52d0adba0a05..fe2ff54194fb 100644
+--- a/core/java/com/android/internal/os/ZygoteConnection.java
++++ b/core/java/com/android/internal/os/ZygoteConnection.java
+@@ -106,6 +106,9 @@ class ZygoteConnection {
+             throw ex;
+         }
+ 
++        if (peer.getUid() != Process.SYSTEM_UID) {
++            throw new ZygoteSecurityException("Only system UID is allowed to connect to Zygote.");
++        }
+         isEof = false;
+     }
+ 

Patches/LineageOS-17.1/android_frameworks_base/397543.patch

@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yi-an Chen <theianchen@google.com>
+Date: Tue, 23 Apr 2024 21:53:02 +0000
+Subject: [PATCH] Fix security vulnerability of non-dynamic permission removal
+
+The original removePermission() code in PermissionManagerService
+missed a logical negation operator when handling non-dynamic
+permissions, causing both
+testPermissionPermission_nonDynamicPermission_permissionUnchanged and
+testRemovePermission_dynamicPermission_permissionRemoved tests in
+DynamicPermissionsTest to fail.
+
+The corresponding test DynamicPermissionsTest is also updated in the
+other CL: ag/27073864
+
+Bug: 321711213
+Test: DynamicPermissionsTest on sc-dev and tm-dev locally
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:35d77a77feef62dc108f6478cb9228cc6044f70d)
+Merged-In: Id573b75cdcfce3a1df5731ffb00c4228c513e686
+Change-Id: Id573b75cdcfce3a1df5731ffb00c4228c513e686
+---
+ .../android/server/pm/permission/PermissionManagerService.java  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+index ed551795aad5..b342f443d9ac 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+@@ -1011,7 +1011,7 @@ public class PermissionManagerService {
+             if (bp == null) {
+                 return;
+             }
+-            if (bp.isDynamic()) {
++            if (!bp.isDynamic()) {
+                 // TODO: switch this back to SecurityException
+                 Slog.wtf(TAG, "Not allowed to modify non-dynamic permission "
+                         + permName);

Patches/LineageOS-17.1/android_system_bt/397545.patch

@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Mon, 22 Apr 2024 21:14:56 +0000
+Subject: [PATCH] Fix an authentication bypass bug in SMP
+
+When pairing with BLE legacy pairing initiated
+from remote, authentication can be bypassed.
+This change fixes it.
+
+Bug: 251514170
+Test: m com.android.btservices
+Test: manual run against PoC
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a3dbadc71428a30b172a74343be08498c656747)
+Merged-In: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
+Change-Id: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
+---
+ stack/smp/smp_act.cc | 12 ++++++++++++
+ stack/smp/smp_int.h  |  1 +
+ 2 files changed, 13 insertions(+)
+
+diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
+index c1f143e92..199c5abb3 100644
+--- a/stack/smp/smp_act.cc
++++ b/stack/smp/smp_act.cc
+@@ -284,6 +284,7 @@ void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+ void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+   SMP_TRACE_DEBUG("%s", __func__);
+   smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
++  p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
+ }
+ 
+ /*******************************************************************************
+@@ -645,6 +646,17 @@ void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+     return;
+   }
+ 
++  if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
++        (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
++      !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
++    // in legacy pairing, the peer should send its rand after
++    // we send our confirm
++    tSMP_INT_DATA smp_int_data{};
++    smp_int_data.status = SMP_INVALID_PARAMETERS;
++    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
++    return;
++  }
++
+   /* save the SRand for comparison */
+   STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
+ }
+diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h
+index 72fdf55a9..e3063c57d 100644
+--- a/stack/smp/smp_int.h
++++ b/stack/smp/smp_int.h
+@@ -241,6 +241,7 @@ typedef union {
+   (1 << 7) /* used to resolve race condition */
+ #define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY \
+   (1 << 8) /* used on slave to resolve race condition */
++#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9)
+ 
+ /* check if authentication requirement need MITM protection */
+ #define SMP_NO_MITM_REQUIRED(x) (((x)&SMP_AUTH_YN_BIT) == 0)

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/397546.patch

@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Mon, 22 Apr 2024 21:14:56 +0000
+Subject: [PATCH] Fix an authentication bypass bug in SMP
+
+When pairing with BLE legacy pairing initiated
+from remote, authentication can be bypassed.
+This change fixes it.
+
+Bug: 251514170
+Test: m com.android.btservices
+Test: manual run against PoC
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a3dbadc71428a30b172a74343be08498c656747)
+Merged-In: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
+Change-Id: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
+---
+ stack/smp/smp_act.cc | 12 ++++++++++++
+ stack/smp/smp_int.h  |  1 +
+ 2 files changed, 13 insertions(+)
+
+diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
+index a18d8389b..cb8b16329 100755
+--- a/stack/smp/smp_act.cc
++++ b/stack/smp/smp_act.cc
+@@ -290,6 +290,7 @@ void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+ void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+   SMP_TRACE_DEBUG("%s", __func__);
+   smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
++  p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
+ }
+ 
+ /*******************************************************************************
+@@ -671,6 +672,17 @@ void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+     return;
+   }
+ 
++  if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
++        (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
++      !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
++    // in legacy pairing, the peer should send its rand after
++    // we send our confirm
++    tSMP_INT_DATA smp_int_data{};
++    smp_int_data.status = SMP_INVALID_PARAMETERS;
++    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
++    return;
++  }
++
+   /* save the SRand for comparison */
+   STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
+ }
+diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h
+index a9b4471fc..4aab2408a 100644
+--- a/stack/smp/smp_int.h
++++ b/stack/smp/smp_int.h
+@@ -248,6 +248,7 @@ enum {
+   (1 << 7) /* used to resolve race condition */
+ #define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY \
+   (1 << 8) /* used on slave to resolve race condition */
++#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9)
+ 
+ /* check if authentication requirement need MITM protection */
+ #define SMP_NO_MITM_REQUIRED(x) (((x)&SMP_AUTH_YN_BIT) == 0)