diff --git a/Patches/LineageOS-14.1/android_external_freetype/360899.patch b/Patches/LineageOS-14.1/android_external_freetype/360899.patch new file mode 100644 index 00000000..f045b275 --- /dev/null +++ b/Patches/LineageOS-14.1/android_external_freetype/360899.patch @@ -0,0 +1,51 @@ +From 82159c4fb4f274c5f0b21c987f44cb48cf3b28a3 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sat, 19 Mar 2022 06:40:17 +0100 +Subject: [PATCH] DO NOT MERGE - Cherry-pick two upstream changes + +This cherry picks following two changes: + +0c2bdb01a2e1d24a3e592377a6d0822856e10df2 +22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 + +Bug: 271680254 +Test: N/A +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ffa271ab538f57b65a65d434a2df9d3f8cd2f4a) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b0f8930701bf19229075cc930ad15813ff5fb07b) +Merged-In: I42469df8e8b07221d64e3f8574c4f30110dbda7e +Change-Id: I42469df8e8b07221d64e3f8574c4f30110dbda7e + +Change-Id: Ia584ab1f2633a84e5896c09113513c582ce95dad +--- + src/base/ftobjs.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c +index 9006b598b..4e1d32aa0 100644 +--- a/src/base/ftobjs.c ++++ b/src/base/ftobjs.c +@@ -2118,6 +2118,14 @@ + FT_Module* cur; + FT_Module* limit; + ++ /* only use lower 31 bits together with sign bit */ ++ if ( face_index > 0 ) ++ face_index &= 0x7FFFFFFFL; ++ else ++ { ++ face_index &= 0x7FFFFFFFL; ++ face_index = -face_index; ++ } + + /* test for valid `library' delayed to `FT_Stream_New' */ + +@@ -2953,6 +2961,9 @@ + if ( !face ) + return FT_THROW( Invalid_Face_Handle ); + ++ if ( !face->size ) ++ return FT_THROW( Invalid_Size_Handle ); ++ + if ( !req || req->width < 0 || req->height < 0 || + req->type >= FT_SIZE_REQUEST_TYPE_MAX ) + return FT_THROW( Invalid_Argument ); diff --git a/Patches/LineageOS-14.1/android_external_libnfc-nci/360898.patch b/Patches/LineageOS-14.1/android_external_libnfc-nci/360898.patch new file mode 100644 index 00000000..2d7b266f --- /dev/null +++ b/Patches/LineageOS-14.1/android_external_libnfc-nci/360898.patch @@ -0,0 +1,37 @@ +From f73e2d95da050a0b08e3ed5ae8c04968e8297230 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Tue, 2 May 2023 14:20:57 -0700 +Subject: [PATCH] OOBW in rw_i93_send_to_upper() + +Bug: 271849189 +Test: tag r/w +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc9d09e1698725712628d394bf9be4c9003579e8) +Merged-In: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1 +Change-Id: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1 + +Change-Id: I9cd9658bf50144092c1cf196fd9272ffbac2fc55 +--- + src/nfc/tags/rw_i93.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c +index 3773324..ecf7c37 100644 +--- a/src/nfc/tags/rw_i93.c ++++ b/src/nfc/tags/rw_i93.c +@@ -437,6 +437,16 @@ void rw_i93_send_to_upper (BT_HDR *p_resp) + case I93_CMD_READ_MULTI_BLOCK: + case I93_CMD_GET_MULTI_BLK_SEC: + ++ if (UINT16_MAX - length < BT_HDR_SIZE) ++ { ++ rw_data.i93_cmd_cmpl.status = NFC_STATUS_FAILED; ++ rw_data.i93_cmd_cmpl.command = p_i93->sent_cmd; ++ rw_cb.tcb.i93.sent_cmd = 0; ++ ++ event = RW_I93_CMD_CMPL_EVT; ++ break; ++ } ++ + /* forward tag data or security status */ + p_buff = (BT_HDR*) GKI_getbuf ((UINT16) (length + BT_HDR_SIZE)); + diff --git a/Patches/LineageOS-14.1/android_frameworks_base/360893.patch b/Patches/LineageOS-14.1/android_frameworks_base/360893.patch new file mode 100644 index 00000000..17db6379 --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_base/360893.patch @@ -0,0 +1,148 @@ +From 2f780d815579ec2500046fadd4a3c7b09aa0bf62 Mon Sep 17 00:00:00 2001 +From: Lucas Lin +Date: Fri, 3 Mar 2023 08:13:50 +0000 +Subject: [PATCH] Sanitize VPN label to prevent HTML injection + +This commit will try to sanitize the content of VpnDialog. This +commit creates a function which will try to sanitize the VPN +label, if the sanitized VPN label is different from the original +one, which means the VPN label might contain HTML tag or the VPN +label violates the words restriction(may contain some wording +which will mislead the user). For this kind of case, show the +package name instead of the VPN label to prevent misleading the +user. + +The malicious VPN app might be able to add a large number of line +breaks with HTML in order to hide the system-displayed text from +the user in the connection request dialog. Thus, sanitizing the +content of the dialog is needed. + +Bug: 204554636 +Test: N/A +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2178216b98bf9865edee198f45192f0b883624ab) +Merged-In: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d +Change-Id: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d + +Change-Id: Ieb148594d8e9a6505567f80d78810f687bb6e489 +--- + packages/VpnDialogs/res/values/strings.xml | 29 ++++++++++ + .../com/android/vpndialogs/ConfirmDialog.java | 53 +++++++++++++++++-- + 2 files changed, 77 insertions(+), 5 deletions(-) + +diff --git a/packages/VpnDialogs/res/values/strings.xml b/packages/VpnDialogs/res/values/strings.xml +index 406bcc34a1015..7389f765c717d 100644 +--- a/packages/VpnDialogs/res/values/strings.xml ++++ b/packages/VpnDialogs/res/values/strings.xml +@@ -50,4 +50,33 @@ + %1$s bytes / + %2$s packets + ++ ++ ++ ++ %1$s… ( ++ %2$s) ++ ++ ++ ++ ++ %1$s ( ++ %2$s) ++ + +diff --git a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java +index 09339743db5c5..43d18df3a10dd 100644 +--- a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java ++++ b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java +@@ -42,10 +42,52 @@ public class ConfirmDialog extends AlertActivity + implements DialogInterface.OnClickListener, ImageGetter { + private static final String TAG = "VpnConfirm"; + ++ // Usually the label represents the app name, 150 code points might be enough to display the app ++ // name, and 150 code points won't cover the warning message from VpnDialog. ++ static final int MAX_VPN_LABEL_LENGTH = 150; ++ + private String mPackage; + + private IConnectivityManager mService; + ++ private View mView; ++ ++ /** ++ * This function will use the string resource to combine the VPN label and the package name. ++ * ++ * If the VPN label violates the length restriction, the first 30 code points of VPN label and ++ * the package name will be returned. Or return the VPN label and the package name directly if ++ * the VPN label doesn't violate the length restriction. ++ * ++ * The result will be something like, ++ * - ThisIsAVeryLongVpnAppNameWhich... (com.vpn.app) ++ * if the VPN label violates the length restriction. ++ * or ++ * - VpnLabelWith<br>HtmlTag (com.vpn.app) ++ * if the VPN label doesn't violate the length restriction. ++ * ++ */ ++ private String getSimplifiedLabel(String vpnLabel, String packageName) { ++ if (vpnLabel.codePointCount(0, vpnLabel.length()) > 30) { ++ return getString(R.string.sanitized_vpn_label_with_ellipsis, ++ vpnLabel.substring(0, vpnLabel.offsetByCodePoints(0, 30)), ++ packageName); ++ } ++ ++ return getString(R.string.sanitized_vpn_label, vpnLabel, packageName); ++ } ++ ++ protected String getSanitizedVpnLabel(String vpnLabel, String packageName) { ++ final String sanitizedVpnLabel = Html.escapeHtml(vpnLabel); ++ final boolean exceedMaxVpnLabelLength = sanitizedVpnLabel.codePointCount(0, ++ sanitizedVpnLabel.length()) > MAX_VPN_LABEL_LENGTH; ++ if (exceedMaxVpnLabelLength || !vpnLabel.equals(sanitizedVpnLabel)) { ++ return getSimplifiedLabel(sanitizedVpnLabel, packageName); ++ } ++ ++ return sanitizedVpnLabel; ++ } ++ + @Override + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); +@@ -68,15 +110,16 @@ protected void onCreate(Bundle savedInstanceState) { + finish(); + return; + } +- View view = View.inflate(this, R.layout.confirm, null); +- ((TextView) view.findViewById(R.id.warning)).setText( +- Html.fromHtml(getString(R.string.warning, getVpnLabel()), +- this, null /* tagHandler */)); ++ mView = View.inflate(this, R.layout.confirm, null); ++ ((TextView) mView.findViewById(R.id.warning)).setText( ++ Html.fromHtml(getString(R.string.warning, getSanitizedVpnLabel( ++ getVpnLabel().toString(), mPackage)), ++ this /* imageGetter */, null /* tagHandler */)); + mAlertParams.mTitle = getText(R.string.prompt); + mAlertParams.mPositiveButtonText = getText(android.R.string.ok); + mAlertParams.mPositiveButtonListener = this; + mAlertParams.mNegativeButtonText = getText(android.R.string.cancel); +- mAlertParams.mView = view; ++ mAlertParams.mView = mView; + setupAlert(); + + getWindow().setCloseOnTouchOutside(false); diff --git a/Patches/LineageOS-14.1/android_frameworks_base/360894.patch b/Patches/LineageOS-14.1/android_frameworks_base/360894.patch new file mode 100644 index 00000000..c243c211 --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_base/360894.patch @@ -0,0 +1,84 @@ +From 0459c2c0db0c0187a8d9a3074534a34c1cbf2ccc Mon Sep 17 00:00:00 2001 +From: Michael Groover +Date: Fri, 31 Mar 2023 21:31:22 +0000 +Subject: [PATCH] Limit the number of supported v1 and v2 signers + +The v1 and v2 APK Signature Schemes support multiple signers; this +was intended to allow multiple entities to sign an APK. Previously, +the platform had no limits placed on the number of signers supported +in an APK, but this commit sets a hard limit of 10 supported signers +for these signature schemes to ensure a large number of signers +does not place undue burden on the platform. + +Bug: 266580022 +Test: Manually verified the platform only allowed an APK with the + maximum number of supported signers. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6f6ee8a55f37c2b8c0df041b2bd53ec928764597) +Merged-In: I6aa86b615b203cdc69d58a593ccf8f18474ca091 +Change-Id: I6aa86b615b203cdc69d58a593ccf8f18474ca091 +--- + .../util/apk/ApkSignatureSchemeV2Verifier.java | 10 ++++++++++ + core/java/android/util/jar/StrictJarVerifier.java | 11 +++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java +index 78d3b7bf81d28..f4631c68832b2 100644 +--- a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java ++++ b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java +@@ -79,6 +79,11 @@ public class ApkSignatureSchemeV2Verifier { + public static final String SF_ATTRIBUTE_ANDROID_APK_SIGNED_NAME = "X-Android-APK-Signed"; + public static final int SF_ATTRIBUTE_ANDROID_APK_SIGNED_ID = 2; + ++ /** ++ * The maximum number of signers supported by the v2 APK signature scheme. ++ */ ++ private static final int MAX_V2_SIGNERS = 10; ++ + /** + * Returns {@code true} if the provided APK contains an APK Signature Scheme V2 signature. + * +@@ -219,6 +224,11 @@ private static X509Certificate[][] verify( + } + while (signers.hasRemaining()) { + signerCount++; ++ if (signerCount > MAX_V2_SIGNERS) { ++ throw new SecurityException( ++ "APK Signature Scheme v2 only supports a maximum of " + MAX_V2_SIGNERS ++ + " signers"); ++ } + try { + ByteBuffer signer = getLengthPrefixedSlice(signers); + X509Certificate[] certs = verifySigner(signer, contentDigests, certFactory); +diff --git a/core/java/android/util/jar/StrictJarVerifier.java b/core/java/android/util/jar/StrictJarVerifier.java +index cb71ecc1da8b3..1ce078704be32 100644 +--- a/core/java/android/util/jar/StrictJarVerifier.java ++++ b/core/java/android/util/jar/StrictJarVerifier.java +@@ -70,6 +70,11 @@ class StrictJarVerifier { + "SHA1", + }; + ++ /** ++ * The maximum number of signers supported by the JAR signature scheme. ++ */ ++ private static final int MAX_JAR_SIGNERS = 10; ++ + private final String jarName; + private final StrictJarManifest manifest; + private final HashMap metaEntries; +@@ -285,10 +290,16 @@ synchronized boolean readCertificates() { + return false; + } + ++ int signerCount = 0; + Iterator it = metaEntries.keySet().iterator(); + while (it.hasNext()) { + String key = it.next(); + if (key.endsWith(".DSA") || key.endsWith(".RSA") || key.endsWith(".EC")) { ++ if (++signerCount > MAX_JAR_SIGNERS) { ++ throw new SecurityException( ++ "APK Signature Scheme v1 only supports a maximum of " + MAX_JAR_SIGNERS ++ + " signers"); ++ } + verifyCertificate(key); + it.remove(); + } diff --git a/Patches/LineageOS-14.1/android_frameworks_base/360895.patch b/Patches/LineageOS-14.1/android_frameworks_base/360895.patch new file mode 100644 index 00000000..6d791ee8 --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_base/360895.patch @@ -0,0 +1,99 @@ +From 303a97a99b75bae716c109b810e6bccb732483df Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Andr=C3=A1s=20Kurucz?= +Date: Fri, 21 Apr 2023 09:45:07 +0000 +Subject: [PATCH] Truncate ShortcutInfo Id + +Creating Conversation with a ShortcutId longer than 65_535 (max unsigned short), we did not save the conversation settings into the notification_policy.xml due to a restriction in FastDataOutput. +This put us to a state where the user changing the importance or turning off the notifications for the given conversation had no effect on notification behavior. + +Fixes: 273729476 +Test: atest ShortcutManagerTest2 +Test: Create a test app which creates a Conversation with a long shortcutId. Go to the Conversation Settings and turn off Notifications. Post a new Notification to this Conversation and see if it is displayed. +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f31df6234091b5b1de258a01dd4b2d8e5415ee2e) +Merged-In: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5 +Change-Id: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5 +--- + .../java/android/content/pm/ShortcutInfo.java | 20 ++++++++++++++++--- + .../server/pm/ShortcutManagerTest2.java | 10 ++++++++++ + 2 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/core/java/android/content/pm/ShortcutInfo.java b/core/java/android/content/pm/ShortcutInfo.java +index a854b899a82af..3ac20ff39327b 100644 +--- a/core/java/android/content/pm/ShortcutInfo.java ++++ b/core/java/android/content/pm/ShortcutInfo.java +@@ -128,6 +128,12 @@ public final class ShortcutInfo implements Parcelable { + public static final int CLONE_REMOVE_FOR_LAUNCHER = CLONE_REMOVE_ICON | CLONE_REMOVE_INTENT + | CLONE_REMOVE_RES_NAMES; + ++ /** ++ * The maximum length of Shortcut ID. IDs will be truncated at this limit. ++ * @hide ++ */ ++ public static final int MAX_ID_LENGTH = 1000; ++ + /** @hide */ + @IntDef(flag = true, + value = { +@@ -226,8 +232,7 @@ public final class ShortcutInfo implements Parcelable { + + private ShortcutInfo(Builder b) { + mUserId = b.mContext.getUserId(); +- +- mId = Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided"); ++ mId = getSafeId(Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided")); + + // Note we can't do other null checks here because SM.updateShortcuts() takes partial + // information. +@@ -309,6 +314,14 @@ private static PersistableBundle[] clonePersistableBundle(PersistableBundle[] bu + return ret; + } + ++ @NonNull ++ private static String getSafeId(@NonNull String id) { ++ if (id.length() > MAX_ID_LENGTH) { ++ return id.substring(0, MAX_ID_LENGTH); ++ } ++ return id; ++ } ++ + /** + * Throws if any of the mandatory fields is not set. + * +@@ -1602,7 +1615,8 @@ private ShortcutInfo(Parcel source) { + final ClassLoader cl = getClass().getClassLoader(); + + mUserId = source.readInt(); +- mId = source.readString(); ++ mId = getSafeId(Preconditions.checkStringNotEmpty(source.readString(), ++ "Shortcut ID must be provided")); + mPackageName = source.readString(); + mActivity = source.readParcelable(cl); + mFlags = source.readInt(); +diff --git a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java +index d25923c019cac..6b86ef0e0704c 100644 +--- a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java ++++ b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java +@@ -53,6 +53,7 @@ + import java.io.PrintWriter; + import java.io.StringWriter; + import java.io.Writer; ++import java.util.Collections; + import java.util.Locale; + + /** +@@ -223,6 +224,15 @@ public void testShortcutInfoMissingMandatoryFields() { + }); + } + ++ public void testShortcutIdTruncated() { ++ ShortcutInfo si = new ShortcutInfo.Builder(getTestContext(), ++ String.join("", Collections.nCopies(Short.MAX_VALUE, "s"))).build(); ++ ++ assertTrue( ++ "id must be truncated to MAX_ID_LENGTH", ++ si.getId().length() <= ShortcutInfo.MAX_ID_LENGTH); ++ } ++ + public void testShortcutInfoParcel() { + setCaller(CALLING_PACKAGE_1, USER_10); + ShortcutInfo si = parceled(new ShortcutInfo.Builder(mClientContext) diff --git a/Patches/LineageOS-14.1/android_system_bt/360892.patch b/Patches/LineageOS-14.1/android_system_bt/360892.patch new file mode 100644 index 00000000..fc6a16f0 --- /dev/null +++ b/Patches/LineageOS-14.1/android_system_bt/360892.patch @@ -0,0 +1,46 @@ +From fa5c4429ae75e687b87313b79512c4a90f90ee3b Mon Sep 17 00:00:00 2001 +From: tyiu +Date: Tue, 28 Mar 2023 18:40:51 +0000 +Subject: [PATCH] Fix gatt_end_operation buffer overflow + +Added boundary check for gatt_end_operation to prevent writing out of +boundary. + +Since response of the GATT server is handled in +gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum +lenth that can be passed into the handlers is bounded by +GATT_MAX_MTU_SIZE, which is set to 517, which is greater than +GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec +that gaurentees MTU response to be less than or equal to 512 bytes can +cause a buffer overflow when performing memcpy without length check. + +Bug: 261068592 +Test: No test since not affecting behavior +Tag: #security +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dd7298e982e4bbf0138a490562679c9a4a755200) +Merged-In: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873 +Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873 +--- + stack/gatt/gatt_utils.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/stack/gatt/gatt_utils.c b/stack/gatt/gatt_utils.c +index 4582b5ae477..e56c1a4e793 100644 +--- a/stack/gatt/gatt_utils.c ++++ b/stack/gatt/gatt_utils.c +@@ -2190,6 +2190,14 @@ void gatt_end_operation(tGATT_CLCB *p_clcb, tGATT_STATUS status, void *p_data) + cb_data.att_value.handle = p_clcb->s_handle; + cb_data.att_value.len = p_clcb->counter; + ++ if (cb_data.att_value.len > GATT_MAX_ATTR_LEN) ++ { ++ GATT_TRACE_DEBUG ("%s", __func__); ++ GATT_TRACE_DEBUG ("Large cb_data.att_value, size=%d", ++ cb_data.att_value.len); ++ cb_data.att_value.len = GATT_MAX_ATTR_LEN; ++ } ++ + if (p_data && p_clcb->counter) + memcpy (cb_data.att_value.value, p_data, cb_data.att_value.len); + } diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index b65f3f7b..e270164c 100644 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh @@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk; awk -i inplace '!/Email/' target/product/core.mk; #Remove Email awk -i inplace '!/Exchange2/' target/product/core.mk; -sed -i 's/2021-06-05/2023-06-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-06 #XXX +sed -i 's/2021-06-05/2023-07-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-07 #XXX fi; if enterAndClear "device/qcom/sepolicy"; then @@ -100,6 +100,10 @@ applyPatch "$DOS_PATCHES/android_external_expat/337989-backport.patch"; #n-asb-2 applyPatch "$DOS_PATCHES/android_external_expat/348649.patch"; #n-asb-2023-02 Fix overeager DTD destruction (fixes #649) fi; +if enterAndClear "external/freetype"; then +applyPatch "$DOS_PATCHES/android_external_freetype/360899.patch"; #n-asb-2023-07 Cherry-pick two upstream changes +fi; + if enterAndClear "external/libavc"; then applyPatch "$DOS_PATCHES/android_external_libavc/315711.patch"; #n-asb-2021-09 Decoder: Update check for increment u2_cur_slice_num applyPatch "$DOS_PATCHES/android_external_libavc/323462.patch"; #n-asb-2022-02 Move slice increments after completing header parsing @@ -120,6 +124,7 @@ applyPatch "$DOS_PATCHES/android_external_libnfc-nci/332460.patch"; #n-asb-2022- applyPatch "$DOS_PATCHES/android_external_libnfc-nci/341071.patch"; #n-asb-2022-10 The length of a packet should be non-zero applyPatch "$DOS_PATCHES/android_external_libnfc-nci/343955.patch"; #n-asb-2022-11 OOBW in phNxpNciHal_write_unlocked() applyPatch "$DOS_PATCHES/android_external_libnfc-nci/353760.patch"; #n-asb-2023-04 OOBW in nci_snd_set_routing_cmd() +applyPatch "$DOS_PATCHES/android_external_libnfc-nci/360898.patch"; #n-asb-2023-07 OOBW in rw_i93_send_to_upper() fi; if enterAndClear "external/sonivox"; then @@ -199,6 +204,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/355866.patch"; #n-asb-2023-05 C applyPatch "$DOS_PATCHES/android_frameworks_base/358732.patch"; #n-asb-2023-06 Prevent RemoteViews crashing SystemUi applyPatch "$DOS_PATCHES/android_frameworks_base/358733.patch"; #n-asb-2023-06 Check key intent for selectors and prohibited flags applyPatch "$DOS_PATCHES/android_frameworks_base/358734.patch"; #n-asb-2023-06 Handle invalid data during job loading. +applyPatch "$DOS_PATCHES/android_frameworks_base/360893.patch"; #n-asb-2023-07 Sanitize VPN label to prevent HTML injection +applyPatch "$DOS_PATCHES/android_frameworks_base/360894.patch"; #n-asb-2023-07 Limit the number of supported v1 and v2 signers +applyPatch "$DOS_PATCHES/android_frameworks_base/360895.patch"; #n-asb-2023-07 Truncate ShortcutInfo Id git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP) applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS) @@ -464,6 +472,7 @@ applyPatch "$DOS_PATCHES/android_system_bt/353755.patch"; #n-asb-2023-04 Fix an applyPatch "$DOS_PATCHES/android_system_bt/358735.patch"; #n-asb-2023-06 Prevent use-after-free of HID reports applyPatch "$DOS_PATCHES/android_system_bt/358736.patch"; #n-asb-2023-06 Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq"" applyPatch "$DOS_PATCHES/android_system_bt/358737.patch"; #n-asb-2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)"" +applyPatch "$DOS_PATCHES/android_system_bt/360892.patch"; #n-asb-2023-07 Fix gatt_end_operation buffer overflow applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS) applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS) applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie) diff --git a/Scripts/LineageOS-18.1/Functions.sh b/Scripts/LineageOS-18.1/Functions.sh index a8294472..af8660a7 100644 --- a/Scripts/LineageOS-18.1/Functions.sh +++ b/Scripts/LineageOS-18.1/Functions.sh @@ -114,10 +114,11 @@ patchWorkspaceReal() { verifyAllPlatformTags; gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview"; - #source build/envsetup.sh; + source build/envsetup.sh; #repopick -it eleven-firewall; #repopick -i 314453; #TaskViewTouchController: Null check current animation on drag #repopick -i 325011; #lineage: Opt-in to shipping full recovery image by default + repopick -it R_asb_2023-07; sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh"; diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh index b6ec7175..1cc12fe6 100644 --- a/Scripts/LineageOS-18.1/Patch.sh +++ b/Scripts/LineageOS-18.1/Patch.sh @@ -95,6 +95,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig +sed -i 's/2023-06-05/2023-07-05/' core/version_defaults.mk; #Bump Security String #R_asb_2023-07 #XXX fi; if enterAndClear "build/soong"; then diff --git a/Scripts/LineageOS-19.1/Functions.sh b/Scripts/LineageOS-19.1/Functions.sh index ddbf9747..8c3e2dcb 100644 --- a/Scripts/LineageOS-19.1/Functions.sh +++ b/Scripts/LineageOS-19.1/Functions.sh @@ -88,9 +88,10 @@ patchWorkspaceReal() { verifyAllPlatformTags; gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview"; - #source build/envsetup.sh; + source build/envsetup.sh; #repopick -ift twelve-bt-sbc-hd-dualchannel; #repopick -it twelve-colors; + repopick -it S_asb_2023-07; sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh"; diff --git a/Scripts/LineageOS-19.1/Patch.sh b/Scripts/LineageOS-19.1/Patch.sh index 224ea96f..3d03f95e 100644 --- a/Scripts/LineageOS-19.1/Patch.sh +++ b/Scripts/LineageOS-19.1/Patch.sh @@ -97,6 +97,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap awk -i inplace '!/updatable_apex.mk/' target/product/generic_system.mk; #Disable APEX sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig +sed -i 's/2023-06-05/2023-07-05/' core/version_defaults.mk; #Bump Security String #S_asb_2023-07 #XXX fi; if enterAndClear "build/soong"; then @@ -113,6 +114,10 @@ if enterAndClear "external/conscrypt"; then if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_external_conscrypt/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) fi; +if enterAndClear "external/freetype"; then +git fetch https://github.com/LineageOS/android_external_freetype refs/changes/29/360929/1 && git cherry-pick FETCH_HEAD; #S_asb_2023-07 +fi; + if [ "$DOS_GRAPHENE_MALLOC" = true ]; then if enterAndClear "external/hardened_malloc"; then applyPatch "$DOS_PATCHES/android_external_hardened_malloc/0001-Broken_Cameras-1.patch"; #Workarounds for Pixel 3 SoC era camera driver bugs (GrapheneOS) @@ -421,6 +426,10 @@ if enterAndClear "system/update_engine"; then git revert --no-edit a5a18ac5e2a2377fe036fcae93548967a7b40470; #Do not skip payload signature verification fi; +if enterAndClear "tools/apksig"; then +git fetch https://github.com/LineageOS/android_tools_apksig refs/changes/46/360946/1 && git cherry-pick FETCH_HEAD; #S_asb_2023-07 +fi; + if enterAndClear "vendor/lineage"; then rm build/target/product/security/lineage.x509.pem; #Remove Lineage keys rm -rf overlay/common/lineage-sdk/packages/LineageSettingsProvider/res/values/defaults.xml; #Remove analytics