From 26cf500dad94c862a8c6496146ae57d49cc79953 Mon Sep 17 00:00:00 2001 From: Tad Date: Tue, 18 Apr 2023 20:46:36 -0400 Subject: [PATCH] 15.1 April ASB work + picks Signed-off-by: Tad --- .../354242-backport.patch | 97 +++++++++++++++++++ .../android_frameworks_base/354243.patch | 33 +++++++ .../354244-backport.patch | 71 ++++++++++++++ .../android_frameworks_base/354245.patch | 34 +++++++ .../android_system_bt/354246.patch | 54 +++++++++++ .../android_system_bt/354247.patch | 34 +++++++ .../android_system_nfc/353760-backport.patch | 30 ++++++ .../353760-backport.patch | 30 ++++++ .../0007-Always_Restict_Serial.patch | 4 +- Scripts/LineageOS-15.1/Patch.sh | 10 +- Scripts/LineageOS-16.0/Functions.sh | 1 + Scripts/LineageOS-16.0/Patch.sh | 2 +- 12 files changed, 396 insertions(+), 4 deletions(-) create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/354242-backport.patch create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/354243.patch create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/354244-backport.patch create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/354245.patch create mode 100644 Patches/LineageOS-15.1/android_system_bt/354246.patch create mode 100644 Patches/LineageOS-15.1/android_system_bt/354247.patch create mode 100644 Patches/LineageOS-15.1/android_system_nfc/353760-backport.patch create mode 100644 Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/353760-backport.patch diff --git a/Patches/LineageOS-15.1/android_frameworks_base/354242-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/354242-backport.patch new file mode 100644 index 00000000..0dc3fde4 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/354242-backport.patch @@ -0,0 +1,97 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jing Ji +Date: Thu, 4 Aug 2022 11:36:26 -0700 +Subject: [PATCH] DO NOT MERGE: Context#startInstrumentation could be started + from SHELL only now. + +Or, if an instrumentation starts another instrumentation and so on, +and the original instrumentation is started from SHELL, allow all +Context#startInstrumentation calls in this chain. + +Otherwise, it'll throw a SecurityException. + +Bug: 237766679 +Test: atest CtsAppTestCases:InstrumentationTest +Merged-In: Ia08f225c21a3933067d066a578ea4af9c23e7d4c +Merged-In: I1b76f61c5fd6c9f7e738978592260945a606f40c +Merged-In: I3ea7aa27bd776fec546908a37f667f680da9c892 +Change-Id: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406 +(cherry picked from commit 8c90891a38ecb5047e115e13baf700a8b486a5d1) +Merged-In: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406 +--- + .../server/am/ActivityManagerService.java | 34 +++++++++++++++++++ + .../com/android/server/am/ProcessRecord.java | 4 +++ + 2 files changed, 38 insertions(+) + +diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java +index e6f400c31bde..3feb040b9f47 100644 +--- a/services/core/java/com/android/server/am/ActivityManagerService.java ++++ b/services/core/java/com/android/server/am/ActivityManagerService.java +@@ -4331,6 +4331,26 @@ public class ActivityManagerService extends IActivityManager.Stub + return procState; + } + ++ @GuardedBy("this") ++ private boolean hasActiveInstrumentationLocked(int pid) { ++ if (pid == 0) { ++ return false; ++ } ++ synchronized (mPidsSelfLocked) { ++ ProcessRecord process = mPidsSelfLocked.get(pid); ++ return process != null && process.getActiveInstrumentation() != null; ++ } ++ } ++ private String getPackageNameByPid(int pid) { ++ synchronized (mPidsSelfLocked) { ++ final ProcessRecord app = mPidsSelfLocked.get(pid); ++ if (app != null && app.info != null) { ++ return app.info.packageName; ++ } ++ return null; ++ } ++ } ++ + private boolean isCallerShell() { + final int callingUid = Binder.getCallingUid(); + return callingUid == SHELL_UID || callingUid == ROOT_UID; +@@ -20059,6 +20079,8 @@ public class ActivityManagerService extends IActivityManager.Stub + IInstrumentationWatcher watcher, IUiAutomationConnection uiAutomationConnection, + int userId, String abiOverride) { + enforceNotIsolatedCaller("startInstrumentation"); ++ final int callingUid = Binder.getCallingUid(); ++ final int callingPid = Binder.getCallingPid(); + userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(), + userId, false, ALLOW_FULL_ONLY, "startInstrumentation", null); + // Refuse possible leaked file descriptors +@@ -20107,6 +20129,18 @@ public class ActivityManagerService extends IActivityManager.Stub + throw new SecurityException(msg); + } + ++ if (!Build.IS_DEBUGGABLE && callingUid != ROOT_UID && callingUid != SHELL_UID ++ && callingUid != SYSTEM_UID && !hasActiveInstrumentationLocked(callingPid)) { ++ // If it's not debug build and not called from root/shell/system uid, reject it. ++ final String msg = "Permission Denial: instrumentation test " ++ + className + " from pid=" + callingPid + ", uid=" + callingUid ++ + ", pkgName=" + getPackageNameByPid(callingPid) ++ + " not allowed because it's not started from SHELL"; ++ Slog.wtfQuiet(TAG, msg); ++ reportStartInstrumentationFailureLocked(watcher, className, msg); ++ throw new SecurityException(msg); ++ } ++ + ActiveInstrumentation activeInstr = new ActiveInstrumentation(this); + activeInstr.mClass = className; + String defProcess = ai.processName;; +diff --git a/services/core/java/com/android/server/am/ProcessRecord.java b/services/core/java/com/android/server/am/ProcessRecord.java +index 7e037eea285c..14edfe89ad0f 100644 +--- a/services/core/java/com/android/server/am/ProcessRecord.java ++++ b/services/core/java/com/android/server/am/ProcessRecord.java +@@ -771,4 +771,8 @@ final class ProcessRecord { + } + return list; + } ++ ++ ActiveInstrumentation getActiveInstrumentation() { ++ return instr; ++ } + } diff --git a/Patches/LineageOS-15.1/android_frameworks_base/354243.patch b/Patches/LineageOS-15.1/android_frameworks_base/354243.patch new file mode 100644 index 00000000..f14eb808 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/354243.patch @@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kunal Malhotra +Date: Mon, 7 Nov 2022 23:33:55 +0000 +Subject: [PATCH] Checking if package belongs to UID before registering + broadcast receiver + +Test: manual testing done on device by installing test APK and checking if receiver can register +Bug: 242040055 +Change-Id: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d +Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d +(cherry picked from commit 790a8d0dd329460bc60456681cb446accf2a27e0) +(cherry picked from commit 4f0dc37b896e06086391e71ce471e413215e1130) +Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d +--- + services/core/java/com/android/server/am/ActiveServices.java | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/services/core/java/com/android/server/am/ActiveServices.java b/services/core/java/com/android/server/am/ActiveServices.java +index 67443611cf78..d3f04fe6285d 100644 +--- a/services/core/java/com/android/server/am/ActiveServices.java ++++ b/services/core/java/com/android/server/am/ActiveServices.java +@@ -1756,6 +1756,11 @@ public final class ActiveServices { + throw new SecurityException("BIND_EXTERNAL_SERVICE failed, " + name + + " is not an isolatedProcess"); + } ++ if (AppGlobals.getPackageManager().getPackageUid(callingPackage, ++ 0, userId) != callingUid) { ++ throw new SecurityException("BIND_EXTERNAL_SERVICE failed, " ++ + "calling package not owned by calling UID "); ++ } + // Run the service under the calling package's application. + ApplicationInfo aInfo = AppGlobals.getPackageManager().getApplicationInfo( + callingPackage, ActivityManagerService.STOCK_PM_FLAGS, userId); diff --git a/Patches/LineageOS-15.1/android_frameworks_base/354244-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/354244-backport.patch new file mode 100644 index 00000000..4c118f68 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/354244-backport.patch @@ -0,0 +1,71 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hao Ke +Date: Mon, 12 Dec 2022 15:49:16 +0000 +Subject: [PATCH] Fix checkKeyIntentParceledCorrectly's bypass + +The checkKeyIntentParceledCorrectly method was added in checkKeyIntent, which was originaly only invoked when AccountManagerService deserializes the KEY_INTENT value as not NULL. However, due to the self-changing bundle technique in Parcel mismatch problems, the Intent value can change after reparceling; hence would bypass the added checkKeyIntentParceledCorrectly call. + +This CL did the following: + +- Ensure the checkKeyIntent method is also called when result.getParcelable(AccountManager.KEY_INTENT) == null. + +Bug: 260567867 +Bug: 262230405 +Test: local test, see b/262230405 +Test: atest CtsAccountManagerTestCases +Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477 +Change-Id: I7b528f52c41767ae12731838fdd36aa26a8f3477 +(cherry picked from commit 9f623983a8d4ec48d58b0eda56fa461fc6748981) +Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477 +--- + .../server/accounts/AccountManagerService.java | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index 7b7ef41d5b41..ee56b9e3ad9b 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -3396,8 +3396,7 @@ public class AccountManagerService + Bundle.setDefusable(result, true); + mNumResults++; + Intent intent = null; +- if (result != null +- && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { ++ if (result != null) { + if (!checkKeyIntent( + Binder.getCallingUid(), + result)) { +@@ -4757,8 +4756,10 @@ public class AccountManagerService + EventLog.writeEvent(0x534e4554, "250588548", authUid, ""); + return false; + } +- + Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); ++ if (intent == null) { ++ return true; ++ } + // Explicitly set an empty ClipData to ensure that we don't offer to + // promote any Uris contained inside for granting purposes + if (intent.getClipData() == null) { +@@ -4809,7 +4810,10 @@ public class AccountManagerService + p.recycle(); + Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); + Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT); +- return (intent.filterEquals(simulateIntent)); ++ if (intent == null) { ++ return (simulateIntent == null); ++ } ++ return intent.filterEquals(simulateIntent); + } + + private boolean isExportedSystemActivity(ActivityInfo activityInfo) { +@@ -4954,8 +4958,7 @@ public class AccountManagerService + } + } + } +- if (result != null +- && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { ++ if (result != null) { + if (!checkKeyIntent( + Binder.getCallingUid(), + result)) { diff --git a/Patches/LineageOS-15.1/android_frameworks_base/354245.patch b/Patches/LineageOS-15.1/android_frameworks_base/354245.patch new file mode 100644 index 00000000..69972c9e --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/354245.patch @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Winson Chiu +Date: Fri, 6 Jan 2023 21:26:24 +0000 +Subject: [PATCH] Encode Intent scheme when serializing to URI string RESTRICT + AUTOMERGE + +Avoids deserialization error when the scheme contains a +reserved character. + +Bug: 261858325 + +Test: atest android.content.cts.IntentTest#testEncoding + +Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470 +Change-Id: Ic34b3f796b762763db5aa7b5d7c109ae70607470 +(cherry picked from commit 43437b4ee6424933d4e403f0375ef8c1f07986f4) +Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470 +--- + core/java/android/content/Intent.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java +index 08acfb651b18..c0ccd33273e9 100644 +--- a/core/java/android/content/Intent.java ++++ b/core/java/android/content/Intent.java +@@ -9494,7 +9494,7 @@ public class Intent implements Parcelable, Cloneable { + private void toUriInner(StringBuilder uri, String scheme, String defAction, + String defPackage, int flags) { + if (scheme != null) { +- uri.append("scheme=").append(scheme).append(';'); ++ uri.append("scheme=").append(Uri.encode(scheme)).append(';'); + } + if (mAction != null && !mAction.equals(defAction)) { + uri.append("action=").append(Uri.encode(mAction)).append(';'); diff --git a/Patches/LineageOS-15.1/android_system_bt/354246.patch b/Patches/LineageOS-15.1/android_system_bt/354246.patch new file mode 100644 index 00000000..3dd40098 --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/354246.patch @@ -0,0 +1,54 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Thu, 8 Dec 2022 01:08:11 +0000 +Subject: [PATCH] Fix OOB access in avdt_scb_hdl_pkt_no_frag + +This is a back port of the following 2 CLs: +- Id13b1ebde8f603123c8b7a49922b2f1378ab788f +- If0c7b25f2e6cb4531bbb6254e176e8ad1b5c5fb4 + +Regression test: I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54 + +Bug: 142546355 258057241 +Test: atest net_test_stack_avdtp +Ignore-AOSP-First: security +Change-Id: Ie1707385d6452ece47915c153f4faaa1c8a287c9 +(cherry picked from commit b0b968e8c6214e20a5dc3617d66567225df0884f) +Merged-In: Ie1707385d6452ece47915c153f4faaa1c8a287c9 +--- + stack/avdt/avdt_scb_act.cc | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc +index ea9c0bceb..865eb30d6 100644 +--- a/stack/avdt/avdt_scb_act.cc ++++ b/stack/avdt/avdt_scb_act.cc +@@ -256,19 +256,24 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) { + if (offset > len) goto length_error; + p += 2; + BE_STREAM_TO_UINT16(ex_len, p); +- offset += ex_len * 4; + p += ex_len * 4; + } + ++ if ((p - p_start) >= len) { ++ AVDT_TRACE_WARNING("%s: handling malformatted packet: ex_len too large", __func__); ++ osi_free_and_reset((void**)&p_data->p_pkt); ++ return; ++ } ++ offset = p - p_start; ++ + /* adjust length for any padding at end of packet */ + if (o_p) { + /* padding length in last byte of packet */ +- pad_len = *(p_start + p_data->p_pkt->len); ++ pad_len = *(p_start + len - 1); + } + + /* do sanity check */ +- if ((offset > p_data->p_pkt->len) || +- ((pad_len + offset) > p_data->p_pkt->len)) { ++ if (pad_len >= (len - offset)) { + AVDT_TRACE_WARNING("Got bad media packet"); + osi_free_and_reset((void**)&p_data->p_pkt); + } diff --git a/Patches/LineageOS-15.1/android_system_bt/354247.patch b/Patches/LineageOS-15.1/android_system_bt/354247.patch new file mode 100644 index 00000000..a040fa15 --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/354247.patch @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Fri, 20 Jan 2023 19:39:30 +0000 +Subject: [PATCH] Fix an OOB bug in register_notification_rsp + +This is a backport of I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f +to rvc-dev. + +Bug: 245916076 +Test: manual +Ignore-AOSP-First: security +Change-Id: I37a9f45e707702b2ec52b5a2d572f177f2911765 +(cherry picked from commit 901e34203c6280d414cbfa3978de04fd6515ffdf) +Merged-In: I37a9f45e707702b2ec52b5a2d572f177f2911765 +--- + btif/src/btif_rc.cc | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/btif/src/btif_rc.cc b/btif/src/btif_rc.cc +index edd073062..1fd1c3c79 100644 +--- a/btif/src/btif_rc.cc ++++ b/btif/src/btif_rc.cc +@@ -1877,6 +1877,11 @@ static bt_status_t register_notification_rsp( + dump_rc_notification_event_id(event_id)); + std::unique_lock lock(btif_rc_cb.lock); + ++ if (event_id > MAX_RC_NOTIFICATIONS) { ++ BTIF_TRACE_ERROR("Invalid event id"); ++ return BT_STATUS_PARM_INVALID; ++ } ++ + memset(&(avrc_rsp.reg_notif), 0, sizeof(tAVRC_REG_NOTIF_RSP)); + + avrc_rsp.reg_notif.event_id = event_id; diff --git a/Patches/LineageOS-15.1/android_system_nfc/353760-backport.patch b/Patches/LineageOS-15.1/android_system_nfc/353760-backport.patch new file mode 100644 index 00000000..fde996cd --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_nfc/353760-backport.patch @@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Tue, 31 Jan 2023 19:04:09 -0800 +Subject: [PATCH] OOBW in nci_snd_set_routing_cmd() + +Bug: 264879662 +Test: read a tag, nfc on/off +Change-Id: I408cf611fb35e9467d7484165ce48759970b158a +(cherry picked from commit 1dd4d2e1b481dd83ca2b222993fdb74ae5306c78) +Merged-In: I408cf611fb35e9467d7484165ce48759970b158a +--- + src/nfc/nci/nci_hmsgs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/nfc/nci/nci_hmsgs.c b/src/nfc/nci/nci_hmsgs.c +index aa4aa94..a840d60 100644 +--- a/src/nfc/nci/nci_hmsgs.c ++++ b/src/nfc/nci/nci_hmsgs.c +@@ -597,6 +597,11 @@ uint8_t nci_snd_set_routing_cmd(bool more, uint8_t num_tlv, uint8_t tlv_size, + uint8_t* pp; + uint8_t size = tlv_size + 2; + ++ if (size < tlv_size) ++ { ++ return (NCI_STATUS_FAILED); ++ } ++ + if (tlv_size == 0) { + /* just to terminate routing table + * 2 bytes (more=FALSE and num routing entries=0) */ diff --git a/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/353760-backport.patch b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/353760-backport.patch new file mode 100644 index 00000000..b7a25f74 --- /dev/null +++ b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/353760-backport.patch @@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Tue, 31 Jan 2023 19:04:09 -0800 +Subject: [PATCH] OOBW in nci_snd_set_routing_cmd() + +Bug: 264879662 +Test: read a tag, nfc on/off +Change-Id: I408cf611fb35e9467d7484165ce48759970b158a +(cherry picked from commit 1dd4d2e1b481dd83ca2b222993fdb74ae5306c78) +Merged-In: I408cf611fb35e9467d7484165ce48759970b158a +--- + src/nfc/nci/nci_hmsgs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/nfc/nci/nci_hmsgs.c b/src/nfc/nci/nci_hmsgs.c +index 913fe15c..0701c345 100644 +--- a/src/nfc/nci/nci_hmsgs.c ++++ b/src/nfc/nci/nci_hmsgs.c +@@ -718,6 +718,11 @@ uint8_t nci_snd_set_routing_cmd(bool more, uint8_t num_tlv, uint8_t tlv_size, + uint8_t* pp; + uint8_t size = tlv_size + 2; + ++ if (size < tlv_size) ++ { ++ return (NCI_STATUS_FAILED); ++ } ++ + if (tlv_size == 0) { + /* just to terminate routing table + * 2 bytes (more=false and num routing entries=0) */ diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0007-Always_Restict_Serial.patch b/Patches/LineageOS-16.0/android_frameworks_base/0007-Always_Restict_Serial.patch index 01a6ec63..154766e3 100644 --- a/Patches/LineageOS-16.0/android_frameworks_base/0007-Always_Restict_Serial.patch +++ b/Patches/LineageOS-16.0/android_frameworks_base/0007-Always_Restict_Serial.patch @@ -10,10 +10,10 @@ requiring the READ_PHONE_STATE permission. 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java -index dd41196e62a4..5821599753bd 100644 +index f522b20f7ccd..8380e5059b5f 100644 --- a/services/core/java/com/android/server/am/ActivityManagerService.java +++ b/services/core/java/com/android/server/am/ActivityManagerService.java -@@ -7888,13 +7888,7 @@ public class ActivityManagerService extends IActivityManager.Stub +@@ -7908,13 +7908,7 @@ public class ActivityManagerService extends IActivityManager.Stub } } diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index cc618462..cec5ed5e 100644 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -73,7 +73,7 @@ applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys t applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS) sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. awk -i inplace '!/Email/' target/product/core.mk; #Remove Email -sed -i 's/2021-10-05/2023-03-05/' core/version_defaults.mk; #Bump Security String #XXX +sed -i 's/2021-10-05/2023-04-05/' core/version_defaults.mk; #Bump Security String #XXX fi; if enterAndClear "build/soong"; then @@ -174,6 +174,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/347051-backport.patch"; #P_asb_ applyPatch "$DOS_PATCHES/android_frameworks_base/349330.patch"; #P_asb_2023-02 Correct the behavior of ACTION_PACKAGE_DATA_CLEARED applyPatch "$DOS_PATCHES/android_frameworks_base/349331.patch"; #P_asb_2023-02 Convert argument to intent in ChooseTypeAndAccountActivity applyPatch "$DOS_PATCHES/android_frameworks_base/352086.patch"; #n-asb-2023-03 Revoke dev perm if app is upgrading to post 23 and perm has pre23 flag +applyPatch "$DOS_PATCHES/android_frameworks_base/354242-backport.patch"; #P_asb_2023-04 Context#startInstrumentation could be started from SHELL only now. +applyPatch "$DOS_PATCHES/android_frameworks_base/354243.patch"; #P_asb_2023-04 Checking if package belongs to UID before registering broadcast receiver +applyPatch "$DOS_PATCHES/android_frameworks_base/354244-backport.patch"; #P_asb_2023-04 Fix checkKeyIntentParceledCorrectly's bypass +applyPatch "$DOS_PATCHES/android_frameworks_base/354245.patch"; #P_asb_2023-04 Encode Intent scheme when serializing to URI string applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS) @@ -391,6 +395,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/349335.patch"; #P_asb_2023-02 Add bou applyPatch "$DOS_PATCHES/android_system_bt/351916.patch"; #P_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate applyPatch "$DOS_PATCHES/android_system_bt/351917.patch"; #P_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc applyPatch "$DOS_PATCHES/android_system_bt/351918.patch"; #P_asb_2023-03 Fix an OOB write in SDP_AddAttribute +applyPatch "$DOS_PATCHES/android_system_bt/354246.patch"; #P_asb_2023-04 Fix OOB access in avdt_scb_hdl_pkt_no_frag +applyPatch "$DOS_PATCHES/android_system_bt/354247.patch"; #P_asb_2023-04 Fix an OOB bug in register_notification_rsp fi; if enterAndClear "system/core"; then @@ -405,6 +411,7 @@ if enterAndClear "system/nfc"; then applyPatch "$DOS_PATCHES/android_system_nfc/332767.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback applyPatch "$DOS_PATCHES/android_system_nfc/332458-backport.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config applyPatch "$DOS_PATCHES/android_system_nfc/344180-backport.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked() +applyPatch "$DOS_PATCHES/android_system_nfc/353760-backport.patch"; #n-asb-2023-04 OOBW in nci_snd_set_routing_cmd() fi; if enterAndClear "system/sepolicy"; then @@ -422,6 +429,7 @@ applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/33277 applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332458-backport.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch"; #n-asb-2022-06 OOBR in nfc_ncif_proc_ee_discover_req() applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/344190-backport.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked() +applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/353760-backport.patch"; #n-asb-2023-04 OOBW in nci_snd_set_routing_cmd() fi; if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then #keep in sync with packages/apps/Nfc diff --git a/Scripts/LineageOS-16.0/Functions.sh b/Scripts/LineageOS-16.0/Functions.sh index dcc6771c..9c0cd971 100644 --- a/Scripts/LineageOS-16.0/Functions.sh +++ b/Scripts/LineageOS-16.0/Functions.sh @@ -89,6 +89,7 @@ patchWorkspaceReal() { repopick -it P_asb_2023-01 -e 347129; repopick -it P_asb_2023-02 -e 349337; repopick -it P_asb_2023-03; + repopick -it P_asb_2023-04; sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh"; diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh index 64cc2b63..a7f37073 100644 --- a/Scripts/LineageOS-16.0/Patch.sh +++ b/Scripts/LineageOS-16.0/Patch.sh @@ -97,7 +97,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) awk -i inplace '!/Email/' target/product/core.mk; #Remove Email -sed -i 's/2022-01-05/2023-03-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-03 #XXX +sed -i 's/2022-01-05/2023-04-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-04 #XXX fi; if enterAndClear "build/soong"; then