diff --git a/Patches/LineageOS-15.1/android_frameworks_av/385670.patch b/Patches/LineageOS-15.1/android_frameworks_av/385670.patch new file mode 100644 index 00000000..7000027f --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_av/385670.patch @@ -0,0 +1,105 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Haripriya Deshmukh +Date: Tue, 19 Sep 2023 20:42:45 +0000 +Subject: [PATCH] Validate OMX Params for VPx encoders + +Bug: 273936274 +Bug: 273937171 +Bug: 273937136 +Bug: 273936553 +Bug: 273936601 +Test: POC in bug descriptions +(cherry picked from https://partner-android-review.googlesource.com/q/commit:022086b76536cd2e19a44053271190bdf6e181f7) +(cherry picked from commit 0e4ca1cb5c16af8f1dfb0ae41941c16c104d38e8) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90641b2799fd3940cdf0bf8a73b2f76839e651a6) +Merged-In: I9bb17112d9f0217b6af0343afecc9c943453b757 +Change-Id: I9bb17112d9f0217b6af0343afecc9c943453b757 +--- + media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp | 10 ++++++++++ + media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp | 10 ++++++++++ + media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp | 9 +++++++++ + 3 files changed, 29 insertions(+) + +diff --git a/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp +index 04737a9ccf..9198b7c327 100644 +--- a/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp ++++ b/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp +@@ -120,6 +120,11 @@ OMX_ERRORTYPE SoftVP8Encoder::internalSetParameter(OMX_INDEXTYPE index, + + OMX_ERRORTYPE SoftVP8Encoder::internalGetVp8Params( + OMX_VIDEO_PARAM_VP8TYPE* vp8Params) { ++ if (!isValidOMXParam(vp8Params)) { ++ android_errorWriteLog(0x534e4554, "273936274"); ++ return OMX_ErrorBadParameter; ++ } ++ + if (vp8Params->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } +@@ -133,6 +138,11 @@ OMX_ERRORTYPE SoftVP8Encoder::internalGetVp8Params( + + OMX_ERRORTYPE SoftVP8Encoder::internalSetVp8Params( + const OMX_VIDEO_PARAM_VP8TYPE* vp8Params) { ++ if (!isValidOMXParam(vp8Params)) { ++ android_errorWriteLog(0x534e4554, "273937171"); ++ return OMX_ErrorBadParameter; ++ } ++ + if (vp8Params->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } +diff --git a/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp +index 4c7290db14..1ab5046daf 100644 +--- a/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp ++++ b/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp +@@ -112,6 +112,11 @@ OMX_ERRORTYPE SoftVP9Encoder::internalSetParameter( + + OMX_ERRORTYPE SoftVP9Encoder::internalGetVp9Params( + OMX_VIDEO_PARAM_VP9TYPE *vp9Params) { ++ if (!isValidOMXParam(vp9Params)) { ++ android_errorWriteLog(0x534e4554, "273936553"); ++ return OMX_ErrorBadParameter; ++ } ++ + if (vp9Params->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } +@@ -126,6 +131,11 @@ OMX_ERRORTYPE SoftVP9Encoder::internalGetVp9Params( + + OMX_ERRORTYPE SoftVP9Encoder::internalSetVp9Params( + const OMX_VIDEO_PARAM_VP9TYPE *vp9Params) { ++ if (!isValidOMXParam(vp9Params)) { ++ android_errorWriteLog(0x534e4554, "273937136"); ++ return OMX_ErrorBadParameter; ++ } ++ + if (vp9Params->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } +diff --git a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp +index f6257b1556..173bbe37d6 100644 +--- a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp ++++ b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp +@@ -484,6 +484,11 @@ OMX_ERRORTYPE SoftVPXEncoder::internalSetBitrateParams( + + OMX_ERRORTYPE SoftVPXEncoder::internalGetAndroidVpxParams( + OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vpxAndroidParams) { ++ if (!isValidOMXParam(vpxAndroidParams)) { ++ android_errorWriteLog(0x534e4554, "273936601"); ++ return OMX_ErrorBadParameter; ++ } ++ + if (vpxAndroidParams->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } +@@ -500,6 +505,10 @@ OMX_ERRORTYPE SoftVPXEncoder::internalGetAndroidVpxParams( + + OMX_ERRORTYPE SoftVPXEncoder::internalSetAndroidVpxParams( + const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vpxAndroidParams) { ++ if (!isValidOMXParam(vpxAndroidParams)) { ++ android_errorWriteLog(0x534e4554, "273937551"); ++ return OMX_ErrorBadParameter; ++ } + if (vpxAndroidParams->nPortIndex != kOutputPortIndex) { + return OMX_ErrorUnsupportedIndex; + } diff --git a/Patches/LineageOS-15.1/android_frameworks_av/385671.patch b/Patches/LineageOS-15.1/android_frameworks_av/385671.patch new file mode 100644 index 00000000..115f0c65 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_av/385671.patch @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Haripriya Deshmukh +Date: Tue, 5 Dec 2023 18:32:38 +0000 +Subject: [PATCH] Fix out of bounds read and write in onQueueFilled in outQueue + +Bug: 276442130 +Test: POC in bug descriptions +(cherry picked from https://partner-android-review.googlesource.com/q/commit:7aef41e59412e2f95bab5de7e33f5f04bb808643) +(cherry picked from commit 8f4cfda9fc75f1e9ba3b6dee3fbffda4b6111d64) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:208e430bc6380fafafca8041b239f835263a9d47) +Merged-In: Ic230d10048193a785f185dc6a7de6f455f9318c1 +Change-Id: Ic230d10048193a785f185dc6a7de6f455f9318c1 +--- + media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp +index 39b67abd5e..fde9a849ae 100644 +--- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp ++++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp +@@ -308,8 +308,11 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) { + outHeader->nFilledLen = frameSize; + + List::iterator it = outQueue.begin(); +- while ((*it)->mHeader != outHeader) { +- ++it; ++ while (it != outQueue.end() && (*it)->mHeader != outHeader) { ++ ++it; ++ } ++ if (it == outQueue.end()) { ++ return; + } + + BufferInfo *outInfo = *it; diff --git a/Patches/LineageOS-15.1/android_frameworks_base/385672.patch b/Patches/LineageOS-15.1/android_frameworks_base/385672.patch new file mode 100644 index 00000000..cc600dfc --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/385672.patch @@ -0,0 +1,67 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: kumarashishg +Date: Mon, 17 Jul 2023 12:01:18 +0000 +Subject: [PATCH] Resolve custom printer icon boundary exploit. + +Because Settings grants the INTERACT_ACROSS_USERS_FULL permission, an exploit is possible where the third party print plugin service can pass other's User Icon URI. This CL provides a lightweight solution for parsing the image URI to detect profile exploitation. + +Bug: 281525042 +Test: Build and flash the code. Try to reproduce the issue with +mentioned steps in the bug +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0e0693ca9cb408d0dc82f6c6b3feb453fc8ddd83) +Merged-In: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce +Change-Id: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce +--- + .../server/print/PrintManagerService.java | 34 ++++++++++++++++++- + 1 file changed, 33 insertions(+), 1 deletion(-) + +diff --git a/services/print/java/com/android/server/print/PrintManagerService.java b/services/print/java/com/android/server/print/PrintManagerService.java +index 5121c29d688d..703118fdb26c 100644 +--- a/services/print/java/com/android/server/print/PrintManagerService.java ++++ b/services/print/java/com/android/server/print/PrintManagerService.java +@@ -202,12 +202,44 @@ public final class PrintManagerService extends SystemService { + } + final long identity = Binder.clearCallingIdentity(); + try { +- return userState.getCustomPrinterIcon(printerId); ++ Icon icon = userState.getCustomPrinterIcon(printerId); ++ return validateIconUserBoundary(icon); + } finally { + Binder.restoreCallingIdentity(identity); + } + } + ++ /** ++ * Validates the custom printer icon to see if it's not in the calling user space. ++ * If the condition is not met, return null. Otherwise, return the original icon. ++ * ++ * @param icon ++ * @return icon (validated) ++ */ ++ private Icon validateIconUserBoundary(Icon icon) { ++ // Refer to Icon#getUriString for context. The URI string is invalid for icons of ++ // incompatible types. ++ if (icon != null && (icon.getType() == Icon.TYPE_URI)) { ++ String encodedUser = icon.getUri().getEncodedUserInfo(); ++ ++ // If there is no encoded user, the URI is calling into the calling user space ++ if (encodedUser != null) { ++ int userId = Integer.parseInt(encodedUser); ++ // resolve encoded user ++ final int resolvedUserId = resolveCallingUserEnforcingPermissions(userId); ++ ++ synchronized (mLock) { ++ // Only the current group members can get the printer icons. ++ if (resolveCallingProfileParentLocked(resolvedUserId) ++ != getCurrentUserId()) { ++ return null; ++ } ++ } ++ } ++ } ++ return icon; ++ } ++ + @Override + public void cancelPrintJob(PrintJobId printJobId, int appId, int userId) { + if (printJobId == null) { diff --git a/Patches/LineageOS-15.1/android_frameworks_base/385673.patch b/Patches/LineageOS-15.1/android_frameworks_base/385673.patch new file mode 100644 index 00000000..ee8611f9 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/385673.patch @@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alex Buynytskyy +Date: Wed, 20 Dec 2023 01:50:36 +0000 +Subject: [PATCH] Disallow system apps to be installed/updated as instant. + +Bug: 299441833 +Test: atest android.content.pm.cts.PackageManagerTest +(cherry picked from commit 496e78a1951f2ed69290f03c5625c0f8382f4d31) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0d0f185c0d526c1dac0a8894b2c2f2e378328d73) +Merged-In: Idd89a6dd72f0e68259095f677185f0494391025c +Change-Id: Idd89a6dd72f0e68259095f677185f0494391025c +--- + .../core/java/com/android/server/pm/PackageManagerService.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index 682dc46e5713..e2f257e1fce0 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -15429,6 +15429,9 @@ public class PackageManagerService extends IPackageManager.Stub + if (pkgSetting == null) { + return PackageManager.INSTALL_FAILED_INVALID_URI; + } ++ if (instantApp && (pkgSetting.isSystem() || isUpdatedSystemApp(pkgSetting))) { ++ return PackageManager.INSTALL_FAILED_INVALID_URI; ++ } + if (!canViewInstantApps(callingUid, UserHandle.getUserId(callingUid))) { + // only allow the existing package to be used if it's installed as a full + // application for at least one user diff --git a/Patches/LineageOS-15.1/android_frameworks_base/385674.patch b/Patches/LineageOS-15.1/android_frameworks_base/385674.patch new file mode 100644 index 00000000..23586932 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/385674.patch @@ -0,0 +1,57 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Dmitry Dementyev +Date: Wed, 3 Jan 2024 09:26:56 -0800 +Subject: [PATCH] Close AccountManagerService.session after timeout. + +Bug: 303905130 +Bug: 316893159 +Test: manual +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bb53f192e0ceaa026a083da156ef0cb0140f0c09) +Merged-In: Ib4cebf1750fc6324dc1c8853e0d716ea5e8ec073 +Change-Id: Ib4cebf1750fc6324dc1c8853e0d716ea5e8ec073 +--- + .../android/server/accounts/AccountManagerService.java | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index e06c4b3ef480..b06fce9128e6 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -178,6 +178,7 @@ public class AccountManagerService + + final MessageHandler mHandler; + ++ private static final int TIMEOUT_DELAY_MS = 1000 * 60 * 15; + // Messages that can be sent on mHandler + private static final int MESSAGE_TIMED_OUT = 3; + private static final int MESSAGE_COPY_SHARED_ACCOUNT = 4; +@@ -4723,6 +4724,7 @@ public class AccountManagerService + synchronized (mSessions) { + mSessions.put(toString(), this); + } ++ scheduleTimeout(); + if (response != null) { + try { + response.asBinder().linkToDeath(this, 0 /* flags */); +@@ -4887,6 +4889,11 @@ public class AccountManagerService + } + } + ++ private void scheduleTimeout() { ++ mHandler.sendMessageDelayed( ++ mHandler.obtainMessage(MESSAGE_TIMED_OUT, this), TIMEOUT_DELAY_MS); ++ } ++ + public void cancelTimeout() { + mHandler.removeMessages(MESSAGE_TIMED_OUT, this); + } +@@ -4923,6 +4930,9 @@ public class AccountManagerService + + public void onTimedOut() { + IAccountManagerResponse response = getResponseAndClose(); ++ if (Log.isLoggable(TAG, Log.VERBOSE)) { ++ Log.v(TAG, "Session.onTimedOut"); ++ } + if (response != null) { + try { + response.onError(AccountManager.ERROR_CODE_REMOTE_EXCEPTION, diff --git a/Patches/LineageOS-15.1/android_system_bt/385675.patch b/Patches/LineageOS-15.1/android_system_bt/385675.patch new file mode 100644 index 00000000..f84c878d --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/385675.patch @@ -0,0 +1,133 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ugo Yu +Date: Thu, 29 Nov 2018 17:55:40 +0800 +Subject: [PATCH] Fix OOB caused by invalid SMP packet length + +Bug: 111850706 +Bug: 111213909 +Bug: 111214770 +Bug: 111214470 +Test: PoC, Manully +Change-Id: I889d2de97b1aab706c850a950f668aba558f240f +--- + stack/smp/smp_act.cc | 34 ++++++++++++++++++++++++++++++++++ + stack/smp/smp_int.h | 1 + + stack/smp/smp_utils.cc | 27 +++++++++++++++++++++++++++ + 3 files changed, 62 insertions(+) + +diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc +index 7b6ae6f2c..8667cc8fd 100644 +--- a/stack/smp/smp_act.cc ++++ b/stack/smp/smp_act.cc +@@ -503,6 +503,14 @@ void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { + + p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR; + ++ if (smp_command_has_invalid_length(p_cb)) { ++ tSMP_INT_DATA smp_int_data; ++ smp_int_data.status = SMP_INVALID_PARAMETERS; ++ android_errorWriteLog(0x534e4554, "111850706"); ++ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); ++ return; ++ } ++ + STREAM_TO_UINT8(p_cb->peer_io_caps, p); + STREAM_TO_UINT8(p_cb->peer_oob_flag, p); + STREAM_TO_UINT8(p_cb->peer_auth_req, p); +@@ -776,6 +784,14 @@ void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { + + p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR; + ++ if (smp_command_has_invalid_length(p_cb)) { ++ tSMP_INT_DATA smp_int_data; ++ smp_int_data.status = SMP_INVALID_PARAMETERS; ++ android_errorWriteLog(0x534e4554, "111213909"); ++ smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data); ++ return; ++ } ++ + STREAM_TO_UINT8(p_cb->peer_io_caps, p); + STREAM_TO_UINT8(p_cb->peer_oob_flag, p); + STREAM_TO_UINT8(p_cb->peer_auth_req, p); +@@ -981,6 +997,15 @@ void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { + tBTM_LE_KEY_VALUE pid_key; + + SMP_TRACE_DEBUG("%s", __func__); ++ ++ if (smp_command_has_invalid_parameters(p_cb)) { ++ tSMP_INT_DATA smp_int_data; ++ smp_int_data.status = SMP_INVALID_PARAMETERS; ++ android_errorWriteLog(0x534e4554, "111214770"); ++ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); ++ return; ++ } ++ + smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true); + + STREAM_TO_UINT8(pid_key.pid_key.addr_type, p); +@@ -1007,6 +1032,15 @@ void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { + tBTM_LE_KEY_VALUE le_key; + + SMP_TRACE_DEBUG("%s", __func__); ++ ++ if (smp_command_has_invalid_parameters(p_cb)) { ++ tSMP_INT_DATA smp_int_data; ++ smp_int_data.status = SMP_INVALID_PARAMETERS; ++ android_errorWriteLog(0x534e4554, "111214470"); ++ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); ++ return; ++ } ++ + smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true); + + /* save CSRK to security record */ +diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h +index fc8717f7c..e0ee76a1a 100644 +--- a/stack/smp/smp_int.h ++++ b/stack/smp/smp_int.h +@@ -479,6 +479,7 @@ extern void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b); + extern bool smp_encrypt_data(uint8_t* key, uint8_t key_len, uint8_t* plain_text, + uint8_t pt_len, tSMP_ENC* p_out); + extern bool smp_command_has_invalid_parameters(tSMP_CB* p_cb); ++extern bool smp_command_has_invalid_length(tSMP_CB* p_cb); + extern void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr); + extern tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb); + extern void smp_reverse_array(uint8_t* arr, uint8_t len); +diff --git a/stack/smp/smp_utils.cc b/stack/smp/smp_utils.cc +index 441b178d1..36a7b1be8 100644 +--- a/stack/smp/smp_utils.cc ++++ b/stack/smp/smp_utils.cc +@@ -936,6 +936,33 @@ void smp_proc_pairing_cmpl(tSMP_CB* p_cb) { + if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data); + } + ++/******************************************************************************* ++ * ++ * Function smp_command_has_invalid_length ++ * ++ * Description Checks if the received SMP command has invalid length ++ * It returns true if the command has invalid length. ++ * ++ * Returns true if the command has invalid length, false otherwise. ++ * ++ ******************************************************************************/ ++bool smp_command_has_invalid_length(tSMP_CB* p_cb) { ++ uint8_t cmd_code = p_cb->rcvd_cmd_code; ++ ++ if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) || ++ (cmd_code < SMP_OPCODE_MIN)) { ++ SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x", ++ __func__, cmd_code); ++ return true; ++ } ++ ++ if (!smp_command_has_valid_fixed_length(p_cb)) { ++ return true; ++ } ++ ++ return false; ++} ++ + /******************************************************************************* + * + * Function smp_command_has_invalid_parameters diff --git a/Patches/LineageOS-15.1/android_system_bt/385676-backport.patch b/Patches/LineageOS-15.1/android_system_bt/385676-backport.patch new file mode 100644 index 00000000..e6009cf2 --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/385676-backport.patch @@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Tue, 28 Nov 2023 19:57:20 +0000 +Subject: [PATCH] Fix an OOB bug in smp_proc_sec_req + +This is a backport of I400cfa3523c6d8b25c233205748c2db5dc803d1d + +Bug: 300903400 +Test: m com.android.btservices +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:970c95d7c06c909c34a849587f701098129fc2ef) +Merged-In: Id4c65801ff8519aff18b24007e344934493cab55 +Change-Id: Id4c65801ff8519aff18b24007e344934493cab55 +--- + stack/smp/smp_act.cc | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc +index 8667cc8fd..f814b9cf1 100644 +--- a/stack/smp/smp_act.cc ++++ b/stack/smp/smp_act.cc +@@ -414,6 +414,13 @@ void smp_send_ltk_reply(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { + * Description process security request. + ******************************************************************************/ + void smp_proc_sec_req(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { ++ if (smp_command_has_invalid_length(p_cb)) { ++ tSMP_INT_DATA smp_int_data; ++ smp_int_data.status = SMP_INVALID_PARAMETERS; ++ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); ++ return; ++ } ++ + tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ*)p_data; + tBTM_BLE_SEC_REQ_ACT sec_req_act; + uint8_t reason; diff --git a/Patches/LineageOS-15.1/android_system_bt/385677.patch b/Patches/LineageOS-15.1/android_system_bt/385677.patch new file mode 100644 index 00000000..e61ca0c9 --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/385677.patch @@ -0,0 +1,115 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Fri, 15 Dec 2023 22:55:33 +0000 +Subject: [PATCH] Reland: Fix an OOB write bug in attp_build_value_cmd + +This is a backport of I291fd665a68d90813b8c21c80d23cc438f84f285 + +Bug: 295887535 +Bug: 315127634 +Test: m com.android.btservices +Test: atest net_test_stack_gatt +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:70f7ff2b34e6683301c9c6cd021e1ddef76c5b1c) +Merged-In: Ieffac6db5c6359b071efc599f7a70de609b80b72 +Change-Id: Ieffac6db5c6359b071efc599f7a70de609b80b72 +--- + stack/gatt/att_protocol.cc | 56 ++++++++++++++++++++++++++++++-------- + 1 file changed, 45 insertions(+), 11 deletions(-) + +diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc +index 35be063ee..c113c825f 100644 +--- a/stack/gatt/att_protocol.cc ++++ b/stack/gatt/att_protocol.cc +@@ -277,46 +277,80 @@ BT_HDR* attp_build_opcode_cmd(uint8_t op_code) { + BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code, + uint16_t handle, uint16_t offset, uint16_t len, + uint8_t* p_data) { +- uint8_t *p, *pp, pair_len, *p_pair_len; ++ uint8_t *p, *pp, *p_pair_len; ++ size_t pair_len; ++ size_t size_now = 1; ++ ++#define CHECK_SIZE() \ ++ do { \ ++ if (size_now > payload_size) { \ ++ LOG(ERROR) << "payload size too small"; \ ++ osi_free(p_buf); \ ++ return nullptr; \ ++ } \ ++ } while (false) ++ + BT_HDR* p_buf = + (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET); + + p = pp = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; ++ ++ CHECK_SIZE(); + UINT8_TO_STREAM(p, op_code); + p_buf->offset = L2CAP_MIN_OFFSET; +- p_buf->len = 1; + + if (op_code == GATT_RSP_READ_BY_TYPE) { +- p_pair_len = p; ++ p_pair_len = p++; + pair_len = len + 2; +- UINT8_TO_STREAM(p, pair_len); +- p_buf->len += 1; ++ size_now += 1; ++ CHECK_SIZE(); ++ // this field will be backfilled in the end of this function + } ++ + if (op_code != GATT_RSP_READ_BLOB && op_code != GATT_RSP_READ) { ++ size_now += 2; ++ CHECK_SIZE(); + UINT16_TO_STREAM(p, handle); +- p_buf->len += 2; + } + + if (op_code == GATT_REQ_PREPARE_WRITE || op_code == GATT_RSP_PREPARE_WRITE) { ++ size_now += 2; ++ CHECK_SIZE(); + UINT16_TO_STREAM(p, offset); +- p_buf->len += 2; + } + + if (len > 0 && p_data != NULL) { + /* ensure data not exceed MTU size */ +- if (payload_size - p_buf->len < len) { +- len = payload_size - p_buf->len; ++ if (payload_size - size_now < len) { ++ len = payload_size - size_now; + /* update handle value pair length */ +- if (op_code == GATT_RSP_READ_BY_TYPE) *p_pair_len = (len + 2); ++ if (op_code == GATT_RSP_READ_BY_TYPE) { ++ pair_len = (len + 2); ++ } + + LOG(WARNING) << StringPrintf( + "attribute value too long, to be truncated to %d", len); + } + ++ size_now += len; ++ CHECK_SIZE(); + ARRAY_TO_STREAM(p, p_data, len); +- p_buf->len += len; + } + ++ // backfill pair len field ++ if (op_code == GATT_RSP_READ_BY_TYPE) { ++ if (pair_len > UINT8_MAX) { ++ LOG(ERROR) << StringPrintf("pair_len greater than %d", UINT8_MAX); ++ osi_free(p_buf); ++ return nullptr; ++ } ++ ++ *p_pair_len = (uint8_t)pair_len; ++ } ++ ++#undef CHECK_SIZE ++ ++ p_buf->len = (uint16_t)size_now; + return p_buf; + } + diff --git a/Patches/LineageOS-15.1/android_system_bt/385678.patch b/Patches/LineageOS-15.1/android_system_bt/385678.patch new file mode 100644 index 00000000..4c0ebda7 --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/385678.patch @@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Tue, 9 Jan 2024 22:38:20 +0000 +Subject: [PATCH] Fix a security bypass issue in + access_secure_service_from_temp_bond + +Backport I48df2c2d77810077e97d4131540277273d441998 +to rvc-dev + +Bug: 318374503 +Test: m com.android.btservices | manual test against PoC | QA +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e908c16d9157b9e4a936117f06b8f964cf8386b8) +Merged-In: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f +Change-Id: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f +--- + stack/btm/btm_sec.cc | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc +index 29ca8320f..21d03d19a 100644 +--- a/stack/btm/btm_sec.cc ++++ b/stack/btm/btm_sec.cc +@@ -231,8 +231,7 @@ static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_r + bool locally_initiated, + uint16_t security_req) { + return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) && +- btm_dev_authenticated(p_dev_rec) && +- p_dev_rec->bond_type == BOND_TYPE_TEMPORARY; ++ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY; + } + + /******************************************************************************* diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index e04ff1cd..43c0a2fd 100644 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -74,7 +74,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. awk -i inplace '!/Email/' target/product/core.mk; #Remove Email -sed -i 's/2021-10-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #XXX +sed -i 's/2021-10-05/2024-03-05/' core/version_defaults.mk; #Bump Security String #XXX fi; if enterAndClear "build/soong"; then @@ -152,6 +152,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_av/358729.patch"; #n-asb-2023-06 Fix applyPatch "$DOS_PATCHES/android_frameworks_av/365962.patch"; #R_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test. applyPatch "$DOS_PATCHES/android_frameworks_av/373949.patch"; #R_asb_2023-11 Fix for heap buffer overflow issue flagged by fuzzer test. applyPatch "$DOS_PATCHES/android_frameworks_av/381886.patch"; #R_asb_2024-02 Update mtp packet buffer +applyPatch "$DOS_PATCHES/android_frameworks_av/385670.patch"; #P_asb_2024-03 Validate OMX Params for VPx encoders +applyPatch "$DOS_PATCHES/android_frameworks_av/385671.patch"; #P_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue fi; if enterAndClear "frameworks/base"; then @@ -235,6 +237,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/379149-backport.patch"; #R_asb_ applyPatch "$DOS_PATCHES/android_frameworks_base/379150.patch"; #R_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities applyPatch "$DOS_PATCHES/android_frameworks_base/379136.patch"; #R_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions #applyPatch "$DOS_PATCHES/android_frameworks_base/381889-backport.patch"; #R_asb_2024-02 Unbind TileService onNullBinding #XXX: TileLifecycleManager.java:197.17: The method onNullBinding(ComponentName) of type TileLifecycleManager must override or implement a supertype method +applyPatch "$DOS_PATCHES/android_frameworks_base/385672.patch"; #P_asb_2024-03 Resolve custom printer icon boundary exploit. +applyPatch "$DOS_PATCHES/android_frameworks_base/385673.patch"; #P_asb_2024-03 Disallow system apps to be installed/updated as instant. +applyPatch "$DOS_PATCHES/android_frameworks_base/385674.patch"; #P_asb_2024-03 Close AccountManagerService.session after timeout. applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS) @@ -508,6 +513,10 @@ applyPatch "$DOS_PATCHES/android_system_bt/379154-prereq-2.patch"; #R_asb_2024-0 applyPatch "$DOS_PATCHES/android_system_bt/379154.patch"; #R_asb_2024-01 Fix some OOB errors in BTM parsing applyPatch "$DOS_PATCHES/android_system_bt/381894-backport.patch"; #R_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd applyPatch "$DOS_PATCHES/android_system_bt/381895.patch"; #R_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd +#applyPatch "$DOS_PATCHES/android_system_bt/385675.patch"; #P_asb_2024-03 Fix OOB caused by invalid SMP packet length #XXX: needs to switch to `reason =` or backport `smp_int_data.status` +#applyPatch "$DOS_PATCHES/android_system_bt/385676-backport.patch"; #P_asb_2024-03 Fix an OOB bug in smp_proc_sec_req #XXX: alternatively forward-port 385236 & 385237 +applyPatch "$DOS_PATCHES/android_system_bt/385677.patch"; #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd +applyPatch "$DOS_PATCHES/android_system_bt/385678.patch"; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond fi; if enterAndClear "system/ca-certificates"; then