mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
16.0 July ASB work
Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
parent
4db68c3de1
commit
293f97d678
@ -0,0 +1,50 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Werner Lemberg <wl@gnu.org>
|
||||
Date: Sat, 19 Mar 2022 06:40:17 +0100
|
||||
Subject: [PATCH] DO NOT MERGE - Cherry-pick two upstream changes
|
||||
|
||||
This cherry picks following two changes:
|
||||
|
||||
0c2bdb01a2e1d24a3e592377a6d0822856e10df2
|
||||
22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
|
||||
|
||||
Bug: 271680254
|
||||
Test: N/A
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ffa271ab538f57b65a65d434a2df9d3f8cd2f4a)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b0f8930701bf19229075cc930ad15813ff5fb07b)
|
||||
Merged-In: I42469df8e8b07221d64e3f8574c4f30110dbda7e
|
||||
Change-Id: I42469df8e8b07221d64e3f8574c4f30110dbda7e
|
||||
---
|
||||
src/base/ftobjs.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
|
||||
index 8d07e35ae..fda7e21de 100644
|
||||
--- a/src/base/ftobjs.c
|
||||
+++ b/src/base/ftobjs.c
|
||||
@@ -2345,6 +2345,15 @@
|
||||
#endif
|
||||
|
||||
|
||||
+ /* only use lower 31 bits together with sign bit */
|
||||
+ if ( face_index > 0 )
|
||||
+ face_index &= 0x7FFFFFFFL;
|
||||
+ else
|
||||
+ {
|
||||
+ face_index &= 0x7FFFFFFFL;
|
||||
+ face_index = -face_index;
|
||||
+ }
|
||||
+
|
||||
#ifdef FT_DEBUG_LEVEL_TRACE
|
||||
FT_TRACE3(( "FT_Open_Face: " ));
|
||||
if ( face_index < 0 )
|
||||
@@ -3200,6 +3209,9 @@
|
||||
if ( !face )
|
||||
return FT_THROW( Invalid_Face_Handle );
|
||||
|
||||
+ if ( !face->size )
|
||||
+ return FT_THROW( Invalid_Size_Handle );
|
||||
+
|
||||
if ( !req || req->width < 0 || req->height < 0 ||
|
||||
req->type >= FT_SIZE_REQUEST_TYPE_MAX )
|
||||
return FT_THROW( Invalid_Argument );
|
@ -0,0 +1,145 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Lucas Lin <lucaslin@google.com>
|
||||
Date: Fri, 3 Mar 2023 08:13:50 +0000
|
||||
Subject: [PATCH] Sanitize VPN label to prevent HTML injection
|
||||
|
||||
This commit will try to sanitize the content of VpnDialog. This
|
||||
commit creates a function which will try to sanitize the VPN
|
||||
label, if the sanitized VPN label is different from the original
|
||||
one, which means the VPN label might contain HTML tag or the VPN
|
||||
label violates the words restriction(may contain some wording
|
||||
which will mislead the user). For this kind of case, show the
|
||||
package name instead of the VPN label to prevent misleading the
|
||||
user.
|
||||
|
||||
The malicious VPN app might be able to add a large number of line
|
||||
breaks with HTML in order to hide the system-displayed text from
|
||||
the user in the connection request dialog. Thus, sanitizing the
|
||||
content of the dialog is needed.
|
||||
|
||||
Bug: 204554636
|
||||
Test: N/A
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2178216b98bf9865edee198f45192f0b883624ab)
|
||||
Merged-In: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d
|
||||
Change-Id: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d
|
||||
---
|
||||
packages/VpnDialogs/res/values/strings.xml | 28 ++++++++++
|
||||
.../com/android/vpndialogs/ConfirmDialog.java | 53 +++++++++++++++++--
|
||||
2 files changed, 76 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/packages/VpnDialogs/res/values/strings.xml b/packages/VpnDialogs/res/values/strings.xml
|
||||
index 443a9bc33b90..b4166f0bedfd 100644
|
||||
--- a/packages/VpnDialogs/res/values/strings.xml
|
||||
+++ b/packages/VpnDialogs/res/values/strings.xml
|
||||
@@ -89,4 +89,32 @@
|
||||
without any consequences. [CHAR LIMIT=20] -->
|
||||
<string name="dismiss">Dismiss</string>
|
||||
|
||||
+ <!-- Malicious VPN apps may provide very long labels or cunning HTML to trick the system dialogs
|
||||
+ into displaying what they want. The system will attempt to sanitize the label, and if the
|
||||
+ label is deemed dangerous, then this string is used instead. The first argument is the
|
||||
+ first 30 characters of the label, and the second argument is the package name of the app.
|
||||
+ Example : Normally a VPN app may be called "My VPN app" in which case the dialog will read
|
||||
+ "My VPN app wants to set up a VPN connection...". If the label is very long, then, this
|
||||
+ will be used to show "VerylongVPNlabel… (com.my.vpn.app) wants to set up a VPN
|
||||
+ connection...". For this case, the code will refer to sanitized_vpn_label_with_ellipsis.
|
||||
+ -->
|
||||
+ <string name="sanitized_vpn_label_with_ellipsis">
|
||||
+ <xliff:g id="sanitized_vpn_label_with_ellipsis" example="My VPN app">%1$s</xliff:g>… (
|
||||
+ <xliff:g id="sanitized_vpn_label_with_ellipsis" example="com.my.vpn.app">%2$s</xliff:g>)
|
||||
+ </string>
|
||||
+
|
||||
+ <!-- Malicious VPN apps may provide very long labels or cunning HTML to trick the system dialogs
|
||||
+ into displaying what they want. The system will attempt to sanitize the label, and if the
|
||||
+ label is deemed dangerous, then this string is used instead. The first argument is the
|
||||
+ label, and the second argument is the package name of the app.
|
||||
+ Example : Normally a VPN app may be called "My VPN app" in which case the dialog will read
|
||||
+ "My VPN app wants to set up a VPN connection...". If the VPN label contains HTML tag but
|
||||
+ the length is not very long, the dialog will show "VpnLabelWith<br>HtmlTag
|
||||
+ (com.my.vpn.app) wants to set up a VPN connection...". For this case, the code will refer
|
||||
+ to sanitized_vpn_label.
|
||||
+ -->
|
||||
+ <string name="sanitized_vpn_label">
|
||||
+ <xliff:g id="sanitized_vpn_label" example="My VPN app">%1$s</xliff:g> (
|
||||
+ <xliff:g id="sanitized_vpn_label" example="com.my.vpn.app">%2$s</xliff:g>)
|
||||
+ </string>
|
||||
</resources>
|
||||
diff --git a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
|
||||
index 09339743db5c..43d18df3a10d 100644
|
||||
--- a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
|
||||
+++ b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
|
||||
@@ -42,10 +42,52 @@ public class ConfirmDialog extends AlertActivity
|
||||
implements DialogInterface.OnClickListener, ImageGetter {
|
||||
private static final String TAG = "VpnConfirm";
|
||||
|
||||
+ // Usually the label represents the app name, 150 code points might be enough to display the app
|
||||
+ // name, and 150 code points won't cover the warning message from VpnDialog.
|
||||
+ static final int MAX_VPN_LABEL_LENGTH = 150;
|
||||
+
|
||||
private String mPackage;
|
||||
|
||||
private IConnectivityManager mService;
|
||||
|
||||
+ private View mView;
|
||||
+
|
||||
+ /**
|
||||
+ * This function will use the string resource to combine the VPN label and the package name.
|
||||
+ *
|
||||
+ * If the VPN label violates the length restriction, the first 30 code points of VPN label and
|
||||
+ * the package name will be returned. Or return the VPN label and the package name directly if
|
||||
+ * the VPN label doesn't violate the length restriction.
|
||||
+ *
|
||||
+ * The result will be something like,
|
||||
+ * - ThisIsAVeryLongVpnAppNameWhich... (com.vpn.app)
|
||||
+ * if the VPN label violates the length restriction.
|
||||
+ * or
|
||||
+ * - VpnLabelWith<br>HtmlTag (com.vpn.app)
|
||||
+ * if the VPN label doesn't violate the length restriction.
|
||||
+ *
|
||||
+ */
|
||||
+ private String getSimplifiedLabel(String vpnLabel, String packageName) {
|
||||
+ if (vpnLabel.codePointCount(0, vpnLabel.length()) > 30) {
|
||||
+ return getString(R.string.sanitized_vpn_label_with_ellipsis,
|
||||
+ vpnLabel.substring(0, vpnLabel.offsetByCodePoints(0, 30)),
|
||||
+ packageName);
|
||||
+ }
|
||||
+
|
||||
+ return getString(R.string.sanitized_vpn_label, vpnLabel, packageName);
|
||||
+ }
|
||||
+
|
||||
+ protected String getSanitizedVpnLabel(String vpnLabel, String packageName) {
|
||||
+ final String sanitizedVpnLabel = Html.escapeHtml(vpnLabel);
|
||||
+ final boolean exceedMaxVpnLabelLength = sanitizedVpnLabel.codePointCount(0,
|
||||
+ sanitizedVpnLabel.length()) > MAX_VPN_LABEL_LENGTH;
|
||||
+ if (exceedMaxVpnLabelLength || !vpnLabel.equals(sanitizedVpnLabel)) {
|
||||
+ return getSimplifiedLabel(sanitizedVpnLabel, packageName);
|
||||
+ }
|
||||
+
|
||||
+ return sanitizedVpnLabel;
|
||||
+ }
|
||||
+
|
||||
@Override
|
||||
protected void onCreate(Bundle savedInstanceState) {
|
||||
super.onCreate(savedInstanceState);
|
||||
@@ -68,15 +110,16 @@ public class ConfirmDialog extends AlertActivity
|
||||
finish();
|
||||
return;
|
||||
}
|
||||
- View view = View.inflate(this, R.layout.confirm, null);
|
||||
- ((TextView) view.findViewById(R.id.warning)).setText(
|
||||
- Html.fromHtml(getString(R.string.warning, getVpnLabel()),
|
||||
- this, null /* tagHandler */));
|
||||
+ mView = View.inflate(this, R.layout.confirm, null);
|
||||
+ ((TextView) mView.findViewById(R.id.warning)).setText(
|
||||
+ Html.fromHtml(getString(R.string.warning, getSanitizedVpnLabel(
|
||||
+ getVpnLabel().toString(), mPackage)),
|
||||
+ this /* imageGetter */, null /* tagHandler */));
|
||||
mAlertParams.mTitle = getText(R.string.prompt);
|
||||
mAlertParams.mPositiveButtonText = getText(android.R.string.ok);
|
||||
mAlertParams.mPositiveButtonListener = this;
|
||||
mAlertParams.mNegativeButtonText = getText(android.R.string.cancel);
|
||||
- mAlertParams.mView = view;
|
||||
+ mAlertParams.mView = mView;
|
||||
setupAlert();
|
||||
|
||||
getWindow().setCloseOnTouchOutside(false);
|
84
Patches/LineageOS-16.0/android_frameworks_base/360954.patch
Normal file
84
Patches/LineageOS-16.0/android_frameworks_base/360954.patch
Normal file
@ -0,0 +1,84 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Groover <mpgroover@google.com>
|
||||
Date: Fri, 31 Mar 2023 21:31:22 +0000
|
||||
Subject: [PATCH] Limit the number of supported v1 and v2 signers
|
||||
|
||||
The v1 and v2 APK Signature Schemes support multiple signers; this
|
||||
was intended to allow multiple entities to sign an APK. Previously,
|
||||
the platform had no limits placed on the number of signers supported
|
||||
in an APK, but this commit sets a hard limit of 10 supported signers
|
||||
for these signature schemes to ensure a large number of signers
|
||||
does not place undue burden on the platform.
|
||||
|
||||
Bug: 266580022
|
||||
Test: Manually verified the platform only allowed an APK with the
|
||||
maximum number of supported signers.
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6f6ee8a55f37c2b8c0df041b2bd53ec928764597)
|
||||
Merged-In: I6aa86b615b203cdc69d58a593ccf8f18474ca091
|
||||
Change-Id: I6aa86b615b203cdc69d58a593ccf8f18474ca091
|
||||
---
|
||||
.../util/apk/ApkSignatureSchemeV2Verifier.java | 10 ++++++++++
|
||||
core/java/android/util/jar/StrictJarVerifier.java | 11 +++++++++++
|
||||
2 files changed, 21 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
|
||||
index 533d72590f0a..d5f6ebe8c2e9 100644
|
||||
--- a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
|
||||
+++ b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
|
||||
@@ -83,6 +83,11 @@ public class ApkSignatureSchemeV2Verifier {
|
||||
|
||||
private static final int APK_SIGNATURE_SCHEME_V2_BLOCK_ID = 0x7109871a;
|
||||
|
||||
+ /**
|
||||
+ * The maximum number of signers supported by the v2 APK signature scheme.
|
||||
+ */
|
||||
+ private static final int MAX_V2_SIGNERS = 10;
|
||||
+
|
||||
/**
|
||||
* Returns {@code true} if the provided APK contains an APK Signature Scheme V2 signature.
|
||||
*
|
||||
@@ -188,6 +193,11 @@ public class ApkSignatureSchemeV2Verifier {
|
||||
}
|
||||
while (signers.hasRemaining()) {
|
||||
signerCount++;
|
||||
+ if (signerCount > MAX_V2_SIGNERS) {
|
||||
+ throw new SecurityException(
|
||||
+ "APK Signature Scheme v2 only supports a maximum of " + MAX_V2_SIGNERS
|
||||
+ + " signers");
|
||||
+ }
|
||||
try {
|
||||
ByteBuffer signer = getLengthPrefixedSlice(signers);
|
||||
X509Certificate[] certs = verifySigner(signer, contentDigests, certFactory);
|
||||
diff --git a/core/java/android/util/jar/StrictJarVerifier.java b/core/java/android/util/jar/StrictJarVerifier.java
|
||||
index 45254908c5c9..a6aca330d323 100644
|
||||
--- a/core/java/android/util/jar/StrictJarVerifier.java
|
||||
+++ b/core/java/android/util/jar/StrictJarVerifier.java
|
||||
@@ -78,6 +78,11 @@ class StrictJarVerifier {
|
||||
"SHA1",
|
||||
};
|
||||
|
||||
+ /**
|
||||
+ * The maximum number of signers supported by the JAR signature scheme.
|
||||
+ */
|
||||
+ private static final int MAX_JAR_SIGNERS = 10;
|
||||
+
|
||||
private final String jarName;
|
||||
private final StrictJarManifest manifest;
|
||||
private final HashMap<String, byte[]> metaEntries;
|
||||
@@ -293,10 +298,16 @@ class StrictJarVerifier {
|
||||
return false;
|
||||
}
|
||||
|
||||
+ int signerCount = 0;
|
||||
Iterator<String> it = metaEntries.keySet().iterator();
|
||||
while (it.hasNext()) {
|
||||
String key = it.next();
|
||||
if (key.endsWith(".DSA") || key.endsWith(".RSA") || key.endsWith(".EC")) {
|
||||
+ if (++signerCount > MAX_JAR_SIGNERS) {
|
||||
+ throw new SecurityException(
|
||||
+ "APK Signature Scheme v1 only supports a maximum of " + MAX_JAR_SIGNERS
|
||||
+ + " signers");
|
||||
+ }
|
||||
verifyCertificate(key);
|
||||
it.remove();
|
||||
}
|
1034
Patches/LineageOS-16.0/android_frameworks_base/360955-backport.patch
Normal file
1034
Patches/LineageOS-16.0/android_frameworks_base/360955-backport.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,39 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Aaron Liu <aaronjli@google.com>
|
||||
Date: Tue, 28 Mar 2023 13:15:04 -0700
|
||||
Subject: [PATCH] DO NOT MERGE Dismiss keyguard when simpin auth'd and...
|
||||
|
||||
security method is none. This is mostly to fix the case where we auth
|
||||
sim pin in the set up wizard and it goes straight to keyguard instead of
|
||||
the setup wizard activity.
|
||||
|
||||
This works with the prevent bypass keyguard flag because the device
|
||||
should be noe secure in this case.
|
||||
|
||||
Fixes: 222446076
|
||||
Test: turn locked sim on, which opens the sim pin screen. Auth the
|
||||
screen and observe that keyguard is not shown.
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48fa9bef3451e4a358c941af5b230f99881c5cb6)
|
||||
Cherry-picking this CL as a security fix
|
||||
|
||||
Bug: 222446076
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:09f004722284ef6b9790ddf9338a1708b3f0833c)
|
||||
Merged-In: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
|
||||
Change-Id: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
|
||||
---
|
||||
.../src/com/android/keyguard/KeyguardSecurityContainer.java | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
|
||||
index 6a71cf84759c..bb205956e932 100644
|
||||
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
|
||||
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
|
||||
@@ -351,7 +351,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
|
||||
case SimPuk:
|
||||
// Shortcut for SIM PIN/PUK to go to directly to user's security screen or home
|
||||
SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId);
|
||||
- if (securityMode == SecurityMode.None && mLockPatternUtils.isLockScreenDisabled(
|
||||
+ if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled(
|
||||
KeyguardUpdateMonitor.getCurrentUser())) {
|
||||
finish = true;
|
||||
} else {
|
@ -0,0 +1,99 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Andr=C3=A1s=20Kurucz?= <kurucz@google.com>
|
||||
Date: Fri, 21 Apr 2023 09:45:07 +0000
|
||||
Subject: [PATCH] Truncate ShortcutInfo Id
|
||||
|
||||
Creating Conversation with a ShortcutId longer than 65_535 (max unsigned short), we did not save the conversation settings into the notification_policy.xml due to a restriction in FastDataOutput.
|
||||
This put us to a state where the user changing the importance or turning off the notifications for the given conversation had no effect on notification behavior.
|
||||
|
||||
Fixes: 273729476
|
||||
Test: atest ShortcutManagerTest2
|
||||
Test: Create a test app which creates a Conversation with a long shortcutId. Go to the Conversation Settings and turn off Notifications. Post a new Notification to this Conversation and see if it is displayed.
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f31df6234091b5b1de258a01dd4b2d8e5415ee2e)
|
||||
Merged-In: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5
|
||||
Change-Id: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5
|
||||
---
|
||||
.../java/android/content/pm/ShortcutInfo.java | 20 ++++++++++++++++---
|
||||
.../server/pm/ShortcutManagerTest2.java | 10 ++++++++++
|
||||
2 files changed, 27 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/content/pm/ShortcutInfo.java b/core/java/android/content/pm/ShortcutInfo.java
|
||||
index ea476b0abf33..cddad1798219 100644
|
||||
--- a/core/java/android/content/pm/ShortcutInfo.java
|
||||
+++ b/core/java/android/content/pm/ShortcutInfo.java
|
||||
@@ -214,6 +214,12 @@ public final class ShortcutInfo implements Parcelable {
|
||||
*/
|
||||
public static final int DISABLED_REASON_OTHER_RESTORE_ISSUE = 103;
|
||||
|
||||
+ /**
|
||||
+ * The maximum length of Shortcut ID. IDs will be truncated at this limit.
|
||||
+ * @hide
|
||||
+ */
|
||||
+ public static final int MAX_ID_LENGTH = 1000;
|
||||
+
|
||||
/** @hide */
|
||||
@IntDef(prefix = { "DISABLED_REASON_" }, value = {
|
||||
DISABLED_REASON_NOT_DISABLED,
|
||||
@@ -380,8 +386,7 @@ public final class ShortcutInfo implements Parcelable {
|
||||
|
||||
private ShortcutInfo(Builder b) {
|
||||
mUserId = b.mContext.getUserId();
|
||||
-
|
||||
- mId = Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided");
|
||||
+ mId = getSafeId(Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided"));
|
||||
|
||||
// Note we can't do other null checks here because SM.updateShortcuts() takes partial
|
||||
// information.
|
||||
@@ -463,6 +468,14 @@ public final class ShortcutInfo implements Parcelable {
|
||||
return ret;
|
||||
}
|
||||
|
||||
+ @NonNull
|
||||
+ private static String getSafeId(@NonNull String id) {
|
||||
+ if (id.length() > MAX_ID_LENGTH) {
|
||||
+ return id.substring(0, MAX_ID_LENGTH);
|
||||
+ }
|
||||
+ return id;
|
||||
+ }
|
||||
+
|
||||
/**
|
||||
* Throws if any of the mandatory fields is not set.
|
||||
*
|
||||
@@ -1851,7 +1864,8 @@ public final class ShortcutInfo implements Parcelable {
|
||||
final ClassLoader cl = getClass().getClassLoader();
|
||||
|
||||
mUserId = source.readInt();
|
||||
- mId = source.readString();
|
||||
+ mId = getSafeId(Preconditions.checkStringNotEmpty(source.readString(),
|
||||
+ "Shortcut ID must be provided"));
|
||||
mPackageName = source.readString();
|
||||
mActivity = source.readParcelable(cl);
|
||||
mFlags = source.readInt();
|
||||
diff --git a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
|
||||
index fcdadaccd2ac..464f563640c1 100644
|
||||
--- a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
|
||||
+++ b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
|
||||
@@ -53,6 +53,7 @@ import java.io.IOException;
|
||||
import java.io.PrintWriter;
|
||||
import java.io.StringWriter;
|
||||
import java.io.Writer;
|
||||
+import java.util.Collections;
|
||||
import java.util.Locale;
|
||||
|
||||
/**
|
||||
@@ -223,6 +224,15 @@ public class ShortcutManagerTest2 extends BaseShortcutManagerTest {
|
||||
});
|
||||
}
|
||||
|
||||
+ public void testShortcutIdTruncated() {
|
||||
+ ShortcutInfo si = new ShortcutInfo.Builder(getTestContext(),
|
||||
+ String.join("", Collections.nCopies(Short.MAX_VALUE, "s"))).build();
|
||||
+
|
||||
+ assertTrue(
|
||||
+ "id must be truncated to MAX_ID_LENGTH",
|
||||
+ si.getId().length() <= ShortcutInfo.MAX_ID_LENGTH);
|
||||
+ }
|
||||
+
|
||||
public void testShortcutInfoParcel() {
|
||||
setCaller(CALLING_PACKAGE_1, USER_10);
|
||||
ShortcutInfo si = parceled(new ShortcutInfo.Builder(mClientContext)
|
@ -0,0 +1,128 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Ioana Alexandru <aioana@google.com>
|
||||
Date: Thu, 27 Apr 2023 12:36:05 +0000
|
||||
Subject: [PATCH] Visit URIs in landscape/portrait custom remote views.
|
||||
|
||||
Bug: 277740848
|
||||
Test: atest RemoteViewsTest NotificationManagerServiceTest & tested with POC from bug
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e8acb2f660bdb03616989852f9dbbf1726f8237e)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:43e1ae4e0d408604b9e3c18ac0e9bf87529b92a8)
|
||||
Merged-In: I7d3d35df0ec38945019f71755bed8797b7af4517
|
||||
Change-Id: I7d3d35df0ec38945019f71755bed8797b7af4517
|
||||
---
|
||||
core/java/android/widget/RemoteViews.java | 6 ++
|
||||
.../src/android/widget/RemoteViewsTest.java | 65 +++++++++++++++++++
|
||||
2 files changed, 71 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java
|
||||
index 4865dab6056a..10053dddb0fb 100644
|
||||
--- a/core/java/android/widget/RemoteViews.java
|
||||
+++ b/core/java/android/widget/RemoteViews.java
|
||||
@@ -543,6 +543,12 @@ public class RemoteViews implements Parcelable, Filter {
|
||||
mActions.get(i).visitUris(visitor);
|
||||
}
|
||||
}
|
||||
+ if (mLandscape != null) {
|
||||
+ mLandscape.visitUris(visitor);
|
||||
+ }
|
||||
+ if (mPortrait != null) {
|
||||
+ mPortrait.visitUris(visitor);
|
||||
+ }
|
||||
}
|
||||
|
||||
private static void visitIconUri(Icon icon, @NonNull Consumer<Uri> visitor) {
|
||||
diff --git a/core/tests/coretests/src/android/widget/RemoteViewsTest.java b/core/tests/coretests/src/android/widget/RemoteViewsTest.java
|
||||
index 70cf097f42a3..7d2e07ecbd71 100644
|
||||
--- a/core/tests/coretests/src/android/widget/RemoteViewsTest.java
|
||||
+++ b/core/tests/coretests/src/android/widget/RemoteViewsTest.java
|
||||
@@ -19,6 +19,10 @@ package android.widget;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertSame;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
+import static org.mockito.ArgumentMatchers.eq;
|
||||
+import static org.mockito.Mockito.spy;
|
||||
+import static org.mockito.Mockito.times;
|
||||
+import static org.mockito.Mockito.verify;
|
||||
|
||||
import android.app.PendingIntent;
|
||||
import android.content.Context;
|
||||
@@ -26,6 +30,8 @@ import android.content.Intent;
|
||||
import android.graphics.Bitmap;
|
||||
import android.graphics.drawable.BitmapDrawable;
|
||||
import android.graphics.drawable.Drawable;
|
||||
+import android.graphics.drawable.Icon;
|
||||
+import android.net.Uri;
|
||||
import android.os.AsyncTask;
|
||||
import android.os.Binder;
|
||||
import android.os.Parcel;
|
||||
@@ -46,6 +52,7 @@ import org.junit.runner.RunWith;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.concurrent.CountDownLatch;
|
||||
+import java.util.function.Consumer;
|
||||
|
||||
/**
|
||||
* Tests for RemoteViews.
|
||||
@@ -444,4 +451,62 @@ public class RemoteViewsTest {
|
||||
}
|
||||
return found[0];
|
||||
}
|
||||
+
|
||||
+
|
||||
+ @Test
|
||||
+ public void visitUris() {
|
||||
+ RemoteViews views = new RemoteViews(mPackage, R.layout.remote_views_test);
|
||||
+
|
||||
+ final Uri imageUri = Uri.parse("content://media/image");
|
||||
+ final Icon icon1 = Icon.createWithContentUri("content://media/icon1");
|
||||
+ final Icon icon2 = Icon.createWithContentUri("content://media/icon2");
|
||||
+ final Icon icon3 = Icon.createWithContentUri("content://media/icon3");
|
||||
+ final Icon icon4 = Icon.createWithContentUri("content://media/icon4");
|
||||
+ views.setImageViewUri(R.id.image, imageUri);
|
||||
+ views.setTextViewCompoundDrawables(R.id.text, icon1, icon2, icon3, icon4);
|
||||
+
|
||||
+ Consumer<Uri> visitor = (Consumer<Uri>) spy(Consumer.class);
|
||||
+ views.visitUris(visitor);
|
||||
+ verify(visitor, times(1)).accept(eq(imageUri));
|
||||
+ verify(visitor, times(1)).accept(eq(icon1.getUri()));
|
||||
+ verify(visitor, times(1)).accept(eq(icon2.getUri()));
|
||||
+ verify(visitor, times(1)).accept(eq(icon3.getUri()));
|
||||
+ verify(visitor, times(1)).accept(eq(icon4.getUri()));
|
||||
+ }
|
||||
+
|
||||
+ @Test
|
||||
+ public void visitUris_separateOrientation() {
|
||||
+ final RemoteViews landscape = new RemoteViews(mPackage, R.layout.remote_views_test);
|
||||
+ final Uri imageUriL = Uri.parse("content://landscape/image");
|
||||
+ final Icon icon1L = Icon.createWithContentUri("content://landscape/icon1");
|
||||
+ final Icon icon2L = Icon.createWithContentUri("content://landscape/icon2");
|
||||
+ final Icon icon3L = Icon.createWithContentUri("content://landscape/icon3");
|
||||
+ final Icon icon4L = Icon.createWithContentUri("content://landscape/icon4");
|
||||
+ landscape.setImageViewUri(R.id.image, imageUriL);
|
||||
+ landscape.setTextViewCompoundDrawables(R.id.text, icon1L, icon2L, icon3L, icon4L);
|
||||
+
|
||||
+ final RemoteViews portrait = new RemoteViews(mPackage, 33);
|
||||
+ final Uri imageUriP = Uri.parse("content://portrait/image");
|
||||
+ final Icon icon1P = Icon.createWithContentUri("content://portrait/icon1");
|
||||
+ final Icon icon2P = Icon.createWithContentUri("content://portrait/icon2");
|
||||
+ final Icon icon3P = Icon.createWithContentUri("content://portrait/icon3");
|
||||
+ final Icon icon4P = Icon.createWithContentUri("content://portrait/icon4");
|
||||
+ portrait.setImageViewUri(R.id.image, imageUriP);
|
||||
+ portrait.setTextViewCompoundDrawables(R.id.text, icon1P, icon2P, icon3P, icon4P);
|
||||
+
|
||||
+ RemoteViews views = new RemoteViews(landscape, portrait);
|
||||
+
|
||||
+ Consumer<Uri> visitor = (Consumer<Uri>) spy(Consumer.class);
|
||||
+ views.visitUris(visitor);
|
||||
+ verify(visitor, times(1)).accept(eq(imageUriL));
|
||||
+ verify(visitor, times(1)).accept(eq(icon1L.getUri()));
|
||||
+ verify(visitor, times(1)).accept(eq(icon2L.getUri()));
|
||||
+ verify(visitor, times(1)).accept(eq(icon3L.getUri()));
|
||||
+ verify(visitor, times(1)).accept(eq(icon4L.getUri()));
|
||||
+ verify(visitor, times(1)).accept(eq(imageUriP));
|
||||
+ verify(visitor, times(1)).accept(eq(icon1P.getUri()));
|
||||
+ verify(visitor, times(1)).accept(eq(icon2P.getUri()));
|
||||
+ verify(visitor, times(1)).accept(eq(icon3P.getUri()));
|
||||
+ verify(visitor, times(1)).accept(eq(icon4P.getUri()));
|
||||
+ }
|
||||
}
|
45
Patches/LineageOS-16.0/android_system_bt/360969.patch
Normal file
45
Patches/LineageOS-16.0/android_system_bt/360969.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: tyiu <tyiu@google.com>
|
||||
Date: Tue, 28 Mar 2023 18:40:51 +0000
|
||||
Subject: [PATCH] Fix gatt_end_operation buffer overflow
|
||||
|
||||
Added boundary check for gatt_end_operation to prevent writing out of
|
||||
boundary.
|
||||
|
||||
Since response of the GATT server is handled in
|
||||
gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum
|
||||
lenth that can be passed into the handlers is bounded by
|
||||
GATT_MAX_MTU_SIZE, which is set to 517, which is greater than
|
||||
GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec
|
||||
that gaurentees MTU response to be less than or equal to 512 bytes can
|
||||
cause a buffer overflow when performing memcpy without length check.
|
||||
|
||||
Bug: 261068592
|
||||
Test: No test since not affecting behavior
|
||||
Tag: #security
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dd7298e982e4bbf0138a490562679c9a4a755200)
|
||||
Merged-In: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
|
||||
Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
|
||||
---
|
||||
stack/gatt/gatt_utils.cc | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/stack/gatt/gatt_utils.cc b/stack/gatt/gatt_utils.cc
|
||||
index 9e8d3b930..52891efc4 100644
|
||||
--- a/stack/gatt/gatt_utils.cc
|
||||
+++ b/stack/gatt/gatt_utils.cc
|
||||
@@ -1193,6 +1193,13 @@ void gatt_end_operation(tGATT_CLCB* p_clcb, tGATT_STATUS status, void* p_data) {
|
||||
cb_data.att_value.handle = p_clcb->s_handle;
|
||||
cb_data.att_value.len = p_clcb->counter;
|
||||
|
||||
+ if (cb_data.att_value.len > GATT_MAX_ATTR_LEN) {
|
||||
+ LOG(WARNING) << __func__
|
||||
+ << StringPrintf(" Large cb_data.att_value, size=%d",
|
||||
+ cb_data.att_value.len);
|
||||
+ cb_data.att_value.len = GATT_MAX_ATTR_LEN;
|
||||
+ }
|
||||
+
|
||||
if (p_data && p_clcb->counter)
|
||||
memcpy(cb_data.att_value.value, p_data, cb_data.att_value.len);
|
||||
}
|
34
Patches/LineageOS-16.0/android_system_nfc/360972.patch
Normal file
34
Patches/LineageOS-16.0/android_system_nfc/360972.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alisher Alikhodjaev <alisher@google.com>
|
||||
Date: Tue, 2 May 2023 14:20:57 -0700
|
||||
Subject: [PATCH] OOBW in rw_i93_send_to_upper()
|
||||
|
||||
Bug: 271849189
|
||||
Test: tag r/w
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc9d09e1698725712628d394bf9be4c9003579e8)
|
||||
Merged-In: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
|
||||
Change-Id: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
|
||||
---
|
||||
src/nfc/tags/rw_i93.cc | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
|
||||
index acf28a6..232a4dd 100644
|
||||
--- a/src/nfc/tags/rw_i93.cc
|
||||
+++ b/src/nfc/tags/rw_i93.cc
|
||||
@@ -507,6 +507,15 @@ void rw_i93_send_to_upper(NFC_HDR* p_resp) {
|
||||
case I93_CMD_GET_MULTI_BLK_SEC:
|
||||
case I93_CMD_EXT_GET_MULTI_BLK_SEC:
|
||||
|
||||
+ if (UINT16_MAX - length < NFC_HDR_SIZE) {
|
||||
+ rw_data.i93_cmd_cmpl.status = NFC_STATUS_FAILED;
|
||||
+ rw_data.i93_cmd_cmpl.command = p_i93->sent_cmd;
|
||||
+ rw_cb.tcb.i93.sent_cmd = 0;
|
||||
+
|
||||
+ event = RW_I93_CMD_CMPL_EVT;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
/* forward tag data or security status */
|
||||
p_buff = (NFC_HDR*)GKI_getbuf((uint16_t)(length + NFC_HDR_SIZE));
|
||||
|
@ -0,0 +1,36 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alisher Alikhodjaev <alisher@google.com>
|
||||
Date: Tue, 2 May 2023 14:20:57 -0700
|
||||
Subject: [PATCH] OOBW in rw_i93_send_to_upper()
|
||||
|
||||
Bug: 271849189
|
||||
Test: tag r/w
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc9d09e1698725712628d394bf9be4c9003579e8)
|
||||
Merged-In: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
|
||||
Change-Id: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
|
||||
|
||||
Change-Id: Ia10491e388a495a164462c73ced7ea1965808860
|
||||
---
|
||||
src/nfc/tags/rw_i93.cc | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
|
||||
index 62c5b54c..13ccaf0e 100755
|
||||
--- a/src/nfc/tags/rw_i93.cc
|
||||
+++ b/src/nfc/tags/rw_i93.cc
|
||||
@@ -472,6 +472,15 @@ void rw_i93_send_to_upper(NFC_HDR* p_resp) {
|
||||
case I93_CMD_GET_MULTI_BLK_SEC:
|
||||
case I93_CMD_EXT_GET_MULTI_BLK_SEC:
|
||||
|
||||
+ if (UINT16_MAX - length < NFC_HDR_SIZE) {
|
||||
+ rw_data.i93_cmd_cmpl.status = NFC_STATUS_FAILED;
|
||||
+ rw_data.i93_cmd_cmpl.command = p_i93->sent_cmd;
|
||||
+ rw_cb.tcb.i93.sent_cmd = 0;
|
||||
+
|
||||
+ event = RW_I93_CMD_CMPL_EVT;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
/* forward tag data or security status */
|
||||
p_buff = (NFC_HDR*)GKI_getbuf((uint16_t)(length + NFC_HDR_SIZE));
|
||||
|
@ -97,7 +97,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
|
||||
sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
||||
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
|
||||
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
||||
sed -i 's/2022-01-05/2023-06-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-06 #XXX
|
||||
sed -i 's/2022-01-05/2023-07-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-07 #XXX
|
||||
fi;
|
||||
|
||||
if enterAndClear "build/soong"; then
|
||||
@ -132,6 +132,10 @@ git fetch https://github.com/LineageOS/android_external_expat refs/changes/56/33
|
||||
git fetch https://github.com/LineageOS/android_external_expat refs/changes/28/349328/1 && git cherry-pick FETCH_HEAD; #P_asb_2023-02
|
||||
fi;
|
||||
|
||||
if enterAndClear "external/freetype"; then
|
||||
applyPatch "$DOS_PATCHES/android_external_freetype/360951.patch"; #R_asb_2023-07 Cherry-pick two upstream changes
|
||||
fi;
|
||||
|
||||
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then
|
||||
if enterAndClear "external/hardened_malloc"; then
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Audio.patch"; #DeviceDescriptor sorting wrongly relies on malloc addresses (GrapheneOS)
|
||||
@ -151,6 +155,12 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_fram
|
||||
fi;
|
||||
|
||||
if enterAndClear "frameworks/base"; then
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/360953-backport.patch"; #R_asb_2023-07 Sanitize VPN label to prevent HTML injection
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/360954.patch"; #R_asb_2023-07 Limit the number of supported v1 and v2 signers
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/360955-backport.patch"; #R_asb_2023-07 Import translations.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/360959-backport.patch"; #R_asb_2023-07 Dismiss keyguard when simpin auth'd and security method is none.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/360962-backport.patch"; #R_asb_2023-07 Truncate ShortcutInfo Id
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/360963-backport.patch"; #R_asb_2023-07 Visit URIs in landscape/portrait custom remote views.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
|
||||
@ -335,6 +345,7 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/bt"; then
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/360969.patch"; #R_asb_2023-07 Fix gatt_end_operation buffer overflow
|
||||
#applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
|
||||
fi;
|
||||
|
||||
@ -356,6 +367,14 @@ if enterAndClear "system/extras"; then
|
||||
applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more (GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/nfc"; then
|
||||
applyPatch "$DOS_PATCHES/android_system_nfc/360972.patch"; #R_asb_2023-07 OOBW in rw_i93_send_to_upper()
|
||||
fi;
|
||||
|
||||
if enterAndClear "vendor/nxp/opensource/commonsys/external/libnfc-nci"; then
|
||||
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/360974-backport.patch"; #R_asb_2023-07 OOBW in rw_i93_send_to_upper()
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/sepolicy"; then
|
||||
applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
|
||||
#applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)
|
||||
|
@ -97,7 +97,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
|
||||
awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
|
||||
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
|
||||
#sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
|
||||
sed -i 's/2023-06-05/2023-07-05/' core/version_defaults.mk; #Bump Security String #R_asb_2023-07 #XXX
|
||||
sed -i 's/2023-06-05/2023-07-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-07 #XXX
|
||||
fi;
|
||||
|
||||
if enterAndClear "build/soong"; then
|
||||
|
Loading…
Reference in New Issue
Block a user