From 2af8dc9582c9445d3d0f9543015380125f0b96e0 Mon Sep 17 00:00:00 2001 From: Tavi Date: Mon, 8 Jan 2024 22:12:15 -0500 Subject: [PATCH] 17.1: January ASB work 
Signed-off-by: Tavi --- .../android_frameworks_av/379143.patch | 32 ++ .../android_frameworks_av/379144.patch | 31 ++ .../0007-Always_Restict_Serial.patch | 4 +- .../android_frameworks_base/379145.patch | 40 +++ .../379146-backport.patch | 62 ++++ .../379147-backport.patch | 104 +++++++ .../379148-backport.patch | 38 +++ .../379149-backport.patch | 74 +++++ .../android_frameworks_base/379150.patch | 40 +++ .../379151.patch | 36 +++ .../android_packages_apps_Nfc/379152.patch | 30 ++ .../379153-backport.patch | 280 ++++++++++++++++++ .../android_system_bt/379154.patch | 135 +++++++++ .../379155.patch | 30 ++ .../379156.patch | 135 +++++++++ Scripts/LineageOS-17.1/Patch.sh | 27 ++ 16 files changed, 1096 insertions(+), 2 deletions(-) create mode 100644 Patches/LineageOS-17.1/android_frameworks_av/379143.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_av/379144.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/379145.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/379146-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/379147-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/379148-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/379149-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/379150.patch create mode 100644 Patches/LineageOS-17.1/android_packages_apps_Camera2/379151.patch create mode 100644 Patches/LineageOS-17.1/android_packages_apps_Nfc/379152.patch create mode 100644 Patches/LineageOS-17.1/android_packages_apps_Settings/379153-backport.patch create mode 100644 Patches/LineageOS-17.1/android_system_bt/379154.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_nxp_opensource_packages_apps_Nfc/379155.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/379156.patch 
diff --git a/Patches/LineageOS-17.1/android_frameworks_av/379143.patch b/Patches/LineageOS-17.1/android_frameworks_av/379143.patch
new file mode 100644
index 00000000..91d707d6
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_frameworks_av/379143.patch
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Harish Mahendrakar
+Date: Mon, 28 Aug 2023 17:35:56 +0000
+Subject: [PATCH] Codec2BufferUtils: Use cropped dimensions in RGB to YUV
+ conversion
+
+Bug: 283099444
+Test: poc in the bug
+(cherry picked from https://partner-android-review.googlesource.com/q/commit:3875b858a347e25db94574e6362798a849bf9ebd)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4eba80f6698cb2d7aa48ea4f7728dbdf11f29fd3)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d83225b43057dd25deb5083772e6ebc2f5e5253b)
+Merged-In: I42c71616c9d50f61c92f461f6a91f5addb1d724a
+Change-Id: I42c71616c9d50f61c92f461f6a91f5addb1d724a
+---
+ media/codec2/sfplugin/utils/Codec2BufferUtils.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/media/codec2/sfplugin/utils/Codec2BufferUtils.cpp b/media/codec2/sfplugin/utils/Codec2BufferUtils.cpp
+index bf2a07ee52..9bc8eb9c4c 100644
+--- a/media/codec2/sfplugin/utils/Codec2BufferUtils.cpp
++++ b/media/codec2/sfplugin/utils/Codec2BufferUtils.cpp
+@@ -361,8 +361,8 @@ status_t ConvertRGBToPlanarYUV(
+ const uint8_t *pBlue = src.data()[C2PlanarLayout::PLANE_B];
+ 
+ #define CLIP3(x,y,z) (((z) < (x)) ? (x) : (((z) > (y)) ? (y) : (z)))
+- for (size_t y = 0; y < src.height(); ++y) {
+- for (size_t x = 0; x < src.width(); ++x) {
++ for (size_t y = 0; y < src.crop().height; ++y) {
++ for (size_t x = 0; x < src.crop().width; ++x) {
+ uint8_t red = *pRed;
+ uint8_t green = *pGreen;
+ uint8_t blue = *pBlue;
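Review bot: The loop bounds now follow `src.crop().height` and `src.crop().width`, but the plane pointers are taken from the plane base (`pBlue = src.data()[C2PlanarLayout::PLANE_B]` is visible as context) with no crop-origin offset applied inside the hunk, so a crop with a non-zero left/top is only handled correctly if `data()` already points at the crop origin or the row-stride stepping outside the hunk accounts for it; that is worth confirming on the 17.1 tree before relying on this backport. The destination planes are likewise assumed to be at least crop-sized, and that precondition is neither checked nor visible here. As a point of style, `CLIP3` is a function-like macro defined in the middle of the function body; a `static inline uint8_t clip3(int lo, int hi, int v)` helper would be type-checked and greppable. ConvertRGBToPlanarYUV starts and ends outside the hunk.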
diff --git a/Patches/LineageOS-17.1/android_frameworks_av/379144.patch b/Patches/LineageOS-17.1/android_frameworks_av/379144.patch
new file mode 100644
index 00000000..888b9a66
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_frameworks_av/379144.patch
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Songyue Han
+Date: Tue, 3 Oct 2023 22:40:14 +0000
+Subject: [PATCH] Fix convertYUV420Planar16ToY410 overflow issue for
+ unsupported cropwidth.
+
+Bug: 300476626
+Test: color_conversion_fuzzer
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:de2ad0fad97d6d97d1e01f0e8d8309536eb268b4)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:745ab99f7343bc236b88b9d63cd7b06ab192f9e9)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:aa8298ec8eb903e1e3dd915fa24f32e1aea1f76c)
+Merged-In: I8631426188af3c5f9b6c1ff6a0039254c252f733
+Change-Id: I8631426188af3c5f9b6c1ff6a0039254c252f733
+---
+ media/libstagefright/colorconversion/ColorConverter.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/media/libstagefright/colorconversion/ColorConverter.cpp b/media/libstagefright/colorconversion/ColorConverter.cpp
+index d685321028..c491d8043b 100644
+--- a/media/libstagefright/colorconversion/ColorConverter.cpp
++++ b/media/libstagefright/colorconversion/ColorConverter.cpp
+@@ -648,7 +648,8 @@ status_t ColorConverter::convertYUV420Planar16ToY410(
+ 
+ uint32_t u01, v01, y01, y23, y45, y67, uv0, uv1;
+ size_t x = 0;
+- for (; x < src.cropWidth() - 3; x += 4) {
++ // x % 4 is always 0 so x + 3 will never overflow.
++ for (; x + 3 < src.cropWidth(); x += 4) {
+ u01 = *((uint32_t*)ptr_u); ptr_u += 2;
+ v01 = *((uint32_t*)ptr_v); ptr_v += 2;
+ 
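Review bot: The added comment explains why `x + 3` cannot overflow but not what the rewrite actually fixes, which is that `src.cropWidth() - 3` wraps around for an unsigned crop width below 3 and made the loop run past the source buffer; a reader of the backport has to reconstruct that from the subject line. Consider `// Compare x + 3 < cropWidth instead of x < cropWidth - 3: cropWidth is unsigned and wraps for widths < 3; x is a multiple of 4 so x + 3 cannot overflow.` The columns left over when cropWidth is not a multiple of 4 are presumably handled after this loop, outside the hunk, so the new bound does not change how many pixels are converted. The `*((uint32_t*)ptr_u)` reads in context are pre-existing C-style punning of two 16-bit samples and are not touched by this change; convertYUV420Planar16ToY410 starts and ends outside the hunk.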
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch b/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch index 07c1f50f..3eea18eb 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch @@ -10,10 +10,10 @@ requiring the READ_PHONE_STATE permission. 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java -index faeb5f348834..120c5c10cb16 100644 +index 41b1ddaf887b..78bdde0c5ef9 100644 --- a/services/core/java/com/android/server/am/ActivityManagerService.java +++ b/services/core/java/com/android/server/am/ActivityManagerService.java -@@ -5026,12 +5026,7 @@ public class ActivityManagerService extends IActivityManager.Stub +@@ -5025,12 +5025,7 @@ public class ActivityManagerService extends IActivityManager.Stub } } diff --git a/Patches/LineageOS-17.1/android_frameworks_base/379145.patch b/Patches/LineageOS-17.1/android_frameworks_base/379145.patch new file mode 100644 index 00000000..54605c41 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/379145.patch 
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Aaron Liu
+Date: Tue, 28 Mar 2023 13:15:04 -0700
+Subject: [PATCH] DO NOT MERGE Dismiss keyguard when simpin auth'd and...
+
+security method is none. This is mostly to fix the case where we auth
+sim pin in the set up wizard and it goes straight to keyguard instead of
+the setup wizard activity.
+
+This works with the prevent bypass keyguard flag because the device
+should be noe secure in this case.
+
+Fixes: 222446076
+Test: turn locked sim on, which opens the sim pin screen. Auth the
+screen and observe that keyguard is not shown.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48fa9bef3451e4a358c941af5b230f99881c5cb6)
+Cherry-picking this CL as a security fix
+
+Bug: 222446076
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:09f004722284ef6b9790ddf9338a1708b3f0833c)
+Merged-In: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
+AOSP-Change-Id: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
+Change-Id: Id6eb8eff88481f9ec2c9cbcde9d7b0f78a349d98
+---
+ .../src/com/android/keyguard/KeyguardSecurityContainer.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+index 89514a52d0bd..bd555e7360d8 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+@@ -529,7 +529,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+ case SimPuk:
+ // Shortcut for SIM PIN/PUK to go to directly to user's security screen or home
+ SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId);
+- if (securityMode == SecurityMode.None && mLockPatternUtils.isLockScreenDisabled(
++ if (securityMode == 
SecurityMode.None || mLockPatternUtils.isLockScreenDisabled(
+ KeyguardUpdateMonitor.getCurrentUser())) {
+ finish = true;
+ eventSubtype = BOUNCER_DISMISS_SIM;
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/379146-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/379146-backport.patch
new file mode 100644
index 00000000..424717b9
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_frameworks_base/379146-backport.patch
@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Aaron Liu
+Date: Fri, 11 Aug 2023 11:02:33 -0700
+Subject: [PATCH] DO NOT MERGE Ensure finish lockscreen when usersetup
+ incomplete
+
+Ensure that when the usersetup for the user is not complete, we do not
+want to go to lockscreen, even if lockscreen is not disabled.
+
+Bug: 222446076
+Test: add Unit test,
+Test: Wipe device, auth sim pin in setup, observe that lockscreen is
+not there.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01ea2f91df5a1c67da2546d83beeee75c2c1ef94)
+Merged-In: I8e33db8eb6e2c917966cab3d6a4f982670473040
+Change-Id: I8e33db8eb6e2c917966cab3d6a4f982670473040
+---
+ .../android/keyguard/KeyguardSecurityContainer.java | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+index bd555e7360d8..31cfffee2a68 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+@@ -49,6 +49,7 @@ import com.android.systemui.Dependency;
+ import com.android.systemui.R;
+ import com.android.systemui.SystemUIFactory;
+ import com.android.systemui.statusbar.phone.UnlockMethodCache;
++import com.android.systemui.statusbar.policy.DeviceProvisionedController;
+ import com.android.systemui.util.InjectionInflationController;
+ 
+ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSecurityView {
+@@ -100,6 +101,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+ private int mActivePointerId = -1;
+ private boolean mIsDragging;
+ private float mStartTouchY = -1;
++ private final DeviceProvisionedController mDeviceProvisionedController;
+ 
+ // Used to notify the container when something interesting 
happens.
+ public interface SecurityCallback {
+@@ -136,6 +138,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+ SystemUIFactory.getInstance().getRootComponent());
+ mUnlockMethodCache = UnlockMethodCache.getInstance(context);
+ mViewConfiguration = ViewConfiguration.get(context);
++ mDeviceProvisionedController = Dependency.get(DeviceProvisionedController.class);
+ }
+ 
+ public void setSecurityCallback(SecurityCallback callback) {
+@@ -529,8 +532,11 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+ case SimPuk:
+ // Shortcut for SIM PIN/PUK to go to directly to user's security screen or home
+ SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId);
+- if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled(
+- KeyguardUpdateMonitor.getCurrentUser())) {
++ boolean isLockscreenDisabled = mLockPatternUtils.isLockScreenDisabled(
++ KeyguardUpdateMonitor.getCurrentUser())
++ || !mDeviceProvisionedController.isUserSetup(targetUserId);
++
++ if (securityMode == SecurityMode.None && isLockscreenDisabled) {
+ finish = true;
+ eventSubtype = BOUNCER_DISMISS_SIM;
+ } else {
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/379147-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/379147-backport.patch
new file mode 100644
index 00000000..933f4d40
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_frameworks_base/379147-backport.patch
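Review bot: The local `isLockscreenDisabled` in the last nested hunk no longer describes what it holds: after this change it is also true when `mDeviceProvisionedController.isUserSetup(targetUserId)` is false, i.e. while the user is still in setup, so a reader of the `if` on the following line will miss that case. Either rename it, e.g. `boolean skipLockscreen = mLockPatternUtils.isLockScreenDisabled(`, or comment it `// Skip the lock screen when it is disabled or the user has not finished setup yet.` Note also that `Dependency.get(DeviceProvisionedController.class)` is now resolved in the constructor, so any code path or test that inflates KeyguardSecurityContainer without the SystemUI dependency graph will fail there; presumably fine on this branch, but worth a check. Both the constructor and the switch that contains the `SimPuk` case start and end outside the hunk.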
@@ -0,0 +1,104 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tetiana Meronyk
+Date: Thu, 24 Aug 2023 16:27:30 +0000
+Subject: [PATCH] Truncate user data to a limit of 500 characters
+
+Fix vulnerability that allows creating users with no restrictions. This is done by creating an intent to create a user and putting extras that are too long to be serialized. It causes IOException and the restrictions are not written in the file.
+
+By truncating the string values when writing them to the file, we ensure that the exception does not happen and it can be recorded correctly.
+
+Bug: 293602317
+Test: install app provided in the bug, open app and click add. Check logcat to see there is no more IOException. Reboot the device by either opening User details page or running adb shell dumpsys user | grep -A12 heen and see that the restrictions are in place.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48d45b507df64708a214a800082b970c8b2bf827)
+Merged-In: I633dc10974a64ef2abd07e67ff2d209847129989
+Change-Id: I633dc10974a64ef2abd07e67ff2d209847129989
+---
+ .../android/server/pm/UserManagerService.java | 27 +++++++++++++------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
+index b7e9c7907f2c..318c11141cfe 100644
+--- a/services/core/java/com/android/server/pm/UserManagerService.java
++++ b/services/core/java/com/android/server/pm/UserManagerService.java
+@@ -225,6 +225,8 @@ public class UserManagerService extends IUserManager.Stub {
+ 
+ private static final int USER_VERSION = 7;
+ 
++ private static final int MAX_USER_STRING_LENGTH = 500;
++
+ private static final long EPOCH_PLUS_30_YEARS = 30L * 365 * 24 * 60 * 60 * 1000L; // ms
+ 
+ // Maximum number of managed profiles permitted per user is 1. 
This cannot be increased
+@@ -2417,15 +2419,17 @@ public class UserManagerService extends IUserManager.Stub {
+ // Write seed data
+ if (userData.persistSeedData) {
+ if (userData.seedAccountName != null) {
+- serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME, userData.seedAccountName);
++ serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME,
++ truncateString(userData.seedAccountName));
+ }
+ if (userData.seedAccountType != null) {
+- serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE, userData.seedAccountType);
++ serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE,
++ truncateString(userData.seedAccountType));
+ }
+ }
+ if (userInfo.name != null) {
+ serializer.startTag(null, TAG_NAME);
+- serializer.text(userInfo.name);
++ serializer.text(truncateString(userInfo.name));
+ serializer.endTag(null, TAG_NAME);
+ }
+ synchronized (mRestrictionsLock) {
+@@ -2466,6 +2470,13 @@ public class UserManagerService extends IUserManager.Stub {
+ serializer.endDocument();
+ }
+ 
++ private String truncateString(String original) {
++ if (original == null || original.length() <= MAX_USER_STRING_LENGTH) {
++ return original;
++ }
++ return original.substring(0, MAX_USER_STRING_LENGTH);
++ }
++
+ /*
+ * Writes the user list file in this format:
+ *
+@@ -2808,7 +2819,7 @@ public class UserManagerService extends IUserManager.Stub {
+ private UserInfo createUserInternalUncheckedNoTracing(@Nullable String name,
+ @UserInfoFlag int flags, @UserIdInt int parentId, boolean preCreate,
+ @Nullable String[] disallowedPackages, @NonNull TimingsTraceLog t) {
+-
++ String truncatedName = truncateString(name);
+ // First try to use a pre-created user (if available). 
+ // NOTE: currently we don't support pre-created managed profiles
+ if (!preCreate && (parentId < 0 && !UserInfo.isManagedProfile(flags))) {
+@@ -2835,7 +2846,7 @@ public class UserManagerService extends IUserManager.Stub {
+ + UserInfo.flagsToString(preCreatedUser.flags)
+ + " new-user flags: " + UserInfo.flagsToString(flags));
+ }
+- preCreatedUser.name = name;
++ preCreatedUser.name = truncatedName;
+ preCreatedUser.preCreated = false;
+ preCreatedUser.creationTime = getCreationTime();
+ 
+@@ -2934,7 +2945,7 @@ public class UserManagerService extends IUserManager.Stub {
+ flags |= UserInfo.FLAG_EPHEMERAL;
+ }
+ 
+- userInfo = new UserInfo(userId, name, null, flags);
++ userInfo = new UserInfo(userId, truncatedName, null, flags);
+ userInfo.serialNumber = mNextSerialNumber++;
+ userInfo.creationTime = getCreationTime();
+ userInfo.partial = true;
+@@ -3866,8 +3877,8 @@ public class UserManagerService extends IUserManager.Stub {
+ Slog.e(LOG_TAG, "No such user for settings seed data u=" + userId);
+ return;
+ }
+- userData.seedAccountName = accountName;
+- userData.seedAccountType = accountType;
++ userData.seedAccountName = truncateString(accountName);
++ userData.seedAccountType = truncateString(accountType);
+ userData.seedAccountOptions = accountOptions;
+ userData.persistSeedData = persist;
+ }
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/379148-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/379148-backport.patch
new file mode 100644
index 00000000..07d464c9
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_frameworks_base/379148-backport.patch
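Review bot: `truncateString` cuts at a UTF-16 index, so `original.substring(0, MAX_USER_STRING_LENGTH)` can split a surrogate pair and hand the XML serializer an unpaired surrogate when the 500th char is the high half of a supplementary character; depending on the serializer that is either replaced or rejected, and the latter is the very IOException this patch exists to avoid. Step back one char in that case: `int end = MAX_USER_STRING_LENGTH;` / `if (Character.isHighSurrogate(original.charAt(end - 1))) end--;` / `return original.substring(0, end);`. The truncation is also silent; a `Slog.w(LOG_TAG, "Truncating user string of length " + original.length())` inside the same branch would make a caller that trips the limit visible in bug reports, since over-long user data is the signal here. The helper is fully inside the hunk; the writer and creation methods that call it start and end outside it.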
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Raphael Kim
+Date: Mon, 18 Sep 2023 14:07:23 -0700
+Subject: [PATCH] Validate component name length before requesting notification
+ access.
+
+Bug: 295335110
+Test: Test app with long component name
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:447216ecbe5f22ea06379d9587dae530b1202fe8)
+Merged-In: I7ea5d5c1f78858db9865f3310d1e0aff9c8b5579
+Change-Id: I7ea5d5c1f78858db9865f3310d1e0aff9c8b5579
+---
+ .../server/companion/CompanionDeviceManagerService.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+index d8827aafeb69..73b8ff7067ef 100644
+--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
++++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+@@ -109,6 +109,8 @@ public class CompanionDeviceManagerService extends SystemService implements Bind
+ private static final boolean DEBUG = false;
+ private static final String LOG_TAG = "CompanionDeviceManagerService";
+ 
++ private static final int MAX_CN_LENGTH = 500;
++ 
+ private static final String XML_TAG_ASSOCIATIONS = "associations";
+ private static final String XML_TAG_ASSOCIATION = "association";
+ private static final String XML_ATTR_PACKAGE = "package";
+@@ -309,6 +311,9 @@ public class CompanionDeviceManagerService extends SystemService implements Bind
+ String callingPackage = component.getPackageName();
+ checkCanCallNotificationApi(callingPackage);
+ int userId = getCallingUserId();
++ if (component.flattenToString().length() > MAX_CN_LENGTH) {
++ throw new IllegalArgumentException("Component name is too long.");
++ }
+ final long identity = Binder.clearCallingIdentity();
+ try {
+ return 
PendingIntent.getActivityAsUser(getContext(),
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/379149-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/379149-backport.patch
new file mode 100644
index 00000000..b32575e6
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_frameworks_base/379149-backport.patch
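Review bot: `MAX_CN_LENGTH` is introduced with no comment saying what it bounds, and the thrown message does not state the limit, so a third-party developer who hits `IllegalArgumentException("Component name is too long.")` over Binder has to read the source to learn the bound. Document the constant, e.g. `// Upper bound on the flattened component name accepted by requestNotificationAccess; longer names are rejected before any identity is cleared.`, and include the limit in the message: `throw new IllegalArgumentException("Component name is too long (max " + MAX_CN_LENGTH + " chars).");`. The placement is right: the check runs after `checkCanCallNotificationApi(callingPackage)` and before `Binder.clearCallingIdentity()`, so an unauthorized caller still gets the permission failure first and the rejection happens with the caller's own identity. The enclosing method continues outside the hunk.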
@@ -0,0 +1,74 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nan Wu
+Date: Fri, 25 Aug 2023 15:02:28 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Log to detect usage of whitelistToken when
+ sending non-PI target
+
+Log ActivityManagerService.sendIntentSender if the target is not a
+PendingIntent and a non-null whitelistToken is sent to the client.
+This is simply to detect if there are real cases this would happen
+before we decide simply remove whitelistToken in that case.
+
+Do not pass whitelistToken when sending non-PI target
+
+In ActivityManagerService.sendIntentSender, if the target is not a
+PendingIntent, do not send whitelistToken to the client.
+
+Bug: 279428283
+Test: Manual test
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f12deecd46e79212deba584a1afea97d401dd52)
+Merged-In: I017486354a1ab2f14d0472c355583d53c27c4810
+Change-Id: I017486354a1ab2f14d0472c355583d53c27c4810
+---
+ .../server/am/ActivityManagerService.java | 20 +++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index faeb5f348834..41b1ddaf887b 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -160,7 +160,6 @@ import android.app.AppOpsManager;
+ import android.app.AppOpsManagerInternal.CheckOpsDelegate;
+ import android.app.ApplicationErrorReport;
+ import android.app.ApplicationThreadConstants;
+-import android.app.AppOpsManager;
+ import android.app.BroadcastOptions;
+ import android.app.ContentProviderHolder;
+ import android.app.Dialog;
+@@ -5465,12 +5464,12 @@ public class ActivityManagerService extends IActivityManager.Stub
+ }
+ 
+ @Override
+- public int sendIntentSender(IIntentSender target, IBinder whitelistToken, int code,
++ 
public int sendIntentSender(IIntentSender target, IBinder allowlistToken, int code,
+ Intent intent, String resolvedType,
+ IIntentReceiver finishedReceiver, String requiredPermission, Bundle options) {
+ if (target instanceof PendingIntentRecord) {
+ return ((PendingIntentRecord)target).sendWithResult(code, intent, resolvedType,
+- whitelistToken, finishedReceiver, requiredPermission, options);
++ allowlistToken, finishedReceiver, requiredPermission, options);
+ } else {
+ if (intent == null) {
+ // Weird case: someone has given us their own custom IIntentSender, and now
+@@ -5482,7 +5481,20 @@ public class ActivityManagerService extends IActivityManager.Stub
+ intent = new Intent(Intent.ACTION_MAIN);
+ }
+ try {
+- target.send(code, intent, resolvedType, whitelistToken, null,
++ if (allowlistToken != null) {
++ final int callingUid = Binder.getCallingUid();
++ final String packageName;
++ final long token = Binder.clearCallingIdentity();
++ try {
++ packageName = AppGlobals.getPackageManager().getNameForUid(callingUid);
++ } finally {
++ Binder.restoreCallingIdentity(token);
++ }
++ Slog.wtf(TAG, "Send a non-null allowlistToken to a non-PI target."
++ + " Calling package: " + packageName + "; intent: " + intent
++ + "; options: " + options);
++ }
++ target.send(code, intent, resolvedType, null, null,
+ requiredPermission, options);
+ } catch (RemoteException e) {
+ }
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/379150.patch b/Patches/LineageOS-17.1/android_frameworks_base/379150.patch
new file mode 100644
index 00000000..915f1043
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_frameworks_base/379150.patch
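Review bot: The diagnostic lookup `AppGlobals.getPackageManager().getNameForUid(callingUid)` is declared to throw RemoteException, and because the whole new block sits inside the pre-existing `try { … } catch (RemoteException e) { }`, a failure in that purely informational call would skip `target.send(...)` entirely and be swallowed without a trace; in-process it is unlikely to throw, but the send should not depend on it. Catch it locally and drop the `final` so the variable can be assigned in both branches: `String packageName = null;` then `} catch (RemoteException e) { /* diagnostic only */ } finally {` around the existing `Binder.restoreCallingIdentity(token)`. Separately, `Slog.wtf` is reachable by any caller that hands in its own IIntentSender with a non-null token; on builds where wtf is configured fatal that is a crash trigger in system_server, so confirm that behaviour is wanted on this branch or use `Slog.w`. sendIntentSender ends outside the hunk.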
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Will Leshner
+Date: Tue, 31 Oct 2023 13:23:08 -0700
+Subject: [PATCH] Fix vulnerability that allowed attackers to start arbitary
+ activities
+
+Test: Flashed device and verified dream settings works as expected
+Test: Installed APK from bug and verified the dream didn't allow
+launching the inappropriate settings activity.
+Fixes: 300090204
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14)
+Merged-In: I573040df84bf98a493b39f96c8581e4303206bac
+Change-Id: I573040df84bf98a493b39f96c8581e4303206bac
+---
+ .../com/android/settingslib/dream/DreamBackend.java | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+index 3c0f6fe8ccbb..0b771580fff4 100644
+--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
++++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+@@ -332,7 +332,17 @@ public class DreamBackend {
+ if (cn != null && cn.indexOf('/') < 0) {
+ cn = resolveInfo.serviceInfo.packageName + "/" + cn;
+ }
+- return cn == null ? null : ComponentName.unflattenFromString(cn);
++ // Ensure that the component is from the same package as the dream service. If not,
++ // treat the component as invalid and return null instead.
++ final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
++ if (result != null
++ && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
++ Log.w(TAG,
++ "Inconsistent package name in component: " + result.getPackageName()
++ + ", should be: " + resolveInfo.serviceInfo.packageName);
++ return null;
++ }
++ return result;
+ }
+ 
+ private static void logd(String msg, Object... args) {
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Camera2/379151.patch b/Patches/LineageOS-17.1/android_packages_apps_Camera2/379151.patch
new file mode 100644
index 00000000..5193d6f1
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_packages_apps_Camera2/379151.patch
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shuzhen Wang
+Date: Fri, 27 Oct 2023 16:08:05 -0700
+Subject: [PATCH] Camera2: Do not pass location info for startActivity case
+
+If the Camera2 activity is started by startActivity, we shouldn't
+unconditionally grant location.
+
+Test: Use Camera2 app both independently and with INTENT
+Bug: 285142084
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c097bb0e516b1d071f00ac99a8f29f4a72579ff)
+Merged-In: I3b78840f9b0fefeadea44150ea319886f06c1485
+Change-Id: I3b78840f9b0fefeadea44150ea319886f06c1485
+---
+ src/com/android/camera/CameraActivity.java | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/com/android/camera/CameraActivity.java b/src/com/android/camera/CameraActivity.java
+index af64c1091..026c8397f 100644
+--- a/src/com/android/camera/CameraActivity.java
++++ b/src/com/android/camera/CameraActivity.java
+@@ -1760,8 +1760,12 @@ public class CameraActivity extends QuickActivity
+ private boolean shouldUseNoOpLocation () {
+ String callingPackage = getCallingPackage();
+ if (callingPackage == null) {
+- // Activity not started through startActivityForResult.
+- return false;
++ if (isCaptureIntent()) {
++ // Activity not started through startActivityForResult.
++ return true;
++ } else {
++ callingPackage = mAppContext.getPackageName();
++ }
+ }
+ PackageInfo packageInfo = null;
+ try {
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Nfc/379152.patch b/Patches/LineageOS-17.1/android_packages_apps_Nfc/379152.patch
new file mode 100644
index 00000000..ec1d6d1d
--- /dev/null
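Review bot: The comment `// Activity not started through startActivityForResult.` now sits inside the `isCaptureIntent()` branch, where it reads as the reason for returning true, although it describes the outer `callingPackage == null` condition; the security-relevant decision, that a capture intent with no calling package gets a no-op location, is left unexplained. Move it above `if (isCaptureIntent()) {` and state the branch's intent: `// Capture intent launched via startActivity(): no caller to attribute location to, so do not grant it.`, with `// Plain launch: fall through and evaluate the camera app's own location permission.` on the `else`. That second comment is an inference from `callingPackage = mAppContext.getPackageName()` feeding the PackageInfo lookup that follows, which is outside the hunk, so confirm it against the rest of shouldUseNoOpLocation. The method ends outside the hunk.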
+++ b/Patches/LineageOS-17.1/android_packages_apps_Nfc/379152.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Tue, 31 Oct 2023 11:13:03 -0700
+Subject: [PATCH] Possible deadlock on the NfcService object
+
+Bug: 268038643
+Bug: 307489565
+Test: CtsVerifier
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2d8ea70c65831313d73784fb3c78f64ff0cbd627)
+Merged-In: I683ae425dafa4e209b9517b62ada7d8a694f84a9
+Change-Id: I683ae425dafa4e209b9517b62ada7d8a694f84a9
+---
+ src/com/android/nfc/NfcService.java | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/com/android/nfc/NfcService.java b/src/com/android/nfc/NfcService.java
+index 0e02cd03..00a0147d 100644
+--- a/src/com/android/nfc/NfcService.java
++++ b/src/com/android/nfc/NfcService.java
+@@ -852,9 +852,7 @@ public class NfcService implements DeviceHostListener {
+ }
+ 
+ public boolean isSecureNfcEnabled() {
+- synchronized (NfcService.this) {
+- return mIsSecureNfcEnabled;
+- }
++ return mIsSecureNfcEnabled;
+ }
+ 
+ final class NfcAdapterService extends INfcAdapter.Stub {
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/379153-backport.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/379153-backport.patch
new file mode 100644
index 00000000..eb6ecfca
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/379153-backport.patch
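Review bot: `isSecureNfcEnabled()` now reads `mIsSecureNfcEnabled` without the NfcService monitor, which removes the lock-ordering hazard but also removes the happens-before edge with whichever writer updates the field under `synchronized (NfcService.this)`; unless the field is declared `volatile` (its declaration is outside the hunk), a Binder thread can keep observing a stale value of a security-relevant flag. Pair the lock-free read with `private volatile boolean mIsSecureNfcEnabled;` at the field, or an AtomicBoolean, and mark the intent at the read site: `// Read without the NfcService lock to avoid deadlock (b/268038643); the field is volatile.` The writer side is not visible in this backport, so confirm it still publishes the value safely after the change.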
@@ -0,0 +1,280 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Valentin Iftime +Date: Tue, 3 Oct 2023 17:28:34 +0200 +Subject: [PATCH] Validate ringtone URIs before setting + + Add checks URIs for content from other users. + Fail for users that are not profiles of the current user. + +Test: atest DefaultRingtonePreferenceTest +Bug: 299614635 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7ba175eaeb6e8f1ea54e2ec13685d1cf1e9aad1c) +Merged-In: Ib266b285a3a1c6c5265ae2321159e61e08e349f6 +Change-Id: Ib266b285a3a1c6c5265ae2321159e61e08e349f6 +--- + .../settings/DefaultRingtonePreference.java | 11 +-- + .../android/settings/RingtonePreference.java | 82 +++++++++++++++++++ + .../DefaultRingtonePreferenceTest.java | 75 ++++++++++++++++- + 3 files changed, 155 insertions(+), 13 deletions(-) + +diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java +index 9bf626c9898..4c654887227 100644 +--- a/src/com/android/settings/DefaultRingtonePreference.java ++++ b/src/com/android/settings/DefaultRingtonePreference.java +@@ -51,16 +51,9 @@ public class DefaultRingtonePreference extends RingtonePreference { + return; + } + +- String mimeType = mUserContext.getContentResolver().getType(ringtoneUri); +- if (mimeType == null) { ++ if (!isValidRingtoneUri(ringtoneUri)) { + Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri +- + " ignored: failure to find mimeType (no access from this context?)"); +- return; +- } +- +- if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) { +- Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri +- + " ignored: associated mimeType:" + mimeType + " is not an audio type"); ++ + " ignored: invalid ringtone Uri"); + return; + } + +diff --git a/src/com/android/settings/RingtonePreference.java b/src/com/android/settings/RingtonePreference.java +index 8f9c618d5e8..d283e390fc7 100644 +--- 
a/src/com/android/settings/RingtonePreference.java ++++ b/src/com/android/settings/RingtonePreference.java +@@ -16,6 +16,8 @@ + + package com.android.settings; + ++import android.content.ContentProvider; ++import android.content.ContentResolver; + import android.content.Context; + import android.content.Intent; + import android.content.res.TypedArray; +@@ -23,9 +25,11 @@ import android.media.AudioAttributes; + import android.media.RingtoneManager; + import android.net.Uri; + import android.os.UserHandle; ++import android.os.UserManager; + import android.provider.Settings.System; + import android.text.TextUtils; + import android.util.AttributeSet; ++import android.util.Log; + + import androidx.preference.Preference; + import androidx.preference.PreferenceManager; +@@ -239,4 +243,82 @@ public class RingtonePreference extends Preference { + return true; + } + ++ public boolean isDefaultRingtone(Uri ringtoneUri) { ++ // null URIs are valid (None/silence) ++ return ringtoneUri == null || RingtoneManager.isDefault(ringtoneUri); ++ } ++ ++ protected boolean isValidRingtoneUri(Uri ringtoneUri) { ++ if (isDefaultRingtone(ringtoneUri)) { ++ return true; ++ } ++ ++ // Return early for android resource URIs ++ if (ContentResolver.SCHEME_ANDROID_RESOURCE.equals(ringtoneUri.getScheme())) { ++ return true; ++ } ++ ++ String mimeType = mUserContext.getContentResolver().getType(ringtoneUri); ++ if (mimeType == null) { ++ Log.e(TAG, "isValidRingtoneUri for URI:" + ringtoneUri ++ + " failed: failure to find mimeType (no access from this context?)"); ++ return false; ++ } ++ ++ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg") ++ || mimeType.equals("application/x-flac"))) { ++ Log.e(TAG, "isValidRingtoneUri for URI:" + ringtoneUri ++ + " failed: associated mimeType:" + mimeType + " is not an audio type"); ++ return false; ++ } ++ ++ // Validate userId from URIs: content://{userId}@... 
++ final int userIdFromUri = ContentProvider.getUserIdFromUri(ringtoneUri, mUserId); ++ if (userIdFromUri != mUserId) { ++ final UserManager userManager = mUserContext.getSystemService(UserManager.class); ++ ++ if (!userManager.isSameProfileGroup(mUserId, userIdFromUri)) { ++ Log.e(TAG, ++ "isValidRingtoneUri for URI:" + ringtoneUri + " failed: user " + userIdFromUri ++ + " and user " + mUserId + " are not in the same profile group"); ++ return false; ++ } ++ ++ final int parentUserId; ++ final int profileUserId; ++ if (userManager.isProfile()) { ++ profileUserId = mUserId; ++ parentUserId = userIdFromUri; ++ } else { ++ parentUserId = mUserId; ++ profileUserId = userIdFromUri; ++ } ++ ++ final UserHandle parent = userManager.getProfileParent(UserHandle.of(profileUserId)); ++ if (parent == null || parent.getIdentifier() != parentUserId) { ++ Log.e(TAG, ++ "isValidRingtoneUri for URI:" + ringtoneUri + " failed: user " + profileUserId ++ + " is not a profile of user " + parentUserId); ++ return false; ++ } ++ ++ // Allow parent <-> managed profile sharing, unless restricted ++ if (userManager.hasUserRestrictionForUser( ++ UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE, UserHandle.of(parentUserId))) { ++ Log.e(TAG, ++ "isValidRingtoneUri for URI:" + ringtoneUri + " failed: user " + parentUserId ++ + " has restriction: " + UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE); ++ return false; ++ } ++ ++ if (!userManager.isManagedProfile(profileUserId)) { ++ Log.e(TAG, "isValidRingtoneUri for URI:" + ringtoneUri ++ + " failed: user " + profileUserId + " is not a managed profile"); ++ return false; ++ } ++ } ++ ++ return true; ++ } ++ + } +diff --git a/tests/unit/src/com/android/settings/DefaultRingtonePreferenceTest.java b/tests/unit/src/com/android/settings/DefaultRingtonePreferenceTest.java +index 7877684dce6..360a8a555b4 100644 +--- a/tests/unit/src/com/android/settings/DefaultRingtonePreferenceTest.java ++++ 
b/tests/unit/src/com/android/settings/DefaultRingtonePreferenceTest.java +@@ -16,16 +16,19 @@ + + package com.android.settings; + ++import static org.mockito.ArgumentMatchers.any; + import static org.mockito.Mockito.doReturn; + import static org.mockito.Mockito.never; + import static org.mockito.Mockito.spy; + import static org.mockito.Mockito.verify; + import static org.mockito.Mockito.when; + ++import android.content.ContentInterface; + import android.content.ContentResolver; + import android.content.Context; +-import android.media.RingtoneManager; + import android.net.Uri; ++import android.os.UserHandle; ++import android.os.UserManager; + + import androidx.test.core.app.ApplicationProvider; + import androidx.test.ext.junit.runners.AndroidJUnit4; +@@ -34,17 +37,22 @@ import org.junit.Before; + import org.junit.Test; + import org.junit.runner.RunWith; + import org.mockito.Mock; ++import org.mockito.Mockito; + import org.mockito.MockitoAnnotations; + + /** Unittest for DefaultRingtonePreference. 
*/ + @RunWith(AndroidJUnit4.class) + public class DefaultRingtonePreferenceTest { + ++ private static final int OWNER_USER_ID = 1; ++ private static final int OTHER_USER_ID = 10; ++ private static final int INVALID_RINGTONE_TYPE = 0; + private DefaultRingtonePreference mDefaultRingtonePreference; + + @Mock + private ContentResolver mContentResolver; + @Mock ++ private UserManager mUserManager; + private Uri mRingtoneUri; + + @Before +@@ -52,14 +60,24 @@ public class DefaultRingtonePreferenceTest { + MockitoAnnotations.initMocks(this); + + Context context = spy(ApplicationProvider.getApplicationContext()); +- doReturn(mContentResolver).when(context).getContentResolver(); ++ mContentResolver = ContentResolver.wrap(Mockito.mock(ContentInterface.class)); ++ when(context.getContentResolver()).thenReturn(mContentResolver); + + mDefaultRingtonePreference = spy(new DefaultRingtonePreference(context, null /* attrs */)); + doReturn(context).when(mDefaultRingtonePreference).getContext(); ++ ++ // Use INVALID_RINGTONE_TYPE to return early in RingtoneManager.setActualDefaultRingtoneUri + when(mDefaultRingtonePreference.getRingtoneType()) +- .thenReturn(RingtoneManager.TYPE_RINGTONE); +- mDefaultRingtonePreference.setUserId(1); ++ .thenReturn(INVALID_RINGTONE_TYPE); ++ ++ mDefaultRingtonePreference.setUserId(OWNER_USER_ID); + mDefaultRingtonePreference.mUserContext = context; ++ when(mDefaultRingtonePreference.isDefaultRingtone(any(Uri.class))).thenReturn(false); ++ ++ when(context.getSystemServiceName(UserManager.class)).thenReturn(Context.USER_SERVICE); ++ when(context.getSystemService(Context.USER_SERVICE)).thenReturn(mUserManager); ++ ++ mRingtoneUri = Uri.parse("content://none"); + } + + @Test +@@ -79,4 +97,53 @@ public class DefaultRingtonePreferenceTest { + + verify(mDefaultRingtonePreference, never()).setActualDefaultRingtoneUri(mRingtoneUri); + } ++ ++ @Test ++ public void onSaveRingtone_notManagedProfile_shouldNotSetRingtone() { ++ mRingtoneUri = Uri.parse("content://" 
+ OTHER_USER_ID + "@ringtone"); ++ when(mContentResolver.getType(mRingtoneUri)).thenReturn("audio/*"); ++ when(mUserManager.isSameProfileGroup(OWNER_USER_ID, OTHER_USER_ID)).thenReturn(true); ++ when(mUserManager.getProfileParent(UserHandle.of(OTHER_USER_ID))).thenReturn( ++ UserHandle.of(OWNER_USER_ID)); ++ when(mUserManager.isManagedProfile(OTHER_USER_ID)).thenReturn(false); ++ ++ mDefaultRingtonePreference.onSaveRingtone(mRingtoneUri); ++ ++ verify(mDefaultRingtonePreference, never()).setActualDefaultRingtoneUri(mRingtoneUri); ++ } ++ ++ @Test ++ public void onSaveRingtone_notSameUser_shouldNotSetRingtone() { ++ mRingtoneUri = Uri.parse("content://" + OTHER_USER_ID + "@ringtone"); ++ when(mContentResolver.getType(mRingtoneUri)).thenReturn("audio/*"); ++ when(mUserManager.isSameProfileGroup(OWNER_USER_ID, OTHER_USER_ID)).thenReturn(false); ++ ++ mDefaultRingtonePreference.onSaveRingtone(mRingtoneUri); ++ ++ verify(mDefaultRingtonePreference, never()).setActualDefaultRingtoneUri(mRingtoneUri); ++ } ++ ++ @Test ++ public void onSaveRingtone_isManagedProfile_shouldSetRingtone() { ++ mRingtoneUri = Uri.parse("content://" + OTHER_USER_ID + "@ringtone"); ++ when(mContentResolver.getType(mRingtoneUri)).thenReturn("audio/*"); ++ when(mUserManager.isSameProfileGroup(OWNER_USER_ID, OTHER_USER_ID)).thenReturn(true); ++ when(mUserManager.getProfileParent(UserHandle.of(OTHER_USER_ID))).thenReturn( ++ UserHandle.of(OWNER_USER_ID)); ++ when(mUserManager.isManagedProfile(OTHER_USER_ID)).thenReturn(true); ++ ++ mDefaultRingtonePreference.onSaveRingtone(mRingtoneUri); ++ ++ verify(mDefaultRingtonePreference).setActualDefaultRingtoneUri(mRingtoneUri); ++ } ++ ++ @Test ++ public void onSaveRingtone_defaultUri_shouldSetRingtone() { ++ mRingtoneUri = Uri.parse("default_ringtone"); ++ when(mDefaultRingtonePreference.isDefaultRingtone(any(Uri.class))).thenReturn(true); ++ ++ mDefaultRingtonePreference.onSaveRingtone(mRingtoneUri); ++ ++ 
verify(mDefaultRingtonePreference).setActualDefaultRingtoneUri(mRingtoneUri); ++ } + } diff --git a/Patches/LineageOS-17.1/android_system_bt/379154.patch b/Patches/LineageOS-17.1/android_system_bt/379154.patch new file mode 100644 index 00000000..d159ab2f --- /dev/null +++ b/Patches/LineageOS-17.1/android_system_bt/379154.patch 
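Review bot: In the new `isValidRingtoneUri`, `mUserContext.getContentResolver().getType(ringtoneUri)` runs before the `ContentProvider.getUserIdFromUri` / `isSameProfileGroup` checks, so a content URI naming an unrelated user presumably still reaches that user's provider before it is rejected; the user-id validation is purely local and could be done first, with the mimeType query afterwards. If this ordering is kept deliberately to stay aligned with the upstream change, a short comment saying so would stop the next reader from reordering it. The enclosing RingtonePreference class continues outside the hunk.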
@@ -0,0 +1,135 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Tue, 23 May 2023 23:23:11 +0000 +Subject: [PATCH] Fix some OOB errors in BTM parsing + +Some HCI BLE events are missing bounds checks, leading to possible OOB +access. Add the appropriate bounds checks on the packets. + +Bug: 279169188 +Test: atest bluetooth_test_gd_unit, net_test_stack_btm +Tag: #security +Ignore-AOSP-First: Security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066) +Merged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57 +Change-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57 +--- + stack/btm/btm_ble_gap.cc | 50 ++++++++++++++++++++++++++++++---------- + stack/btu/btu_hcif.cc | 6 +++++ + 2 files changed, 44 insertions(+), 12 deletions(-) + +diff --git a/stack/btm/btm_ble_gap.cc b/stack/btm/btm_ble_gap.cc +index 7f94bb8cb..ff86bd511 100644 +--- a/stack/btm/btm_ble_gap.cc ++++ b/stack/btm/btm_ble_gap.cc +@@ -1774,19 +1774,27 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) { + advertising_sid; + int8_t rssi, tx_power; + uint16_t event_type, periodic_adv_int, direct_address_type; ++ size_t bytes_to_process; + + /* Only process the results if the inquiry is still active */ + if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return; + ++ bytes_to_process = 1; ++ ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room " ++ "for num reports"; ++ return; ++ } ++ + /* Extract the number of reports in this event. 
*/ + STREAM_TO_UINT8(num_reports, p); + + while (num_reports--) { +- if (p > data + data_len) { +- // TODO(jpawlowski): we should crash the stack here +- BTM_TRACE_ERROR( +- "Malformed LE Extended Advertising Report Event from controller - " +- "can't loop the data"); ++ bytes_to_process += 24; ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room " ++ "for metadata"; + return; + } + +@@ -1806,8 +1814,11 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) { + + uint8_t* pkt_data = p; + p += pkt_data_len; /* Advance to the the next packet*/ +- if (p > data + data_len) { +- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len; ++ ++ bytes_to_process += pkt_data_len; ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room " ++ "for packet data"; + return; + } + +@@ -1836,17 +1847,28 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) { + uint8_t* p = data; + uint8_t legacy_evt_type, addr_type, num_reports, pkt_data_len; + int8_t rssi; ++ size_t bytes_to_process; + + /* Only process the results if the inquiry is still active */ + if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return; + ++ bytes_to_process = 1; ++ ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) ++ << "Malformed LE advertising packet: not enough room for num reports"; ++ return; ++ } ++ + /* Extract the number of reports in this event. 
*/ + STREAM_TO_UINT8(num_reports, p); + + while (num_reports--) { +- if (p > data + data_len) { +- // TODO(jpawlowski): we should crash the stack here +- BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller"); ++ bytes_to_process += 9; ++ ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) ++ << "Malformed LE advertising packet: not enough room for metadata"; + return; + } + +@@ -1858,8 +1880,12 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) { + + uint8_t* pkt_data = p; + p += pkt_data_len; /* Advance to the the rssi byte */ +- if (p > data + data_len - sizeof(rssi)) { +- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len; ++ ++ // include rssi for this check ++ bytes_to_process += pkt_data_len + 1; ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) << "Malformed LE advertising packet: not enough room for " ++ "packet data and/or RSSI"; + return; + } + +diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc +index 52d5d60f8..7bf385ea3 100644 +--- a/stack/btu/btu_hcif.cc ++++ b/stack/btu/btu_hcif.cc +@@ -2180,6 +2180,12 @@ static void btu_ble_data_length_change_evt(uint8_t* p, uint16_t evt_len) { + return; + } + ++ // 2 bytes each for handle, tx_data_len, TxTimer, rx_data_len ++ if (evt_len < 8) { ++ LOG_ERROR(LOG_TAG, "Event packet too short"); ++ return; ++ } ++ + STREAM_TO_UINT16(handle, p); + STREAM_TO_UINT16(tx_data_len, p); + p += 2; /* Skip the TxTimer */ diff --git a/Patches/LineageOS-17.1/android_vendor_nxp_opensource_packages_apps_Nfc/379155.patch b/Patches/LineageOS-17.1/android_vendor_nxp_opensource_packages_apps_Nfc/379155.patch new file mode 100644 index 00000000..91c196b4 --- /dev/null +++ b/Patches/LineageOS-17.1/android_vendor_nxp_opensource_packages_apps_Nfc/379155.patch 
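Review bot: The new length accounting uses bare constants — `bytes_to_process += 24;` in btm_ble_process_ext_adv_pkt and `bytes_to_process += 9;` in btm_ble_process_adv_pkt — without saying which fixed-size fields they cover, and the STREAM_TO_* reads that consume those bytes sit outside the hunk, so a reader cannot check the arithmetic from the diff alone. A comment naming the fields would make the bound auditable, e.g. `bytes_to_process += 24;  // fixed-size report fields before pkt_data (event_type .. pkt_data_len); keep in sync with the reads below` and, for the legacy path, `bytes_to_process += 9;  // evt_type(1) + addr_type(1) + addr(6) + pkt_data_len(1)`. Presumably these match the LE Advertising Report and LE Extended Advertising Report layouts; confirm against the reads. The identical hunks in android_vendor_qcom_opensource_system_bt/379156.patch need the same comments.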
@@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Tue, 31 Oct 2023 11:13:03 -0700 +Subject: [PATCH] Possible deadlock on the NfcService object + +Bug: 268038643 +Bug: 307489565 +Test: CtsVerifier +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2d8ea70c65831313d73784fb3c78f64ff0cbd627) +Merged-In: I683ae425dafa4e209b9517b62ada7d8a694f84a9 +Change-Id: I683ae425dafa4e209b9517b62ada7d8a694f84a9 +--- + src/com/android/nfc/NfcService.java | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/src/com/android/nfc/NfcService.java b/src/com/android/nfc/NfcService.java +index d41ea4f2..c69c9466 100644 +--- a/src/com/android/nfc/NfcService.java ++++ b/src/com/android/nfc/NfcService.java +@@ -1135,9 +1135,7 @@ public class NfcService implements DeviceHostListener { + } + + public boolean isSecureNfcEnabled() { +- synchronized (NfcService.this) { +- return mIsSecureNfcEnabled; +- } ++ return mIsSecureNfcEnabled; + } + + final class NfcAdapterService extends INfcAdapter.Stub { diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/379156.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/379156.patch new file mode 100644 index 00000000..0fd9f0f0 --- /dev/null +++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/379156.patch 
@@ -0,0 +1,135 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Tue, 23 May 2023 23:23:11 +0000 +Subject: [PATCH] Fix some OOB errors in BTM parsing + +Some HCI BLE events are missing bounds checks, leading to possible OOB +access. Add the appropriate bounds checks on the packets. + +Bug: 279169188 +Test: atest bluetooth_test_gd_unit, net_test_stack_btm +Tag: #security +Ignore-AOSP-First: Security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066) +Merged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57 +Change-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57 +--- + stack/btm/btm_ble_gap.cc | 50 ++++++++++++++++++++++++++++++---------- + stack/btu/btu_hcif.cc | 6 +++++ + 2 files changed, 44 insertions(+), 12 deletions(-) + +diff --git a/stack/btm/btm_ble_gap.cc b/stack/btm/btm_ble_gap.cc +index 1bd5b73c7..84af4eefa 100644 +--- a/stack/btm/btm_ble_gap.cc ++++ b/stack/btm/btm_ble_gap.cc +@@ -1877,19 +1877,27 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) { + advertising_sid; + int8_t rssi, tx_power; + uint16_t event_type, periodic_adv_int, direct_address_type; ++ size_t bytes_to_process; + + /* Only process the results if the inquiry is still active */ + if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return; + ++ bytes_to_process = 1; ++ ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room " ++ "for num reports"; ++ return; ++ } ++ + /* Extract the number of reports in this event. 
*/ + STREAM_TO_UINT8(num_reports, p); + + while (num_reports--) { +- if (p > data + data_len) { +- // TODO(jpawlowski): we should crash the stack here +- BTM_TRACE_ERROR( +- "Malformed LE Extended Advertising Report Event from controller - " +- "can't loop the data"); ++ bytes_to_process += 24; ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room " ++ "for metadata"; + return; + } + +@@ -1909,8 +1917,11 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) { + + uint8_t* pkt_data = p; + p += pkt_data_len; /* Advance to the the next packet*/ +- if (p > data + data_len) { +- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len; ++ ++ bytes_to_process += pkt_data_len; ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room " ++ "for packet data"; + return; + } + +@@ -1942,17 +1953,28 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) { + uint8_t* p = data; + uint8_t legacy_evt_type, addr_type, num_reports, pkt_data_len; + int8_t rssi; ++ size_t bytes_to_process; + + /* Only process the results if the inquiry is still active */ + if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return; + ++ bytes_to_process = 1; ++ ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) ++ << "Malformed LE advertising packet: not enough room for num reports"; ++ return; ++ } ++ + /* Extract the number of reports in this event. 
*/ + STREAM_TO_UINT8(num_reports, p); + + while (num_reports--) { +- if (p > data + data_len) { +- // TODO(jpawlowski): we should crash the stack here +- BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller"); ++ bytes_to_process += 9; ++ ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) ++ << "Malformed LE advertising packet: not enough room for metadata"; + return; + } + +@@ -1964,8 +1986,12 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) { + + uint8_t* pkt_data = p; + p += pkt_data_len; /* Advance to the the rssi byte */ +- if (p > data + data_len - sizeof(rssi)) { +- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len; ++ ++ // include rssi for this check ++ bytes_to_process += pkt_data_len + 1; ++ if (data_len < bytes_to_process) { ++ LOG(ERROR) << "Malformed LE advertising packet: not enough room for " ++ "packet data and/or RSSI"; + return; + } + +diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc +index 6f16bff83..071aafce3 100644 +--- a/stack/btu/btu_hcif.cc ++++ b/stack/btu/btu_hcif.cc +@@ -1923,6 +1923,12 @@ static void btu_ble_data_length_change_evt(uint8_t* p, uint16_t evt_len) { + return; + } + ++ // 2 bytes each for handle, tx_data_len, TxTimer, rx_data_len ++ if (evt_len < 8) { ++ LOG_ERROR(LOG_TAG, "Event packet too short"); ++ return; ++ } ++ + STREAM_TO_UINT16(handle, p); + STREAM_TO_UINT16(tx_data_len, p); + p += 2; /* Skip the TxTimer */ diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh index 63effcca..37ef3f55 100644 --- a/Scripts/LineageOS-17.1/Patch.sh +++ b/Scripts/LineageOS-17.1/Patch.sh 
@@ -98,6 +98,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig +sed -i 's/2023-12-05/2024-01-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-01 fi; if enterAndClear "build/soong"; then 
@@ -160,7 +161,18 @@ if enterAndClear "external/zlib"; then git fetch https://github.com/LineageOS/android_external_zlib refs/changes/70/352570/1 && git cherry-pick FETCH_HEAD; #Q_asb_2023-03 fi; +if enterAndClear "frameworks/av"; then +applyPatch "$DOS_PATCHES/android_frameworks_av/379143.patch"; #R_asb_2024-01 Codec2BufferUtils: Use cropped dimensions in RGB to YUV conversion +applyPatch "$DOS_PATCHES/android_frameworks_av/379144.patch"; #R_asb_2024-01 Fix convertYUV420Planar16ToY410 overflow issue for unsupported cropwidth. +fi; + if enterAndClear "frameworks/base"; then +applyPatch "$DOS_PATCHES/android_frameworks_base/379145.patch"; #R_asb_2024-01 Dismiss keyguard when simpin auth'd and... +applyPatch "$DOS_PATCHES/android_frameworks_base/379146-backport.patch"; #R_asb_2024-01 Ensure finish lockscreen when usersetup incomplete +applyPatch "$DOS_PATCHES/android_frameworks_base/379147-backport.patch"; #R_asb_2024-01 Truncate user data to a limit of 500 characters +applyPatch "$DOS_PATCHES/android_frameworks_base/379148-backport.patch"; #R_asb_2024-01 [CDM] Validate component name length before requesting notification access. +applyPatch "$DOS_PATCHES/android_frameworks_base/379149-backport.patch"; #R_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target +applyPatch "$DOS_PATCHES/android_frameworks_base/379150.patch"; #R_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS) 
@@ -296,6 +308,10 @@ if enterAndClear "packages/apps/Bluetooth"; then if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) fi; +if enterAndClear "packages/apps/Camera2"; then +applyPatch "$DOS_PATCHES/android_packages_apps_Camera2/379151.patch"; #R_asb_2024-01 Do not pass location info for startActivity case +fi; + #if enterAndClear "packages/apps/CarrierConfig"; then #rm -rf assets/*.xml; #cp $DOS_PATCHES_COMMON/android_packages_apps_CarrierConfig/*.xml assets/; @@ -325,6 +341,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Messaging/0002-missing-cha fi; if enterAndClear "packages/apps/Nfc"; then +applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/379152.patch"; #R_asb_2024-01 Possible deadlock on the NfcService object if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) fi; @@ -337,6 +354,7 @@ fi; if enterAndClear "packages/apps/Settings"; then git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock +#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/379153-backport.patch"; #R_asb_2024-01 Validate ringtone URIs before setting #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle-gos.patch"; #Add option to disable captive portal checks (GrapheneOS) #FIXME: needs work 
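Review bot: The Settings fix is added to the tree but its apply line is commented out — `+#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/379153-backport.patch"; #R_asb_2024-01 Validate ringtone URIs before setting` — so the 17.1 build does not get the ringtone URI validation for Bug 299614635 even though the commit title advertises the January ASB work. If it is disabled intentionally (for instance because it does not apply or build on this branch), the reason belongs in the trailing comment, e.g. `#FIXME: disabled, <reason>`; otherwise the leading `#` should be dropped. This hunk already uses that `#FIXME:` convention on the Captive_Portal_Toggle-gos line.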
@@ -395,6 +413,7 @@ applyPatch "$DOS_PATCHES/android_prebuilts_abi-dumps_vndk/0001-protobuf-avi.patc fi; if enterAndClear "system/bt"; then +applyPatch "$DOS_PATCHES/android_system_bt/379154.patch"; #R_asb_2024-01 Fix some OOB errors in BTM parsing applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS) #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS) #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS) @@ -446,6 +465,14 @@ applyPatch "$DOS_PATCHES/android_tools_apksig/360973-backport-prereq.patch"; #R_ applyPatch "$DOS_PATCHES/android_tools_apksig/360973-backport.patch"; #R_asb_2023-07 Limit the number of supported v1 and v2 signers fi; +if enterAndClear "vendor/nxp/opensource/commonsys/packages/apps/Nfc"; then +applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/379155.patch"; #R_asb_2024-01 Possible deadlock on the NfcService object +fi; + +if enterAndClear "vendor/qcom/opensource/commonsys/system/bt/"; then +applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/379156.patch"; #R_asb_2024-01 Fix some OOB errors in BTM parsing +fi; + if enterAndClear "vendor/lineage"; then rm build/target/product/security/lineage.x509.pem; #Remove Lineage keys rm -rf overlay/common/lineage-sdk/packages/LineageSettingsProvider/res/values/defaults.xml; #Remove analytics
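Review bot: The new `if enterAndClear "vendor/qcom/opensource/commonsys/system/bt/"; then` carries a trailing slash while every other enterAndClear path in this file, including the vendor/nxp block added just above it, does not. enterAndClear is defined outside this file, so whether it keys anything on the literal path string cannot be checked here; either way the argument is inconsistent with the rest of the script. I would write `if enterAndClear "vendor/qcom/opensource/commonsys/system/bt"; then`.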