15.1 March ASB work

Signed-off-by: Tad <tad@spotco.us>

Patches/LineageOS-15.1/android_external_zlib/351909.patch

@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Tue, 22 Nov 2022 22:00:13 +0000
+Subject: [PATCH] Fix a bug when getting a gzip header extra field with
+ inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+
+Bug: http://b/242299736
+Test: TreeHugger
+
+Change-Id: I4eabb3e135c1568e06b2b9740651a3ae11b21140
+(cherry picked from commit 1c4806afd7ae034aa9f86df35d4341a0b175a90a)
+Merged-In: I4eabb3e135c1568e06b2b9740651a3ae11b21140
+---
+ src/inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/inflate.c b/src/inflate.c
+index 4fd3f3c..5c111f5 100644
+--- a/src/inflate.c
++++ b/src/inflate.c
+@@ -736,8 +736,9 @@ int flush;
+                 if (copy > have) copy = have;
+                 if (copy) {
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
++                        state->head->extra != Z_NULL &&
++                        (len = state->head->extra_len - state->length) <
++                            state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);

Patches/LineageOS-15.1/android_packages_apps_Settings/351914-backport.patch

@@ -0,0 +1,100 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tsung-Mao Fang <tmfang@google.com>
+Date: Mon, 3 Jan 2022 18:25:04 +0800
+Subject: [PATCH] FRP bypass defense in the settings app
+
+Over the last few years, there have been a number of
+Factory Reset Protection bypass bugs in the SUW flow.
+It's unlikely to defense all points from individual apps.
+
+Therefore, we decide to block some critical pages when
+user doesn't complete the SUW flow.
+
+Test: Can't open the certain pages in the suw flow.
+Bug: 258422561
+Fix: 200746457
+Bug: 202975040
+Fix: 213091525
+Fix: 213090835
+Fix: 201561699
+Fix: 213090827
+Fix: 213090875
+Change-Id: Ia18f367109df5af7da0a5acad7702898a459d32e
+Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
+(cherry picked from commit ff5bfb40c8b09ab477efaae6a0199911a0d703dd)
+Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
+---
+ .../settings/SettingsPreferenceFragment.java  | 22 ++++++++++++++++++-
+ .../system/ResetDashboardFragment.java        |  5 +++++
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/settings/SettingsPreferenceFragment.java b/src/com/android/settings/SettingsPreferenceFragment.java
+index a3d26af8eb..6653dd0ba9 100644
+--- a/src/com/android/settings/SettingsPreferenceFragment.java
++++ b/src/com/android/settings/SettingsPreferenceFragment.java
+@@ -49,6 +49,7 @@ import com.android.settings.applications.LayoutPreference;
+ import com.android.settings.core.InstrumentedPreferenceFragment;
+ import com.android.settings.core.instrumentation.Instrumentable;
+ import com.android.settings.core.instrumentation.InstrumentedDialogFragment;
++import com.android.settings.Utils;
+ import com.android.settings.widget.LoadingViewController;
+ import com.android.settingslib.CustomDialogPreference;
+ import com.android.settingslib.CustomEditTextPreference;
+@@ -69,7 +70,7 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF
+      **/
+     public static final String HELP_URI_RESOURCE_KEY = "help_uri_resource";
+ 
+-    private static final String TAG = "SettingsPreference";
++    private static final String TAG = "SettingsPreferenceFragment";
+ 
+     @VisibleForTesting
+     static final int DELAY_HIGHLIGHT_DURATION_MILLIS = 600;
+@@ -141,6 +142,15 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF
+     @VisibleForTesting
+     public boolean mPreferenceHighlighted = false;
+ 
++    @Override
++    public void onAttach(Context context) {
++        if (shouldSkipForInitialSUW() && !Utils.isDeviceProvisioned(getContext())) {
++            Log.w(TAG, "Skip " + getClass().getSimpleName() + " before SUW completed.");
++            finish();
++        }
++        super.onAttach(context);
++    }
++
+     @Override
+     public void onCreate(Bundle icicle) {
+         super.onCreate(icicle);
+@@ -281,6 +291,16 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF
+         }
+     }
+ 
++    /**
++     * Whether UI should be skipped in the initial SUW flow.
++     *
++     * @return {@code true} when UI should be skipped in the initial SUW flow.
++     * {@code false} when UI should not be skipped in the initial SUW flow.
++     */
++    protected boolean shouldSkipForInitialSUW() {
++        return false;
++    }
++
+     protected void onDataSetChanged() {
+         highlightPreferenceIfNeeded();
+         updateEmptyView();
+diff --git a/src/com/android/settings/system/ResetDashboardFragment.java b/src/com/android/settings/system/ResetDashboardFragment.java
+index 48295a42e1..add340f230 100644
+--- a/src/com/android/settings/system/ResetDashboardFragment.java
++++ b/src/com/android/settings/system/ResetDashboardFragment.java
+@@ -56,6 +56,11 @@ public class ResetDashboardFragment extends DashboardFragment {
+         return buildPreferenceControllers(context, getLifecycle());
+     }
+ 
++    @Override
++    protected boolean shouldSkipForInitialSUW() {
++        return true;
++    }
++
+     private static List<AbstractPreferenceController> buildPreferenceControllers(Context context,
+             Lifecycle lifecycle) {
+         final List<AbstractPreferenceController> controllers = new ArrayList<>();

Patches/LineageOS-15.1/android_packages_apps_Settings/351915-backport.patch

@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yanting Yang <yantingyang@google.com>
+Date: Wed, 4 Jan 2023 09:40:38 +0000
+Subject: [PATCH] Add DISALLOW_APPS_CONTROL check into uninstall app for all
+ users
+
+Settings App info page supports a "Uninstall for all users" function
+when multiple users are enabled. It bypasses the restriction of
+DISALLOW_APPS_CONTROL which breaks the user isolation guideline.
+
+To fix this vulnerability, we should check the DISALLOW_APPS_CONTROL
+restriction to provide the "Uninstall for all users" function.
+
+Bug: 258653813
+Test: manual & robotests
+Change-Id: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
+Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
+(cherry picked from commit 86914bedc84474c152e4536fb3cfa2fb488030b8)
+Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
+---
+ .../settings/applications/InstalledAppDetails.java        | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/settings/applications/InstalledAppDetails.java b/src/com/android/settings/applications/InstalledAppDetails.java
+index 8bdbffca9b..9ffbc25ce2 100755
+--- a/src/com/android/settings/applications/InstalledAppDetails.java
++++ b/src/com/android/settings/applications/InstalledAppDetails.java
+@@ -522,7 +522,13 @@ public class InstalledAppDetails extends AppInfoBase
+         if (mFinishing) {
+             return;
+         }
+-        menu.findItem(UNINSTALL_ALL_USERS_MENU).setVisible(shouldShowUninstallForAll(mAppEntry));
++        final MenuItem uninstallAllUsersItem = menu.findItem(UNINSTALL_ALL_USERS_MENU);
++        uninstallAllUsersItem.setVisible(
++                shouldShowUninstallForAll(mAppEntry) && !mAppsControlDisallowedBySystem);
++        if (uninstallAllUsersItem.isVisible()) {
++            RestrictedLockUtils.setMenuItemAsDisabledByAdmin(getActivity(),
++                    uninstallAllUsersItem, mAppsControlDisallowedAdmin);
++        }
+         mUpdatedSysApp = (mAppEntry.info.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0;
+         MenuItem uninstallUpdatesItem = menu.findItem(UNINSTALL_UPDATES);
+         uninstallUpdatesItem.setVisible(mUpdatedSysApp && !mAppsControlDisallowedBySystem);

Patches/LineageOS-15.1/android_system_bt/351916.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Wed, 28 Dec 2022 00:32:37 +0000
+Subject: [PATCH] Fix an OOB Write bug in gatt_check_write_long_terminate
+
+this is the backport of Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084
+
+Bug: 258652631
+Test: manual
+Tag: #security
+Ignore-AOSP-First: security
+Change-Id: Ic84122f07cbc198c676d366e39606621b7cb4e66
+(cherry picked from commit 9b17660bfd6f0f41cb9400ce0236d76c83605e03)
+Merged-In: Ic84122f07cbc198c676d366e39606621b7cb4e66
+---
+ stack/gatt/gatt_cl.cc | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
+index 9a28ff04a..014240888 100644
+--- a/stack/gatt/gatt_cl.cc
++++ b/stack/gatt/gatt_cl.cc
+@@ -569,7 +569,8 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
+   LOG(ERROR) << StringPrintf("value resp op_code = %s len = %d",
+                              gatt_dbg_op_name(op_code), len);
+ 
+-  if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
++  if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
++      len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
+     LOG(ERROR) << "illegal prepare write response length, discard";
+     gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
+     return;
+@@ -578,7 +579,7 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
+   STREAM_TO_UINT16(value.handle, p);
+   STREAM_TO_UINT16(value.offset, p);
+ 
+-  value.len = len - 4;
++  value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
+ 
+   memcpy(value.value, p, value.len);
+ 

Patches/LineageOS-15.1/android_system_bt/351917.patch

@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Mon, 2 Jan 2023 22:05:45 +0000
+Subject: [PATCH] Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
+
+In  A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the
+`-=` operation on it may result in integer underflow and
+OOB write with the computed pointer passed to
+A2DP_BuildMediaPayloadHeaderSbc.
+
+This is a backport of I45320085b1e458d3b0e0d86162a35aaaae7b34cb
+Test: atest net_test_stack_a2dp_codecs_native
+Ignore-AOSP-First: security
+Tag:#security
+
+Bug: 186803518
+Change-Id: I4ff1a1de71884b8de23008b2569fdea3650e85ec
+(cherry picked from commit a710300216be4a86373a65c6a685aeef8509cfa7)
+Merged-In: I4ff1a1de71884b8de23008b2569fdea3650e85ec
+---
+ stack/a2dp/a2dp_sbc.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/stack/a2dp/a2dp_sbc.cc b/stack/a2dp/a2dp_sbc.cc
+index 54c3d1a26..f42939d54 100644
+--- a/stack/a2dp/a2dp_sbc.cc
++++ b/stack/a2dp/a2dp_sbc.cc
+@@ -859,6 +859,11 @@ bool A2DP_BuildCodecHeaderSbc(UNUSED_ATTR const uint8_t* p_codec_info,
+                               BT_HDR* p_buf, uint16_t frames_per_packet) {
+   uint8_t* p;
+ 
++  // there is a timestamp right following p_buf
++  if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) {
++    return false;
++  }
++
+   p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;
+   p = (uint8_t*)(p_buf + 1) + p_buf->offset;
+   p_buf->len += A2DP_SBC_MPL_HDR_LEN;

Patches/LineageOS-15.1/android_system_bt/351918.patch

@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Wed, 4 Jan 2023 22:45:13 +0000
+Subject: [PATCH] Fix an OOB write in SDP_AddAttribute
+
+When the `attr_pad` becomes full, it is possible
+that un index of `-1` is computed write
+a zero byte to `p_val`, rusulting OOB write.
+
+```
+  p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\0';
+```
+
+This is a backport of I937d22a2df26fca1d7f06b10182c4e713ddfed1b
+
+Bug: 261867748
+Test: manual
+Tag: #security
+Ignore-AOSP-First: security
+Change-Id: Ibdda754e628cfc9d1706c14db114919a15d8d6b1
+(cherry picked from commit cc527a97f78a2999a0156a579e488afe9e3675b2)
+Merged-In: Ibdda754e628cfc9d1706c14db114919a15d8d6b1
+---
+ stack/sdp/sdp_db.cc | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/stack/sdp/sdp_db.cc b/stack/sdp/sdp_db.cc
+index d215260e9..8d5eb4073 100644
+--- a/stack/sdp/sdp_db.cc
++++ b/stack/sdp/sdp_db.cc
+@@ -362,6 +362,11 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
+   uint16_t xx, yy, zz;
+   tSDP_RECORD* p_rec = &sdp_cb.server_db.record[0];
+ 
++  if (p_val == nullptr) {
++    SDP_TRACE_WARNING("Trying to add attribute with p_val == nullptr, skipped");
++    return (false);
++  }
++
+   if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG) {
+     if ((attr_type == UINT_DESC_TYPE) ||
+         (attr_type == TWO_COMP_INT_DESC_TYPE) ||
+@@ -398,6 +403,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
+     if (p_rec->record_handle == handle) {
+       tSDP_ATTRIBUTE* p_attr = &p_rec->attribute[0];
+ 
++      // error out early, no need to look up
++      if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) {
++        SDP_TRACE_ERROR("the free pad for SDP record with handle %d is "
++                        "full, skip adding the attribute", handle);
++        return (false);
++      }
++
+       /* Found the record. Now, see if the attribute already exists */
+       for (xx = 0; xx < p_rec->num_attributes; xx++, p_attr++) {
+         /* The attribute exists. replace it */
+@@ -437,15 +449,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
+           attr_len = 0;
+       }
+ 
+-      if ((attr_len > 0) && (p_val != 0)) {
++      if (attr_len > 0) {
+         p_attr->len = attr_len;
+         memcpy(&p_rec->attr_pad[p_rec->free_pad_ptr], p_val, (size_t)attr_len);
+         p_attr->value_ptr = &p_rec->attr_pad[p_rec->free_pad_ptr];
+         p_rec->free_pad_ptr += attr_len;
+-      } else if ((attr_len == 0 &&
+-                  p_attr->len !=
+-                      0) || /* if truncate to 0 length, simply don't add */
+-                 p_val == 0) {
++      } else if (attr_len == 0 && p_attr->len != 0) {
++        /* if truncate to 0 length, simply don't add */
+         SDP_TRACE_ERROR(
+             "SDP_AddAttribute fail, length exceed maximum: ID %d: attr_len:%d ",
+             attr_id, attr_len);

Scripts/LineageOS-15.1/Patch.sh

@@ -73,7 +73,7 @@ applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys t
 applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2023-02-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2023-03-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -121,6 +121,10 @@ if enterAndClear "external/svox"; then
 git revert --no-edit 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
 fi;
 
+if enterAndClear "external/zlib"; then
+applyPatch "$DOS_PATCHES/android_external_zlib/351909.patch"; #P_asb_2023-03 Fix a bug when getting a gzip header extra field with inflate().
+fi;
+
 #if enterAndClear "frameworks/av"; then
 #if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
 #fi;
@@ -304,6 +308,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335115.patch"; #P_asb_20
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335116.patch"; #P_asb_2022-08 Extract app label from component name in notification access confirmation UI #TODO: needs backport
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345911.patch"; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345912-backport.patch"; #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351914-backport.patch"; #P_asb_2023-03 FRP bypass defense in the settings app
 git revert --no-edit a96df110e84123fe1273bff54feca3b4ca484dcd; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 if [ "$DOS_SENSORS_PERM" = true ]; then
@@ -382,6 +387,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/347127.patch"; #P_asb_2023-01 Once AT
 applyPatch "$DOS_PATCHES/android_system_bt/347128.patch"; #P_asb_2023-01 AVRC: Validating msg size before accessing fields
 #applyPatch "$DOS_PATCHES/android_system_bt/349334-backport.patch"; #P_asb_2023-02 Report failure when not able to connect to AVRCP XXX: doesn't compile
 applyPatch "$DOS_PATCHES/android_system_bt/349335.patch"; #P_asb_2023-02 Add bounds check in avdt_scb_act.cc
+applyPatch "$DOS_PATCHES/android_system_bt/351916.patch"; #P_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
+applyPatch "$DOS_PATCHES/android_system_bt/351917.patch"; #P_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
+applyPatch "$DOS_PATCHES/android_system_bt/351918.patch"; #P_asb_2023-03 Fix an OOB write in SDP_AddAttribute
 fi;
 
 if enterAndClear "system/core"; then