diff --git a/Patches/LineageOS-15.1/android_external_zlib/351909.patch b/Patches/LineageOS-15.1/android_external_zlib/351909.patch
new file mode 100644
index 00000000..ecc58670
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_external_zlib/351909.patch
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi
+Date: Tue, 22 Nov 2022 22:00:13 +0000
+Subject: [PATCH] Fix a bug when getting a gzip header extra field with
+ inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+
+Bug: http://b/242299736
+Test: TreeHugger
+
+Change-Id: I4eabb3e135c1568e06b2b9740651a3ae11b21140
+(cherry picked from commit 1c4806afd7ae034aa9f86df35d4341a0b175a90a)
+Merged-In: I4eabb3e135c1568e06b2b9740651a3ae11b21140
+---
+ src/inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/inflate.c b/src/inflate.c
+index 4fd3f3c..5c111f5 100644
+--- a/src/inflate.c
++++ b/src/inflate.c
+@@ -736,8 +736,9 @@ int flush;
+ if (copy > have) copy = have;
+ if (copy) {
+ if (state->head != Z_NULL &&
+- state->head->extra != Z_NULL) {
+- len = state->head->extra_len - state->length;
++ state->head->extra != Z_NULL &&
++ (len = state->head->extra_len - state->length) <
++ state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/351914-backport.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/351914-backport.patch
new file mode 100644
index 00000000..4b7f04c9
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/351914-backport.patch
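Review bot: The new bounds check is tucked into the `if` as an assignment expression, so the reason the `zmemcpy` right below is now safe is not visible at the copy itself; a comment above `zmemcpy` would carry it: `/* len < extra_max here, so the ternary copies at most the space left in extra */`. Extra-field bytes beyond `extra_max` are then consumed without being stored; presumably the caller still sees the full size in `extra_len` (it is the minuend in `extra_len - state->length`), which is how truncation can be detected — worth stating in the same comment if confirmed. `inflate()` continues outside the hunk, so the bookkeeping that advances `state->length` and `next` after the copy could not be checked here.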
@@ -0,0 +1,100 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tsung-Mao Fang
+Date: Mon, 3 Jan 2022 18:25:04 +0800
+Subject: [PATCH] FRP bypass defense in the settings app
+
+Over the last few years, there have been a number of
+Factory Reset Protection bypass bugs in the SUW flow.
+It's unlikely to defense all points from individual apps.
+
+Therefore, we decide to block some critical pages when
+user doesn't complete the SUW flow.
+
+Test: Can't open the certain pages in the suw flow.
+Bug: 258422561
+Fix: 200746457
+Bug: 202975040
+Fix: 213091525
+Fix: 213090835
+Fix: 201561699
+Fix: 213090827
+Fix: 213090875
+Change-Id: Ia18f367109df5af7da0a5acad7702898a459d32e
+Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
+(cherry picked from commit ff5bfb40c8b09ab477efaae6a0199911a0d703dd)
+Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
+---
+ .../settings/SettingsPreferenceFragment.java | 22 ++++++++++++++++++-
+ .../system/ResetDashboardFragment.java | 5 +++++
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/settings/SettingsPreferenceFragment.java b/src/com/android/settings/SettingsPreferenceFragment.java
+index a3d26af8eb..6653dd0ba9 100644
+--- a/src/com/android/settings/SettingsPreferenceFragment.java
++++ b/src/com/android/settings/SettingsPreferenceFragment.java
+@@ -49,6 +49,7 @@ import com.android.settings.applications.LayoutPreference;
+ import com.android.settings.core.InstrumentedPreferenceFragment;
+ import com.android.settings.core.instrumentation.Instrumentable;
+ import com.android.settings.core.instrumentation.InstrumentedDialogFragment;
++import com.android.settings.Utils;
+ import com.android.settings.widget.LoadingViewController;
+ import com.android.settingslib.CustomDialogPreference;
+ import com.android.settingslib.CustomEditTextPreference;
+@@ -69,7 +70,7 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF
+ **/
+ public static final 
String HELP_URI_RESOURCE_KEY = "help_uri_resource";
+
+- private static final String TAG = "SettingsPreference";
++ private static final String TAG = "SettingsPreferenceFragment";
+
+ @VisibleForTesting
+ static final int DELAY_HIGHLIGHT_DURATION_MILLIS = 600;
+@@ -141,6 +142,15 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF
+ @VisibleForTesting
+ public boolean mPreferenceHighlighted = false;
+
++ @Override
++ public void onAttach(Context context) {
++ if (shouldSkipForInitialSUW() && !Utils.isDeviceProvisioned(getContext())) {
++ Log.w(TAG, "Skip " + getClass().getSimpleName() + " before SUW completed.");
++ finish();
++ }
++ super.onAttach(context);
++ }
++
+ @Override
+ public void onCreate(Bundle icicle) {
+ super.onCreate(icicle);
+@@ -281,6 +291,16 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF
+ }
+ }
+
++ /**
++ * Whether UI should be skipped in the initial SUW flow.
++ *
++ * @return {@code true} when UI should be skipped in the initial SUW flow.
++ * {@code false} when UI should not be skipped in the initial SUW flow.
++ */
++ protected boolean shouldSkipForInitialSUW() {
++ return false;
++ }
++
+ protected void onDataSetChanged() {
+ highlightPreferenceIfNeeded();
+ updateEmptyView();
+diff --git a/src/com/android/settings/system/ResetDashboardFragment.java b/src/com/android/settings/system/ResetDashboardFragment.java
+index 48295a42e1..add340f230 100644
+--- a/src/com/android/settings/system/ResetDashboardFragment.java
++++ b/src/com/android/settings/system/ResetDashboardFragment.java
+@@ -56,6 +56,11 @@ public class ResetDashboardFragment extends DashboardFragment {
+ return buildPreferenceControllers(context, getLifecycle());
+ }
+
++ @Override
++ protected boolean shouldSkipForInitialSUW() {
++ return true;
++ }
++
+ private static List buildPreferenceControllers(Context context,
+ Lifecycle lifecycle) {
+ final List controllers = new ArrayList<>();
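Review bot: The new `onAttach(Context context)` ignores its own `context` argument and calls `getContext()` for the provisioning check; the parameter is the context being attached and is never null at that point, so `!Utils.isDeviceProvisioned(context)` is the more robust spelling. The gate only applies to fragments that opt in by overriding `shouldSkipForInitialSUW()` — in this patch only `ResetDashboardFragment` does — so the base method's Javadoc should say that explicitly, e.g. `* Subclasses that expose pages the SUW flow must not reach should override this to return true.`, otherwise future critical pages will silently stay reachable. Also note that `finish()` does not abort the attach: `super.onAttach(context)` and the rest of the lifecycle still run, which looks intended but deserves a one-line comment so nobody "fixes" it by returning early and skipping `super.onAttach`.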
diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/351915-backport.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/351915-backport.patch
new file mode 100644
index 00000000..d2bed432
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/351915-backport.patch
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yanting Yang
+Date: Wed, 4 Jan 2023 09:40:38 +0000
+Subject: [PATCH] Add DISALLOW_APPS_CONTROL check into uninstall app for all
+ users
+
+Settings App info page supports a "Uninstall for all users" function
+when multiple users are enabled. It bypasses the restriction of
+DISALLOW_APPS_CONTROL which breaks the user isolation guideline.
+
+To fix this vulnerability, we should check the DISALLOW_APPS_CONTROL
+restriction to provide the "Uninstall for all users" function.
+
+Bug: 258653813
+Test: manual & robotests
+Change-Id: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
+Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
+(cherry picked from commit 86914bedc84474c152e4536fb3cfa2fb488030b8)
+Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
+---
+ .../settings/applications/InstalledAppDetails.java | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/settings/applications/InstalledAppDetails.java b/src/com/android/settings/applications/InstalledAppDetails.java
+index 8bdbffca9b..9ffbc25ce2 100755
+--- a/src/com/android/settings/applications/InstalledAppDetails.java
++++ b/src/com/android/settings/applications/InstalledAppDetails.java
+@@ -522,7 +522,13 @@ public class InstalledAppDetails extends AppInfoBase
+ if (mFinishing) {
+ return;
+ }
+- menu.findItem(UNINSTALL_ALL_USERS_MENU).setVisible(shouldShowUninstallForAll(mAppEntry));
++ final MenuItem uninstallAllUsersItem = menu.findItem(UNINSTALL_ALL_USERS_MENU);
++ uninstallAllUsersItem.setVisible(
++ shouldShowUninstallForAll(mAppEntry) && !mAppsControlDisallowedBySystem);
++ if (uninstallAllUsersItem.isVisible()) {
++ RestrictedLockUtils.setMenuItemAsDisabledByAdmin(getActivity(),
++ uninstallAllUsersItem, mAppsControlDisallowedAdmin);
++ }
+ mUpdatedSysApp = (mAppEntry.info.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0;
+ MenuItem uninstallUpdatesItem = 
menu.findItem(UNINSTALL_UPDATES);
+ uninstallUpdatesItem.setVisible(mUpdatedSysApp && !mAppsControlDisallowedBySystem);
diff --git a/Patches/LineageOS-15.1/android_system_bt/351916.patch b/Patches/LineageOS-15.1/android_system_bt/351916.patch
new file mode 100644
index 00000000..ad2d7fa6
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_system_bt/351916.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Wed, 28 Dec 2022 00:32:37 +0000
+Subject: [PATCH] Fix an OOB Write bug in gatt_check_write_long_terminate
+
+this is the backport of Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084
+
+Bug: 258652631
+Test: manual
+Tag: #security
+Ignore-AOSP-First: security
+Change-Id: Ic84122f07cbc198c676d366e39606621b7cb4e66
+(cherry picked from commit 9b17660bfd6f0f41cb9400ce0236d76c83605e03)
+Merged-In: Ic84122f07cbc198c676d366e39606621b7cb4e66
+---
+ stack/gatt/gatt_cl.cc | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
+index 9a28ff04a..014240888 100644
+--- a/stack/gatt/gatt_cl.cc
++++ b/stack/gatt/gatt_cl.cc
+@@ -569,7 +569,8 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
+ LOG(ERROR) << StringPrintf("value resp op_code = %s len = %d",
+ gatt_dbg_op_name(op_code), len);
+
+- if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
++ if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
++ len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
+ LOG(ERROR) << "illegal prepare write response length, discard";
+ gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
+ return;
+@@ -578,7 +579,7 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
+ STREAM_TO_UINT16(value.handle, p);
+ STREAM_TO_UINT16(value.offset, p);
+
+- value.len = len - 4;
++ value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
+
+ memcpy(value.value, p, value.len);
+
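Review bot: The restriction is enforced only while preparing the menu — the item is hidden when `mAppsControlDisallowedBySystem` and otherwise decorated by `setMenuItemAsDisabledByAdmin` — but the handler that actually performs the uninstall for `UNINSTALL_ALL_USERS_MENU` is outside the hunk and is not shown to re-check it. A menu prepared before the restriction fields changed can still be acted on, so that handler should also bail when `mAppsControlDisallowedBySystem || mAppsControlDisallowedAdmin != null`; if it already does, a comment at the `setVisible` call saying the handler re-checks would remove the doubt. The `if (uninstallAllUsersItem.isVisible())` re-read of a value set on the previous statement is a small readability wrinkle; keeping the boolean in a local and testing that reads more directly. The enclosing method (presumably the options-menu preparation, given the `mFinishing` guard) starts and ends outside the hunk.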
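Review bot: The patch subject names `gatt_check_write_long_terminate`, but the only hunks change `gatt_process_prep_write_rsp`; the Patch.sh log line repeats that subject, so anyone auditing the bulletin-to-fix mapping will be sent to the wrong function — worth correcting in the description if the backport can still be amended. The new upper bound `len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)` is what makes the later `memcpy(value.value, p, value.len)` safe, but the two are in different hunks; a comment at the check would tie them: `// len - GATT_PREP_WRITE_RSP_MIN_LEN is copied into value.value below; reject anything larger`. The function continues outside the hunks.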
diff --git a/Patches/LineageOS-15.1/android_system_bt/351917.patch b/Patches/LineageOS-15.1/android_system_bt/351917.patch
new file mode 100644
index 00000000..1773075e
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_system_bt/351917.patch
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Mon, 2 Jan 2023 22:05:45 +0000
+Subject: [PATCH] Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
+
+In A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the
+`-=` operation on it may result in integer underflow and
+OOB write with the computed pointer passed to
+A2DP_BuildMediaPayloadHeaderSbc.
+
+This is a backport of I45320085b1e458d3b0e0d86162a35aaaae7b34cb
+Test: atest net_test_stack_a2dp_codecs_native
+Ignore-AOSP-First: security
+Tag:#security
+
+Bug: 186803518
+Change-Id: I4ff1a1de71884b8de23008b2569fdea3650e85ec
+(cherry picked from commit a710300216be4a86373a65c6a685aeef8509cfa7)
+Merged-In: I4ff1a1de71884b8de23008b2569fdea3650e85ec
+---
+ stack/a2dp/a2dp_sbc.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/stack/a2dp/a2dp_sbc.cc b/stack/a2dp/a2dp_sbc.cc
+index 54c3d1a26..f42939d54 100644
+--- a/stack/a2dp/a2dp_sbc.cc
++++ b/stack/a2dp/a2dp_sbc.cc
+@@ -859,6 +859,11 @@ bool A2DP_BuildCodecHeaderSbc(UNUSED_ATTR const uint8_t* p_codec_info,
+ BT_HDR* p_buf, uint16_t frames_per_packet) {
+ uint8_t* p;
+
++ // there is a timestamp right following p_buf
++ if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) {
++ return false;
++ }
++
+ p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;
+ p = (uint8_t*)(p_buf + 1) + p_buf->offset;
+ p_buf->len += A2DP_SBC_MPL_HDR_LEN;
diff --git a/Patches/LineageOS-15.1/android_system_bt/351918.patch b/Patches/LineageOS-15.1/android_system_bt/351918.patch
new file mode 100644
index 00000000..50010538
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_system_bt/351918.patch
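Review bot: The guard `p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN` leaves the `4` unexplained; the comment above says a timestamp sits at the start of the buffer data, which presumably means a 4-byte field, so the bound should say so: `// keep the 4-byte timestamp at the start of the buffer data intact` and `if (p_buf->offset < sizeof(uint32_t) + A2DP_SBC_MPL_HDR_LEN) {` (confirm the timestamp width before switching to `sizeof`). The early `return false` is a new failure mode for this function; its callers are outside the hunk, so check that they act on the result instead of transmitting a buffer whose header was never written. The function body continues past the hunk.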
@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Wed, 4 Jan 2023 22:45:13 +0000
+Subject: [PATCH] Fix an OOB write in SDP_AddAttribute
+
+When the `attr_pad` becomes full, it is possible
+that un index of `-1` is computed write
+a zero byte to `p_val`, rusulting OOB write.
+
+```
+ p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\0';
+```
+
+This is a backport of I937d22a2df26fca1d7f06b10182c4e713ddfed1b
+
+Bug: 261867748
+Test: manual
+Tag: #security
+Ignore-AOSP-First: security
+Change-Id: Ibdda754e628cfc9d1706c14db114919a15d8d6b1
+(cherry picked from commit cc527a97f78a2999a0156a579e488afe9e3675b2)
+Merged-In: Ibdda754e628cfc9d1706c14db114919a15d8d6b1
+---
+ stack/sdp/sdp_db.cc | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/stack/sdp/sdp_db.cc b/stack/sdp/sdp_db.cc
+index d215260e9..8d5eb4073 100644
+--- a/stack/sdp/sdp_db.cc
++++ b/stack/sdp/sdp_db.cc
+@@ -362,6 +362,11 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
+ uint16_t xx, yy, zz;
+ tSDP_RECORD* p_rec = &sdp_cb.server_db.record[0];
+
++ if (p_val == nullptr) {
++ SDP_TRACE_WARNING("Trying to add attribute with p_val == nullptr, skipped");
++ return (false);
++ }
++
+ if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG) {
+ if ((attr_type == UINT_DESC_TYPE) ||
+ (attr_type == TWO_COMP_INT_DESC_TYPE) ||
+@@ -398,6 +403,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
+ if (p_rec->record_handle == handle) {
+ tSDP_ATTRIBUTE* p_attr = &p_rec->attribute[0];
+
++ // error out early, no need to look up
++ if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) {
++ SDP_TRACE_ERROR("the free pad for SDP record with handle %d is "
++ "full, skip adding the attribute", handle);
++ return (false);
++ }
++
+ /* Found the record. 
Now, see if the attribute already exists */
+ for (xx = 0; xx < p_rec->num_attributes; xx++, p_attr++) {
+ /* The attribute exists. replace it */
+@@ -437,15 +449,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
+ attr_len = 0;
+ }
+
+- if ((attr_len > 0) && (p_val != 0)) {
++ if (attr_len > 0) {
+ p_attr->len = attr_len;
+ memcpy(&p_rec->attr_pad[p_rec->free_pad_ptr], p_val, (size_t)attr_len);
+ p_attr->value_ptr = &p_rec->attr_pad[p_rec->free_pad_ptr];
+ p_rec->free_pad_ptr += attr_len;
+- } else if ((attr_len == 0 &&
+- p_attr->len !=
+- 0) || /* if truncate to 0 length, simply don't add */
+- p_val == 0) {
++ } else if (attr_len == 0 && p_attr->len != 0) {
++ /* if truncate to 0 length, simply don't add */
+ SDP_TRACE_ERROR(
+ "SDP_AddAttribute fail, length exceed maximum: ID %d: attr_len:%d ",
+ attr_id, attr_len);
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh
index 013865ea..9ec44f6b 100644
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@@ -73,7 +73,7 @@ applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys t
 applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2023-02-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2023-03-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;
 if enterAndClear "build/soong"; then
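Review bot: The new trace `SDP_TRACE_ERROR("the free pad for SDP record with handle %d is " "full, skip adding the attribute", handle)` formats `handle`, declared `uint32_t` in the signature shown in the hunk header, with `%d`; use `%u` (or `PRIu32`) so the conversion matches the argument type. The early rejection when `free_pad_ptr >= SDP_MAX_PAD_LEN` removes the `-1` index case from the description, but the truncation that computes that index is outside the hunk, so the `attr_len > 0` path still depends on it keeping `free_pad_ptr + attr_len <= SDP_MAX_PAD_LEN` before the `memcpy` into `attr_pad`; a comment at that `memcpy`, e.g. `// attr_len is presumably clamped above so this stays inside attr_pad — verify`, would make the invariant auditable. Dropping `p_val != 0` from the copy condition is consistent with the new `nullptr` early return, so the two hunks must stay together if either is ever reverted. `SDP_AddAttribute` starts before the first hunk and ends after the last.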
@@ -121,6 +121,10 @@ if enterAndClear "external/svox"; then
 git revert --no-edit 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
 fi;
+if enterAndClear "external/zlib"; then
+applyPatch "$DOS_PATCHES/android_external_zlib/351909.patch"; #P_asb_2023-03 Fix a bug when getting a gzip header extra field with inflate().
+fi;
+
 #if enterAndClear "frameworks/av"; then
 #if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
 #fi;
@@ -304,6 +308,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335115.patch"; #P_asb_20
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335116.patch"; #P_asb_2022-08 Extract app label from component name in notification access confirmation UI #TODO: needs backport
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345911.patch"; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345912-backport.patch"; #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351914-backport.patch"; #P_asb_2023-03 FRP bypass defense in the settings app
 git revert --no-edit a96df110e84123fe1273bff54feca3b4ca484dcd; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 if [ "$DOS_SENSORS_PERM" = true ]; then
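Review bot: `351915-backport.patch` (the DISALLOW_APPS_CONTROL check on "Uninstall for all users") is added under `android_packages_apps_Settings` by this diff, but no hunk of Patch.sh applies it — this hunk wires in only `351914-backport.patch` — so unless it is applied somewhere outside this diff the fix is shipped as a file and never reaches the build. Add it beside the new line: `applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351915-backport.patch"; #P_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users`. This matters more than a missed comment because the same commit bumps the security string to 2023-03-05, which asserts to the device and its attestation consumers that the March bulletin is fully applied.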
@@ -382,6 +387,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/347127.patch"; #P_asb_2023-01 Once AT
 applyPatch "$DOS_PATCHES/android_system_bt/347128.patch"; #P_asb_2023-01 AVRC: Validating msg size before accessing fields
 #applyPatch "$DOS_PATCHES/android_system_bt/349334-backport.patch"; #P_asb_2023-02 Report failure when not able to connect to AVRCP XXX: doesn't compile
 applyPatch "$DOS_PATCHES/android_system_bt/349335.patch"; #P_asb_2023-02 Add bounds check in avdt_scb_act.cc
+applyPatch "$DOS_PATCHES/android_system_bt/351916.patch"; #P_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
+applyPatch "$DOS_PATCHES/android_system_bt/351917.patch"; #P_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
+applyPatch "$DOS_PATCHES/android_system_bt/351918.patch"; #P_asb_2023-03 Fix an OOB write in SDP_AddAttribute
 fi;
 if enterAndClear "system/core"; then