15.1 March ASB work

Signed-off-by: Tad <tad@spotco.us>
2025-01-13 00:19:27 -05:00 · 2023-03-22 22:06:51 -04:00 · 2023-03-22 22:06:51 -04:00 · 2c17747c82
commit 2c17747c82
parent f9cee4664b
7 changed files with 344 additions and 1 deletions
--- a/Patches/LineageOS-15.1/android_external_zlib/351909.patch
+++ b/Patches/LineageOS-15.1/android_external_zlib/351909.patch
@ -0,0 +1,38 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Sadaf Ebrahimi <sadafebrahimi@google.com>
 Date: Tue, 22 Nov 2022 22:00:13 +0000
 Subject: [PATCH] Fix a bug when getting a gzip header extra field with
 inflate().
 If the extra field was larger than the space the user provided with
 inflateGetHeader(), and if multiple calls of inflate() delivered
 the extra header data, then there could be a buffer overflow of the
 provided space. This commit assures that provided space is not
 exceeded.
 Bug: http://b/242299736
 Test: TreeHugger
 Change-Id: I4eabb3e135c1568e06b2b9740651a3ae11b21140
 (cherry picked from commit 1c4806afd7ae034aa9f86df35d4341a0b175a90a)
 Merged-In: I4eabb3e135c1568e06b2b9740651a3ae11b21140
 ---
 src/inflate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/src/inflate.c b/src/inflate.c
 index 4fd3f3c..5c111f5 100644
 --- a/src/inflate.c
 +++ b/src/inflate.c
@@ -736,8 +736,9 @@ int flush;
                 if (copy > have) copy = have;
                 if (copy) {
                     if (state->head != Z_NULL &&
 -                        state->head->extra != Z_NULL) {
 -                        len = state->head->extra_len - state->length;
 +                        state->head->extra != Z_NULL &&
 +                        (len = state->head->extra_len - state->length) <
 +                            state->head->extra_max) {
                         zmemcpy(state->head->extra + len, next,
                                 len + copy > state->head->extra_max ?
                                 state->head->extra_max - len : copy);
--- a/Patches/LineageOS-15.1/android_packages_apps_Settings/351914-backport.patch
+++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/351914-backport.patch
@ -0,0 +1,100 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Tsung-Mao Fang <tmfang@google.com>
 Date: Mon, 3 Jan 2022 18:25:04 +0800
 Subject: [PATCH] FRP bypass defense in the settings app
 Over the last few years, there have been a number of
 Factory Reset Protection bypass bugs in the SUW flow.
 It's unlikely to defense all points from individual apps.
 Therefore, we decide to block some critical pages when
 user doesn't complete the SUW flow.
 Test: Can't open the certain pages in the suw flow.
 Bug: 258422561
 Fix: 200746457
 Bug: 202975040
 Fix: 213091525
 Fix: 213090835
 Fix: 201561699
 Fix: 213090827
 Fix: 213090875
 Change-Id: Ia18f367109df5af7da0a5acad7702898a459d32e
 Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
 (cherry picked from commit ff5bfb40c8b09ab477efaae6a0199911a0d703dd)
 Merged-In: Ia18f367109df5af7da0a5acad7702898a459d32e
 ---
 .../settings/SettingsPreferenceFragment.java  | 22 ++++++++++++++++++-
 .../system/ResetDashboardFragment.java        |  5 +++++
 2 files changed, 26 insertions(+), 1 deletion(-)
 diff --git a/src/com/android/settings/SettingsPreferenceFragment.java b/src/com/android/settings/SettingsPreferenceFragment.java
 index a3d26af8eb..6653dd0ba9 100644
 --- a/src/com/android/settings/SettingsPreferenceFragment.java
 +++ b/src/com/android/settings/SettingsPreferenceFragment.java
@@ -49,6 +49,7 @@ import com.android.settings.applications.LayoutPreference;
 import com.android.settings.core.InstrumentedPreferenceFragment;
 import com.android.settings.core.instrumentation.Instrumentable;
 import com.android.settings.core.instrumentation.InstrumentedDialogFragment;
 +import com.android.settings.Utils;
 import com.android.settings.widget.LoadingViewController;
 import com.android.settingslib.CustomDialogPreference;
 import com.android.settingslib.CustomEditTextPreference;
@@ -69,7 +70,7 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF
      **/
     public static final String HELP_URI_RESOURCE_KEY = "help_uri_resource";
 -    private static final String TAG = "SettingsPreference";
 +    private static final String TAG = "SettingsPreferenceFragment";
     @VisibleForTesting
     static final int DELAY_HIGHLIGHT_DURATION_MILLIS = 600;
@@ -141,6 +142,15 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF
     @VisibleForTesting
     public boolean mPreferenceHighlighted = false;
 +    @Override
 +    public void onAttach(Context context) {
 +        if (shouldSkipForInitialSUW() && !Utils.isDeviceProvisioned(getContext())) {
 +            Log.w(TAG, "Skip " + getClass().getSimpleName() + " before SUW completed.");
 +            finish();
 +        }
 +        super.onAttach(context);
 +    }
 +
     @Override
     public void onCreate(Bundle icicle) {
         super.onCreate(icicle);
@@ -281,6 +291,16 @@ public abstract class SettingsPreferenceFragment extends InstrumentedPreferenceF
         }
     }
 +    /**
 +     * Whether UI should be skipped in the initial SUW flow.
 +     *
 +     * @return {@code true} when UI should be skipped in the initial SUW flow.
 +     * {@code false} when UI should not be skipped in the initial SUW flow.
 +     */
 +    protected boolean shouldSkipForInitialSUW() {
 +        return false;
 +    }
 +
     protected void onDataSetChanged() {
         highlightPreferenceIfNeeded();
         updateEmptyView();
 diff --git a/src/com/android/settings/system/ResetDashboardFragment.java b/src/com/android/settings/system/ResetDashboardFragment.java
 index 48295a42e1..add340f230 100644
 --- a/src/com/android/settings/system/ResetDashboardFragment.java
 +++ b/src/com/android/settings/system/ResetDashboardFragment.java
@@ -56,6 +56,11 @@ public class ResetDashboardFragment extends DashboardFragment {
         return buildPreferenceControllers(context, getLifecycle());
     }
 +    @Override
 +    protected boolean shouldSkipForInitialSUW() {
 +        return true;
 +    }
 +
     private static List<AbstractPreferenceController> buildPreferenceControllers(Context context,
             Lifecycle lifecycle) {
         final List<AbstractPreferenceController> controllers = new ArrayList<>();
--- a/Patches/LineageOS-15.1/android_packages_apps_Settings/351915-backport.patch
+++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/351915-backport.patch
@ -0,0 +1,42 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Yanting Yang <yantingyang@google.com>
 Date: Wed, 4 Jan 2023 09:40:38 +0000
 Subject: [PATCH] Add DISALLOW_APPS_CONTROL check into uninstall app for all
 users
 Settings App info page supports a "Uninstall for all users" function
 when multiple users are enabled. It bypasses the restriction of
 DISALLOW_APPS_CONTROL which breaks the user isolation guideline.
 To fix this vulnerability, we should check the DISALLOW_APPS_CONTROL
 restriction to provide the "Uninstall for all users" function.
 Bug: 258653813
 Test: manual & robotests
 Change-Id: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
 Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
 (cherry picked from commit 86914bedc84474c152e4536fb3cfa2fb488030b8)
 Merged-In: I5d3bbcbaac439c4f7a1e6a9ade7775ff4f2f2ec6
 ---
 .../settings/applications/InstalledAppDetails.java        | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
 diff --git a/src/com/android/settings/applications/InstalledAppDetails.java b/src/com/android/settings/applications/InstalledAppDetails.java
 index 8bdbffca9b..9ffbc25ce2 100755
 --- a/src/com/android/settings/applications/InstalledAppDetails.java
 +++ b/src/com/android/settings/applications/InstalledAppDetails.java
@@ -522,7 +522,13 @@ public class InstalledAppDetails extends AppInfoBase
         if (mFinishing) {
             return;
         }
 -        menu.findItem(UNINSTALL_ALL_USERS_MENU).setVisible(shouldShowUninstallForAll(mAppEntry));
 +        final MenuItem uninstallAllUsersItem = menu.findItem(UNINSTALL_ALL_USERS_MENU);
 +        uninstallAllUsersItem.setVisible(
 +                shouldShowUninstallForAll(mAppEntry) && !mAppsControlDisallowedBySystem);
 +        if (uninstallAllUsersItem.isVisible()) {
 +            RestrictedLockUtils.setMenuItemAsDisabledByAdmin(getActivity(),
 +                    uninstallAllUsersItem, mAppsControlDisallowedAdmin);
 +        }
         mUpdatedSysApp = (mAppEntry.info.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0;
         MenuItem uninstallUpdatesItem = menu.findItem(UNINSTALL_UPDATES);
         uninstallUpdatesItem.setVisible(mUpdatedSysApp && !mAppsControlDisallowedBySystem);
--- a/Patches/LineageOS-15.1/android_system_bt/351916.patch
+++ b/Patches/LineageOS-15.1/android_system_bt/351916.patch
@ -0,0 +1,41 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Hui Peng <phui@google.com>
 Date: Wed, 28 Dec 2022 00:32:37 +0000
 Subject: [PATCH] Fix an OOB Write bug in gatt_check_write_long_terminate
 this is the backport of Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084
 Bug: 258652631
 Test: manual
 Tag: #security
 Ignore-AOSP-First: security
 Change-Id: Ic84122f07cbc198c676d366e39606621b7cb4e66
 (cherry picked from commit 9b17660bfd6f0f41cb9400ce0236d76c83605e03)
 Merged-In: Ic84122f07cbc198c676d366e39606621b7cb4e66
 ---
 stack/gatt/gatt_cl.cc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
 index 9a28ff04a..014240888 100644
 --- a/stack/gatt/gatt_cl.cc
 +++ b/stack/gatt/gatt_cl.cc
@@ -569,7 +569,8 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
   LOG(ERROR) << StringPrintf("value resp op_code = %s len = %d",
                              gatt_dbg_op_name(op_code), len);
 -  if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
 +  if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
 +      len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
     LOG(ERROR) << "illegal prepare write response length, discard";
     gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
     return;
@@ -578,7 +579,7 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
   STREAM_TO_UINT16(value.handle, p);
   STREAM_TO_UINT16(value.offset, p);
 -  value.len = len - 4;
 +  value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
   memcpy(value.value, p, value.len);
--- a/Patches/LineageOS-15.1/android_system_bt/351917.patch
+++ b/Patches/LineageOS-15.1/android_system_bt/351917.patch
@ -0,0 +1,39 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Hui Peng <phui@google.com>
 Date: Mon, 2 Jan 2023 22:05:45 +0000
 Subject: [PATCH] Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
 In  A2DP_BuildCodecHeaderSbc when p_buf->offset is 0, the
 `-=` operation on it may result in integer underflow and
 OOB write with the computed pointer passed to
 A2DP_BuildMediaPayloadHeaderSbc.
 This is a backport of I45320085b1e458d3b0e0d86162a35aaaae7b34cb
 Test: atest net_test_stack_a2dp_codecs_native
 Ignore-AOSP-First: security
 Tag:#security
 Bug: 186803518
 Change-Id: I4ff1a1de71884b8de23008b2569fdea3650e85ec
 (cherry picked from commit a710300216be4a86373a65c6a685aeef8509cfa7)
 Merged-In: I4ff1a1de71884b8de23008b2569fdea3650e85ec
 ---
 stack/a2dp/a2dp_sbc.cc | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/stack/a2dp/a2dp_sbc.cc b/stack/a2dp/a2dp_sbc.cc
 index 54c3d1a26..f42939d54 100644
 --- a/stack/a2dp/a2dp_sbc.cc
 +++ b/stack/a2dp/a2dp_sbc.cc
@@ -859,6 +859,11 @@ bool A2DP_BuildCodecHeaderSbc(UNUSED_ATTR const uint8_t* p_codec_info,
                               BT_HDR* p_buf, uint16_t frames_per_packet) {
   uint8_t* p;
 +  // there is a timestamp right following p_buf
 +  if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) {
 +    return false;
 +  }
 +
   p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;
   p = (uint8_t*)(p_buf + 1) + p_buf->offset;
   p_buf->len += A2DP_SBC_MPL_HDR_LEN;
--- a/Patches/LineageOS-15.1/android_system_bt/351918.patch
+++ b/Patches/LineageOS-15.1/android_system_bt/351918.patch
@ -0,0 +1,75 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Hui Peng <phui@google.com>
 Date: Wed, 4 Jan 2023 22:45:13 +0000
 Subject: [PATCH] Fix an OOB write in SDP_AddAttribute
 When the `attr_pad` becomes full, it is possible
 that un index of `-1` is computed write
 a zero byte to `p_val`, rusulting OOB write.
 ```
  p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\0';
 ```
 This is a backport of I937d22a2df26fca1d7f06b10182c4e713ddfed1b
 Bug: 261867748
 Test: manual
 Tag: #security
 Ignore-AOSP-First: security
 Change-Id: Ibdda754e628cfc9d1706c14db114919a15d8d6b1
 (cherry picked from commit cc527a97f78a2999a0156a579e488afe9e3675b2)
 Merged-In: Ibdda754e628cfc9d1706c14db114919a15d8d6b1
 ---
 stack/sdp/sdp_db.cc | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
 diff --git a/stack/sdp/sdp_db.cc b/stack/sdp/sdp_db.cc
 index d215260e9..8d5eb4073 100644
 --- a/stack/sdp/sdp_db.cc
 +++ b/stack/sdp/sdp_db.cc
@@ -362,6 +362,11 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
   uint16_t xx, yy, zz;
   tSDP_RECORD* p_rec = &sdp_cb.server_db.record[0];
 +  if (p_val == nullptr) {
 +    SDP_TRACE_WARNING("Trying to add attribute with p_val == nullptr, skipped");
 +    return (false);
 +  }
 +
   if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG) {
     if ((attr_type == UINT_DESC_TYPE) ||
         (attr_type == TWO_COMP_INT_DESC_TYPE) ||
@@ -398,6 +403,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
     if (p_rec->record_handle == handle) {
       tSDP_ATTRIBUTE* p_attr = &p_rec->attribute[0];
 +      // error out early, no need to look up
 +      if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) {
 +        SDP_TRACE_ERROR("the free pad for SDP record with handle %d is "
 +                        "full, skip adding the attribute", handle);
 +        return (false);
 +      }
 +
       /* Found the record. Now, see if the attribute already exists */
       for (xx = 0; xx < p_rec->num_attributes; xx++, p_attr++) {
         /* The attribute exists. replace it */
@@ -437,15 +449,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
           attr_len = 0;
       }
 -      if ((attr_len > 0) && (p_val != 0)) {
 +      if (attr_len > 0) {
         p_attr->len = attr_len;
         memcpy(&p_rec->attr_pad[p_rec->free_pad_ptr], p_val, (size_t)attr_len);
         p_attr->value_ptr = &p_rec->attr_pad[p_rec->free_pad_ptr];
         p_rec->free_pad_ptr += attr_len;
 -      } else if ((attr_len == 0 &&
 -                  p_attr->len !=
 -                      0) || /* if truncate to 0 length, simply don't add */
 -                 p_val == 0) {
 +      } else if (attr_len == 0 && p_attr->len != 0) {
 +        /* if truncate to 0 length, simply don't add */
         SDP_TRACE_ERROR(
             "SDP_AddAttribute fail, length exceed maximum: ID %d: attr_len:%d ",
             attr_id, attr_len);
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@ -73,7 +73,7 @@ applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys t
 applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2023-02-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2023-03-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;
 if enterAndClear "build/soong"; then
@ -121,6 +121,10 @@ if enterAndClear "external/svox"; then
 git revert --no-edit 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
 fi;
 if enterAndClear "external/zlib"; then
 applyPatch "$DOS_PATCHES/android_external_zlib/351909.patch"; #P_asb_2023-03 Fix a bug when getting a gzip header extra field with inflate().
 fi;
 #if enterAndClear "frameworks/av"; then
 #if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
 #fi;
@ -304,6 +308,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335115.patch"; #P_asb_20
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335116.patch"; #P_asb_2022-08 Extract app label from component name in notification access confirmation UI #TODO: needs backport
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345911.patch"; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345912-backport.patch"; #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351914-backport.patch"; #P_asb_2023-03 FRP bypass defense in the settings app
 git revert --no-edit a96df110e84123fe1273bff54feca3b4ca484dcd; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 if [ "$DOS_SENSORS_PERM" = true ]; then
@ -382,6 +387,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/347127.patch"; #P_asb_2023-01 Once AT
 applyPatch "$DOS_PATCHES/android_system_bt/347128.patch"; #P_asb_2023-01 AVRC: Validating msg size before accessing fields
 #applyPatch "$DOS_PATCHES/android_system_bt/349334-backport.patch"; #P_asb_2023-02 Report failure when not able to connect to AVRCP XXX: doesn't compile
 applyPatch "$DOS_PATCHES/android_system_bt/349335.patch"; #P_asb_2023-02 Add bounds check in avdt_scb_act.cc
 applyPatch "$DOS_PATCHES/android_system_bt/351916.patch"; #P_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
 applyPatch "$DOS_PATCHES/android_system_bt/351917.patch"; #P_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
 applyPatch "$DOS_PATCHES/android_system_bt/351918.patch"; #P_asb_2023-03 Fix an OOB write in SDP_AddAttribute
 fi;
 if enterAndClear "system/core"; then