15.1: July 2024 ASB work

Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
Tavi 2024-07-17 17:54:17 -04:00
parent 105767c7a7
commit 3400a35eb1
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
5 changed files with 116 additions and 3 deletions

View File

@ -68,7 +68,7 @@ external/caliper 4a0d9aba0856d0aa965d5653bfa4c138f0e8a8ba
external/cblas d063db8bdddfcde61e4bad3bfe65941fd73e8094 external/cblas d063db8bdddfcde61e4bad3bfe65941fd73e8094
external/chromium-libpac 0ac78251d11006d764ba1aad8cc0867827fafe5c external/chromium-libpac 0ac78251d11006d764ba1aad8cc0867827fafe5c
external/chromium-trace 8b2c0074e71a8086dee98ca8730acfdc5eddf7a1 external/chromium-trace 8b2c0074e71a8086dee98ca8730acfdc5eddf7a1
external/chromium-webview 55628131e0608ae5877fd6934719369e5002b679 external/chromium-webview 170a4ad46bc61af284392a04dda7dc378a638976
external/clang 751a76679b0fb5798ea6cab75906df07edcab315 external/clang 751a76679b0fb5798ea6cab75906df07edcab315
external/cmockery 9199c7bfafefea32d1884182fa655b6e4578c1c4 external/cmockery 9199c7bfafefea32d1884182fa655b6e4578c1c4
external/compiler-rt 0c46c9e892a3f68420635032ef2f6152dabd197c external/compiler-rt 0c46c9e892a3f68420635032ef2f6152dabd197c

View File

@ -0,0 +1,48 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco@google.com>
Date: Thu, 29 Feb 2024 12:03:05 +0000
Subject: [PATCH] Verify UID of incoming Zygote connections.
Only the system UID should be allowed to connect to the Zygote. While
for generic Zygotes this is also covered by SELinux policy, this is not
true for App Zygotes: the preload code running in an app zygote could
connect to another app zygote socket, if it had access to its (random)
socket address.
On the Java layer, simply check the UID when the connection is made. In
the native layer, this check was already present, but it actually didn't
work in the case where we receive a new incoming connection on the
socket, and receive a 'non-fork' command: in that case, we will simply
exit the native loop, and let the Java layer handle the command, without
any further UID checking.
Modified the native logic to drop new connections with a mismatching
UID, and to keep serving the existing connection (if it was still
there).
[Backport: No native layer for ZygoteCommandBuffer present]
Bug: 319081336
Test: manual
(cherry picked from commit 2ffc7cb220e4220b7e108c4043a3f0f2a85b6508)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e397fd3d20c3f409311e411387ec1524ccecf085)
Merged-In: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
Change-Id: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
---
core/java/com/android/internal/os/ZygoteConnection.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index 9fa3239b60cf..6b11ed43f171 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -98,6 +98,9 @@ class ZygoteConnection {
throw ex;
}
+ if (peer.getUid() != Process.SYSTEM_UID) {
+ throw new ZygoteSecurityException("Only system UID is allowed to connect to Zygote.");
+ }
isEof = false;
}

View File

@ -0,0 +1,63 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Mon, 22 Apr 2024 21:14:56 +0000
Subject: [PATCH] Fix an authentication bypass bug in SMP
When pairing with BLE legacy pairing initiated
from remote, authentication can be bypassed.
This change fixes it.
Bug: 251514170
Test: m com.android.btservices
Test: manual run against PoC
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a3dbadc71428a30b172a74343be08498c656747)
Merged-In: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
Change-Id: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
---
stack/smp/smp_act.cc | 12 ++++++++++++
stack/smp/smp_int.h | 1 +
2 files changed, 13 insertions(+)
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index 7b6ae6f2c..db0617904 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -275,6 +275,7 @@ void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
SMP_TRACE_DEBUG("%s", __func__);
smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
+ p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
}
/*******************************************************************************
@@ -631,6 +632,17 @@ void smp_proc_rand(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
return;
}
+ if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
+ (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
+ !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
+ // in legacy pairing, the peer should send its rand after
+ // we send our confirm
+ tSMP_INT_DATA smp_int_data{};
+ smp_int_data.status = SMP_INVALID_PARAMETERS;
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
+ return;
+ }
+
/* save the SRand for comparison */
STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
}
diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h
index fc8717f7c..b3e13b3ee 100644
--- a/stack/smp/smp_int.h
+++ b/stack/smp/smp_int.h
@@ -239,6 +239,7 @@ typedef union {
(1 << 7) /* used to resolve race condition */
#define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY \
(1 << 8) /* used on slave to resolve race condition */
+#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9)
/* check if authentication requirement need MITM protection */
#define SMP_NO_MITM_REQUIRED(x) (((x)&SMP_AUTH_YN_BIT) == 0)

View File

@ -76,7 +76,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
sed -i 's/2021-10-05/2024-06-05/' core/version_defaults.mk; #Bump Security String #XXX sed -i 's/2021-10-05/2024-07-05/' core/version_defaults.mk; #Bump Security String #XXX
fi; fi;
if enterAndClear "build/soong"; then if enterAndClear "build/soong"; then
@ -263,6 +263,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/394879.patch"; #P_asb_2024-06 A
applyPatch "$DOS_PATCHES/android_frameworks_base/394880.patch"; #P_asb_2024-06 Check hidden API exemptions applyPatch "$DOS_PATCHES/android_frameworks_base/394880.patch"; #P_asb_2024-06 Check hidden API exemptions
applyPatch "$DOS_PATCHES/android_frameworks_base/394881-backport.patch"; #P_asb_2024-06 AccessibilityManagerService: remove uninstalled services from enabled list after service update. applyPatch "$DOS_PATCHES/android_frameworks_base/394881-backport.patch"; #P_asb_2024-06 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
applyPatch "$DOS_PATCHES/android_frameworks_base/394882.patch"; #P_asb_2024-06 Check permissions for CDM shell commands applyPatch "$DOS_PATCHES/android_frameworks_base/394882.patch"; #P_asb_2024-06 Check permissions for CDM shell commands
applyPatch "$DOS_PATCHES/android_frameworks_base/397594.patch"; #P_asb_2024-07 Verify UID of incoming Zygote connections.
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
@ -539,6 +540,7 @@ applyPatch "$DOS_PATCHES/android_system_bt/381895.patch"; #R_asb_2024-02 Fix an
#applyPatch "$DOS_PATCHES/android_system_bt/385676-backport.patch"; #P_asb_2024-03 Fix an OOB bug in smp_proc_sec_req #XXX: alternatively forward-port 385236 & 385237 #applyPatch "$DOS_PATCHES/android_system_bt/385676-backport.patch"; #P_asb_2024-03 Fix an OOB bug in smp_proc_sec_req #XXX: alternatively forward-port 385236 & 385237
applyPatch "$DOS_PATCHES/android_system_bt/385677.patch"; #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd applyPatch "$DOS_PATCHES/android_system_bt/385677.patch"; #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
applyPatch "$DOS_PATCHES/android_system_bt/385678.patch"; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond applyPatch "$DOS_PATCHES/android_system_bt/385678.patch"; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
applyPatch "$DOS_PATCHES/android_system_bt/397596.patch"; #P_asb_2024-07 Fix an authentication bypass bug in SMP
fi; fi;
if enterAndClear "system/ca-certificates"; then if enterAndClear "system/ca-certificates"; then

View File

@ -97,7 +97,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
sed -i 's/2022-01-05/2024-07-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-06 #XXX sed -i 's/2022-01-05/2024-07-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-07 #XXX
fi; fi;
if enterAndClear "build/soong"; then if enterAndClear "build/soong"; then