14/19/20: ASB Picks

Signed-off-by: Tavi <tavi@divested.dev>
Tavi 2024-03-09 11:05:06 -05:00
parent f5a44efdff
commit 366140a179
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
11 changed files with 551 additions and 2 deletions


@ -0,0 +1,34 @@
From 5e888da782da37b0e2df2bc078e5e68dc87340e3 Mon Sep 17 00:00:00 2001
From: Haripriya Deshmukh <haripriya.deshmukh@ittiam.com>
Date: Tue, 5 Dec 2023 18:32:38 +0000
Subject: [PATCH] Fix out of bounds read and write in onQueueFilled in outQueue
Bug: 276442130
Test: POC in bug descriptions
(cherry picked from https://partner-android-review.googlesource.com/q/commit:7aef41e59412e2f95bab5de7e33f5f04bb808643)
(cherry picked from commit 8f4cfda9fc75f1e9ba3b6dee3fbffda4b6111d64)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:208e430bc6380fafafca8041b239f835263a9d47)
Merged-In: Ic230d10048193a785f185dc6a7de6f455f9318c1
Change-Id: Ic230d10048193a785f185dc6a7de6f455f9318c1
---
media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
index 411a251d150..b14890300e1 100644
--- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
@@ -316,8 +316,11 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) {
outHeader->nFilledLen = frameSize;
List<BufferInfo *>::iterator it = outQueue.begin();
- while ((*it)->mHeader != outHeader) {
- ++it;
+ while (it != outQueue.end() && (*it)->mHeader != outHeader) {
+ ++it;
+ }
+ if (it == outQueue.end()) {
+ return;
}
BufferInfo *outInfo = *it;
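Review bot: The new `if (it == outQueue.end()) { return; }` in onQueueFilled exits silently, after `outHeader->nFilledLen = frameSize;` has already been written, so a header that is missing from outQueue leaves no trace in the logs and the client is not told that decoding stopped. I would log before returning, for example `ALOGE("b/276442130: outHeader not found in outQueue");`, so that a device hitting this path can be identified. onQueueFilled starts and continues outside this hunk, so whether buffers taken earlier in the function still need to be released on this path cannot be judged from here and should be checked.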


@ -0,0 +1,47 @@
From 63669b42bb2fbdf4b242944e88bb541d3a6fe465 Mon Sep 17 00:00:00 2001
From: Haripriya Deshmukh <haripriya.deshmukh@ittiam.com>
Date: Tue, 19 Sep 2023 20:42:45 +0000
Subject: [PATCH] Validate OMX Params for VPx encoders
Bug: 273936274
Bug: 273937171
Bug: 273937136
Bug: 273936553
Bug: 273936601
Test: POC in bug descriptions
(cherry picked from https://partner-android-review.googlesource.com/q/commit:022086b76536cd2e19a44053271190bdf6e181f7)
(cherry picked from commit 0e4ca1cb5c16af8f1dfb0ae41941c16c104d38e8)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90641b2799fd3940cdf0bf8a73b2f76839e651a6)
Merged-In: I9bb17112d9f0217b6af0343afecc9c943453b757
Change-Id: I9bb17112d9f0217b6af0343afecc9c943453b757
---
media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp
index 04d8dda075e..1be823c9755 100644
--- a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp
+++ b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp
@@ -532,6 +532,11 @@ OMX_ERRORTYPE SoftVPXEncoder::setConfig(
OMX_ERRORTYPE SoftVPXEncoder::internalSetVp8Params(
const OMX_VIDEO_PARAM_VP8TYPE* vp8Params) {
+ if (!isValidOMXParam(vp8Params)) {
+ android_errorWriteLog(0x534e4554, "273937171");
+ return OMX_ErrorBadParameter;
+ }
+
if (vp8Params->nPortIndex != kOutputPortIndex) {
return OMX_ErrorUnsupportedIndex;
}
@@ -561,6 +566,10 @@ OMX_ERRORTYPE SoftVPXEncoder::internalSetVp8Params(
OMX_ERRORTYPE SoftVPXEncoder::internalSetAndroidVp8Params(
const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE* vp8AndroidParams) {
+ if (!isValidOMXParam(vp8AndroidParams)) {
+ android_errorWriteLog(0x534e4554, "273937171");
+ return OMX_ErrorBadParameter;
+ }
if (vp8AndroidParams->nPortIndex != kOutputPortIndex) {
return OMX_ErrorUnsupportedIndex;
}
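Review bot: Both new guards log the same ID, `android_errorWriteLog(0x534e4554, "273937171");`, although the patch header lists five bugs, so a log hit cannot tell whether internalSetVp8Params or internalSetAndroidVp8Params rejected the structure. If that distinction matters for triage, each guard should log the bug ID that belongs to its setter; the mapping is not visible on this page. A one-line comment such as `// 0x534e4554 is ASCII "SNET", the tag used for security event logging` would also explain the constant. Both function bodies continue past the hunks.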


@ -0,0 +1,69 @@
From ca4c85efdba2b8f4318e34759d4fd8a6bd7c9943 Mon Sep 17 00:00:00 2001
From: kumarashishg <kumarashishg@google.com>
Date: Mon, 17 Jul 2023 12:01:18 +0000
Subject: [PATCH] Resolve custom printer icon boundary exploit.
Because Settings grants the INTERACT_ACROSS_USERS_FULL permission, an exploit is possible where the third party print plugin service can pass other's User Icon URI. This CL provides a lightweight solution for parsing the image URI to detect profile exploitation.
Bug: 281525042
Test: Build and flash the code. Try to reproduce the issue with
mentioned steps in the bug
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0e0693ca9cb408d0dc82f6c6b3feb453fc8ddd83)
Merged-In: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce
Change-Id: Iaaa6fe2a627a265c4d1d7b843a033a132e1fe2ce
Change-Id: Ic383eed92b599e5f9aa7f1c4a58135336e8e6e68
---
.../server/print/PrintManagerService.java | 34 ++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/services/print/java/com/android/server/print/PrintManagerService.java b/services/print/java/com/android/server/print/PrintManagerService.java
index 1feb81664e95c..9dc22162a2c1c 100644
--- a/services/print/java/com/android/server/print/PrintManagerService.java
+++ b/services/print/java/com/android/server/print/PrintManagerService.java
@@ -203,12 +203,44 @@ public Icon getCustomPrinterIcon(PrinterId printerId, int userId) {
}
final long identity = Binder.clearCallingIdentity();
try {
- return userState.getCustomPrinterIcon(printerId);
+ Icon icon = userState.getCustomPrinterIcon(printerId);
+ return validateIconUserBoundary(icon);
} finally {
Binder.restoreCallingIdentity(identity);
}
}
+ /**
+ * Validates the custom printer icon to see if it's not in the calling user space.
+ * If the condition is not met, return null. Otherwise, return the original icon.
+ *
+ * @param icon
+ * @return icon (validated)
+ */
+ private Icon validateIconUserBoundary(Icon icon) {
+ // Refer to Icon#getUriString for context. The URI string is invalid for icons of
+ // incompatible types.
+ if (icon != null && (icon.getType() == Icon.TYPE_URI)) {
+ String encodedUser = icon.getUri().getEncodedUserInfo();
+
+ // If there is no encoded user, the URI is calling into the calling user space
+ if (encodedUser != null) {
+ int userId = Integer.parseInt(encodedUser);
+ // resolve encoded user
+ final int resolvedUserId = resolveCallingUserEnforcingPermissions(userId);
+
+ synchronized (mLock) {
+ // Only the current group members can get the printer icons.
+ if (resolveCallingProfileParentLocked(resolvedUserId)
+ != getCurrentUserId()) {
+ return null;
+ }
+ }
+ }
+ }
+ return icon;
+ }
+
@Override
public void cancelPrintJob(PrintJobId printJobId, int appId, int userId) {
if (printJobId == null) {
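Review bot: `Integer.parseInt(encodedUser)` in validateIconUserBoundary throws NumberFormatException when the URI's user-info part is not a decimal integer, and that URI originates from the print service, so a malformed icon URI raises out of getCustomPrinterIcon instead of being rejected. An unparsable user should be treated as a failed boundary check: `int userId; try { userId = Integer.parseInt(encodedUser); } catch (NumberFormatException e) { return null; }`. Separately, the helper is called after `Binder.clearCallingIdentity()`, so `resolveCallingUserEnforcingPermissions(userId)` presumably evaluates against the cleared identity rather than the original caller; it is worth confirming that this is intended.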


@ -0,0 +1,59 @@
From ace2c7017edeb221b293513497a9b7e4480bfcbd Mon Sep 17 00:00:00 2001
From: Dmitry Dementyev <dementyev@google.com>
Date: Wed, 3 Jan 2024 09:26:56 -0800
Subject: [PATCH] Close AccountManagerService.session after timeout.
Bug: 303905130
Bug: 316893159
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bb53f192e0ceaa026a083da156ef0cb0140f0c09)
Merged-In: Ib4cebf1750fc6324dc1c8853e0d716ea5e8ec073
Change-Id: Ib4cebf1750fc6324dc1c8853e0d716ea5e8ec073
Change-Id: I39afbe8f4bfc6b652365c798c64328797f27e5d4
---
.../android/server/accounts/AccountManagerService.java | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index 126955add01a9..ecd642bebb669 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -180,6 +180,7 @@ public void onUnlockUser(int userHandle) {
final MessageHandler mMessageHandler;
+ private static final int TIMEOUT_DELAY_MS = 1000 * 60 * 15;
// Messages that can be sent on mHandler
private static final int MESSAGE_TIMED_OUT = 3;
private static final int MESSAGE_COPY_SHARED_ACCOUNT = 4;
@@ -4172,6 +4173,7 @@ public Session(UserAccounts accounts, IAccountManagerResponse response, String a
synchronized (mSessions) {
mSessions.put(toString(), this);
}
+ scheduleTimeout();
if (response != null) {
try {
response.asBinder().linkToDeath(this, 0 /* flags */);
@@ -4279,6 +4281,11 @@ private void unbind() {
}
}
+ private void scheduleTimeout() {
+ mMessageHandler.sendMessageDelayed(
+ mMessageHandler.obtainMessage(MESSAGE_TIMED_OUT, this), TIMEOUT_DELAY_MS);
+ }
+
public void cancelTimeout() {
mMessageHandler.removeMessages(MESSAGE_TIMED_OUT, this);
}
@@ -4315,6 +4322,9 @@ public void onServiceDisconnected(ComponentName name) {
public void onTimedOut() {
IAccountManagerResponse response = getResponseAndClose();
+ if (Log.isLoggable(TAG, Log.VERBOSE)) {
+ Log.v(TAG, "Session.onTimedOut");
+ }
if (response != null) {
try {
response.onError(AccountManager.ERROR_CODE_REMOTE_EXCEPTION,
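Review bot: `TIMEOUT_DELAY_MS = 1000 * 60 * 15` is added without a comment giving the duration or what happens when it elapses; I would add `// Sessions still open after 15 minutes receive MESSAGE_TIMED_OUT and are closed.` above it. `scheduleTimeout()` also runs inside the Session constructor and hands `this` to the handler before the `linkToDeath` call that follows it; with a 15-minute delay that is harmless in practice, but it deserves a remark next to the call. Whether every close path calls `cancelTimeout()` is outside these hunks; if one does not, the queued message keeps the Session reachable until the delay expires.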


@ -0,0 +1,140 @@
From b7bac88b9cfc050ee13fc620a19f1f78c8311f3d Mon Sep 17 00:00:00 2001
From: Ugo Yu <ugoyu@google.com>
Date: Thu, 29 Nov 2018 17:55:40 +0800
Subject: [PATCH] Fix OOB caused by invalid SMP packet length
Bug: 111850706
Bug: 111213909
Bug: 111214770
Bug: 111214470
Test: PoC, Manully
Change-Id: I889d2de97b1aab706c850a950f668aba558f240f
---
stack/smp/smp_act.c | 34 ++++++++++++++++++++++++++++++++++
stack/smp/smp_int.h | 1 +
stack/smp/smp_utils.c | 29 +++++++++++++++++++++++++++++
3 files changed, 64 insertions(+)
diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c
index 8702e109578..c2dfc7205f8 100644
--- a/stack/smp/smp_act.c
+++ b/stack/smp/smp_act.c
@@ -579,6 +579,14 @@ void smp_proc_pair_cmd(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
+ if (smp_command_has_invalid_length(p_cb))
+ {
+ reason = SMP_INVALID_PARAMETERS;
+ android_errorWriteLog(0x534e4554, "111850706");
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+ return;
+ }
+
STREAM_TO_UINT8(p_cb->peer_io_caps, p);
STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
STREAM_TO_UINT8(p_cb->peer_auth_req, p);
@@ -890,6 +898,14 @@ void smp_br_process_pairing_command(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;
+ if (smp_command_has_invalid_length(p_cb))
+ {
+ reason = SMP_INVALID_PARAMETERS;
+ android_errorWriteLog(0x534e4554, "111213909");
+ smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &reason);
+ return;
+ }
+
STREAM_TO_UINT8(p_cb->peer_io_caps, p);
STREAM_TO_UINT8(p_cb->peer_oob_flag, p);
STREAM_TO_UINT8(p_cb->peer_auth_req, p);
@@ -1107,9 +1123,18 @@ void smp_proc_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
void smp_proc_id_addr(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
{
UINT8 *p = (UINT8 *)p_data;
+ UINT8 reason = SMP_INVALID_PARAMETERS;
tBTM_LE_KEY_VALUE pid_key;
SMP_TRACE_DEBUG("%s", __func__);
+
+ if (smp_command_has_invalid_parameters(p_cb))
+ {
+ android_errorWriteLog(0x534e4554, "111214770");
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+ return;
+ }
+
smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ID, TRUE);
STREAM_TO_UINT8(pid_key.pid_key.addr_type, p);
@@ -1134,8 +1159,17 @@ void smp_proc_id_addr(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
void smp_proc_srk_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
{
tBTM_LE_KEY_VALUE le_key;
+ UINT8 reason = SMP_INVALID_PARAMETERS;
SMP_TRACE_DEBUG("%s", __func__);
+
+ if (smp_command_has_invalid_parameters(p_cb))
+ {
+ android_errorWriteLog(0x534e4554, "111214470");
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+ return;
+ }
+
smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_CSRK, TRUE);
/* save CSRK to security record */
diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h
index aea85380edd..bfac772b9d5 100644
--- a/stack/smp/smp_int.h
+++ b/stack/smp/smp_int.h
@@ -488,6 +488,7 @@ extern void smp_xor_128(BT_OCTET16 a, BT_OCTET16 b);
extern BOOLEAN smp_encrypt_data (UINT8 *key, UINT8 key_len,
UINT8 *plain_text, UINT8 pt_len,
tSMP_ENC *p_out);
+extern BOOLEAN smp_command_has_invalid_length(tSMP_CB *p_cb);
extern BOOLEAN smp_command_has_invalid_parameters(tSMP_CB *p_cb);
extern void smp_reject_unexpected_pairing_command(BD_ADDR bd_addr);
extern tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB *p_cb);
diff --git a/stack/smp/smp_utils.c b/stack/smp/smp_utils.c
index 6ea98f4bac5..ec6f0307d87 100644
--- a/stack/smp/smp_utils.c
+++ b/stack/smp/smp_utils.c
@@ -962,6 +962,35 @@ void smp_proc_pairing_cmpl(tSMP_CB *p_cb)
(*p_callback) (SMP_COMPLT_EVT, pairing_bda, &evt_data);
}
+/*******************************************************************************
+ *
+ * Function smp_command_has_invalid_length
+ *
+ * Description Checks if the received SMP command has invalid length
+ * It returns true if the command has invalid length.
+ *
+ * Returns true if the command has invalid length, false otherwise.
+ *
+ ******************************************************************************/
+BOOLEAN smp_command_has_invalid_length(tSMP_CB* p_cb)
+{
+ UINT8 cmd_code = p_cb->rcvd_cmd_code;
+
+ if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) ||
+ (cmd_code < SMP_OPCODE_MIN))
+ {
+ SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x",
+ __func__, cmd_code);
+ return TRUE;
+ }
+
+ if (!smp_command_has_valid_fixed_length(p_cb)) {
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
/*******************************************************************************
**
** Function smp_command_has_invalid_parameters
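Review bot: In smp_proc_pair_cmd and smp_br_process_pairing_command the new length check sits after `p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;`, so a packet rejected for its length has already modified the control block. Moving the `if (smp_command_has_invalid_length(p_cb))` block above that assignment would keep rejected input from touching state; both functions start outside the hunks, so there may be earlier writes to check as well. In smp_utils.c the new header comment states the return value twice, and the Description sentence `It returns true if the command has invalid length.` can be dropped. `smp_command_has_valid_fixed_length` is called but not declared in the visible lines, so it is presumably defined earlier in smp_utils.c.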


@ -0,0 +1,40 @@
From 6dec464a0690efa6f008779876ef90f2c45df691 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 28 Nov 2023 19:57:20 +0000
Subject: [PATCH] Fix an OOB bug in smp_proc_sec_req
This is a backport of I400cfa3523c6d8b25c233205748c2db5dc803d1d
Bug: 300903400
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:970c95d7c06c909c34a849587f701098129fc2ef)
Merged-In: Id4c65801ff8519aff18b24007e344934493cab55
Change-Id: Id4c65801ff8519aff18b24007e344934493cab55
---
stack/smp/smp_act.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c
index c2dfc7205f..dcbb54aee8 100644
--- a/stack/smp/smp_act.c
+++ b/stack/smp/smp_act.c
@@ -481,9 +481,17 @@ void smp_send_ltk_reply(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
*******************************************************************************/
void smp_proc_sec_req(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
{
+ UINT8 reason;
+
+ if (smp_command_has_invalid_length(p_cb))
+ {
+ reason = SMP_INVALID_PARAMETERS;
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+ return;
+ }
+
tBTM_LE_AUTH_REQ auth_req = *(tBTM_LE_AUTH_REQ *)p_data;
tBTM_BLE_SEC_REQ_ACT sec_req_act;
- UINT8 reason;
SMP_TRACE_DEBUG("%s auth_req=0x%x", __func__, auth_req);
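Review bot: The guard added to smp_proc_sec_req rejects a bad length without the `android_errorWriteLog` call that the other SMP length guards in this commit carry, so this rejection does not show up in the event log. For consistency I would add `android_errorWriteLog(0x534e4554, "300903400");` before the `smp_sm_event` call, using the bug ID from this patch's header. `reason` could also be initialised where it is declared, `UINT8 reason = SMP_INVALID_PARAMETERS;`, as smp_proc_id_addr does. The function body continues outside the hunk.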


@ -0,0 +1,117 @@
From a4e7043cca16478786da91619e312670f4f29015 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Fri, 15 Dec 2023 22:55:33 +0000
Subject: [PATCH] Reland: Fix an OOB write bug in attp_build_value_cmd
This is a backport of I291fd665a68d90813b8c21c80d23cc438f84f285
Bug: 295887535
Bug: 315127634
Test: m com.android.btservices
Test: atest net_test_stack_gatt
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:70f7ff2b34e6683301c9c6cd021e1ddef76c5b1c)
Merged-In: Ieffac6db5c6359b071efc599f7a70de609b80b72
Change-Id: Ieffac6db5c6359b071efc599f7a70de609b80b72
---
stack/gatt/att_protocol.c | 58 +++++++++++++++++++++++++++++++--------
1 file changed, 47 insertions(+), 11 deletions(-)
diff --git a/stack/gatt/att_protocol.c b/stack/gatt/att_protocol.c
index e0963622049..7981950a30e 100644
--- a/stack/gatt/att_protocol.c
+++ b/stack/gatt/att_protocol.c
@@ -274,46 +274,82 @@ BT_HDR *attp_build_opcode_cmd(UINT8 op_code)
BT_HDR *attp_build_value_cmd (UINT16 payload_size, UINT8 op_code, UINT16 handle,
UINT16 offset, UINT16 len, UINT8 *p_data)
{
- UINT8 *p, *pp, pair_len, *p_pair_len;
+ UINT8 *p, *pp, *p_pair_len;
+ size_t pair_len;
+ size_t size_now = 1;
+
+#define CHECK_SIZE() \
+ do \
+ { \
+ if (size_now > payload_size) \
+ { \
+ GATT_TRACE_ERROR("payload size too small"); \
+ osi_free(p_buf); \
+ return NULL; \
+ } \
+ } while (false)
+
BT_HDR *p_buf =
(BT_HDR *)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
p = pp = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
+
+ CHECK_SIZE();
UINT8_TO_STREAM(p, op_code);
p_buf->offset = L2CAP_MIN_OFFSET;
- p_buf->len = 1;
if (op_code == GATT_RSP_READ_BY_TYPE) {
- p_pair_len = p;
+ p_pair_len = p++;
pair_len = len + 2;
- UINT8_TO_STREAM (p, pair_len);
- p_buf->len += 1;
+ size_now += 1;
+ CHECK_SIZE();
+ // this field will be backfilled in the end of this function
}
+
if (op_code != GATT_RSP_READ_BLOB && op_code != GATT_RSP_READ) {
+ size_now += 2;
+ CHECK_SIZE();
UINT16_TO_STREAM (p, handle);
- p_buf->len += 2;
}
if (op_code == GATT_REQ_PREPARE_WRITE ||op_code == GATT_RSP_PREPARE_WRITE) {
+ size_now += 2;
+ CHECK_SIZE();
UINT16_TO_STREAM (p, offset);
- p_buf->len += 2;
}
if (len > 0 && p_data != NULL) {
/* ensure data not exceed MTU size */
- if (payload_size - p_buf->len < len) {
- len = payload_size - p_buf->len;
+ if (payload_size - size_now < len) {
+ len = payload_size - size_now;
/* update handle value pair length */
if (op_code == GATT_RSP_READ_BY_TYPE)
- *p_pair_len = (len + 2);
+ pair_len = (len + 2);
GATT_TRACE_WARNING("attribute value too long, to be truncated to %d", len);
}
+ size_now += len;
+ CHECK_SIZE();
ARRAY_TO_STREAM(p, p_data, len);
- p_buf->len += len;
}
+ // backfill pair len field
+ if (op_code == GATT_RSP_READ_BY_TYPE)
+ {
+ if (pair_len > UINT8_MAX)
+ {
+ GATT_TRACE_ERROR("pair_len greater than %d", UINT8_MAX);
+ osi_free(p_buf);
+ return NULL;
+ }
+
+ *p_pair_len = (uint8_t)pair_len;
+ }
+
+#undef CHECK_SIZE
+
+ p_buf->len = (uint16_t)size_now;
return p_buf;
}
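Review bot: attp_build_value_cmd now returns NULL from `CHECK_SIZE()` and from the `pair_len > UINT8_MAX` branch, but the visible lines do not document this; the header comment and the callers are outside the hunk. Any caller that uses the result without a NULL check would turn an undersized payload_size into a null dereference. I would add to the function's header comment a line such as `** Returns pointer to the command buffer, or NULL if payload_size cannot hold the command.` and audit the call sites. Minor style point: the macro ends in `while (false)` and the new casts use `uint8_t`/`uint16_t` in a C file that otherwise uses `UINT8`/`UINT16`; `while (0)` and the file's own types avoid depending on which headers happen to be included.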


@ -0,0 +1,33 @@
From 87a4f4196ec70bb7365a1e206be63073e102544b Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 9 Jan 2024 22:38:20 +0000
Subject: [PATCH] Fix a security bypass issue in
access_secure_service_from_temp_bond
Backport I48df2c2d77810077e97d4131540277273d441998
to rvc-dev
Bug: 318374503
Test: m com.android.btservices | manual test against PoC | QA
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e908c16d9157b9e4a936117f06b8f964cf8386b8)
Merged-In: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f
Change-Id: Ib7cf66019b3d45a2a23d235ad5f9dc406394456f
---
stack/btm/btm_sec.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c
index 23b334ce27..cf90725490 100644
--- a/stack/btm/btm_sec.c
+++ b/stack/btm/btm_sec.c
@@ -245,8 +245,7 @@ static BOOLEAN access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_de
uint16_t security_req)
{
return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
- btm_dev_authenticated(p_dev_rec) &&
- p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
+ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
}
/*******************************************************************************
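Review bot: With `btm_dev_authenticated(p_dev_rec) &&` removed, access_secure_service_from_temp_bond carries no comment saying why the authentication state is deliberately ignored, which makes it easy for a later cleanup to put the condition back. A short comment above the return would record the intent, for example `/* A temporary bond must not reach a service that requires authentication, regardless of the link's current authentication state. */`. That wording is inferred from the patch subject and should be checked against the upstream rationale.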


@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
awk -i inplace '!/Exchange2/' target/product/core.mk;
sed -i 's/2021-06-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-02 #XXX
sed -i 's/2021-06-05/2024-03-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-03 #XXX
fi;
if enterAndClear "device/qcom/sepolicy"; then
@ -169,6 +169,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_av/358729.patch"; #n-asb-2023-06 Fix
applyPatch "$DOS_PATCHES/android_frameworks_av/365698.patch"; #n-asb-2023-09 Fix Segv on unknown address error flagged by fuzzer test.
applyPatch "$DOS_PATCHES/android_frameworks_av/373035.patch"; #n-asb-2023-11 Fix for heap buffer overflow issue flagged by fuzzer test.
applyPatch "$DOS_PATCHES/android_frameworks_av/381852.patch"; #n-asb-2024-02 Update mtp packet buffer
applyPatch "$DOS_PATCHES/android_frameworks_av/385240.patch"; #n-asb-2024-03 Fix out of bounds read and write in onQueueFilled in outQueue
applyPatch "$DOS_PATCHES/android_frameworks_av/385243.patch"; #n-asb-2024-03 Validate OMX Params for VPx encoders
fi;
if enterAndClear "frameworks/base"; then
@ -247,6 +249,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/377939.patch"; #n-asb-2023-12 R
applyPatch "$DOS_PATCHES/android_frameworks_base/378954.patch"; #n-asb-2024-01 Truncate user data to a limit of 500 characters
applyPatch "$DOS_PATCHES/android_frameworks_base/378955.patch"; #n-asb-2024-01 Fix vulnerability that allowed attackers to start arbitary activities
applyPatch "$DOS_PATCHES/android_frameworks_base/378956.patch"; #n-asb-2024-01 Fix ActivityManager#killBackgroundProcesses permissions
applyPatch "$DOS_PATCHES/android_frameworks_base/385241.patch"; #n-asb-2024-03 Resolve custom printer icon boundary exploit.
applyPatch "$DOS_PATCHES/android_frameworks_base/385242.patch"; #n-asb-2024-03 Close AccountManagerService.session after timeout.
git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@ -542,6 +546,10 @@ applyPatch "$DOS_PATCHES/android_system_bt/378960.patch"; #n-asb-2024-01 LE Adve
applyPatch "$DOS_PATCHES/android_system_bt/378961.patch"; #n-asb-2024-01 Fix some OOB errors in BTM parsing
applyPatch "$DOS_PATCHES/android_system_bt/381850.patch"; #n-asb-2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
applyPatch "$DOS_PATCHES/android_system_bt/381851.patch"; #n-asb-2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
applyPatch "$DOS_PATCHES/android_system_bt/385236.patch"; #n-asb-2024-03 Fix OOB caused by invalid SMP packet length
applyPatch "$DOS_PATCHES/android_system_bt/385237.patch"; #n-asb-2024-03 Fix an OOB bug in smp_proc_sec_req
applyPatch "$DOS_PATCHES/android_system_bt/385238.patch"; #n-asb-2024-03 Fix an OOB write bug in attp_build_value_cmd
applyPatch "$DOS_PATCHES/android_system_bt/385239.patch"; #n-asb-2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)


@ -66,9 +66,10 @@ patchWorkspaceReal() {
verifyAllPlatformTags;
gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
#source build/envsetup.sh;
source build/envsetup.sh;
#repopick -ift twelve-bt-sbc-hd-dualchannel;
#repopick -it twelve-colors;
repopick -it S_asb_2024-03;
sh "$DOS_SCRIPTS/Patch.sh";
sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
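Review bot: `repopick -it S_asb_2024-03;` (and `repopick -it T_asb_2024-03;` in the next file) applies whatever changes carry that Gerrit topic at build time, and it runs after `verifyAllPlatformTags;` and `gpgVerifyGitHead`, so these picks are neither pinned nor covered by the verification steps visible here. Two builds from this same commit can therefore include different code. I would either pick explicit change numbers, as the `repopick -i 361248;` line in the next file does, or record the limitation next to the line, e.g. `#XXX: topic picks are unpinned and unverified; review what was applied`. patchWorkspaceReal continues outside both hunks.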


@ -161,6 +161,7 @@ patchWorkspaceReal() {
source build/envsetup.sh;
repopick -i 361248; #Launcher3: Allow toggling monochrome icons for all apps
repopick -it T_asb_2024-03;
sh "$DOS_SCRIPTS/Patch.sh";
sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";