mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-23 22:01:08 -05:00
15.1 September ASB work
Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
parent
51b28e6cdf
commit
3aa7e02455
32
Patches/LineageOS-15.1/android_frameworks_av/365962.patch
Normal file
32
Patches/LineageOS-15.1/android_frameworks_av/365962.patch
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Shruti Bihani <shrutibihani@google.com>
|
||||||
|
Date: Thu, 6 Jul 2023 08:41:56 +0000
|
||||||
|
Subject: [PATCH] Fix Segv on unknown address error flagged by fuzzer test.
|
||||||
|
|
||||||
|
The error is thrown when the destructor tries to free pointer memory.
|
||||||
|
This is happening for cases where the pointer was not initialized. Initializing it to a default value fixes the error.
|
||||||
|
|
||||||
|
Bug: 245135112
|
||||||
|
Test: Build mtp_host_property_fuzzer and run on the target device
|
||||||
|
(cherry picked from commit 3afa6e80e8568fe63f893fa354bc79ef91d3dcc0)
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d44311374e41a26b28db56794c9a7890a13a6972)
|
||||||
|
Merged-In: I255cd68b7641e96ac47ab81479b9b46b78c15580
|
||||||
|
Change-Id: I255cd68b7641e96ac47ab81479b9b46b78c15580
|
||||||
|
---
|
||||||
|
media/mtp/MtpProperty.h | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/media/mtp/MtpProperty.h b/media/mtp/MtpProperty.h
|
||||||
|
index 03c08e1eed..45fcbe8917 100644
|
||||||
|
--- a/media/mtp/MtpProperty.h
|
||||||
|
+++ b/media/mtp/MtpProperty.h
|
||||||
|
@@ -24,6 +24,9 @@ namespace android {
|
||||||
|
class MtpDataPacket;
|
||||||
|
|
||||||
|
struct MtpPropertyValue {
|
||||||
|
+ // pointer str initialized to NULL so that free operation
|
||||||
|
+ // is not called for pre-assigned value
|
||||||
|
+ MtpPropertyValue() : str (NULL) {}
|
||||||
|
union {
|
||||||
|
int8_t i8;
|
||||||
|
uint8_t u8;
|
28
Patches/LineageOS-15.1/android_frameworks_base/365967.patch
Normal file
28
Patches/LineageOS-15.1/android_frameworks_base/365967.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Dementyev <dementyev@google.com>
|
||||||
|
Date: Fri, 30 Jun 2023 14:36:44 -0700
|
||||||
|
Subject: [PATCH] Update AccountManagerService checkKeyIntentParceledCorrectly.
|
||||||
|
|
||||||
|
Bug: 265798288
|
||||||
|
Test: manual
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b117b506ec0504ff9eb2fa523e82f1879ecb8cc1)
|
||||||
|
Merged-In: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb
|
||||||
|
Change-Id: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb
|
||||||
|
---
|
||||||
|
.../com/android/server/accounts/AccountManagerService.java | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
|
||||||
|
index 39bb08e82b81..e06c4b3ef480 100644
|
||||||
|
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
|
||||||
|
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
|
||||||
|
@@ -4805,6 +4805,9 @@ public class AccountManagerService
|
||||||
|
Bundle simulateBundle = p.readBundle();
|
||||||
|
p.recycle();
|
||||||
|
Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
|
||||||
|
+ if (intent != null && intent.getClass() != Intent.class) {
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);
|
||||||
|
if (intent == null) {
|
||||||
|
return (simulateIntent == null);
|
@ -0,0 +1,34 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Devin Moore <devinmoore@google.com>
|
||||||
|
Date: Tue, 25 Apr 2023 00:17:13 +0000
|
||||||
|
Subject: [PATCH] Allow sensors list to be empty
|
||||||
|
|
||||||
|
Test: atest VtsHalSensorManagerV1_0TargetTest
|
||||||
|
Bug: 278013275
|
||||||
|
Bug: 269014004
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:49600b10aa5675d4e7e985203d69f252ead13e45)
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7057a9f08d98bfec8ffbabcf00f2885d3909c6c9)
|
||||||
|
Merged-In: I091f57de9570b0ace3a8da76f16fe0e83f0aa624
|
||||||
|
Change-Id: I091f57de9570b0ace3a8da76f16fe0e83f0aa624
|
||||||
|
---
|
||||||
|
libs/sensor/SensorManager.cpp | 7 ++-----
|
||||||
|
1 file changed, 2 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libs/sensor/SensorManager.cpp b/libs/sensor/SensorManager.cpp
|
||||||
|
index e5a0438fc5..e24c3bcecd 100644
|
||||||
|
--- a/libs/sensor/SensorManager.cpp
|
||||||
|
+++ b/libs/sensor/SensorManager.cpp
|
||||||
|
@@ -171,11 +171,8 @@ status_t SensorManager::assertStateLocked() {
|
||||||
|
|
||||||
|
mSensors = mSensorServer->getSensorList(mOpPackageName);
|
||||||
|
size_t count = mSensors.size();
|
||||||
|
- if (count == 0) {
|
||||||
|
- ALOGE("Failed to get Sensor list");
|
||||||
|
- mSensorServer.clear();
|
||||||
|
- return UNKNOWN_ERROR;
|
||||||
|
- }
|
||||||
|
+ // If count is 0, mSensorList will be non-null. This is old
|
||||||
|
+ // existing behavior and callers expect this.
|
||||||
|
mSensorList =
|
||||||
|
static_cast<Sensor const**>(malloc(count * sizeof(Sensor*)));
|
||||||
|
LOG_ALWAYS_FATAL_IF(mSensorList == NULL, "mSensorList NULL");
|
@ -0,0 +1,209 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Taran Singh <tarandeep@google.com>
|
||||||
|
Date: Fri, 19 May 2023 23:17:47 +0000
|
||||||
|
Subject: [PATCH] DO NOT MERGE: Prevent non-system IME from becoming device
|
||||||
|
admin
|
||||||
|
|
||||||
|
Currently selected IME can inject KeyEvent on DeviceAdminAdd screen to
|
||||||
|
activate itself as device admin and cause various DoS attacks.
|
||||||
|
|
||||||
|
This CL ensures KeyEvent on "Activate" button can only come from system
|
||||||
|
apps.
|
||||||
|
|
||||||
|
Bug: 280793427
|
||||||
|
Test: atest DeviceAdminActivationTest
|
||||||
|
(cherry picked from commit 70a501d02e0a6aefd874767a15378ba998759373)
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0ee3b96e59f3e5699c919af3642130fb33cd263b)
|
||||||
|
Merged-In: I6470d1684d707f4b1e86f8b456be0b4e0af5f188
|
||||||
|
Change-Id: I6470d1684d707f4b1e86f8b456be0b4e0af5f188
|
||||||
|
---
|
||||||
|
src/com/android/settings/DeviceAdminAdd.java | 120 ++++++++++---------
|
||||||
|
1 file changed, 64 insertions(+), 56 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/com/android/settings/DeviceAdminAdd.java b/src/com/android/settings/DeviceAdminAdd.java
|
||||||
|
index ebad411531..981930987a 100644
|
||||||
|
--- a/src/com/android/settings/DeviceAdminAdd.java
|
||||||
|
+++ b/src/com/android/settings/DeviceAdminAdd.java
|
||||||
|
@@ -49,6 +49,8 @@ import android.text.TextUtils.TruncateAt;
|
||||||
|
import android.util.EventLog;
|
||||||
|
import android.util.Log;
|
||||||
|
import android.view.Display;
|
||||||
|
+import android.view.KeyEvent;
|
||||||
|
+import android.view.LayoutInflater;
|
||||||
|
import android.view.View;
|
||||||
|
import android.view.ViewGroup;
|
||||||
|
import android.view.ViewTreeObserver;
|
||||||
|
@@ -131,7 +133,7 @@ public class DeviceAdminAdd extends Activity {
|
||||||
|
mAppOps = (AppOpsManager)getSystemService(Context.APP_OPS_SERVICE);
|
||||||
|
PackageManager packageManager = getPackageManager();
|
||||||
|
|
||||||
|
- if ((getIntent().getFlags()&Intent.FLAG_ACTIVITY_NEW_TASK) != 0) {
|
||||||
|
+ if ((getIntent().getFlags() & Intent.FLAG_ACTIVITY_NEW_TASK) != 0) {
|
||||||
|
Log.w(TAG, "Cannot start ADD_DEVICE_ADMIN as a new task");
|
||||||
|
finish();
|
||||||
|
return;
|
||||||
|
@@ -141,7 +143,7 @@ public class DeviceAdminAdd extends Activity {
|
||||||
|
EXTRA_CALLED_FROM_SUPPORT_DIALOG, false);
|
||||||
|
|
||||||
|
String action = getIntent().getAction();
|
||||||
|
- ComponentName who = (ComponentName)getIntent().getParcelableExtra(
|
||||||
|
+ ComponentName who = (ComponentName) getIntent().getParcelableExtra(
|
||||||
|
DevicePolicyManager.EXTRA_DEVICE_ADMIN);
|
||||||
|
if (who == null) {
|
||||||
|
String packageName = getIntent().getStringExtra(EXTRA_DEVICE_ADMIN_PACKAGE_NAME);
|
||||||
|
@@ -203,7 +205,7 @@ public class DeviceAdminAdd extends Activity {
|
||||||
|
PackageManager.GET_DISABLED_UNTIL_USED_COMPONENTS);
|
||||||
|
int count = avail == null ? 0 : avail.size();
|
||||||
|
boolean found = false;
|
||||||
|
- for (int i=0; i<count; i++) {
|
||||||
|
+ for (int i = 0; i < count; i++) {
|
||||||
|
ResolveInfo ri = avail.get(i);
|
||||||
|
if (ai.packageName.equals(ri.activityInfo.packageName)
|
||||||
|
&& ai.name.equals(ri.activityInfo.name)) {
|
||||||
|
@@ -286,12 +288,12 @@ public class DeviceAdminAdd extends Activity {
|
||||||
|
|
||||||
|
setContentView(R.layout.device_admin_add);
|
||||||
|
|
||||||
|
- mAdminIcon = (ImageView)findViewById(R.id.admin_icon);
|
||||||
|
- mAdminName = (TextView)findViewById(R.id.admin_name);
|
||||||
|
- mAdminDescription = (TextView)findViewById(R.id.admin_description);
|
||||||
|
+ mAdminIcon = (ImageView) findViewById(R.id.admin_icon);
|
||||||
|
+ mAdminName = (TextView) findViewById(R.id.admin_name);
|
||||||
|
+ mAdminDescription = (TextView) findViewById(R.id.admin_description);
|
||||||
|
mProfileOwnerWarning = (TextView) findViewById(R.id.profile_owner_warning);
|
||||||
|
|
||||||
|
- mAddMsg = (TextView)findViewById(R.id.add_msg);
|
||||||
|
+ mAddMsg = (TextView) findViewById(R.id.add_msg);
|
||||||
|
mAddMsgExpander = (ImageView) findViewById(R.id.add_msg_expander);
|
||||||
|
final View.OnClickListener onClickListener = new View.OnClickListener() {
|
||||||
|
@Override
|
||||||
|
@@ -314,7 +316,7 @@ public class DeviceAdminAdd extends Activity {
|
||||||
|
mAddMsgExpander.setVisibility(hideMsgExpander ? View.GONE : View.VISIBLE);
|
||||||
|
if (hideMsgExpander) {
|
||||||
|
mAddMsg.setOnClickListener(null);
|
||||||
|
- ((View)mAddMsgExpander.getParent()).invalidate();
|
||||||
|
+ ((View) mAddMsgExpander.getParent()).invalidate();
|
||||||
|
}
|
||||||
|
mAddMsg.getViewTreeObserver().removeOnGlobalLayoutListener(this);
|
||||||
|
}
|
||||||
|
@@ -332,7 +334,7 @@ public class DeviceAdminAdd extends Activity {
|
||||||
|
mCancelButton.setOnClickListener(new View.OnClickListener() {
|
||||||
|
public void onClick(View v) {
|
||||||
|
EventLog.writeEvent(EventLogTags.EXP_DET_DEVICE_ADMIN_DECLINED_BY_USER,
|
||||||
|
- mDeviceAdmin.getActivityInfo().applicationInfo.uid);
|
||||||
|
+ mDeviceAdmin.getActivityInfo().applicationInfo.uid);
|
||||||
|
finish();
|
||||||
|
}
|
||||||
|
});
|
||||||
|
@@ -352,58 +354,64 @@ public class DeviceAdminAdd extends Activity {
|
||||||
|
|
||||||
|
final View restrictedAction = findViewById(R.id.restricted_action);
|
||||||
|
restrictedAction.setFilterTouchesWhenObscured(true);
|
||||||
|
- restrictedAction.setOnClickListener(new View.OnClickListener() {
|
||||||
|
- public void onClick(View v) {
|
||||||
|
- if (!mActionButton.isEnabled()) {
|
||||||
|
- showPolicyTransparencyDialogIfRequired();
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
- if (mAdding) {
|
||||||
|
- addAndFinish();
|
||||||
|
- } else if (isManagedProfile(mDeviceAdmin)
|
||||||
|
- && mDeviceAdmin.getComponent().equals(mDPM.getProfileOwner())) {
|
||||||
|
- final int userId = UserHandle.myUserId();
|
||||||
|
- UserDialogs.createRemoveDialog(DeviceAdminAdd.this, userId,
|
||||||
|
- new DialogInterface.OnClickListener() {
|
||||||
|
- @Override
|
||||||
|
- public void onClick(DialogInterface dialog, int which) {
|
||||||
|
- UserManager um = UserManager.get(DeviceAdminAdd.this);
|
||||||
|
- um.removeUser(userId);
|
||||||
|
- finish();
|
||||||
|
- }
|
||||||
|
+
|
||||||
|
+ final View.OnClickListener restrictedActionClickListener = v -> {
|
||||||
|
+ if (!mActionButton.isEnabled()) {
|
||||||
|
+ showPolicyTransparencyDialogIfRequired();
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ if (mAdding) {
|
||||||
|
+ addAndFinish();
|
||||||
|
+ } else if (isManagedProfile(mDeviceAdmin)
|
||||||
|
+ && mDeviceAdmin.getComponent().equals(mDPM.getProfileOwner())) {
|
||||||
|
+ final int userId = UserHandle.myUserId();
|
||||||
|
+ UserDialogs.createRemoveDialog(DeviceAdminAdd.this, userId,
|
||||||
|
+ new DialogInterface.OnClickListener() {
|
||||||
|
+ @Override
|
||||||
|
+ public void onClick(DialogInterface dialog, int which) {
|
||||||
|
+ UserManager um = UserManager.get(DeviceAdminAdd.this);
|
||||||
|
+ um.removeUser(userId);
|
||||||
|
+ finish();
|
||||||
|
}
|
||||||
|
- ).show();
|
||||||
|
- } else if (mUninstalling) {
|
||||||
|
- mDPM.uninstallPackageWithActiveAdmins(mDeviceAdmin.getPackageName());
|
||||||
|
- finish();
|
||||||
|
- } else if (!mWaitingForRemoveMsg) {
|
||||||
|
- try {
|
||||||
|
- // Don't allow the admin to put a dialog up in front
|
||||||
|
- // of us while we interact with the user.
|
||||||
|
- ActivityManager.getService().stopAppSwitches();
|
||||||
|
- } catch (RemoteException e) {
|
||||||
|
- }
|
||||||
|
- mWaitingForRemoveMsg = true;
|
||||||
|
- mDPM.getRemoveWarning(mDeviceAdmin.getComponent(),
|
||||||
|
- new RemoteCallback(new RemoteCallback.OnResultListener() {
|
||||||
|
- @Override
|
||||||
|
- public void onResult(Bundle result) {
|
||||||
|
- CharSequence msg = result != null
|
||||||
|
- ? result.getCharSequence(
|
||||||
|
- DeviceAdminReceiver.EXTRA_DISABLE_WARNING)
|
||||||
|
- : null;
|
||||||
|
- continueRemoveAction(msg);
|
||||||
|
- }
|
||||||
|
- }, mHandler));
|
||||||
|
- // Don't want to wait too long.
|
||||||
|
- getWindow().getDecorView().getHandler().postDelayed(new Runnable() {
|
||||||
|
- @Override public void run() {
|
||||||
|
- continueRemoveAction(null);
|
||||||
|
}
|
||||||
|
- }, 2*1000);
|
||||||
|
+ ).show();
|
||||||
|
+ } else if (mUninstalling) {
|
||||||
|
+ mDPM.uninstallPackageWithActiveAdmins(mDeviceAdmin.getPackageName());
|
||||||
|
+ finish();
|
||||||
|
+ } else if (!mWaitingForRemoveMsg) {
|
||||||
|
+ try {
|
||||||
|
+ // Don't allow the admin to put a dialog up in front
|
||||||
|
+ // of us while we interact with the user.
|
||||||
|
+ ActivityManager.getService().stopAppSwitches();
|
||||||
|
+ } catch (RemoteException e) {
|
||||||
|
}
|
||||||
|
+ mWaitingForRemoveMsg = true;
|
||||||
|
+ mDPM.getRemoveWarning(mDeviceAdmin.getComponent(),
|
||||||
|
+ new RemoteCallback(new RemoteCallback.OnResultListener() {
|
||||||
|
+ @Override
|
||||||
|
+ public void onResult(Bundle result) {
|
||||||
|
+ CharSequence msg = result != null
|
||||||
|
+ ? result.getCharSequence(
|
||||||
|
+ DeviceAdminReceiver.EXTRA_DISABLE_WARNING)
|
||||||
|
+ : null;
|
||||||
|
+ continueRemoveAction(msg);
|
||||||
|
+ }
|
||||||
|
+ }, mHandler));
|
||||||
|
+ // Don't want to wait too long.
|
||||||
|
+ getWindow().getDecorView().getHandler().postDelayed(
|
||||||
|
+ () -> continueRemoveAction(null), 2 * 1000);
|
||||||
|
+ }
|
||||||
|
+ };
|
||||||
|
+ restrictedAction.setOnKeyListener((view, keyCode, keyEvent) -> {
|
||||||
|
+ if ((keyEvent.getFlags() & KeyEvent.FLAG_FROM_SYSTEM) == 0) {
|
||||||
|
+ Log.e(TAG, "Can not activate device-admin with KeyEvent from non-system app.");
|
||||||
|
+ // Consume event to suppress click.
|
||||||
|
+ return true;
|
||||||
|
}
|
||||||
|
+ // Fallback to view click handler.
|
||||||
|
+ return false;
|
||||||
|
});
|
||||||
|
+ restrictedAction.setOnClickListener(restrictedActionClickListener);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
@ -0,0 +1,56 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pinyao Ting <pinyaoting@google.com>
|
||||||
|
Date: Thu, 1 Jun 2023 18:12:44 -0700
|
||||||
|
Subject: [PATCH] Fix permission issue in legacy shortcut
|
||||||
|
|
||||||
|
When building legacy shortcut, Launcher calls
|
||||||
|
PackageManager#resolveActivity to retrieve necessary permission to
|
||||||
|
launch the intent.
|
||||||
|
|
||||||
|
However, when the source app wraps an arbitrary intent within
|
||||||
|
Intent#createChooser, the existing logic will fail because launching
|
||||||
|
Chooser doesn't require additional permission.
|
||||||
|
|
||||||
|
This CL fixes the security vulnerability by performing the permission
|
||||||
|
check against the intent that is wrapped within.
|
||||||
|
|
||||||
|
Bug: 270152142
|
||||||
|
Test: manual
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c53818a16b4322a823497726ac7e7a44501b4442)
|
||||||
|
Merged-In: If35344c08975e35085c7c2b9b814a3c457a144b0
|
||||||
|
Change-Id: If35344c08975e35085c7c2b9b814a3c457a144b0
|
||||||
|
---
|
||||||
|
.../launcher3/util/PackageManagerHelper.java | 13 +++++++++++++
|
||||||
|
1 file changed, 13 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java
|
||||||
|
index 13034dd9ec..1c05c993c7 100644
|
||||||
|
--- a/src/com/android/launcher3/util/PackageManagerHelper.java
|
||||||
|
+++ b/src/com/android/launcher3/util/PackageManagerHelper.java
|
||||||
|
@@ -26,6 +26,7 @@ import android.content.pm.PackageManager.NameNotFoundException;
|
||||||
|
import android.content.pm.ResolveInfo;
|
||||||
|
import android.net.Uri;
|
||||||
|
import android.os.Build;
|
||||||
|
+import android.os.Bundle;
|
||||||
|
import android.os.UserHandle;
|
||||||
|
import android.text.TextUtils;
|
||||||
|
|
||||||
|
@@ -102,6 +103,18 @@ public class PackageManagerHelper {
|
||||||
|
* any permissions
|
||||||
|
*/
|
||||||
|
public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
|
||||||
|
+ // b/270152142
|
||||||
|
+ if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
|
||||||
|
+ final Bundle extras = intent.getExtras();
|
||||||
|
+ if (extras == null) {
|
||||||
|
+ return true;
|
||||||
|
+ }
|
||||||
|
+ // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
|
||||||
|
+ intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
|
||||||
|
+ if (intent == null) {
|
||||||
|
+ return true;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
ResolveInfo target = mPm.resolveActivity(intent, 0);
|
||||||
|
if (target == null) {
|
||||||
|
// Not a valid target
|
@ -0,0 +1,138 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ashish Kumar <akgaurav@google.com>
|
||||||
|
Date: Fri, 26 May 2023 14:18:46 +0000
|
||||||
|
Subject: [PATCH] RESTRICT AUTOMERGE Fixed leak of cross user data in multiple
|
||||||
|
settings.
|
||||||
|
|
||||||
|
- Any app is allowed to receive GET_CONTENT intent. Using this, an user puts back in the intent an uri with data of another user.
|
||||||
|
- Telephony service has INTERACT_ACROSS_USER permission. Using this, it reads and shows the deta to the evil user.
|
||||||
|
|
||||||
|
Fix: When telephony service gets the intent result, it checks if the uri is from the current user or not.
|
||||||
|
|
||||||
|
Bug: b/256591023 , b/256819787
|
||||||
|
|
||||||
|
Test: The malicious behaviour was not being reproduced. Unable to import contact from other users data.
|
||||||
|
Test2: Able to import contact from the primary user or uri with no user id
|
||||||
|
(These settings are not available for secondary users)
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36e10a6d0d7b9efc543f8004729fa85751f4f70d)
|
||||||
|
Merged-In: I1e3a643f17948153aecc1d0df9ffd9619ad678c1
|
||||||
|
Change-Id: I1e3a643f17948153aecc1d0df9ffd9619ad678c1
|
||||||
|
---
|
||||||
|
.../android/phone/GsmUmtsCallForwardOptions.java | 12 ++++++++++++
|
||||||
|
.../phone/settings/VoicemailSettingsActivity.java | 14 ++++++++++++++
|
||||||
|
.../phone/settings/fdn/EditFdnContactScreen.java | 13 +++++++++++++
|
||||||
|
3 files changed, 39 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/com/android/phone/GsmUmtsCallForwardOptions.java b/src/com/android/phone/GsmUmtsCallForwardOptions.java
|
||||||
|
index 77cc6cca6..aa1c797d4 100644
|
||||||
|
--- a/src/com/android/phone/GsmUmtsCallForwardOptions.java
|
||||||
|
+++ b/src/com/android/phone/GsmUmtsCallForwardOptions.java
|
||||||
|
@@ -5,9 +5,12 @@ import com.android.internal.telephony.CommandsInterface;
|
||||||
|
import com.android.internal.telephony.Phone;
|
||||||
|
|
||||||
|
import android.app.ActionBar;
|
||||||
|
+import android.content.ContentProvider;
|
||||||
|
import android.content.Intent;
|
||||||
|
import android.database.Cursor;
|
||||||
|
import android.os.Bundle;
|
||||||
|
+import android.os.Process;
|
||||||
|
+import android.os.UserHandle;
|
||||||
|
import android.preference.Preference;
|
||||||
|
import android.preference.PreferenceScreen;
|
||||||
|
import android.telephony.CarrierConfigManager;
|
||||||
|
@@ -156,6 +159,15 @@ public class GsmUmtsCallForwardOptions extends TimeConsumingPreferenceActivity {
|
||||||
|
}
|
||||||
|
Cursor cursor = null;
|
||||||
|
try {
|
||||||
|
+ // check if the URI returned by the user belongs to the user
|
||||||
|
+ final int currentUser = UserHandle.getUserId(Process.myUid());
|
||||||
|
+ if (currentUser
|
||||||
|
+ != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {
|
||||||
|
+
|
||||||
|
+ Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "
|
||||||
|
+ + "cannot access");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
cursor = getContentResolver().query(data.getData(),
|
||||||
|
NUM_PROJECTION, null, null, null);
|
||||||
|
if ((cursor == null) || (!cursor.moveToFirst())) {
|
||||||
|
diff --git a/src/com/android/phone/settings/VoicemailSettingsActivity.java b/src/com/android/phone/settings/VoicemailSettingsActivity.java
|
||||||
|
index 7c5dbf20c..ef8d9e535 100644
|
||||||
|
--- a/src/com/android/phone/settings/VoicemailSettingsActivity.java
|
||||||
|
+++ b/src/com/android/phone/settings/VoicemailSettingsActivity.java
|
||||||
|
@@ -17,6 +17,7 @@
|
||||||
|
package com.android.phone.settings;
|
||||||
|
|
||||||
|
import android.app.Dialog;
|
||||||
|
+import android.content.ContentProvider;
|
||||||
|
import android.content.DialogInterface;
|
||||||
|
import android.content.Intent;
|
||||||
|
import android.database.Cursor;
|
||||||
|
@@ -24,6 +25,8 @@ import android.os.AsyncResult;
|
||||||
|
import android.os.Bundle;
|
||||||
|
import android.os.Handler;
|
||||||
|
import android.os.Message;
|
||||||
|
+import android.os.Process;
|
||||||
|
+import android.os.UserHandle;
|
||||||
|
import android.os.UserManager;
|
||||||
|
import android.preference.Preference;
|
||||||
|
import android.preference.PreferenceActivity;
|
||||||
|
@@ -508,6 +511,17 @@ public class VoicemailSettingsActivity extends PreferenceActivity
|
||||||
|
|
||||||
|
Cursor cursor = null;
|
||||||
|
try {
|
||||||
|
+ // check if the URI returned by the user belongs to the user
|
||||||
|
+ final int currentUser = UserHandle.getUserId(Process.myUid());
|
||||||
|
+ if (currentUser
|
||||||
|
+ != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {
|
||||||
|
+
|
||||||
|
+ if (DBG) {
|
||||||
|
+ log("onActivityResult: Contact data of different user, "
|
||||||
|
+ + "cannot access");
|
||||||
|
+ }
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
cursor = getContentResolver().query(data.getData(),
|
||||||
|
new String[] { CommonDataKinds.Phone.NUMBER }, null, null, null);
|
||||||
|
if ((cursor == null) || (!cursor.moveToFirst())) {
|
||||||
|
diff --git a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
|
||||||
|
index b8a761c47..d20b381cc 100644
|
||||||
|
--- a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
|
||||||
|
+++ b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
|
||||||
|
@@ -18,9 +18,12 @@ package com.android.phone.settings.fdn;
|
||||||
|
|
||||||
|
import static android.view.Window.PROGRESS_VISIBILITY_OFF;
|
||||||
|
import static android.view.Window.PROGRESS_VISIBILITY_ON;
|
||||||
|
+import static android.app.Activity.RESULT_OK;
|
||||||
|
+
|
||||||
|
|
||||||
|
import android.app.Activity;
|
||||||
|
import android.content.AsyncQueryHandler;
|
||||||
|
+import android.content.ContentProvider;
|
||||||
|
import android.content.ContentResolver;
|
||||||
|
import android.content.ContentValues;
|
||||||
|
import android.content.Intent;
|
||||||
|
@@ -29,6 +32,8 @@ import android.database.Cursor;
|
||||||
|
import android.net.Uri;
|
||||||
|
import android.os.Bundle;
|
||||||
|
import android.os.Handler;
|
||||||
|
+import android.os.Process;
|
||||||
|
+import android.os.UserHandle;
|
||||||
|
import android.provider.Contacts.PeopleColumns;
|
||||||
|
import android.provider.Contacts.PhonesColumns;
|
||||||
|
import android.provider.ContactsContract.CommonDataKinds;
|
||||||
|
@@ -152,6 +157,14 @@ public class EditFdnContactScreen extends Activity {
|
||||||
|
}
|
||||||
|
Cursor cursor = null;
|
||||||
|
try {
|
||||||
|
+ // check if the URI returned by the user belongs to the user
|
||||||
|
+ final int currentUser = UserHandle.getUserId(Process.myUid());
|
||||||
|
+ if (currentUser
|
||||||
|
+ != ContentProvider.getUserIdFromUri(intent.getData(), currentUser)) {
|
||||||
|
+ Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "
|
||||||
|
+ + "cannot access");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
cursor = getContentResolver().query(intent.getData(),
|
||||||
|
NUM_PROJECTION, null, null, null);
|
||||||
|
if ((cursor == null) || (!cursor.moveToFirst())) {
|
41
Patches/LineageOS-15.1/android_system_bt/365979.patch
Normal file
41
Patches/LineageOS-15.1/android_system_bt/365979.patch
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hui Peng <phui@google.com>
|
||||||
|
Date: Tue, 16 May 2023 21:24:07 +0000
|
||||||
|
Subject: [PATCH] Fix an integer overflow bug in avdt_msg_asmbl
|
||||||
|
|
||||||
|
This is a backport of
|
||||||
|
Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
|
||||||
|
to rvc-dev
|
||||||
|
|
||||||
|
Bug: 280633699
|
||||||
|
Test: manual
|
||||||
|
Ignore-AOSP-First: security
|
||||||
|
Tag: #security
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:26347d4bdba646bbba4d27337d2888a04de42639)
|
||||||
|
Merged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
|
||||||
|
Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
|
||||||
|
---
|
||||||
|
stack/avdt/avdt_msg.cc | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
|
||||||
|
index b6a952bcf..b5f512a03 100644
|
||||||
|
--- a/stack/avdt/avdt_msg.cc
|
||||||
|
+++ b/stack/avdt/avdt_msg.cc
|
||||||
|
@@ -1261,14 +1261,14 @@ BT_HDR* avdt_msg_asmbl(tAVDT_CCB* p_ccb, BT_HDR* p_buf) {
|
||||||
|
* NOTE: The buffer is allocated above at the beginning of the
|
||||||
|
* reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE.
|
||||||
|
*/
|
||||||
|
- uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
|
||||||
|
+ size_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
|
||||||
|
|
||||||
|
/* adjust offset and len of fragment for header byte */
|
||||||
|
p_buf->offset += AVDT_LEN_TYPE_CONT;
|
||||||
|
p_buf->len -= AVDT_LEN_TYPE_CONT;
|
||||||
|
|
||||||
|
/* verify length */
|
||||||
|
- if ((p_ccb->p_rx_msg->offset + p_buf->len) > buf_len) {
|
||||||
|
+ if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len) {
|
||||||
|
/* won't fit; free everything */
|
||||||
|
AVDT_TRACE_WARNING("%s: Fragmented message too big!", __func__);
|
||||||
|
osi_free_and_reset((void**)&p_ccb->p_rx_msg);
|
64
Patches/LineageOS-15.1/android_system_bt/365980.patch
Normal file
64
Patches/LineageOS-15.1/android_system_bt/365980.patch
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brian Delwiche <delwiche@google.com>
|
||||||
|
Date: Fri, 19 May 2023 19:17:16 +0000
|
||||||
|
Subject: [PATCH] Fix integer overflow in build_read_multi_rsp
|
||||||
|
|
||||||
|
Local variables tracking structure size in build_read_multi_rsp are of
|
||||||
|
uint16 type but accept a full uint16 range from function arguments while
|
||||||
|
appending a fixed-length offset. This can lead to an integer overflow
|
||||||
|
and unexpected behavior.
|
||||||
|
|
||||||
|
Change the locals to size_t, and add a check during reasssignment.
|
||||||
|
|
||||||
|
Bug: 273966636
|
||||||
|
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
|
||||||
|
Tag: #security
|
||||||
|
Ignore-AOSP-First: Security
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:53f64274cbf2268ad6db5af9c61ceead9ef64fb0)
|
||||||
|
Merged-In: Iff252f0dd06aac9776e8548631e0b700b3ed85b9
|
||||||
|
Change-Id: Iff252f0dd06aac9776e8548631e0b700b3ed85b9
|
||||||
|
---
|
||||||
|
stack/gatt/gatt_sr.cc | 17 ++++++++++++-----
|
||||||
|
1 file changed, 12 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
|
||||||
|
index f9e8f537f..1b9988739 100644
|
||||||
|
--- a/stack/gatt/gatt_sr.cc
|
||||||
|
+++ b/stack/gatt/gatt_sr.cc
|
||||||
|
@@ -111,7 +111,8 @@ void gatt_dequeue_sr_cmd(tGATT_TCB& tcb) {
|
||||||
|
******************************************************************************/
|
||||||
|
static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
|
||||||
|
tGATTS_RSP* p_msg, uint16_t mtu) {
|
||||||
|
- uint16_t ii, total_len, len;
|
||||||
|
+ uint16_t ii;
|
||||||
|
+ size_t total_len, len;
|
||||||
|
uint8_t* p;
|
||||||
|
bool is_overflow = false;
|
||||||
|
|
||||||
|
@@ -166,16 +167,22 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
|
||||||
|
len = p_rsp->attr_value.len - (total_len - mtu);
|
||||||
|
is_overflow = true;
|
||||||
|
VLOG(1) << StringPrintf(
|
||||||
|
- "multi read overflow available len=%d val_len=%d", len,
|
||||||
|
+ "multi read overflow available len=%zu val_len=%d", len,
|
||||||
|
p_rsp->attr_value.len);
|
||||||
|
} else {
|
||||||
|
len = p_rsp->attr_value.len;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
|
||||||
|
- memcpy(p, p_rsp->attr_value.value, len);
|
||||||
|
- if (!is_overflow) p += len;
|
||||||
|
- p_buf->len += len;
|
||||||
|
+ // check for possible integer overflow
|
||||||
|
+ if (p_buf->len + len <= UINT16_MAX) {
|
||||||
|
+ memcpy(p, p_rsp->attr_value.value, len);
|
||||||
|
+ if (!is_overflow) p += len;
|
||||||
|
+ p_buf->len += len;
|
||||||
|
+ } else {
|
||||||
|
+ p_cmd->status = GATT_NOT_FOUND;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
p_cmd->status = GATT_NOT_FOUND;
|
||||||
|
break;
|
40
Patches/LineageOS-15.1/android_system_bt/365981.patch
Normal file
40
Patches/LineageOS-15.1/android_system_bt/365981.patch
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brian Delwiche <delwiche@google.com>
|
||||||
|
Date: Thu, 27 Apr 2023 20:43:58 +0000
|
||||||
|
Subject: [PATCH] Fix potential abort in btu_av_act.cc
|
||||||
|
|
||||||
|
Partner analysis shows that bta_av_rc_msg does not respect handling
|
||||||
|
established for a null browse packet, instead dispatching the null
|
||||||
|
pointer to bta_av_rc_free_browse_msg. Strictly speaking this does
|
||||||
|
not cause a UAF, as osi_free_and_reset will find the null and abort,
|
||||||
|
but it will lead to improper program termination.
|
||||||
|
|
||||||
|
Handle the case instead.
|
||||||
|
|
||||||
|
Bug: 269253349
|
||||||
|
Test: atest bluetooth_test_gd_unit
|
||||||
|
Tag: #security
|
||||||
|
Ignore-AOSP-First: Security
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9)
|
||||||
|
Merged-In: I4df7045798b663fbefd7434288dc9383216171a7
|
||||||
|
Change-Id: I4df7045798b663fbefd7434288dc9383216171a7
|
||||||
|
---
|
||||||
|
bta/av/bta_av_act.cc | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
|
||||||
|
index 541d68303..acd6f5281 100644
|
||||||
|
--- a/bta/av/bta_av_act.cc
|
||||||
|
+++ b/bta/av/bta_av_act.cc
|
||||||
|
@@ -1004,7 +1004,10 @@ void bta_av_rc_msg(tBTA_AV_CB* p_cb, tBTA_AV_DATA* p_data) {
|
||||||
|
av.remote_cmd.rc_handle = p_data->rc_msg.handle;
|
||||||
|
(*p_cb->p_cback)(evt, &av);
|
||||||
|
/* If browsing message, then free the browse message buffer */
|
||||||
|
- bta_av_rc_free_browse_msg(p_cb, p_data);
|
||||||
|
+ if (p_data->rc_msg.opcode == AVRC_OP_BROWSE &&
|
||||||
|
+ p_data->rc_msg.msg.browse.p_browse_pkt != NULL) {
|
||||||
|
+ bta_av_rc_free_browse_msg(p_cb, p_data);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -0,0 +1,39 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brian Delwiche <delwiche@google.com>
|
||||||
|
Date: Thu, 1 Jun 2023 23:57:58 +0000
|
||||||
|
Subject: [PATCH] Fix UAF in gatt_cl.cc
|
||||||
|
|
||||||
|
gatt_cl.cc accesses a header field after the buffer holding it may have
|
||||||
|
been freed.
|
||||||
|
|
||||||
|
Track the relevant state as a local variable instead.
|
||||||
|
|
||||||
|
Bug: 274617156
|
||||||
|
Test: atest: bluetooth, validated against fuzzer
|
||||||
|
Tag: #security
|
||||||
|
Ignore-AOSP-First: Security
|
||||||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7a7f7f3311202065de4b2c17b49994053dd1244)
|
||||||
|
Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
|
||||||
|
Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
|
||||||
|
---
|
||||||
|
stack/gatt/gatt_cl.cc | 7 ++++++-
|
||||||
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
|
||||||
|
index 014240888..305a54660 100644
|
||||||
|
--- a/stack/gatt/gatt_cl.cc
|
||||||
|
+++ b/stack/gatt/gatt_cl.cc
|
||||||
|
@@ -583,7 +583,12 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
|
||||||
|
|
||||||
|
memcpy(value.value, p, value.len);
|
||||||
|
|
||||||
|
- if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {
|
||||||
|
+ bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);
|
||||||
|
+
|
||||||
|
+ // We now know that we have not terminated, or else we would have returned
|
||||||
|
+ // early. We free the buffer only if the subtype is not equal to
|
||||||
|
+ // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF.
|
||||||
|
+ if (subtype_is_write_prepare) {
|
||||||
|
p_clcb->status = GATT_SUCCESS;
|
||||||
|
/* application should verify handle offset
|
||||||
|
and value are matched or not */
|
@ -74,7 +74,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
|
|||||||
applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
|
applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
|
||||||
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
||||||
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
||||||
sed -i 's/2021-10-05/2023-08-05/' core/version_defaults.mk; #Bump Security String #XXX
|
sed -i 's/2021-10-05/2023-09-05/' core/version_defaults.mk; #Bump Security String #XXX
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
if enterAndClear "build/soong"; then
|
if enterAndClear "build/soong"; then
|
||||||
@ -138,6 +138,7 @@ fi;
|
|||||||
if enterAndClear "frameworks/av"; then
|
if enterAndClear "frameworks/av"; then
|
||||||
#if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
|
#if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_av/358729.patch"; #n-asb-2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
|
applyPatch "$DOS_PATCHES/android_frameworks_av/358729.patch"; #n-asb-2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
|
||||||
|
applyPatch "$DOS_PATCHES/android_frameworks_av/365962.patch"; #R_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
if enterAndClear "frameworks/base"; then
|
if enterAndClear "frameworks/base"; then
|
||||||
@ -203,6 +204,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/364033-backport.patch"; #R_asb_
|
|||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/364036-backport.patch"; #R_asb_2023-08 Verify URI permissions in MediaMetadata
|
applyPatch "$DOS_PATCHES/android_frameworks_base/364036-backport.patch"; #R_asb_2023-08 Verify URI permissions in MediaMetadata
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/364037.patch"; #R_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
|
applyPatch "$DOS_PATCHES/android_frameworks_base/364037.patch"; #R_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_base/364038-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user.
|
applyPatch "$DOS_PATCHES/android_frameworks_base/364038-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user.
|
||||||
|
applyPatch "$DOS_PATCHES/android_frameworks_base/365967.patch"; #R_asb_2023-09 Update AccountManagerService checkKeyIntentParceledCorrectly.
|
||||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
|
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
|
||||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
|
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
|
||||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
|
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
|
||||||
@ -230,6 +232,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_native/326752.patch"; #P_asb_2022-03
|
|||||||
applyPatch "$DOS_PATCHES/android_frameworks_native/355772.patch"; #R_asb_2023-05 Check for malformed Sensor Flattenable
|
applyPatch "$DOS_PATCHES/android_frameworks_native/355772.patch"; #R_asb_2023-05 Check for malformed Sensor Flattenable
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_native/355773-backport.patch"; #R_asb_2023-05 Remove some new memory leaks from SensorManager
|
applyPatch "$DOS_PATCHES/android_frameworks_native/355773-backport.patch"; #R_asb_2023-05 Remove some new memory leaks from SensorManager
|
||||||
applyPatch "$DOS_PATCHES/android_frameworks_native/355774-backport.patch"; #R_asb_2023-05 Add removeInstanceForPackageMethod to SensorManager
|
applyPatch "$DOS_PATCHES/android_frameworks_native/355774-backport.patch"; #R_asb_2023-05 Add removeInstanceForPackageMethod to SensorManager
|
||||||
|
applyPatch "$DOS_PATCHES/android_frameworks_native/365969-backport.patch"; #R_asb_2023-09 Allow sensors list to be empty
|
||||||
if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
|
if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
@ -343,6 +346,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345911.patch"; #P_asb_20
|
|||||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345912-backport.patch"; #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
|
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345912-backport.patch"; #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
|
||||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351914-backport.patch"; #P_asb_2023-03 FRP bypass defense in the settings app
|
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351914-backport.patch"; #P_asb_2023-03 FRP bypass defense in the settings app
|
||||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358568-backport.patch"; #R_asb_2023-06 Convert argument to intent in AddAccountSettings.
|
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358568-backport.patch"; #R_asb_2023-06 Convert argument to intent in AddAccountSettings.
|
||||||
|
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/365973-backport.patch"; #R_asb_2023-09 Prevent non-system IME from becoming device admin
|
||||||
git revert --no-edit a96df110e84123fe1273bff54feca3b4ca484dcd; #Don't hide OEM unlock
|
git revert --no-edit a96df110e84123fe1273bff54feca3b4ca484dcd; #Don't hide OEM unlock
|
||||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
|
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
|
||||||
if [ "$DOS_SENSORS_PERM" = true ]; then
|
if [ "$DOS_SENSORS_PERM" = true ]; then
|
||||||
@ -357,6 +361,10 @@ if enterAndClear "packages/apps/SetupWizard"; then
|
|||||||
applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics.patch"; #Remove analytics (DivestOS)
|
applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics.patch"; #Remove analytics (DivestOS)
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
|
if enterAndClear "packages/apps/Trebuchet"; then
|
||||||
|
applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/365974.patch"; #R_asb_2023-09 Fix permission issue in legacy shortcut
|
||||||
|
fi;
|
||||||
|
|
||||||
if enterAndClear "packages/apps/TvSettings"; then
|
if enterAndClear "packages/apps/TvSettings"; then
|
||||||
applyPatch "$DOS_PATCHES/android_packages_apps_TvSettings/358578.patch"; #R_asb_2023-06 Convert argument to intent in addAccount TvSettings.
|
applyPatch "$DOS_PATCHES/android_packages_apps_TvSettings/358578.patch"; #R_asb_2023-06 Convert argument to intent in addAccount TvSettings.
|
||||||
fi;
|
fi;
|
||||||
@ -403,6 +411,7 @@ fi;
|
|||||||
|
|
||||||
if enterAndClear "packages/services/Telephony"; then
|
if enterAndClear "packages/services/Telephony"; then
|
||||||
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/347041-backport.patch"; #P_asb_2023-01 Prevent overlays on the phone settings
|
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/347041-backport.patch"; #P_asb_2023-01 Prevent overlays on the phone settings
|
||||||
|
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/365978-backport.patch"; #R_asb_2023-09 Fixed leak of cross user data in multiple settings.
|
||||||
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #(DivestOS)
|
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #(DivestOS)
|
||||||
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
|
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
|
||||||
fi;
|
fi;
|
||||||
@ -437,6 +446,10 @@ applyPatch "$DOS_PATCHES/android_system_bt/358580.patch"; #R_asb_2023-06 Prevent
|
|||||||
applyPatch "$DOS_PATCHES/android_system_bt/358581-backport.patch"; #R_asb_2023-06 Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq""
|
applyPatch "$DOS_PATCHES/android_system_bt/358581-backport.patch"; #R_asb_2023-06 Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq""
|
||||||
applyPatch "$DOS_PATCHES/android_system_bt/358582.patch"; #R_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
|
applyPatch "$DOS_PATCHES/android_system_bt/358582.patch"; #R_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
|
||||||
applyPatch "$DOS_PATCHES/android_system_bt/360969.patch"; #R_asb_2023-07 Fix gatt_end_operation buffer overflow
|
applyPatch "$DOS_PATCHES/android_system_bt/360969.patch"; #R_asb_2023-07 Fix gatt_end_operation buffer overflow
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_bt/365979.patch"; #R_asb_2023-09 Fix an integer overflow bug in avdt_msg_asmbl
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_bt/365980.patch"; #R_asb_2023-09 Fix integer overflow in build_read_multi_rsp
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_bt/365981.patch"; #R_asb_2023-09 Fix potential abort in btu_av_act.cc
|
||||||
|
applyPatch "$DOS_PATCHES/android_system_bt/365982-backport.patch"; #R_asb_2023-09 Fix UAF in gatt_cl.cc
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
if enterAndClear "system/ca-certificates"; then
|
if enterAndClear "system/ca-certificates"; then
|
||||||
|
Loading…
Reference in New Issue
Block a user