15.1 September ASB work

Signed-off-by: Tad <tad@spotco.us>

Patches/LineageOS-15.1/android_frameworks_av/365962.patch

@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shruti Bihani <shrutibihani@google.com>
+Date: Thu, 6 Jul 2023 08:41:56 +0000
+Subject: [PATCH] Fix Segv on unknown address error flagged by fuzzer test.
+
+The error is thrown when the destructor tries to free pointer memory.
+This is happening for cases where the pointer was not initialized. Initializing it to a default value fixes the error.
+
+Bug: 245135112
+Test: Build mtp_host_property_fuzzer and run on the target device
+(cherry picked from commit 3afa6e80e8568fe63f893fa354bc79ef91d3dcc0)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d44311374e41a26b28db56794c9a7890a13a6972)
+Merged-In: I255cd68b7641e96ac47ab81479b9b46b78c15580
+Change-Id: I255cd68b7641e96ac47ab81479b9b46b78c15580
+---
+ media/mtp/MtpProperty.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/media/mtp/MtpProperty.h b/media/mtp/MtpProperty.h
+index 03c08e1eed..45fcbe8917 100644
+--- a/media/mtp/MtpProperty.h
++++ b/media/mtp/MtpProperty.h
+@@ -24,6 +24,9 @@ namespace android {
+ class MtpDataPacket;
+ 
+ struct MtpPropertyValue {
++    // pointer str initialized to NULL so that free operation
++    // is not called for pre-assigned value
++    MtpPropertyValue() : str (NULL) {}
+     union {
+         int8_t          i8;
+         uint8_t         u8;

Patches/LineageOS-15.1/android_frameworks_base/365967.patch

@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Fri, 30 Jun 2023 14:36:44 -0700
+Subject: [PATCH] Update AccountManagerService checkKeyIntentParceledCorrectly.
+
+Bug: 265798288
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b117b506ec0504ff9eb2fa523e82f1879ecb8cc1)
+Merged-In: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb
+Change-Id: Iad33851af32a11c99d11bc2b5c76d124c3e97ebb
+---
+ .../com/android/server/accounts/AccountManagerService.java     | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 39bb08e82b81..e06c4b3ef480 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -4805,6 +4805,9 @@ public class AccountManagerService
+             Bundle simulateBundle = p.readBundle();
+             p.recycle();
+             Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
++            if (intent != null && intent.getClass() != Intent.class) {
++                return false;
++            }
+             Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);
+             if (intent == null) {
+                 return (simulateIntent == null);

Patches/LineageOS-15.1/android_frameworks_native/365969-backport.patch

@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Devin Moore <devinmoore@google.com>
+Date: Tue, 25 Apr 2023 00:17:13 +0000
+Subject: [PATCH] Allow sensors list to be empty
+
+Test: atest VtsHalSensorManagerV1_0TargetTest
+Bug: 278013275
+Bug: 269014004
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:49600b10aa5675d4e7e985203d69f252ead13e45)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7057a9f08d98bfec8ffbabcf00f2885d3909c6c9)
+Merged-In: I091f57de9570b0ace3a8da76f16fe0e83f0aa624
+Change-Id: I091f57de9570b0ace3a8da76f16fe0e83f0aa624
+---
+ libs/sensor/SensorManager.cpp | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/libs/sensor/SensorManager.cpp b/libs/sensor/SensorManager.cpp
+index e5a0438fc5..e24c3bcecd 100644
+--- a/libs/sensor/SensorManager.cpp
++++ b/libs/sensor/SensorManager.cpp
+@@ -171,11 +171,8 @@ status_t SensorManager::assertStateLocked() {
+ 
+         mSensors = mSensorServer->getSensorList(mOpPackageName);
+         size_t count = mSensors.size();
+-        if (count == 0) {
+-            ALOGE("Failed to get Sensor list");
+-            mSensorServer.clear();
+-            return UNKNOWN_ERROR;
+-        }
++        // If count is 0, mSensorList will be non-null. This is old
++        // existing behavior and callers expect this.
+         mSensorList =
+                 static_cast<Sensor const**>(malloc(count * sizeof(Sensor*)));
+         LOG_ALWAYS_FATAL_IF(mSensorList == NULL, "mSensorList NULL");

Patches/LineageOS-15.1/android_packages_apps_Settings/365973-backport.patch

@@ -0,0 +1,209 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Taran Singh <tarandeep@google.com>
+Date: Fri, 19 May 2023 23:17:47 +0000
+Subject: [PATCH] DO NOT MERGE: Prevent non-system IME from becoming device
+ admin
+
+Currently selected IME can inject KeyEvent on DeviceAdminAdd screen to
+activate itself as device admin and cause various DoS attacks.
+
+This CL ensures KeyEvent on "Activate" button can only come from system
+apps.
+
+Bug: 280793427
+Test: atest DeviceAdminActivationTest
+(cherry picked from commit 70a501d02e0a6aefd874767a15378ba998759373)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0ee3b96e59f3e5699c919af3642130fb33cd263b)
+Merged-In: I6470d1684d707f4b1e86f8b456be0b4e0af5f188
+Change-Id: I6470d1684d707f4b1e86f8b456be0b4e0af5f188
+---
+ src/com/android/settings/DeviceAdminAdd.java | 120 ++++++++++---------
+ 1 file changed, 64 insertions(+), 56 deletions(-)
+
+diff --git a/src/com/android/settings/DeviceAdminAdd.java b/src/com/android/settings/DeviceAdminAdd.java
+index ebad411531..981930987a 100644
+--- a/src/com/android/settings/DeviceAdminAdd.java
++++ b/src/com/android/settings/DeviceAdminAdd.java
+@@ -49,6 +49,8 @@ import android.text.TextUtils.TruncateAt;
+ import android.util.EventLog;
+ import android.util.Log;
+ import android.view.Display;
++import android.view.KeyEvent;
++import android.view.LayoutInflater;
+ import android.view.View;
+ import android.view.ViewGroup;
+ import android.view.ViewTreeObserver;
+@@ -131,7 +133,7 @@ public class DeviceAdminAdd extends Activity {
+         mAppOps = (AppOpsManager)getSystemService(Context.APP_OPS_SERVICE);
+         PackageManager packageManager = getPackageManager();
+ 
+-        if ((getIntent().getFlags()&Intent.FLAG_ACTIVITY_NEW_TASK) != 0) {
++        if ((getIntent().getFlags() & Intent.FLAG_ACTIVITY_NEW_TASK) != 0) {
+             Log.w(TAG, "Cannot start ADD_DEVICE_ADMIN as a new task");
+             finish();
+             return;
+@@ -141,7 +143,7 @@ public class DeviceAdminAdd extends Activity {
+                 EXTRA_CALLED_FROM_SUPPORT_DIALOG, false);
+ 
+         String action = getIntent().getAction();
+-        ComponentName who = (ComponentName)getIntent().getParcelableExtra(
++        ComponentName who = (ComponentName) getIntent().getParcelableExtra(
+                 DevicePolicyManager.EXTRA_DEVICE_ADMIN);
+         if (who == null) {
+             String packageName = getIntent().getStringExtra(EXTRA_DEVICE_ADMIN_PACKAGE_NAME);
+@@ -203,7 +205,7 @@ public class DeviceAdminAdd extends Activity {
+                     PackageManager.GET_DISABLED_UNTIL_USED_COMPONENTS);
+             int count = avail == null ? 0 : avail.size();
+             boolean found = false;
+-            for (int i=0; i<count; i++) {
++            for (int i = 0; i < count; i++) {
+                 ResolveInfo ri = avail.get(i);
+                 if (ai.packageName.equals(ri.activityInfo.packageName)
+                         && ai.name.equals(ri.activityInfo.name)) {
+@@ -286,12 +288,12 @@ public class DeviceAdminAdd extends Activity {
+ 
+         setContentView(R.layout.device_admin_add);
+ 
+-        mAdminIcon = (ImageView)findViewById(R.id.admin_icon);
+-        mAdminName = (TextView)findViewById(R.id.admin_name);
+-        mAdminDescription = (TextView)findViewById(R.id.admin_description);
++        mAdminIcon = (ImageView) findViewById(R.id.admin_icon);
++        mAdminName = (TextView) findViewById(R.id.admin_name);
++        mAdminDescription = (TextView) findViewById(R.id.admin_description);
+         mProfileOwnerWarning = (TextView) findViewById(R.id.profile_owner_warning);
+ 
+-        mAddMsg = (TextView)findViewById(R.id.add_msg);
++        mAddMsg = (TextView) findViewById(R.id.add_msg);
+         mAddMsgExpander = (ImageView) findViewById(R.id.add_msg_expander);
+         final View.OnClickListener onClickListener = new View.OnClickListener() {
+             @Override
+@@ -314,7 +316,7 @@ public class DeviceAdminAdd extends Activity {
+                         mAddMsgExpander.setVisibility(hideMsgExpander ? View.GONE : View.VISIBLE);
+                         if (hideMsgExpander) {
+                             mAddMsg.setOnClickListener(null);
+-                            ((View)mAddMsgExpander.getParent()).invalidate();
++                            ((View) mAddMsgExpander.getParent()).invalidate();
+                         }
+                         mAddMsg.getViewTreeObserver().removeOnGlobalLayoutListener(this);
+                     }
+@@ -332,7 +334,7 @@ public class DeviceAdminAdd extends Activity {
+         mCancelButton.setOnClickListener(new View.OnClickListener() {
+             public void onClick(View v) {
+                 EventLog.writeEvent(EventLogTags.EXP_DET_DEVICE_ADMIN_DECLINED_BY_USER,
+-                    mDeviceAdmin.getActivityInfo().applicationInfo.uid);
++                        mDeviceAdmin.getActivityInfo().applicationInfo.uid);
+                 finish();
+             }
+         });
+@@ -352,58 +354,64 @@ public class DeviceAdminAdd extends Activity {
+ 
+         final View restrictedAction = findViewById(R.id.restricted_action);
+         restrictedAction.setFilterTouchesWhenObscured(true);
+-        restrictedAction.setOnClickListener(new View.OnClickListener() {
+-            public void onClick(View v) {
+-                if (!mActionButton.isEnabled()) {
+-                    showPolicyTransparencyDialogIfRequired();
+-                    return;
+-                }
+-                if (mAdding) {
+-                    addAndFinish();
+-                } else if (isManagedProfile(mDeviceAdmin)
+-                        && mDeviceAdmin.getComponent().equals(mDPM.getProfileOwner())) {
+-                    final int userId = UserHandle.myUserId();
+-                    UserDialogs.createRemoveDialog(DeviceAdminAdd.this, userId,
+-                            new DialogInterface.OnClickListener() {
+-                                @Override
+-                                public void onClick(DialogInterface dialog, int which) {
+-                                    UserManager um = UserManager.get(DeviceAdminAdd.this);
+-                                    um.removeUser(userId);
+-                                    finish();
+-                                }
++
++        final View.OnClickListener restrictedActionClickListener = v -> {
++            if (!mActionButton.isEnabled()) {
++                showPolicyTransparencyDialogIfRequired();
++                return;
++            }
++            if (mAdding) {
++                addAndFinish();
++            } else if (isManagedProfile(mDeviceAdmin)
++                    && mDeviceAdmin.getComponent().equals(mDPM.getProfileOwner())) {
++                final int userId = UserHandle.myUserId();
++                UserDialogs.createRemoveDialog(DeviceAdminAdd.this, userId,
++                        new DialogInterface.OnClickListener() {
++                            @Override
++                            public void onClick(DialogInterface dialog, int which) {
++                                UserManager um = UserManager.get(DeviceAdminAdd.this);
++                                um.removeUser(userId);
++                                finish();
+                             }
+-                    ).show();
+-                } else if (mUninstalling) {
+-                    mDPM.uninstallPackageWithActiveAdmins(mDeviceAdmin.getPackageName());
+-                    finish();
+-                } else if (!mWaitingForRemoveMsg) {
+-                    try {
+-                        // Don't allow the admin to put a dialog up in front
+-                        // of us while we interact with the user.
+-                        ActivityManager.getService().stopAppSwitches();
+-                    } catch (RemoteException e) {
+-                    }
+-                    mWaitingForRemoveMsg = true;
+-                    mDPM.getRemoveWarning(mDeviceAdmin.getComponent(),
+-                            new RemoteCallback(new RemoteCallback.OnResultListener() {
+-                                @Override
+-                                public void onResult(Bundle result) {
+-                                    CharSequence msg = result != null
+-                                            ? result.getCharSequence(
+-                                            DeviceAdminReceiver.EXTRA_DISABLE_WARNING)
+-                                            : null;
+-                                    continueRemoveAction(msg);
+-                                }
+-                            }, mHandler));
+-                    // Don't want to wait too long.
+-                    getWindow().getDecorView().getHandler().postDelayed(new Runnable() {
+-                        @Override public void run() {
+-                            continueRemoveAction(null);
+                         }
+-                    }, 2*1000);
++                ).show();
++            } else if (mUninstalling) {
++                mDPM.uninstallPackageWithActiveAdmins(mDeviceAdmin.getPackageName());
++                finish();
++            } else if (!mWaitingForRemoveMsg) {
++                try {
++                    // Don't allow the admin to put a dialog up in front
++                    // of us while we interact with the user.
++                    ActivityManager.getService().stopAppSwitches();
++                } catch (RemoteException e) {
+                 }
++                mWaitingForRemoveMsg = true;
++                mDPM.getRemoveWarning(mDeviceAdmin.getComponent(),
++                        new RemoteCallback(new RemoteCallback.OnResultListener() {
++                            @Override
++                            public void onResult(Bundle result) {
++                                CharSequence msg = result != null
++                                        ? result.getCharSequence(
++                                        DeviceAdminReceiver.EXTRA_DISABLE_WARNING)
++                                        : null;
++                                continueRemoveAction(msg);
++                            }
++                        }, mHandler));
++                // Don't want to wait too long.
++                getWindow().getDecorView().getHandler().postDelayed(
++                        () -> continueRemoveAction(null), 2 * 1000);
++            }
++        };
++        restrictedAction.setOnKeyListener((view, keyCode, keyEvent) -> {
++            if ((keyEvent.getFlags() & KeyEvent.FLAG_FROM_SYSTEM) == 0) {
++                Log.e(TAG, "Can not activate device-admin with KeyEvent from non-system app.");
++                // Consume event to suppress click.
++                return true;
+             }
++            // Fallback to view click handler.
++            return false;
+         });
++        restrictedAction.setOnClickListener(restrictedActionClickListener);
+     }
+ 
+     /**

Patches/LineageOS-15.1/android_packages_apps_Trebuchet/365974.patch

@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Thu, 1 Jun 2023 18:12:44 -0700
+Subject: [PATCH] Fix permission issue in legacy shortcut
+
+When building legacy shortcut, Launcher calls
+PackageManager#resolveActivity to retrieve necessary permission to
+launch the intent.
+
+However, when the source app wraps an arbitrary intent within
+Intent#createChooser, the existing logic will fail because launching
+Chooser doesn't require additional permission.
+
+This CL fixes the security vulnerability by performing the permission
+check against the intent that is wrapped within.
+
+Bug: 270152142
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c53818a16b4322a823497726ac7e7a44501b4442)
+Merged-In: If35344c08975e35085c7c2b9b814a3c457a144b0
+Change-Id: If35344c08975e35085c7c2b9b814a3c457a144b0
+---
+ .../launcher3/util/PackageManagerHelper.java        | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java
+index 13034dd9ec..1c05c993c7 100644
+--- a/src/com/android/launcher3/util/PackageManagerHelper.java
++++ b/src/com/android/launcher3/util/PackageManagerHelper.java
+@@ -26,6 +26,7 @@ import android.content.pm.PackageManager.NameNotFoundException;
+ import android.content.pm.ResolveInfo;
+ import android.net.Uri;
+ import android.os.Build;
++import android.os.Bundle;
+ import android.os.UserHandle;
+ import android.text.TextUtils;
+ 
+@@ -102,6 +103,18 @@ public class PackageManagerHelper {
+      * any permissions
+      */
+     public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
++        // b/270152142
++        if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
++            final Bundle extras = intent.getExtras();
++            if (extras == null) {
++                return true;
++            }
++            // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
++            intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
++            if (intent == null) {
++                return true;
++            }
++        }
+         ResolveInfo target = mPm.resolveActivity(intent, 0);
+         if (target == null) {
+             // Not a valid target

Patches/LineageOS-15.1/android_packages_services_Telephony/365978-backport.patch

@@ -0,0 +1,138 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ashish Kumar <akgaurav@google.com>
+Date: Fri, 26 May 2023 14:18:46 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Fixed leak of cross user data in multiple
+ settings.
+
+  - Any app is allowed to receive GET_CONTENT intent. Using this, an user puts back in the intent an uri with data of another user.
+  - Telephony service has INTERACT_ACROSS_USER permission. Using this, it reads and shows the deta to the evil user.
+
+Fix: When telephony service gets the intent result, it checks if the uri is from the current user or not.
+
+Bug: b/256591023 , b/256819787
+
+Test: The malicious behaviour was not being reproduced. Unable to import contact from other users data.
+Test2: Able to import contact from the primary user or uri with no user id
+(These settings are not available for secondary users)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36e10a6d0d7b9efc543f8004729fa85751f4f70d)
+Merged-In: I1e3a643f17948153aecc1d0df9ffd9619ad678c1
+Change-Id: I1e3a643f17948153aecc1d0df9ffd9619ad678c1
+---
+ .../android/phone/GsmUmtsCallForwardOptions.java   | 12 ++++++++++++
+ .../phone/settings/VoicemailSettingsActivity.java  | 14 ++++++++++++++
+ .../phone/settings/fdn/EditFdnContactScreen.java   | 13 +++++++++++++
+ 3 files changed, 39 insertions(+)
+
+diff --git a/src/com/android/phone/GsmUmtsCallForwardOptions.java b/src/com/android/phone/GsmUmtsCallForwardOptions.java
+index 77cc6cca6..aa1c797d4 100644
+--- a/src/com/android/phone/GsmUmtsCallForwardOptions.java
++++ b/src/com/android/phone/GsmUmtsCallForwardOptions.java
+@@ -5,9 +5,12 @@ import com.android.internal.telephony.CommandsInterface;
+ import com.android.internal.telephony.Phone;
+ 
+ import android.app.ActionBar;
++import android.content.ContentProvider;
+ import android.content.Intent;
+ import android.database.Cursor;
+ import android.os.Bundle;
++import android.os.Process;
++import android.os.UserHandle;
+ import android.preference.Preference;
+ import android.preference.PreferenceScreen;
+ import android.telephony.CarrierConfigManager;
+@@ -156,6 +159,15 @@ public class GsmUmtsCallForwardOptions extends TimeConsumingPreferenceActivity {
+         }
+         Cursor cursor = null;
+         try {
++            // check if the URI returned by the user belongs to the user
++            final int currentUser = UserHandle.getUserId(Process.myUid());
++            if (currentUser
++                    != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {
++
++                Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "
++                        + "cannot access");
++                return;
++            }
+             cursor = getContentResolver().query(data.getData(),
+                 NUM_PROJECTION, null, null, null);
+             if ((cursor == null) || (!cursor.moveToFirst())) {
+diff --git a/src/com/android/phone/settings/VoicemailSettingsActivity.java b/src/com/android/phone/settings/VoicemailSettingsActivity.java
+index 7c5dbf20c..ef8d9e535 100644
+--- a/src/com/android/phone/settings/VoicemailSettingsActivity.java
++++ b/src/com/android/phone/settings/VoicemailSettingsActivity.java
+@@ -17,6 +17,7 @@
+ package com.android.phone.settings;
+ 
+ import android.app.Dialog;
++import android.content.ContentProvider;
+ import android.content.DialogInterface;
+ import android.content.Intent;
+ import android.database.Cursor;
+@@ -24,6 +25,8 @@ import android.os.AsyncResult;
+ import android.os.Bundle;
+ import android.os.Handler;
+ import android.os.Message;
++import android.os.Process;
++import android.os.UserHandle;
+ import android.os.UserManager;
+ import android.preference.Preference;
+ import android.preference.PreferenceActivity;
+@@ -508,6 +511,17 @@ public class VoicemailSettingsActivity extends PreferenceActivity
+ 
+             Cursor cursor = null;
+             try {
++                // check if the URI returned by the user belongs to the user
++                final int currentUser = UserHandle.getUserId(Process.myUid());
++                if (currentUser
++                        != ContentProvider.getUserIdFromUri(data.getData(), currentUser)) {
++
++                    if (DBG) {
++                        log("onActivityResult: Contact data of different user, "
++                                + "cannot access");
++                    }
++                    return;
++                }
+                 cursor = getContentResolver().query(data.getData(),
+                     new String[] { CommonDataKinds.Phone.NUMBER }, null, null, null);
+                 if ((cursor == null) || (!cursor.moveToFirst())) {
+diff --git a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
+index b8a761c47..d20b381cc 100644
+--- a/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
++++ b/src/com/android/phone/settings/fdn/EditFdnContactScreen.java
+@@ -18,9 +18,12 @@ package com.android.phone.settings.fdn;
+ 
+ import static android.view.Window.PROGRESS_VISIBILITY_OFF;
+ import static android.view.Window.PROGRESS_VISIBILITY_ON;
++import static android.app.Activity.RESULT_OK;
++
+ 
+ import android.app.Activity;
+ import android.content.AsyncQueryHandler;
++import android.content.ContentProvider;
+ import android.content.ContentResolver;
+ import android.content.ContentValues;
+ import android.content.Intent;
+@@ -29,6 +32,8 @@ import android.database.Cursor;
+ import android.net.Uri;
+ import android.os.Bundle;
+ import android.os.Handler;
++import android.os.Process;
++import android.os.UserHandle;
+ import android.provider.Contacts.PeopleColumns;
+ import android.provider.Contacts.PhonesColumns;
+ import android.provider.ContactsContract.CommonDataKinds;
+@@ -152,6 +157,14 @@ public class EditFdnContactScreen extends Activity {
+                 }
+                 Cursor cursor = null;
+                 try {
++                    // check if the URI returned by the user belongs to the user
++                    final int currentUser = UserHandle.getUserId(Process.myUid());
++                    if (currentUser
++                            != ContentProvider.getUserIdFromUri(intent.getData(), currentUser)) {
++                        Log.w(LOG_TAG, "onActivityResult: Contact data of different user, "
++                                + "cannot access");
++                        return;
++                    }
+                     cursor = getContentResolver().query(intent.getData(),
+                         NUM_PROJECTION, null, null, null);
+                     if ((cursor == null) || (!cursor.moveToFirst())) {

Patches/LineageOS-15.1/android_system_bt/365979.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Tue, 16 May 2023 21:24:07 +0000
+Subject: [PATCH] Fix an integer overflow bug in avdt_msg_asmbl
+
+This is a backport of
+Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
+to rvc-dev
+
+Bug: 280633699
+Test: manual
+Ignore-AOSP-First: security
+Tag: #security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:26347d4bdba646bbba4d27337d2888a04de42639)
+Merged-In: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
+Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
+---
+ stack/avdt/avdt_msg.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
+index b6a952bcf..b5f512a03 100644
+--- a/stack/avdt/avdt_msg.cc
++++ b/stack/avdt/avdt_msg.cc
+@@ -1261,14 +1261,14 @@ BT_HDR* avdt_msg_asmbl(tAVDT_CCB* p_ccb, BT_HDR* p_buf) {
+        * NOTE: The buffer is allocated above at the beginning of the
+        * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE.
+        */
+-      uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
++      size_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
+ 
+       /* adjust offset and len of fragment for header byte */
+       p_buf->offset += AVDT_LEN_TYPE_CONT;
+       p_buf->len -= AVDT_LEN_TYPE_CONT;
+ 
+       /* verify length */
+-      if ((p_ccb->p_rx_msg->offset + p_buf->len) > buf_len) {
++      if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len) {
+         /* won't fit; free everything */
+         AVDT_TRACE_WARNING("%s: Fragmented message too big!", __func__);
+         osi_free_and_reset((void**)&p_ccb->p_rx_msg);

Patches/LineageOS-15.1/android_system_bt/365980.patch

@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Fri, 19 May 2023 19:17:16 +0000
+Subject: [PATCH] Fix integer overflow in build_read_multi_rsp
+
+Local variables tracking structure size in build_read_multi_rsp are of
+uint16 type but accept a full uint16 range from function arguments while
+appending a fixed-length offset.  This can lead to an integer overflow
+and unexpected behavior.
+
+Change the locals to size_t, and add a check during reasssignment.
+
+Bug: 273966636
+Test: atest bluetooth_test_gd_unit, net_test_stack_btm
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:53f64274cbf2268ad6db5af9c61ceead9ef64fb0)
+Merged-In: Iff252f0dd06aac9776e8548631e0b700b3ed85b9
+Change-Id: Iff252f0dd06aac9776e8548631e0b700b3ed85b9
+---
+ stack/gatt/gatt_sr.cc | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index f9e8f537f..1b9988739 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -111,7 +111,8 @@ void gatt_dequeue_sr_cmd(tGATT_TCB& tcb) {
+  ******************************************************************************/
+ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+                                    tGATTS_RSP* p_msg, uint16_t mtu) {
+-  uint16_t ii, total_len, len;
++  uint16_t ii;
++  size_t total_len, len;
+   uint8_t* p;
+   bool is_overflow = false;
+ 
+@@ -166,16 +167,22 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+             len = p_rsp->attr_value.len - (total_len - mtu);
+             is_overflow = true;
+             VLOG(1) << StringPrintf(
+-                "multi read overflow available len=%d val_len=%d", len,
++                "multi read overflow available len=%zu val_len=%d", len,
+                 p_rsp->attr_value.len);
+           } else {
+             len = p_rsp->attr_value.len;
+           }
+ 
+           if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
+-            memcpy(p, p_rsp->attr_value.value, len);
+-            if (!is_overflow) p += len;
+-            p_buf->len += len;
++            // check for possible integer overflow
++            if (p_buf->len + len <= UINT16_MAX) {
++              memcpy(p, p_rsp->attr_value.value, len);
++              if (!is_overflow) p += len;
++              p_buf->len += len;
++            } else {
++              p_cmd->status = GATT_NOT_FOUND;
++              break;
++            }
+           } else {
+             p_cmd->status = GATT_NOT_FOUND;
+             break;

Patches/LineageOS-15.1/android_system_bt/365981.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Thu, 27 Apr 2023 20:43:58 +0000
+Subject: [PATCH] Fix potential abort in btu_av_act.cc
+
+Partner analysis shows that bta_av_rc_msg does not respect handling
+established for a null browse packet, instead dispatching the null
+pointer to bta_av_rc_free_browse_msg.  Strictly speaking this does
+not cause a UAF, as osi_free_and_reset will find the null and abort,
+but it will lead to improper program termination.
+
+Handle the case instead.
+
+Bug: 269253349
+Test: atest bluetooth_test_gd_unit
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:91f6d6215c101acc99a7397c5fb5a12fe6d7b8e9)
+Merged-In: I4df7045798b663fbefd7434288dc9383216171a7
+Change-Id: I4df7045798b663fbefd7434288dc9383216171a7
+---
+ bta/av/bta_av_act.cc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
+index 541d68303..acd6f5281 100644
+--- a/bta/av/bta_av_act.cc
++++ b/bta/av/bta_av_act.cc
+@@ -1004,7 +1004,10 @@ void bta_av_rc_msg(tBTA_AV_CB* p_cb, tBTA_AV_DATA* p_data) {
+     av.remote_cmd.rc_handle = p_data->rc_msg.handle;
+     (*p_cb->p_cback)(evt, &av);
+     /* If browsing message, then free the browse message buffer */
+-    bta_av_rc_free_browse_msg(p_cb, p_data);
++    if (p_data->rc_msg.opcode == AVRC_OP_BROWSE &&
++        p_data->rc_msg.msg.browse.p_browse_pkt != NULL) {
++      bta_av_rc_free_browse_msg(p_cb, p_data);
++    }
+   }
+ }
+ 

Patches/LineageOS-15.1/android_system_bt/365982-backport.patch

@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Thu, 1 Jun 2023 23:57:58 +0000
+Subject: [PATCH] Fix UAF in gatt_cl.cc
+
+gatt_cl.cc accesses a header field after the buffer holding it may have
+been freed.
+
+Track the relevant state as a local variable instead.
+
+Bug: 274617156
+Test: atest: bluetooth, validated against fuzzer
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d7a7f7f3311202065de4b2c17b49994053dd1244)
+Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
+Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
+---
+ stack/gatt/gatt_cl.cc | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
+index 014240888..305a54660 100644
+--- a/stack/gatt/gatt_cl.cc
++++ b/stack/gatt/gatt_cl.cc
+@@ -583,7 +583,12 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
+ 
+   memcpy(value.value, p, value.len);
+ 
+-  if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {
++  bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);
++
++  // We now know that we have not terminated, or else we would have returned
++  // early.  We free the buffer only if the subtype is not equal to
++  // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF.
++  if (subtype_is_write_prepare) {
+     p_clcb->status = GATT_SUCCESS;
+     /* application should verify handle offset
+        and value are matched or not */

Scripts/LineageOS-15.1/Patch.sh

@@ -74,7 +74,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
 applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2023-08-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2023-09-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -138,6 +138,7 @@ fi;
 if enterAndClear "frameworks/av"; then
 #if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_av/358729.patch"; #n-asb-2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
+applyPatch "$DOS_PATCHES/android_frameworks_av/365962.patch"; #R_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
 fi;
 
 if enterAndClear "frameworks/base"; then
@@ -203,6 +204,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/364033-backport.patch"; #R_asb_
 applyPatch "$DOS_PATCHES/android_frameworks_base/364036-backport.patch"; #R_asb_2023-08 Verify URI permissions in MediaMetadata
 applyPatch "$DOS_PATCHES/android_frameworks_base/364037.patch"; #R_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
 applyPatch "$DOS_PATCHES/android_frameworks_base/364038-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user.
+applyPatch "$DOS_PATCHES/android_frameworks_base/365967.patch"; #R_asb_2023-09 Update AccountManagerService checkKeyIntentParceledCorrectly.
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
@@ -230,6 +232,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_native/326752.patch"; #P_asb_2022-03
 applyPatch "$DOS_PATCHES/android_frameworks_native/355772.patch"; #R_asb_2023-05 Check for malformed Sensor Flattenable
 applyPatch "$DOS_PATCHES/android_frameworks_native/355773-backport.patch"; #R_asb_2023-05 Remove some new memory leaks from SensorManager
 applyPatch "$DOS_PATCHES/android_frameworks_native/355774-backport.patch"; #R_asb_2023-05 Add removeInstanceForPackageMethod to SensorManager
+applyPatch "$DOS_PATCHES/android_frameworks_native/365969-backport.patch"; #R_asb_2023-09 Allow sensors list to be empty
 if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
 fi;
 
@@ -343,6 +346,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345911.patch"; #P_asb_20
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345912-backport.patch"; #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351914-backport.patch"; #P_asb_2023-03 FRP bypass defense in the settings app
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358568-backport.patch"; #R_asb_2023-06 Convert argument to intent in AddAccountSettings.
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/365973-backport.patch"; #R_asb_2023-09 Prevent non-system IME from becoming device admin
 git revert --no-edit a96df110e84123fe1273bff54feca3b4ca484dcd; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 if [ "$DOS_SENSORS_PERM" = true ]; then
@@ -357,6 +361,10 @@ if enterAndClear "packages/apps/SetupWizard"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics.patch"; #Remove analytics (DivestOS)
 fi;
 
+if enterAndClear "packages/apps/Trebuchet"; then
+applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/365974.patch"; #R_asb_2023-09 Fix permission issue in legacy shortcut
+fi;
+
 if enterAndClear "packages/apps/TvSettings"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_TvSettings/358578.patch"; #R_asb_2023-06 Convert argument to intent in addAccount TvSettings.
 fi;
@@ -403,6 +411,7 @@ fi;
 
 if enterAndClear "packages/services/Telephony"; then
 applyPatch "$DOS_PATCHES/android_packages_services_Telephony/347041-backport.patch"; #P_asb_2023-01 Prevent overlays on the phone settings
+applyPatch "$DOS_PATCHES/android_packages_services_Telephony/365978-backport.patch"; #R_asb_2023-09 Fixed leak of cross user data in multiple settings.
 applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #(DivestOS)
 applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
 fi;
@@ -437,6 +446,10 @@ applyPatch "$DOS_PATCHES/android_system_bt/358580.patch"; #R_asb_2023-06 Prevent
 applyPatch "$DOS_PATCHES/android_system_bt/358581-backport.patch"; #R_asb_2023-06 Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq""
 applyPatch "$DOS_PATCHES/android_system_bt/358582.patch"; #R_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
 applyPatch "$DOS_PATCHES/android_system_bt/360969.patch"; #R_asb_2023-07 Fix gatt_end_operation buffer overflow
+applyPatch "$DOS_PATCHES/android_system_bt/365979.patch"; #R_asb_2023-09 Fix an integer overflow bug in avdt_msg_asmbl
+applyPatch "$DOS_PATCHES/android_system_bt/365980.patch"; #R_asb_2023-09 Fix integer overflow in build_read_multi_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/365981.patch"; #R_asb_2023-09 Fix potential abort in btu_av_act.cc
+applyPatch "$DOS_PATCHES/android_system_bt/365982-backport.patch"; #R_asb_2023-09 Fix UAF in gatt_cl.cc
 fi;
 
 if enterAndClear "system/ca-certificates"; then