From 3b2fde1dd6d631a307213152bc58ec74b4b9773c Mon Sep 17 00:00:00 2001 From: Tavi Date: Wed, 13 Mar 2024 20:34:31 -0400 Subject: [PATCH] 16: ASB picks Signed-off-by: Tavi --- .../android_frameworks_av/381886.patch | 35 ------ .../0013-Special_Permissions.patch | 4 +- .../381889-backport.patch | 110 ------------------ .../android_system_bt/381894.patch | 44 ------- .../android_system_bt/381895.patch | 38 ------ .../0024-Unprivileged_microG_Handling.patch | 4 +- Scripts/LineageOS-16.0/Functions.sh | 2 + Scripts/LineageOS-16.0/Patch.sh | 6 +- 8 files changed, 7 insertions(+), 236 deletions(-) delete mode 100644 Patches/LineageOS-16.0/android_frameworks_av/381886.patch delete mode 100644 Patches/LineageOS-16.0/android_frameworks_base/381889-backport.patch delete mode 100644 Patches/LineageOS-16.0/android_system_bt/381894.patch delete mode 100644 Patches/LineageOS-16.0/android_system_bt/381895.patch diff --git a/Patches/LineageOS-16.0/android_frameworks_av/381886.patch b/Patches/LineageOS-16.0/android_frameworks_av/381886.patch deleted file mode 100644 index 0fd71ace..00000000 --- a/Patches/LineageOS-16.0/android_frameworks_av/381886.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Ashish Kumar Gupta -Date: Tue, 21 Nov 2023 08:48:43 +0530 -Subject: [PATCH] Update mtp packet buffer - -Currently, the buffer size is not changed when the packet size is increased. Ideally, the buffer size should be larger than the packet size. In our case, when the packet size is increased, we must reallocate the buffer of MTP packet. - -Bug: 300007708 -Test: build and flash the device. Check MTP works -Test: run fuzzer locally -(cherry picked from commit e1494a2d8e7eee25d7ea5469be43740e97294c99) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c0f99beb6fa5ff920caf5b0d06aaebc8e9eab24) -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:edf60c63243903b9f27f58f4954c599470d011fd) -Merged-In: I98398a9e15962e6d5f08445ee7b17f5d61a3a528 -Change-Id: I98398a9e15962e6d5f08445ee7b17f5d61a3a528 ---- - media/mtp/MtpPacket.cpp | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/media/mtp/MtpPacket.cpp b/media/mtp/MtpPacket.cpp -index 917967cf17..d7567141d6 100644 ---- a/media/mtp/MtpPacket.cpp -+++ b/media/mtp/MtpPacket.cpp -@@ -168,8 +168,10 @@ void MtpPacket::setParameter(int index, uint32_t value) { - return; - } - int offset = MTP_CONTAINER_PARAMETER_OFFSET + (index - 1) * sizeof(uint32_t); -- if (mPacketSize < offset + sizeof(uint32_t)) -+ if (mPacketSize < offset + sizeof(uint32_t)) { - mPacketSize = offset + sizeof(uint32_t); -+ allocate(mPacketSize); -+ } - putUInt32(offset, value); - } - diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0013-Special_Permissions.patch b/Patches/LineageOS-16.0/android_frameworks_base/0013-Special_Permissions.patch index c6dc88cf..0f7d9f1e 100644 --- a/Patches/LineageOS-16.0/android_frameworks_base/0013-Special_Permissions.patch +++ b/Patches/LineageOS-16.0/android_frameworks_base/0013-Special_Permissions.patch 
@@ -11,10 +11,10 @@ need to be granted by default for all apps to maintain compatibility. 2 files changed, 25 insertions(+), 8 deletions(-) diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java -index 25f70b23e68f..443d9a1a2f91 100644 +index 893268da7f36..f91fa76b53ce 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java -@@ -19729,7 +19729,8 @@ public class PackageManagerService extends IPackageManager.Stub +@@ -19732,7 +19732,8 @@ public class PackageManagerService extends IPackageManager.Stub } // If this permission was granted by default, make sure it is. diff --git a/Patches/LineageOS-16.0/android_frameworks_base/381889-backport.patch b/Patches/LineageOS-16.0/android_frameworks_base/381889-backport.patch deleted file mode 100644 index 4048fe7b..00000000 --- a/Patches/LineageOS-16.0/android_frameworks_base/381889-backport.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fabi=C3=A1n=20Kozynski?= -Date: Fri, 13 Oct 2023 16:19:27 -0400 -Subject: [PATCH] Unbind TileService onNullBinding - -Test: atest TileLifecycleManagerTest -Test: manual: adb shell dumpsys activity service -Test: sts test -Bug: 300903792 -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bf830ca0df71496cd47563e138b8712918e0476) -Merged-In: Ia8126ac65432b124683960e3ebf47301ba6172a1 -Change-Id: Ia8126ac65432b124683960e3ebf47301ba6172a1 ---- - .../qs/external/TileLifecycleManager.java | 5 +++ - .../qs/external/TileLifecycleManagerTest.java | 33 ++++++++++++++++--- - 2 files changed, 34 insertions(+), 4 deletions(-) - -diff --git a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java -index 1170d7b6e8a9..c0d4736d4a97 100644 ---- a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java -+++ b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java -@@ -192,6 +192,11 @@ public class TileLifecycleManager extends BroadcastReceiver implements - handlePendingMessages(); - } - -+ @Override -+ public void onNullBinding(ComponentName name) { -+ setBindService(false); -+ } -+ - @Override - public void onServiceDisconnected(ComponentName name) { - if (DEBUG) Log.d(TAG, "onServiceDisconnected " + name); -diff --git a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java -index e5e8ae3311ef..4a389743a395 100644 ---- a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java -+++ b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java -@@ -22,13 +22,16 @@ import static 
org.junit.Assert.assertEquals; - import static org.mockito.Mockito.any; - import static org.mockito.Mockito.anyInt; - import static org.mockito.Mockito.anyString; -+import static org.mockito.Mockito.mock; - import static org.mockito.Mockito.never; - import static org.mockito.Mockito.times; - import static org.mockito.Mockito.verify; - import static org.mockito.Mockito.when; - - import android.content.ComponentName; -+import android.content.Context; - import android.content.Intent; -+import android.content.ServiceConnection; - import android.content.pm.PackageInfo; - import android.content.pm.ServiceInfo; - import android.net.Uri; -@@ -49,7 +52,7 @@ import org.junit.After; - import org.junit.Before; - import org.junit.Test; - import org.junit.runner.RunWith; --import org.mockito.Mockito; -+import org.mockito.ArgumentCaptor; - - @SmallTest - @RunWith(AndroidJUnit4.class) -@@ -57,8 +60,8 @@ public class TileLifecycleManagerTest extends SysuiTestCase { - private static final int TEST_FAIL_TIMEOUT = 5000; - - private final PackageManagerAdapter mMockPackageManagerAdapter = -- Mockito.mock(PackageManagerAdapter.class); -- private final IQSTileService.Stub mMockTileService = Mockito.mock(IQSTileService.Stub.class); -+ mock(PackageManagerAdapter.class); -+ private final IQSTileService.Stub mMockTileService = mock(IQSTileService.Stub.class); - private ComponentName mTileServiceComponentName; - private Intent mTileServiceIntent; - private UserHandle mUser; -@@ -83,7 +86,7 @@ public class TileLifecycleManagerTest extends SysuiTestCase { - mThread.start(); - mHandler = Handler.createAsync(mThread.getLooper()); - mStateManager = new TileLifecycleManager(mHandler, mContext, -- Mockito.mock(IQSService.class), new Tile(), -+ mock(IQSService.class), new Tile(), - mTileServiceIntent, - mUser, - mMockPackageManagerAdapter); -@@ -236,4 +239,26 @@ public class TileLifecycleManagerTest extends SysuiTestCase { - verifyBind(2); - verify(mMockTileService, times(2)).onStartListening(); - } 
-+ -+ @Test -+ public void testNullBindingCallsUnbind() { -+ Context mockContext = mock(Context.class); -+ // Binding has to succeed -+ when(mockContext.bindServiceAsUser(any(), any(), anyInt(), any())).thenReturn(true); -+ TileLifecycleManager manager = new TileLifecycleManager(mHandler, mockContext, -+ mock(IQSService.class), -+ new Tile(), -+ mTileServiceIntent, -+ mUser, -+ mMockPackageManagerAdapter, -+ mMockBroadcastDispatcher); -+ -+ manager.setBindService(true); -+ -+ ArgumentCaptor captor = ArgumentCaptor.forClass(ServiceConnection.class); -+ verify(mockContext).bindServiceAsUser(any(), captor.capture(), anyInt(), any()); -+ -+ captor.getValue().onNullBinding(mTileServiceComponentName); -+ verify(mockContext).unbindService(captor.getValue()); -+ } - } diff --git a/Patches/LineageOS-16.0/android_system_bt/381894.patch b/Patches/LineageOS-16.0/android_system_bt/381894.patch deleted file mode 100644 index fac37519..00000000 --- a/Patches/LineageOS-16.0/android_system_bt/381894.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Hui Peng -Date: Wed, 29 Nov 2023 00:53:33 +0000 -Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and - attp_build_value_cmd - -this is a backport of Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368 - -Bug: 276898739 -Test: manual -Tag: #security -Ignore-AOSP-First: security -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e) -Merged-In: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3 -Change-Id: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3 ---- - btif/src/btif_gatt_util.cc | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/btif/src/btif_gatt_util.cc b/btif/src/btif_gatt_util.cc -index 16f227511..a0798df15 100644 ---- a/btif/src/btif_gatt_util.cc -+++ b/btif/src/btif_gatt_util.cc -@@ -18,6 +18,8 @@ - - #define LOG_TAG "bt_btif_gatt" - -+#include -+ - #include "btif_gatt_util.h" - - #include -@@ -48,9 +50,9 @@ using bluetooth::Uuid; - void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) { - p_dest->attr_value.auth_req = p_src->attr_value.auth_req; - p_dest->attr_value.handle = p_src->attr_value.handle; -- p_dest->attr_value.len = p_src->attr_value.len; -+ p_dest->attr_value.len = std::min(p_src->attr_value.len, GATT_MAX_ATTR_LEN); - p_dest->attr_value.offset = p_src->attr_value.offset; -- memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN); -+ memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len); - } - - /******************************************************************************* diff --git a/Patches/LineageOS-16.0/android_system_bt/381895.patch b/Patches/LineageOS-16.0/android_system_bt/381895.patch deleted file mode 100644 index 0fa6022d..00000000 --- a/Patches/LineageOS-16.0/android_system_bt/381895.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Hui Peng -Date: Wed, 29 Nov 2023 18:23:53 +0000 -Subject: [PATCH] Fix an OOB write bug in attp_build_read_by_type_value_cmd - -This is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e - -Bug: 297524203 -Test: m com.android.btservices -Ignore-AOSP-First: security -(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7) -Merged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181 -Change-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181 ---- - stack/gatt/att_protocol.cc | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc -index 142216cc9..5bd814c88 100644 ---- a/stack/gatt/att_protocol.cc -+++ b/stack/gatt/att_protocol.cc -@@ -157,8 +157,14 @@ BT_HDR* attp_build_read_by_type_value_cmd(uint16_t payload_size, - tGATT_FIND_TYPE_VALUE* p_value_type) { - uint8_t* p; - uint16_t len = p_value_type->value_len; -- BT_HDR* p_buf = -- (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET); -+ BT_HDR* p_buf = nullptr; -+ -+ if (payload_size < 5) { -+ return nullptr; -+ } -+ -+ p_buf = -+ (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET); - - p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; - p_buf->offset = L2CAP_MIN_OFFSET; diff --git a/Patches/LineageOS-18.1/android_frameworks_base/0024-Unprivileged_microG_Handling.patch b/Patches/LineageOS-18.1/android_frameworks_base/0024-Unprivileged_microG_Handling.patch index 3c6501d6..a8fac89d 100644 --- a/Patches/LineageOS-18.1/android_frameworks_base/0024-Unprivileged_microG_Handling.patch +++ b/Patches/LineageOS-18.1/android_frameworks_base/0024-Unprivileged_microG_Handling.patch @@ -133,7 +133,7 @@ index 10f77144e022..eaa6bbb58679 100644 || newPkg.isForceQueryable() || ArrayUtils.contains(mForceQueryableByDevicePackageNames, 
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java -index 9611b381942c..c286aa93130b 100644 +index f284d58713e5..a0992aa25b12 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -4465,8 +4465,20 @@ public class PackageManagerService extends IPackageManager.Stub @@ -194,7 +194,7 @@ index 9611b381942c..c286aa93130b 100644 @Override public PackageInfo getPackageInfo(String packageName, int flags, int userId) { return getPackageInfoInternal(packageName, PackageManager.VERSION_CODE_HIGHEST, -@@ -21565,6 +21605,19 @@ public class PackageManagerService extends IPackageManager.Stub +@@ -21568,6 +21608,19 @@ public class PackageManagerService extends IPackageManager.Stub return null; } diff --git a/Scripts/LineageOS-16.0/Functions.sh b/Scripts/LineageOS-16.0/Functions.sh index f3553cac..aada802d 100644 --- a/Scripts/LineageOS-16.0/Functions.sh +++ b/Scripts/LineageOS-16.0/Functions.sh @@ -97,6 +97,8 @@ patchWorkspaceReal() { repopick -fit P_asb_2023-11 -e 374916; repopick -fit P_asb_2023-12; repopick -fit P_asb_2024-01; + repopick -fit P_asb_2024-02; + repopick -fit P_asb_2024-03; sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh"; diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh index f199d65c..b377e170 100644 --- a/Scripts/LineageOS-16.0/Patch.sh +++ b/Scripts/LineageOS-16.0/Patch.sh 
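Review bot: In the Scripts/LineageOS-16.0/Functions.sh hunk, the added `repopick -fit P_asb_2024-02;` and `repopick -fit P_asb_2024-03;` lines fetch whatever those Gerrit topics hold at build time, and nothing visible checks that the picks applied. They appear to stand in for the four in-repo patch files this commit deletes (381886, 381889-backport, 381894, 381895), which were fixed, reviewable content. Because `-i` (ignore-missing) lets a pick whose target directory is absent be skipped without an error, a fix such as the `btif_to_bta_response` length clamp could presumably drop out without the build failing. I would add a comment such as `#P_asb_2024-02 supersedes local 381886/381889-backport/381894/381895` and a post-pick check that one of the fixed files contains its fix, for example that `onNullBinding` is present in TileLifecycleManager.java. patchWorkspaceReal() starts and ends outside the hunk.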
@@ -99,7 +99,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) awk -i inplace '!/Email/' target/product/core.mk; #Remove Email -sed -i 's/2022-01-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-02 #XXX +sed -i 's/2022-01-05/2024-03-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-03 #XXX fi; if enterAndClear "build/soong"; then @@ -161,12 +161,10 @@ awk -i inplace '!/deletePackage/' pico/src/com/svox/pico/LangPackUninstaller.jav fi; if enterAndClear "frameworks/av"; then -applyPatch "$DOS_PATCHES/android_frameworks_av/381886.patch"; #R_asb_2024-02 Update mtp packet buffer if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS) fi; if enterAndClear "frameworks/base"; then -applyPatch "$DOS_PATCHES/android_frameworks_base/381889-backport.patch"; #R_asb_2024-02 Unbind TileService onNullBinding applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS) 
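Review bot: In the `@@ -99,7 +99,7 @@` hunk of Scripts/LineageOS-16.0/Patch.sh, the changed `sed -i 's/2022-01-05/2024-03-05/' core/version_defaults.mk;` is not verified: sed exits successfully when `2022-01-05` does not match. The advertised patch level is also not tied to the P_asb_2024-03 picks having applied, so the date can overstate what the build contains. Following the line with `grep -q '2024-03-05' core/version_defaults.mk || echo "security patch level not updated" >&2;` (or an abort, if the script's conventions allow) would surface a silent no-op. The existing `#XXX` marker suggests the line is already considered fragile, so a short comment stating what must hold before the date is raised would help the next bump. The enclosing if-block starts outside the hunk.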
@@ -367,8 +365,6 @@ fi; if enterAndClear "system/bt"; then applyPatch "$DOS_PATCHES/android_system_bt/377030-backport.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc applyPatch "$DOS_PATCHES/android_system_bt/377031.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow -applyPatch "$DOS_PATCHES/android_system_bt/381894.patch"; #R_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd -applyPatch "$DOS_PATCHES/android_system_bt/381895.patch"; #R_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS) fi;