16: ASB picks

Signed-off-by: Tavi <tavi@divested.dev>
2024-10-01 01:35:54 -04:00 · 2024-03-13 20:34:31 -04:00 · 2024-03-13 20:34:31 -04:00 · 3b2fde1dd6
commit 3b2fde1dd6
parent 8157086726
8 changed files with 7 additions and 236 deletions
--- a/Patches/LineageOS-16.0/android_frameworks_av/381886.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_av/381886.patch
@ -1,35 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Ashish Kumar Gupta <kumarashishg@google.com>
-Date: Tue, 21 Nov 2023 08:48:43 +0530
-Subject: [PATCH] Update mtp packet buffer
-
-Currently, the buffer size is not changed when the packet size is increased. Ideally, the buffer size should be larger than the packet size. In our case, when the packet size is increased, we must reallocate the buffer of MTP packet.
-
-Bug: 300007708
-Test: build and flash the device. Check MTP works
-Test: run fuzzer locally
-(cherry picked from commit e1494a2d8e7eee25d7ea5469be43740e97294c99)
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c0f99beb6fa5ff920caf5b0d06aaebc8e9eab24)
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:edf60c63243903b9f27f58f4954c599470d011fd)
-Merged-In: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
-Change-Id: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
---
- media/mtp/MtpPacket.cpp | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/media/mtp/MtpPacket.cpp b/media/mtp/MtpPacket.cpp
-index 917967cf17..d7567141d6 100644
--- a/media/mtp/MtpPacket.cpp
-+++ b/media/mtp/MtpPacket.cpp
-@@ -168,8 +168,10 @@ void MtpPacket::setParameter(int index, uint32_t value) {
-         return;
-     }
-     int offset = MTP_CONTAINER_PARAMETER_OFFSET + (index - 1) * sizeof(uint32_t);
-    if (mPacketSize < offset + sizeof(uint32_t))
-+    if (mPacketSize < offset + sizeof(uint32_t)) {
-         mPacketSize = offset + sizeof(uint32_t);
-+        allocate(mPacketSize);
-+    }
-     putUInt32(offset, value);
- }
- 
--- a/Patches/LineageOS-16.0/android_frameworks_base/0013-Special_Permissions.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0013-Special_Permissions.patch
@ -11,10 +11,10 @@ need to be granted by default for all apps to maintain compatibility.
 2 files changed, 25 insertions(+), 8 deletions(-)

 diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
-index 25f70b23e68f..443d9a1a2f91 100644
+index 893268da7f36..f91fa76b53ce 100644
 --- a/services/core/java/com/android/server/pm/PackageManagerService.java
 +++ b/services/core/java/com/android/server/pm/PackageManagerService.java
-@@ -19729,7 +19729,8 @@ public class PackageManagerService extends IPackageManager.Stub
+@@ -19732,7 +19732,8 @@ public class PackageManagerService extends IPackageManager.Stub
             }
 
             // If this permission was granted by default, make sure it is.
--- a/Patches/LineageOS-16.0/android_frameworks_base/381889-backport.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/381889-backport.patch
@ -1,110 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabi=C3=A1n=20Kozynski?= <kozynski@google.com>
-Date: Fri, 13 Oct 2023 16:19:27 -0400
-Subject: [PATCH] Unbind TileService onNullBinding
-
-Test: atest TileLifecycleManagerTest
-Test: manual: adb shell dumpsys activity service
-Test: sts test
-Bug: 300903792
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bf830ca0df71496cd47563e138b8712918e0476)
-Merged-In: Ia8126ac65432b124683960e3ebf47301ba6172a1
-Change-Id: Ia8126ac65432b124683960e3ebf47301ba6172a1
---
- .../qs/external/TileLifecycleManager.java     |  5 +++
- .../qs/external/TileLifecycleManagerTest.java | 33 ++++++++++++++++---
- 2 files changed, 34 insertions(+), 4 deletions(-)
-
-diff --git a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
-index 1170d7b6e8a9..c0d4736d4a97 100644
--- a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
-+++ b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
-@@ -192,6 +192,11 @@ public class TileLifecycleManager extends BroadcastReceiver implements
-         handlePendingMessages();
-     }
- 
-+    @Override
-+    public void onNullBinding(ComponentName name) {
-+        setBindService(false);
-+    }
-+
-     @Override
-     public void onServiceDisconnected(ComponentName name) {
-         if (DEBUG) Log.d(TAG, "onServiceDisconnected " + name);
-diff --git a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
-index e5e8ae3311ef..4a389743a395 100644
--- a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
-+++ b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
-@@ -22,13 +22,16 @@ import static org.junit.Assert.assertEquals;
- import static org.mockito.Mockito.any;
- import static org.mockito.Mockito.anyInt;
- import static org.mockito.Mockito.anyString;
-+import static org.mockito.Mockito.mock;
- import static org.mockito.Mockito.never;
- import static org.mockito.Mockito.times;
- import static org.mockito.Mockito.verify;
- import static org.mockito.Mockito.when;
- 
- import android.content.ComponentName;
-+import android.content.Context;
- import android.content.Intent;
-+import android.content.ServiceConnection;
- import android.content.pm.PackageInfo;
- import android.content.pm.ServiceInfo;
- import android.net.Uri;
-@@ -49,7 +52,7 @@ import org.junit.After;
- import org.junit.Before;
- import org.junit.Test;
- import org.junit.runner.RunWith;
-import org.mockito.Mockito;
-+import org.mockito.ArgumentCaptor;
- 
- @SmallTest
- @RunWith(AndroidJUnit4.class)
-@@ -57,8 +60,8 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
-     private static final int TEST_FAIL_TIMEOUT = 5000;
- 
-     private final PackageManagerAdapter mMockPackageManagerAdapter =
-            Mockito.mock(PackageManagerAdapter.class);
-    private final IQSTileService.Stub mMockTileService = Mockito.mock(IQSTileService.Stub.class);
-+            mock(PackageManagerAdapter.class);
-+    private final IQSTileService.Stub mMockTileService = mock(IQSTileService.Stub.class);
-     private ComponentName mTileServiceComponentName;
-     private Intent mTileServiceIntent;
-     private UserHandle mUser;
-@@ -83,7 +86,7 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
-         mThread.start();
-         mHandler = Handler.createAsync(mThread.getLooper());
-         mStateManager = new TileLifecycleManager(mHandler, mContext,
-                Mockito.mock(IQSService.class), new Tile(),
-+                mock(IQSService.class), new Tile(),
-                 mTileServiceIntent,
-                 mUser,
-                 mMockPackageManagerAdapter);
-@@ -236,4 +239,26 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
-         verifyBind(2);
-         verify(mMockTileService, times(2)).onStartListening();
-     }
-+
-+    @Test
-+    public void testNullBindingCallsUnbind() {
-+        Context mockContext = mock(Context.class);
-+        // Binding has to succeed
-+        when(mockContext.bindServiceAsUser(any(), any(), anyInt(), any())).thenReturn(true);
-+        TileLifecycleManager manager = new TileLifecycleManager(mHandler, mockContext,
-+                mock(IQSService.class),
-+                new Tile(),
-+                mTileServiceIntent,
-+                mUser,
-+                mMockPackageManagerAdapter,
-+                mMockBroadcastDispatcher);
-+
-+        manager.setBindService(true);
-+
-+        ArgumentCaptor<ServiceConnection> captor = ArgumentCaptor.forClass(ServiceConnection.class);
-+        verify(mockContext).bindServiceAsUser(any(), captor.capture(), anyInt(), any());
-+
-+        captor.getValue().onNullBinding(mTileServiceComponentName);
-+        verify(mockContext).unbindService(captor.getValue());
-+    }
- }
--- a/Patches/LineageOS-16.0/android_system_bt/381894.patch
+++ b/Patches/LineageOS-16.0/android_system_bt/381894.patch
@ -1,44 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng <phui@google.com>
-Date: Wed, 29 Nov 2023 00:53:33 +0000
-Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and
- attp_build_value_cmd
-
-this is a backport of Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
-
-Bug: 276898739
-Test: manual
-Tag: #security
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e)
-Merged-In: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
-Change-Id: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
---
- btif/src/btif_gatt_util.cc | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/btif/src/btif_gatt_util.cc b/btif/src/btif_gatt_util.cc
-index 16f227511..a0798df15 100644
--- a/btif/src/btif_gatt_util.cc
-+++ b/btif/src/btif_gatt_util.cc
-@@ -18,6 +18,8 @@
- 
- #define LOG_TAG "bt_btif_gatt"
- 
-+#include <algorithm>
-+
- #include "btif_gatt_util.h"
- 
- #include <errno.h>
-@@ -48,9 +50,9 @@ using bluetooth::Uuid;
- void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) {
-   p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
-   p_dest->attr_value.handle = p_src->attr_value.handle;
-  p_dest->attr_value.len = p_src->attr_value.len;
-+  p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
-   p_dest->attr_value.offset = p_src->attr_value.offset;
-  memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
-+  memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
- }
- 
- /*******************************************************************************
--- a/Patches/LineageOS-16.0/android_system_bt/381895.patch
+++ b/Patches/LineageOS-16.0/android_system_bt/381895.patch
@ -1,38 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hui Peng <phui@google.com>
-Date: Wed, 29 Nov 2023 18:23:53 +0000
-Subject: [PATCH] Fix an OOB write bug in attp_build_read_by_type_value_cmd
-
-This is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e
-
-Bug: 297524203
-Test: m com.android.btservices
-Ignore-AOSP-First: security
-(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)
-Merged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181
-Change-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181
---
- stack/gatt/att_protocol.cc | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
-index 142216cc9..5bd814c88 100644
--- a/stack/gatt/att_protocol.cc
-+++ b/stack/gatt/att_protocol.cc
-@@ -157,8 +157,14 @@ BT_HDR* attp_build_read_by_type_value_cmd(uint16_t payload_size,
-                                           tGATT_FIND_TYPE_VALUE* p_value_type) {
-   uint8_t* p;
-   uint16_t len = p_value_type->value_len;
-  BT_HDR* p_buf =
-      (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
-+  BT_HDR* p_buf = nullptr;
-+
-+  if (payload_size < 5) {
-+    return nullptr;
-+  }
-+
-+  p_buf =
-+  (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
- 
-   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
-   p_buf->offset = L2CAP_MIN_OFFSET;
--- a/Patches/LineageOS-18.1/android_frameworks_base/0024-Unprivileged_microG_Handling.patch
+++ b/Patches/LineageOS-18.1/android_frameworks_base/0024-Unprivileged_microG_Handling.patch
@ -133,7 +133,7 @@ index 10f77144e022..eaa6bbb58679 100644
                         || newPkg.isForceQueryable()
                         || ArrayUtils.contains(mForceQueryableByDevicePackageNames,
 diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
-index 9611b381942c..c286aa93130b 100644
+index f284d58713e5..a0992aa25b12 100644
 --- a/services/core/java/com/android/server/pm/PackageManagerService.java
 +++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -4465,8 +4465,20 @@ public class PackageManagerService extends IPackageManager.Stub
@ -194,7 +194,7 @@ index 9611b381942c..c286aa93130b 100644
     @Override
     public PackageInfo getPackageInfo(String packageName, int flags, int userId) {
         return getPackageInfoInternal(packageName, PackageManager.VERSION_CODE_HIGHEST,
-@@ -21565,6 +21605,19 @@ public class PackageManagerService extends IPackageManager.Stub
+@@ -21568,6 +21608,19 @@ public class PackageManagerService extends IPackageManager.Stub
             return null;
         }
 
--- a/Scripts/LineageOS-16.0/Functions.sh
+++ b/Scripts/LineageOS-16.0/Functions.sh
@ -97,6 +97,8 @@ patchWorkspaceReal() {
 	repopick -fit P_asb_2023-11 -e 374916;
 	repopick -fit P_asb_2023-12;
 	repopick -fit P_asb_2024-01;
+	repopick -fit P_asb_2024-02;
+	repopick -fit P_asb_2024-03;

 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@ -99,7 +99,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2022-01-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-02 #XXX
+sed -i 's/2022-01-05/2024-03-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-03 #XXX
 fi;

 if enterAndClear "build/soong"; then
@ -161,12 +161,10 @@ awk -i inplace '!/deletePackage/' pico/src/com/svox/pico/LangPackUninstaller.jav
 fi;

 if enterAndClear "frameworks/av"; then
-applyPatch "$DOS_PATCHES/android_frameworks_av/381886.patch"; #R_asb_2024-02 Update mtp packet buffer
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
 fi;

 if enterAndClear "frameworks/base"; then
-applyPatch "$DOS_PATCHES/android_frameworks_base/381889-backport.patch"; #R_asb_2024-02 Unbind TileService onNullBinding
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@ -367,8 +365,6 @@ fi;
 if enterAndClear "system/bt"; then
 applyPatch "$DOS_PATCHES/android_system_bt/377030-backport.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc
 applyPatch "$DOS_PATCHES/android_system_bt/377031.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow
-applyPatch "$DOS_PATCHES/android_system_bt/381894.patch"; #R_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
-applyPatch "$DOS_PATCHES/android_system_bt/381895.patch"; #R_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
 #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 fi;