17.1: September 2024 ASB work

Signed-off-by: Tavi <tavi@divested.dev>
Tavi 2024-09-15 12:40:58 -04:00
parent 4295434c99
commit 40f1367bdc
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
19 changed files with 1041 additions and 33 deletions


@ -78,7 +78,7 @@ external/catch2 bcfbb791d09e390fb545c03ca002e570f764d960
external/cblas 61ee00692011385347a5dd1ad872556899a5cf7a
external/chromium-libpac c98fc96035e6fdc5b84d953d2bd38d2dcd175467
external/chromium-trace f4e722b911fcc6f7164026432de62a02ea3460fb
external/chromium-webview b270aa98312408d5893ee72fcd62b4d89937ceb2
external/chromium-webview 8400ae9b819741cd4d436cce372496426ec85fc9
external/clang 8343f599c9e1dda8e6c1bb779af323a673a052f9
external/cldr 4e0bdd442c1e01f5c6147cf6032ce4f8587f4ede
external/cmockery 9199c7bfafefea32d1884182fa655b6e4578c1c4


@ -1,4 +1,4 @@
From 33050b14552fd7d0767bdc56fc9448323443735e Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Thu, 22 Sep 2022 16:51:17 +0200
Subject: [PATCH] lib: Stop leaking opening tag bindings after closing tag


@ -0,0 +1,34 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wonsik Kim <wonsik@google.com>
Date: Fri, 28 Jun 2024 00:33:51 +0000
Subject: [PATCH] omx: check HDR10+ info param size
Bug: 329641908
Test: presubmit
Flag: EXEMPT security fix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:53298956ba6bb8f147a632d7aaed8566dfc203ee)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f816148a719d2a3bbf432f11da98b3d5fa7de74f)
Merged-In: I72523e1de61e5f947174272b732e170e1c2964df
Change-Id: I72523e1de61e5f947174272b732e170e1c2964df
---
media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
index 418302389d..4ab5d10609 100644
--- a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
+++ b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
@@ -619,6 +619,13 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::getConfig(
if (!isValidOMXParam(outParams)) {
return OMX_ErrorBadParameter;
}
+ if (offsetof(DescribeHDR10PlusInfoParams, nValue) + outParams->nParamSize >
+ outParams->nSize) {
+ ALOGE("b/329641908: too large param size; nParamSize=%u nSize=%u",
+ outParams->nParamSize, outParams->nSize);
+ android_errorWriteLog(0x534e4554, "329641908");
+ return OMX_ErrorBadParameter;
+ }
outParams->nParamSizeUsed = info->size();
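Review bot: The new bound check in getConfig adds `offsetof(DescribeHDR10PlusInfoParams, nValue)` to the caller-supplied `outParams->nParamSize` before comparing, and that sum is computed in size_t, so on a 32-bit build a very large nParamSize can wrap around and satisfy the check. Comparing by subtraction avoids the wrap: `if (outParams->nSize < offsetof(DescribeHDR10PlusInfoParams, nValue) || outParams->nParamSize > outParams->nSize - offsetof(DescribeHDR10PlusInfoParams, nValue)) {`. Whether isValidOMXParam already guarantees the lower bound on nSize is not visible in this hunk, so the first clause may be redundant. The function body continues outside the hunk.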


@ -1,4 +1,4 @@
From d4ac842dbe57dbacd69bc258d4ee8aecf672d8a9 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alexander Grund <flamefire89@gmail.com>
Date: Tue, 27 Aug 2024 16:53:27 +0200
Subject: [PATCH] Fix flag check in JAudioTrack.cpp
@ -12,7 +12,7 @@ Change-Id: Ifd2e98e7bb394c35a8a2f4ebde512046823da043
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/media/libmediaplayer2/JAudioTrack.cpp b/media/libmediaplayer2/JAudioTrack.cpp
index fab6c649fc6..be91e9a920c 100644
index fab6c649fc..be91e9a920 100644
--- a/media/libmediaplayer2/JAudioTrack.cpp
+++ b/media/libmediaplayer2/JAudioTrack.cpp
@@ -695,26 +695,26 @@ jobject JAudioTrack::createVolumeShaperOperationObj(


@ -1,4 +1,4 @@
From 539af09596393c3817545ee116c1a036f5c5d580 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Rakesh Kumar <rakesh.kumar@ittiam.com>
Date: Thu, 30 May 2024 11:17:48 +0000
Subject: [PATCH] StagefrightRecoder: Disabling B-frame support
@ -21,7 +21,7 @@ Change-Id: I4098655eb9687fb633085333bc140634441566e6
1 file changed, 5 insertions(+)
diff --git a/media/libmediaplayerservice/StagefrightRecorder.cpp b/media/libmediaplayerservice/StagefrightRecorder.cpp
index 71c79720fe7..e2a183e80c0 100644
index 71c79720fe..e2a183e80c 100644
--- a/media/libmediaplayerservice/StagefrightRecorder.cpp
+++ b/media/libmediaplayerservice/StagefrightRecorder.cpp
@@ -1797,6 +1797,11 @@ status_t StagefrightRecorder::setupVideoEncoder(


@ -0,0 +1,66 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Kiran Ramachandra <kiranmr@google.com>
Date: Wed, 5 Jun 2024 21:03:33 +0000
Subject: [PATCH] DO NOT MERGE Ignore - Sanitized uri scheme by removing scheme
delimiter
Initially considered removing unsupported characters as per IANA guidelines, but this could break applications that use custom schemes with asterisks. Instead, opted to remove only the "://" to minimize disruption
Bug: 261721900
Test: atest FrameworksCoreTests:android.net.UriTest
No-Typo-Check: The unit test is specifically written to test few cases, string "http://https://" is not a typo
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fd0421801c391dd619cafeeea8d379a9029074a)
Merged-In: I88b1550a5d8b3dc0f6286e28899884025d059645
Change-Id: I88b1550a5d8b3dc0f6286e28899884025d059645
---
core/java/android/net/Uri.java | 6 +++++-
core/tests/coretests/src/android/net/UriTest.java | 11 +++++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java
index 33acef7f9506..3f3501d1dbca 100644
--- a/core/java/android/net/Uri.java
+++ b/core/java/android/net/Uri.java
@@ -1380,7 +1380,11 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
* @param scheme name or {@code null} if this is a relative Uri
*/
public Builder scheme(String scheme) {
- this.scheme = scheme;
+ if (scheme != null) {
+ this.scheme = scheme.replace("://", "");
+ } else {
+ this.scheme = null;
+ }
return this;
}
diff --git a/core/tests/coretests/src/android/net/UriTest.java b/core/tests/coretests/src/android/net/UriTest.java
index 670aefd21d36..17a37831afdb 100644
--- a/core/tests/coretests/src/android/net/UriTest.java
+++ b/core/tests/coretests/src/android/net/UriTest.java
@@ -18,6 +18,7 @@ package android.net;
import android.content.ContentUris;
import android.os.Parcel;
+import android.platform.test.annotations.AsbSecurityTest;
import androidx.test.filters.SmallTest;
@@ -88,6 +89,16 @@ public class UriTest extends TestCase {
assertNull(u.getHost());
}
+ @AsbSecurityTest(cveBugId = 261721900)
+ @SmallTest
+ public void testSchemeSanitization() {
+ Uri uri = new Uri.Builder()
+ .scheme("http://https://evil.com:/te:st/")
+ .authority("google.com").path("one/way").build();
+ assertEquals("httphttpsevil.com:/te:st/", uri.getScheme());
+ assertEquals("httphttpsevil.com:/te:st/://google.com/one/way", uri.toString());
+ }
+
@SmallTest
public void testStringUri() {
assertEquals("bob lee",
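Review bot: `scheme.replace("://", "")` in Builder.scheme() makes a single left-to-right pass, so when one delimiter is nested inside another the removal can join the surrounding characters into a fresh `://` that stays in the stored scheme. Repeating the removal until none is left closes that gap: `String s = scheme; while (s.contains("://")) { s = s.replace("://", ""); } this.scheme = s;`. testSchemeSanitization only covers delimiters that sit apart from each other; a case with a nested delimiter that asserts `assertFalse(uri.getScheme().contains("://"))` would pin the behaviour.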


@ -1,4 +1,4 @@
From 85be42f596b8a36cdf61e321a2d66903b9625679 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Makoto Onuki <omakoto@google.com>
Date: Thu, 10 Oct 2019 08:34:49 -0700
Subject: [PATCH] Stop using UserHandle' hidden constructor.
@ -11,10 +11,10 @@ Change-Id: Icf16bdcad34dcc580fcc42d64c98a46d36bf19f7
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/job/JobServiceContext.java b/services/core/java/com/android/server/job/JobServiceContext.java
index 7da128f9d3ecc..5ca628f6daa2d 100644
index 7da128f9d3ec..5ca628f6daa2 100644
--- a/services/core/java/com/android/server/job/JobServiceContext.java
+++ b/services/core/java/com/android/server/job/JobServiceContext.java
@@ -252,7 +252,7 @@ boolean executeRunnableJob(JobStatus job) {
@@ -252,7 +252,7 @@ public final class JobServiceContext implements ServiceConnection {
binding = mContext.bindServiceAsUser(intent, this,
Context.BIND_AUTO_CREATE | Context.BIND_NOT_FOREGROUND
| Context.BIND_NOT_PERCEPTIBLE,


@ -1,4 +1,4 @@
From 99185b565ac3298604e6351774e9bc20457d49b2 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nan Wu <wnan@google.com>
Date: Tue, 30 Apr 2024 17:20:29 +0000
Subject: [PATCH] RESTRICT AUTOMERGE Backport preventing BAL bypass via bound
@ -19,7 +19,7 @@ Change-Id: Ib113e45aa18296b4475b90d6dcec5dd5664f4c80
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/services/core/java/com/android/server/content/SyncManager.java b/services/core/java/com/android/server/content/SyncManager.java
index fa8c48bdc7f78..586a9304e3e27 100644
index fa8c48bdc7f7..586a9304e3e2 100644
--- a/services/core/java/com/android/server/content/SyncManager.java
+++ b/services/core/java/com/android/server/content/SyncManager.java
@@ -217,7 +217,8 @@ public class SyncManager {
@ -33,10 +33,10 @@ index fa8c48bdc7f78..586a9304e3e27 100644
/** Singleton instance. */
@GuardedBy("SyncManager.class")
diff --git a/services/core/java/com/android/server/job/JobServiceContext.java b/services/core/java/com/android/server/job/JobServiceContext.java
index 5ca628f6daa2d..dd598ced4cb2c 100644
index 5ca628f6daa2..dd598ced4cb2 100644
--- a/services/core/java/com/android/server/job/JobServiceContext.java
+++ b/services/core/java/com/android/server/job/JobServiceContext.java
@@ -251,7 +251,7 @@ boolean executeRunnableJob(JobStatus job) {
@@ -251,7 +251,7 @@ public final class JobServiceContext implements ServiceConnection {
try {
binding = mContext.bindServiceAsUser(intent, this,
Context.BIND_AUTO_CREATE | Context.BIND_NOT_FOREGROUND
@ -46,10 +46,10 @@ index 5ca628f6daa2d..dd598ced4cb2c 100644
} catch (SecurityException e) {
// Some permission policy, for example INTERACT_ACROSS_USERS and
diff --git a/services/print/java/com/android/server/print/RemotePrintService.java b/services/print/java/com/android/server/print/RemotePrintService.java
index 502cd2c60f4aa..702ddbb9f912a 100644
index 502cd2c60f4a..702ddbb9f912 100644
--- a/services/print/java/com/android/server/print/RemotePrintService.java
+++ b/services/print/java/com/android/server/print/RemotePrintService.java
@@ -572,7 +572,8 @@ private void ensureBound() {
@@ -572,7 +572,8 @@ final class RemotePrintService implements DeathRecipient {
boolean wasBound = mContext.bindServiceAsUser(mIntent, mServiceConnection,
Context.BIND_AUTO_CREATE | Context.BIND_FOREGROUND_SERVICE


@ -1,4 +1,4 @@
From 277d3d387c624668019378f1613a699ed0acc50b Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Kiran S <krns@google.com>
Date: Mon, 13 May 2024 05:49:06 +0000
Subject: [PATCH] Restrict USB poups while setup is in progress
@ -14,7 +14,7 @@ Change-Id: I7d54534696fd73f3b94c5b4250142eed9341c5d8
1 file changed, 21 insertions(+)
diff --git a/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java b/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java
index 74c3939a1b1cd..2e25798b25d81 100644
index 74c3939a1b1c..2e25798b25d8 100644
--- a/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java
+++ b/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java
@@ -16,6 +16,8 @@
@ -26,7 +26,7 @@ index 74c3939a1b1cd..2e25798b25d81 100644
import static com.android.internal.app.IntentForwarderActivity.FORWARD_INTENT_TO_MANAGED_PROFILE;
import android.annotation.NonNull;
@@ -42,6 +44,7 @@
@@ -42,6 +44,7 @@ import android.os.AsyncTask;
import android.os.Environment;
import android.os.UserHandle;
import android.os.UserManager;
@ -34,7 +34,7 @@ index 74c3939a1b1cd..2e25798b25d81 100644
import android.service.usb.UsbProfileGroupSettingsManagerProto;
import android.service.usb.UsbSettingsAccessoryPreferenceProto;
import android.service.usb.UsbSettingsDevicePreferenceProto;
@@ -762,10 +765,28 @@ private void resolveActivity(Intent intent, UsbDevice device, boolean showMtpNot
@@ -762,10 +765,28 @@ class UsbProfileGroupSettingsManager {
return;
}


@ -1,4 +1,4 @@
From d60e8484debe2c0de08f438563f4a1cdd026c501 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Linus Tufvesson <lus@google.com>
Date: Mon, 29 Apr 2024 16:32:15 +0200
Subject: [PATCH] Hide SAW subwindows
@ -17,10 +17,10 @@ Change-Id: If19240f5aec2e048de80d75cbbdc00be47622d7f
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/wm/WindowState.java b/services/core/java/com/android/server/wm/WindowState.java
index cca14d884cdd8..4c0aa6492f91c 100644
index cca14d884cdd..4c0aa6492f91 100644
--- a/services/core/java/com/android/server/wm/WindowState.java
+++ b/services/core/java/com/android/server/wm/WindowState.java
@@ -2730,8 +2730,9 @@ boolean hideLw(boolean doAnimation, boolean requestAnim) {
@@ -2730,8 +2730,9 @@ class WindowState extends WindowContainer<WindowState> implements WindowManagerP
}
void setForceHideNonSystemOverlayWindowIfNeeded(boolean forceHide) {


@ -0,0 +1,28 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chaohui Wang <chaohuiw@google.com>
Date: Thu, 2 Nov 2023 11:43:00 +0800
Subject: [PATCH] Limit wifi item edit content's max length to 500
Bug: 293199910
Test: manual - on "Add network"
(cherry picked from commit 855053ca4124f2d515b21c469096f8c18bd4829d)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:092668676af741719d50ac0f121a8f8461aa21ad)
Merged-In: I303b8c6e0f3c3a1174a047ba98f302042e5db9ae
Change-Id: I303b8c6e0f3c3a1174a047ba98f302042e5db9ae
---
res/values/styles.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/res/values/styles.xml b/res/values/styles.xml
index ec66bc8d1b8..d32c5c50cf1 100644
--- a/res/values/styles.xml
+++ b/res/values/styles.xml
@@ -147,6 +147,7 @@
<item name="android:textSize">18sp</item>
<item name="android:textAlignment">viewStart</item>
<item name="android:minHeight">@dimen/min_tap_target_size</item>
+ <item name="android:maxLength">500</item>
</style>
<style name="wifi_section">
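Review bot: The `android:maxLength` item bounds only what a user can type into fields that use this style; a value that reaches the Wi-Fi configuration by another path (a field with a different style, or text set programmatically) is not limited by it. If the length matters to the code that consumes these fields, the same 500-character limit should also be checked where the value is read, which is not visible in this patch. A comment on the item such as `<!-- length cap for b/293199910; keep in sync with any code-side check -->` would record why it is there. The enclosing style element starts outside the hunk.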


@ -1,8 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jason Chiu <chiujason@google.com>
Date: Wed, 31 Jan 2024 16:29:01 +0800
Subject: [PATCH] Replace getCallingActivity() with getLaunchedFromPackage()
getLaunchedFromPackage() reports who launched this Activity or built
PendingIntent used to launch it, whereas getCallingActivity() reports
who will get result of Activity.
Bug: 316891059
Test: robotest, manual
(cherry picked from commit ddc11bc03ab48e885f652b89df5f92ff283bcd4a)
(cherry picked from commit 8bdbb580da847d82f16fb57883a01a5e65ffa696)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7a8127d3bb6010617e507c03f7207dd50082953)
Merged-In: If97018c2741caef622f0596bbfeaa42ef1788b78
Change-Id: If97018c2741caef622f0596bbfeaa42ef1788b78
---
.../search/SearchFeatureProvider.java | 2 +-
.../search/SearchFeatureProviderImpl.java | 20 +++++++++----------
.../search/SearchResultTrampoline.java | 2 +-
.../search/SearchFeatureProviderImplTest.java | 15 +++++++-------
4 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/src/com/android/settings/search/SearchFeatureProvider.java b/src/com/android/settings/search/SearchFeatureProvider.java
index 20d4e7c16bd..d6950eb06aa 100644
index 896f6e5c78c..cc6662acf1e 100644
--- a/src/com/android/settings/search/SearchFeatureProvider.java
+++ b/src/com/android/settings/search/SearchFeatureProvider.java
@@ -49,7 +49,7 @@ public interface SearchFeatureProvider {
@@ -47,7 +47,7 @@ public interface SearchFeatureProvider {
* @throws IllegalArgumentException when caller is null
* @throws SecurityException when caller is not allowed to launch search result page
*/
@ -12,7 +35,7 @@ index 20d4e7c16bd..d6950eb06aa 100644
/**
diff --git a/src/com/android/settings/search/SearchFeatureProviderImpl.java b/src/com/android/settings/search/SearchFeatureProviderImpl.java
index 63bf420c027..eaadbc2af50 100644
index 63bf420c027..423779fbabf 100644
--- a/src/com/android/settings/search/SearchFeatureProviderImpl.java
+++ b/src/com/android/settings/search/SearchFeatureProviderImpl.java
@@ -17,13 +17,14 @@
@ -62,10 +85,10 @@ index 63bf420c027..eaadbc2af50 100644
}
throw new SecurityException("Search result intents must be called with from a "
diff --git a/src/com/android/settings/search/SearchResultTrampoline.java b/src/com/android/settings/search/SearchResultTrampoline.java
index e9304739460..c233e86b6fc 100644
index 3bbe6bd58a7..70387b021d4 100644
--- a/src/com/android/settings/search/SearchResultTrampoline.java
+++ b/src/com/android/settings/search/SearchResultTrampoline.java
@@ -39,7 +39,7 @@ public class SearchResultTrampoline extends Activity {
@@ -38,7 +38,7 @@ public class SearchResultTrampoline extends Activity {
// First make sure caller has privilege to launch a search result page.
FeatureFactory.getFactory(this)
.getSearchFeatureProvider()


@ -0,0 +1,111 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Antol <cantol@google.com>
Date: Tue, 4 Jun 2024 17:00:46 +0000
Subject: [PATCH] Ignore fragment attr from ext authenticator resource
Bug: 341886134
Test: Unit Test
Test: Manual - see ticket for steps
Flag: EXEMPT <security>
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2cb9b10ed97b1b9b29661115789605a762f3c2ef)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7e0b376b11318e1e79b31bac6aafc0c923868bc4)
Merged-In: Id91c2b3b6d16ba3702ee2cd6723365a4db52863b
Change-Id: Id91c2b3b6d16ba3702ee2cd6723365a4db52863b
---
.../accounts/AccountTypePreferenceLoader.java | 55 +++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/src/com/android/settings/accounts/AccountTypePreferenceLoader.java b/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
index c639d1df2eb..84386a38f08 100644
--- a/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
+++ b/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
@@ -32,6 +32,10 @@ import android.os.UserHandle;
import android.text.TextUtils;
import android.util.Log;
+import androidx.annotation.NonNull;
+import androidx.annotation.Nullable;
+import androidx.annotation.VisibleForTesting;
+import androidx.collection.ArraySet;
import androidx.preference.Preference;
import androidx.preference.Preference.OnPreferenceClickListener;
import androidx.preference.PreferenceFragmentCompat;
@@ -45,6 +49,8 @@ import com.android.settings.utils.LocalClassLoaderContextThemeWrapper;
import com.android.settingslib.accounts.AuthenticatorHelper;
import com.android.settingslib.core.instrumentation.Instrumentable;
+import java.util.Set;
+
/**
* Class to load the preference screen to be added to the settings page for the specific account
* type as specified in the account-authenticator.
@@ -83,6 +89,7 @@ public class AccountTypePreferenceLoader {
try {
desc = mAuthenticatorHelper.getAccountTypeDescription(accountType);
if (desc != null && desc.accountPreferencesId != 0) {
+ Set<String> fragmentAllowList = generateFragmentAllowlist(parent);
// Load the context of the target package, then apply the
// base Settings theme (no references to local resources)
// and create a context theme wrapper so that we get the
@@ -98,6 +105,12 @@ public class AccountTypePreferenceLoader {
themedCtx.getTheme().setTo(baseTheme);
prefs = mFragment.getPreferenceManager().inflateFromResource(themedCtx,
desc.accountPreferencesId, parent);
+ // Ignore Fragments provided dynamically, as these are coming from external
+ // applications which must not have access to internal Settings' fragments.
+ // These preferences are rendered into Settings, so they also won't have access
+ // to their own Fragments, meaning there is no acceptable usage of
+ // android:fragment here.
+ filterBlockedFragments(prefs, fragmentAllowList);
}
} catch (PackageManager.NameNotFoundException e) {
Log.w(TAG, "Couldn't load preferences.xml file from " + desc.packageName);
@@ -182,6 +195,48 @@ public class AccountTypePreferenceLoader {
}
}
+ // Build allowlist from existing Fragments in PreferenceGroup
+ @VisibleForTesting
+ Set<String> generateFragmentAllowlist(@Nullable PreferenceGroup prefs) {
+ Set<String> fragmentAllowList = new ArraySet<>();
+ if (prefs == null) {
+ return fragmentAllowList;
+ }
+
+ for (int i = 0; i < prefs.getPreferenceCount(); i++) {
+ Preference pref = prefs.getPreference(i);
+ if (pref instanceof PreferenceGroup) {
+ fragmentAllowList.addAll(generateFragmentAllowlist((PreferenceGroup) pref));
+ }
+
+ String fragmentName = pref.getFragment();
+ if (!TextUtils.isEmpty(fragmentName)) {
+ fragmentAllowList.add(fragmentName);
+ }
+ }
+ return fragmentAllowList;
+ }
+
+ // Block clicks on any Preference with android:fragment that is not contained in the allowlist
+ @VisibleForTesting
+ void filterBlockedFragments(@Nullable PreferenceGroup prefs,
+ @NonNull Set<String> allowedFragments) {
+ if (prefs == null) {
+ return;
+ }
+ for (int i = 0; i < prefs.getPreferenceCount(); i++) {
+ Preference pref = prefs.getPreference(i);
+ if (pref instanceof PreferenceGroup) {
+ filterBlockedFragments((PreferenceGroup) pref, allowedFragments);
+ }
+
+ String fragmentName = pref.getFragment();
+ if (fragmentName != null && !allowedFragments.contains(fragmentName)) {
+ pref.setOnPreferenceClickListener(preference -> true);
+ }
+ }
+ }
+
/**
* Determines if the supplied Intent is safe. A safe intent is one that is
* will launch a exported=true activity or owned by the same uid as the
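Review bot: filterBlockedFragments neutralises a disallowed preference only by installing `preference -> true` as its click listener, leaving the `android:fragment` value on the Preference; any later `setOnPreferenceClickListener` call on the same preference would replace the blocker and make the fragment reachable again. Clearing the attribute as well makes the block independent of listener order: add `pref.setFragment(null);` next to the listener. The two helpers also disagree on empty strings (`TextUtils.isEmpty` in generateFragmentAllowlist, `fragmentName != null` in the filter); using `!TextUtils.isEmpty(fragmentName)` in both keeps them consistent. Whether other code in this class sets click listeners after inflation is not visible in these hunks.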


@ -0,0 +1,47 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Antol <cantol@google.com>
Date: Mon, 25 Mar 2024 23:49:35 +0000
Subject: [PATCH] RESTRICT AUTOMERGE Restrict Settings Homepage prior to
provisioning
Bug: 327749022
Test: manual test
1. factory reset + launch Settings via ADB during Setup -> verify app closes
2. factory reset + bypass Setup + tap Settings icon in launcher -> verify app closes
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:70a5a0fd353cc6203d2926627de93786155ae5bc)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7f1c4df02d153cb380a6147e86194bec2a564ab7)
Merged-In: I8cbe38109ebf88a0f68f3917e95468a81c6463c1
Change-Id: I8cbe38109ebf88a0f68f3917e95468a81c6463c1
---
.../settings/homepage/SettingsHomepageActivity.java | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/com/android/settings/homepage/SettingsHomepageActivity.java b/src/com/android/settings/homepage/SettingsHomepageActivity.java
index 5e6c54bb7c2..80e2e32e3e9 100644
--- a/src/com/android/settings/homepage/SettingsHomepageActivity.java
+++ b/src/com/android/settings/homepage/SettingsHomepageActivity.java
@@ -20,6 +20,7 @@ import android.animation.LayoutTransition;
import android.app.ActivityManager;
import android.app.settings.SettingsEnums;
import android.os.Bundle;
+import android.util.Log;
import android.view.View;
import android.widget.FrameLayout;
import android.widget.ImageView;
@@ -43,6 +44,16 @@ public class SettingsHomepageActivity extends FragmentActivity {
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
+ // Ensure device is provisioned in order to access Settings home
+ // TODO(b/331254029): This should later be replaced in favor of an allowlist
+ boolean unprovisioned = android.provider.Settings.Global.getInt(getContentResolver(),
+ android.provider.Settings.Global.DEVICE_PROVISIONED, 0) == 0;
+ if (unprovisioned) {
+ Log.e("SettingsHomepageActivity", "Device is not provisioned, exiting Settings");
+ finish();
+ return;
+ }
+
setContentView(R.layout.settings_homepage_container);
final View root = findViewById(R.id.settings_homepage_container);
root.setSystemUiVisibility(
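Review bot: The gate in onCreate reads only `Settings.Global.DEVICE_PROVISIONED`, a device-wide flag, so a secondary user or profile that is still in its own setup flow on an already-provisioned device would pass it. If that case is in scope, the per-user value should be checked too, e.g. `|| android.provider.Settings.Secure.getInt(getContentResolver(), android.provider.Settings.Secure.USER_SETUP_COMPLETE, 0) == 0`. The log tag is a string literal; a `TAG` constant would be the usual form if the class has one, which this hunk does not show. onCreate continues outside the hunk.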


@ -0,0 +1,649 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Grant Menke <grantmenke@google.com>
Date: Thu, 25 Apr 2024 10:43:43 -0700
Subject: [PATCH] DO NOT MERGE Unbind CS if connection is not created within 15
seconds.
This CL adds a check to ensure that connection creation occurs within 15 seconds after binding to that ConnectionService. If the connection/conference is not created in that timespan, this CL adds logic to manually unbind the ConnectionService at that point in time. This prevents malicious apps from keeping a declared permission in forever even in the background.
Bug: 293458004
Test: manually using the provided apk + atest CallsManagerTest
Flag: EXEMPT Security High/Critical Severity CVE
(cherry picked from commit 7aa55ffca65d6166145fd9660e0f7340c07053bf)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:286781dfcb78d8b5c1a77f2390f5251f01943add)
Merged-In: I30caed1481dff5af2223a8ff589846597cee8229
Change-Id: I30caed1481dff5af2223a8ff589846597cee8229
---
src/com/android/server/telecom/Call.java | 25 ++
.../telecom/ConnectionServiceWrapper.java | 49 ++-
src/com/android/server/telecom/LogUtils.java | 1 +
.../server/telecom/tests/BasicCallTests.java | 2 +
.../telecom/tests/CallsManagerTest.java | 59 ++++
.../tests/ComponentContextFixture.java | 14 +
.../tests/TestScheduledExecutorService.java | 283 ++++++++++++++++++
7 files changed, 431 insertions(+), 2 deletions(-)
create mode 100644 tests/src/com/android/server/telecom/tests/TestScheduledExecutorService.java
diff --git a/src/com/android/server/telecom/Call.java b/src/com/android/server/telecom/Call.java
index ecc635997..699c9ffee 100644
--- a/src/com/android/server/telecom/Call.java
+++ b/src/com/android/server/telecom/Call.java
@@ -313,6 +313,17 @@ public class Call implements CreateConnectionResponse, EventManager.Loggable,
/** The state of the call. */
private int mState;
+ /**
+ * Determines whether the {@link ConnectionService} has responded to the initial request to
+ * create the connection.
+ *
+ * {@code false} indicates the {@link Call} has been added to Telecom, but the
+ * {@link Connection} has not yet been returned by the associated {@link ConnectionService}.
+ * {@code true} indicates the {@link Call} has an associated {@link Connection} reported by the
+ * {@link ConnectionService}.
+ */
+ private boolean mIsCreateConnectionComplete = false;
+
/** The handle with which to establish this call. */
private Uri mHandle;
@@ -816,6 +827,19 @@ public class Call implements CreateConnectionResponse, EventManager.Loggable,
return mConnectionService;
}
+ /**
+ * @return {@code true} if the connection has been created by the underlying
+ * {@link ConnectionService}, {@code false} otherwise.
+ */
+ public boolean isCreateConnectionComplete() {
+ return mIsCreateConnectionComplete;
+ }
+
+ @VisibleForTesting
+ public void setIsCreateConnectionComplete(boolean isCreateConnectionComplete) {
+ mIsCreateConnectionComplete = isCreateConnectionComplete;
+ }
+
@VisibleForTesting
public int getState() {
return mState;
@@ -1739,6 +1763,7 @@ public class Call implements CreateConnectionResponse, EventManager.Loggable,
CallIdMapper idMapper,
ParcelableConnection connection) {
Log.v(this, "handleCreateConnectionSuccessful %s", connection);
+ mIsCreateConnectionComplete = true;
setTargetPhoneAccount(connection.getPhoneAccount());
setHandle(connection.getHandle(), connection.getHandlePresentation());
setCallerDisplayName(
diff --git a/src/com/android/server/telecom/ConnectionServiceWrapper.java b/src/com/android/server/telecom/ConnectionServiceWrapper.java
index bd5e37f89..f3f2e9337 100644
--- a/src/com/android/server/telecom/ConnectionServiceWrapper.java
+++ b/src/com/android/server/telecom/ConnectionServiceWrapper.java
@@ -37,6 +37,7 @@ import android.telecom.ConnectionService;
import android.telecom.DisconnectCause;
import android.telecom.GatewayInfo;
import android.telecom.Log;
+import android.telecom.Logging.Runnable;
import android.telecom.Logging.Session;
import android.telecom.ParcelableConference;
import android.telecom.ParcelableConnection;
@@ -60,6 +61,11 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.ScheduledFuture;
+import java.util.concurrent.TimeUnit;
/**
* Wrapper for {@link IConnectionService}s, handles binding to {@link IConnectionService} and keeps
@@ -71,6 +77,12 @@ import java.util.concurrent.ConcurrentHashMap;
public class ConnectionServiceWrapper extends ServiceBinder implements
ConnectionServiceFocusManager.ConnectionServiceFocus {
+ private static final long SERVICE_BINDING_TIMEOUT = 15000L;
+ private ScheduledExecutorService mScheduledExecutor =
+ Executors.newSingleThreadScheduledExecutor();
+ // Pre-allocate space for 2 calls; realistically thats all we should ever need (tm)
+ private final Map<Call, ScheduledFuture<?>> mScheduledFutureMap = new ConcurrentHashMap<>(2);
+
private final class Adapter extends IConnectionServiceAdapter.Stub {
@Override
@@ -82,6 +94,12 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
try {
synchronized (mLock) {
logIncoming("handleCreateConnectionComplete %s", callId);
+ Call call = mCallIdMapper.getCall(callId);
+ if (mScheduledFutureMap.containsKey(call)) {
+ ScheduledFuture<?> existingTimeout = mScheduledFutureMap.get(call);
+ existingTimeout.cancel(false /* cancelIfRunning */);
+ mScheduledFutureMap.remove(call);
+ }
// Check status hints image for cross user access
if (connection.getStatusHints() != null) {
Icon icon = connection.getStatusHints().getIcon();
@@ -1126,7 +1144,8 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
* @param context The context.
* @param userHandle The {@link UserHandle} to use when binding.
*/
- ConnectionServiceWrapper(
+ @VisibleForTesting
+ public ConnectionServiceWrapper(
ComponentName componentName,
ConnectionServiceRepository connectionServiceRepository,
PhoneAccountRegistrar phoneAccountRegistrar,
@@ -1229,6 +1248,26 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
.setRttPipeToInCall(call.getCsToInCallRttPipeForCs())
.build();
+ Runnable r = new Runnable("CSW.cC", mLock) {
+ @Override
+ public void loggedRun() {
+ if (!call.isCreateConnectionComplete()) {
+ Log.e(this, new Exception(),
+ "Connection %s creation timeout",
+ getComponentName());
+ Log.addEvent(call, LogUtils.Events.CREATE_CONNECTION_TIMEOUT,
+ Log.piiHandle(call.getHandle()) + " via:" +
+ getComponentName().getPackageName());
+ response.handleCreateConnectionFailure(
+ new DisconnectCause(DisconnectCause.ERROR));
+ }
+ }
+ };
+ // Post cleanup to the executor service and cache the future, so we can cancel it if
+ // needed.
+ ScheduledFuture<?> future = mScheduledExecutor.schedule(r.getRunnableToCancel(),
+ SERVICE_BINDING_TIMEOUT, TimeUnit.MILLISECONDS);
+ mScheduledFutureMap.put(call, future);
try {
mServiceInterface.createConnection(
call.getConnectionManagerPhoneAccount(),
@@ -1514,7 +1553,8 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
}
}
- void addCall(Call call) {
+ @VisibleForTesting
+ public void addCall(Call call) {
if (mCallIdMapper.getCallId(call) == null) {
mCallIdMapper.addCall(call);
}
@@ -1909,4 +1949,9 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
sb.append("]");
return sb.toString();
}
+
+ @VisibleForTesting
+ public void setScheduledExecutorService(ScheduledExecutorService service) {
+ mScheduledExecutor = service;
+ }
}
diff --git a/src/com/android/server/telecom/LogUtils.java b/src/com/android/server/telecom/LogUtils.java
index 760d24e10..37afdb8f6 100644
--- a/src/com/android/server/telecom/LogUtils.java
+++ b/src/com/android/server/telecom/LogUtils.java
@@ -87,6 +87,7 @@ public class LogUtils {
public static final String STOP_CALL_WAITING_TONE = "STOP_CALL_WAITING_TONE";
public static final String START_CONNECTION = "START_CONNECTION";
public static final String CREATE_CONNECTION_FAILED = "CREATE_CONNECTION_FAILED";
+ public static final String CREATE_CONNECTION_TIMEOUT = "CREATE_CONNECTION_TIMEOUT";
public static final String BIND_CS = "BIND_CS";
public static final String CS_BOUND = "CS_BOUND";
public static final String CONFERENCE_WITH = "CONF_WITH";
diff --git a/tests/src/com/android/server/telecom/tests/BasicCallTests.java b/tests/src/com/android/server/telecom/tests/BasicCallTests.java
index 7889d0487..46aa758b8 100644
--- a/tests/src/com/android/server/telecom/tests/BasicCallTests.java
+++ b/tests/src/com/android/server/telecom/tests/BasicCallTests.java
@@ -939,6 +939,7 @@ public class BasicCallTests extends TelecomSystemTest {
call.setTargetPhoneAccount(mPhoneAccountA1.getAccountHandle());
assert(call.isVideoCallingSupportedByPhoneAccount());
assertEquals(VideoProfile.STATE_BIDIRECTIONAL, call.getVideoState());
+ call.setIsCreateConnectionComplete(true);
}
/**
@@ -962,6 +963,7 @@ public class BasicCallTests extends TelecomSystemTest {
call.setTargetPhoneAccount(mPhoneAccountA2.getAccountHandle());
assert(!call.isVideoCallingSupportedByPhoneAccount());
assertEquals(VideoProfile.STATE_AUDIO_ONLY, call.getVideoState());
+ call.setIsCreateConnectionComplete(true);
}
/**
diff --git a/tests/src/com/android/server/telecom/tests/CallsManagerTest.java b/tests/src/com/android/server/telecom/tests/CallsManagerTest.java
index 7adc99aa3..6145aca5d 100644
--- a/tests/src/com/android/server/telecom/tests/CallsManagerTest.java
+++ b/tests/src/com/android/server/telecom/tests/CallsManagerTest.java
@@ -40,6 +40,7 @@ import static org.mockito.Mockito.when;
import android.content.ComponentName;
import android.net.Uri;
import android.os.Bundle;
+import android.os.IBinder;
import android.os.Process;
import android.os.SystemClock;
import android.os.UserHandle;
@@ -55,6 +56,7 @@ import android.telephony.TelephonyManager;
import android.test.suitebuilder.annotation.MediumTest;
import android.test.suitebuilder.annotation.SmallTest;
+import com.android.internal.telecom.IConnectionService;
import com.android.internal.telephony.CallerInfo;
import com.android.server.telecom.AsyncRingtonePlayer;
import com.android.server.telecom.Call;
@@ -67,6 +69,7 @@ import com.android.server.telecom.CallsManager;
import com.android.server.telecom.ClockProxy;
import com.android.server.telecom.ConnectionServiceFocusManager;
import com.android.server.telecom.ConnectionServiceFocusManager.ConnectionServiceFocusManagerFactory;
+import com.android.server.telecom.CreateConnectionResponse;
import com.android.server.telecom.ConnectionServiceWrapper;
import com.android.server.telecom.DefaultDialerCache;
import com.android.server.telecom.EmergencyCallHelper;
@@ -183,6 +186,7 @@ public class CallsManagerTest extends TelecomTestCase {
@Mock private CallAudioModeStateMachine.Factory mCallAudioModeStateMachineFactory;
@Mock private BluetoothStateReceiver mBluetoothStateReceiver;
@Mock private RoleManagerAdapter mRoleManagerAdapter;
+ @Mock private IConnectionService mIConnectionService;
private CallsManager mCallsManager;
@@ -240,8 +244,22 @@ public class CallsManagerTest extends TelecomTestCase {
eq(SIM_1_HANDLE), any())).thenReturn(SIM_1_ACCOUNT);
when(mPhoneAccountRegistrar.getPhoneAccount(
eq(SIM_2_HANDLE), any())).thenReturn(SIM_2_ACCOUNT);
+ when(mIConnectionService.asBinder()).thenReturn(mock(IBinder.class));
+
+ mComponentContextFixture.addConnectionService(new ComponentName(mContext.getPackageName(),
+ mContext.getPackageName().getClass().getName()), mIConnectionService);
}
+ @Override
+ @After
+ public void tearDown() throws Exception {
+ mComponentContextFixture.removeConnectionService(
+ new ComponentName(mContext.getPackageName(),
+ mContext.getPackageName().getClass().getName()),
+ mock(IConnectionService.class));
+ super.tearDown();
+ }
+
@MediumTest
@Test
public void testConstructPossiblePhoneAccounts() throws Exception {
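Review bot: `tearDown()` passes a fresh `mock(IConnectionService.class)` to `removeConnectionService`, not the `mIConnectionService` instance that the setup code in this hunk registered. The fixture's `mComponentNameByService.remove(service)` (in the ComponentContextFixture hunk) therefore matches nothing, and the registered mock stays in that map after every test. Pass the registered instance instead: `mContext.getPackageName().getClass().getName()), mIConnectionService);`. Separately, `mContext.getPackageName().getClass().getName()` is the class name of a `String`. It works as a key because setup, teardown and the new test all use it, but a named constant for the fake component would be clearer. The setup method's start is outside the hunk.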
@@ -1111,6 +1129,32 @@ public class CallsManagerTest extends TelecomTestCase {
assertTrue(argumentCaptor.getValue().contains("Unavailable phoneAccountHandle"));
}
+ @Test
+ public void testConnectionServiceCreateConnectionTimeout() throws Exception {
+ ConnectionServiceWrapper service = new ConnectionServiceWrapper(new ComponentName(
+ mContext.getPackageName(), mContext.getPackageName().getClass().getName()), null,
+ mPhoneAccountRegistrar, mCallsManager, mContext, mLock, null);
+ TestScheduledExecutorService scheduledExecutorService = new TestScheduledExecutorService();
+ service.setScheduledExecutorService(scheduledExecutorService);
+ Call call = addSpyCall();
+ service.addCall(call);
+ when(call.isCreateConnectionComplete()).thenReturn(false);
+ CreateConnectionResponse response = mock(CreateConnectionResponse.class);
+
+ service.createConnection(call, response);
+ waitUntilConditionIsTrueOrTimeout(new Condition() {
+ @Override
+ public Object expected() {
+ return true;
+ }
+
+ @Override
+ public Object actual() {
+ return scheduledExecutorService.isRunnableScheduledAtTime(15000L);
+ }
+ }, 5000L, "Expected job failed to schedule");
+ }
+
private Call addSpyCall() {
return addSpyCall(SIM_2_HANDLE, CallState.ACTIVE);
}
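Review bot: `testConnectionServiceCreateConnectionTimeout` stops once a runnable is queued at 15000 ms, so it never exercises what the fix is for: failing the call when the connection service never completes creation. After the wait, advance the fake clock and assert on the mock with `scheduledExecutorService.advanceTime(15000L);` followed by `verify(response).handleCreateConnectionFailure(any(DisconnectCause.class));`. This assumes `verify`, `any` and `DisconnectCause` are already imported in this test file, which the hunk does not show. The literal `15000L` also duplicates the production timeout value, and referencing the constant would keep the test in step if it changes.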
@@ -1189,4 +1233,19 @@ public class CallsManagerTest extends TelecomTestCase {
when(mPhoneAccountRegistrar.getSimPhoneAccountsOfCurrentUser()).thenReturn(
new ArrayList<>(Arrays.asList(SIM_1_HANDLE, SIM_2_HANDLE)));
}
+
+ private void waitUntilConditionIsTrueOrTimeout(Condition condition, long timeout,
+ String description) throws InterruptedException {
+ final long start = System.currentTimeMillis();
+ while (!condition.expected().equals(condition.actual())
+ && System.currentTimeMillis() - start < timeout) {
+ sleep(50);
+ }
+ assertEquals(description, condition.expected(), condition.actual());
+ }
+
+ protected interface Condition {
+ Object expected();
+ Object actual();
+ }
}
diff --git a/tests/src/com/android/server/telecom/tests/ComponentContextFixture.java b/tests/src/com/android/server/telecom/tests/ComponentContextFixture.java
index e6e8ba122..675913aa0 100644
--- a/tests/src/com/android/server/telecom/tests/ComponentContextFixture.java
+++ b/tests/src/com/android/server/telecom/tests/ComponentContextFixture.java
@@ -549,6 +549,14 @@ public class ComponentContextFixture implements TestFixture<Context> {
mServiceInfoByComponentName.put(componentName, serviceInfo);
}
+ public void removeConnectionService(
+ ComponentName componentName,
+ IConnectionService service)
+ throws Exception {
+ removeService(ConnectionService.SERVICE_INTERFACE, componentName, service);
+ mServiceInfoByComponentName.remove(componentName);
+ }
+
public void addInCallService(
ComponentName componentName,
IInCallService service)
@@ -599,6 +607,12 @@ public class ComponentContextFixture implements TestFixture<Context> {
mComponentNameByService.put(service, name);
}
+ private void removeService(String action, ComponentName name, IInterface service) {
+ mComponentNamesByAction.remove(action, name);
+ mServiceByComponentName.remove(name);
+ mComponentNameByService.remove(service);
+ }
+
private List<ResolveInfo> doQueryIntentServices(Intent intent, int flags) {
List<ResolveInfo> result = new ArrayList<>();
for (ComponentName componentName : mComponentNamesByAction.get(intent.getAction())) {
diff --git a/tests/src/com/android/server/telecom/tests/TestScheduledExecutorService.java b/tests/src/com/android/server/telecom/tests/TestScheduledExecutorService.java
new file mode 100644
index 000000000..8ddf42b9b
--- /dev/null
+++ b/tests/src/com/android/server/telecom/tests/TestScheduledExecutorService.java
@@ -0,0 +1,283 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.telecom.tests;
+
+import android.util.Log;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.concurrent.Callable;
+import java.util.concurrent.Delayed;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.ScheduledFuture;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+/**
+ * A test implementation of a scheduled executor service.
+ */
+public class TestScheduledExecutorService implements ScheduledExecutorService {
+ private static final String TAG = "TestScheduledExecutorService";
+
+ private class CompletedFuture<T> implements Future<T>, ScheduledFuture<T> {
+
+ private final Callable<T> mTask;
+ private final long mDelayMs;
+ private Runnable mRunnable;
+
+ CompletedFuture(Callable<T> task) {
+ mTask = task;
+ mDelayMs = 0;
+ }
+
+ @SuppressWarnings("unused")
+ CompletedFuture(Callable<T> task, long delayMs) {
+ mTask = task;
+ mDelayMs = delayMs;
+ }
+
+ CompletedFuture(Runnable task, long delayMs) {
+ mRunnable = task;
+ mTask = (Callable<T>) Executors.callable(task);
+ mDelayMs = delayMs;
+ }
+
+ @Override
+ public boolean cancel(boolean mayInterruptIfRunning) {
+ cancelRunnable(mRunnable);
+ return true;
+ }
+
+ @Override
+ public boolean isCancelled() {
+ return false;
+ }
+
+ @Override
+ public boolean isDone() {
+ return true;
+ }
+
+ @Override
+ public T get() throws InterruptedException, ExecutionException {
+ try {
+ return mTask.call();
+ } catch (Exception e) {
+ throw new ExecutionException(e);
+ }
+ }
+
+ @Override
+ public T get(long timeout, TimeUnit unit)
+ throws InterruptedException, ExecutionException, TimeoutException {
+ try {
+ return mTask.call();
+ } catch (Exception e) {
+ throw new ExecutionException(e);
+ }
+ }
+
+ @Override
+ public long getDelay(TimeUnit unit) {
+ if (unit == TimeUnit.MILLISECONDS) {
+ return mDelayMs;
+ } else {
+ // not implemented
+ return 0;
+ }
+ }
+
+ @Override
+ public int compareTo(Delayed o) {
+ if (o == null) return 1;
+ if (o.getDelay(TimeUnit.MILLISECONDS) > mDelayMs) return -1;
+ if (o.getDelay(TimeUnit.MILLISECONDS) < mDelayMs) return 1;
+ return 0;
+ }
+ }
+
+ private long mClock = 0;
+ private Map<Long, Runnable> mScheduledRunnables = new HashMap<>();
+ private Map<Runnable, Long> mRepeatDuration = new HashMap<>();
+
+ @Override
+ public void shutdown() {
+ }
+
+ @Override
+ public List<Runnable> shutdownNow() {
+ return null;
+ }
+
+ @Override
+ public boolean isShutdown() {
+ return false;
+ }
+
+ @Override
+ public boolean isTerminated() {
+ return false;
+ }
+
+ @Override
+ public boolean awaitTermination(long timeout, TimeUnit unit) {
+ return false;
+ }
+
+ @Override
+ public <T> Future<T> submit(Callable<T> task) {
+ return new TestScheduledExecutorService.CompletedFuture<>(task);
+ }
+
+ @Override
+ public <T> Future<T> submit(Runnable task, T result) {
+ throw new UnsupportedOperationException("Not implemented");
+ }
+
+ @Override
+ public Future<?> submit(Runnable task) {
+ task.run();
+ return new TestScheduledExecutorService.CompletedFuture<>(() -> null);
+ }
+
+ @Override
+ public <T> List<Future<T>> invokeAll(Collection<? extends Callable<T>> tasks) {
+ throw new UnsupportedOperationException("Not implemented");
+ }
+
+ @Override
+ public <T> List<Future<T>> invokeAll(Collection<? extends Callable<T>> tasks, long timeout,
+ TimeUnit unit) {
+ throw new UnsupportedOperationException("Not implemented");
+ }
+
+ @Override
+ public <T> T invokeAny(Collection<? extends Callable<T>> tasks) {
+ throw new UnsupportedOperationException("Not implemented");
+ }
+
+ @Override
+ public <T> T invokeAny(Collection<? extends Callable<T>> tasks, long timeout, TimeUnit unit) {
+ throw new UnsupportedOperationException("Not implemented");
+ }
+
+ @Override
+ public ScheduledFuture<?> schedule(Runnable command, long delay, TimeUnit unit) {
+ // Schedule the runnable for execution at the specified time.
+ long scheduledTime = getNextExecutionTime(delay, unit);
+ mScheduledRunnables.put(scheduledTime, command);
+
+ Log.i(TAG, "schedule: runnable=" + System.identityHashCode(command) + ", time="
+ + scheduledTime);
+
+ return new TestScheduledExecutorService.CompletedFuture<Runnable>(command, delay);
+ }
+
+ @Override
+ public <V> ScheduledFuture<V> schedule(Callable<V> callable, long delay, TimeUnit unit) {
+ throw new UnsupportedOperationException("Not implemented");
+ }
+
+ @Override
+ public ScheduledFuture<?> scheduleAtFixedRate(Runnable command, long initialDelay, long period,
+ TimeUnit unit) {
+ return scheduleWithFixedDelay(command, initialDelay, period, unit);
+ }
+
+ @Override
+ public ScheduledFuture<?> scheduleWithFixedDelay(Runnable command, long initialDelay,
+ long delay, TimeUnit unit) {
+ // Schedule the runnable for execution at the specified time.
+ long nextScheduledTime = getNextExecutionTime(delay, unit);
+ mScheduledRunnables.put(nextScheduledTime, command);
+ mRepeatDuration.put(command, unit.toMillis(delay));
+
+ return new TestScheduledExecutorService.CompletedFuture<Runnable>(command, delay);
+ }
+
+ private long getNextExecutionTime(long delay, TimeUnit unit) {
+ long delayMillis = unit.toMillis(delay);
+ return mClock + delayMillis;
+ }
+
+ @Override
+ public void execute(Runnable command) {
+ command.run();
+ }
+
+ /**
+ * Used in unit tests, used to add a delta to the "clock" so that we can fire off scheduled
+ * items and reschedule the repeats.
+ * @param duration The duration (millis) to add to the clock.
+ */
+ public void advanceTime(long duration) {
+ Map<Long, Runnable> nextRepeats = new HashMap<>();
+ List<Runnable> toRun = new ArrayList<>();
+ mClock += duration;
+ Iterator<Map.Entry<Long, Runnable>> iterator = mScheduledRunnables.entrySet().iterator();
+ while (iterator.hasNext()) {
+ Map.Entry<Long, Runnable> entry = iterator.next();
+ if (mClock >= entry.getKey()) {
+ toRun.add(entry.getValue());
+
+ Runnable r = entry.getValue();
+ Log.i(TAG, "advanceTime: runningRunnable=" + System.identityHashCode(r));
+ // If this is a repeating scheduled item, schedule the repeat.
+ if (mRepeatDuration.containsKey(r)) {
+ // schedule next execution
+ nextRepeats.put(mClock + mRepeatDuration.get(r), entry.getValue());
+ }
+ iterator.remove();
+ }
+ }
+
+ // Update things at the end to avoid concurrent access.
+ mScheduledRunnables.putAll(nextRepeats);
+ toRun.forEach(r -> r.run());
+ }
+
+ /**
+ * Used from a {@link CompletedFuture} as defined above to cancel a scheduled task.
+ * @param r The runnable to cancel.
+ */
+ private void cancelRunnable(Runnable r) {
+ Optional<Map.Entry<Long, Runnable>> found = mScheduledRunnables.entrySet().stream()
+ .filter(e -> e.getValue() == r)
+ .findFirst();
+ if (found.isPresent()) {
+ mScheduledRunnables.remove(found.get().getKey());
+ }
+ mRepeatDuration.remove(r);
+ Log.i(TAG, "cancelRunnable: runnable=" + System.identityHashCode(r));
+ }
+
+ public int getNumberOfScheduledRunnables() {
+ return mScheduledRunnables.size();
+ }
+
+ public boolean isRunnableScheduledAtTime(long time) {
+ return mScheduledRunnables.containsKey(time);
+ }
+}
\ No newline at end of file
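Review bot: `mScheduledRunnables` is keyed by the absolute run time, so the `mScheduledRunnables.put(...)` in `schedule()` and `scheduleWithFixedDelay()` silently replaces any runnable already queued for the same millisecond. Two timeouts scheduled for the same instant would leave only the last task, and a test could pass without the first ever running. Until the map holds a list per slot, make the collision loud: `if (mScheduledRunnables.putIfAbsent(scheduledTime, command) != null) throw new IllegalStateException("slot taken: " + scheduledTime);`. `scheduleWithFixedDelay()` also ignores `initialDelay`. Both methods hand the unconverted `delay` to `CompletedFuture`, whose `getDelay()` reports it as milliseconds, so passing `unit.toMillis(delay)` would make the two agree.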


@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pranav Madapurmath <pmadapurmath@google.com>
Date: Tue, 11 Jun 2024 15:51:39 +0000
Subject: [PATCH] Unbind CallScreeningService when timeout reached.
In a vulnerability, the exploiter showed that an app which implements a
service with role holding ROLE_CALL_SCREENING can be used to keep a
service alive. The assumption is that the CallScreeningService class
uses MSG_SCREEN_CALL to screen the call and results in the service being
unbound for outgoing calls once screening completes. However, a vanilla
service which holds the ROLE_CALL_SCREENING role can still be used as
the default call screening app which keeps the service alive.
This CL ensures that after the timeout is reached that we try to unbind
the service if possible.
Bug: 300904123
Test: Manual test to verify that onDestroy is called for the service
after the timeout is reached.
(cherry picked from commit 9d97cd5825066ac8e15bbf97f6755663c5341afb)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d57f25311acb7fb887fb0296364526345cc905bb)
Merged-In: I30d276867c571ece113106d3b363fce99d64f441
Change-Id: I30d276867c571ece113106d3b363fce99d64f441
---
.../android/server/telecom/CallScreeningServiceHelper.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/com/android/server/telecom/CallScreeningServiceHelper.java b/src/com/android/server/telecom/CallScreeningServiceHelper.java
index 89778e43a..5582a7da4 100644
--- a/src/com/android/server/telecom/CallScreeningServiceHelper.java
+++ b/src/com/android/server/telecom/CallScreeningServiceHelper.java
@@ -185,6 +185,10 @@ public class CallScreeningServiceHelper {
Log.w(TAG, "Cancelling call id process due to timeout");
}
mFuture.complete(null);
+ mContext.unbindService(serviceConnection);
+ } catch (IllegalArgumentException e) {
+ Log.i(this, "Exception when unbinding service %s : %s", serviceConnection,
+ e.getMessage());
} finally {
Log.endSession();
}
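Review bot: The new `unbindService` call has no comment saying why the timeout path must unbind. The reason is only in the commit message: a role holder that never answers the screening request would otherwise stay bound. I would add above it `// Always unbind on timeout so a ROLE_CALL_SCREENING holder that never responds cannot stay bound.` The new catch also logs with `Log.i(this, ...)` while the line above uses `Log.w(TAG, ...)`. Using `Log.w(TAG, "Exception when unbinding service %s : %s", serviceConnection, e.getMessage());` would keep the block consistent and make a failed unbind easier to spot in logs. The enclosing try block starts outside the hunk.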


@ -1,4 +1,4 @@
From e6265d93946259f985ccafa975ed3426489c8cec Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Mon, 22 Apr 2024 16:43:29 +0000
Subject: [PATCH] Fix heap-buffer overflow in sdp_utils.cc
@ -24,7 +24,7 @@ Change-Id: Ib536cbeac454efbf6af3d713c05c8e3e077e069b
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/stack/sdp/sdp_utils.cc b/stack/sdp/sdp_utils.cc
index 33f30b04211..94368ecbc51 100644
index 33f30b042..94368ecbc 100644
--- a/stack/sdp/sdp_utils.cc
+++ b/stack/sdp/sdp_utils.cc
@@ -943,8 +943,28 @@ bool sdpu_compare_uuid_arrays(uint8_t* p_uuid1, uint32_t len1, uint8_t* p_uuid2,


@ -1,4 +1,4 @@
From 63c86c2e26ce2d2b6b4119abf5d4fe1dbb8b00b6 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Mon, 22 Apr 2024 16:43:29 +0000
Subject: [PATCH] Fix heap-buffer overflow in sdp_utils.cc


@ -95,7 +95,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
sed -i 's/2023-02-05/2024-08-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-08
sed -i 's/2023-02-05/2024-09-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-09
fi;
if enterAndClear "build/soong"; then
@ -122,7 +122,7 @@ fi;
if enterAndClear "external/expat"; then
applyPatch "$DOS_PATCHES/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch";
applyPatch "$DOS_PATCHES/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch.patch";
applyPatch "$DOS_PATCHES/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch";
applyPatch "$DOS_PATCHES/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
applyPatch "$DOS_PATCHES/android_external_expat/0004-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch";
fi;
@ -202,6 +202,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_av/391907.patch"; #Q_asb_2024-03 Sof
applyPatch "$DOS_PATCHES/android_frameworks_av/391908.patch"; #Q_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue
applyPatch "$DOS_PATCHES/android_frameworks_av/402601.patch"; #Q_asb_2024-08 Fix flag check in JAudioTrack.cpp
applyPatch "$DOS_PATCHES/android_frameworks_av/402602.patch"; #Q_asb_2024-08 StagefrightRecoder: Disabling B-frame support
applyPatch "$DOS_PATCHES/android_frameworks_av/401372.patch"; #S_asb_2024-09 omx: check HDR10+ info param size
fi;
if enterAndClear "frameworks/base"; then
@ -326,6 +327,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/402603.patch"; #Q_asb_2024-08 S
applyPatch "$DOS_PATCHES/android_frameworks_base/402604.patch"; #Q_asb_2024-08 Backport preventing BAL bypass via bound service
applyPatch "$DOS_PATCHES/android_frameworks_base/402605.patch"; #Q_asb_2024-08 Restrict USB poups while setup is in progress
applyPatch "$DOS_PATCHES/android_frameworks_base/402606.patch"; #Q_asb_2024-08 Hide SAW subwindows
applyPatch "$DOS_PATCHES/android_frameworks_base/401373.patch"; #S_asb_2024-09 Sanitized uri scheme by removing scheme delimiter
#applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
@ -522,7 +524,10 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/368012.patch"; #Q_asb_20
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/378109.patch"; #Q_asb_2023-09 Settings: don't try to allow NLSes with too-long component names
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/378110.patch"; #Q_asb_2023-10 Restrict ApnEditor settings
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/380569.patch"; #Q_asb_2024-01 Validate ringtone URIs before setting
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/316891059-17.patch"; #x-asb_2024-05 Replace getCallingActivity() with getLaunchedFromPackage()
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/401375-backport.patch"; #S_asb_2024-09 Limit wifi item edit content's max length to 500
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/401376-backport.patch"; #S_asb_2024-09 Replace getCallingActivity() with getLaunchedFromPackage()
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/401377.patch"; #S_asb_2024-09 Ignore fragment attr from ext authenticator resource
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/401378-backport.patch"; #S_asb_2024-09 Restrict Settings Homepage prior to provisioning
git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
@ -610,6 +615,8 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/378122.patch"; #Q_as
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/369703.patch"; #Q_asb_2023-12 Fix vulnerability in CallRedirectionService.
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/378123.patch"; #Q_asb_2023-12 Support for API cleanups.
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/378065.patch"; #Q_asb_2023-12 Resolve account image icon profile boundary exploit.
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/401380-backport.patch"; #S_asb_2024-09 Unbind CS if connection is not created within 15 seconds. #XXX
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/401381.patch"; #S_asb_2024-09 Unbind CallScreeningService when timeout reached.
fi;
if enterAndClear "packages/services/Telephony"; then