From 439af0cc9dba1fd653c31fbac4246752c57b4220 Mon Sep 17 00:00:00 2001 From: Tavi Date: Sat, 17 Aug 2024 10:04:14 -0400 Subject: [PATCH] 17.1: August 2024 ASB work Signed-off-by: Tavi --- .../android_frameworks_av/399741.patch | 38 +++++++++++ .../android_frameworks_base/399739.patch | 65 +++++++++++++++++++ .../android_frameworks_base/399740.patch | 33 ++++++++++ .../android_system_bt/399742.patch | 60 +++++++++++++++++ .../399743.patch | 60 +++++++++++++++++ Scripts/LineageOS-17.1/Patch.sh | 7 +- 6 files changed, 262 insertions(+), 1 deletion(-) create mode 100644 Patches/LineageOS-17.1/android_frameworks_av/399741.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/399739.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/399740.patch create mode 100644 Patches/LineageOS-17.1/android_system_bt/399742.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/399743.patch diff --git a/Patches/LineageOS-17.1/android_frameworks_av/399741.patch b/Patches/LineageOS-17.1/android_frameworks_av/399741.patch new file mode 100644 index 00000000..3e011cbe --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_av/399741.patch @@ -0,0 +1,38 @@ +From c68f62f62fc3ffe077098e45f26ffa2fb3300d6c Mon Sep 17 00:00:00 2001 +From: Rakesh Kumar +Date: Thu, 30 May 2024 11:17:48 +0000 +Subject: [PATCH] StagefrightRecoder: Disabling B-frame support + +Disabling b-frame support from stagefright recorder in case of +audio source as mic and video source is surface use case only +because screen recorder with microphone doesn't play in sync +if b-frame is enabled. +If the audio source selected is INTERNAL (i.e. device) or +MIC_AND_INTERNAL with screen recorder then b frame is supported. + +Bug: 288549440 +Test: manually check screen recording with audio from mic has audio/video in synch +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:af685c66bab17b71fe1624f76b5d55628f79e6fa) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:da3407f7688f35eb2dce79f1405feeb182241a3c) +Merged-In: I4098655eb9687fb633085333bc140634441566e6 +Change-Id: I4098655eb9687fb633085333bc140634441566e6 +--- + media/libmediaplayerservice/StagefrightRecorder.cpp | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/media/libmediaplayerservice/StagefrightRecorder.cpp b/media/libmediaplayerservice/StagefrightRecorder.cpp +index a7344de402b..c66def491b9 100644 +--- a/media/libmediaplayerservice/StagefrightRecorder.cpp ++++ b/media/libmediaplayerservice/StagefrightRecorder.cpp +@@ -1843,6 +1843,11 @@ status_t StagefrightRecorder::setupVideoEncoder( + + if (tsLayers > 1) { + uint32_t bLayers = std::min(2u, tsLayers - 1); // use up-to 2 B-layers ++ // TODO(b/341121900): Remove this once B frames are handled correctly in screen recorder ++ // use case in case of mic only ++ if (mAudioSource == AUDIO_SOURCE_MIC && mVideoSource == VIDEO_SOURCE_SURFACE) { ++ bLayers = 0; ++ } + uint32_t pLayers = tsLayers - bLayers; + format->setString( + "ts-schema", AStringPrintf("android.generic.%u+%u", pLayers, bLayers)); diff --git a/Patches/LineageOS-17.1/android_frameworks_base/399739.patch b/Patches/LineageOS-17.1/android_frameworks_base/399739.patch new file mode 100644 index 00000000..b75607ad --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/399739.patch @@ -0,0 +1,65 @@ +From 45ee08b07a12600ead2f3a789d60094c9d886fb8 Mon Sep 17 00:00:00 2001 +From: Kiran S +Date: Mon, 13 May 2024 05:49:06 +0000 +Subject: [PATCH] Restrict USB poups while setup is in progress + +Test: Cherry pick of http://ag/27094197 +Bug: 294105066 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2ce2e54a040342373e401f9c2e70035ede4e63ad) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ec96cc3e3a81d21f2249db381c10638bb307cf39) +Merged-In: I7d54534696fd73f3b94c5b4250142eed9341c5d8 +Change-Id: I7d54534696fd73f3b94c5b4250142eed9341c5d8 +--- + .../usb/UsbProfileGroupSettingsManager.java | 21 +++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java b/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java +index d7b6b5d0d36a2..de49091759df3 100644 +--- a/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java ++++ b/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java +@@ -16,6 +16,8 @@ + + package com.android.server.usb; + ++import static android.provider.Settings.Secure.USER_SETUP_COMPLETE; ++ + import static com.android.internal.app.IntentForwarderActivity.FORWARD_INTENT_TO_MANAGED_PROFILE; + + import android.annotation.NonNull; +@@ -42,6 +44,7 @@ + import android.os.Environment; + import android.os.UserHandle; + import android.os.UserManager; ++import android.provider.Settings; + import android.service.usb.UsbProfileGroupSettingsManagerProto; + import android.service.usb.UsbSettingsAccessoryPreferenceProto; + import android.service.usb.UsbSettingsDevicePreferenceProto; +@@ -900,10 +903,28 @@ private void resolveActivity(Intent intent, UsbDevice device, boolean showMtpNot + return; + } + ++ if (shouldRestrictOverlayActivities()) { ++ return; ++ } ++ + // Start activity with registered intent + resolveActivity(intent, matches, defaultActivity, device, null); + } + ++ private boolean shouldRestrictOverlayActivities() { ++ if (Settings.Secure.getIntForUser( ++ mContext.getContentResolver(), ++ USER_SETUP_COMPLETE, ++ /* defaultValue= */ 1, ++ UserHandle.CURRENT.getIdentifier()) ++ == 0) { ++ Slog.d(TAG, "restricting usb overlay activities as setup is not complete"); ++ return true; ++ } ++ ++ return false; ++ } ++ + public void deviceAttachedForFixedHandler(UsbDevice device, ComponentName component) { + final Intent intent = createDeviceAttachedIntent(device); + diff --git a/Patches/LineageOS-17.1/android_frameworks_base/399740.patch b/Patches/LineageOS-17.1/android_frameworks_base/399740.patch new file mode 100644 index 00000000..1b3d19dd --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/399740.patch @@ -0,0 +1,33 @@ +From 644e95940f57497b7dd155d42f6b0bf42b5540b3 Mon Sep 17 00:00:00 2001 +From: Linus Tufvesson +Date: Mon, 29 Apr 2024 16:32:15 +0200 +Subject: [PATCH] Hide SAW subwindows + +.. when top window is hidden through Window#setHideOverlayWindows + +Bug: 318683640 +Test: atest CtsWindowManagerDeviceWindow:HideOverlayWindowsTest +Flag: EXEMPT securityfix +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c37bc9147086f497ac7b1595083836014f524d5f) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:89bc634cb534b8e0ffd798ac9f9f89ac1be0f785) +Merged-In: If19240f5aec2e048de80d75cbbdc00be47622d7f +Change-Id: If19240f5aec2e048de80d75cbbdc00be47622d7f +--- + services/core/java/com/android/server/wm/WindowState.java | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/services/core/java/com/android/server/wm/WindowState.java b/services/core/java/com/android/server/wm/WindowState.java +index 319b7e88258db..12c301b300d69 100644 +--- a/services/core/java/com/android/server/wm/WindowState.java ++++ b/services/core/java/com/android/server/wm/WindowState.java +@@ -3041,8 +3041,9 @@ boolean hideLw(boolean doAnimation, boolean requestAnim) { + } + + void setForceHideNonSystemOverlayWindowIfNeeded(boolean forceHide) { ++ final int baseType = getBaseType(); + if (mOwnerCanAddInternalSystemWindow +- || (!isSystemAlertWindowType(mAttrs.type) && mAttrs.type != TYPE_TOAST)) { ++ || (!isSystemAlertWindowType(baseType) && baseType != TYPE_TOAST)) { + return; + } + if (mForceHideNonSystemOverlayWindow == forceHide) { diff --git a/Patches/LineageOS-17.1/android_system_bt/399742.patch b/Patches/LineageOS-17.1/android_system_bt/399742.patch new file mode 100644 index 00000000..2fdcf3db --- /dev/null +++ b/Patches/LineageOS-17.1/android_system_bt/399742.patch @@ -0,0 +1,60 @@ +From 2c0deba7d780ae11d16fc675fc6aa9abba344fd7 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Mon, 22 Apr 2024 16:43:29 +0000 +Subject: [PATCH] Fix heap-buffer overflow in sdp_utils.cc + +Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with +an out of bounds comparison. Although the bug claims this is due to a +comparison of a uuid with a smaller data field thana the discovery +attribute, my research suggests that this instead stems from a +comparison of a 128 bit UUID with a discovery attribute of some other, +invalid size. + +Add checks for discovery attribute size. + +Bug: 287184435 +Test: atest bluetooth_test_gd_unit, net_test_stack_sdp +Tag: #security +Ignore-AOSP-First: Security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:99210e2f251e2189c1eede15942c832e017404c2) +Merged-In: Ib536cbeac454efbf6af3d713c05c8e3e077e069b +Change-Id: Ib536cbeac454efbf6af3d713c05c8e3e077e069b +--- + stack/sdp/sdp_utils.cc | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/stack/sdp/sdp_utils.cc b/stack/sdp/sdp_utils.cc +index f8cde2c34c5..9581dc72a77 100644 +--- a/stack/sdp/sdp_utils.cc ++++ b/stack/sdp/sdp_utils.cc +@@ -949,8 +949,28 @@ bool sdpu_compare_uuid_arrays(uint8_t* p_uuid1, uint32_t len1, uint8_t* p_uuid2, + ******************************************************************************/ + bool sdpu_compare_uuid_with_attr(const Uuid& uuid, tSDP_DISC_ATTR* p_attr) { + int len = uuid.GetShortestRepresentationSize(); +- if (len == 2) return uuid.As16Bit() == p_attr->attr_value.v.u16; +- if (len == 4) return uuid.As32Bit() == p_attr->attr_value.v.u32; ++ if (len == 2) { ++ if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == Uuid::kNumBytes16) { ++ return uuid.As16Bit() == p_attr->attr_value.v.u16; ++ } else { ++ LOG(ERROR) << "invalid length for discovery attribute"; ++ return (false); ++ } ++ } ++ if (len == 4) { ++ if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == Uuid::kNumBytes32) { ++ return uuid.As32Bit() == p_attr->attr_value.v.u32; ++ } else { ++ LOG(ERROR) << "invalid length for discovery attribute"; ++ return (false); ++ } ++ } ++ ++ if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) != Uuid::kNumBytes128) { ++ LOG(ERROR) << "invalid length for discovery attribute"; ++ return (false); ++ } ++ + if (memcmp(uuid.To128BitBE().data(), (void*)p_attr->attr_value.v.array, + Uuid::kNumBytes128) == 0) + return (true); diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/399743.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/399743.patch new file mode 100644 index 00000000..bceaab8a --- /dev/null +++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/399743.patch @@ -0,0 +1,60 @@ +From f33554bf3b2998d04a78d19c46d9db26f2d27478 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Mon, 22 Apr 2024 16:43:29 +0000 +Subject: [PATCH] Fix heap-buffer overflow in sdp_utils.cc + +Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with +an out of bounds comparison. Although the bug claims this is due to a +comparison of a uuid with a smaller data field thana the discovery +attribute, my research suggests that this instead stems from a +comparison of a 128 bit UUID with a discovery attribute of some other, +invalid size. + +Add checks for discovery attribute size. + +Bug: 287184435 +Test: atest bluetooth_test_gd_unit, net_test_stack_sdp +Tag: #security +Ignore-AOSP-First: Security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:99210e2f251e2189c1eede15942c832e017404c2) +Merged-In: Ib536cbeac454efbf6af3d713c05c8e3e077e069b +Change-Id: Ib536cbeac454efbf6af3d713c05c8e3e077e069b +--- + stack/sdp/sdp_utils.cc | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/stack/sdp/sdp_utils.cc b/stack/sdp/sdp_utils.cc +index ec48361fd..66f52c32f 100644 +--- a/stack/sdp/sdp_utils.cc ++++ b/stack/sdp/sdp_utils.cc +@@ -739,8 +739,28 @@ bool sdpu_compare_uuid_arrays(uint8_t* p_uuid1, uint32_t len1, uint8_t* p_uuid2, + ******************************************************************************/ + bool sdpu_compare_uuid_with_attr(const Uuid& uuid, tSDP_DISC_ATTR* p_attr) { + int len = uuid.GetShortestRepresentationSize(); +- if (len == 2) return uuid.As16Bit() == p_attr->attr_value.v.u16; +- if (len == 4) return uuid.As32Bit() == p_attr->attr_value.v.u32; ++ if (len == 2) { ++ if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == Uuid::kNumBytes16) { ++ return uuid.As16Bit() == p_attr->attr_value.v.u16; ++ } else { ++ LOG(ERROR) << "invalid length for discovery attribute"; ++ return (false); ++ } ++ } ++ if (len == 4) { ++ if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == Uuid::kNumBytes32) { ++ return uuid.As32Bit() == p_attr->attr_value.v.u32; ++ } else { ++ LOG(ERROR) << "invalid length for discovery attribute"; ++ return (false); ++ } ++ } ++ ++ if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) != Uuid::kNumBytes128) { ++ LOG(ERROR) << "invalid length for discovery attribute"; ++ return (false); ++ } ++ + if (memcmp(uuid.To128BitBE().data(), (void*)p_attr->attr_value.v.array, + Uuid::kNumBytes128) == 0) + return (true); diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh index 778cd162..a301193b 100644 --- a/Scripts/LineageOS-17.1/Patch.sh +++ b/Scripts/LineageOS-17.1/Patch.sh @@ -95,7 +95,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) -sed -i 's/2023-02-05/2024-07-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2024-07 +sed -i 's/2023-02-05/2024-08-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-08 fi; if enterAndClear "build/soong"; then @@ -193,6 +193,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_av/383255.patch"; #Q_asb_2024-02 Upd applyPatch "$DOS_PATCHES/android_frameworks_av/391906.patch"; #Q_asb_2024-03 Validate OMX Params for VPx encoders applyPatch "$DOS_PATCHES/android_frameworks_av/391907.patch"; #Q_asb_2024-03 SoftVideoDecodeOMXComponent: validate OMX params for dynamic HDR applyPatch "$DOS_PATCHES/android_frameworks_av/391908.patch"; #Q_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue +applyPatch "$DOS_PATCHES/android_frameworks_av/399741.patch"; #R_asb_2024-08 StagefrightRecoder: Disabling B-frame support fi; if enterAndClear "frameworks/base"; then @@ -313,6 +314,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/399086.patch"; #Q_asb_2024-06 A applyPatch "$DOS_PATCHES/android_frameworks_base/399413.patch"; #Q_asb_2024-06 Check permissions for CDM shell commands applyPatch "$DOS_PATCHES/android_frameworks_base/399088.patch"; #Q_asb_2024-07 Verify UID of incoming Zygote connections. applyPatch "$DOS_PATCHES/android_frameworks_base/399089.patch"; #Q_asb_2024-07 Fix security vulnerability of non-dynamic permission removal +applyPatch "$DOS_PATCHES/android_frameworks_base/399739.patch"; #R_asb_2024-08 Restrict USB poups while setup is in progress +applyPatch "$DOS_PATCHES/android_frameworks_base/399740.patch"; #R_asb_2024-08 Hide SAW subwindows #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS) @@ -637,6 +640,7 @@ applyPatch "$DOS_PATCHES/android_system_bt/391914.patch"; #Q_asb_2024-03 Fix an applyPatch "$DOS_PATCHES/android_system_bt/391915.patch"; #Q_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd applyPatch "$DOS_PATCHES/android_system_bt/391916.patch"; #Q_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond applyPatch "$DOS_PATCHES/android_system_bt/399092.patch"; #Q_asb_2024-07 Fix an authentication bypass bug in SMP +applyPatch "$DOS_PATCHES/android_system_bt/399742.patch"; #R_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS) #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS) #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS) @@ -749,6 +753,7 @@ applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/391917.patch"; applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/391918.patch"; #Q_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/391919.patch"; #Q_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/399091.patch"; #Q_asb_2024-07 Fix an authentication bypass bug in SMP +applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/399743.patch"; #R_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc fi; if enterAndClear "vendor/lineage"; then