Picks

Signed-off-by: Tavi <tavi@divested.dev>
2025-01-11 23:49:34 -05:00 · 2024-02-07 17:17:55 -05:00 · 2024-02-07 17:17:55 -05:00 · 44e57d0a5a
commit 44e57d0a5a
parent 215f358d58
13 changed files with 126 additions and 11 deletions
--- a/Patches/LineageOS-14.1/android_frameworks_av/381852.patch
+++ b/Patches/LineageOS-14.1/android_frameworks_av/381852.patch
@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ashish Kumar Gupta <kumarashishg@google.com>
+Date: Tue, 21 Nov 2023 08:48:43 +0530
+Subject: [PATCH] Update mtp packet buffer
+
+Currently, the buffer size is not changed when the packet size is increased. Ideally, the buffer size should be larger than the packet size. In our case, when the packet size is increased, we must reallocate the buffer of MTP packet.
+
+Bug: 300007708
+Test: build and flash the device. Check MTP works
+Test: run fuzzer locally
+(cherry picked from commit e1494a2d8e7eee25d7ea5469be43740e97294c99)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c0f99beb6fa5ff920caf5b0d06aaebc8e9eab24)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:edf60c63243903b9f27f58f4954c599470d011fd)
+Merged-In: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
+Change-Id: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
+---
+ media/mtp/MtpPacket.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/media/mtp/MtpPacket.cpp b/media/mtp/MtpPacket.cpp
+index b7546c8437..d518ceb030 100644
+--- a/media/mtp/MtpPacket.cpp
+++ b/media/mtp/MtpPacket.cpp
+@@ -168,8 +168,10 @@ void MtpPacket::setParameter(int index, uint32_t value) {
+         return;
+     }
+     int offset = MTP_CONTAINER_PARAMETER_OFFSET + (index - 1) * sizeof(uint32_t);
+-    if (mPacketSize < offset + sizeof(uint32_t))
+    if (mPacketSize < offset + sizeof(uint32_t)) {
+         mPacketSize = offset + sizeof(uint32_t);
+        allocate(mPacketSize);
+    }
+     putUInt32(offset, value);
+ }
+ 
--- a/Patches/LineageOS-14.1/android_system_bt/381850.patch
+++ b/Patches/LineageOS-14.1/android_system_bt/381850.patch
@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Wed, 29 Nov 2023 00:53:33 +0000
+Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and
+ attp_build_value_cmd
+
+this is a backport of Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
+
+Bug: 276898739
+Test: manual
+Tag: #security
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e)
+Merged-In: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
+Change-Id: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
+---
+ btif/src/btif_gatt_util.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/btif/src/btif_gatt_util.c b/btif/src/btif_gatt_util.c
+index c93d866b4..4edc7cf29 100644
+--- a/btif/src/btif_gatt_util.c
+++ b/btif/src/btif_gatt_util.c
+@@ -113,9 +113,10 @@ void btif_to_bta_response(tBTA_GATTS_RSP *p_dest, btgatt_response_t* p_src)
+ {
+     p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
+     p_dest->attr_value.handle   = p_src->attr_value.handle;
+-    p_dest->attr_value.len      = p_src->attr_value.len;
+    p_dest->attr_value.len      = (p_dest->attr_value.len < GATT_MAX_ATTR_LEN) ?
+                                   p_dest->attr_value.len : GATT_MAX_ATTR_LEN;
+     p_dest->attr_value.offset   = p_src->attr_value.offset;
+-    memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
+    memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
+ }
+ 
+ void btif_to_bta_uuid_mask(tBTA_DM_BLE_PF_COND_MASK *p_mask, bt_uuid_t *p_src)
--- a/Patches/LineageOS-14.1/android_system_bt/381851.patch
+++ b/Patches/LineageOS-14.1/android_system_bt/381851.patch
@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Wed, 29 Nov 2023 18:23:53 +0000
+Subject: [PATCH] Fix an OOB write bug in attp_build_read_by_type_value_cmd
+
+This is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e
+
+Bug: 297524203
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)
+Merged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181
+Change-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181
+---
+ stack/gatt/att_protocol.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/stack/gatt/att_protocol.c b/stack/gatt/att_protocol.c
+index e09636220..1e9948185 100644
+--- a/stack/gatt/att_protocol.c
+++ b/stack/gatt/att_protocol.c
+@@ -156,7 +156,14 @@ BT_HDR *attp_build_read_by_type_value_cmd (UINT16 payload_size, tGATT_FIND_TYPE_
+ {
+     UINT8 *p;
+     UINT16 len = p_value_type->value_len;
+-    BT_HDR *p_buf =
+    BT_HDR *p_buf = NULL;
+
+    if (payload_size < 5)
+    {
+        return NULL;
+    }
+
+    p_buf =
+         (BT_HDR *)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
+ 
+     p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
--- a/Patches/LineageOS-19.1/android_frameworks_base/0014-Automatic_Reboot.patch
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0014-Automatic_Reboot.patch
@ -13,10 +13,10 @@ Change-Id: If891bfbcc144c9336ba013260bad2b7c7a59c054
 4 files changed, 46 insertions(+)

 diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
-index 1c5650b540f0..1f606fefeb36 100644
+index 62805ae63b43..5c7851d3fb41 100644
 --- a/core/java/android/provider/Settings.java
 +++ b/core/java/android/provider/Settings.java
-@@ -16395,6 +16395,13 @@ public final class Settings {
+@@ -16402,6 +16402,13 @@ public final class Settings {
          * @hide
          */
         public static final String RESTRICTED_NETWORKING_MODE = "restricted_networking_mode";
--- a/Patches/LineageOS-19.1/android_frameworks_base/0015-Bluetooth_Timeout.patch
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0015-Bluetooth_Timeout.patch
@ -9,10 +9,10 @@ Subject: [PATCH] Bluetooth auto turn off
 2 files changed, 82 insertions(+)

 diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
-index 1f606fefeb36..66f100ead954 100644
+index 5c7851d3fb41..8fb1272a5800 100644
 --- a/core/java/android/provider/Settings.java
 +++ b/core/java/android/provider/Settings.java
-@@ -16402,6 +16402,12 @@ public final class Settings {
+@@ -16409,6 +16409,12 @@ public final class Settings {
          * @hide
          */
         public static final String SETTINGS_REBOOT_AFTER_TIMEOUT = "settings_reboot_after_timeout";
--- a/Patches/LineageOS-19.1/android_frameworks_base/0016-WiFi_Timeout.patch
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0016-WiFi_Timeout.patch
@ -9,10 +9,10 @@ Subject: [PATCH] Wi-Fi auto turn off
 2 files changed, 75 insertions(+)

 diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
-index 66f100ead954..d7cc36ff4ae2 100644
+index 8fb1272a5800..8cb77c608f4a 100644
 --- a/core/java/android/provider/Settings.java
 +++ b/core/java/android/provider/Settings.java
-@@ -16396,6 +16396,12 @@ public final class Settings {
+@@ -16403,6 +16403,12 @@ public final class Settings {
          */
         public static final String RESTRICTED_NETWORKING_MODE = "restricted_networking_mode";
 
--- a/Patches/LineageOS-19.1/android_frameworks_base/0025-Monet_Toggle.patch
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0025-Monet_Toggle.patch
@ -9,7 +9,7 @@ Subject: [PATCH] make monet based theming user configurable
 2 files changed, 65 insertions(+), 32 deletions(-)

 diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
-index d7cc36ff4ae2..72e6362c0a96 100644
+index 8cb77c608f4a..f4db96f153e4 100644
 --- a/core/java/android/provider/Settings.java
 +++ b/core/java/android/provider/Settings.java
@@ -6341,6 +6341,27 @@ public final class Settings {
--- a/Patches/LineageOS-19.1/android_frameworks_base/0028-SUPL_Toggle.patch
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0028-SUPL_Toggle.patch
@ -11,10 +11,10 @@ Change-Id: I5c31c319d198f09ace493e601278f8224a259f05
 3 files changed, 40 insertions(+)

 diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
-index 72e6362c0a96..123738e812b4 100644
+index f4db96f153e4..d43de7c19477 100644
 --- a/core/java/android/provider/Settings.java
 +++ b/core/java/android/provider/Settings.java
-@@ -16429,6 +16429,15 @@ public final class Settings {
+@@ -16436,6 +16436,15 @@ public final class Settings {
          * @hide
          */
         public static final String SETTINGS_REBOOT_AFTER_TIMEOUT = "settings_reboot_after_timeout";
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2024-01-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-01 #XXX
+sed -i 's/2021-06-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-02 #XXX
 fi;

 if enterAndClear "device/qcom/sepolicy"; then
@ -168,6 +168,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_av/321222.patch"; #n-asb-2022-01 Sim
 applyPatch "$DOS_PATCHES/android_frameworks_av/358729.patch"; #n-asb-2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
 applyPatch "$DOS_PATCHES/android_frameworks_av/365698.patch"; #n-asb-2023-09 Fix Segv on unknown address error flagged by fuzzer test.
 applyPatch "$DOS_PATCHES/android_frameworks_av/373035.patch"; #n-asb-2023-11 Fix for heap buffer overflow issue flagged by fuzzer test.
+applyPatch "$DOS_PATCHES/android_frameworks_av/381852.patch"; #n-asb-2024-02 Update mtp packet buffer
 fi;

 if enterAndClear "frameworks/base"; then
@ -539,6 +540,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/378958.patch"; #n-asb-2024-01 Simplif
 applyPatch "$DOS_PATCHES/android_system_bt/378959.patch"; #n-asb-2024-01 Simplify LE Advertising Report Event processing
 applyPatch "$DOS_PATCHES/android_system_bt/378960.patch"; #n-asb-2024-01 LE Advertising Report parsing enhancements
 applyPatch "$DOS_PATCHES/android_system_bt/378961.patch"; #n-asb-2024-01 Fix some OOB errors in BTM parsing
+applyPatch "$DOS_PATCHES/android_system_bt/381850.patch"; #n-asb-2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
+applyPatch "$DOS_PATCHES/android_system_bt/381851.patch"; #n-asb-2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
 applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)
--- a/Scripts/LineageOS-18.1/Functions.sh
+++ b/Scripts/LineageOS-18.1/Functions.sh
@ -123,6 +123,7 @@ patchWorkspaceReal() {
 	repopick -fit msm8974-gps-r;
 	repopick -fit hh-vsync;
 	repopick -fi 311299; #ble: Workaround malformed HCI_BLE_VENDOR_CAP response
+	repopick -it R_asb_2024-02;

 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@ -96,6 +96,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
+sed -i 's/2024-01-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-02
 fi;

 if enterAndClear "build/soong"; then
--- a/Scripts/LineageOS-19.1/Functions.sh
+++ b/Scripts/LineageOS-19.1/Functions.sh
@ -66,9 +66,10 @@ patchWorkspaceReal() {
 	verifyAllPlatformTags;
 	gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";

-	#source build/envsetup.sh;
+	source build/envsetup.sh;
 	#repopick -ift twelve-bt-sbc-hd-dualchannel;
 	#repopick -it twelve-colors;
+	repopick -it S_asb_2024-02;

 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
--- a/Scripts/LineageOS-19.1/Patch.sh
+++ b/Scripts/LineageOS-19.1/Patch.sh
@ -98,6 +98,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 awk -i inplace '!/updatable_apex.mk/' target/product/generic_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
+sed -i 's/2024-01-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #S_asb_2024-02
 fi;

 if enterAndClear "build/soong"; then