From 44e57d0a5af2758e5863c5506e2bf6875faed23f Mon Sep 17 00:00:00 2001
From: Tavi
Date: Wed, 7 Feb 2024 17:17:55 -0500
Subject: [PATCH] Picks
Signed-off-by: Tavi
---
 .../android_frameworks_av/381852.patch | 35 ++++++++++++++++++
 .../android_system_bt/381850.patch | 36 ++++++++++++++++++
 .../android_system_bt/381851.patch | 37 +++++++++++++++++++
 .../0014-Automatic_Reboot.patch | 4 +-
 .../0015-Bluetooth_Timeout.patch | 4 +-
 .../0016-WiFi_Timeout.patch | 4 +-
 .../0025-Monet_Toggle.patch | 2 +-
 .../0028-SUPL_Toggle.patch | 4 +-
 Scripts/LineageOS-14.1/Patch.sh | 5 ++-
 Scripts/LineageOS-18.1/Functions.sh | 1 +
 Scripts/LineageOS-18.1/Patch.sh | 1 +
 Scripts/LineageOS-19.1/Functions.sh | 3 +-
 Scripts/LineageOS-19.1/Patch.sh | 1 +
 13 files changed, 126 insertions(+), 11 deletions(-)
 create mode 100644 Patches/LineageOS-14.1/android_frameworks_av/381852.patch
 create mode 100644 Patches/LineageOS-14.1/android_system_bt/381850.patch
 create mode 100644 Patches/LineageOS-14.1/android_system_bt/381851.patch
diff --git a/Patches/LineageOS-14.1/android_frameworks_av/381852.patch b/Patches/LineageOS-14.1/android_frameworks_av/381852.patch
new file mode 100644
index 00000000..0548dadc
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_av/381852.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ashish Kumar Gupta
+Date: Tue, 21 Nov 2023 08:48:43 +0530
+Subject: [PATCH] Update mtp packet buffer
+
+Currently, the buffer size is not changed when the packet size is increased. Ideally, the buffer size should be larger than the packet size. In our case, when the packet size is increased, we must reallocate the buffer of MTP packet.
+
+Bug: 300007708
+Test: build and flash the device. Check MTP works
+Test: run fuzzer locally
+(cherry picked from commit e1494a2d8e7eee25d7ea5469be43740e97294c99)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c0f99beb6fa5ff920caf5b0d06aaebc8e9eab24)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:edf60c63243903b9f27f58f4954c599470d011fd)
+Merged-In: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
+Change-Id: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
+---
+ media/mtp/MtpPacket.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/media/mtp/MtpPacket.cpp b/media/mtp/MtpPacket.cpp
+index b7546c8437..d518ceb030 100644
+--- a/media/mtp/MtpPacket.cpp
++++ b/media/mtp/MtpPacket.cpp
+@@ -168,8 +168,10 @@ void MtpPacket::setParameter(int index, uint32_t value) {
+ return;
+ }
+ int offset = MTP_CONTAINER_PARAMETER_OFFSET + (index - 1) * sizeof(uint32_t);
+- if (mPacketSize < offset + sizeof(uint32_t))
++ if (mPacketSize < offset + sizeof(uint32_t)) {
+ mPacketSize = offset + sizeof(uint32_t);
++ allocate(mPacketSize);
++ }
+ putUInt32(offset, value);
+ }
+
diff --git a/Patches/LineageOS-14.1/android_system_bt/381850.patch b/Patches/LineageOS-14.1/android_system_bt/381850.patch
new file mode 100644
index 00000000..2b9108e9
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_system_bt/381850.patch
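Review bot: The safety of this fix rests on `allocate(mPacketSize)` growing the packet buffer while keeping the bytes already written, which the hunk does not show: `putUInt32(offset, value)` only writes the new parameter, so if allocate() hands back fresh storage instead of extending the existing buffer, the header and earlier parameters are lost. Worth recording that contract on the new line, e.g. `allocate(mPacketSize); // must grow in place and preserve existing contents`. The comparison `mPacketSize < offset + sizeof(uint32_t)` is unchanged and, as I read it, still depends on whatever check precedes the `return;` at the top of the hunk keeping offset sane; setParameter starts outside the hunk, and this stored patch is applied by Scripts/LineageOS-14.1/Patch.sh later in the commit.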
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Wed, 29 Nov 2023 00:53:33 +0000
+Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and
+ attp_build_value_cmd
+
+this is a backport of Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
+
+Bug: 276898739
+Test: manual
+Tag: #security
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e)
+Merged-In: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
+Change-Id: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
+---
+ btif/src/btif_gatt_util.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/btif/src/btif_gatt_util.c b/btif/src/btif_gatt_util.c
+index c93d866b4..4edc7cf29 100644
+--- a/btif/src/btif_gatt_util.c
++++ b/btif/src/btif_gatt_util.c
+@@ -113,9 +113,10 @@ void btif_to_bta_response(tBTA_GATTS_RSP *p_dest, btgatt_response_t* p_src)
+ {
+ p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
+ p_dest->attr_value.handle = p_src->attr_value.handle;
+- p_dest->attr_value.len = p_src->attr_value.len;
++ p_dest->attr_value.len = (p_dest->attr_value.len < GATT_MAX_ATTR_LEN) ?
++ p_dest->attr_value.len : GATT_MAX_ATTR_LEN;
+ p_dest->attr_value.offset = p_src->attr_value.offset;
+- memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
++ memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
+ }
+
+ void btif_to_bta_uuid_mask(tBTA_DM_BLE_PF_COND_MASK *p_mask, bt_uuid_t *p_src)
diff --git a/Patches/LineageOS-14.1/android_system_bt/381851.patch b/Patches/LineageOS-14.1/android_system_bt/381851.patch
new file mode 100644
index 00000000..40294eeb
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_system_bt/381851.patch
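Review bot: The clamp on the new `len` lines reads `p_dest->attr_value.len` on both sides of the conditional, so the source length is never copied: whatever p_dest already held is clamped and then used as the memcpy bound two lines below. The intent, and presumably what the upstream change Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368 that this backports does, is to bound the source length, i.e. `p_dest->attr_value.len = (p_src->attr_value.len < GATT_MAX_ATTR_LEN) ? p_src->attr_value.len : GATT_MAX_ATTR_LEN;`. As written, a zero-initialised p_dest yields an empty response and an uninitialised one makes the memcpy length a stale value, so the bound this patch is meant to add is only as good as that leftover field. The subject also names attp_build_value_cmd, but the diffstat shows only btif_gatt_util.c, so that half of the original fix appears not to be in this backport; this stored patch is applied by Scripts/LineageOS-14.1/Patch.sh later in the commit.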
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Wed, 29 Nov 2023 18:23:53 +0000
+Subject: [PATCH] Fix an OOB write bug in attp_build_read_by_type_value_cmd
+
+This is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e
+
+Bug: 297524203
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)
+Merged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181
+Change-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181
+---
+ stack/gatt/att_protocol.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/stack/gatt/att_protocol.c b/stack/gatt/att_protocol.c
+index e09636220..1e9948185 100644
+--- a/stack/gatt/att_protocol.c
++++ b/stack/gatt/att_protocol.c
+@@ -156,7 +156,14 @@ BT_HDR *attp_build_read_by_type_value_cmd (UINT16 payload_size, tGATT_FIND_TYPE_
+ {
+ UINT8 *p;
+ UINT16 len = p_value_type->value_len;
+- BT_HDR *p_buf =
++ BT_HDR *p_buf = NULL;
++
++ if (payload_size < 5)
++ {
++ return NULL;
++ }
++
++ p_buf =
+ (BT_HDR *)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
+
+ p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET;
diff --git a/Patches/LineageOS-19.1/android_frameworks_base/0014-Automatic_Reboot.patch b/Patches/LineageOS-19.1/android_frameworks_base/0014-Automatic_Reboot.patch
index ca64d76c..fd21c32e 100644
--- a/Patches/LineageOS-19.1/android_frameworks_base/0014-Automatic_Reboot.patch
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0014-Automatic_Reboot.patch
@@ -13,10 +13,10 @@ Change-Id: If891bfbcc144c9336ba013260bad2b7c7a59c054
 4 files changed, 46 insertions(+)
 diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
-index 1c5650b540f0..1f606fefeb36 100644
+index 62805ae63b43..5c7851d3fb41 100644
 --- a/core/java/android/provider/Settings.java
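Review bot: The new guard `if (payload_size < 5)` uses a bare literal whose meaning is not recorded anywhere in the hunk; a comment naming the fixed fields it accounts for (presumably the opcode and handle range written before the value) would let a reader check it against whatever bounds the value length further down, which is outside the hunk, e.g. `if (payload_size < 5) /* opcode + start/end handle, must fit before any value bytes */`. Returning NULL is new behaviour for this function, so every caller of attp_build_read_by_type_value_cmd must now tolerate a NULL result; none are visible here and the backport touches only att_protocol.c. Minor: `len` is initialised from `p_value_type` before the guard, so p_value_type is still dereferenced on the path that now returns early. The function body continues past the hunk.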
+++ b/core/java/android/provider/Settings.java
-@@ -16395,6 +16395,13 @@ public final class Settings {
+@@ -16402,6 +16402,13 @@ public final class Settings {
 * @hide
 */
 public static final String RESTRICTED_NETWORKING_MODE = "restricted_networking_mode";
diff --git a/Patches/LineageOS-19.1/android_frameworks_base/0015-Bluetooth_Timeout.patch b/Patches/LineageOS-19.1/android_frameworks_base/0015-Bluetooth_Timeout.patch
index 8752fce4..f4a62b3d 100644
--- a/Patches/LineageOS-19.1/android_frameworks_base/0015-Bluetooth_Timeout.patch
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0015-Bluetooth_Timeout.patch
@@ -9,10 +9,10 @@ Subject: [PATCH] Bluetooth auto turn off
 2 files changed, 82 insertions(+)
 diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
-index 1f606fefeb36..66f100ead954 100644
+index 5c7851d3fb41..8fb1272a5800 100644
 --- a/core/java/android/provider/Settings.java
 +++ b/core/java/android/provider/Settings.java
-@@ -16402,6 +16402,12 @@ public final class Settings {
+@@ -16409,6 +16409,12 @@ public final class Settings {
 * @hide
 */
 public static final String SETTINGS_REBOOT_AFTER_TIMEOUT = "settings_reboot_after_timeout";
diff --git a/Patches/LineageOS-19.1/android_frameworks_base/0016-WiFi_Timeout.patch b/Patches/LineageOS-19.1/android_frameworks_base/0016-WiFi_Timeout.patch
index faa8d8aa..769b9440 100644
--- a/Patches/LineageOS-19.1/android_frameworks_base/0016-WiFi_Timeout.patch
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0016-WiFi_Timeout.patch
@@ -9,10 +9,10 @@ Subject: [PATCH] Wi-Fi auto turn off
 2 files changed, 75 insertions(+)
 diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
-index 66f100ead954..d7cc36ff4ae2 100644
+index 8fb1272a5800..8cb77c608f4a 100644
 --- a/core/java/android/provider/Settings.java
+++ b/core/java/android/provider/Settings.java
-@@ -16396,6 +16396,12 @@ public final class Settings {
+@@ -16403,6 +16403,12 @@ public final class Settings {
 */
 public static final String RESTRICTED_NETWORKING_MODE = "restricted_networking_mode";
diff --git a/Patches/LineageOS-19.1/android_frameworks_base/0025-Monet_Toggle.patch b/Patches/LineageOS-19.1/android_frameworks_base/0025-Monet_Toggle.patch
index 12238469..512b936a 100644
--- a/Patches/LineageOS-19.1/android_frameworks_base/0025-Monet_Toggle.patch
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0025-Monet_Toggle.patch
@@ -9,7 +9,7 @@ Subject: [PATCH] make monet based theming user configurable
 2 files changed, 65 insertions(+), 32 deletions(-)
 diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
-index d7cc36ff4ae2..72e6362c0a96 100644
+index 8cb77c608f4a..f4db96f153e4 100644
 --- a/core/java/android/provider/Settings.java
 +++ b/core/java/android/provider/Settings.java
 @@ -6341,6 +6341,27 @@ public final class Settings {
diff --git a/Patches/LineageOS-19.1/android_frameworks_base/0028-SUPL_Toggle.patch b/Patches/LineageOS-19.1/android_frameworks_base/0028-SUPL_Toggle.patch
index 7a94f509..21e371f5 100644
--- a/Patches/LineageOS-19.1/android_frameworks_base/0028-SUPL_Toggle.patch
+++ b/Patches/LineageOS-19.1/android_frameworks_base/0028-SUPL_Toggle.patch
@@ -11,10 +11,10 @@ Change-Id: I5c31c319d198f09ace493e601278f8224a259f05
 3 files changed, 40 insertions(+)
 diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
-index 72e6362c0a96..123738e812b4 100644
+index f4db96f153e4..d43de7c19477 100644
 --- a/core/java/android/provider/Settings.java
 +++ b/core/java/android/provider/Settings.java
-@@ -16429,6 +16429,15 @@ public final class Settings {
+@@ -16436,6 +16436,15 @@ public final class Settings {
 * @hide
 */
 public static final String SETTINGS_REBOOT_AFTER_TIMEOUT = "settings_reboot_after_timeout";
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index da405330..6575036a 100644
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2024-01-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-01 #XXX
+sed -i 's/2021-06-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-02 #XXX
 fi;
 if enterAndClear "device/qcom/sepolicy"; then
@@ -168,6 +168,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_av/321222.patch"; #n-asb-2022-01 Sim
 applyPatch "$DOS_PATCHES/android_frameworks_av/358729.patch"; #n-asb-2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
 applyPatch "$DOS_PATCHES/android_frameworks_av/365698.patch"; #n-asb-2023-09 Fix Segv on unknown address error flagged by fuzzer test.
 applyPatch "$DOS_PATCHES/android_frameworks_av/373035.patch"; #n-asb-2023-11 Fix for heap buffer overflow issue flagged by fuzzer test.
+applyPatch "$DOS_PATCHES/android_frameworks_av/381852.patch"; #n-asb-2024-02 Update mtp packet buffer
 fi;
 if enterAndClear "frameworks/base"; then
@@ -539,6 +540,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/378958.patch"; #n-asb-2024-01 Simplif
 applyPatch "$DOS_PATCHES/android_system_bt/378959.patch"; #n-asb-2024-01 Simplify LE Advertising Report Event processing
 applyPatch "$DOS_PATCHES/android_system_bt/378960.patch"; #n-asb-2024-01 LE Advertising Report parsing enhancements
 applyPatch "$DOS_PATCHES/android_system_bt/378961.patch"; #n-asb-2024-01 Fix some OOB errors in BTM parsing
+applyPatch "$DOS_PATCHES/android_system_bt/381850.patch"; #n-asb-2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
+applyPatch "$DOS_PATCHES/android_system_bt/381851.patch"; #n-asb-2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
 applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)
diff --git a/Scripts/LineageOS-18.1/Functions.sh b/Scripts/LineageOS-18.1/Functions.sh
index 2946d65a..da4650f6 100644
--- a/Scripts/LineageOS-18.1/Functions.sh
+++ b/Scripts/LineageOS-18.1/Functions.sh
@@ -123,6 +123,7 @@ patchWorkspaceReal() {
 repopick -fit msm8974-gps-r;
 repopick -fit hh-vsync;
 repopick -fi 311299; #ble: Workaround malformed HCI_BLE_VENDOR_CAP response
+ repopick -it R_asb_2024-02;
 sh "$DOS_SCRIPTS/Patch.sh";
 sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh
index 72b95c53..5ec9b8b1 100644
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
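Review bot: `repopick -it R_asb_2024-02;` in the Scripts/LineageOS-18.1/Functions.sh hunk selects the security fixes by Gerrit topic name at patch time, so, as I read it, what lands in the build is whatever that topic contains when the script runs and the picked changes are not recorded anywhere in this repository; the 14.1 path in this same commit instead stores the patches under Patches/ and applies them with applyPatch, which leaves an auditable and reproducible record. At minimum, a comment listing the change numbers or Change-Ids the topic resolved to when this was committed would let a later build be reproduced and reviewed, e.g. `repopick -it R_asb_2024-02; #picked 2024-02-07: <CHANGE-LIST placeholder>`. The same applies to `repopick -it S_asb_2024-02;` in the Scripts/LineageOS-19.1/Functions.sh hunk. patchWorkspaceReal starts outside the hunk.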
@@ -96,6 +96,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
+sed -i 's/2024-01-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-02
 fi;
 if enterAndClear "build/soong"; then
diff --git a/Scripts/LineageOS-19.1/Functions.sh b/Scripts/LineageOS-19.1/Functions.sh
index b16c7438..f3852efa 100644
--- a/Scripts/LineageOS-19.1/Functions.sh
+++ b/Scripts/LineageOS-19.1/Functions.sh
@@ -66,9 +66,10 @@ patchWorkspaceReal() {
 verifyAllPlatformTags;
 gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
- #source build/envsetup.sh;
+ source build/envsetup.sh;
 #repopick -ift twelve-bt-sbc-hd-dualchannel;
 #repopick -it twelve-colors;
+ repopick -it S_asb_2024-02;
 sh "$DOS_SCRIPTS/Patch.sh";
 sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-19.1/Patch.sh b/Scripts/LineageOS-19.1/Patch.sh
index 915ecfbd..cdf51e93 100644
--- a/Scripts/LineageOS-19.1/Patch.sh
+++ b/Scripts/LineageOS-19.1/Patch.sh
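Review bot: Re-enabling `source build/envsetup.sh;` in the Scripts/LineageOS-19.1/Functions.sh hunk reverses a deliberately commented-out line without recording why it was disabled or why it is needed now (presumably to define repopick for the line added just below); a short comment would stop the next cleanup from commenting it out again, e.g. `source build/envsetup.sh; #needed for repopick below`. Sourcing envsetup also loads the whole build environment into the patch script's shell for everything that follows, including the Patch.sh and Enable_Verity.sh invocations, which is worth stating next to it. The path is relative, so it relies on the working directory already being the build tree at this point, which the hunk does not show; patchWorkspaceReal starts outside the hunk.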
@@ -98,6 +98,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 awk -i inplace '!/updatable_apex.mk/' target/product/generic_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
+sed -i 's/2024-01-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #S_asb_2024-02
 fi;
 if enterAndClear "build/soong"; then