16.0 December ASB work

Signed-off-by: Tad <tad@spotco.us>
Tad 2023-12-11 22:48:49 -05:00
parent f18fb48d8a
commit 4986da8250
No known key found for this signature in database
GPG Key ID: B286E9F57A07424B
21 changed files with 1221 additions and 7 deletions


@ -10,7 +10,7 @@ requiring the READ_PHONE_STATE permission.
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 44761a523abb..c680053d3259 100644
index 0a8c45cb16cf..0ab8a709cced 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -7936,13 +7936,7 @@ public class ActivityManagerService extends IActivityManager.Stub


@ -0,0 +1,95 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= <matiashe@google.com>
Date: Wed, 5 Jul 2023 13:52:21 +0200
Subject: [PATCH] Visit Uris added by WearableExtender
Bug: 283962802
Test: atest + manual (POC app now crashes on notify() as expected)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a6f44e911f2d7204cc28c710e54f97c96231abab)
Merged-In: I0da18c631eb5e4844a48760c7aaedab715a0bfed
Change-Id: I0da18c631eb5e4844a48760c7aaedab715a0bfed
---
core/java/android/app/Notification.java | 17 +++++++++++++++-
.../NotificationManagerServiceTest.java | 20 +++++++++++++++++++
2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
index d456e3d57039..d1354a7e5c21 100644
--- a/core/java/android/app/Notification.java
+++ b/core/java/android/app/Notification.java
@@ -1700,6 +1700,10 @@ public class Notification implements Parcelable
}
}
+ private void visitUris(@NonNull Consumer<Uri> visitor) {
+ visitIconUri(visitor, getIcon());
+ }
+
@Override
public Action clone() {
return new Action(
@@ -2362,7 +2366,7 @@ public class Notification implements Parcelable
if (actions != null) {
for (Action action : actions) {
- visitIconUri(visitor, action.getIcon());
+ action.visitUris(visitor);
}
}
@@ -2390,6 +2394,11 @@ public class Notification implements Parcelable
}
}
}
+
+ if (extras != null && extras.containsKey(WearableExtender.EXTRA_WEARABLE_EXTENSIONS)) {
+ WearableExtender extender = new WearableExtender(this);
+ extender.visitUris(visitor);
+ }
}
/**
@@ -9045,6 +9054,12 @@ public class Notification implements Parcelable
mFlags &= ~mask;
}
}
+
+ private void visitUris(@NonNull Consumer<Uri> visitor) {
+ for (Action action : mActions) {
+ action.visitUris(visitor);
+ }
+ }
}
/**
diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
index e073e6767da6..379290bcf0ad 100644
--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
@@ -2797,6 +2797,26 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
anyInt(), anyInt());
}
+ @Test
+ public void testVisitUris_wearableExtender() {
+ Icon actionIcon = Icon.createWithContentUri("content://media/action");
+ Icon wearActionIcon = Icon.createWithContentUri("content://media/wearAction");
+ PendingIntent intent = PendingIntent.getActivity(mContext, 0, new Intent(),
+ PendingIntent.FLAG_IMMUTABLE);
+ Notification n = new Notification.Builder(mContext, "a")
+ .setSmallIcon(android.R.drawable.sym_def_app_icon)
+ .addAction(new Notification.Action.Builder(actionIcon, "Hey!", intent).build())
+ .extend(new Notification.WearableExtender().addAction(
+ new Notification.Action.Builder(wearActionIcon, "Wear!", intent).build()))
+ .build();
+
+ Consumer<Uri> visitor = (Consumer<Uri>) spy(Consumer.class);
+ n.visitUris(visitor);
+
+ verify(visitor).accept(eq(actionIcon.getUri()));
+ verify(visitor).accept(eq(wearActionIcon.getUri()));
+ }
+
@Test
public void testSetNotificationPolicy_preP_setOldFields() {
ZenModeHelper mZenModeHelper = mock(ZenModeHelper.class);
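Review bot: The two new `visitUris` helpers (in `Action` and in `WearableExtender`) and the extras-gated call at the end of `Notification.visitUris` carry no Javadoc or comment, while the surrounding methods are documented with `/** ... */` blocks. A one-liner on each would keep the visiting contract auditable, e.g. on `Action.visitUris`: `/** Visits the Uri of this action's icon, if it has one. */`, and on the new `extras.containsKey(WearableExtender.EXTRA_WEARABLE_EXTENSIONS)` branch: `// Wearable actions are presumably carried in extras rather than in {@code actions}, so they need their own visit.` Whether the extender's `mActions` can ever be null when constructed from a notification cannot be seen from this hunk and would need confirming against the constructor. `Notification.visitUris` itself starts outside the hunk.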


@ -0,0 +1,26 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Lifu Tang <lifu@google.com>
Date: Wed, 5 Jul 2023 13:03:00 -0700
Subject: [PATCH] Fix bypass BAL via `requestGeofence`
Bug: 273729172
Test: manually
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7f9be7c3c859dc82d37452570d9878b58f6437a9)
Merged-In: Ia8094244f908b20d42711b6ea8f58f9b3345b563
Change-Id: Ia8094244f908b20d42711b6ea8f58f9b3345b563
---
services/core/java/com/android/server/PendingIntentUtils.java | 1 +
1 file changed, 1 insertion(+)
diff --git a/services/core/java/com/android/server/PendingIntentUtils.java b/services/core/java/com/android/server/PendingIntentUtils.java
index 1600101b20f4..a72a4d254a2a 100644
--- a/services/core/java/com/android/server/PendingIntentUtils.java
+++ b/services/core/java/com/android/server/PendingIntentUtils.java
@@ -34,6 +34,7 @@ public class PendingIntentUtils {
public static Bundle createDontSendToRestrictedAppsBundle(@Nullable Bundle bundle) {
final BroadcastOptions options = BroadcastOptions.makeBasic();
options.setDontSendToRestrictedApps(true);
+ options.setPendingIntentBackgroundActivityLaunchAllowed(false);
if (bundle == null) {
return options.toBundle();
}
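Review bot: The added `options.setPendingIntentBackgroundActivityLaunchAllowed(false)` sits in a helper whose name only speaks of restricted apps, with nothing saying why it belongs there, so a later cleanup could drop it as unrelated. Suggest a comment on that line: `// Also deny background activity launches; the options built here are attached to PendingIntents that other processes can trigger (b/273729172).` The method continues outside the hunk (the non-null `bundle` branch), so whether the flag survives when merged into a caller-supplied bundle is not visible here.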


@ -0,0 +1,123 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Kweku Adams <kwekua@google.com>
Date: Fri, 23 Sep 2022 21:06:53 +0000
Subject: [PATCH] RESTRICT AUTOMERGE: Drop invalid data.
Drop invalid data when writing or reading from XML. PersistableBundle
does lazy unparcelling, so checking the values during unparcelling would
remove the benefit of the lazy unparcelling. Checking the validity when
writing to or reading from XML seems like the best alternative.
Bug: 246542285
Bug: 247513680
Test: install test app with invalid job config, start app to schedule job, then check logcat and jobscheduler persisted file
(cherry picked from commit 666e8ac60a31e2cc52b335b41004263f28a8db06)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b37ab21ce27746a79a2071deee98c61b23c8d9)
Merged-In: Ie817aa0993e9046cb313a750d2323cadc8c1ef15
Change-Id: Ie817aa0993e9046cb313a750d2323cadc8c1ef15
---
core/java/android/os/PersistableBundle.java | 42 +++++++++++++++++----
1 file changed, 34 insertions(+), 8 deletions(-)
diff --git a/core/java/android/os/PersistableBundle.java b/core/java/android/os/PersistableBundle.java
index 40eceb8a04e1..6a6ff64c5a5f 100644
--- a/core/java/android/os/PersistableBundle.java
+++ b/core/java/android/os/PersistableBundle.java
@@ -18,6 +18,7 @@ package android.os;
import android.annotation.Nullable;
import android.util.ArrayMap;
+import android.util.Slog;
import android.util.proto.ProtoOutputStream;
import com.android.internal.util.XmlUtils;
@@ -38,6 +39,8 @@ import java.util.ArrayList;
*/
public final class PersistableBundle extends BaseBundle implements Cloneable, Parcelable,
XmlUtils.WriteMapCallback {
+ private static final String TAG = "PersistableBundle";
+
private static final String TAG_PERSISTABLEMAP = "pbundle_as_map";
public static final PersistableBundle EMPTY;
@@ -100,7 +103,11 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
* @hide
*/
public PersistableBundle(Bundle b) {
- this(b.getMap());
+ this(b, true);
+ }
+
+ private PersistableBundle(Bundle b, boolean throwException) {
+ this(b.getMap(), throwException);
}
/**
@@ -109,7 +116,7 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
* @param map a Map containing only those items that can be persisted.
* @throws IllegalArgumentException if any element of #map cannot be persisted.
*/
- private PersistableBundle(ArrayMap<String, Object> map) {
+ private PersistableBundle(ArrayMap<String, Object> map, boolean throwException) {
super();
mFlags = FLAG_DEFUSABLE;
@@ -118,16 +125,23 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
// Now verify each item throwing an exception if there is a violation.
final int N = mMap.size();
- for (int i=0; i<N; i++) {
+ for (int i = N - 1; i >= 0; --i) {
Object value = mMap.valueAt(i);
if (value instanceof ArrayMap) {
// Fix up any Maps by replacing them with PersistableBundles.
- mMap.setValueAt(i, new PersistableBundle((ArrayMap<String, Object>) value));
+ mMap.setValueAt(i,
+ new PersistableBundle((ArrayMap<String, Object>) value, throwException));
} else if (value instanceof Bundle) {
- mMap.setValueAt(i, new PersistableBundle(((Bundle) value)));
+ mMap.setValueAt(i, new PersistableBundle((Bundle) value, throwException));
} else if (!isValidType(value)) {
- throw new IllegalArgumentException("Bad value in PersistableBundle key="
- + mMap.keyAt(i) + " value=" + value);
+ final String errorMsg = "Bad value in PersistableBundle key="
+ + mMap.keyAt(i) + " value=" + value;
+ if (throwException) {
+ throw new IllegalArgumentException(errorMsg);
+ } else {
+ Slog.wtfStack(TAG, errorMsg);
+ mMap.removeAt(i);
+ }
}
}
}
@@ -242,6 +256,15 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
/** @hide */
public void saveToXml(XmlSerializer out) throws IOException, XmlPullParserException {
unparcel();
+ // Explicitly drop invalid types an attacker may have added before persisting.
+ for (int i = mMap.size() - 1; i >= 0; --i) {
+ final Object value = mMap.valueAt(i);
+ if (!isValidType(value)) {
+ Slog.e(TAG, "Dropping bad data before persisting: "
+ + mMap.keyAt(i) + "=" + value);
+ mMap.removeAt(i);
+ }
+ }
XmlUtils.writeMapXml(mMap, out, this);
}
@@ -290,9 +313,12 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
while (((event = in.next()) != XmlPullParser.END_DOCUMENT) &&
(event != XmlPullParser.END_TAG || in.getDepth() < outerDepth)) {
if (event == XmlPullParser.START_TAG) {
+ // Don't throw an exception when restoring from XML since an attacker could try to
+ // input invalid data in the persisted file.
return new PersistableBundle((ArrayMap<String, Object>)
XmlUtils.readThisArrayMapXml(in, startTag, tagName,
- new MyReadMapCallback()));
+ new MyReadMapCallback()),
+ /* throwException */ false);
}
}
return EMPTY;
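Review bot: The Javadoc kept above the map constructor still reads `@throws IllegalArgumentException if any element of #map cannot be persisted.`, but with the new `throwException` parameter that is only true when the flag is set; otherwise the element is logged via `Slog.wtfStack` and removed. Update it to `@throws IllegalArgumentException if {@code throwException} is true and any element of #map cannot be persisted; otherwise such elements are dropped.` and add a `@param throwException` line; the new private `PersistableBundle(Bundle, boolean)` constructor has no Javadoc at all. The two drop paths also differ in severity (`Slog.wtfStack` in the constructor versus `Slog.e` in `saveToXml`) for what is the same untrusted-input condition, which is worth a one-line comment if it is deliberate.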


@ -0,0 +1,63 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pawan Wagh <waghpawan@google.com>
Date: Tue, 13 Jun 2023 17:37:26 +0000
Subject: [PATCH] Use readUniqueFileDescriptor in incidentd service
readFileDescriptor doesn't provide ownership of the fds. fdopen
needs ownership of the fds. Fds read from parcel should be duped
in this scenario and readUniqueFileDescriptor dups fds internally.
Test: m incidentd_service_fuzzer && adb sync data && adb shell /data/fuzz/x86_64/incidentd_service_fuzzer/incidentd_service_fuzzer
Test: atest incidentd_test
Bug: 286931110
Bug: 283699145
(cherry picked from commit ba78ef276951269f7b024baebdf1b8fa40bedb23)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b4aaf180ee8f3e375c7ab411f03cf9c24c1d8055)
Merged-In: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e
Change-Id: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e
---
cmds/incidentd/src/IncidentService.cpp | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/cmds/incidentd/src/IncidentService.cpp b/cmds/incidentd/src/IncidentService.cpp
index e305b5462b77..cdff153e9b60 100644
--- a/cmds/incidentd/src/IncidentService.cpp
+++ b/cmds/incidentd/src/IncidentService.cpp
@@ -261,9 +261,13 @@ status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel*
switch (code) {
case SHELL_COMMAND_TRANSACTION: {
- int in = data.readFileDescriptor();
- int out = data.readFileDescriptor();
- int err = data.readFileDescriptor();
+ unique_fd in, out, err;
+ if (status_t status = data.readUniqueFileDescriptor(&in); status != OK) return status;
+
+ if (status_t status = data.readUniqueFileDescriptor(&out); status != OK) return status;
+
+ if (status_t status = data.readUniqueFileDescriptor(&err); status != OK) return status;
+
int argc = data.readInt32();
Vector<String8> args;
for (int i = 0; i < argc && data.dataAvail() > 0; i++) {
@@ -273,15 +277,15 @@ status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel*
sp<IResultReceiver> resultReceiver =
IResultReceiver::asInterface(data.readStrongBinder());
- FILE* fin = fdopen(in, "r");
- FILE* fout = fdopen(out, "w");
- FILE* ferr = fdopen(err, "w");
+ FILE* fin = fdopen(in.release(), "r");
+ FILE* fout = fdopen(out.release(), "w");
+ FILE* ferr = fdopen(err.release(), "w");
if (fin == NULL || fout == NULL || ferr == NULL) {
resultReceiver->send(NO_MEMORY);
} else {
- err = command(fin, fout, ferr, args);
- resultReceiver->send(err);
+ status_t result = command(fin, fout, ferr, args);
+ resultReceiver->send(result);
}
if (fin != NULL) {
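Review bot: `fdopen(in.release(), "r")` gives up `unique_fd` ownership before it is known whether `fdopen` succeeded, so when it returns NULL the descriptor is owned by neither the `unique_fd` nor a `FILE*` and leaks; the same holds for `out` and `err`. Since this commit is the one introducing the ownership model, release only on success: `FILE* fin = fdopen(in.get(), "r"); if (fin != NULL) (void) in.release();` and likewise for the other two, so a failed `fdopen` still lets the `unique_fd` close the fd at scope exit. `onTransact` continues outside the hunk, so the `fclose` path is not visible here.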


@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pinyao Ting <pinyaoting@google.com>
Date: Mon, 24 Jul 2023 14:58:56 -0700
Subject: [PATCH] Validate userId when publishing shortcuts
Bug: 288110451
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01bfd04ff445db6290ae430d44ea1bf1a115fe3c)
Merged-In: Idbde676f871db83825155730e3714f3727e25762
Change-Id: Idbde676f871db83825155730e3714f3727e25762
---
services/core/java/com/android/server/pm/ShortcutService.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
index e30da13d7d16..d97f653c8326 100644
--- a/services/core/java/com/android/server/pm/ShortcutService.java
+++ b/services/core/java/com/android/server/pm/ShortcutService.java
@@ -1582,6 +1582,10 @@ public class ShortcutService extends IShortcutService.Stub {
android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, "");
throw new SecurityException("Shortcut package name mismatch");
}
+ final int callingUid = injectBinderCallingUid();
+ if (UserHandle.getUserId(callingUid) != si.getUserId()) {
+ throw new SecurityException("User-ID in shortcut doesn't match the caller");
+ }
}
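Review bot: The new user-ID mismatch throws a `SecurityException` without the `EventLog.writeEvent(0x534e4554, ...)` entry that the adjacent package-mismatch check emits just above it, so this rejection does not show up in the same telemetry. For parity, add `android.util.EventLog.writeEvent(0x534e4554, "288110451", -1, "");` before the throw, using the bug id from this patch's header. The enclosing method continues outside the hunk.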
private void verifyShortcutInfoPackages(


@ -0,0 +1,45 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Beverly Tai <beverlyt@google.com>
Date: Thu, 14 Sep 2023 20:50:28 +0000
Subject: [PATCH] Revert "On device lockdown, always show the keyguard"
This reverts commit b23c2d5fb6630ea0da503b937f62880594b13e94.
Reason for revert: b/300463732 regression
Bug: 300463732
Bug: 218495634
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f57217125f2b124c16c463ef4507fb054cc1ba4f)
Merged-In: I31485d0d8caa3060e998636b071dbe03f6b4fc82
Change-Id: I31485d0d8caa3060e998636b071dbe03f6b4fc82
---
.../systemui/keyguard/KeyguardViewMediator.java | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
index 820c7eac715a..292e9e752052 100644
--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
@@ -586,13 +586,6 @@ public class KeyguardViewMediator extends SystemUI {
notifyHasLockscreenWallpaperChanged(hasLockscreenWallpaper);
}
}
-
- @Override
- public void onStrongAuthStateChanged(int userId) {
- if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
- doKeyguardLocked(null);
- }
- }
};
ViewMediatorCallback mViewMediatorCallback = new ViewMediatorCallback() {
@@ -1348,8 +1341,7 @@ public class KeyguardViewMediator extends SystemUI {
}
// if another app is disabling us, don't show
- if (!mExternallyEnabled
- && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
+ if (!mExternallyEnabled) {
if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled");
// note: we *should* set mNeedToReshowWhenReenabled=true here, but that makes


@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Kunal Malhotra <malhk@google.com>
Date: Thu, 2 Feb 2023 23:48:27 +0000
Subject: [PATCH] Adding in verification of calling UID in onShellCommand
Test: manual testing on device
Bug: b/261709193
(cherry picked from commit b651d295b44eb82d664861b77f33dbde1bce9453)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3ef3f18ba3094c4cc4f954ba23d1da421f9ca8b0)
Merged-In: I68903ebd6d3d85f4bc820b745e3233a448b62273
Change-Id: I68903ebd6d3d85f4bc820b745e3233a448b62273
---
.../java/com/android/server/am/ActivityManagerService.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 44761a523abb..0a8c45cb16cf 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -16250,6 +16250,13 @@ public class ActivityManagerService extends IActivityManager.Stub
public void onShellCommand(FileDescriptor in, FileDescriptor out,
FileDescriptor err, String[] args, ShellCallback callback,
ResultReceiver resultReceiver) {
+ final int callingUid = Binder.getCallingUid();
+ if (callingUid != ROOT_UID && callingUid != Process.SHELL_UID) {
+ if (resultReceiver != null) {
+ resultReceiver.send(-1, null);
+ }
+ throw new SecurityException("Shell commands are only callable by root or shell");
+ }
(new ActivityManagerShellCommand(this, false)).exec(
this, in, out, err, args, callback, resultReceiver);
}
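Review bot: The new guard compares `callingUid` against an unqualified `ROOT_UID` and a qualified `Process.SHELL_UID`, which reads as two different sources for what are sibling constants. Assuming `ROOT_UID` resolves to the same value as `Process.ROOT_UID`, write `if (callingUid != Process.ROOT_UID && callingUid != Process.SHELL_UID) {` for symmetry, or statically import both. A short comment such as `// Shell commands run with caller-supplied args; only root and shell may reach them (b/261709193).` would also record why the check exists.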


@ -0,0 +1,71 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Beverly Tai <beverlyt@google.com>
Date: Tue, 19 Sep 2023 21:01:11 +0000
Subject: [PATCH] Updated: always show the keyguard on device lockdown
Additionally, don't hide keyguard when it's disabled if the user has locked
down the device.
Manual test steps:
1. Enable app pinning and disable "Ask for PIN before unpinning" setting
2. Pin an app (ie: Settings)
3. Lockdown from the power menu
4. Observe: user is brought to the keyguard, primary auth is
required to enter the device.
=> After entering correct credential, the device is still in
app pinning mode.
=> After entering an incorrect credential, the keyguard remains
showing and the user can attempt again up to the limit
Bug: 300463732
Bug: 218495634
Test: atest KeyguardViewMediatorTest
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:35a6e2f2c952440b1102033b2c3e496438503cff)
Merged-In: I70fdae80f717712b3dfc9df54b9649959b4bb8f0
Change-Id: I70fdae80f717712b3dfc9df54b9649959b4bb8f0
---
.../systemui/keyguard/KeyguardViewMediator.java | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
index 292e9e752052..c7d231f6f522 100644
--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
@@ -571,6 +571,13 @@ public class KeyguardViewMediator extends SystemUI {
}
}
+ @Override
+ public void onStrongAuthStateChanged(int userId) {
+ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
+ doKeyguardLocked(null);
+ }
+ }
+
@Override
public void onTrustChanged(int userId) {
if (userId == KeyguardUpdateMonitor.getCurrentUser()) {
@@ -1129,6 +1136,10 @@ public class KeyguardViewMediator extends SystemUI {
mExternallyEnabled = enabled;
if (!enabled && mShowing) {
+ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
+ Log.d(TAG, "keyguardEnabled(false) overridden by user lockdown");
+ return;
+ }
if (mExitSecureCallback != null) {
if (DEBUG) Log.d(TAG, "in process of verifyUnlock request, ignoring");
// we're in the process of handling a request to verify the user
@@ -1340,8 +1351,9 @@ public class KeyguardViewMediator extends SystemUI {
return;
}
- // if another app is disabling us, don't show
- if (!mExternallyEnabled) {
+ // if another app is disabling us, don't show unless we're in lockdown mode
+ if (!mExternallyEnabled
+ && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled");
// note: we *should* set mNeedToReshowWhenReenabled=true here, but that makes
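Review bot: The new `Log.d(TAG, "keyguardEnabled(false) overridden by user lockdown")` is unconditional while the neighbouring debug lines in the same hunks are gated with `if (DEBUG) Log.d(...)`. If it is meant as debug chatter, gate it the same way; if it is meant as an always-on record that a lockdown overrode an external request to disable the keyguard (which is useful to have), use `Log.i` or `Log.w` so the intent is explicit rather than looking like an oversight. Both touched methods start and end outside the hunks.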


@ -87,10 +87,10 @@ index 8ac04e4f3..e55c13f50 100644
{"initNative", "()V", (void*)initNative},
{"sendMediaUpdateNative", "(ZZZ)V", (void*)sendMediaUpdateNative},
diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
index f88a675b7..1eec888a0 100644
index 8faf670ce..b32868f5b 100644
--- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
+++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
@@ -1217,7 +1217,7 @@ static void interopDatabaseAddNative(JNIEnv* env, jobject obj, int feature,
@@ -1218,7 +1218,7 @@ static void interopDatabaseAddNative(JNIEnv* env, jobject obj, int feature,
env->ReleaseByteArrayElements(address, addr, 0);
}


@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Thu, 5 Oct 2023 00:01:03 +0000
Subject: [PATCH] Fix UAF in ~CallbackEnv
com_android_bluetooth_btservice_AdapterService does not null its local
JNI environment variable after detaching the thread (which frees the
environment context), allowing UAF under certain conditions.
Null the variable in this case.
Testing here was done through a custom unit test; see patchsets 4-6 for
contents. However, unit testing of the JNI layer is problematic in
production, so that part of the patch is omitted for final merge.
Bug: 291500341
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f543d919c4067f2f4925580fd8a690ba3440e80)
Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030
Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
---
jni/com_android_bluetooth_btservice_AdapterService.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
index f88a675b7..8faf670ce 100644
--- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
+++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
@@ -406,6 +406,7 @@ static void callback_thread_event(bt_cb_thread_evt event) {
return;
}
vm->DetachCurrentThread();
+ callbackEnv = NULL;
}
}
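Review bot: `callbackEnv = NULL;` fixes the dangling pointer but nothing at the assignment says why, and its ordering relative to `vm->DetachCurrentThread()` is what matters. Suggest `// DetachCurrentThread() frees this thread's JNIEnv; clear the cached pointer so ~CallbackEnv and later callbacks cannot touch it after free.` Whether `callbackEnv` is also read from other threads (which would make a plain store insufficient) cannot be told from this hunk and should be checked against the rest of the file; `callback_thread_event` starts outside the hunk.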


@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pinyao Ting <pinyaoting@google.com>
Date: Tue, 12 Sep 2023 22:37:16 +0000
Subject: [PATCH] Fix permission bypass in legacy shortcut
Intent created for Chooser should not be allowed in legacy shortcuts
since it doesn't make sense for user to tap on a shortcut in homescreen
to share, the expected share flow started from ShareSheet.
Bug: 295334906, 295045199
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b7b192bd7f24a2aa7d6881ee949657c9760c0305)
Merged-In: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
Change-Id: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
---
.../android/launcher3/util/PackageManagerHelper.java | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java
index 4eac947fd0..96c636a8e7 100644
--- a/src/com/android/launcher3/util/PackageManagerHelper.java
+++ b/src/com/android/launcher3/util/PackageManagerHelper.java
@@ -118,15 +118,8 @@ public class PackageManagerHelper {
public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
// b/270152142
if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
- final Bundle extras = intent.getExtras();
- if (extras == null) {
- return true;
- }
- // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
- intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
- if (intent == null) {
- return true;
- }
+ // Chooser shortcuts is not a valid target
+ return false;
}
ResolveInfo target = mPm.resolveActivity(intent, 0);
if (target == null) {
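Review bot: The replacement comment `// Chooser shortcuts is not a valid target` has a grammar slip and, more usefully, could record the reason given in this patch's description, since the removed lines show an earlier attempt to validate `EXTRA_INTENT` instead. Suggest `// ACTION_CHOOSER is never a valid legacy-shortcut target: sharing starts from the ShareSheet, not from a home-screen shortcut (b/295334906).` `hasPermissionForActivity` continues outside the hunk.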


@ -0,0 +1,100 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pranav Madapurmath <pmadapurmath@google.com>
Date: Wed, 5 Apr 2023 21:36:12 +0000
Subject: [PATCH] Resolve account image icon profile boundary exploit.
Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit
is possible where the user can upload an image icon (belonging to
another user) via registering a phone account. This CL provides a
lightweight solution for parsing the image URI to detect profile
exploitation.
Fixes: 273502295
Fixes: 296915211
Test: Unit test to enforce successful/failure path
(cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7)
(cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42)
Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
---
.../server/telecom/TelecomServiceImpl.java | 21 +++++++++++++++++++
.../telecom/tests/TelecomServiceImplTest.java | 21 +++++++++++++++++++
2 files changed, 42 insertions(+)
diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java
index 74a7d840b..008b99de2 100644
--- a/src/com/android/server/telecom/TelecomServiceImpl.java
+++ b/src/com/android/server/telecom/TelecomServiceImpl.java
@@ -469,6 +469,9 @@ public class TelecomServiceImpl {
enforceRegisterMultiUser();
}
enforceUserHandleMatchesCaller(account.getAccountHandle());
+ // Validate the profile boundary of the given image URI.
+ validateAccountIconUserBoundary(account.getIcon());
+
final long token = Binder.clearCallingIdentity();
try {
mPhoneAccountRegistrar.registerPhoneAccount(account);
@@ -1820,4 +1823,22 @@ public class TelecomServiceImpl {
// If only TX or RX were set (or neither), the video state is valid.
return remainingState == 0;
}
+
+ private void validateAccountIconUserBoundary(Icon icon) {
+ // Refer to Icon#getUriString for context. The URI string is invalid for icons of
+ // incompatible types.
+ if (icon != null && (icon.getType() == Icon.TYPE_URI
+ /*|| icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP*/)) {
+ String encodedUser = icon.getUri().getEncodedUserInfo();
+ // If there is no encoded user, the URI is calling into the calling user space
+ if (encodedUser != null) {
+ int userId = Integer.parseInt(encodedUser);
+ if (userId != UserHandle.getUserId(Binder.getCallingUid())) {
+ // If we are transcending the profile boundary, throw an error.
+ throw new IllegalArgumentException("Attempting to register a phone account with"
+ + " an image icon belonging to another user.");
+ }
+ }
+ }
+ }
}
diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
index 521d05aae..8aa6f806c 100644
--- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
+++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
@@ -29,6 +29,7 @@ import android.content.Context;
import android.content.Intent;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
+import android.graphics.drawable.Icon;
import android.net.Uri;
import android.os.Binder;
import android.os.Bundle;
@@ -501,6 +502,26 @@ public class TelecomServiceImplTest extends TelecomTestCase {
}
}
+ @SmallTest
+ @Test
+ public void testRegisterPhoneAccountImageIconCrossUser() throws RemoteException {
+ String packageNameToUse = "com.android.officialpackage";
+ PhoneAccountHandle phHandle = new PhoneAccountHandle(new ComponentName(
+ packageNameToUse, "cs"), "test", Binder.getCallingUserHandle());
+ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/");
+ PhoneAccount phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build();
+ doReturn(PackageManager.PERMISSION_GRANTED)
+ .when(mContext).checkCallingOrSelfPermission(MODIFY_PHONE_STATE);
+
+ // This should fail; security exception will be thrown.
+ registerPhoneAccountTestHelper(phoneAccount, false);
+
+ icon = Icon.createWithContentUri("content://0@media/external/images/media/");
+ phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build();
+ // This should succeed.
+ registerPhoneAccountTestHelper(phoneAccount, true);
+ }
+
@SmallTest
@Test
public void testUnregisterPhoneAccount() throws RemoteException {
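Review bot: `Integer.parseInt(encodedUser)` in the new `validateAccountIconUserBoundary` runs on the user-info part of a caller-supplied URI, so a non-numeric value before the `@` throws `NumberFormatException` rather than the `IllegalArgumentException` the method otherwise uses. Registration still fails, but with an unintended exception type that callers and the new test cannot distinguish from a bug; treat an unparseable user as an invalid argument explicitly, as below. The test added alongside only covers numeric users and could gain a case with a non-numeric user-info segment.
```java
            String encodedUser = icon.getUri().getEncodedUserInfo();
            // If there is no encoded user, the URI is calling into the calling user space
            if (encodedUser != null) {
                final int userId;
                try {
                    userId = Integer.parseInt(encodedUser);
                } catch (NumberFormatException e) {
                    throw new IllegalArgumentException(
                            "Phone account image icon URI has an invalid user id.", e);
                }
                // … unchanged: cross-user comparison and throw …
            }
```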


@ -0,0 +1,99 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Sat, 2 Sep 2023 04:20:10 +0000
Subject: [PATCH] Reject access to secure service authenticated from a temp
bonding [1]
Rejecct access to services running on l2cap
Backport of
Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d)
Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
---
stack/btm/btm_sec.cc | 38 ++++++++++++++++++++++++++++++++++----
1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 899b6b908..a4d916cc3 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -98,7 +98,7 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
uint32_t mx_proto_id,
uint32_t mx_chan_id);
-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec);
+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec);
static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec);
static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec);
static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
@@ -140,7 +140,7 @@ static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = {
* Returns bool true or false
*
******************************************************************************/
-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) {
+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec) {
if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) {
return (true);
}
@@ -214,6 +214,25 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
return (false);
}
+/*******************************************************************************
+ *
+ * Function access_secure_service_from_temp_bond
+ *
+ * Description a utility function to test whether an access to
+ * secure service from temp bonding is happening
+ *
+ * Returns true if the aforementioned condition holds,
+ * false otherwise
+ *
+ ******************************************************************************/
+static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec,
+ bool locally_initiated,
+ uint16_t security_req) {
+ return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
+ btm_dev_authenticated(p_dev_rec) &&
+ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
+}
+
/*******************************************************************************
*
* Function BTM_SecRegister
@@ -2075,9 +2094,13 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
}
if (rc == BTM_SUCCESS) {
+ if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required)) {
+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
+ rc = BTM_FAILED_ON_SECURITY;
+ }
if (p_callback)
- (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS);
- return (BTM_SUCCESS);
+ (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc);
+ return (rc);
}
}
@@ -5133,6 +5156,13 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
}
}
+ if (access_secure_service_from_temp_bond(p_dev_rec,
+ p_dev_rec->is_originator,
+ p_dev_rec->security_required)) {
+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
+ return (BTM_FAILED_ON_SECURITY);
+ }
+
/* All required security procedures already established */
p_dev_rec->security_required &=
~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |


@ -0,0 +1,37 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Sat, 2 Sep 2023 04:27:29 +0000
Subject: [PATCH] Reject access to secure services authenticated from temp
bonding [2]
Reject access to service running on rfcomm
this is a backport of
I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5e0e907ec4948f06b3a35ecf08725c020d533ccb)
Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
---
stack/btm/btm_sec.cc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index a4d916cc3..bce9eae06 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -2423,6 +2423,11 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
mx_chan_id, p_callback, p_ref_data);
} else /* rc == BTM_SUCCESS */
{
+ if (access_secure_service_from_temp_bond(p_dev_rec,
+ is_originator, security_required)) {
+ LOG_ERROR(LOG_TAG, "Trying to access a secure rfcomm service from a temp bonding, reject");
+ rc = BTM_FAILED_ON_SECURITY;
+ }
/* access granted */
if (p_callback) {
(*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc);
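Review bot: The `/* access granted */` comment that directly follows the new block is now stale, because `rc` can already be `BTM_FAILED_ON_SECURITY` at that point and the callback forwards it; I would reword it to `/* deliver result: BTM_SUCCESS, or BTM_FAILED_ON_SECURITY if the temp-bond check above rejected the request */`. The rejection only reaches the caller through the narrowed `(uint8_t)rc` argument, so the caller is presumably expected to check that status rather than assume success. The enclosing `else` branch and btm_sec_mx_access_request continue past the hunk, so it cannot be confirmed here whether the function returns `rc` afterwards the way the l2cap variant in 377017 does (`return (rc);`); that is worth checking when applying the series.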


@ -0,0 +1,47 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 12 Sep 2023 23:47:48 +0000
Subject: [PATCH] Reject access to secure service authenticated from a temp
bonding [3]
Allow access to rfcomm PSM by default
Original bug
Bug: 294854926
Nearby regressions:
Bug: 298539299
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab986fe4165aae74c5915f57ad2e78bf80f1d3ec)
Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
---
stack/btm/btm_sec.cc | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index bce9eae06..41f81631e 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -2117,15 +2117,15 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
btm_cb.security_mode == BTM_SEC_MODE_SC) {
if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
if (is_originator) {
- /* SM4 to SM4 -> always authenticate & encrypt */
- security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
+ /* SM4 to SM4 -> always encrypt */
+ security_required |= BTM_SEC_OUT_ENCRYPT;
} else /* acceptor */
{
/* SM4 to SM4: the acceptor needs to make sure the authentication is
* already done */
chk_acp_auth_done = true;
- /* SM4 to SM4 -> always authenticate & encrypt */
- security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
+ /* SM4 to SM4 -> always encrypt */
+ security_required |= BTM_SEC_IN_ENCRYPT;
}
} else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) {
/* the remote features are not known yet */
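Review bot: Dropping `BTM_SEC_OUT_AUTHENTICATE`/`BTM_SEC_IN_AUTHENTICATE` from the SM4-to-SM4 branches means this patch on its own no longer makes btm_sec_execute_procedure start authentication for an encrypt-only link; the requirement is reinstated only by the later patch in this series that treats `BTM_SEC_*_ENCRYPT` as needing authentication (377021 in the script). The two should therefore be cherry-picked or reverted together. A one-line comment at the new `security_required |= BTM_SEC_OUT_ENCRYPT;` (and its `IN` twin), such as `/* authentication for encrypted links is enforced in btm_sec_execute_procedure */`, would record that dependency in the code itself. btm_sec_l2cap_access_req extends beyond the hunk on both sides.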


@ -0,0 +1,128 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 12 Sep 2023 23:54:08 +0000
Subject: [PATCH] Reorganize the code for checking auth requirement
Original bug
Bug: 294854926
regressions:
Bug: 299570702
Test: Test: m com.android.btservices
Test: QA validation
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0c488b2420befe0f8038957861072a8e63702f91)
Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
---
stack/btm/btm_sec.cc | 93 ++++++++++++++++++++++++++------------------
1 file changed, 56 insertions(+), 37 deletions(-)
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 41f81631e..b8a423d28 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -5076,46 +5076,65 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
/* If connection is not authenticated and authentication is required */
/* start authentication and return PENDING to the caller */
- if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) &&
- ((p_dev_rec->is_originator &&
- (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) ||
- (!p_dev_rec->is_originator &&
- (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))) ||
- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
- (!p_dev_rec->is_originator &&
- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) &&
- (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) {
-/*
- * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
- * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
- * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
- * authenticated connections, hence we cannot distinguish here.
- */
-
- BTM_TRACE_EVENT("Security Manager: Start authentication");
+ if (p_dev_rec->hci_handle != HCI_INVALID_HANDLE) {
+ bool start_auth = false;
+
+ // Check link status of BR/EDR
+ if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
+ if (p_dev_rec->is_originator) {
+ if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) {
+ LOG_DEBUG(LOG_TAG, "Outgoing authentication Required");
+ start_auth = true;
+ }
+ } else {
+ if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) {
+ LOG_DEBUG(LOG_TAG, "Incoming authentication Required");
+ start_auth = true;
+ }
+ }
+ }
- /*
- * If we do have a link-key, but we end up here because we need an
- * upgrade, then clear the link-key known and authenticated flag before
- * restarting authentication.
- * WARNING: If the controller has link-key, it is optional and
- * recommended for the controller to send a Link_Key_Request.
- * In case we need an upgrade, the only alternative would be to delete
- * the existing link-key. That could lead to very bad user experience
- * or even IOP issues, if a reconnect causes a new connection that
- * requires an upgrade.
- */
- if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) &&
- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
- (!p_dev_rec->is_originator &&
- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
- p_dev_rec->sec_flags &=
- ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
- BTM_SEC_AUTHENTICATED);
+ if (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)) {
+ /*
+ * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
+ * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
+ * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
+ * authenticated connections, hence we cannot distinguish here.
+ */
+ if (!p_dev_rec->is_originator) {
+ if (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) {
+ LOG_DEBUG(LOG_TAG, "BTM_SEC_IN_MIN_16_DIGIT_PIN Required");
+ start_auth = true;
+ }
+ }
}
- btm_sec_start_authentication(p_dev_rec);
- return (BTM_CMD_STARTED);
+ if (start_auth) {
+ LOG_DEBUG(LOG_TAG, "Security Manager: Start authentication");
+
+ /*
+ * If we do have a link-key, but we end up here because we need an
+ * upgrade, then clear the link-key known and authenticated flag before
+ * restarting authentication.
+ * WARNING: If the controller has link-key, it is optional and
+ * recommended for the controller to send a Link_Key_Request.
+ * In case we need an upgrade, the only alternative would be to delete
+ * the existing link-key. That could lead to very bad user experience
+ * or even IOP issues, if a reconnect causes a new connection that
+ * requires an upgrade.
+ */
+ if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) &&
+ (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
+ (!p_dev_rec->is_originator &&
+ (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
+ p_dev_rec->sec_flags &=
+ ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
+ BTM_SEC_AUTHENTICATED);
+ }
+
+ btm_sec_start_authentication(p_dev_rec);
+ return (BTM_CMD_STARTED);
+ }
}
/* If connection is not encrypted and encryption is required */
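Review bot: The rewritten guard `if (p_dev_rec->hci_handle != HCI_INVALID_HANDLE)` substitutes a different identifier for the removed `BTM_SEC_INVALID_HANDLE`; that is only behaviour-preserving if both expand to the same value in this older tree, which the hunk cannot show, so it is worth confirming before trusting the upstream build line. The link-key reset at the end re-evaluates `!(sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) && !is_originator && (security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)`, which the new structure already computed when it set `start_auth`; capturing that once in a local such as `bool needs_16_digit_pin` would remove the duplication and keep the two conditions from drifting apart. btm_sec_execute_procedure continues past the hunk on both sides.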


@ -0,0 +1,46 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 13 Sep 2023 00:00:44 +0000
Subject: [PATCH] Enforce authentication if encryption is required
Original bug
Bug: 294854926
regressions:
Bug: 299570702
Bug: 299561281
Test: Test: m com.android.btservices
Test: QA validation
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:778d3fb3fb520e54425ecefe9a28453002053553)
Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa
Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa
---
stack/btm/btm_sec.cc | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index b8a423d28..71f737ebf 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -5082,13 +5082,15 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
// Check link status of BR/EDR
if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
if (p_dev_rec->is_originator) {
- if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) {
- LOG_DEBUG(LOG_TAG, "Outgoing authentication Required");
+ if (p_dev_rec->security_required &
+ (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) {
+ LOG_DEBUG(LOG_TAG, "Outgoing authentication/encryption Required");
start_auth = true;
}
} else {
- if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) {
- LOG_DEBUG(LOG_TAG, "Incoming authentication Required");
+ if (p_dev_rec->security_required &
+ (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) {
+ LOG_DEBUG(LOG_TAG, "Incoming authentication/encryption Required");
start_auth = true;
}
}


@ -0,0 +1,56 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Tue, 3 Oct 2023 21:27:49 +0000
Subject: [PATCH] Fix timing attack in BTM_BleVerifySignature
BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
to be deduced through a side-channel attack.
Change to CRYPTO_memcmp, which is hardened against this attack, to
eliminate this attack.
Bug: 274478807
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)
Merged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c
Change-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c
---
stack/Android.bp | 1 +
stack/btm/btm_ble.cc | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/stack/Android.bp b/stack/Android.bp
index 03e2c940b..93c989ff5 100644
--- a/stack/Android.bp
+++ b/stack/Android.bp
@@ -179,6 +179,7 @@ cc_library_static {
"libcutils",
"liblog",
"libstatslog",
+ "libcrypto",
],
required: [
"libldacBT_enc",
diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc
index 48f4496b1..82699286a 100644
--- a/stack/btm/btm_ble.cc
+++ b/stack/btm/btm_ble.cc
@@ -41,6 +41,7 @@
#include "hcimsgs.h"
#include "log/log.h"
#include "l2c_int.h"
+#include "openssl/mem.h"
#include "osi/include/log.h"
#include "osi/include/osi.h"
#include "smp_api.h"
@@ -2261,7 +2262,7 @@ bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,
if (aes_cipher_msg_auth_code(p_rec->ble.keys.pcsrk, p_orig, len,
BTM_CMAC_TLEN_SIZE, p_mac)) {
- if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
+ if (CRYPTO_memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
btm_ble_increment_sign_ctr(bd_addr, false);
verified = true;
}


@ -0,0 +1,114 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Lin Lee <linlee@google.com>
Date: Mon, 7 Aug 2023 09:34:41 +0000
Subject: [PATCH] Fix Heap-use-after-free in MDnsSdListener::Monitor::run
Use thread join to avoid thread exiting after instance
recycled.
Prior to implementing this patch, fuzzing would lead to a segmentation fault after approximately 500 rounds. With the addition of the patch, the fuzzing process can now be repeated for over 30,000 rounds.
Test: m, fuzzing
Fuzzing: mma mdns_service_fuzzer && adb sync data && adb shell /data/fuzz/arm64/mdns_service_fuzzer/mdns_service_fuzzer
Bug: 272382770
Ignore-AOSP-First: Security Issue
(cherry picked from commit 9c0c15f80cffb98b36284dd169a2e62e059dbbe3)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:75e5e2e1faec7aa2812fc6fba30d6fe80558bacd)
Merged-In: I5bc85451b4e6539bad45ceb672924a37952cc138
Change-Id: I5bc85451b4e6539bad45ceb672924a37952cc138
---
server/MDnsSdListener.cpp | 36 ++++++++++++++++++++++++------------
server/MDnsSdListener.h | 4 +++-
2 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
index b54014cd..e3dd616d 100644
--- a/server/MDnsSdListener.cpp
+++ b/server/MDnsSdListener.cpp
@@ -27,6 +27,7 @@
#include <sys/types.h>
#include <string.h>
#include <resolv.h>
+#include <thread>
#define LOG_TAG "MDnsDS"
#define DBG 1
@@ -524,10 +525,17 @@ MDnsSdListener::Monitor::Monitor() {
socketpair(AF_LOCAL, SOCK_STREAM, 0, mCtrlSocketPair);
pthread_mutex_init(&mHeadMutex, NULL);
- const int rval = ::android::net::threadLaunch(this);
- if (rval != 0) {
- ALOGW("Error spawning monitor thread: %s (%d)", strerror(-rval), -rval);
- }
+ mRescanThread = new std::thread(&Monitor::run, this);
+ if (!mRescanThread->joinable()) ALOGE("Unable to launch thread.");
+}
+
+MDnsSdListener::Monitor::~Monitor() {
+ if (VDBG) ALOGD("Monitor recycling");
+ close(mCtrlSocketPair[1]); // interrupt poll in MDnsSdListener::Monitor::run() and revent will
+ // be 17 = POLLIN | POLLHUP
+ mRescanThread->join();
+ delete mRescanThread;
+ if (VDBG) ALOGD("Monitor recycled");
}
#define NAP_TIME 200 // 200 ms between polls
@@ -617,14 +625,18 @@ void MDnsSdListener::Monitor::run() {
}
}
if (VDBG) ALOGD("controlSocket shows revent= %d", mPollFds[0].revents);
- switch (mPollFds[0].revents) {
- case POLLIN: {
- char readBuf[2];
- read(mCtrlSocketPair[0], &readBuf, 1);
- if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
- if (memcmp(RESCAN, readBuf, 1) == 0) {
- pollCount = rescan();
- }
+ if (mPollFds[0].revents & POLLHUP) {
+ free(mPollFds);
+ free(mPollRefs);
+ if (VDBG) ALOGD("Monitor thread leaving.");
+ return;
+ }
+ if (mPollFds[0].revents == POLLIN) {
+ char readBuf[2];
+ read(mCtrlSocketPair[0], &readBuf, 1);
+ if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
+ if (memcmp(RESCAN, readBuf, 1) == 0) {
+ pollCount = rescan();
}
}
mPollFds[0].revents = 0;
diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h
index 8c6096e8..2b3cb5e2 100644
--- a/server/MDnsSdListener.h
+++ b/server/MDnsSdListener.h
@@ -20,6 +20,7 @@
#include <pthread.h>
#include <sysutils/FrameworkListener.h>
#include <dns_sd.h>
+#include <thread>
#include "NetdCommand.h"
@@ -71,7 +72,7 @@ private:
class Monitor {
public:
Monitor();
- virtual ~Monitor() {}
+ ~Monitor();
DNSServiceRef *allocateServiceRef(int id, Context *c);
void startMonitoring(int id);
DNSServiceRef *lookupServiceRef(int id);
@@ -101,6 +102,7 @@ private:
int mPollSize;
int mCtrlSocketPair[2];
pthread_mutex_t mHeadMutex;
+ std::thread* mRescanThread;
};
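Review bot: `~Monitor()` calls `mRescanThread->join()` unconditionally, yet the constructor only logs when the thread turned out not to be joinable, and `std::thread::join()` on a non-joinable thread throws `std::system_error`; guard it with `if (mRescanThread != nullptr && mRescanThread->joinable()) mRescanThread->join();`. Holding the thread as a raw `std::thread*` with a manual `delete` is unnecessary — a `std::thread` member (or `std::unique_ptr<std::thread>`) gives the same join-before-destroy ordering without the leak if anything throws between `new` and `delete`. The destructor closes only `mCtrlSocketPair[1]`; whether `[0]` is closed elsewhere is outside the hunk and worth checking so the new teardown does not leak a descriptor. Note also that `run()` frees `mPollFds`/`mPollRefs` on POLLHUP while the destructor is still executing up to `join()`, which is fine as written but constrains any future cleanup placed in the destructor before the join.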
class Handler : public NetdCommand {


@ -99,7 +99,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
sed -i 's/2022-01-05/2023-11-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-11 #XXX
sed -i 's/2022-01-05/2023-12-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-12 #XXX
fi;
if enterAndClear "build/soong"; then
@ -165,6 +165,14 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_fram
fi;
if enterAndClear "frameworks/base"; then
applyPatch "$DOS_PATCHES/android_frameworks_base/377001-backport.patch"; #R_asb_2023-12 Visit Uris added by WearableExtender
applyPatch "$DOS_PATCHES/android_frameworks_base/377002.patch"; #R_asb_2023-12 Fix bypass BAL via `requestGeofence`
applyPatch "$DOS_PATCHES/android_frameworks_base/377004-backport.patch"; #R_asb_2023-12 Drop invalid data.
applyPatch "$DOS_PATCHES/android_frameworks_base/377008.patch"; #R_asb_2023-12 Use readUniqueFileDescriptor in incidentd service
applyPatch "$DOS_PATCHES/android_frameworks_base/377009.patch"; #R_asb_2023-12 Validate userId when publishing shortcuts
applyPatch "$DOS_PATCHES/android_frameworks_base/377010-backport.patch"; #R_asb_2023-12 Revert "On device lockdown, always show the keyguard"
applyPatch "$DOS_PATCHES/android_frameworks_base/377011.patch"; #R_asb_2023-12 Adding in verification of calling UID in onShellCommand
applyPatch "$DOS_PATCHES/android_frameworks_base/377012-backport.patch"; #R_asb_2023-12 Updated: always show the keyguard on device lockdown
applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@ -274,6 +282,7 @@ if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/LineageAud
fi;
if enterAndClear "packages/apps/Bluetooth"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/377014-backport.patch"; #R_asb_2023-12 Fix UAF in ~CallbackEnv
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
fi;
@ -333,6 +342,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics
fi;
if enterAndClear "packages/apps/Trebuchet"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/377015.patch"; #R_asb_2023-12 Fix permission bypass in legacy shortcut
cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed
fi;
@ -352,8 +362,12 @@ if enterAndClear "packages/providers/DownloadProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
fi;
if enterAndClear "packages/providers/TelephonyProvider"; then
#if enterAndClear "packages/providers/TelephonyProvider"; then
#cp $DOS_PATCHES_COMMON/android_packages_providers_TelephonyProvider/carrier_list.* assets/;
#fi;
if enterAndClear "packages/services/Telecomm"; then
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/377016-backport.patch"; #R_asb_2023-12 Resolve account image icon profile boundary exploit.
fi;
if enterAndClear "packages/services/Telephony"; then
@ -362,9 +376,15 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
fi;
#if enterAndClear "system/bt"; then
if enterAndClear "system/bt"; then
applyPatch "$DOS_PATCHES/android_system_bt/377017.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1]
applyPatch "$DOS_PATCHES/android_system_bt/377018.patch"; #R_asb_2023-12 Reject access to secure services authenticated from temp bonding [2]
applyPatch "$DOS_PATCHES/android_system_bt/377019.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3]
applyPatch "$DOS_PATCHES/android_system_bt/377020.patch"; #R_asb_2023-12 Reorganize the code for checking auth requirement
applyPatch "$DOS_PATCHES/android_system_bt/377021.patch"; #R_asb_2023-12 Enforce authentication if encryption is required
applyPatch "$DOS_PATCHES/android_system_bt/377023-backport.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
#applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
#fi;
fi;
if enterAndClear "system/ca-certificates"; then
rm -rf files; #Remove old certs
@ -384,6 +404,10 @@ if enterAndClear "system/extras"; then
applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more (GrapheneOS)
fi;
if enterAndClear "system/netd"; then
applyPatch "$DOS_PATCHES/android_system_netd/377024-backport.patch"; #R_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run #XXX
fi;
if enterAndClear "system/sepolicy"; then
applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)