diff --git a/Patches/LineageOS-15.1/android_frameworks_base/379136.patch b/Patches/LineageOS-15.1/android_frameworks_base/379136.patch
new file mode 100644
index 00000000..d6d1d190
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/379136.patch
@@ -0,0 +1,69 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jing Ji
+Date: Thu, 19 Oct 2023 14:22:58 -0700
+Subject: [PATCH] DO NOT MERGE: Fix ActivityManager#killBackgroundProcesses
+ permissions
+
+In the pevious CL, we incorrectly added the permission check in the
+killBackgroundProcessesExcept. Now fix this issue.
+
+Bug: 239423414
+Bug: 223376078
+Test: atest CtsAppTestCases:ActivityManagerTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140fce861944419a375c669010c6c47cd7ff5b37)
+Merged-In: I9471a77188ee63ec32cd0c81569193e4ccad885b
+Change-Id: I9471a77188ee63ec32cd0c81569193e4ccad885b
+---
+ .../server/am/ActivityManagerService.java | 32 +++++++++----------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 25b797cdfd8a..aaa642896202 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -6201,6 +6201,22 @@ public class ActivityManagerService extends IActivityManager.Stub
+ throw new SecurityException(msg);
+ }
+
++ final int callingUid = Binder.getCallingUid();
++ final int callingPid = Binder.getCallingPid();
++
++ ProcessRecord proc;
++ synchronized (mPidsSelfLocked) {
++ proc = mPidsSelfLocked.get(callingPid);
++ }
++ if (callingUid >= FIRST_APPLICATION_UID
++ && (proc == null || !proc.info.isSystemApp())) {
++ final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
++ + callingPid + ", uid=" + callingUid + " is not allowed";
++ Slog.w(TAG, msg);
++ // Silently return to avoid existing apps from crashing.
++ return;
++ }
++
+ final long callingId = Binder.clearCallingIdentity();
+ try {
+ synchronized (this) {
+@@ -6258,22 +6274,6 @@ public class ActivityManagerService extends IActivityManager.Stub
+ throw new SecurityException(msg);
+ }
+
+- final int callingUid = Binder.getCallingUid();
+- final int callingPid = Binder.getCallingPid();
+-
+- ProcessRecord proc;
+- synchronized (mPidsSelfLocked) {
+- proc = mPidsSelfLocked.get(callingPid);
+- }
+- if (callingUid >= FIRST_APPLICATION_UID
+- && (proc == null || !proc.info.isSystemApp())) {
+- final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
+- + callingPid + ", uid=" + callingUid + " is not allowed";
+- Slog.w(TAG, msg);
+- // Silently return to avoid existing apps from crashing.
+- return;
+- }
+-
+ final long callingId = Binder.clearCallingIdentity();
+ try {
+ synchronized (this) {
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/379147-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/379147-backport.patch
new file mode 100644
index 00000000..6f5574ae
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/379147-backport.patch
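Review bot: The hunk headers of this 15.1 backport (`@@ -6201,6 +6201,22 @@` and `@@ -6258,22 +6274,6 @@`) carry only the class name as context, so nothing in the patch text shows that the added block lands in `killAllBackgroundProcesses()` and the removed block leaves `killAllBackgroundProcessesExcept`; the 16.0/17.1 copies of `379136.patch` later in this diff name both methods in their headers. The denial message still reads `killAllBackgroundProcesses()`, which is only accurate if the block sits in that method, so placement is worth verifying by applying the patch and reading the surrounding signatures. Regenerating the backport with Java funcname detection (`*.java diff=java` in `.gitattributes`) would make that verifiable from the patch alone. Both enclosing methods start and end outside the hunks.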
@@ -0,0 +1,94 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tetiana Meronyk
+Date: Thu, 24 Aug 2023 16:27:30 +0000
+Subject: [PATCH] Truncate user data to a limit of 500 characters
+
+Fix vulnerability that allows creating users with no restrictions. This is done by creating an intent to create a user and putting extras that are too long to be serialized. It causes IOException and the restrictions are not written in the file.
+
+By truncating the string values when writing them to the file, we ensure that the exception does not happen and it can be recorded correctly.
+
+Bug: 293602317
+Test: install app provided in the bug, open app and click add. Check logcat to see there is no more IOException. Reboot the device by either opening User details page or running adb shell dumpsys user | grep -A12 heen and see that the restrictions are in place.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48d45b507df64708a214a800082b970c8b2bf827)
+Merged-In: I633dc10974a64ef2abd07e67ff2d209847129989
+Change-Id: I633dc10974a64ef2abd07e67ff2d209847129989
+---
+ .../android/server/pm/UserManagerService.java | 24 ++++++++++++++-----
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
+index d8a42162e0af..957af0fbab68 100644
+--- a/services/core/java/com/android/server/pm/UserManagerService.java
++++ b/services/core/java/com/android/server/pm/UserManagerService.java
+@@ -212,6 +212,8 @@ public class UserManagerService extends IUserManager.Stub {
+
+ private static final int USER_VERSION = 7;
+
++ private static final int MAX_USER_STRING_LENGTH = 500;
++
+ private static final long EPOCH_PLUS_30_YEARS = 30L * 365 * 24 * 60 * 60 * 1000L; // ms
+
+ // Maximum number of managed profiles permitted per user is 1. This cannot be increased
+@@ -2058,15 +2060,17 @@ public class UserManagerService extends IUserManager.Stub {
+ // Write seed data
+ if (userData.persistSeedData) {
+ if (userData.seedAccountName != null) {
+- serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME, userData.seedAccountName);
++ serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME,
++ truncateString(userData.seedAccountName));
+ }
+ if (userData.seedAccountType != null) {
+- serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE, userData.seedAccountType);
++ serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE,
++ truncateString(userData.seedAccountType));
+ }
+ }
+ if (userInfo.name != null) {
+ serializer.startTag(null, TAG_NAME);
+- serializer.text(userInfo.name);
++ serializer.text(truncateString(userInfo.name));
+ serializer.endTag(null, TAG_NAME);
+ }
+ synchronized (mRestrictionsLock) {
+@@ -2097,6 +2101,13 @@ public class UserManagerService extends IUserManager.Stub {
+ serializer.endDocument();
+ }
+
++ private String truncateString(String original) {
++ if (original == null || original.length() <= MAX_USER_STRING_LENGTH) {
++ return original;
++ }
++ return original.substring(0, MAX_USER_STRING_LENGTH);
++ }
++
+ /*
+ * Writes the user list file in this format:
+ *
+@@ -2385,6 +2396,7 @@ public class UserManagerService extends IUserManager.Stub {
+
+ private UserInfo createUserInternalUnchecked(String name, int flags, int parentId,
+ String[] disallowedPackages) {
++ String truncatedName = truncateString(name);
+ DeviceStorageMonitorInternal dsm = LocalServices
+ .getService(DeviceStorageMonitorInternal.class);
+ if (dsm.isMemoryLow()) {
+@@ -2472,7 +2484,7 @@ public class UserManagerService extends IUserManager.Stub {
+ flags |= UserInfo.FLAG_EPHEMERAL;
+ }
+
+- userInfo = new UserInfo(userId, name, null, flags);
++ userInfo = new UserInfo(userId, truncatedName, null, flags);
+ userInfo.serialNumber = mNextSerialNumber++;
+ long now = System.currentTimeMillis();
+ userInfo.creationTime = (now > EPOCH_PLUS_30_YEARS) ? now : 0;
+@@ -3301,8 +3313,8 @@ public class UserManagerService extends IUserManager.Stub {
+ Slog.e(LOG_TAG, "No such user for settings seed data u=" + userId);
+ return;
+ }
+- userData.seedAccountName = accountName;
+- userData.seedAccountType = accountType;
++ userData.seedAccountName = truncateString(accountName);
++ userData.seedAccountType = truncateString(accountType);
+ userData.seedAccountOptions = accountOptions;
+ userData.persistSeedData = persist;
+ }
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/379148-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/379148-backport.patch
new file mode 100644
index 00000000..0df67e24
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/379148-backport.patch
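Review bot: `truncateString` cuts at a fixed UTF-16 index (`original.substring(0, MAX_USER_STRING_LENGTH)`), so a value whose 500th and 501st chars form a surrogate pair is written with an unpaired high surrogate; whether the serializer on this write path replaces or rejects that is not visible in the hunk, and the failure this patch closes (an exception during the write leaving restrictions unpersisted) should be confirmed not to resurface by that route. Trimming one more char when the cut splits a pair keeps the output well-formed: `final int end = Character.isHighSurrogate(original.charAt(MAX_USER_STRING_LENGTH - 1)) ? MAX_USER_STRING_LENGTH - 1 : MAX_USER_STRING_LENGTH;` followed by `return original.substring(0, end);`. Note also that `createUserInternalUnchecked` truncates only the copy placed into `UserInfo`; the untruncated `name` parameter stays in scope for the rest of that method, which lies outside the hunk.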
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Raphael Kim
+Date: Mon, 18 Sep 2023 14:07:23 -0700
+Subject: [PATCH] Validate component name length before requesting notification
+ access.
+
+Bug: 295335110
+Test: Test app with long component name
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:447216ecbe5f22ea06379d9587dae530b1202fe8)
+Merged-In: I7ea5d5c1f78858db9865f3310d1e0aff9c8b5579
+Change-Id: I7ea5d5c1f78858db9865f3310d1e0aff9c8b5579
+---
+ .../server/companion/CompanionDeviceManagerService.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+index 6dce7eed5eba..a5c9f67060d7 100644
+--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
++++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+@@ -105,6 +105,8 @@ public class CompanionDeviceManagerService extends SystemService implements Bind
+ private static final boolean DEBUG = false;
+ private static final String LOG_TAG = "CompanionDeviceManagerService";
+
++ private static final int MAX_CN_LENGTH = 500;
++
+ private static final String XML_TAG_ASSOCIATIONS = "associations";
+ private static final String XML_TAG_ASSOCIATION = "association";
+ private static final String XML_ATTR_PACKAGE = "package";
+@@ -288,6 +290,9 @@ public class CompanionDeviceManagerService extends SystemService implements Bind
+ String callingPackage = component.getPackageName();
+ checkCanCallNotificationApi(callingPackage);
+ int userId = getCallingUserId();
++ if (component.flattenToString().length() > MAX_CN_LENGTH) {
++ throw new IllegalArgumentException("Component name is too long.");
++ }
+ String packageTitle = BidiFormatter.getInstance().unicodeWrap(
getPackageInfo(callingPackage, userId)
+ .applicationInfo
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/379149-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/379149-backport.patch
new file mode 100644
index 00000000..e2fecce6
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/379149-backport.patch
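Review bot: `MAX_CN_LENGTH = 500` is introduced without a comment saying what it bounds or why 500, and the check at the call site throws a bare `"Component name is too long."` with no pointer back to the constant. A one-line comment on the declaration would make the bound reviewable, e.g. `// Upper bound on the flattened ComponentName accepted before a notification-access request proceeds; longer values are rejected up front.` The length is measured on `component.flattenToString()`, so a component that is short in `flattenToShortString()` form but long in the full form is still rejected — worth stating in the same comment if that is intended. The enclosing method's signature is outside the hunk.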
@@ -0,0 +1,66 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nan Wu
+Date: Fri, 25 Aug 2023 15:02:28 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Log to detect usage of whitelistToken when
+ sending non-PI target
+
+Log ActivityManagerService.sendIntentSender if the target is not a
+PendingIntent and a non-null whitelistToken is sent to the client.
+This is simply to detect if there are real cases this would happen
+before we decide simply remove whitelistToken in that case.
+
+Do not pass whitelistToken when sending non-PI target
+
+In ActivityManagerService.sendIntentSender, if the target is not a
+PendingIntent, do not send whitelistToken to the client.
+
+Bug: 279428283
+Test: Manual test
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f12deecd46e79212deba584a1afea97d401dd52)
+Merged-In: I017486354a1ab2f14d0472c355583d53c27c4810
+Change-Id: I017486354a1ab2f14d0472c355583d53c27c4810
+---
+ .../server/am/ActivityManagerService.java | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 0bdc9531064e..25b797cdfd8a 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -7861,12 +7861,12 @@ public class ActivityManagerService extends IActivityManager.Stub
+ }
+
+ @Override
+- public int sendIntentSender(IIntentSender target, IBinder whitelistToken, int code,
++ public int sendIntentSender(IIntentSender target, IBinder allowlistToken, int code,
+ Intent intent, String resolvedType,
+ IIntentReceiver finishedReceiver, String requiredPermission, Bundle options) {
+ if (target instanceof PendingIntentRecord) {
+ return ((PendingIntentRecord)target).sendWithResult(code, intent, resolvedType,
+- whitelistToken, finishedReceiver, requiredPermission, options);
++ allowlistToken, finishedReceiver, requiredPermission, options);
+ } else {
+ if (intent == null) {
+ // Weird case: someone has given us their own custom IIntentSender, and now
+@@ -7878,7 +7878,20 @@ public class ActivityManagerService extends IActivityManager.Stub
+ intent = new Intent(Intent.ACTION_MAIN);
+ }
+ try {
+- target.send(code, intent, resolvedType, whitelistToken, null,
++ if (allowlistToken != null) {
++ final int callingUid = Binder.getCallingUid();
++ final String packageName;
++ final long token = Binder.clearCallingIdentity();
++ try {
++ packageName = AppGlobals.getPackageManager().getNameForUid(callingUid);
++ } finally {
++ Binder.restoreCallingIdentity(token);
++ }
++ Slog.wtf(TAG, "Send a non-null allowlistToken to a non-PI target."
++ + " Calling package: " + packageName + "; intent: " + intent
++ + "; options: " + options);
++ }
++ target.send(code, intent, resolvedType, null, null,
+ requiredPermission, options);
+ } catch (RemoteException e) {
+ }
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/379150.patch b/Patches/LineageOS-15.1/android_frameworks_base/379150.patch
new file mode 100644
index 00000000..dd0b16a5
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/379150.patch
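Review bot: The new `Slog.wtf` call interpolates `options` directly, and an unparcelled `Bundle` renders its key/value map in `toString()`, so caller-supplied option contents can land in the system log at wtf severity; the context line `// Weird case: someone has given us their own custom IIntentSender` shows this branch is reached with a caller-provided target, so the caller also controls how often it fires. Since the patch already withholds the token (`target.send(code, intent, resolvedType, null, null, ...`), the log is purely diagnostic; logging `options == null ? "null" : options.keySet()` in place of the whole bundle, or using `Slog.w`, would keep the detection signal without echoing bundle values. `sendIntentSender` continues past the end of the hunk.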
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Will Leshner
+Date: Tue, 31 Oct 2023 13:23:08 -0700
+Subject: [PATCH] Fix vulnerability that allowed attackers to start arbitary
+ activities
+
+Test: Flashed device and verified dream settings works as expected
+Test: Installed APK from bug and verified the dream didn't allow
+launching the inappropriate settings activity.
+Fixes: 300090204
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14)
+Merged-In: I573040df84bf98a493b39f96c8581e4303206bac
+Change-Id: I573040df84bf98a493b39f96c8581e4303206bac
+---
+ .../com/android/settingslib/dream/DreamBackend.java | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+index 988060eac64d..a208d2f9284f 100644
+--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
++++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+@@ -331,7 +331,17 @@ public class DreamBackend {
+ if (cn != null && cn.indexOf('/') < 0) {
+ cn = resolveInfo.serviceInfo.packageName + "/" + cn;
+ }
+- return cn == null ? null : ComponentName.unflattenFromString(cn);
++ // Ensure that the component is from the same package as the dream service. If not,
++ // treat the component as invalid and return null instead.
++ final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
++ if (result != null
++ && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
++ Log.w(TAG,
++ "Inconsistent package name in component: " + result.getPackageName()
++ + ", should be: " + resolveInfo.serviceInfo.packageName);
++ return null;
++ }
++ return result;
+ }
+
+ private static void logd(String msg, Object... args) {
diff --git a/Patches/LineageOS-15.1/android_system_bt/379154-prereq-1.patch b/Patches/LineageOS-15.1/android_system_bt/379154-prereq-1.patch
new file mode 100644
index 00000000..7c7cad0b
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_system_bt/379154-prereq-1.patch
@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jacky Cheung
+Date: Thu, 26 Oct 2017 16:07:36 -0700
+Subject: [PATCH] Fix addr_type overriding by btm_ble_process_adv_addr().
+
+Bug: 67042709
+Test: manual
+
+Change-Id: Iedffe2fa3dcb3f4e600626490b95c27d1535a737
+---
+ stack/btm/btm_ble_gap.cc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/stack/btm/btm_ble_gap.cc b/stack/btm/btm_ble_gap.cc
+index 341d85d4d..bf526b67f 100644
+--- a/stack/btm/btm_ble_gap.cc
++++ b/stack/btm/btm_ble_gap.cc
+@@ -1841,10 +1841,10 @@ void btm_clear_all_pending_le_entry(void) {
+ }
+ }
+
+-void btm_ble_process_adv_addr(RawAddress& bda, uint8_t addr_type) {
++void btm_ble_process_adv_addr(RawAddress& bda, uint8_t* addr_type) {
+ #if (BLE_PRIVACY_SPT == TRUE)
+ /* map address to security record */
+- bool match = btm_identity_addr_to_random_pseudo(&bda, &addr_type, false);
++ bool match = btm_identity_addr_to_random_pseudo(&bda, addr_type, false);
+
+ VLOG(1) << __func__ << ": bda=" << bda;
+ /* always do RRA resolution on host */
+@@ -1915,7 +1915,7 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
+ pkt_data_len, rssi);
+ }
+
+- btm_ble_process_adv_addr(bda, addr_type);
++ btm_ble_process_adv_addr(bda, &addr_type);
+ btm_ble_process_adv_pkt_cont(event_type, addr_type, bda, primary_phy,
+ secondary_phy, advertising_sid, tx_power, rssi,
+ periodic_adv_int, pkt_data_len, pkt_data);
+@@ -1962,7 +1962,7 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
+ pkt_data_len, rssi);
+ }
+
+- btm_ble_process_adv_addr(bda, addr_type);
++ btm_ble_process_adv_addr(bda, &addr_type);
+
+ uint16_t event_type;
+ if (legacy_evt_type == 0x00) { // ADV_IND;
diff --git a/Patches/LineageOS-15.1/android_system_bt/379154-prereq-2.patch b/Patches/LineageOS-15.1/android_system_bt/379154-prereq-2.patch
new file mode 100644
index 00000000..90fdf6cf
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_system_bt/379154-prereq-2.patch
@@ -0,0 +1,68 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakub Pawlowski
+Date: Wed, 21 Mar 2018 17:13:36 -0700
+Subject: [PATCH] LE Advertising Report parsing enhancements
+
+Reject invalid data length for advertisement data.
+Also, don't attempt to resolve anonymous advertising addresses.
+
+Test: LE scanning tests
+Bug: 73193883
+Change-Id: I1cb330bc30fdcaebc86527cd2656c9dd7932b318
+(cherry picked from commit 47efa5b569e8dfa6c4397f0a9598d8137f71a05f)
+---
+ stack/btm/btm_ble_gap.cc | 17 ++++++++++++++---
+ stack/include/bt_types.h | 1 +
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/stack/btm/btm_ble_gap.cc b/stack/btm/btm_ble_gap.cc
+index bf526b67f..4f09f270a 100644
+--- a/stack/btm/btm_ble_gap.cc
++++ b/stack/btm/btm_ble_gap.cc
+@@ -1909,13 +1909,20 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
+
+ uint8_t* pkt_data = p;
+ p += pkt_data_len; /* Advance to the the next packet*/
++ if (p > data + data_len) {
++ LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
++ return;
++ }
+
+ if (rssi >= 21 && rssi <= 126) {
+- BTM_TRACE_ERROR("%s: bad rssi value in advertising report: ", __func__,
+- pkt_data_len, rssi);
++ BTM_TRACE_ERROR("%s: bad rssi value in advertising report: %d", __func__,
++ rssi);
++ }
++
++ if (addr_type != BLE_ADDR_ANONYMOUS) {
++ btm_ble_process_adv_addr(bda, &addr_type);
+ }
+
+- btm_ble_process_adv_addr(bda, &addr_type);
+ btm_ble_process_adv_pkt_cont(event_type, addr_type, bda, primary_phy,
+ secondary_phy, advertising_sid, tx_power, rssi,
+ periodic_adv_int, pkt_data_len, pkt_data);
+@@ -1954,6 +1961,10 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
+
+ uint8_t* pkt_data = p;
+ p += pkt_data_len; /* Advance to the the rssi byte */
++ if (p > data + data_len - sizeof(rssi)) {
++ LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
++ return;
++ }
+
+ STREAM_TO_INT8(rssi, p);
+
+diff --git a/stack/include/bt_types.h b/stack/include/bt_types.h
+index 6acce0ffc..1c7e54ea2 100644
+--- a/stack/include/bt_types.h
++++ b/stack/include/bt_types.h
+@@ -729,6 +729,7 @@ typedef struct {
+ #define BLE_ADDR_RANDOM 0x01
+ #define BLE_ADDR_PUBLIC_ID 0x02
+ #define BLE_ADDR_RANDOM_ID 0x03
++#define BLE_ADDR_ANONYMOUS 0xFF
+ typedef uint8_t tBLE_ADDR_TYPE;
+ #define BLE_ADDR_TYPE_MASK (BLE_ADDR_RANDOM | BLE_ADDR_PUBLIC)
+
diff --git a/Patches/LineageOS-15.1/android_system_bt/379154.patch b/Patches/LineageOS-15.1/android_system_bt/379154.patch
new file mode 100644
index 00000000..75b06996
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_system_bt/379154.patch
@@ -0,0 +1,135 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Tue, 23 May 2023 23:23:11 +0000
+Subject: [PATCH] Fix some OOB errors in BTM parsing
+
+Some HCI BLE events are missing bounds checks, leading to possible OOB
+access. Add the appropriate bounds checks on the packets.
+
+Bug: 279169188
+Test: atest bluetooth_test_gd_unit, net_test_stack_btm
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)
+Merged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
+Change-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
+---
+ stack/btm/btm_ble_gap.cc | 50 ++++++++++++++++++++++++++++++----------
+ stack/btu/btu_hcif.cc | 6 +++++
+ 2 files changed, 44 insertions(+), 12 deletions(-)
+
+diff --git a/stack/btm/btm_ble_gap.cc b/stack/btm/btm_ble_gap.cc
+index 4f09f270a..17a87ed95 100644
+--- a/stack/btm/btm_ble_gap.cc
++++ b/stack/btm/btm_ble_gap.cc
+@@ -1877,19 +1877,27 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
+ advertising_sid;
+ int8_t rssi, tx_power;
+ uint16_t event_type, periodic_adv_int, direct_address_type;
++ size_t bytes_to_process;
+
+ /* Only process the results if the inquiry is still active */
+ if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return;
+
++ bytes_to_process = 1;
++
++ if (data_len < bytes_to_process) {
++ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
++ "for num reports";
++ return;
++ }
++
+ /* Extract the number of reports in this event. */
+ STREAM_TO_UINT8(num_reports, p);
+
+ while (num_reports--) {
+- if (p > data + data_len) {
+- // TODO(jpawlowski): we should crash the stack here
+- BTM_TRACE_ERROR(
+- "Malformed LE Extended Advertising Report Event from controller - "
+- "can't loop the data");
++ bytes_to_process += 24;
++ if (data_len < bytes_to_process) {
++ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
++ "for metadata";
+ return;
+ }
+
+@@ -1909,8 +1917,11 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
+
+ uint8_t* pkt_data = p;
+ p += pkt_data_len; /* Advance to the the next packet*/
+- if (p > data + data_len) {
+- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
++
++ bytes_to_process += pkt_data_len;
++ if (data_len < bytes_to_process) {
++ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
++ "for packet data";
+ return;
+ }
+
+@@ -1939,17 +1950,28 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
+ uint8_t* p = data;
+ uint8_t legacy_evt_type, addr_type, num_reports, pkt_data_len;
+ int8_t rssi;
++ size_t bytes_to_process;
+
+ /* Only process the results if the inquiry is still active */
+ if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return;
+
++ bytes_to_process = 1;
++
++ if (data_len < bytes_to_process) {
++ LOG(ERROR)
++ << "Malformed LE advertising packet: not enough room for num reports";
++ return;
++ }
++
+ /* Extract the number of reports in this event. */
+ STREAM_TO_UINT8(num_reports, p);
+
+ while (num_reports--) {
+- if (p > data + data_len) {
+- // TODO(jpawlowski): we should crash the stack here
+- BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller");
++ bytes_to_process += 9;
++
++ if (data_len < bytes_to_process) {
++ LOG(ERROR)
++ << "Malformed LE advertising packet: not enough room for metadata";
+ return;
+ }
+
+@@ -1961,8 +1983,12 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
+
+ uint8_t* pkt_data = p;
+ p += pkt_data_len; /* Advance to the the rssi byte */
+- if (p > data + data_len - sizeof(rssi)) {
+- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
++
++ // include rssi for this check
++ bytes_to_process += pkt_data_len + 1;
++ if (data_len < bytes_to_process) {
++ LOG(ERROR) << "Malformed LE advertising packet: not enough room for "
++ "packet data and/or RSSI";
+ return;
+ }
+
+diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
+index 15227cb1b..279c9d930 100644
+--- a/stack/btu/btu_hcif.cc
++++ b/stack/btu/btu_hcif.cc
+@@ -1776,6 +1776,12 @@ static void btu_ble_data_length_change_evt(uint8_t* p, uint16_t evt_len) {
+ return;
+ }
+
++ // 2 bytes each for handle, tx_data_len, TxTimer, rx_data_len
++ if (evt_len < 8) {
++ LOG_ERROR(LOG_TAG, "Event packet too short");
++ return;
++ }
++
+ STREAM_TO_UINT16(handle, p);
+ STREAM_TO_UINT16(tx_data_len, p);
+ p += 2; /* Skip the TxTimer */
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/379136.patch b/Patches/LineageOS-16.0/android_frameworks_base/379136.patch
new file mode 100644
index 00000000..ec1652ec
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/379136.patch
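Review bot: The two per-report metadata sizes are bare numbers, `bytes_to_process += 24;` in `btm_ble_process_ext_adv_pkt` and `bytes_to_process += 9;` in `btm_ble_process_adv_pkt`, whereas the btu_hcif.cc hunk in the same patch documents its `8` (`// 2 bytes each for handle, tx_data_len, TxTimer, rx_data_len`). A comment naming the fixed-size fields each constant covers would let a reader re-check the count against the `STREAM_TO_*` reads that follow, which are outside the hunk: for the 24 presumably event type, address type and address, the two PHYs, SID, tx power, RSSI, periodic interval, direct address type and address, and the data length; for the 9 presumably event type, address type and address, and the data length — both to be confirmed against those reads. The accounting itself is sound in shape: `data_len` is compared with the running `bytes_to_process` total instead of with a pointer that may already sit past the buffer, which is what the removed `p > data + data_len` checks from 379154-prereq-2 did.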
@@ -0,0 +1,69 @@
+From a1e8ab5e0dbb34361cbd548abac2f8cf980faab9 Mon Sep 17 00:00:00 2001
+From: Jing Ji
+Date: Thu, 19 Oct 2023 14:22:58 -0700
+Subject: [PATCH] DO NOT MERGE: Fix ActivityManager#killBackgroundProcesses
+ permissions
+
+In the pevious CL, we incorrectly added the permission check in the
+killBackgroundProcessesExcept. Now fix this issue.
+
+Bug: 239423414
+Bug: 223376078
+Test: atest CtsAppTestCases:ActivityManagerTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140fce861944419a375c669010c6c47cd7ff5b37)
+Merged-In: I9471a77188ee63ec32cd0c81569193e4ccad885b
+Change-Id: I9471a77188ee63ec32cd0c81569193e4ccad885b
+---
+ .../server/am/ActivityManagerService.java | 32 +++++++++----------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 5a12cdaae56c..9a9c05060a4c 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -3690,6 +3690,22 @@ public void killAllBackgroundProcesses() {
+ throw new SecurityException(msg);
+ }
+
++ final int callingUid = Binder.getCallingUid();
++ final int callingPid = Binder.getCallingPid();
++
++ ProcessRecord proc;
++ synchronized (mPidsSelfLocked) {
++ proc = mPidsSelfLocked.get(callingPid);
++ }
++ if (callingUid >= FIRST_APPLICATION_UID
++ && (proc == null || !proc.info.isSystemApp())) {
++ final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
++ + callingPid + ", uid=" + callingUid + " is not allowed";
++ Slog.w(TAG, msg);
++ // Silently return to avoid existing apps from crashing.
++ return;
++ }
++
+ final long callingId = Binder.clearCallingIdentity();
+ try {
+ synchronized (this) {
+@@ -3730,22 +3746,6 @@ void killAllBackgroundProcessesExcept(int minTargetSdk, int maxProcState) {
+ throw new SecurityException(msg);
+ }
+
+- final int callingUid = Binder.getCallingUid();
+- final int callingPid = Binder.getCallingPid();
+-
+- ProcessRecord proc;
+- synchronized (mPidsSelfLocked) {
+- proc = mPidsSelfLocked.get(callingPid);
+- }
+- if (callingUid >= FIRST_APPLICATION_UID
+- && (proc == null || !proc.info.isSystemApp())) {
+- final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
+- + callingPid + ", uid=" + callingUid + " is not allowed";
+- Slog.w(TAG, msg);
+- // Silently return to avoid existing apps from crashing.
+- return;
+- }
+-
+ final long callingId = Binder.clearCallingIdentity();
+ try {
+ synchronized (this) {
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/379136.patch b/Patches/LineageOS-17.1/android_frameworks_base/379136.patch
new file mode 100644
index 00000000..ec1652ec
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_frameworks_base/379136.patch
@@ -0,0 +1,69 @@
+From a1e8ab5e0dbb34361cbd548abac2f8cf980faab9 Mon Sep 17 00:00:00 2001
+From: Jing Ji
+Date: Thu, 19 Oct 2023 14:22:58 -0700
+Subject: [PATCH] DO NOT MERGE: Fix ActivityManager#killBackgroundProcesses
+ permissions
+
+In the pevious CL, we incorrectly added the permission check in the
+killBackgroundProcessesExcept. Now fix this issue.
+
+Bug: 239423414
+Bug: 223376078
+Test: atest CtsAppTestCases:ActivityManagerTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140fce861944419a375c669010c6c47cd7ff5b37)
+Merged-In: I9471a77188ee63ec32cd0c81569193e4ccad885b
+Change-Id: I9471a77188ee63ec32cd0c81569193e4ccad885b
+---
+ .../server/am/ActivityManagerService.java | 32 +++++++++----------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 5a12cdaae56c..9a9c05060a4c 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -3690,6 +3690,22 @@ public void killAllBackgroundProcesses() {
+ throw new SecurityException(msg);
+ }
+
++ final int callingUid = Binder.getCallingUid();
++ final int callingPid = Binder.getCallingPid();
++
++ ProcessRecord proc;
++ synchronized (mPidsSelfLocked) {
++ proc = mPidsSelfLocked.get(callingPid);
++ }
++ if (callingUid >= FIRST_APPLICATION_UID
++ && (proc == null || !proc.info.isSystemApp())) {
++ final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
++ + callingPid + ", uid=" + callingUid + " is not allowed";
++ Slog.w(TAG, msg);
++ // Silently return to avoid existing apps from crashing.
++ return;
++ }
++
+ final long callingId = Binder.clearCallingIdentity();
+ try {
+ synchronized (this) {
+@@ -3730,22 +3746,6 @@ void killAllBackgroundProcessesExcept(int minTargetSdk, int maxProcState) {
+ throw new SecurityException(msg);
+ }
+
+- final int callingUid = Binder.getCallingUid();
+- final int callingPid = Binder.getCallingPid();
+-
+- ProcessRecord proc;
+- synchronized (mPidsSelfLocked) {
+- proc = mPidsSelfLocked.get(callingPid);
+- }
+- if (callingUid >= FIRST_APPLICATION_UID
+- && (proc == null || !proc.info.isSystemApp())) {
+- final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
+- + callingPid + ", uid=" + callingUid + " is not allowed";
+- Slog.w(TAG, msg);
+- // Silently return to avoid existing apps from crashing.
+- return;
+- }
+-
+ final long callingId = Binder.clearCallingIdentity();
+ try {
+ synchronized (this) {
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh
index d91cfe8d..60efd661 100644
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@@ -74,7 +74,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
 applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2023-12-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2024-01-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -228,6 +228,11 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/373955.patch"; #R_asb_2023-11 [
 applyPatch "$DOS_PATCHES/android_frameworks_base/377004-backport.patch"; #R_asb_2023-12 Drop invalid data.
 applyPatch "$DOS_PATCHES/android_frameworks_base/377009.patch"; #R_asb_2023-12 Validate userId when publishing shortcuts
 applyPatch "$DOS_PATCHES/android_frameworks_base/377011.patch"; #R_asb_2023-12 Adding in verification of calling UID in onShellCommand
+applyPatch "$DOS_PATCHES/android_frameworks_base/379147-backport.patch"; #R_asb_2024-01 Truncate user data to a limit of 500 characters
+applyPatch "$DOS_PATCHES/android_frameworks_base/379148-backport.patch"; #R_asb_2024-01 [CDM] Validate component name length before requesting notification access.
+applyPatch "$DOS_PATCHES/android_frameworks_base/379149-backport.patch"; #R_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target
+applyPatch "$DOS_PATCHES/android_frameworks_base/379150.patch"; #R_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities
+applyPatch "$DOS_PATCHES/android_frameworks_base/379136.patch"; #R_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
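Review bot: `379136.patch` is applied last in this hunk although its number is the lowest, and that order is load-bearing: the 15.1 `379136.patch` earlier in this diff has pre-image blob `25b797cdfd8a` for ActivityManagerService.java, which is exactly the post-image blob of `379149-backport.patch`, so applying 379136 before 379149 would fail. Nothing on the line records that, so a later sort-by-number tidy-up would break the script; extending the comment, e.g. `#R_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions (after 379149: same file)`, captures the dependency. The same applies to the `379154-prereq-1`/`379154-prereq-2`/`379154` trio in the android_system_bt hunk below, whose index lines chain `341d85d4d` → `bf526b67f` → `4f09f270a` → `17a87ed95`.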
@@ -492,6 +497,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/377021.patch"; #R_asb_2023-12 Enforce
 applyPatch "$DOS_PATCHES/android_system_bt/377023-backport.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
 applyPatch "$DOS_PATCHES/android_system_bt/377030.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc
 applyPatch "$DOS_PATCHES/android_system_bt/377031.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow
+applyPatch "$DOS_PATCHES/android_system_bt/379154-prereq-1.patch"; #R_asb_2024-01 Fix addr_type overriding by btm_ble_process_adv_addr().
+applyPatch "$DOS_PATCHES/android_system_bt/379154-prereq-2.patch"; #R_asb_2024-01 LE Advertising Report parsing enhancements
+applyPatch "$DOS_PATCHES/android_system_bt/379154.patch"; #R_asb_2024-01 Fix some OOB errors in BTM parsing
 fi;
 
 if enterAndClear "system/ca-certificates"; then
diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh
index fa3c27fa..f39d1c74 100644
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@@ -172,6 +172,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/379147-backport.patch"; #R_asb_
 applyPatch "$DOS_PATCHES/android_frameworks_base/379148-backport.patch"; #R_asb_2024-01 [CDM] Validate component name length before requesting notification access.
 applyPatch "$DOS_PATCHES/android_frameworks_base/379149-backport.patch"; #R_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target
 applyPatch "$DOS_PATCHES/android_frameworks_base/379150.patch"; #R_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities
+applyPatch "$DOS_PATCHES/android_frameworks_base/379136.patch"; #R_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh
index 37ef3f55..f1a9e017 100644
--- a/Scripts/LineageOS-17.1/Patch.sh
+++ b/Scripts/LineageOS-17.1/Patch.sh
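Review bot: This line makes the 16.0 script apply `$DOS_PATCHES/android_frameworks_base/379136.patch`, and the 17.1 hunk below adds the identical line, but the only `379136.patch` added in the visible part of this diff lives under `Patches/LineageOS-15.1/`, whose hunks target the 15.1 layout of `ActivityManagerService.java`. If the 16.0 and 17.1 copies do not already exist from an earlier commit, `applyPatch` will fail at this point of the script; if they do exist, it is worth confirming each was rebased against its own branch rather than copied from 15.1, since the check this patch relocates only protects the caller when it lands in the right method.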
@@ -173,6 +173,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/379147-backport.patch"; #R_asb_
 applyPatch "$DOS_PATCHES/android_frameworks_base/379148-backport.patch"; #R_asb_2024-01 [CDM] Validate component name length before requesting notification access.
 applyPatch "$DOS_PATCHES/android_frameworks_base/379149-backport.patch"; #R_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target
 applyPatch "$DOS_PATCHES/android_frameworks_base/379150.patch"; #R_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities
+applyPatch "$DOS_PATCHES/android_frameworks_base/379136.patch"; #R_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)