mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-12 07:59:36 -05:00
17.1: December 2024 ASB work
Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
parent
3fd3dd08c1
commit
4ff62c1abc
@ -1,4 +1,4 @@
|
||||
From 8403f004112570c0974f227e79e82607e12f6c94 Mon Sep 17 00:00:00 2001
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Brian Osman <brianosman@google.com>
|
||||
Date: Tue, 27 Aug 2024 14:22:52 -0400
|
||||
Subject: [PATCH] RESTRICT AUTOMERGE: Avoid potential overflow when allocating
|
||||
@ -25,7 +25,7 @@ Change-Id: Ia35860371d45120baca63238e77faa5c0eb25d51
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/effects/SkEmbossMaskFilter.cpp b/src/effects/SkEmbossMaskFilter.cpp
|
||||
index ef265201727..94ff73e9088 100644
|
||||
index ef26520172..94ff73e908 100644
|
||||
--- a/src/effects/SkEmbossMaskFilter.cpp
|
||||
+++ b/src/effects/SkEmbossMaskFilter.cpp
|
||||
@@ -95,11 +95,13 @@ bool SkEmbossMaskFilter::filterMask(SkMask* dst, const SkMask& src,
|
||||
|
@ -0,0 +1,48 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Wagner <bungeman@google.com>
|
||||
Date: Mon, 12 Aug 2024 15:00:08 -0400
|
||||
Subject: [PATCH] Bounds check in skia_alloc_func
|
||||
|
||||
The allocator callback for zlib needs to check that items * size will
|
||||
fit in size_t and return nullptr if not.
|
||||
|
||||
Conflicts:
|
||||
- src/pdf/SkDeflate.cpp: just in header includes
|
||||
|
||||
Bug: 349678452
|
||||
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/888996
|
||||
Commit-Queue: Ben Wagner <bungeman@google.com>
|
||||
Reviewed-by: Brian Osman <brianosman@google.com>
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:94b46e52960ec84a69304ea058fd928e3de6fa56)
|
||||
Merged-In: Id1a30592d435bd0de4630e7047f26b0dc17654fc
|
||||
Change-Id: Id1a30592d435bd0de4630e7047f26b0dc17654fc
|
||||
---
|
||||
src/pdf/SkDeflate.cpp | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/src/pdf/SkDeflate.cpp b/src/pdf/SkDeflate.cpp
|
||||
index be3e182cd1..8f48b7f16d 100644
|
||||
--- a/src/pdf/SkDeflate.cpp
|
||||
+++ b/src/pdf/SkDeflate.cpp
|
||||
@@ -10,6 +10,7 @@
|
||||
#include "SkData.h"
|
||||
#include "SkMakeUnique.h"
|
||||
#include "SkMalloc.h"
|
||||
+#include "SkTFitsIn.h"
|
||||
#include "SkTo.h"
|
||||
#include "SkTraceEvent.h"
|
||||
|
||||
@@ -20,6 +21,13 @@ namespace {
|
||||
// Different zlib implementations use different T.
|
||||
// We've seen size_t and unsigned.
|
||||
template <typename T> void* skia_alloc_func(void*, T items, T size) {
|
||||
+ if (!SkTFitsIn<size_t>(size)) {
|
||||
+ return nullptr;
|
||||
+ }
|
||||
+ const size_t maxItems = SIZE_MAX / size;
|
||||
+ if (maxItems < items) {
|
||||
+ return nullptr;
|
||||
+ }
|
||||
return sk_calloc_throw(SkToSizeT(items) * SkToSizeT(size));
|
||||
}
|
||||
|
35
Patches/LineageOS-17.1/android_external_skia/411485.patch
Normal file
35
Patches/LineageOS-17.1/android_external_skia/411485.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 6f447355dd4fd0cfdf7c49b688149c71390194cb Mon Sep 17 00:00:00 2001
|
||||
From: Brian Osman <brianosman@google.com>
|
||||
Date: Thu, 29 Aug 2024 12:47:48 -0400
|
||||
Subject: [PATCH] RESTRICT AUTOMERGE: Check for size overflow before allocating
|
||||
SkMask data
|
||||
|
||||
Bug: 352631932
|
||||
Test: N/A -- not reproducible / speculative fix
|
||||
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894478
|
||||
Commit-Queue: Ben Wagner <bungeman@google.com>
|
||||
Reviewed-by: Ben Wagner <bungeman@google.com>
|
||||
Auto-Submit: Brian Osman <brianosman@google.com>
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fa94ff39bee75fe3a4abf061c09b972e2ffd0fa)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbf6a5953623cdb0ef200bcba00bc43986b16c91)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:767ef0ae44902bb84ef0bf6f6beb601c283ade01)
|
||||
Merged-In: I74c081a7b849f13194ec7807b7a748d1919c1bb2
|
||||
Change-Id: I74c081a7b849f13194ec7807b7a748d1919c1bb2
|
||||
---
|
||||
src/core/SkBlurMF.cpp | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/core/SkBlurMF.cpp b/src/core/SkBlurMF.cpp
|
||||
index bd7accae8d2..e16f6ee7698 100644
|
||||
--- a/src/core/SkBlurMF.cpp
|
||||
+++ b/src/core/SkBlurMF.cpp
|
||||
@@ -316,6 +316,9 @@ static bool prepare_to_draw_into_mask(const SkRect& bounds, SkMask* mask) {
|
||||
mask->fRowBytes = SkAlign4(mask->fBounds.width());
|
||||
mask->fFormat = SkMask::kA8_Format;
|
||||
const size_t size = mask->computeImageSize();
|
||||
+ if (size == 0) {
|
||||
+ return false;
|
||||
+ }
|
||||
mask->fImage = SkMask::AllocImage(size, SkMask::kZeroInit_Alloc);
|
||||
if (nullptr == mask->fImage) {
|
||||
return false;
|
35
Patches/LineageOS-17.1/android_external_skia/411486.patch
Normal file
35
Patches/LineageOS-17.1/android_external_skia/411486.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 7f44cab6fa5bc8ff805795f88d0912612e849224 Mon Sep 17 00:00:00 2001
|
||||
From: Brian Osman <brianosman@google.com>
|
||||
Date: Thu, 29 Aug 2024 11:52:35 -0400
|
||||
Subject: [PATCH] Prevent overflow when growing an SkRegion's RunArray
|
||||
|
||||
Bug: 350118416
|
||||
Test: N/A -- speculative issue without repro case
|
||||
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894836
|
||||
Reviewed-by: Robert Phillips <robertphillips@google.com>
|
||||
Commit-Queue: Brian Osman <brianosman@google.com>
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85802e6d648a7831a26cc856fa5e33da94ed23f0)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6ed907c5f18a646c9150e41b74ef45ca08518830)
|
||||
Merged-In: Iea27fe62ef97deb8a75e8dae276657d809223b57
|
||||
Change-Id: Iea27fe62ef97deb8a75e8dae276657d809223b57
|
||||
---
|
||||
src/core/SkRegion.cpp | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
|
||||
index 73707c2b876..275410cbd22 100644
|
||||
--- a/src/core/SkRegion.cpp
|
||||
+++ b/src/core/SkRegion.cpp
|
||||
@@ -52,8 +52,10 @@ class RunArray {
|
||||
/** Resize the array to a size greater-than-or-equal-to count. */
|
||||
void resizeToAtLeast(int count) {
|
||||
if (count > fCount) {
|
||||
- // leave at least 50% extra space for future growth.
|
||||
- count += count >> 1;
|
||||
+ // leave at least 50% extra space for future growth (unless adding would overflow)
|
||||
+ SkSafeMath safe;
|
||||
+ int newCount = safe.addInt(count, count >> 1);
|
||||
+ count = safe ? newCount : SK_MaxS32;
|
||||
fMalloc.realloc(count);
|
||||
if (fPtr == fStack) {
|
||||
memcpy(fMalloc.get(), fStack, fCount * sizeof(SkRegionPriv::RunType));
|
60
Patches/LineageOS-17.1/android_frameworks_base/411487.patch
Normal file
60
Patches/LineageOS-17.1/android_frameworks_base/411487.patch
Normal file
@ -0,0 +1,60 @@
|
||||
From b958e5cbbb8982c37dcc60f076e9e71a85588c87 Mon Sep 17 00:00:00 2001
|
||||
From: Pinyao Ting <pinyaoting@google.com>
|
||||
Date: Thu, 29 Aug 2024 17:01:55 +0000
|
||||
Subject: [PATCH] Properly handle onNullBinding() in appwidget service.
|
||||
|
||||
Bug: 340239088
|
||||
Test: manually verified with the PoC app
|
||||
Flag: EXEMPT CVE
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5b076641fc517b37f1689697130de3cbc22a4c92)
|
||||
Merged-In: I12fccb572e159a73785aa33a4f5204e094ccd1b7
|
||||
Change-Id: I12fccb572e159a73785aa33a4f5204e094ccd1b7
|
||||
---
|
||||
core/java/android/widget/RemoteViewsAdapter.java | 5 +++++
|
||||
.../android/server/appwidget/AppWidgetServiceImpl.java | 10 ++++++++++
|
||||
2 files changed, 15 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/widget/RemoteViewsAdapter.java b/core/java/android/widget/RemoteViewsAdapter.java
|
||||
index e58f08a799655..d64a3b5ee16ba 100644
|
||||
--- a/core/java/android/widget/RemoteViewsAdapter.java
|
||||
+++ b/core/java/android/widget/RemoteViewsAdapter.java
|
||||
@@ -238,6 +238,11 @@ public void onServiceDisconnected(ComponentName name) {
|
||||
}
|
||||
}
|
||||
|
||||
+ @Override
|
||||
+ public void onNullBinding(ComponentName name) {
|
||||
+ enqueueDeferredUnbindServiceMessage();
|
||||
+ }
|
||||
+
|
||||
@Override
|
||||
public void handleMessage(Message msg) {
|
||||
RemoteViewsAdapter adapter = mAdapter.get();
|
||||
diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
|
||||
index f989f73b11b10..709a206a39c77 100644
|
||||
--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
|
||||
+++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
|
||||
@@ -1888,6 +1888,11 @@ public void onServiceConnected(ComponentName name, IBinder service) {
|
||||
mContext.unbindService(this);
|
||||
}
|
||||
|
||||
+ @Override
|
||||
+ public void onNullBinding(ComponentName name) {
|
||||
+ mContext.unbindService(this);
|
||||
+ }
|
||||
+
|
||||
@Override
|
||||
public void onServiceDisconnected(ComponentName name) {
|
||||
// Do nothing
|
||||
@@ -2028,6 +2033,11 @@ public void onServiceConnected(ComponentName name, IBinder service) {
|
||||
mContext.unbindService(this);
|
||||
}
|
||||
|
||||
+ @Override
|
||||
+ public void onNullBinding(ComponentName name) {
|
||||
+ mContext.unbindService(this);
|
||||
+ }
|
||||
+
|
||||
@Override
|
||||
public void onServiceDisconnected(android.content.ComponentName name) {
|
||||
// Do nothing
|
44
Patches/LineageOS-17.1/android_system_bt/411488.patch
Normal file
44
Patches/LineageOS-17.1/android_system_bt/411488.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From 9f73a10e0bd1ac2f6d8e3fe612fb9ff2f1839d63 Mon Sep 17 00:00:00 2001
|
||||
From: Brian Delwiche <delwiche@google.com>
|
||||
Date: Mon, 8 Jul 2024 22:42:18 +0000
|
||||
Subject: [PATCH] [BACKPORT] Fix OOB write in build_read_multi_rsp of
|
||||
gatt_sr.cc
|
||||
|
||||
build_read_multi_rsp is missing a bounds check, which can lead to an
|
||||
OOB write when the mtu parameter is set to zero.
|
||||
|
||||
Add that bounds check.
|
||||
|
||||
Bug: 323850943
|
||||
Test: atest GattSrTest
|
||||
Test: researcher POC
|
||||
Tag: #security
|
||||
Flag: EXEMPT trivial validity checks
|
||||
Ignore-AOSP-First: Security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c177fdbd6189a114239e11e2713740b5a50624e1)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f7171d31e247e3367b302374a3a0cf671f50ffcd)
|
||||
Merged-In: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
|
||||
Change-Id: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
|
||||
---
|
||||
stack/gatt/gatt_sr.cc | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
|
||||
index 252732c739..9a875d742d 100644
|
||||
--- a/stack/gatt/gatt_sr.cc
|
||||
+++ b/stack/gatt/gatt_sr.cc
|
||||
@@ -136,6 +136,14 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
|
||||
/* Wait till we get all the responses */
|
||||
if (fixed_queue_length(p_cmd->multi_rsp_q) ==
|
||||
p_cmd->multi_req.num_handles) {
|
||||
+
|
||||
+ // We need at least one extra byte for the opcode
|
||||
+ if (mtu == 0) {
|
||||
+ LOG(ERROR) << "Invalid MTU";
|
||||
+ p_cmd->status = GATT_ILLEGAL_PARAMETER;
|
||||
+ return (true);
|
||||
+ }
|
||||
+
|
||||
len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
|
||||
p_buf = (BT_HDR*)osi_calloc(len);
|
||||
p_buf->offset = L2CAP_MIN_OFFSET;
|
73
Patches/LineageOS-17.1/android_system_bt/411489.patch
Normal file
73
Patches/LineageOS-17.1/android_system_bt/411489.patch
Normal file
@ -0,0 +1,73 @@
|
||||
From 25e48c2d290d3be724df2e7e073b661331963752 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Thu, 27 Jul 2023 04:09:04 +0000
|
||||
Subject: [PATCH] [BACKPORT] Fix an integer underflow in build_read_multi_rsp
|
||||
|
||||
This is a backport of Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
|
||||
to sc-dev
|
||||
|
||||
Bug: 273874525
|
||||
Test: manual
|
||||
Ignore-AOSP-First: security
|
||||
Tag: #security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d5f27984f4ca265f28a4adf5835b0198a3e19aed)
|
||||
Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
|
||||
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
|
||||
---
|
||||
stack/gatt/gatt_sr.cc | 27 ++++++++++++++++-----------
|
||||
1 file changed, 16 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
|
||||
index 9a875d742d..c0c1486af0 100644
|
||||
--- a/stack/gatt/gatt_sr.cc
|
||||
+++ b/stack/gatt/gatt_sr.cc
|
||||
@@ -21,7 +21,7 @@
|
||||
* this file contains the GATT server functions
|
||||
*
|
||||
******************************************************************************/
|
||||
-
|
||||
+#include <algorithm>
|
||||
#include "bt_target.h"
|
||||
#include "bt_utils.h"
|
||||
#include "osi/include/osi.h"
|
||||
@@ -171,9 +171,21 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
|
||||
}
|
||||
|
||||
if (p_rsp != NULL) {
|
||||
- total_len = (p_buf->len + p_rsp->attr_value.len);
|
||||
+ total_len = p_buf->len;
|
||||
|
||||
if (total_len > mtu) {
|
||||
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
|
||||
+
|
||||
+ if (len == 0) {
|
||||
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (len < p_rsp->attr_value.len) {
|
||||
/* just send the partial response for the overflow case */
|
||||
len = p_rsp->attr_value.len - (total_len - mtu);
|
||||
is_overflow = true;
|
||||
@@ -185,15 +197,8 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
|
||||
}
|
||||
|
||||
if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
|
||||
- // check for possible integer overflow
|
||||
- if (p_buf->len + len <= UINT16_MAX) {
|
||||
- memcpy(p, p_rsp->attr_value.value, len);
|
||||
- if (!is_overflow) p += len;
|
||||
- p_buf->len += len;
|
||||
- } else {
|
||||
- p_cmd->status = GATT_NOT_FOUND;
|
||||
- break;
|
||||
- }
|
||||
+ ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);
|
||||
+ p_buf->len += (uint16_t) len;
|
||||
} else {
|
||||
p_cmd->status = GATT_NOT_FOUND;
|
||||
break;
|
37
Patches/LineageOS-17.1/android_system_bt/411490.patch
Normal file
37
Patches/LineageOS-17.1/android_system_bt/411490.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From 425cc51af8d1662dacab60330628a6adfd1a404f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jakub=20Paw=C5=82owski?= <jpawlowski@google.com>
|
||||
Date: Thu, 1 Aug 2024 14:12:58 +0000
|
||||
Subject: [PATCH] [BACKPORT] Fix "GATT Read Multiple Variable Response" builder
|
||||
|
||||
0 length value is perfectly fine, and should result in just length
|
||||
added into the packet.
|
||||
Currently, for 0 length value we just break out of loop, and don't add
|
||||
any value.
|
||||
This means, that if first characetristic in response had 0 length, we
|
||||
would return empty packet.
|
||||
|
||||
Ignore-AOSP-First: security fix
|
||||
Test: mma -j32;
|
||||
Bug: 352696105
|
||||
Bug: 356886209
|
||||
Flag: exempt, obvious logic fix
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:167573989a2a11a71af1289615692c360c14bddf)
|
||||
Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
|
||||
Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
|
||||
---
|
||||
stack/gatt/gatt_sr.cc | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
|
||||
index c0c1486af0..d94221682d 100644
|
||||
--- a/stack/gatt/gatt_sr.cc
|
||||
+++ b/stack/gatt/gatt_sr.cc
|
||||
@@ -180,7 +180,7 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
|
||||
|
||||
len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
|
||||
|
||||
- if (len == 0) {
|
||||
+ if (total_len == mtu && p_rsp->attr_value.len > 0) {
|
||||
VLOG(1) << "Buffer space not enough for this data item, skipping";
|
||||
break;
|
||||
}
|
@ -0,0 +1,43 @@
|
||||
From aff29339e466060263340cee43e16fbfc767d57f Mon Sep 17 00:00:00 2001
|
||||
From: Brian Delwiche <delwiche@google.com>
|
||||
Date: Mon, 8 Jul 2024 22:42:18 +0000
|
||||
Subject: [PATCH] Fix OOB write in build_read_multi_rsp of gatt_sr.cc
|
||||
|
||||
build_read_multi_rsp is missing a bounds check, which can lead to an
|
||||
OOB write when the mtu parameter is set to zero.
|
||||
|
||||
Add that bounds check.
|
||||
|
||||
Bug: 323850943
|
||||
Test: atest GattSrTest
|
||||
Test: researcher POC
|
||||
Tag: #security
|
||||
Flag: EXEMPT trivial validity checks
|
||||
Ignore-AOSP-First: Security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c177fdbd6189a114239e11e2713740b5a50624e1)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f7171d31e247e3367b302374a3a0cf671f50ffcd)
|
||||
Merged-In: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
|
||||
Change-Id: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
|
||||
---
|
||||
stack/gatt/gatt_sr.cc | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
|
||||
index ee5059b92..64167ab97 100644
|
||||
--- a/stack/gatt/gatt_sr.cc
|
||||
+++ b/stack/gatt/gatt_sr.cc
|
||||
@@ -136,6 +136,14 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
|
||||
/* Wait till we get all the responses */
|
||||
if (fixed_queue_length(p_cmd->multi_rsp_q) ==
|
||||
p_cmd->multi_req.num_handles) {
|
||||
+
|
||||
+ // We need at least one extra byte for the opcode
|
||||
+ if (mtu == 0) {
|
||||
+ LOG(ERROR) << "Invalid MTU";
|
||||
+ p_cmd->status = GATT_ILLEGAL_PARAMETER;
|
||||
+ return (true);
|
||||
+ }
|
||||
+
|
||||
len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
|
||||
p_buf = (BT_HDR*)osi_calloc(len);
|
||||
p_buf->offset = L2CAP_MIN_OFFSET;
|
@ -0,0 +1,73 @@
|
||||
From e0b5d40517e5f89c1570fa9726835e3fbce89e56 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Thu, 27 Jul 2023 04:09:04 +0000
|
||||
Subject: [PATCH] Fix an integer underflow in build_read_multi_rsp
|
||||
|
||||
This is a backport of Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
|
||||
to sc-dev
|
||||
|
||||
Bug: 273874525
|
||||
Test: manual
|
||||
Ignore-AOSP-First: security
|
||||
Tag: #security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d5f27984f4ca265f28a4adf5835b0198a3e19aed)
|
||||
Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
|
||||
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
|
||||
---
|
||||
stack/gatt/gatt_sr.cc | 27 ++++++++++++++++-----------
|
||||
1 file changed, 16 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
|
||||
index 64167ab97..309c71114 100644
|
||||
--- a/stack/gatt/gatt_sr.cc
|
||||
+++ b/stack/gatt/gatt_sr.cc
|
||||
@@ -21,7 +21,7 @@
|
||||
* this file contains the GATT server functions
|
||||
*
|
||||
******************************************************************************/
|
||||
-
|
||||
+#include <algorithm>
|
||||
#include "bt_target.h"
|
||||
#include "bt_utils.h"
|
||||
#include "osi/include/osi.h"
|
||||
@@ -171,9 +171,21 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
|
||||
}
|
||||
|
||||
if (p_rsp != NULL) {
|
||||
- total_len = (p_buf->len + p_rsp->attr_value.len);
|
||||
+ total_len = p_buf->len;
|
||||
|
||||
if (total_len > mtu) {
|
||||
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
|
||||
+
|
||||
+ if (len == 0) {
|
||||
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (len < p_rsp->attr_value.len) {
|
||||
/* just send the partial response for the overflow case */
|
||||
len = p_rsp->attr_value.len - (total_len - mtu);
|
||||
is_overflow = true;
|
||||
@@ -185,15 +197,8 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
|
||||
}
|
||||
|
||||
if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
|
||||
- // check for possible integer overflow
|
||||
- if (p_buf->len + len <= UINT16_MAX) {
|
||||
- memcpy(p, p_rsp->attr_value.value, len);
|
||||
- if (!is_overflow) p += len;
|
||||
- p_buf->len += len;
|
||||
- } else {
|
||||
- p_cmd->status = GATT_NOT_FOUND;
|
||||
- break;
|
||||
- }
|
||||
+ ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);
|
||||
+ p_buf->len += (uint16_t) len;
|
||||
} else {
|
||||
p_cmd->status = GATT_NOT_FOUND;
|
||||
break;
|
@ -0,0 +1,37 @@
|
||||
From 2f3d8b20b8211999d7758c7bb0e868fe46eea540 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jakub=20Paw=C5=82owski?= <jpawlowski@google.com>
|
||||
Date: Thu, 1 Aug 2024 14:12:58 +0000
|
||||
Subject: [PATCH] Fix "GATT Read Multiple Variable Response" builder
|
||||
|
||||
0 length value is perfectly fine, and should result in just length
|
||||
added into the packet.
|
||||
Currently, for 0 length value we just break out of loop, and don't add
|
||||
any value.
|
||||
This means, that if first characetristic in response had 0 length, we
|
||||
would return empty packet.
|
||||
|
||||
Ignore-AOSP-First: security fix
|
||||
Test: mma -j32;
|
||||
Bug: 352696105
|
||||
Bug: 356886209
|
||||
Flag: exempt, obvious logic fix
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:167573989a2a11a71af1289615692c360c14bddf)
|
||||
Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
|
||||
Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
|
||||
---
|
||||
stack/gatt/gatt_sr.cc | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
|
||||
index 309c71114..c25875442 100644
|
||||
--- a/stack/gatt/gatt_sr.cc
|
||||
+++ b/stack/gatt/gatt_sr.cc
|
||||
@@ -180,7 +180,7 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
|
||||
|
||||
len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
|
||||
|
||||
- if (len == 0) {
|
||||
+ if (total_len == mtu && p_rsp->attr_value.len > 0) {
|
||||
VLOG(1) << "Buffer space not enough for this data item, skipping";
|
||||
break;
|
||||
}
|
@ -0,0 +1,42 @@
|
||||
From 38f463ffa95d46bb7a56caefe12f7ed96adbf856 Mon Sep 17 00:00:00 2001
|
||||
From: Anna Bauza <annabauza@google.com>
|
||||
Date: Thu, 14 Nov 2024 18:58:26 +0100
|
||||
Subject: [PATCH] [PATCH] fix: Security Report - Reveal images across users via
|
||||
EditUserPhotoController
|
||||
|
||||
This functionality has implemented tests on t+ branches.
|
||||
|
||||
Bug: 296915959
|
||||
Test: N/A
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ae74e70c36ec027dd55164880d8b7225be4c85a3)
|
||||
Merged-In: If79af734432b14be74815a47e1026dc8369a304f
|
||||
Change-Id: If79af734432b14be74815a47e1026dc8369a304f
|
||||
---
|
||||
.../android/settings/users/EditUserPhotoController.java | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/com/android/settings/users/EditUserPhotoController.java b/src/com/android/settings/users/EditUserPhotoController.java
|
||||
index f1831f7120b..d836d2687bc 100644
|
||||
--- a/src/com/android/settings/users/EditUserPhotoController.java
|
||||
+++ b/src/com/android/settings/users/EditUserPhotoController.java
|
||||
@@ -18,6 +18,7 @@
|
||||
|
||||
import android.app.Activity;
|
||||
import android.content.ClipData;
|
||||
+import android.content.ContentProvider;
|
||||
import android.content.ContentResolver;
|
||||
import android.content.Context;
|
||||
import android.content.Intent;
|
||||
@@ -131,6 +132,12 @@ public boolean onActivityResult(int requestCode, int resultCode, Intent data) {
|
||||
return false;
|
||||
}
|
||||
|
||||
+ final int currentUserId = UserHandle.myUserId();
|
||||
+ if (currentUserId != ContentProvider.getUserIdFromUri(pictureUri, currentUserId)) {
|
||||
+ Log.e(TAG, "Invalid pictureUri: " + pictureUri);
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
switch (requestCode) {
|
||||
case REQUEST_CODE_CROP_PHOTO:
|
||||
onPhotoCropped(pictureUri, true);
|
@ -95,7 +95,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
|
||||
sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
||||
awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
|
||||
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
|
||||
sed -i 's/2023-02-05/2024-11-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-11
|
||||
sed -i 's/2023-02-05/2024-12-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-12
|
||||
fi;
|
||||
|
||||
if enterAndClear "build/soong"; then
|
||||
@ -175,6 +175,9 @@ fi;
|
||||
|
||||
if enterAndClear "external/skia"; then
|
||||
applyPatch "$DOS_PATCHES/android_external_skia/410984.patch"; #Q_asb_2024-11 Avoid potential overflow when allocating 3D mask from emboss filter
|
||||
applyPatch "$DOS_PATCHES/android_external_skia/411484-backport.patch"; #R_asb_2024-12 [pdf] Bounds check in skia_alloc_func
|
||||
applyPatch "$DOS_PATCHES/android_external_skia/411485.patch"; #R_asb_2024-12 Check for size overflow before allocating SkMask data
|
||||
applyPatch "$DOS_PATCHES/android_external_skia/411486.patch"; #R_asb_2024-12 Prevent overflow when growing an SkRegion's RunArray
|
||||
fi;
|
||||
|
||||
if enterAndClear "external/sonivox"; then
|
||||
@ -342,6 +345,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/410988.patch"; #Q_asb_2024-11 F
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/410989.patch"; #Q_asb_2024-11 Set no data transfer on function switch timeout for accessory mode
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/410990.patch"; #Q_asb_2024-11 Disallow device admin package and protected packages to be reinstalled as instant.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/410991.patch"; #Q_asb_2024-11 Clear app-provided shortcut icons
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/411487.patch"; #R_asb_2024-12 Properly handle onNullBinding() in appwidget service.
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
|
||||
@ -693,6 +697,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/403317.patch"; #Q_asb_2024-09 Disallo
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/408530.patch"; #Q_asb_2024-10 Add privatize option for bluetooth addresses for logging
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/408531.patch"; #Q_asb_2024-10 Add btif/include/btif_hh::btif_hh_status_text
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/408532.patch"; #Q_asb_2024-10 Disallow unexpected incoming HID connections 1/2
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/411488.patch"; #R_asb_2024-12 Fix OOB write in build_read_multi_rsp of gatt_sr.cc
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/411489.patch"; #R_asb_2024-12 Fix an integer underflow in build_read_multi_rsp
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/411490.patch"; #R_asb_2024-12 Fix "GATT Read Multiple Variable Response" builder
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
|
||||
#applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
|
||||
#applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
|
||||
@ -821,6 +828,9 @@ applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403327.patch";
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/408535.patch"; #Q_asb_2024-10 Add privatize option for bluetooth addresses for logging
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/408535.patch"; #Q_asb_2024-10 Add btif/include/btif_hh::btif_hh_status_text
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/408536.patch"; #Q_asb_2024-10 Disallow unexpected incoming HID connections 1/2
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/411491.patch"; #R_asb_2024-12 Fix OOB write in build_read_multi_rsp of gatt_sr.cc
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/411492.patch"; #R_asb_2024-12 Fix an integer underflow in build_read_multi_rsp
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/411493.patch"; #R_asb_2024-12 Fix "GATT Read Multiple Variable Response" builder
|
||||
fi;
|
||||
|
||||
if enterAndClear "vendor/lineage"; then
|
||||
|
@ -397,6 +397,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/405534.patch"; #R_asb_20
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/408449.patch"; #R_asb_2024-11 Stops hiding a11y services with the same package+label as an activity.
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/408450.patch"; #R_asb_2024-11 startActivityForResult with new Intent
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/408451.patch"; #R_asb_2024-11 Checks cross user permission before handling intent
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/410993.patch"; #Q_asb_2024-11 fix: Security Report - Reveal images across users via EditUserPhotoController
|
||||
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle-gos.patch"; #Add option to disable captive portal checks (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0003-Remove_SensorsOff_Tile.patch"; #Remove the Sensors Off development tile (DivestOS)
|
||||
|
Loading…
Reference in New Issue
Block a user