17.1: October 2024 ASB work

Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
Tavi 2024-10-16 20:23:44 -04:00
parent 717d916263
commit 52fd08c2f1
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
13 changed files with 1283 additions and 1 deletions


@ -0,0 +1,32 @@
From b0aee0b8b81d776e7c3234f7b340a856d138e4c4 Mon Sep 17 00:00:00 2001
From: Dmitry Dementyev <dementyev@google.com>
Date: Thu, 11 Jul 2024 12:39:22 -0700
Subject: [PATCH] Update AccountManagerService checkKeyIntent.
Block intents with "content" data scheme.
Bug: 349780950
Test: manual
Flag: EXEMPT bugfix
(cherry picked from commit c1e79495a49bd4d3e380136fe4bca7ac1a9ed763)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59b2cc4447fbbdea58840f5b9d885d83241ac5f5)
Merged-In: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c
Change-Id: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c
---
.../com/android/server/accounts/AccountManagerService.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index 37a68d3eec76c..fb79904a5b3a8 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -4812,6 +4812,9 @@ protected boolean checkKeyIntent(int authUid, Bundle bundle) {
if (resolveInfo == null) {
return false;
}
+ if ("content".equals(intent.getScheme())) {
+ return false;
+ }
ActivityInfo targetActivityInfo = resolveInfo.activityInfo;
int targetUid = targetActivityInfo.applicationInfo.uid;
PackageManagerInternal pmi = LocalServices.getService(PackageManagerInternal.class);
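Review bot: The added guard `if ("content".equals(intent.getScheme()))` inspects only the scheme of the intent's data URI, so content URIs carried elsewhere in the same intent — in its ClipData or in extras such as EXTRA_STREAM — are not rejected; if the purpose is to keep an authenticator-supplied intent from conveying a content-provider grant, those carriers presumably need the same treatment (for instance also returning false when `intent.getClipData() != null`, if no legitimate authenticator sets it). `checkKeyIntent` starts and ends outside this hunk, so whether grant flags are stripped or other URI carriers are checked later cannot be confirmed from here. A one-line comment stating the reason, such as `// Reject content: URIs so an authenticator cannot smuggle a content-provider grant through this intent (b/349780950)`, would help the next reader, and "Test: manual" suggests a regression test for this path is still missing.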


@ -0,0 +1,30 @@
From f31bdd9c6658dfb932eea857f17cc2d21124031e Mon Sep 17 00:00:00 2001
From: William Loh <wloh@google.com>
Date: Mon, 3 Jun 2024 12:56:47 -0700
Subject: [PATCH] Fail parseUri if end is missing
Bug: 318683126
Test: atest IntentTest
Flag: EXEMPT bugfix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b85bee508793e31d6fe37fc9cd4e8fa3787113cc)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d754ed6dd1fd321746f5ec4742831ffd97a9967)
Merged-In: I5f619ced684ff505ce2b7408cd35dd3e9be89dea
Change-Id: I5f619ced684ff505ce2b7408cd35dd3e9be89dea
---
core/java/android/content/Intent.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java
index 24d59a0826c85..4ea29407f352f 100644
--- a/core/java/android/content/Intent.java
+++ b/core/java/android/content/Intent.java
@@ -7053,6 +7053,9 @@ public static Intent parseUri(String uri, @UriFlags int flags) throws URISyntaxE
int eq = uri.indexOf('=', i);
if (eq < 0) eq = i-1;
int semi = uri.indexOf(';', i);
+ if (semi < 0) {
+ throw new URISyntaxException(uri, "uri end not found");
+ }
String value = eq < semi ? Uri.decode(uri.substring(eq + 1, semi)) : "";
// action
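Review bot: The new `if (semi < 0)` check only covers the field parsed at this point of the loop; the loop body begins before the hunk and continues after it, and if other fields in `parseUri` use the same `indexOf(';', i)` idiom they would need the same guard, so it is worth confirming they are covered rather than only this one. The thrown `URISyntaxException(uri, "uri end not found")` embeds the whole input in the exception message, which is presumably consistent with the existing throws in this method but means an untrusted URI may reach logs verbatim — likely acceptable here, just noting it. The message itself could name the missing terminator, e.g. `throw new URISyntaxException(uri, "missing ';' terminator for intent field");`.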


@ -0,0 +1,39 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Mark Renouf <mrenouf@google.com>
Date: Thu, 20 Jun 2024 16:37:42 -0400
Subject: [PATCH] Prevent Sharing when FRP enforcement is in effect
ADB command to trigger sharing:
```
adb shell 'am start -a android.intent.action.CHOOSER --eu android.intent.extra.INTENT "intent:#Intent;action=android.intent.action.SEND;type=text/plain;S.android.intent.extra.TEXT=Shared%20text;end"'
```
Bug: 327645387
Test: manual; trigger FRP; attempt to open share sheet using adb
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5080af26387a18d5638d5a42eadfb8d4d700518c)
Merged-In: I1db78ab74babe71b516f601be35cf476b5e43271
Change-Id: I1db78ab74babe71b516f601be35cf476b5e43271
---
core/java/com/android/internal/app/ChooserActivity.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/core/java/com/android/internal/app/ChooserActivity.java b/core/java/com/android/internal/app/ChooserActivity.java
index 2e17dce90240..300e1053cc16 100644
--- a/core/java/com/android/internal/app/ChooserActivity.java
+++ b/core/java/com/android/internal/app/ChooserActivity.java
@@ -525,6 +525,14 @@ public class ChooserActivity extends ResolverActivity {
@Override
protected void onCreate(Bundle savedInstanceState) {
+ if (Settings.Secure.getIntForUser(getContentResolver(),
+ Settings.Secure.SECURE_FRP_MODE, 0,
+ getUserId()) == 1) {
+ Log.e(TAG, "Sharing disabled due to active FRP lock.");
+ super.onCreate(savedInstanceState);
+ finish();
+ return;
+ }
final long intentReceivedTime = System.currentTimeMillis();
// This is the only place this value is being set. Effectively final.
mIsAppPredictorComponentAvailable = isAppPredictionServiceAvailable();
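Review bot: The FRP gate reads `Settings.Secure.SECURE_FRP_MODE` for `getUserId()` only; if the FRP flag is written solely for the system user while the chooser can be started on behalf of another user, the per-user read would not see it — worth confirming, or reading it for the owner user explicitly. The `super.onCreate(savedInstanceState)` before `finish()` is required by the Activity lifecycle but not obvious at a glance; a comment such as `// Activity contract: super.onCreate() must run before finish()` would prevent a future reorder. `Log.e` also reads as a failure for what is an intended policy decision; `Log.w` is the more accurate level.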


@ -0,0 +1,39 @@
From 5fe06ebbd23db602bb46ba51a7e40711d7823be6 Mon Sep 17 00:00:00 2001
From: Sumedh Sen <sumedhsen@google.com>
Date: Wed, 17 Jul 2024 01:00:55 +0000
Subject: [PATCH] [RESTRICT AUTOMERGE] Check whether installerPackageName
contains only valid characters
Bug: 341256391
Bug: 307532206
Test: sts-tradefed run sts-dynamic-develop -m CtsSecurityTestCases -t android.security.cts.CVE_2024_0044
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9b850b6f68e63288f240439601723412324381bb)
Merged-In: I74a172c617d6f5b13f0708092156b657b73b5891
Change-Id: I74a172c617d6f5b13f0708092156b657b73b5891
---
.../com/android/server/pm/PackageInstallerService.java | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/pm/PackageInstallerService.java b/services/core/java/com/android/server/pm/PackageInstallerService.java
index 7e67021e3b847..ab8cc4c8d6697 100644
--- a/services/core/java/com/android/server/pm/PackageInstallerService.java
+++ b/services/core/java/com/android/server/pm/PackageInstallerService.java
@@ -580,12 +580,17 @@ private int createSessionInternal(SessionParams params, String installerPackageN
params.appLabel = TextUtils.trimToSize(params.appLabel,
PackageItemInfo.MAX_SAFE_LABEL_LENGTH);
- // Validate installer package name.
+ // Validate requested installer package name.
if (params.installerPackageName != null && !isValidPackageName(
params.installerPackageName)) {
params.installerPackageName = null;
}
+ // Validate installer package name.
+ if (installerPackageName != null && !isValidPackageName(installerPackageName)) {
+ installerPackageName = null;
+ }
+
String requestedInstallerPackageName =
params.installerPackageName != null ? params.installerPackageName
: installerPackageName;
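Review bot: An invalid caller-supplied `installerPackageName` is now silently replaced at `installerPackageName = null;`, so a malformed identity string (the CVE-2024-0044 vector referenced in the test line) is dropped without any trace and the session proceeds with whatever meaning a null installer has further down — `createSessionInternal` continues outside the hunk, so that fallback cannot be checked here. Consider logging that the value was discarded (not the raw string, which is the untrusted input) with the file's usual logger, or rejecting the request outright if a null installer is never expected from a real caller. The two comments `// Validate requested installer package name.` for the `params` field and `// Validate installer package name.` for the method parameter are easy to confuse; `// Validate the caller-provided installer package name.` for the latter would make the distinction explicit.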


@ -0,0 +1,53 @@
From 1e0f995b0b68d811d4225e73426c4c6350a506ad Mon Sep 17 00:00:00 2001
From: Almaz Mingaleev <mingaleev@google.com>
Date: Wed, 10 Jul 2024 13:38:35 +0100
Subject: [PATCH] Do not accept zip files with invalid headers.
According to Section 4.3.6 in [1] non-empty zip file starts with
local file header. 4.3.1 allows empty files, and in such case
file starts with "end of central directory record".
This aligns ZipFile with libziparchive modulo empty zip files -
libziparchive rejects them.
Tests are skipped because sc-dev branch uses ART module
prebuilts, but builds tests from sources which leads to presubmit
failures.
Ignore-AOSP-First: b/309938635#comment1
[1] https://pkwaredownloads.blob.core.windows.net/pem/APPNOTE.txt
Bug: 309938635
Test: CtsLibcoreTestCases
Test: CtsLibcoreOjTestCases
(cherry picked from commit 288a44a1817707110cdf5a3a6ef8377c6e10cce2)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:43e428a99aa89a9dfbe93000171721ecbfc31b88)
Merged-In: I545cdd49ec3cc138331145f4716c8148662a478b
Change-Id: I545cdd49ec3cc138331145f4716c8148662a478b
---
ojluni/src/main/native/zip_util.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/ojluni/src/main/native/zip_util.c b/ojluni/src/main/native/zip_util.c
index aa9c5cede9e..16951a78ede 100644
--- a/ojluni/src/main/native/zip_util.c
+++ b/ojluni/src/main/native/zip_util.c
@@ -878,6 +878,17 @@ ZIP_Put_In_Cache0(const char *name, ZFILE zfd, char **pmsg, jlong lastModified,
zip->locsig = JNI_TRUE;
else
zip->locsig = JNI_FALSE;
+
+ // BEGIN Android-changed: do not accept files with invalid header.
+ if (GETSIG(errbuf) != LOCSIG && GETSIG(errbuf) != ENDSIG) {
+ if (pmsg) {
+ *pmsg = strdup("Entry at offset zero has invalid LFH signature.");
+ }
+ ZFILE_Close(zfd);
+ freeZip(zip);
+ return NULL;
+ }
+ // END Android-changed: do not accept files with invalid header.
}
// This lseek is safe because it happens during construction of the ZipFile
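Review bot: The new signature check sits inside a conditional block whose header is outside the hunk (the `}` on the last line closes it), which from context looks like the branch taken only when the first four bytes could be read; a file shorter than four bytes would then bypass this check entirely, so confirm the later length handling rejects it rather than letting it through with `locsig` false. `strdup` can return NULL, so `*pmsg` may be NULL on this error path — presumably handled the same way as the existing error paths, but callers must not assume it is set. The message `"Entry at offset zero has invalid LFH signature."` is also slightly misleading given that an end-of-central-directory record is accepted at offset zero; `"Invalid zip file: first record is neither a local file header nor an end-of-central-directory record."` describes the condition actually tested.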


@ -0,0 +1,84 @@
From 6799e4b038c33ce3fd175749ebdea69379a5489f Mon Sep 17 00:00:00 2001
From: Himanshu Rawat <rwt@google.com>
Date: Mon, 8 Apr 2024 19:44:45 +0000
Subject: [PATCH] RESTRICT AUTOMERGE Disallow unexpected incoming HID
connections 2/2
HID profile accepted any new incoming HID connection. Even when the
connection policy disabled HID connection, remote devices could initiate
HID connection.
This change ensures that incoming HID connection are accepted only if
application was interested in that HID connection.
This vulnerarbility no longer exists on the main because of feature
request b/324093729.
Test: Manual | Pair and connect a HID device, disable HID connection
from Bluetooth device setting, attempt to connect from the HID device.
Bug: 308429049
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fc87e65eb3d70f051e2902d3e81ce6587ab1a96)
Merged-In: I1d7e886b1045d026f96c8274aca86dc499f87777
Change-Id: I1d7e886b1045d026f96c8274aca86dc499f87777
---
jni/com_android_bluetooth_hid_host.cpp | 8 +++++---
src/com/android/bluetooth/hid/HidHostService.java | 7 +++++--
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/jni/com_android_bluetooth_hid_host.cpp b/jni/com_android_bluetooth_hid_host.cpp
index cab5e3361..22c7dcfe8 100644
--- a/jni/com_android_bluetooth_hid_host.cpp
+++ b/jni/com_android_bluetooth_hid_host.cpp
@@ -284,7 +284,8 @@ static jboolean connectHidNative(JNIEnv* env, jobject object,
}
static jboolean disconnectHidNative(JNIEnv* env, jobject object,
- jbyteArray address) {
+ jbyteArray address,
+ jboolean reconnect_allowed) {
jbyte* addr;
jboolean ret = JNI_TRUE;
if (!sBluetoothHidInterface) return JNI_FALSE;
@@ -295,7 +296,8 @@ static jboolean disconnectHidNative(JNIEnv* env, jobject object,
return JNI_FALSE;
}
- bt_status_t status = sBluetoothHidInterface->disconnect((RawAddress*)addr);
+ bt_status_t status =
+ sBluetoothHidInterface->disconnect((RawAddress*)addr, reconnect_allowed);
if (status != BT_STATUS_SUCCESS) {
ALOGE("Failed disconnect hid channel, status: %d", status);
ret = JNI_FALSE;
@@ -511,7 +513,7 @@ static JNINativeMethod sMethods[] = {
{"initializeNative", "()V", (void*)initializeNative},
{"cleanupNative", "()V", (void*)cleanupNative},
{"connectHidNative", "([B)Z", (void*)connectHidNative},
- {"disconnectHidNative", "([B)Z", (void*)disconnectHidNative},
+ {"disconnectHidNative", "([BZ)Z", (void*)disconnectHidNative},
{"getProtocolModeNative", "([B)Z", (void*)getProtocolModeNative},
{"virtualUnPlugNative", "([B)Z", (void*)virtualUnPlugNative},
{"setProtocolModeNative", "([BB)Z", (void*)setProtocolModeNative},
diff --git a/src/com/android/bluetooth/hid/HidHostService.java b/src/com/android/bluetooth/hid/HidHostService.java
index 10d414d46..ed35c2908 100644
--- a/src/com/android/bluetooth/hid/HidHostService.java
+++ b/src/com/android/bluetooth/hid/HidHostService.java
@@ -161,7 +161,10 @@ public void handleMessage(Message msg) {
break;
case MESSAGE_DISCONNECT: {
BluetoothDevice device = (BluetoothDevice) msg.obj;
- if (!disconnectHidNative(Utils.getByteAddress(device))) {
+ int connectionPolicy = getConnectionPolicy(device);
+ boolean reconnectAllowed =
+ connectionPolicy == BluetoothProfile.CONNECTION_POLICY_ALLOWED;
+ if (!disconnectHidNative(Utils.getByteAddress(device), reconnectAllowed)) {
broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTING);
broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTED);
break;
@@ -934,7 +937,7 @@ public void dump(StringBuilder sb) {
private native boolean connectHidNative(byte[] btAddress);
- private native boolean disconnectHidNative(byte[] btAddress);
+ private native boolean disconnectHidNative(byte[] btAddress, boolean reconnectAllowed);
private native boolean getProtocolModeNative(byte[] btAddress);
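Review bot: `reconnectAllowed` is true only when `getConnectionPolicy(device)` equals `CONNECTION_POLICY_ALLOWED`, so a device whose policy is still `CONNECTION_POLICY_UNKNOWN` at `MESSAGE_DISCONNECT` will have incoming reconnections persistently disabled on the native side (the companion 1/2 patch writes `HidReConnectAllowed` to config when `reconnect_allowed` is false) until an outgoing `connect()` re-enables it. Failing closed is the right default for a security fix, but if UNKNOWN is a real state for a bonded HID device at that point a routine disconnect would silently break reconnection; confirm that it cannot be, and otherwise decide explicitly whether UNKNOWN should map to allowed. A comment next to the assignment stating the policy-to-flag mapping, e.g. `// Only an explicitly allowed policy keeps incoming HID reconnections enabled (b/308429049)`, would make the intent visible from the Java side alone.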


@ -0,0 +1,52 @@
From da6ee7b698b7d4c4cbe56c70027904268b72d0f1 Mon Sep 17 00:00:00 2001
From: Yiling Chuang <emilychuang@google.com>
Date: Mon, 8 Jul 2024 03:09:50 +0000
Subject: [PATCH] RESTRICT AUTOMERGE FRP bypass defense in App battery usage
page
Before the setup flow completion, don't allow the app info page in App battery usage to be launched.
Bug: 327748846
Test: atest SettingsRoboTests + manual test
- factory reset + launch app battery usage app info via ADB during Setup -> verify app closes
Flag : EXEMPT bugfix
(cherry picked from commit 419a6a907902a12a0f565c808fa70092004d6686)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b0014ed6e69b0abc48a5c18b740f95bc5dc429)
Merged-In: I486820ca2afecc02729a56a3c531fb931c1907d0
Change-Id: I486820ca2afecc02729a56a3c531fb931c1907d0
---
.../android/settings/fuelgauge/AdvancedPowerUsageDetail.java | 5 +++++
.../settings/fuelgauge/AdvancedPowerUsageDetailTest.java | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java
index e8d5f3330f2..d17642053e7 100644
--- a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java
+++ b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java
@@ -210,6 +210,11 @@ public void onResume() {
initPreference();
}
+ @Override
+ protected boolean shouldSkipForInitialSUW() {
+ return true;
+ }
+
@VisibleForTesting
void initHeader() {
final View appSnippet = mHeaderPreference.findViewById(R.id.entity_header);
diff --git a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java
index 8eeac8d26b0..37fa511beeb 100644
--- a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java
+++ b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java
@@ -395,4 +395,9 @@ public void testInitPreference_hasCorrectSummary() {
assertThat(mForegroundPreference.getSummary().toString()).isEqualTo("Used for 0 min");
assertThat(mBackgroundPreference.getSummary().toString()).isEqualTo("Active for 0 min");
}
+
+ @Test
+ public void shouldSkipForInitialSUW_returnTrue() {
+ assertThat(mFragment.shouldSkipForInitialSUW()).isTrue();
+ }
}
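Review bot: The override `shouldSkipForInitialSUW` carries no comment explaining why this fragment in particular must be skipped during the initial setup wizard, so a future cleanup could drop it as apparently dead code; a Javadoc such as `/** FRP-bypass defense: this page must not be reachable before setup completes (b/327748846). */` keeps the reason with the code. The new test only pins the return value and not that the fragment actually finishes when launched during SUW, so the enforcement itself (in the base class, outside this hunk) remains untested here. The test name `shouldSkipForInitialSUW_returnTrue` also reads better as `shouldSkipForInitialSUW_returnsTrue`, matching the sibling test's `method_hasExpectedResult` style.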


@ -0,0 +1,56 @@
From 935b7a26fa502de27c0cd3c97a05381319e8f22c Mon Sep 17 00:00:00 2001
From: Chris Manton <cmanton@google.com>
Date: Sun, 14 Mar 2021 09:52:19 -0700
Subject: [PATCH] Add btif/include/btif_hh::btif_hh_status_text
Toward loggable code
Bug: 163134718
Test: gd/cert/run
Tag: #refactor
BYPASS_LONG_LINES_REASON: Bluetooth likes 120 lines
Change-Id: Iab6a4f33a3e498c33f4870abc5abd59e073d03f2
---
btif/include/btif_hh.h | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/btif/include/btif_hh.h b/btif/include/btif_hh.h
index b71d347c1a7..f33598d2f19 100644
--- a/btif/include/btif_hh.h
+++ b/btif/include/btif_hh.h
@@ -46,7 +46,7 @@
* Type definitions and return values
******************************************************************************/
-typedef enum {
+typedef enum : unsigned {
BTIF_HH_DISABLED = 0,
BTIF_HH_ENABLED,
BTIF_HH_DISABLING,
@@ -56,6 +56,25 @@ typedef enum {
BTIF_HH_DEV_DISCONNECTED
} BTIF_HH_STATUS;
+#define CASE_RETURN_TEXT(code) \
+ case code: \
+ return #code
+
+inline std::string btif_hh_status_text(const BTIF_HH_STATUS& status) {
+ switch (status) {
+ CASE_RETURN_TEXT(BTIF_HH_DISABLED);
+ CASE_RETURN_TEXT(BTIF_HH_ENABLED);
+ CASE_RETURN_TEXT(BTIF_HH_DISABLING);
+ CASE_RETURN_TEXT(BTIF_HH_DEV_UNKNOWN);
+ CASE_RETURN_TEXT(BTIF_HH_DEV_CONNECTING);
+ CASE_RETURN_TEXT(BTIF_HH_DEV_CONNECTED);
+ CASE_RETURN_TEXT(BTIF_HH_DEV_DISCONNECTED);
+ default:
+ return std::string("UNKNOWN[%hhu]", status);
+ }
+}
+#undef CASE_RETURN_TEXT
+
typedef struct {
bthh_connection_state_t dev_status;
uint8_t dev_handle;
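Review bot: The `default:` branch `return std::string("UNKNOWN[%hhu]", status);` does not format anything: `std::string(const char*, size_type)` copies the first `status` characters of the literal, so this yields a truncated string for small values and an out-of-bounds read past the 13-character literal for larger ones (and `%hhu` would be the wrong specifier for an `unsigned`-backed enum anyway). Since this helper is what the HID security patch in this same commit calls from `btif_hh_connection_allowed`, the bug is reachable from logging on that code path. A one-line fix that needs only `<string>`, which the `std::string` return type already requires: `return "UNKNOWN[" + std::to_string(static_cast<unsigned>(status)) + "]";`.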


@ -0,0 +1,369 @@
From 1017cfa02f11db8d077d5d7a32dd46da7c8b050b Mon Sep 17 00:00:00 2001
From: Himanshu Rawat <rwt@google.com>
Date: Mon, 8 Apr 2024 19:42:21 +0000
Subject: [PATCH] [BACKPORT] Disallow unexpected incoming HID connections 1/2
HID profile accepted any new incoming HID connection. Even when the
connection policy disabled HID connection, remote devices could initiate
HID connection.
This change ensures that incoming HID connection are accepted only if
application was interested in that HID connection.
This vulnerarbility no longer exists on the main because of feature
request b/324093729.
Test: Manual | Pair and connect a HID device, disable HID connection
from Bluetooth device setting, attempt to connect from the HID device.
Bug: 308429049
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:18c635ad7923f5c26d6cd4cf7f7c66b2fa02462b)
Merged-In: I6e9db983e752dd498625078c13b736cd4c668806
Change-Id: I6e9db983e752dd498625078c13b736cd4c668806
---
btif/include/btif_hh.h | 4 +-
btif/include/btif_storage.h | 23 ++++++++++
btif/src/btif_hh.cc | 87 ++++++++++++++++++++++++++++++++++---
btif/src/btif_storage.cc | 53 +++++++++++++++++++++-
include/hardware/bt_hh.h | 2 +-
5 files changed, 161 insertions(+), 8 deletions(-)
diff --git a/btif/include/btif_hh.h b/btif/include/btif_hh.h
index f33598d2f19..f93341d89f1 100644
--- a/btif/include/btif_hh.h
+++ b/btif/include/btif_hh.h
@@ -97,6 +97,7 @@ typedef struct {
uint8_t dev_handle;
RawAddress bd_addr;
tBTA_HH_ATTR_MASK attr_mask;
+ bool reconnect_allowed;
} btif_hh_added_device_t;
/**
@@ -122,7 +123,8 @@ extern btif_hh_cb_t btif_hh_cb;
extern btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle);
extern void btif_hh_remove_device(RawAddress bd_addr);
extern bool btif_hh_add_added_dev(const RawAddress& bda,
- tBTA_HH_ATTR_MASK attr_mask);
+ tBTA_HH_ATTR_MASK attr_mask,
+ bool reconnect_allowed);
extern bt_status_t btif_hh_virtual_unplug(const RawAddress* bd_addr);
extern void btif_hh_disconnect(RawAddress* bd_addr);
extern void btif_hh_setreport(btif_hh_device_t* p_dev,
diff --git a/btif/include/btif_storage.h b/btif/include/btif_storage.h
index 1c1163d1428..362ffdc21bb 100644
--- a/btif/include/btif_storage.h
+++ b/btif/include/btif_storage.h
@@ -178,6 +178,29 @@ bt_status_t btif_storage_remove_bonded_device(const RawAddress* remote_bd_addr);
******************************************************************************/
bt_status_t btif_storage_load_bonded_devices(void);
+/*******************************************************************************
+ *
+ * Function btif_storage_set_hid_connection_policy
+ *
+ * Description Stores connection policy info in nvram
+ *
+ * Returns BT_STATUS_SUCCESS
+ *
+ ******************************************************************************/
+bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr,
+ bool reconnect_allowed);
+/*******************************************************************************
+ *
+ * Function btif_storage_get_hid_connection_policy
+ *
+ * Description get connection policy info from nvram
+ *
+ * Returns BT_STATUS_SUCCESS
+ *
+ ******************************************************************************/
+bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr,
+ bool* reconnect_allowed);
+
/*******************************************************************************
*
* Function btif_storage_add_hid_device_info
diff --git a/btif/src/btif_hh.cc b/btif/src/btif_hh.cc
index 97479e040ba..25fb151d260 100644
--- a/btif/src/btif_hh.cc
+++ b/btif/src/btif_hh.cc
@@ -42,6 +42,7 @@
#include "btif_storage.h"
#include "btif_util.h"
#include "l2c_api.h"
+#include "main/shim/dumpsys.h"
#include "osi/include/log.h"
#include "osi/include/osi.h"
@@ -334,6 +335,24 @@ btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle) {
return NULL;
}
+/*******************************************************************************
+ *
+ * Function btif_hh_find_added_dev
+ *
+ * Description Return the added device pointer of the specified address
+ *
+ * Returns Added device entry
+ ******************************************************************************/
+btif_hh_added_device_t* btif_hh_find_added_dev(const RawAddress& addr) {
+ for (int i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) {
+ btif_hh_added_device_t* added_dev = &btif_hh_cb.added_devices[i];
+ if (added_dev->bd_addr == addr) {
+ return added_dev;
+ }
+ }
+ return nullptr;
+}
+
/*******************************************************************************
*
* Function btif_hh_find_dev_by_bda
@@ -419,7 +438,8 @@ void btif_hh_start_vup_timer(const RawAddress* bd_addr) {
*
* Returns true if add successfully, otherwise false.
******************************************************************************/
-bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) {
+bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask,
+ bool reconnect_allowed) {
int i;
for (i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) {
if (btif_hh_cb.added_devices[i].bd_addr == bda) {
@@ -433,6 +453,7 @@ bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) {
btif_hh_cb.added_devices[i].bd_addr = bda;
btif_hh_cb.added_devices[i].dev_handle = BTA_HH_INVALID_HANDLE;
btif_hh_cb.added_devices[i].attr_mask = attr_mask;
+ btif_hh_cb.added_devices[i].reconnect_allowed = reconnect_allowed;
return true;
}
}
@@ -712,6 +733,23 @@ void btif_hh_getreport(btif_hh_device_t* p_dev, bthh_report_type_t r_type,
*
****************************************************************************/
+static bool btif_hh_connection_allowed(const RawAddress& bda) {
+ /* Accept connection only if reconnection is allowed for the known device, or
+ * outgoing connection was requested */
+ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(bda);
+ if (added_dev != nullptr && added_dev->reconnect_allowed) {
+ LOG_VERBOSE(LOG_TAG, "Connection allowed %s", PRIVATE_ADDRESS(bda));
+ return true;
+ } else if (btif_hh_cb.pending_conn_address == bda) {
+ LOG_VERBOSE(LOG_TAG, "Device connection was pending for: %s, status: %s",
+ PRIVATE_ADDRESS(bda),
+ btif_hh_status_text(btif_hh_cb.status).c_str());
+ return true;
+ }
+
+ return false;
+}
+
/*******************************************************************************
*
* Function btif_hh_upstreams_evt
@@ -770,9 +808,26 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
p_data->status);
break;
- case BTA_HH_OPEN_EVT:
+ case BTA_HH_OPEN_EVT: {
BTIF_TRACE_WARNING("%s: BTA_HH_OPN_EVT: handle=%d, status =%d", __func__,
p_data->conn.handle, p_data->conn.status);
+
+ if (!btif_hh_connection_allowed(p_data->conn.bda)) {
+ LOG_WARN(LOG_TAG, "Reject Incoming HID Connection, device: %s",
+ PRIVATE_ADDRESS(p_data->conn.bda));
+ btif_hh_device_t* p_dev =
+ btif_hh_find_connected_dev_by_handle(p_data->conn.handle);
+ if (p_dev != nullptr) {
+ p_dev->dev_status = BTHH_CONN_STATE_DISCONNECTED;
+ }
+
+ btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED;
+ BTA_HhClose(p_data->conn.handle);
+ HAL_CBACK(bt_hh_callbacks, connection_state_cb, &p_data->conn.bda,
+ BTHH_CONN_STATE_DISCONNECTED);
+ return;
+ }
+
btif_hh_cb.pending_conn_address = RawAddress::kEmpty;
if (p_data->conn.status == BTA_HH_OK) {
p_dev = btif_hh_find_connected_dev_by_handle(p_data->conn.handle);
@@ -831,6 +886,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED;
}
break;
+ }
case BTA_HH_CLOSE_EVT:
BTIF_TRACE_DEBUG("BTA_HH_CLOSE_EVT: status = %d, handle = %d",
@@ -983,7 +1039,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
p_data->dscp_info.version,
p_data->dscp_info.ctry_code, len,
p_data->dscp_info.descriptor.dsc_list);
- if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask)) {
+ if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask, true)) {
tBTA_HH_DEV_DSCP_INFO dscp_info;
bt_status_t ret;
btif_hh_copy_hid_info(&dscp_info, &p_data->dscp_info);
@@ -999,6 +1055,8 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
p_data->dscp_info.ssr_min_tout, len,
p_data->dscp_info.descriptor.dsc_list);
+ btif_storage_set_hid_connection_policy(p_dev->bd_addr, true);
+
ASSERTC(ret == BT_STATUS_SUCCESS, "storing hid info failed", ret);
BTIF_TRACE_WARNING("BTA_HH_GET_DSCP_EVT: Called add device");
@@ -1280,6 +1338,13 @@ static bt_status_t init(bthh_callbacks_t* callbacks) {
******************************************************************************/
static bt_status_t connect(RawAddress* bd_addr) {
if (btif_hh_cb.status != BTIF_HH_DEV_CONNECTING) {
+ /* If the device was already added, ensure that reconnections are allowed */
+ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr);
+ if (added_dev != nullptr && !added_dev->reconnect_allowed) {
+ added_dev->reconnect_allowed = true;
+ btif_storage_set_hid_connection_policy(*bd_addr, true);
+ }
+
btif_transfer_context(btif_hh_handle_evt, BTIF_HH_CONNECT_REQ_EVT,
(char*)bd_addr, sizeof(RawAddress), NULL);
return BT_STATUS_SUCCESS;
@@ -1296,7 +1361,7 @@ static bt_status_t connect(RawAddress* bd_addr) {
* Returns bt_status_t
*
******************************************************************************/
-static bt_status_t disconnect(RawAddress* bd_addr) {
+static bt_status_t disconnect(RawAddress* bd_addr, bool reconnect_allowed) {
CHECK_BTHH_INIT();
BTIF_TRACE_EVENT("BTHH: %s", __func__);
btif_hh_device_t* p_dev;
@@ -1306,6 +1371,17 @@ static bt_status_t disconnect(RawAddress* bd_addr) {
btif_hh_cb.status);
return BT_STATUS_FAIL;
}
+
+ if (!reconnect_allowed) {
+ LOG_INFO(LOG_TAG, "Incoming reconnections disabled for device %s",
+ PRIVATE_ADDRESS((*bd_addr)));
+ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr);
+ if (added_dev != nullptr && added_dev->reconnect_allowed) {
+ added_dev->reconnect_allowed = false;
+ btif_storage_set_hid_connection_policy(added_dev->bd_addr, false);
+ }
+ }
+
p_dev = btif_hh_find_connected_dev_by_bda(*bd_addr);
if (p_dev != NULL) {
return btif_transfer_context(btif_hh_handle_evt, BTIF_HH_DISCONNECT_REQ_EVT,
@@ -1437,9 +1513,10 @@ static bt_status_t set_info(RawAddress* bd_addr, bthh_hid_info_t hid_info) {
(uint8_t*)osi_malloc(dscp_info.descriptor.dl_len);
memcpy(dscp_info.descriptor.dsc_list, &(hid_info.dsc_list), hid_info.dl_len);
- if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask)) {
+ if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask, true)) {
BTA_HhAddDev(*bd_addr, hid_info.attr_mask, hid_info.sub_class,
hid_info.app_id, dscp_info);
+ btif_storage_set_hid_connection_policy(*bd_addr, true);
}
osi_free_and_reset((void**)&dscp_info.descriptor.dsc_list);
diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc
index 95e4ef07150..8077ae55547 100644
--- a/btif/src/btif_storage.cc
+++ b/btif/src/btif_storage.cc
@@ -83,6 +83,8 @@ using bluetooth::Uuid;
#define BTIF_STORAGE_KEY_LOCAL_IO_CAPS_BLE "LocalIOCapsBLE"
#define BTIF_STORAGE_KEY_ADAPTER_DISC_TIMEOUT "DiscoveryTimeout"
+#define BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED "HidReConnectAllowed"
+
/* This is a local property to add a device found */
#define BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP 0xFF
@@ -1323,6 +1325,50 @@ bt_status_t btif_storage_get_remote_addr_type(const RawAddress* remote_bd_addr,
btif_config_get_int(remote_bd_addr->ToString(), "AddrType", addr_type);
return ret ? BT_STATUS_SUCCESS : BT_STATUS_FAIL;
}
+
+/*******************************************************************************
+ *
+ * Function btif_storage_set_hid_connection_policy
+ *
+ * Description Stores connection policy info in nvram
+ *
+ * Returns BT_STATUS_SUCCESS
+ *
+ ******************************************************************************/
+bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr,
+ bool reconnect_allowed) {
+ std::string bdstr = addr.ToString();
+
+ if (btif_config_set_int(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED,
+ reconnect_allowed)) {
+ return BT_STATUS_SUCCESS;
+ } else {
+ return BT_STATUS_FAIL;
+ }
+}
+
+/*******************************************************************************
+ *
+ * Function btif_storage_get_hid_connection_policy
+ *
+ * Description get connection policy info from nvram
+ *
+ * Returns BT_STATUS_SUCCESS
+ *
+ ******************************************************************************/
+bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr,
+ bool* reconnect_allowed) {
+ std::string bdstr = addr.ToString();
+
+ // For backward compatibility, assume that the reconnection is allowed in the
+ // absence of the key
+ int value = 1;
+ btif_config_get_int(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED, &value);
+ *reconnect_allowed = (value != 0);
+
+ return BT_STATUS_SUCCESS;
+}
+
/*******************************************************************************
*
* Function btif_storage_add_hid_device_info
@@ -1425,8 +1471,12 @@ bt_status_t btif_storage_load_bonded_hid_info(void) {
RawAddress bd_addr;
RawAddress::FromString(name, bd_addr);
+
+ bool reconnect_allowed = false;
+ btif_storage_get_hid_connection_policy(bd_addr, &reconnect_allowed);
+
// add extracted information to BTA HH
- if (btif_hh_add_added_dev(bd_addr, attr_mask)) {
+ if (btif_hh_add_added_dev(bd_addr, attr_mask, reconnect_allowed)) {
BTA_HhAddDev(bd_addr, attr_mask, sub_class, app_id, dscp_info);
}
}
@@ -1458,6 +1508,7 @@ bt_status_t btif_storage_remove_hid_info(RawAddress* remote_bd_addr) {
btif_config_remove(bdstr, "HidSSRMaxLatency");
btif_config_remove(bdstr, "HidSSRMinTimeout");
btif_config_remove(bdstr, "HidDescriptor");
+ btif_config_remove(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED);
btif_config_save();
return BT_STATUS_SUCCESS;
}
diff --git a/include/hardware/bt_hh.h b/include/hardware/bt_hh.h
index b87b129bb12..923c6279216 100644
--- a/include/hardware/bt_hh.h
+++ b/include/hardware/bt_hh.h
@@ -154,7 +154,7 @@ typedef struct {
bt_status_t (*connect)(RawAddress* bd_addr);
/** dis-connect from hid device */
- bt_status_t (*disconnect)(RawAddress* bd_addr);
+ bt_status_t (*disconnect)(RawAddress* bd_addr, bool reconnect_allowed);
/** Virtual UnPlug (VUP) the specified HID device */
bt_status_t (*virtual_unplug)(RawAddress* bd_addr);
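Review bot: In the `BTA_HH_OPEN_EVT` rejection path, `btif_hh_connection_allowed` is evaluated before `p_data->conn.status` is examined, so an open event that already failed (`conn.status != BTA_HH_OK`) for a non-allowed device still calls `BTA_HhClose(p_data->conn.handle)` on a handle that may not be valid for a failed open, and broadcasts DISCONNECTED through a new path instead of the existing failure handling further down; the enclosing switch and `btif_hh_upstreams_evt` extend beyond the hunk, so that existing handling is not visible here. Guarding with `if (p_data->conn.status == BTA_HH_OK && !btif_hh_connection_allowed(p_data->conn.bda))` keeps the failure path as it was; if the guard is not wanted, confirm `BTA_HhClose` tolerates an invalid handle. Separately, `btif_storage_get_hid_connection_policy` defaults a missing `HidReConnectAllowed` key to allowed, so devices whose HID policy was already disabled before this update keep accepting incoming connections until the next disconnect with the policy forbidden; if that window matters, the Java side could push the current policy for each bonded HID device at startup.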


@ -0,0 +1,97 @@
From 0b906b1eef2156110bb753272fe133c096eb371b Mon Sep 17 00:00:00 2001
From: Himanshu Rawat <rwt@google.com>
Date: Mon, 8 Apr 2024 19:44:45 +0000
Subject: [PATCH] RESTRICT AUTOMERGE Disallow unexpected incoming HID
connections 2/2
HID profile accepted any new incoming HID connection. Even when the
connection policy disabled HID connection, remote devices could initiate
HID connection.
This change ensures that incoming HID connection are accepted only if
application was interested in that HID connection.
This vulnerarbility no longer exists on the main because of feature
request b/324093729.
Test: Manual | Pair and connect a HID device, disable HID connection
from Bluetooth device setting, attempt to connect from the HID device.
Bug: 308429049
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fc87e65eb3d70f051e2902d3e81ce6587ab1a96)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6d9a002091d88009db9e9de43f690d3d9fee15a0)
Merged-In: I1d7e886b1045d026f96c8274aca86dc499f87777
Change-Id: I1d7e886b1045d026f96c8274aca86dc499f87777
---
jni/com_android_bluetooth_hid_host.cpp | 8 +++++---
src/com/android/bluetooth/hid/HidHostService.java | 12 +++++++++---
2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/jni/com_android_bluetooth_hid_host.cpp b/jni/com_android_bluetooth_hid_host.cpp
index b8f4d6530..e4c885b3e 100644
--- a/jni/com_android_bluetooth_hid_host.cpp
+++ b/jni/com_android_bluetooth_hid_host.cpp
@@ -285,7 +285,8 @@ static jboolean connectHidNative(JNIEnv* env, jobject object,
}
static jboolean disconnectHidNative(JNIEnv* env, jobject object,
- jbyteArray address) {
+ jbyteArray address,
+ jboolean reconnect_allowed) {
jbyte* addr;
jboolean ret = JNI_TRUE;
if (!sBluetoothHidInterface) return JNI_FALSE;
@@ -296,7 +297,8 @@ static jboolean disconnectHidNative(JNIEnv* env, jobject object,
return JNI_FALSE;
}
- bt_status_t status = sBluetoothHidInterface->disconnect((RawAddress*)addr);
+ bt_status_t status =
+ sBluetoothHidInterface->disconnect((RawAddress*)addr, reconnect_allowed);
if (status != BT_STATUS_SUCCESS) {
ALOGE("Failed disconnect hid channel, status: %d", status);
ret = JNI_FALSE;
@@ -512,7 +514,7 @@ static JNINativeMethod sMethods[] = {
{"initializeNative", "()V", (void*)initializeNative},
{"cleanupNative", "()V", (void*)cleanupNative},
{"connectHidNative", "([B)Z", (void*)connectHidNative},
- {"disconnectHidNative", "([B)Z", (void*)disconnectHidNative},
+ {"disconnectHidNative", "([BZ)Z", (void*)disconnectHidNative},
{"getProtocolModeNative", "([B)Z", (void*)getProtocolModeNative},
{"virtualUnPlugNative", "([B)Z", (void*)virtualUnPlugNative},
{"setProtocolModeNative", "([BB)Z", (void*)setProtocolModeNative},
diff --git a/src/com/android/bluetooth/hid/HidHostService.java b/src/com/android/bluetooth/hid/HidHostService.java
index 4687bd6a1..0258f1fdd 100644
--- a/src/com/android/bluetooth/hid/HidHostService.java
+++ b/src/com/android/bluetooth/hid/HidHostService.java
@@ -167,7 +167,10 @@ public void handleMessage(Message msg) {
break;
case MESSAGE_DISCONNECT: {
BluetoothDevice device = (BluetoothDevice) msg.obj;
- if (!disconnectHidNative(Utils.getByteAddress(device))) {
+ int connectionPolicy = getConnectionPolicy(device);
+ boolean reconnectAllowed =
+ connectionPolicy == BluetoothProfile.CONNECTION_POLICY_ALLOWED;
+ if (!disconnectHidNative(Utils.getByteAddress(device), reconnectAllowed)) {
broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTING);
broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTED);
break;
@@ -192,7 +195,10 @@ public void handleMessage(Message msg) {
Log.d(TAG, "Incoming HID connection rejected");
}
if (disconnectRemote(device)) {
- disconnectHidNative(Utils.getByteAddress(device));
+ int connectionPolicy = getConnectionPolicy(device);
+ boolean reconnectAllowed =
+ connectionPolicy == BluetoothProfile.CONNECTION_POLICY_ALLOWED;
+ disconnectHidNative(Utils.getByteAddress(device), reconnectAllowed);
} else {
virtualUnPlugNative(Utils.getByteAddress(device));
}
@@ -978,7 +984,7 @@ public void dump(StringBuilder sb) {
private native boolean connectHidNative(byte[] btAddress);
- private native boolean disconnectHidNative(byte[] btAddress);
+ private native boolean disconnectHidNative(byte[] btAddress, boolean reconnectAllowed);
private native boolean getProtocolModeNative(byte[] btAddress);
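Review bot: The `reconnectAllowed` computation is written out twice in handleMessage, three lines each, once in the MESSAGE_DISCONNECT case and again in the rejected-incoming-connection path just below it; a single private helper would keep the two call sites from drifting, e.g. `private boolean isReconnectAllowed(BluetoothDevice device) { return getConnectionPolicy(device) == BluetoothProfile.CONNECTION_POLICY_ALLOWED; }`, with both `disconnectHidNative(Utils.getByteAddress(device), isReconnectAllowed(device))`. It is also worth a one-line comment at the first site that any policy value other than CONNECTION_POLICY_ALLOWED disables incoming reconnects for the device, since that is the conservative mapping the native side will persist. handleMessage starts and ends outside the hunks; the new native declaration in the last hunk matches the `([BZ)Z` JNI signature registered in the companion com_android_bluetooth_hid_host.cpp change.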


@ -0,0 +1,56 @@
From eb91d38c9e876c23d9a51ecc8bf9b55ad90c2c4d Mon Sep 17 00:00:00 2001
From: Chris Manton <cmanton@google.com>
Date: Sun, 14 Mar 2021 09:52:19 -0700
Subject: [PATCH] Add btif/include/btif_hh::btif_hh_status_text
Toward loggable code
Bug: 163134718
Test: gd/cert/run
Tag: #refactor
BYPASS_LONG_LINES_REASON: Bluetooth likes 120 lines
Change-Id: Iab6a4f33a3e498c33f4870abc5abd59e073d03f2
---
btif/include/btif_hh.h | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/btif/include/btif_hh.h b/btif/include/btif_hh.h
index 612b9f7c7..98dc33383 100644
--- a/btif/include/btif_hh.h
+++ b/btif/include/btif_hh.h
@@ -54,7 +54,7 @@
* Type definitions and return values
******************************************************************************/
-typedef enum {
+typedef enum : unsigned {
BTIF_HH_DISABLED = 0,
BTIF_HH_ENABLED,
BTIF_HH_DISABLING,
@@ -64,6 +64,25 @@ typedef enum {
BTIF_HH_DEV_DISCONNECTED
} BTIF_HH_STATUS;
+#define CASE_RETURN_TEXT(code) \
+ case code: \
+ return #code
+
+inline std::string btif_hh_status_text(const BTIF_HH_STATUS& status) {
+ switch (status) {
+ CASE_RETURN_TEXT(BTIF_HH_DISABLED);
+ CASE_RETURN_TEXT(BTIF_HH_ENABLED);
+ CASE_RETURN_TEXT(BTIF_HH_DISABLING);
+ CASE_RETURN_TEXT(BTIF_HH_DEV_UNKNOWN);
+ CASE_RETURN_TEXT(BTIF_HH_DEV_CONNECTING);
+ CASE_RETURN_TEXT(BTIF_HH_DEV_CONNECTED);
+ CASE_RETURN_TEXT(BTIF_HH_DEV_DISCONNECTED);
+ default:
+ return std::string("UNKNOWN[%hhu]", status);
+ }
+}
+#undef CASE_RETURN_TEXT
+
typedef struct {
bthh_connection_state_t dev_status;
uint8_t dev_handle;
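Review bot: `return std::string("UNKNOWN[%hhu]", status);` in the default branch of `btif_hh_status_text` does not format anything: with `BTIF_HH_STATUS` being an unscoped enum over `unsigned`, the call resolves to the `std::string(const char*, size_type)` constructor, so it copies the first `status` bytes of the literal and reads past the end of the 13-character literal for any larger value. Since this branch exists precisely to render unexpected enum values, that out-of-bounds read is the case it will actually hit. Build the text instead: `return std::string("UNKNOWN[") + std::to_string(static_cast<unsigned>(status)) + "]";` (the header already relies on `<string>` for the inline function's return type; confirm it is included rather than reached transitively).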


@ -0,0 +1,363 @@
From 0196deeccce43dc7fc5d8c4bfe94d2f24ad2d4b2 Mon Sep 17 00:00:00 2001
From: Himanshu Rawat <rwt@google.com>
Date: Mon, 8 Apr 2024 19:42:21 +0000
Subject: [PATCH] RESTRICT AUTOMERGE Disallow unexpected incoming HID
connections 1/2
HID profile accepted any new incoming HID connection. Even when the
connection policy disabled HID connection, remote devices could initiate
HID connection.
This change ensures that incoming HID connection are accepted only if
application was interested in that HID connection.
This vulnerarbility no longer exists on the main because of feature
request b/324093729.
Test: Manual | Pair and connect a HID device, disable HID connection
from Bluetooth device setting, attempt to connect from the HID device.
Bug: 308429049
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:18c635ad7923f5c26d6cd4cf7f7c66b2fa02462b)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:674298968a36f54d049b385a2976afc29777d821)
Merged-In: I6e9db983e752dd498625078c13b736cd4c668806
Change-Id: I6e9db983e752dd498625078c13b736cd4c668806
---
btif/include/btif_hh.h | 4 +-
btif/include/btif_storage.h | 23 ++++++++++
btif/src/btif_hh.cc | 86 ++++++++++++++++++++++++++++++++++---
btif/src/btif_storage.cc | 53 ++++++++++++++++++++++-
include/hardware/bt_hh.h | 2 +-
5 files changed, 160 insertions(+), 8 deletions(-)
diff --git a/btif/include/btif_hh.h b/btif/include/btif_hh.h
index 98dc33383..2aa03fddc 100644
--- a/btif/include/btif_hh.h
+++ b/btif/include/btif_hh.h
@@ -113,6 +113,7 @@ typedef struct {
uint8_t dev_handle;
RawAddress bd_addr;
tBTA_HH_ATTR_MASK attr_mask;
+ bool reconnect_allowed;
} btif_hh_added_device_t;
/**
@@ -137,7 +138,8 @@ extern btif_hh_cb_t btif_hh_cb;
extern btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle);
extern void btif_hh_remove_device(RawAddress bd_addr);
extern bool btif_hh_add_added_dev(const RawAddress& bda,
- tBTA_HH_ATTR_MASK attr_mask);
+ tBTA_HH_ATTR_MASK attr_mask,
+ bool reconnect_allowed);
extern bt_status_t btif_hh_virtual_unplug(const RawAddress* bd_addr);
extern void btif_hh_disconnect(RawAddress* bd_addr);
extern void btif_hh_service_registration(bool enable);
diff --git a/btif/include/btif_storage.h b/btif/include/btif_storage.h
index b1ada4db6..a32b7b8ff 100755
--- a/btif/include/btif_storage.h
+++ b/btif/include/btif_storage.h
@@ -201,6 +201,29 @@ bt_status_t btif_storage_is_device_bonded(RawAddress *remote_bd_addr);
******************************************************************************/
bt_status_t btif_storage_load_bonded_devices(void);
+/*******************************************************************************
+ *
+ * Function btif_storage_set_hid_connection_policy
+ *
+ * Description Stores connection policy info in nvram
+ *
+ * Returns BT_STATUS_SUCCESS
+ *
+ ******************************************************************************/
+bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr,
+ bool reconnect_allowed);
+/*******************************************************************************
+ *
+ * Function btif_storage_get_hid_connection_policy
+ *
+ * Description get connection policy info from nvram
+ *
+ * Returns BT_STATUS_SUCCESS
+ *
+ ******************************************************************************/
+bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr,
+ bool* reconnect_allowed);
+
/*******************************************************************************
*
* Function btif_storage_add_hid_device_info
diff --git a/btif/src/btif_hh.cc b/btif/src/btif_hh.cc
index aeaabc47d..4ad1537d6 100644
--- a/btif/src/btif_hh.cc
+++ b/btif/src/btif_hh.cc
@@ -340,6 +340,24 @@ btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle) {
return NULL;
}
+/*******************************************************************************
+ *
+ * Function btif_hh_find_added_dev
+ *
+ * Description Return the added device pointer of the specified address
+ *
+ * Returns Added device entry
+ ******************************************************************************/
+btif_hh_added_device_t* btif_hh_find_added_dev(const RawAddress& addr) {
+ for (int i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) {
+ btif_hh_added_device_t* added_dev = &btif_hh_cb.added_devices[i];
+ if (added_dev->bd_addr == addr) {
+ return added_dev;
+ }
+ }
+ return nullptr;
+}
+
/*******************************************************************************
*
* Function btif_hh_find_dev_by_bda
@@ -425,7 +443,8 @@ void btif_hh_start_vup_timer(const RawAddress* bd_addr) {
*
* Returns true if add successfully, otherwise false.
******************************************************************************/
-bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) {
+bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask,
+ bool reconnect_allowed) {
int i;
for (i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) {
if (btif_hh_cb.added_devices[i].bd_addr == bda) {
@@ -439,6 +458,7 @@ bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) {
btif_hh_cb.added_devices[i].bd_addr = bda;
btif_hh_cb.added_devices[i].dev_handle = BTA_HH_INVALID_HANDLE;
btif_hh_cb.added_devices[i].attr_mask = attr_mask;
+ btif_hh_cb.added_devices[i].reconnect_allowed = reconnect_allowed;
return true;
}
}
@@ -736,6 +756,23 @@ void btif_hh_getreport(btif_hh_device_t* p_dev, bthh_report_type_t r_type,
*
****************************************************************************/
+static bool btif_hh_connection_allowed(const RawAddress& bda) {
+ /* Accept connection only if reconnection is allowed for the known device, or
+ * outgoing connection was requested */
+ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(bda);
+ if (added_dev != nullptr && added_dev->reconnect_allowed) {
+ LOG_VERBOSE(LOG_TAG, "Connection allowed %s", bda.ToString().c_str());
+ return true;
+ } else if (btif_hh_cb.pending_conn_address == bda) {
+ LOG_VERBOSE(LOG_TAG, "Device connection was pending for: %s, status: %s",
+ bda.ToString().c_str(),
+ btif_hh_status_text(btif_hh_cb.status).c_str());
+ return true;
+ }
+
+ return false;
+}
+
/*******************************************************************************
*
* Function btif_hh_upstreams_evt
@@ -794,9 +831,26 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
p_data->status);
break;
- case BTA_HH_OPEN_EVT:
+ case BTA_HH_OPEN_EVT: {
BTIF_TRACE_WARNING("%s: BTA_HH_OPN_EVT: handle=%d, status =%d", __func__,
p_data->conn.handle, p_data->conn.status);
+
+ if (!btif_hh_connection_allowed(p_data->conn.bda)) {
+ LOG_WARN(LOG_TAG, "Reject Incoming HID Connection, device: %s",
+ p_data->conn.bda.ToString().c_str());
+ btif_hh_device_t* p_dev =
+ btif_hh_find_connected_dev_by_handle(p_data->conn.handle);
+ if (p_dev != nullptr) {
+ p_dev->dev_status = BTHH_CONN_STATE_DISCONNECTED;
+ }
+
+ btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED;
+ BTA_HhClose(p_data->conn.handle);
+ HAL_CBACK(bt_hh_callbacks, connection_state_cb, &p_data->conn.bda,
+ BTHH_CONN_STATE_DISCONNECTED);
+ return;
+ }
+
btif_hh_cb.pending_conn_address = RawAddress::kEmpty;
if (p_data->conn.status == BTA_HH_OK) {
p_dev = btif_hh_find_connected_dev_by_handle(p_data->conn.handle);
@@ -853,6 +907,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED;
}
break;
+ }
case BTA_HH_CLOSE_EVT:
BTIF_TRACE_DEBUG("BTA_HH_CLOSE_EVT: status = %d, handle = %d",
@@ -1021,7 +1076,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
}
return;
}
- if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask)) {
+ if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask, true)) {
tBTA_HH_DEV_DSCP_INFO dscp_info;
bt_status_t ret;
btif_hh_copy_hid_info(&dscp_info, p_data->h_d_info.dscp_info);
@@ -1037,6 +1092,8 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
p_data->h_d_info.dscp_info->ssr_min_tout, len,
p_data->h_d_info.dscp_info->descriptor.dsc_list);
+ btif_storage_set_hid_connection_policy(p_dev->bd_addr, true);
+
ASSERTC(ret == BT_STATUS_SUCCESS, "storing hid info failed", ret);
BTIF_TRACE_WARNING("BTA_HH_GET_DSCP_EVT: Called add device");
@@ -1334,6 +1391,13 @@ static bt_status_t connect(RawAddress* bd_addr) {
BTIF_TRACE_EVENT("%s Ignore connect request, device already connected", __func__);
return BT_STATUS_SUCCESS;
} else if (btif_hh_cb.status != BTIF_HH_DEV_CONNECTING) {
+ /* If the device was already added, ensure that reconnections are allowed */
+ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr);
+ if (added_dev != nullptr && !added_dev->reconnect_allowed) {
+ added_dev->reconnect_allowed = true;
+ btif_storage_set_hid_connection_policy(*bd_addr, true);
+ }
+
btif_transfer_context(btif_hh_handle_evt, BTIF_HH_CONNECT_REQ_EVT,
(char*)bd_addr, sizeof(RawAddress), NULL);
return BT_STATUS_SUCCESS;
@@ -1350,7 +1414,7 @@ static bt_status_t connect(RawAddress* bd_addr) {
* Returns bt_status_t
*
******************************************************************************/
-static bt_status_t disconnect(RawAddress* bd_addr) {
+static bt_status_t disconnect(RawAddress* bd_addr, bool reconnect_allowed) {
CHECK_BTHH_INIT();
BTIF_TRACE_EVENT("BTHH: %s", __func__);
btif_hh_device_t* p_dev;
@@ -1360,6 +1424,17 @@ static bt_status_t disconnect(RawAddress* bd_addr) {
btif_hh_cb.status);
return BT_STATUS_FAIL;
}
+
+ if (!reconnect_allowed) {
+ LOG_INFO(LOG_TAG, "Incoming reconnections disabled for device %s",
+ bd_addr->ToString().c_str());
+ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr);
+ if (added_dev != nullptr && added_dev->reconnect_allowed) {
+ added_dev->reconnect_allowed = false;
+ btif_storage_set_hid_connection_policy(added_dev->bd_addr, false);
+ }
+ }
+
p_dev = btif_hh_find_connected_dev_by_bda(*bd_addr);
if (p_dev != NULL) {
return btif_transfer_context(btif_hh_handle_evt, BTIF_HH_DISCONNECT_REQ_EVT,
@@ -1494,9 +1569,10 @@ static bt_status_t set_info(RawAddress* bd_addr, bthh_hid_info_t hid_info) {
(uint8_t*)osi_malloc(dscp_info.descriptor.dl_len);
memcpy(dscp_info.descriptor.dsc_list, &(hid_info.dsc_list), hid_info.dl_len);
- if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask)) {
+ if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask, true)) {
BTA_HhAddDev(*bd_addr, hid_info.attr_mask, hid_info.sub_class,
hid_info.app_id, dscp_info);
+ btif_storage_set_hid_connection_policy(*bd_addr, true);
}
osi_free_and_reset((void**)&dscp_info.descriptor.dsc_list);
diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc
index d7a9cdf3c..0c40afd16 100644
--- a/btif/src/btif_storage.cc
+++ b/btif/src/btif_storage.cc
@@ -88,6 +88,8 @@ using bluetooth::Uuid;
#define BTIF_STORAGE_KEY_LOCAL_IO_CAPS_BLE "LocalIOCapsBLE"
#define BTIF_STORAGE_KEY_ADAPTER_DISC_TIMEOUT "DiscoveryTimeout"
+#define BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED "HidReConnectAllowed"
+
/* This is a local property to add a device found */
#define BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP 0xFF
@@ -1486,6 +1488,50 @@ bt_status_t btif_storage_get_remote_addr_type(const RawAddress* remote_bd_addr,
addr_type);
return ret ? BT_STATUS_SUCCESS : BT_STATUS_FAIL;
}
+
+/*******************************************************************************
+ *
+ * Function btif_storage_set_hid_connection_policy
+ *
+ * Description Stores connection policy info in nvram
+ *
+ * Returns BT_STATUS_SUCCESS
+ *
+ ******************************************************************************/
+bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr,
+ bool reconnect_allowed) {
+ std::string bdstr = addr.ToString();
+
+ if (btif_config_set_int(bdstr.c_str(), BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED,
+ reconnect_allowed)) {
+ return BT_STATUS_SUCCESS;
+ } else {
+ return BT_STATUS_FAIL;
+ }
+}
+
+/*******************************************************************************
+ *
+ * Function btif_storage_get_hid_connection_policy
+ *
+ * Description get connection policy info from nvram
+ *
+ * Returns BT_STATUS_SUCCESS
+ *
+ ******************************************************************************/
+bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr,
+ bool* reconnect_allowed) {
+ std::string bdstr = addr.ToString();
+
+ // For backward compatibility, assume that the reconnection is allowed in the
+ // absence of the key
+ int value = 1;
+ btif_config_get_int(bdstr.c_str(), BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED, &value);
+ *reconnect_allowed = (value != 0);
+
+ return BT_STATUS_SUCCESS;
+}
+
/*******************************************************************************
*
* Function btif_storage_add_hid_device_info
@@ -1585,8 +1631,12 @@ bt_status_t btif_storage_load_bonded_hid_info(void) {
(uint8_t*)dscp_info.descriptor.dsc_list, &len);
}
RawAddress::FromString(name, bd_addr);
+
+ bool reconnect_allowed = false;
+ btif_storage_get_hid_connection_policy(bd_addr, &reconnect_allowed);
+
// add extracted information to BTA HH
- if (btif_hh_add_added_dev(bd_addr, attr_mask)) {
+ if (btif_hh_add_added_dev(bd_addr, attr_mask, reconnect_allowed)) {
BTA_HhAddDev(bd_addr, attr_mask, sub_class, app_id, dscp_info);
}
}
@@ -1626,6 +1676,7 @@ bt_status_t btif_storage_remove_hid_info(RawAddress* remote_bd_addr) {
btif_config_remove(bdstr, "HidSSRMaxLatency");
btif_config_remove(bdstr, "HidSSRMinTimeout");
btif_config_remove(bdstr, "HidDescriptor");
+ btif_config_remove(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED);
btif_config_save();
return BT_STATUS_SUCCESS;
}
diff --git a/include/hardware/bt_hh.h b/include/hardware/bt_hh.h
index c39e3e5b8..c1247cb1c 100644
--- a/include/hardware/bt_hh.h
+++ b/include/hardware/bt_hh.h
@@ -151,7 +151,7 @@ typedef struct {
bt_status_t (*connect)( RawAddress *bd_addr);
/** dis-connect from hid device */
- bt_status_t (*disconnect)( RawAddress *bd_addr );
+ bt_status_t (*disconnect)( RawAddress *bd_addr, bool reconnect_allowed);
/** Virtual UnPlug (VUP) the specified HID device */
bt_status_t (*virtual_unplug)(RawAddress *bd_addr);
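Review bot: In the btif_storage.cc hunk that adds the two policy functions, `btif_storage_set_hid_connection_policy` writes the key with `btif_config_set_int` but, unlike `btif_storage_remove_hid_info` in the last hunk of the same file, never calls `btif_config_save()`; if the config layer does not flush on its own, a policy change made from `disconnect(..., false)` may not survive a crash or reboot, and on reload the device comes back as reconnect-allowed through the fail-open default in `btif_storage_get_hid_connection_policy` (`int value = 1` when the key is absent). That default is documented as deliberate backward compatibility, but the getter also discards the return of `btif_config_get_int` and unconditionally returns BT_STATUS_SUCCESS, so the caller in `btif_storage_load_bonded_hid_info` cannot distinguish a stored "allowed" from a missing key; `return btif_config_get_int(bdstr.c_str(), BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED, &value) ? BT_STATUS_SUCCESS : BT_STATUS_FAIL;` would surface that while keeping `*reconnect_allowed` at the documented default. The setter's return value is ignored at every call site in btif_hh.cc as well, so a failed write currently goes unlogged.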


@ -95,7 +95,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
sed -i 's/2023-02-05/2024-09-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2024-09
sed -i 's/2023-02-05/2024-10-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-10
fi;
if enterAndClear "build/soong"; then
@ -328,6 +328,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/402604.patch"; #Q_asb_2024-08 B
applyPatch "$DOS_PATCHES/android_frameworks_base/402605.patch"; #Q_asb_2024-08 Restrict USB poups while setup is in progress
applyPatch "$DOS_PATCHES/android_frameworks_base/402606.patch"; #Q_asb_2024-08 Hide SAW subwindows
applyPatch "$DOS_PATCHES/android_frameworks_base/403301.patch"; #Q_asb_2024-09 Sanitized uri scheme by removing scheme delimiter
applyPatch "$DOS_PATCHES/android_frameworks_base/405515.patch"; #R_asb_2024-10 Update AccountManagerService checkKeyIntent.
applyPatch "$DOS_PATCHES/android_frameworks_base/405516.patch"; #R_asb_2024-10 Fail parseUri if end is missing
applyPatch "$DOS_PATCHES/android_frameworks_base/405517-backport.patch"; #R_asb_2024-10 Prevent Sharing when FRP enforcement is in effect
applyPatch "$DOS_PATCHES/android_frameworks_base/405518.patch"; #R_asb_2024-10 Check whether installerPackageName contains only valid characters
#applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
@ -450,6 +454,7 @@ applyPatch "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-sm8150.patch";
fi;
if enterAndClear "libcore"; then
applyPatch "$DOS_PATCHES/android_libcore/405541.patch"; #R_asb_2024-10 Do not accept zip files with invalid headers.
applyPatch "$DOS_PATCHES/android_libcore/0001-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS)
applyPatch "$DOS_PATCHES/android_libcore/0001-Exec_Based_Spawning-2.patch";
applyPatch "$DOS_PATCHES/android_libcore/0003-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
@ -463,6 +468,7 @@ fi;
if enterAndClear "packages/apps/Bluetooth"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/378135.patch"; #Q_asb_2023-12 Fix UAF in ~CallbackEnv
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/405540.patch"; #R_asb_2024-10 Disallow unexpected incoming HID connections 2/2
#applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/272652.patch"; #ten-bt-sbc-hd-dualchannel: SBC Dual Channel (SBC HD Audio) support (ValdikSS)
#applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/272653.patch"; #ten-bt-sbc-hd-dualchannel: Assume optional codecs are supported if were supported previously (ValdikSS)
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS)
@ -528,6 +534,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403302.patch"; #Q_asb_20
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403303.patch"; #Q_asb_2024-09 Replace getCallingActivity() with getLaunchedFromPackage()
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403304.patch"; #Q_asb_2024-09 Ignore fragment attr from ext authenticator resource
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403305.patch"; #Q_asb_2024-09 Restrict Settings Homepage prior to provisioning
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/405534.patch"; #R_asb_2024-10 FRP bypass defense in App battery usage page
git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
@ -668,6 +675,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/403314.patch"; #Q_asb_2024-09 Use btm
applyPatch "$DOS_PATCHES/android_system_bt/403315.patch"; #Q_asb_2024-09 Add support for checking security downgrade
applyPatch "$DOS_PATCHES/android_system_bt/403316.patch"; #Q_asb_2024-09 Disallow connect with Secure Connections downgrade
applyPatch "$DOS_PATCHES/android_system_bt/403317.patch"; #Q_asb_2024-09 Disallow connect with key length downgrade
applyPatch "$DOS_PATCHES/android_system_bt/405536.patch"; #R_asb_2024-10 Add btif/include/btif_hh::btif_hh_status_text
applyPatch "$DOS_PATCHES/android_system_bt/405537.patch"; #R_asb_2024-10 Disallow unexpected incoming HID connections 1/2
applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
#applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
@ -749,6 +758,7 @@ fi;
if enterAndClear "vendor/qcom/opensource/commonsys/packages/apps/Bluetooth"; then
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_packages_apps_Bluetooth/378136.patch"; #Q_asb_2023-12 Fix UAF in ~CallbackEnv
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_packages_apps_Bluetooth/405585.patch"; #R_asb_2024-10 Disallow unexpected incoming HID connections 2/2
fi;
if enterAndClear "vendor/qcom/opensource/commonsys/system/bt"; then
@ -791,6 +801,8 @@ applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403324.patch";
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403325.patch"; #Q_asb_2024-09 Add support for checking security downgrade
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403326.patch"; #Q_asb_2024-09 Disallow connect with Secure Connections downgrade
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403327.patch"; #Q_asb_2024-09 Disallow connect with key length downgrade
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/405583.patch"; #R_asb_2024-10 Add btif/include/btif_hh::btif_hh_status_text
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/405584.patch"; #R_asb_2024-10 Disallow unexpected incoming HID connections 1/2
fi;
if enterAndClear "vendor/lineage"; then