diff --git a/Patches/LineageOS-16.0/android_external_libxml2/368053.patch b/Patches/LineageOS-16.0/android_external_libxml2/368053.patch
new file mode 100644
index 00000000..11df9387
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_external_libxml2/368053.patch
@@ -0,0 +1,123 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 17 Feb 2023 15:53:07 +0100 +Subject: [PATCH] malloc-fail: Fix OOB read after xmlRegGetCounter + +Found with libFuzzer, see #344. + +(cherry picked from commit 1743c4c3fc58cf38ecce68db9de51d0f3651e033) + +I also copied the error label from +e64653c0e7975594e27d7de2ed4be062c1e4ad03 to fix the build failure. + +Bug: http://b/274231102 +Test: TreeHugger +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:381160fc2a293d50a627c9e35bb34485bf97b6e7) +Merged-In: I3bad3e03092e17a761cb6e299aff848ebd35b6f4 +Change-Id: I3bad3e03092e17a761cb6e299aff848ebd35b6f4 +--- + xmlregexp.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/xmlregexp.c b/xmlregexp.c +index d255fbf0..6234a879 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -1641,6 +1641,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + return(-1); + inter = ctxt->state; + counter = xmlRegGetCounter(ctxt); ++ if (counter < 0) ++ return(-1); + ctxt->counters[counter].min = atom->min - 1; + ctxt->counters[counter].max = atom->max - 1; + /* count the number of times we see it again */ +@@ -1659,6 +1661,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + * epsilon transition. + */ + counter = xmlRegGetCounter(ctxt); ++ if (counter < 0) ++ return(-1); + ctxt->counters[counter].min = atom->min - 1; + ctxt->counters[counter].max = atom->max - 1; + /* count the number of times we see it again */ +@@ -5924,6 +5928,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + * associate a counter to the transition. 
+ */ + counter = xmlRegGetCounter(am); ++ if (counter < 0) ++ goto error; + am->counters[counter].min = min; + am->counters[counter].max = max; + +@@ -5943,6 +5949,10 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + if (min == 0) + xmlFAGenerateEpsilonTransition(am, from, to); + return(to); ++ ++error: ++ xmlRegFreeAtom(atom); ++ return(NULL); + } + + /** +@@ -5990,6 +6000,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, + * associate a counter to the transition. + */ + counter = xmlRegGetCounter(am); ++ if (counter < 0) ++ goto error; + am->counters[counter].min = min; + am->counters[counter].max = max; + +@@ -6009,6 +6021,10 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, + if (min == 0) + xmlFAGenerateEpsilonTransition(am, from, to); + return(to); ++ ++error: ++ xmlRegFreeAtom(atom); ++ return(NULL); + } + + /** +@@ -6076,6 +6092,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + * associate a counter to the transition. + */ + counter = xmlRegGetCounter(am); ++ if (counter < 0) ++ goto error; + am->counters[counter].min = 1; + am->counters[counter].max = 1; + +@@ -6088,6 +6106,10 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + xmlRegAtomPush(am, atom); + am->state = to; + return(to); ++ ++error: ++ xmlRegFreeAtom(atom); ++ return(NULL); + } + + +@@ -6135,6 +6157,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, + * associate a counter to the transition. + */ + counter = xmlRegGetCounter(am); ++ if (counter < 0) ++ goto error; + am->counters[counter].min = 1; + am->counters[counter].max = 1; + +@@ -6147,6 +6171,10 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, + xmlRegAtomPush(am, atom); + am->state = to; + return(to); ++ ++error: ++ xmlRegFreeAtom(atom); ++ return(NULL); + } + + /** 
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/368055.patch b/Patches/LineageOS-16.0/android_frameworks_base/368055.patch
new file mode 100644
index 00000000..cb42760d
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/368055.patch
@@ -0,0 +1,60 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jean-Michel Trivi +Date: Wed, 7 Dec 2022 04:36:46 +0000 +Subject: [PATCH] RingtoneManager: verify default ringtone is audio + +When a ringtone picker tries to set a ringtone through +RingtoneManager.setActualDefaultRingtoneUri (also +called by com.android.settings.DefaultRingtonePreference), +verify the mimeType can be obtained (not found when caller +doesn't have access to it) and it is an audio resource. + +Bug: 205837340 +Test: atest android.media.audio.cts.RingtoneManagerTest +(cherry picked from commit 38618f9fb16d3b5617e2289354d47abe5af17dad) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:377144b64325dadad102f5233ecb50a4446b205b) +Merged-In: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e +Change-Id: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e +--- + media/java/android/media/RingtoneManager.java | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java +index fefa1ede849e..0e03bfb2502a 100644 +--- a/media/java/android/media/RingtoneManager.java ++++ b/media/java/android/media/RingtoneManager.java +@@ -819,10 +819,10 @@ public class RingtoneManager { + + return ringtoneUri; + } +- ++ + /** + * Sets the {@link Uri} of the default sound for a given sound type. +- * ++ * + * @param context A context used for querying. + * @param type The type whose default sound should be set. 
One of + * {@link #TYPE_RINGTONE}, {@link #TYPE_NOTIFICATION}, or +@@ -843,6 +843,21 @@ public class RingtoneManager { + if(!isInternalRingtoneUri(ringtoneUri)) { + ringtoneUri = ContentProvider.maybeAddUserId(ringtoneUri, context.getUserId()); + } ++ ++ if (ringtoneUri != null) { ++ final String mimeType = resolver.getType(ringtoneUri); ++ if (mimeType == null) { ++ Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri ++ + " ignored: failure to find mimeType (no access from this context?)"); ++ return; ++ } ++ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) { ++ Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri ++ + " ignored: associated mimeType:" + mimeType + " is not an audio type"); ++ return; ++ } ++ } ++ + Settings.System.putStringForUser(resolver, setting, + ringtoneUri != null ? ringtoneUri.toString() : null, context.getUserId()); + diff --git a/Patches/LineageOS-16.0/android_frameworks_base/368059.patch b/Patches/LineageOS-16.0/android_frameworks_base/368059.patch new file mode 100644 index 00000000..de7a0236 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/368059.patch 
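Review bot: The Javadoc of setActualDefaultRingtoneUri is not updated for the two new early returns, so a caller cannot tell that a URI whose type cannot be resolved, or is not audio, is dropped with nothing but a log line. I would add a sentence to the doc comment such as `If the MIME type of the URI cannot be resolved or is not an audio type, the call is ignored and the setting is left unchanged.` The check also trusts the string returned by `resolver.getType(ringtoneUri)`, which presumably comes from the provider that owns the URI, so it filters by declared type and not by content; a short comment at the check saying so would keep readers from over-relying on it. The method body starts and ends outside the hunk.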
@@ -0,0 +1,52 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Josep del Rio +Date: Mon, 26 Jun 2023 11:16:37 +0000 +Subject: [PATCH] Do not share key mappings with JNI object + +The key mapping information between the native key mappings and +the KeyCharacterMap object available in Java is currently shared, +which means that a read can be attempted while it's being modified. + +Because the code changed between R and S, this CL fixes it just +for R; the patch for versions S+ is ag/23785419 + +Bug: 274058082 +Test: Presubmit +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4b3c4620166071561ec44961fb08a56676b4fd6c) +Merged-In: I3be94534dcda365da473f82347ae2e3f57bb1b42 +Change-Id: I3be94534dcda365da473f82347ae2e3f57bb1b42 +--- + core/jni/android_view_InputDevice.cpp | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/core/jni/android_view_InputDevice.cpp b/core/jni/android_view_InputDevice.cpp +index 494fad7900ef..806a88f8f50e 100644 +--- a/core/jni/android_view_InputDevice.cpp ++++ b/core/jni/android_view_InputDevice.cpp +@@ -14,6 +14,7 @@ + * limitations under the License. + */ + ++#include + #include + + #include +@@ -48,9 +49,16 @@ jobject android_view_InputDevice_create(JNIEnv* env, const InputDeviceInfo& devi + return NULL; + } + ++ sp map = deviceInfo.getKeyCharacterMap(); ++ if (map != nullptr) { ++ Parcel parcel; ++ map->writeToParcel(&parcel); ++ map = map->readFromParcel(&parcel); ++ } ++ + ScopedLocalRef kcmObj(env, +- android_view_KeyCharacterMap_create(env, deviceInfo.getId(), +- deviceInfo.getKeyCharacterMap())); ++ android_view_KeyCharacterMap_create(env, deviceInfo.getId(), ++ map)); + if (!kcmObj.get()) { + return NULL; + } diff --git a/Patches/LineageOS-16.0/android_frameworks_base/368060-backport.patch b/Patches/LineageOS-16.0/android_frameworks_base/368060-backport.patch new file mode 100644 index 00000000..2d9eaadd --- /dev/null 
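Review bot: The write/read round trip through `Parcel` in android_view_InputDevice_create carries no comment, and without the commit message it reads like a no-op. I would put `// Deep-copy the key map via a Parcel so the Java KeyCharacterMap never shares the native mapping, which may be modified concurrently.` above `if (map != nullptr)`. The result of `readFromParcel` is passed on unchecked; if it can come back null on a parse failure, confirm that android_view_KeyCharacterMap_create accepts a null map, as it presumably already does for a device without one. The function continues outside the hunk.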
+++ b/Patches/LineageOS-16.0/android_frameworks_base/368060-backport.patch 
@@ -0,0 +1,150 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tim Yu +Date: Tue, 20 Jun 2023 21:24:36 +0000 +Subject: [PATCH] Verify URI Permissions in Autofill RemoteViews + +Check permissions of URI inside of FillResponse's RemoteViews. If the +current user does not have the required permissions to view the URI, the +RemoteView is dropped from displaying. + +This fixes a security spill in which a user can view content of another +user through a malicious Autofill provider. + +Bug: 283137865 +Fixes: b/283264674 b/281666022 b/281665050 b/281848557 b/281533566 +b/281534749 b/283101289 +Test: Verified by POC app attached in bugs +Test: atest CtsAutoFillServiceTestCases (added new tests) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:26beceb9a252a50374d056b162fa7e8ea55051b3) +Merged-In: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a +Change-Id: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a +--- + .../com/android/server/autofill/Helper.java | 43 +++++++++++++++++++ + .../android/server/autofill/ui/FillUi.java | 11 +++-- + .../android/server/autofill/ui/SaveUi.java | 2 +- + 3 files changed, 52 insertions(+), 4 deletions(-) + +diff --git a/services/autofill/java/com/android/server/autofill/Helper.java b/services/autofill/java/com/android/server/autofill/Helper.java +index f14c8f1aa7f6..a50d87ac81e4 100644 +--- a/services/autofill/java/com/android/server/autofill/Helper.java ++++ b/services/autofill/java/com/android/server/autofill/Helper.java +@@ -18,6 +18,8 @@ package com.android.server.autofill; + + import android.annotation.NonNull; + import android.annotation.Nullable; ++import android.annotation.UserIdInt; ++import android.app.ActivityManager; + import android.app.assist.AssistStructure; + import android.app.assist.AssistStructure.ViewNode; + import android.content.ComponentName; +@@ -29,13 +31,16 @@ import android.util.Slog; + import android.view.WindowManager; + import android.view.autofill.AutofillId; + 
import android.view.autofill.AutofillValue; ++import android.widget.RemoteViews; + + import com.android.internal.logging.nano.MetricsProto.MetricsEvent; + import com.android.internal.util.ArrayUtils; + + import java.io.PrintWriter; ++import java.util.Arrays; + import java.util.ArrayList; + import java.util.LinkedList; ++import java.util.concurrent.atomic.AtomicBoolean; + + public final class Helper { + +@@ -79,6 +84,44 @@ public final class Helper { + throw new UnsupportedOperationException("contains static members only"); + } + ++ private static boolean checkRemoteViewUriPermissions( ++ @UserIdInt int userId, @NonNull RemoteViews rView) { ++ final AtomicBoolean permissionsOk = new AtomicBoolean(true); ++ ++ rView.visitUris(uri -> { ++ int uriOwnerId = android.content.ContentProvider.getUserIdFromUri(uri); ++ boolean allowed = uriOwnerId == userId; ++ permissionsOk.set(allowed && permissionsOk.get()); ++ }); ++ ++ return permissionsOk.get(); ++ } ++ ++ /** ++ * Checks the URI permissions of the remote view, ++ * to see if the current userId is able to access it. ++ * ++ * Returns the RemoteView that is passed if user is able, null otherwise. ++ * ++ * TODO: instead of returning a null remoteview when ++ * the current userId cannot access an URI, ++ * return a new RemoteView with the URI removed. ++ */ ++ public static @Nullable RemoteViews sanitizeRemoteView(RemoteViews rView) { ++ if (rView == null) return null; ++ ++ int userId = ActivityManager.getCurrentUser(); ++ ++ boolean ok = checkRemoteViewUriPermissions(userId, rView); ++ if (!ok) { ++ Slog.w(TAG, ++ "sanitizeRemoteView() user: " + userId ++ + " tried accessing resource that does not belong to them"); ++ } ++ return (ok ? 
rView : null); ++ } ++ ++ + @Nullable + static AutofillId[] toArray(@Nullable ArraySet set) { + if (set == null) return null; +diff --git a/services/autofill/java/com/android/server/autofill/ui/FillUi.java b/services/autofill/java/com/android/server/autofill/ui/FillUi.java +index 8119054f4196..cacfcdff686f 100644 +--- a/services/autofill/java/com/android/server/autofill/ui/FillUi.java ++++ b/services/autofill/java/com/android/server/autofill/ui/FillUi.java +@@ -137,8 +137,9 @@ final class FillUi { + mContext = new ContextThemeWrapper(context, THEME_ID); + final LayoutInflater inflater = LayoutInflater.from(mContext); + +- final RemoteViews headerPresentation = response.getHeader(); +- final RemoteViews footerPresentation = response.getFooter(); ++ final RemoteViews headerPresentation = Helper.sanitizeRemoteView(response.getHeader()); ++ final RemoteViews footerPresentation = Helper.sanitizeRemoteView(response.getFooter()); ++ + final ViewGroup decor; + if (mFullScreen) { + decor = (ViewGroup) inflater.inflate(R.layout.autofill_dataset_picker_fullscreen, null); +@@ -219,6 +220,9 @@ final class FillUi { + ViewGroup container = decor.findViewById(R.id.autofill_dataset_picker); + final View content; + try { ++ if (Helper.sanitizeRemoteView(response.getPresentation()) == null) { ++ throw new RuntimeException("Permission error accessing RemoteView"); ++ } + response.getPresentation().setApplyTheme(THEME_ID); + content = response.getPresentation().apply(mContext, decor, interceptionHandler); + container.addView(content); +@@ -296,7 +300,8 @@ final class FillUi { + final Dataset dataset = response.getDatasets().get(i); + final int index = dataset.getFieldIds().indexOf(focusedViewId); + if (index >= 0) { +- final RemoteViews presentation = dataset.getFieldPresentation(index); ++ final RemoteViews presentation = Helper.sanitizeRemoteView( ++ dataset.getFieldPresentation(index)); + if (presentation == null) { + Slog.w(TAG, "not displaying UI on field " + focusedViewId + " 
because " + + "service didn't provide a presentation for it on " + dataset); +diff --git a/services/autofill/java/com/android/server/autofill/ui/SaveUi.java b/services/autofill/java/com/android/server/autofill/ui/SaveUi.java +index 58823036212d..695171e82773 100644 +--- a/services/autofill/java/com/android/server/autofill/ui/SaveUi.java ++++ b/services/autofill/java/com/android/server/autofill/ui/SaveUi.java +@@ -269,7 +269,7 @@ final class SaveUi { + final int type = info.getType(); + writeLog(MetricsEvent.AUTOFILL_SAVE_CUSTOM_DESCRIPTION, type); + +- final RemoteViews template = customDescription.getPresentation(); ++ final RemoteViews template = Helper.sanitizeRemoteView(customDescription.getPresentation()); + if (template == null) { + Slog.w(TAG, "No remote view on custom description"); + return false; diff --git a/Patches/LineageOS-16.0/android_frameworks_base/368061.patch b/Patches/LineageOS-16.0/android_frameworks_base/368061.patch new file mode 100644 index 00000000..fb16b368 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/368061.patch 
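Review bot: In `checkRemoteViewUriPermissions` the owner is read with the one-argument `ContentProvider.getUserIdFromUri(uri)`, which as far as I know falls back to the `USER_CURRENT` sentinel when the URI carries no embedded user id, so a plain `content://` URI would never equal `userId` and every presentation containing one would be dropped. Passing the default explicitly, `int uriOwnerId = android.content.ContentProvider.getUserIdFromUri(uri, userId);`, keeps the cross-user rejection and lets same-user URIs through; please confirm against this branch's ContentProvider. In FillUi the `throw new RuntimeException("Permission error accessing RemoteView")` also fires when `response.getPresentation()` is simply null, so the message can mislead whoever reads the log. `sanitizeRemoteView` compares against `ActivityManager.getCurrentUser()` and not the user the autofill session belongs to, which deserves a comment if the two can differ (for example with a managed profile).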
@@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Josep del Rio +Date: Wed, 12 Jul 2023 16:32:05 +0000 +Subject: [PATCH] Fix KCM key mapping cloning + +ag/23792288 tried to fix a security issue by cloning the key +mappings, but unfortunately the parcel was not being rewinded. + +Bug: 274058082 +Test: Confirmed change works in newer Android versions +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:aaaba6cf190d976efdc5db6c78997dbdc9214c15) +Merged-In: I6f75b9202e20d82ebf81a35a2916e653ee1b8372 +Change-Id: I6f75b9202e20d82ebf81a35a2916e653ee1b8372 +--- + core/jni/android_view_InputDevice.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/core/jni/android_view_InputDevice.cpp b/core/jni/android_view_InputDevice.cpp +index 806a88f8f50e..f36300ada64e 100644 +--- a/core/jni/android_view_InputDevice.cpp ++++ b/core/jni/android_view_InputDevice.cpp +@@ -53,6 +53,7 @@ jobject android_view_InputDevice_create(JNIEnv* env, const InputDeviceInfo& devi + if (map != nullptr) { + Parcel parcel; + map->writeToParcel(&parcel); ++ parcel.setDataPosition(0); + map = map->readFromParcel(&parcel); + } + diff --git a/Patches/LineageOS-16.0/android_frameworks_base/368062-backport.patch b/Patches/LineageOS-16.0/android_frameworks_base/368062-backport.patch new file mode 100644 index 00000000..b67adf35 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/368062-backport.patch 
@@ -0,0 +1,49 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hongwei Wang +Date: Wed, 24 May 2023 19:35:44 -0700 +Subject: [PATCH] Disallow loading icon from content URI to PipMenu + +Bug: 278246904 +Test: manually, with the PoC app attached to the bug +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f5a87d8a0dc9190327ba0e6113d5b80ee96abae) +Merged-In: Iecfc1fb962de611cbe3c51a44ba4fded53925a7d +Change-Id: Iecfc1fb962de611cbe3c51a44ba4fded53925a7d +--- + .../systemui/pip/phone/PipMenuActivity.java | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java b/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java +index 615b29f93269..214c58a80727 100644 +--- a/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java ++++ b/packages/SystemUI/src/com/android/systemui/pip/phone/PipMenuActivity.java +@@ -51,6 +51,7 @@ import android.graphics.PointF; + import android.graphics.Rect; + import android.graphics.drawable.ColorDrawable; + import android.graphics.drawable.Drawable; ++import android.graphics.drawable.Icon; + import android.net.Uri; + import android.os.Bundle; + import android.os.Handler; +@@ -508,11 +509,17 @@ public class PipMenuActivity extends Activity { + final RemoteAction action = mActions.get(i); + final ImageView actionView = (ImageView) mActionsGroup.getChildAt(i); + +- // TODO: Check if the action drawable has changed before we reload it +- action.getIcon().loadDrawableAsync(this, d -> { +- d.setTint(Color.WHITE); +- actionView.setImageDrawable(d); +- }, mHandler); ++ final int iconType = action.getIcon().getType(); ++ if (iconType == Icon.TYPE_URI /* || iconType == Icon.TYPE_URI_ADAPTIVE_BITMAP*/) { ++ // Disallow loading icon from content URI ++ actionView.setImageDrawable(null); ++ } else { ++ // TODO: Check if the action drawable has changed 
before we reload it ++ action.getIcon().loadDrawableAsync(this, d -> { ++ d.setTint(Color.WHITE); ++ actionView.setImageDrawable(d); ++ }, mHandler); ++ } + actionView.setContentDescription(action.getContentDescription()); + if (action.isEnabled()) { + actionView.setOnClickListener(v -> { diff --git a/Patches/LineageOS-16.0/android_frameworks_base/368063.patch b/Patches/LineageOS-16.0/android_frameworks_base/368063.patch new file mode 100644 index 00000000..79631de4 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/368063.patch 
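Review bot: The condition `iconType == Icon.TYPE_URI /* || iconType == Icon.TYPE_URI_ADAPTIVE_BITMAP*/` keeps a disabled clause with no explanation, so a reader cannot tell whether the second icon type is deliberately allowed or just unavailable on this branch. I would replace the inline comment with a line above the `if`, for example `// Icon.TYPE_URI_ADAPTIVE_BITMAP is not checked because this branch does not define it (confirm).` In the `else` branch the callback calls `d.setTint(Color.WHITE)` without a null test; if `loadDrawableAsync` can deliver a null drawable when loading fails, wrapping the two statements in `if (d != null)` would avoid a crash in SystemUI. The blocked action stays clickable with an empty image, which may be intended but should be said in the comment.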
@@ -0,0 +1,59 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kunal Malhotra +Date: Fri, 2 Jun 2023 23:32:02 +0000 +Subject: [PATCH] Fixing DatabaseUtils to detect malformed UTF-16 strings + +Test: tested with POC in bug, also using atest +Bug: 224771621 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fb4a72e3943d166088407e61aa4439ac349f3f12) +Merged-In: Ide65205b83063801971c5778af3154bcf3f0e530 +Change-Id: Ide65205b83063801971c5778af3154bcf3f0e530 +--- + core/java/android/database/DatabaseUtils.java | 32 +++++++++++++------ + 1 file changed, 23 insertions(+), 9 deletions(-) + +diff --git a/core/java/android/database/DatabaseUtils.java b/core/java/android/database/DatabaseUtils.java +index 3d019f07cb84..d3ebfea947db 100644 +--- a/core/java/android/database/DatabaseUtils.java ++++ b/core/java/android/database/DatabaseUtils.java +@@ -337,17 +337,31 @@ public class DatabaseUtils { + */ + public static void appendEscapedSQLString(StringBuilder sb, String sqlString) { + sb.append('\''); +- if (sqlString.indexOf('\'') != -1) { +- int length = sqlString.length(); +- for (int i = 0; i < length; i++) { +- char c = sqlString.charAt(i); +- if (c == '\'') { +- sb.append('\''); ++ int length = sqlString.length(); ++ for (int i = 0; i < length; i++) { ++ char c = sqlString.charAt(i); ++ if (Character.isHighSurrogate(c)) { ++ if (i == length - 1) { ++ continue; ++ } ++ if (Character.isLowSurrogate(sqlString.charAt(i + 1))) { ++ // add them both ++ sb.append(c); ++ sb.append(sqlString.charAt(i + 1)); ++ continue; ++ } else { ++ // this is a lone surrogate, skip it ++ continue; + } +- sb.append(c); + } +- } else +- sb.append(sqlString); ++ if (Character.isLowSurrogate(c)) { ++ continue; ++ } ++ if (c == '\'') { ++ sb.append('\''); ++ } ++ sb.append(c); ++ } + sb.append('\''); + } + 
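Review bot: In the rewritten loop of `appendEscapedSQLString` a valid surrogate pair is appended in one step but `i` is not advanced, so the low half is kept from being written twice only because the later `Character.isLowSurrogate(c)` test skips it on the next iteration. Advancing explicitly, `sb.append(sqlString.charAt(i + 1)); i++; continue;`, makes that independent of the second test, and the `i == length - 1` case and the `else { continue; }` branch can then share a single `continue`. Unpaired surrogates are now dropped from the output without any trace, so the escaped value can differ from the input; the method's Javadoc, which lies outside the hunk, should state that.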
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/368067-backport.patch b/Patches/LineageOS-16.0/android_frameworks_base/368067-backport.patch new file mode 100644 index 00000000..5da69ce1 --- /dev/null +++ b/Patches/LineageOS-16.0/android_frameworks_base/368067-backport.patch @@ -0,0 +1,24 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tad +Date: Mon, 9 Oct 2023 20:41:21 -0400 +Subject: [PATCH] Revert "DO NOT MERGE Dismiss keyguard when simpin auth'd + and..." + +This reverts commit 9137c0f90ae0fc93afa873e8bf6e1565ac46b9ba. +--- + .../src/com/android/keyguard/KeyguardSecurityContainer.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java +index bb205956e932..6a71cf84759c 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java +@@ -351,7 +351,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + case SimPuk: + // Shortcut for SIM PIN/PUK to go to directly to user's security screen or home + SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId); +- if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled( ++ if (securityMode == SecurityMode.None && mLockPatternUtils.isLockScreenDisabled( + KeyguardUpdateMonitor.getCurrentUser())) { + finish = true; + } else { diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch index 2c556a40..b21c89a5 100644 --- a/Patches/LineageOS-16.0/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch 
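Review bot: The changed operator in KeyguardSecurityContainer decides when the keyguard is finished after SIM PIN/PUK entry, yet neither the code nor the patch message (which only names the reverted commit 9137c0f90ae0fc93afa873e8bf6e1565ac46b9ba) says why `&&` is the right choice. With `&&` the shortcut sets `finish = true` only when the security mode is `SecurityMode.None` and the lock screen is disabled for the current user. I would add a comment above the condition, e.g. `// Both must hold: finishing on either condition alone could skip the user's lock screen (confirm against the bug).` The switch case continues outside the hunk.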
@@ -26,7 +26,7 @@ Change-Id: Ibbffdb5f3930df74ca8b4ba93d451f7fad086989 create mode 100644 src/com/android/settings/network/CaptivePortalWarningDialogHost.java diff --git a/res/values-de/cm_strings.xml b/res/values-de/cm_strings.xml -index e78bbea120..54e2864c9a 100644 +index e78bbea1202..54e2864c9aa 100644 --- a/res/values-de/cm_strings.xml +++ b/res/values-de/cm_strings.xml @@ -308,4 +308,7 @@ @@ -38,7 +38,7 @@ index e78bbea120..54e2864c9a 100644 + Nach dem Ausschalten der Captive-Portal-Erkennung empfangen Sie keine Verbindungs-Rückmeldung mehr. Wirklich fortfahren? diff --git a/res/values/cm_strings.xml b/res/values/cm_strings.xml -index 7d0b80d3c0..c4a0aaa915 100644 +index 7d0b80d3c05..c4a0aaa9157 100644 --- a/res/values/cm_strings.xml +++ b/res/values/cm_strings.xml @@ -398,4 +398,9 @@ @@ -52,7 +52,7 @@ index 7d0b80d3c0..c4a0aaa915 100644 + If you switch off the captive portal, you will not receive connectivity informations any longer. Really switch off? diff --git a/res/xml/network_and_internet.xml b/res/xml/network_and_internet.xml -index 6eda0b0966..899bc41dd2 100644 +index 6eda0b09669..899bc41dd22 100644 --- a/res/xml/network_and_internet.xml +++ b/res/xml/network_and_internet.xml @@ -101,4 +101,10 @@ @@ -67,7 +67,7 @@ index 6eda0b0966..899bc41dd2 100644 + diff --git a/src/com/android/settings/ResetNetworkConfirm.java b/src/com/android/settings/ResetNetworkConfirm.java -index 4bdd8e1dba..2c9f04ca3e 100644 +index 4bdd8e1dba8..2c9f04ca3e2 100644 --- a/src/com/android/settings/ResetNetworkConfirm.java +++ b/src/com/android/settings/ResetNetworkConfirm.java @@ -32,6 +32,7 @@ import android.os.Bundle; @@ -91,7 +91,7 @@ index 4bdd8e1dba..2c9f04ca3e 100644 // fragments. They lead to garbled message when new fragments come 
diff --git a/src/com/android/settings/network/CaptivePortalModePreferenceController.java b/src/com/android/settings/network/CaptivePortalModePreferenceController.java new file mode 100644 -index 0000000000..0fd2d094a1 +index 00000000000..0fd2d094a1b --- /dev/null +++ b/src/com/android/settings/network/CaptivePortalModePreferenceController.java @@ -0,0 +1,81 @@ @@ -178,7 +178,7 @@ index 0000000000..0fd2d094a1 +} diff --git a/src/com/android/settings/network/CaptivePortalWarningDialog.java b/src/com/android/settings/network/CaptivePortalWarningDialog.java new file mode 100644 -index 0000000000..8240c2756e +index 00000000000..8240c2756e4 --- /dev/null +++ b/src/com/android/settings/network/CaptivePortalWarningDialog.java @@ -0,0 +1,73 @@ @@ -257,7 +257,7 @@ index 0000000000..8240c2756e +} diff --git a/src/com/android/settings/network/CaptivePortalWarningDialogHost.java b/src/com/android/settings/network/CaptivePortalWarningDialogHost.java new file mode 100644 -index 0000000000..7a04d1f831 +index 00000000000..7a04d1f8311 --- /dev/null +++ b/src/com/android/settings/network/CaptivePortalWarningDialogHost.java @@ -0,0 +1,32 @@ @@ -294,7 +294,7 @@ index 0000000000..7a04d1f831 + void onCaptivePortalSwitchOffDialogDismissed(); +} diff --git a/src/com/android/settings/network/NetworkDashboardFragment.java b/src/com/android/settings/network/NetworkDashboardFragment.java -index 89bf5f4dec..4af55e2b50 100644 +index 89bf5f4dec2..4af55e2b507 100644 --- a/src/com/android/settings/network/NetworkDashboardFragment.java +++ b/src/com/android/settings/network/NetworkDashboardFragment.java @@ -44,7 +44,7 @@ import java.util.Arrays; diff --git a/Patches/LineageOS-16.0/android_packages_apps_Settings/368069-backport.patch b/Patches/LineageOS-16.0/android_packages_apps_Settings/368069-backport.patch new file mode 100644 index 00000000..b5eb3bea --- /dev/null +++ b/Patches/LineageOS-16.0/android_packages_apps_Settings/368069-backport.patch 
@@ -0,0 +1,136 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Weng Su +Date: Fri, 7 Jul 2023 19:52:04 +0800 +Subject: [PATCH] Restrict ApnEditor settings + +- Finish ApnEditor settings if user is not an admin + +- Finish ApnEditor settings if user has DISALLOW_CONFIG_MOBILE_NETWORKS restriction + +Bug: 279902472 +Test: manual test +make RunSettingsRoboTests ROBOTEST_FILTER=ApnEditorTest +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c2d727b8f9198bf758a4896eda7c9e5385435ff) +Merged-In: Iecdbbff7e21dfb11e3ba385858747a220cfd3e04 +Change-Id: Iecdbbff7e21dfb11e3ba385858747a220cfd3e04 +--- + .../android/settings/network/ApnEditor.java | 23 ++++++++++++++ + .../settings/network/ApnEditorTest.java | 31 ++++++++++++++++++- + 2 files changed, 53 insertions(+), 1 deletion(-) + +diff --git a/src/com/android/settings/network/ApnEditor.java b/src/com/android/settings/network/ApnEditor.java +index cceb31d29e7..74a7fed07fc 100644 +--- a/src/com/android/settings/network/ApnEditor.java ++++ b/src/com/android/settings/network/ApnEditor.java +@@ -27,6 +27,7 @@ import android.database.Cursor; + import android.net.Uri; + import android.os.Bundle; + import android.os.PersistableBundle; ++import android.os.UserManager; + import android.provider.Telephony; + import android.support.annotation.VisibleForTesting; + import android.support.v14.preference.MultiSelectListPreference; +@@ -203,6 +204,11 @@ public class ApnEditor extends SettingsPreferenceFragment + @Override + public void onCreate(Bundle icicle) { + super.onCreate(icicle); ++ if (isUserRestricted()) { ++ Log.e(TAG, "This setting isn't available due to user restriction."); ++ finish(); ++ return; ++ } + + addPreferencesFromResource(R.xml.apn_editor); + +@@ -1166,6 +1172,23 @@ public class ApnEditor extends SettingsPreferenceFragment + return userEnteredApnType; + } + ++ @VisibleForTesting ++ boolean isUserRestricted() { ++ UserManager userManager = 
getContext().getSystemService(UserManager.class); ++ if (userManager == null) { ++ return false; ++ } ++ if (!userManager.isAdminUser()) { ++ Log.e(TAG, "User is not an admin"); ++ return true; ++ } ++ if (userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS)) { ++ Log.e(TAG, "User is not allowed to configure mobile network"); ++ return true; ++ } ++ return false; ++ } ++ + public static class ErrorDialog extends InstrumentedDialogFragment { + + public static void showError(ApnEditor editor) { +diff --git a/tests/robotests/src/com/android/settings/network/ApnEditorTest.java b/tests/robotests/src/com/android/settings/network/ApnEditorTest.java +index 35f68a06698..ed82b59be5b 100644 +--- a/tests/robotests/src/com/android/settings/network/ApnEditorTest.java ++++ b/tests/robotests/src/com/android/settings/network/ApnEditorTest.java +@@ -32,6 +32,7 @@ import android.content.Context; + import android.content.res.Resources; + import android.database.Cursor; + import android.net.Uri; ++import android.os.UserManager; + import android.support.v14.preference.MultiSelectListPreference; + import android.support.v14.preference.SwitchPreference; + import android.support.v7.preference.EditTextPreference; +@@ -97,6 +98,8 @@ public class ApnEditorTest { + + private ApnEditor mApnEditorUT; + private Activity mActivity; ++ @Mock ++ private UserManager mUserManager; + private Resources mResources; + + @Before +@@ -111,6 +114,11 @@ public class ApnEditorTest { + doNothing().when(mApnEditorUT).finish(); + doNothing().when(mApnEditorUT).showError(); + ++ doReturn(mUserManager).when(mContext).getSystemService(UserManager.class); ++ doReturn(true).when(mUserManager).isAdminUser(); ++ doReturn(false).when(mUserManager) ++ .hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS); ++ + setMockPreference(mActivity); + mApnEditorUT.mApnData = new FakeApnData(APN_DATA); + mApnEditorUT.sNotSet = "Not Set"; +@@ -447,6 +455,27 @@ public class ApnEditorTest { + 
assertThat(ApnEditor.formatInteger("not an int")).isEqualTo("not an int"); + } + ++ @Test ++ @Config(shadows = ShadowFragment.class) ++ public void onCreate_notAdminUser_shouldFinish() { ++ doReturn(false).when(mUserManager).isAdminUser(); ++ ++ mApnEditorUT.onCreate(null); ++ ++ verify(mApnEditorUT).finish(); ++ } ++ ++ @Test ++ @Config(shadows = ShadowFragment.class) ++ public void onCreate_hasUserRestriction_shouldFinish() { ++ doReturn(true).when(mUserManager) ++ .hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS); ++ ++ mApnEditorUT.onCreate(null); ++ ++ verify(mApnEditorUT).finish(); ++ } ++ + private void initCursor() { + doReturn(2).when(mCursor).getColumnCount(); + doReturn(Integer.valueOf(2)).when(mCursor).getInt(CURSOR_INTEGER_INDEX); +@@ -489,4 +518,4 @@ public class ApnEditorTest { + mUri = uri; + } + } +-} +\ No newline at end of file ++} diff --git a/Scripts/LineageOS-16.0/Functions.sh b/Scripts/LineageOS-16.0/Functions.sh index 2726024c..f05fded7 100644 --- a/Scripts/LineageOS-16.0/Functions.sh +++ b/Scripts/LineageOS-16.0/Functions.sh @@ -91,7 +91,7 @@ patchWorkspaceReal() { repopick -fit P_asb_2023-05; repopick -fit P_asb_2023-06; repopick -fit P_asb_2023-07 -e 361282; - repopick -fit P_asb_2023-08 -e 365327; + repopick -fit P_asb_2023-08 -e 365327,365328,364605; repopick -fit P_asb_2023-09; sh "$DOS_SCRIPTS/Patch.sh"; diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh index d856cadc..cdd7c144 100644 --- a/Scripts/LineageOS-16.0/Patch.sh +++ b/Scripts/LineageOS-16.0/Patch.sh 
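Review bot: `isUserRestricted()` returns `false` when `getSystemService(UserManager.class)` yields null, so the one path where the restriction cannot be evaluated leaves the APN editor open. Failing closed is the safer default for a gate like this: `if (userManager == null) { return true; }`, ideally with a log line like the other two branches. The added Robolectric tests cover the non-admin and the restricted case but not the null-manager case. The check runs only in `onCreate`, whose body continues outside the hunk.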
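Review bot: The exclusion list on the `P_asb_2023-08` pick grows from `365327` to `365327,365328,364605` with no comment saying why two more changes from a security-bulletin topic are skipped. A trailing comment in the style used in Patch.sh would do, e.g. `#365328,364605: <reason, e.g. replaced by a local backport>`. Without it a later reader cannot tell whether those fixes are covered elsewhere or were dropped.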
@@ -99,7 +99,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2022-01-05/2023-09-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-09 #XXX
+sed -i 's/2022-01-05/2023-10-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-10 #XXX
 fi;
 if enterAndClear "build/soong"; then
@@ -149,6 +149,10 @@ if enterAndClear "external/libvpx"; then
 applyPatch "$DOS_PATCHES_COMMON/android_external_libvpx/CVE-2023-5217.patch"; #VP8: disallow thread count changes
 fi;
+if enterAndClear "external/libxml2"; then
+applyPatch "$DOS_PATCHES/android_external_libxml2/368053.patch"; #R_asb_2023-10 malloc-fail: Fix OOB read after xmlRegGetCounter
+fi;
+
 if enterAndClear "external/svox"; then
 git revert --no-edit 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
 sed -i '12iLOCAL_SDK_VERSION := current' pico/Android.mk; #Fix build under Pie
@@ -161,6 +165,13 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_fram
 fi;
 if enterAndClear "frameworks/base"; then
+applyPatch "$DOS_PATCHES/android_frameworks_base/368055.patch"; #R_asb_2023-10 RingtoneManager: verify default ringtone is audio
+applyPatch "$DOS_PATCHES/android_frameworks_base/368059.patch"; #R_asb_2023-10 Do not share key mappings with JNI object
+applyPatch "$DOS_PATCHES/android_frameworks_base/368060-backport.patch"; #R_asb_2023-10 Verify URI Permissions in Autofill RemoteViews
+applyPatch "$DOS_PATCHES/android_frameworks_base/368061.patch"; #R_asb_2023-10 Fix KCM key mapping cloning
+applyPatch "$DOS_PATCHES/android_frameworks_base/368062-backport.patch"; #R_asb_2023-10 Disallow loading icon from content URI to PipMenu
+applyPatch "$DOS_PATCHES/android_frameworks_base/368063.patch"; #R_asb_2023-10 Fixing DatabaseUtils to detect malformed UTF-16 strings
+applyPatch "$DOS_PATCHES/android_frameworks_base/368067-backport.patch"; #R_asb_2023-10 Revert "DO NOT MERGE Dismiss keyguard when simpin auth'd and..."
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@@ -311,6 +322,7 @@ fi;
 if enterAndClear "packages/apps/Settings"; then
 git revert --no-edit c240992b4c86c7f226290807a2f41f2619e7e5e8; #Don't hide OEM unlock
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/368069-backport.patch"; #R_asb_2023-10 Restrict ApnEditor settings
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch) #TODO: Needs work
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)