14.1 December ASB, thanks to @syphyr

Signed-off-by: Tad <tad@spotco.us>
Tad 2022-12-10 16:34:46 -05:00
parent abb616d2f3
commit 63cbd1f483
15 changed files with 770 additions and 1 deletions


@ -0,0 +1,106 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Oli Lan <olilan@google.com>
Date: Fri, 19 Aug 2022 17:08:13 +0100
Subject: [PATCH] Validate package name passed to setApplicationRestrictions.
This adds validation that the package name passed to
setApplicationRestrictions is in the correct format. This will avoid
an issue where a path could be entered resulting in a file being
written to an unexpected place.
Bug: 239701237
Test: atest UserManagerServiceTest
Change-Id: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
(cherry picked from commit 31a582490d6e8952d24f267df47d669e3861cf67)
Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
(cherry picked from commit cfcfe6ca8c545f78603c05e23687f8638fd4b51d)
Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
---
.../android/server/pm/UserManagerService.java | 41 +++++++++++++++++++
.../server/pm/UserManagerServiceTest.java | 7 ++++
2 files changed, 48 insertions(+)
diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index a4ffc3938af9..cea22bbe46f4 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -73,6 +73,7 @@ import android.system.Os;
import android.system.OsConstants;
import android.text.TextUtils;
import android.util.AtomicFile;
+import android.util.EventLog;
import android.util.IntArray;
import android.util.Log;
import android.util.Slog;
@@ -2638,6 +2639,13 @@ public class UserManagerService extends IUserManager.Stub {
public void setApplicationRestrictions(String packageName, Bundle restrictions,
int userId) {
checkSystemOrRoot("set application restrictions");
+ String validationResult = validateName(packageName);
+ if (validationResult != null) {
+ if (packageName.contains("../")) {
+ EventLog.writeEvent(0x534e4554, "239701237", -1, "");
+ }
+ throw new IllegalArgumentException("Invalid package name: " + validationResult);
+ }
if (restrictions != null) {
restrictions.setDefusable(true);
}
@@ -2657,6 +2665,39 @@ public class UserManagerService extends IUserManager.Stub {
mContext.sendBroadcastAsUser(changeIntent, UserHandle.of(userId));
}
+ /**
+ * Check if the given name is valid.
+ *
+ * Note: the logic is taken from FrameworkParsingPackageUtils in master, edited to remove
+ * unnecessary parts. Copied here for a security fix.
+ *
+ * @param name The name to check.
+ * @return null if it's valid, error message if not
+ */
+ @VisibleForTesting
+ static String validateName(String name) {
+ final int n = name.length();
+ boolean front = true;
+ for (int i = 0; i < n; i++) {
+ final char c = name.charAt(i);
+ if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) {
+ front = false;
+ continue;
+ }
+ if (!front) {
+ if ((c >= '0' && c <= '9') || c == '_') {
+ continue;
+ }
+ if (c == '.') {
+ front = true;
+ continue;
+ }
+ }
+ return "bad character '" + c + "'";
+ }
+ return null;
+ }
+
private int getUidForPackage(String packageName) {
long ident = Binder.clearCallingIdentity();
try {
diff --git a/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java
index 9f77297b49dd..744be99e4bf7 100644
--- a/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java
+++ b/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java
@@ -74,6 +74,13 @@ public class UserManagerServiceTest extends AndroidTestCase {
assertEquals(accountName, um.getUserAccount(tempUserId));
}
+ public void testValidateName() {
+ assertNull(UserManagerService.validateName("android"));
+ assertNull(UserManagerService.validateName("com.company.myapp"));
+ assertNotNull(UserManagerService.validateName("/../../data"));
+ assertNotNull(UserManagerService.validateName("/dir"));
+ }
+
private Bundle createBundle() {
Bundle result = new Bundle();
// Tests for 6 allowed types: Integer, Boolean, String, String[], Bundle and Parcelable[]
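Review bot: validateName accepts the empty string and dereferences a null name before the new guard does anything useful: with n == 0 the loop body never runs and null ("valid") is returned, and `name.length()` throws NullPointerException for a null packageName, so the `packageName.contains("../")` logging branch is never reached in that case. A trailing '.' (for example `com.company.`) is also accepted because `front` is never examined after the loop. Rejecting empty input at the top of setApplicationRestrictions with `if (TextUtils.isEmpty(packageName)) throw new IllegalArgumentException("Invalid package name: empty");` covers both the null and empty cases using the TextUtils import the file already has, and `if (front) return "must not end with '.'";` before the final `return null` closes the trailing-dot gap. setApplicationRestrictions continues outside the hunk, so I cannot tell whether a later check already rejects these inputs.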


@ -0,0 +1,48 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pinyao Ting <pinyaoting@google.com>
Date: Wed, 21 Sep 2022 23:03:11 +0000
Subject: [PATCH] Ignore malformed shortcuts
After an app publishes a shortcut that contains malformed intent, the
system can be stuck in boot-loop due to uncaught exception caused by
parsing the malformed intent.
This CL ignores that particular malformed entry. Since shortcuts are
constantly writes back into the xml from system memory, the malformed
entry will be removed from the xml the next time system persists
shortcuts from memory to file system.
Bug: 246540168
Change-Id: Ie1e39005a5f9d8038bd703a5bc845779c2f46e94
Test: manual
(cherry picked from commit 9b0dd514d29bbf986f1d1a3c6cebc2ef2bcf782e)
Merged-In: Ie1e39005a5f9d8038bd703a5bc845779c2f46e94
---
.../com/android/server/pm/ShortcutPackage.java | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/services/core/java/com/android/server/pm/ShortcutPackage.java b/services/core/java/com/android/server/pm/ShortcutPackage.java
index 38d69ed287e1..0a98002feb14 100644
--- a/services/core/java/com/android/server/pm/ShortcutPackage.java
+++ b/services/core/java/com/android/server/pm/ShortcutPackage.java
@@ -1363,11 +1363,15 @@ class ShortcutPackage extends ShortcutPackageItem {
ret.getPackageInfo().loadFromXml(parser, fromBackup);
continue;
case TAG_SHORTCUT:
- final ShortcutInfo si = parseShortcut(parser, packageName,
- shortcutUser.getUserId());
-
- // Don't use addShortcut(), we don't need to save the icon.
- ret.mShortcuts.put(si.getId(), si);
+ try {
+ final ShortcutInfo si = parseShortcut(parser, packageName,
+ shortcutUser.getUserId());
+ // Don't use addShortcut(), we don't need to save the icon.
+ ret.mShortcuts.put(si.getId(), si);
+ } catch (Exception e) {
+ // b/246540168 malformed shortcuts should be ignored
+ Slog.e(TAG, "Failed parsing shortcut.", e);
+ }
continue;
}
}
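Review bot: The new `catch (Exception e)` swallows every failure from parseShortcut, including any IOException or XmlPullParserException it declares that would signal a corrupt or unreadable file rather than one bad entry, and it leaves the parser wherever parseShortcut stopped. If parseShortcut threw partway through a nested element, the enclosing loop (which starts and ends outside the hunk) presumably resumes from inside that element — confirm that its depth tracking skips the remainder of the malformed `<shortcut>` rather than treating its children as top-level tags. Narrowing the catch to the exception types the malformed-intent report actually produces, or advancing the parser to the end of the shortcut element inside the catch, would keep the boot-loop fix without masking unrelated parse errors.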


@ -0,0 +1,32 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Rhed Jao <rhedjao@google.com>
Date: Mon, 26 Sep 2022 21:35:26 +0800
Subject: [PATCH] Fix permanent denial of service via
setComponentEnabledSetting
Do not update invalid component enabled settings to prevent the
malicious apps from exhausting system server memory.
Bug: 240936919
Test: atest android.security.cts.PackageManagerTest
Change-Id: I08165337895e89f13a2b9fcce1201cba9ad13d7d
(cherry picked from commit 4d13148a3fa5f6bc1b7038fae7d1f1adda163a9f)
Merged-In: I08165337895e89f13a2b9fcce1201cba9ad13d7d
---
.../core/java/com/android/server/pm/PackageManagerService.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index e109337809cf..1e439c423a67 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -18339,6 +18339,9 @@ Slog.v(TAG, ":: stepped forward, applying functor at tag " + parser.getName());
} else {
Slog.w(TAG, "Failed setComponentEnabledSetting: component class "
+ className + " does not exist in " + packageName);
+ // Safetynet logging for b/240936919
+ EventLog.writeEvent(0x534e4554, "240936919", uid);
+ return;
}
}
switch (newState) {
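Review bot: The new early `return` in the "component class does not exist" branch silently drops the request: the caller of setComponentEnabledSetting gets neither an exception nor a result, whereas the other validation failures in this method presumably throw. That is a defensible choice so the DoS fix does not become a crash for existing callers, but the added comment only mentions logging; I would extend it to `// Do not persist a setting for a non-existent component (b/240936919); ignored rather than thrown so existing callers keep working`. The enclosing method starts and ends outside the hunk, so I cannot see whether a later path would have rejected the request anyway.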


@ -0,0 +1,102 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hao Ke <haok@google.com>
Date: Tue, 4 Oct 2022 19:43:58 +0000
Subject: [PATCH] Add safety checks on KEY_INTENT mismatch.
For many years, Parcel mismatch typed exploits has been using the
AccoungManagerService's passing of KEY_INTENT workflow, as a foothold of
launching arbitrary intents. We are adding an extra check on the service
side to simulate the final deserialization of the KEY_INTENT value, to
make sure the client side won't get a mismatched KEY_INTENT value.
Bug: 250588548
Bug: 240138294
Test: atest CtsAccountManagerTestCases
Test: local test, also see b/250588548
Change-Id: I433e34f6e21ce15c89825044a15b1dec46bb25cc
(cherry picked from commit eb9a0566a583fa13f8aff671c41f78a9e33eab82)
Merged-In: I433e34f6e21ce15c89825044a15b1dec46bb25cc
---
.../accounts/AccountManagerService.java | 34 ++++++++++++++++---
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index 239297cc420a..7273e3ea5ffc 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -89,6 +89,7 @@ import android.os.UserHandle;
import android.os.UserManager;
import android.os.storage.StorageManager;
import android.text.TextUtils;
+import android.util.EventLog;
import android.util.Log;
import android.util.Pair;
import android.util.Slog;
@@ -2545,7 +2546,7 @@ public class AccountManagerService
*/
if (!checkKeyIntent(
Binder.getCallingUid(),
- intent)) {
+ result)) {
onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
"invalid intent in bundle returned");
return;
@@ -2960,7 +2961,7 @@ public class AccountManagerService
&& (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
if (!checkKeyIntent(
Binder.getCallingUid(),
- intent)) {
+ result)) {
onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
"invalid intent in bundle returned");
return;
@@ -4230,7 +4231,13 @@ public class AccountManagerService
* into launching aribtrary intents on the device via by tricking to click authenticator
* supplied entries in the system Settings app.
*/
- protected boolean checkKeyIntent(int authUid, Intent intent) {
+ protected boolean checkKeyIntent(int authUid, Bundle bundle) {
+ if (!checkKeyIntentParceledCorrectly(bundle)) {
+ EventLog.writeEvent(0x534e4554, "250588548", authUid, "");
+ return false;
+ }
+
+ Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
// Explicitly set an empty ClipData to ensure that we don't offer to
// promote any Uris contained inside for granting purposes
if (intent.getClipData() == null) {
@@ -4263,6 +4270,25 @@ public class AccountManagerService
}
}
+ /**
+ * Simulate the client side's deserialization of KEY_INTENT value, to make sure they don't
+ * violate our security policy.
+ *
+ * In particular we want to make sure the Authenticator doesn't trick users
+ * into launching arbitrary intents on the device via exploiting any other Parcel read/write
+ * mismatch problems.
+ */
+ private boolean checkKeyIntentParceledCorrectly(Bundle bundle) {
+ Parcel p = Parcel.obtain();
+ p.writeBundle(bundle);
+ p.setDataPosition(0);
+ Bundle simulateBundle = p.readBundle();
+ p.recycle();
+ Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
+ Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);
+ return (intent.filterEquals(simulateIntent));
+ }
+
private void close() {
synchronized (mSessions) {
if (mSessions.remove(toString()) == null) {
@@ -4408,7 +4434,7 @@ public class AccountManagerService
&& (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
if (!checkKeyIntent(
Binder.getCallingUid(),
- intent)) {
+ result)) {
onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
"invalid intent in bundle returned");
return;
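Review bot: checkKeyIntentParceledCorrectly has no error path for a Bundle that fails to re-parse: `p.readBundle()` and the two `getParcelable` calls can throw (a BadParcelableException on a malformed value, for instance), which would propagate out of checkKeyIntent instead of returning false, and on that path `p.recycle()` is skipped so the Parcel leaks. The simulation should be wrapped so that any failure counts as a mismatch and the Parcel is always recycled, as below. Note also that, as I read Intent.filterEquals, it compares action, data, type, package, component and categories but not extras, so a mismatch confined to the extras of the re-read intent is not detected; that may be acceptable for the launch-arbitrary-intent threat but is worth stating in the method's Javadoc.
```java
    private boolean checkKeyIntentParceledCorrectly(Bundle bundle) {
        Parcel p = Parcel.obtain();
        try {
            p.writeBundle(bundle);
            p.setDataPosition(0);
            Bundle simulateBundle = p.readBundle();
            Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
            Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);
            // A value that does not survive a write/read round trip is treated as a mismatch.
            return intent != null && intent.filterEquals(simulateIntent);
        } catch (RuntimeException e) {
            Slog.w(TAG, "KEY_INTENT did not survive re-parceling", e);
            return false;
        } finally {
            p.recycle();
        }
    }
```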


@ -0,0 +1,48 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Keith Mok <keithmok@google.com>
Date: Thu, 15 Sep 2022 22:51:42 +0000
Subject: [PATCH] Fix OOB read for registerLocaleList
When the buffer size is equal to string size,
the func in icu just return warning U_STRING_NOT_TERMINATED_WARNING
which is a negative number, and U_FAILURE would fail if error number
greater than zero only.
This would cause non null terminated string passing into following funcs
and causing different types of crash
Bug: 239210579
Bug: 239328580
Bug: 239267173
Test: locale_fuzzer
Ignore-AOSP-First: security
Merged-In: Id9c98fc08876656e1f48d12823a24bb7a44bee45
Change-Id: Id9c98fc08876656e1f48d12823a24bb7a44bee45
(cherry picked from commit d8a427cc9c8a722b0911af5139b10b0a6aeb0e03)
Merged-In: Id9c98fc08876656e1f48d12823a24bb7a44bee45
---
libs/minikin/FontLanguageListCache.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libs/minikin/FontLanguageListCache.cpp b/libs/minikin/FontLanguageListCache.cpp
index 6b661f0..8ef4a1b 100644
--- a/libs/minikin/FontLanguageListCache.cpp
+++ b/libs/minikin/FontLanguageListCache.cpp
@@ -39,7 +39,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const std::string& loc
size_t outLength = 0;
UErrorCode uErr = U_ZERO_ERROR;
outLength = uloc_canonicalize(locale.c_str(), output, outSize, &uErr);
- if (U_FAILURE(uErr)) {
+ if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) {
// unable to build a proper language identifier
ALOGD("uloc_canonicalize(\"%s\") failed: %s", locale.c_str(), u_errorName(uErr));
output[0] = '\0';
@@ -64,7 +64,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const std::string& loc
uErr = U_ZERO_ERROR;
outLength = uloc_toLanguageTag(likelyChars, output, outSize, FALSE, &uErr);
- if (U_FAILURE(uErr)) {
+ if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) {
// unable to build a proper language identifier
ALOGD("uloc_toLanguageTag(\"%s\") failed: %s", likelyChars, u_errorName(uErr));
output[0] = '\0';
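Review bot: The same `U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)` condition now appears in both hunks of toLanguageTag, and a third copy is added to the uloc_addLikelySubtags call by the follow-on patch in this commit; a small helper such as `static bool icuCallFailed(UErrorCode err) { return U_FAILURE(err) || err == U_STRING_NOT_TERMINATED_WARNING; }` would keep the three sites in sync and make the intent (an unterminated result is a failure) visible at each call. Beyond that the checks look right: as I understand the ICU contract, a truncated result is reported as U_BUFFER_OVERFLOW_ERROR, which U_FAILURE already catches, so only the exact-fit warning case needed adding. toLanguageTag's body continues outside both hunks.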


@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Keith Mok <keithmok@google.com>
Date: Thu, 29 Sep 2022 22:34:05 +0000
Subject: [PATCH] Fix OOB crash for registerLocaleList
When the buffer size is equal to string size,
the func in icu just return warning U_STRING_NOT_TERMINATED_WARNING
which is a negative number, and U_FAILURE would fail if error number
greater than zero only.
This would cause non null terminated string passing into following funcs
and causing different types of crash
This fixes the previous partial fix.
Bug: 248612953
Bug: 239210579
Bug: 249151446
Bug: 239267173
Test: locale_fuzzer
Ignore-AOSP-First: security
Merged-In: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
Change-Id: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
(cherry picked from commit 582927b0d6c6920ee6a04049eaa9e68608cfc888)
(cherry picked from commit a8265407660edaa1006545a6401d6409c05acb5d)
Merged-In: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
---
libs/minikin/FontLanguageListCache.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libs/minikin/FontLanguageListCache.cpp b/libs/minikin/FontLanguageListCache.cpp
index 8ef4a1b..2bc39c2 100644
--- a/libs/minikin/FontLanguageListCache.cpp
+++ b/libs/minikin/FontLanguageListCache.cpp
@@ -55,7 +55,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const std::string& loc
char likelyChars[ULOC_FULLNAME_CAPACITY];
uErr = U_ZERO_ERROR;
uloc_addLikelySubtags(output, likelyChars, ULOC_FULLNAME_CAPACITY, &uErr);
- if (U_FAILURE(uErr)) {
+ if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) {
// unable to build a proper language identifier
ALOGD("uloc_addLikelySubtags(\"%s\") failed: %s", output, u_errorName(uErr));
output[0] = '\0';


@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Wed, 28 Sep 2022 23:30:49 +0000
Subject: [PATCH] Fix URI check in BluetoothOppUtility.java
Bug: 225880741
Test: BT unit tests, validated against researcher POC
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I65c1494023930aa23fede55936488f605c7cfe01
(cherry picked from commit d0957cfdf1fc1b36620c1545643ffbc37f0ac24c)
Merged-In: I65c1494023930aa23fede55936488f605c7cfe01
---
src/com/android/bluetooth/opp/BluetoothOppUtility.java | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
index f5d926964..3a4959fcd 100644
--- a/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+++ b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
@@ -49,6 +49,7 @@ import android.content.pm.ResolveInfo;
import android.database.Cursor;
import android.database.sqlite.SQLiteException;
import android.os.Environment;
+import android.util.EventLog;
import android.util.Log;
import java.io.File;
@@ -70,7 +71,11 @@ public class BluetoothOppUtility {
= new ConcurrentHashMap<Uri, BluetoothOppSendFileInfo>();
public static boolean isBluetoothShareUri(Uri uri) {
- return uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString());
+ if (uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString())
+ && !uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority())) {
+ EventLog.writeEvent(0x534e4554, "225880741", -1, "");
+ }
+ return uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority());
}
public static BluetoothOppTransferInfo queryRecord(Context context, Uri uri) {
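Review bot: `uri.getAuthority()` on the new lines can return null (a URI with no authority part has none), and `.equals` is then invoked on null, so isBluetoothShareUri would throw NullPointerException where the old prefix check simply returned false. Swapping the receiver fixes it without a new import: `return BluetoothShare.CONTENT_URI.getAuthority().equals(uri.getAuthority());`, and the same swap applies to the condition that feeds the EventLog line. Comparing the parsed authority rather than a string prefix is the right fix, so only the null case needs attention.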


@ -0,0 +1,60 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Milton Wu <mingjuwu@google.com>
Date: Mon, 8 Aug 2022 09:05:00 +0000
Subject: [PATCH] Add FLAG_SECURE for ChooseLockPassword and Pattern
Prevent ChooseLockPassword and ChooseLockPatten being projected to
remote views, add FLAG_SECURE for these screens.
Bug: 179725730
Test: Check these 2 screens not projected to chromecast
Test: robo test for SetupChooseLockPatternTest ChooseLockPatternTest
SetupChooseLockPasswordTest ChooseLockPasswordTest
Change-Id: I7449a24427c966c1aa4280a7b7e7e70b60997cca
---
src/com/android/settings/ChooseLockPassword.java | 3 +++
src/com/android/settings/ChooseLockPattern.java | 3 +++
2 files changed, 6 insertions(+)
diff --git a/src/com/android/settings/ChooseLockPassword.java b/src/com/android/settings/ChooseLockPassword.java
index 86696bb280..db1fbb4966 100644
--- a/src/com/android/settings/ChooseLockPassword.java
+++ b/src/com/android/settings/ChooseLockPassword.java
@@ -40,6 +40,7 @@ import android.view.LayoutInflater;
import android.view.View;
import android.view.View.OnClickListener;
import android.view.ViewGroup;
+import android.view.WindowManager;
import android.widget.Button;
import android.widget.EditText;
import android.widget.LinearLayout;
@@ -149,6 +150,8 @@ public class ChooseLockPassword extends SettingsActivity {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
+ getWindow().addPrivateFlags(
+ WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
CharSequence msg = getText(R.string.lockpassword_choose_your_password_header);
setTitle(msg);
LinearLayout layout = (LinearLayout) findViewById(R.id.content_parent);
diff --git a/src/com/android/settings/ChooseLockPattern.java b/src/com/android/settings/ChooseLockPattern.java
index b81a3edfef..76965d1750 100644
--- a/src/com/android/settings/ChooseLockPattern.java
+++ b/src/com/android/settings/ChooseLockPattern.java
@@ -26,6 +26,7 @@ import android.view.KeyEvent;
import android.view.LayoutInflater;
import android.view.View;
import android.view.ViewGroup;
+import android.view.WindowManager;
import android.widget.LinearLayout;
import android.widget.TextView;
@@ -112,6 +113,8 @@ public class ChooseLockPattern extends SettingsActivity {
protected void onCreate(Bundle savedInstanceState) {
// requestWindowFeature(Window.FEATURE_NO_TITLE);
super.onCreate(savedInstanceState);
+ getWindow().addPrivateFlags(
+ WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
CharSequence msg = getText(R.string.lockpassword_choose_your_pattern_header);
setTitle(msg);
LinearLayout layout = (LinearLayout) findViewById(R.id.content_parent);
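Review bot: The patch subject and description say FLAG_SECURE is added so these screens cannot be projected to remote views, but the code in both ChooseLockPassword.onCreate and ChooseLockPattern.onCreate adds `PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS`, which hides other apps' overlay windows and, as I understand it, does not stop screen capture or casting. If the projection protection described is intended, `getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);` is the call that provides it and would sit next to the overlay flag. Either way, a short comment at the call stating which protection is intended would stop the next reader from assuming both are in place.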


@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tyler Gunn <tgunn@google.com>
Date: Tue, 27 Sep 2022 15:19:05 -0700
Subject: [PATCH] Hide overlay windows when showing phone account
enable/disable screen.
Hide any system alert window overlays when the screen that lets the user
enable/disable phone accounts is shown.
Test: Manual test with overlay shown from test app; verify that the overlay
is hidden when the phone account selection screen is opened.
Bug: 246933359
Change-Id: Ia0209d57ee9a672cde4196076845d77941dc3f68
(cherry picked from commit a7d57ace5819c4eef340aaf6744ad441d0369035)
Merged-In: Ia0209d57ee9a672cde4196076845d77941dc3f68
---
.../telecom/settings/EnableAccountPreferenceActivity.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java b/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java
index 2367825b3..b1d497abb 100644
--- a/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java
+++ b/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java
@@ -25,12 +25,16 @@ import android.telecom.Log;
import android.telecom.PhoneAccountHandle;
import android.telecom.TelecomManager;
import android.view.MenuItem;
+import android.view.WindowManager;
public class EnableAccountPreferenceActivity extends Activity {
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
+ getWindow().addPrivateFlags(
+ WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
+
getFragmentManager().beginTransaction()
.replace(android.R.id.content, new EnableAccountPreferenceFragment())
.commit();


@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ted Wang <tedwang@google.com>
Date: Thu, 4 Aug 2022 09:41:24 +0800
Subject: [PATCH] Add length check when copy AVDTP packet
Bug: 232023771
Test: make
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
(cherry picked from commit 07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f)
Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
---
stack/avdt/avdt_msg.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/stack/avdt/avdt_msg.c b/stack/avdt/avdt_msg.c
index 91a58403e..65d4485e7 100644
--- a/stack/avdt/avdt_msg.c
+++ b/stack/avdt/avdt_msg.c
@@ -1411,6 +1411,11 @@ BT_HDR *avdt_msg_asmbl(tAVDT_CCB *p_ccb, BT_HDR *p_buf)
* would have allocated smaller buffer.
*/
p_ccb->p_rx_msg = (BT_HDR *)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
+ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE)
+ {
+ android_errorWriteLog(0x534e4554, "232023771");
+ return NULL;
+ }
memcpy(p_ccb->p_rx_msg, p_buf,
sizeof(BT_HDR) + p_buf->offset + p_buf->len);


@ -0,0 +1,44 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Thu, 25 Aug 2022 18:52:28 +0000
Subject: [PATCH] RESTRICT AUTOMERGE Added max buffer length check
Bug: 230867224
Test: Manual -- paired Bluetooth headset and played audio
Tags: #security
Ignore-AOSP-First: Security
Change-Id: I740038288143715a1c06db781efd674b269a7f3e
(cherry picked from commit 769f55450bd2eb94ddb9080f730e404de7716bda)
Merged-In: I740038288143715a1c06db781efd674b269a7f3e
---
stack/avct/avct_lcb_act.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/stack/avct/avct_lcb_act.c b/stack/avct/avct_lcb_act.c
index 878dd82b7..173c3070e 100644
--- a/stack/avct/avct_lcb_act.c
+++ b/stack/avct/avct_lcb_act.c
@@ -30,6 +30,7 @@
#include "avct_int.h"
#include "bt_common.h"
#include "btm_api.h"
+#include "osi/include/log.h"
/* packet header length lookup table */
const UINT8 avct_lcb_pkt_type_len[] = {
@@ -61,8 +62,14 @@ static BT_HDR *avct_lcb_msg_asmbl(tAVCT_LCB *p_lcb, BT_HDR *p_buf)
AVCT_PRS_PKT_TYPE(p, pkt_type);
/* quick sanity check on length */
- if (p_buf->len < avct_lcb_pkt_type_len[pkt_type])
+ if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] ||
+ (sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE)
{
+ if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) >
+ BT_DEFAULT_BUFFER_SIZE)
+ {
+ android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0);
+ }
osi_free(p_buf);
AVCT_TRACE_WARNING("Bad length during reassembly");
p_ret = NULL;
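Review bot: `sizeof(BT_HDR) + p_buf->offset + p_buf->len` is evaluated twice in the new code — once in the widened sanity check and again inside the branch to decide whether to log — so the two conditions can drift apart on a later edit. Computing it once, `const size_t needed = sizeof(BT_HDR) + p_buf->offset + p_buf->len;`, and using `needed > BT_DEFAULT_BUFFER_SIZE` in both places keeps the log condition tied to the rejection condition. The arithmetic itself is safe here because sizeof promotes the UINT16 fields to size_t before the additions. avct_lcb_msg_asmbl continues outside the hunk.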


@ -0,0 +1,28 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Thu, 25 Aug 2022 20:39:08 +0000
Subject: [PATCH] Add missing increment in bnep_api.cc
Bug: 228450451
Test: manual, pair BT and play audio
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I681878508feae3d0526ed3e928af7a415e7d5c36
(cherry picked from commit 0fa54c7d8a2c061202e61d75b805661c1e89a76d)
Merged-In: I681878508feae3d0526ed3e928af7a415e7d5c36
---
stack/bnep/bnep_api.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/stack/bnep/bnep_api.c b/stack/bnep/bnep_api.c
index e1c9f2e3d..d40c66c3c 100644
--- a/stack/bnep/bnep_api.c
+++ b/stack/bnep/bnep_api.c
@@ -283,6 +283,7 @@ tBNEP_RESULT BNEP_ConnectResp (UINT16 handle, tBNEP_RESULT resp)
while (extension_present && p && rem_len)
{
ext_type = *p++;
+ rem_len--;
extension_present = ext_type >> 7;
ext_type &= 0x7F;


@ -0,0 +1,68 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Keith Mok <keithmok@google.com>
Date: Tue, 16 Aug 2022 21:41:03 +0000
Subject: [PATCH] Add length check when copy AVDT and AVCT packet
Previous fix for AVDT causing memory leak.
And missing similar fix for AVCT packet.
Bug: 232023771
Test: make
Tag: #security
Ignore-AOSP-First: Security
Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90
Change-Id: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90
(cherry picked from commit a4311b284639bbd2c6c2c72d35d8444d40fb2d12)
Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90
---
stack/avct/avct_lcb_act.c | 9 ++++++++-
stack/avdt/avdt_msg.c | 6 ++++--
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/stack/avct/avct_lcb_act.c b/stack/avct/avct_lcb_act.c
index 173c3070e..e1a7c3d26 100644
--- a/stack/avct/avct_lcb_act.c
+++ b/stack/avct/avct_lcb_act.c
@@ -92,13 +92,20 @@ static BT_HDR *avct_lcb_msg_asmbl(tAVCT_LCB *p_lcb, BT_HDR *p_buf)
if (p_lcb->p_rx_msg != NULL)
AVCT_TRACE_WARNING("Got start during reassembly");
- osi_free(p_lcb->p_rx_msg);
+ osi_free_and_reset((void**)&p_lcb->p_rx_msg);
/*
* Allocate bigger buffer for reassembly. As lower layers are
* not aware of possible packet size after reassembly, they
* would have allocated smaller buffer.
*/
+ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE)
+ {
+ android_errorWriteLog(0x534e4554, "232023771");
+ osi_free(p_buf);
+ p_ret = NULL;
+ return p_ret;
+ }
p_lcb->p_rx_msg = (BT_HDR *)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
memcpy(p_lcb->p_rx_msg, p_buf,
sizeof(BT_HDR) + p_buf->offset + p_buf->len);
diff --git a/stack/avdt/avdt_msg.c b/stack/avdt/avdt_msg.c
index 65d4485e7..acda49858 100644
--- a/stack/avdt/avdt_msg.c
+++ b/stack/avdt/avdt_msg.c
@@ -1410,12 +1410,14 @@ BT_HDR *avdt_msg_asmbl(tAVDT_CCB *p_ccb, BT_HDR *p_buf)
* not aware of possible packet size after reassembly, they
* would have allocated smaller buffer.
*/
- p_ccb->p_rx_msg = (BT_HDR *)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE)
{
android_errorWriteLog(0x534e4554, "232023771");
- return NULL;
+ osi_free(p_buf);
+ p_ret = NULL;
+ return p_ret;
}
+ p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
memcpy(p_ccb->p_rx_msg, p_buf,
sizeof(BT_HDR) + p_buf->offset + p_buf->len);


@ -0,0 +1,58 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Keith Mok <keithmok@google.com>
Date: Mon, 22 Aug 2022 19:44:10 +0000
Subject: [PATCH] Fix integer overflow when parsing avrc response
Convert min_len from 16 bits to 32 bits to avoid
length checking overflow.
Also, use calloc instead of malloc for list allocation
since caller need to clean up string memory in the list items
Bug: 242459126
Test: fuzz_avrc
Tag: #security
Ignore-AOSP-First: Security
Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4
Change-Id: I7250509f2b320774926a8b24fd28828c5217d8a4
(cherry picked from commit a593687d6ad3978f48e2aa7be57d8239acdfa501)
Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4
---
stack/avdt/avdt_scb_act.c | 2 +-
stack/avrc/avrc_pars_ct.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/stack/avdt/avdt_scb_act.c b/stack/avdt/avdt_scb_act.c
index d7cf791cc..f61abd626 100644
--- a/stack/avdt/avdt_scb_act.c
+++ b/stack/avdt/avdt_scb_act.c
@@ -363,7 +363,7 @@ UINT8 * avdt_scb_hdl_report(tAVDT_SCB *p_scb, UINT8 *p, UINT16 len)
UINT8 *p_start = p;
UINT32 ssrc;
UINT8 o_v, o_p, o_cc;
- UINT16 min_len = 0;
+ UINT32 min_len = 0;
AVDT_REPORT_TYPE pt;
tAVDT_REPORT_DATA report, *p_rpt;
diff --git a/stack/avrc/avrc_pars_ct.c b/stack/avrc/avrc_pars_ct.c
index fc94424ba..b43fd5f55 100644
--- a/stack/avrc/avrc_pars_ct.c
+++ b/stack/avrc/avrc_pars_ct.c
@@ -148,7 +148,7 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR *p_msg, tAVRC_RESPONSE *p
tAVRC_STS avrc_parse_notification_rsp(UINT8* p_stream, UINT16 len,
tAVRC_REG_NOTIF_RSP* p_rsp) {
- UINT16 min_len = 1;
+ UINT32 min_len = 1;
if (len < min_len) goto length_error;
BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream);
@@ -241,7 +241,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
p++; /* skip the reserved/packe_type byte */
UINT16 len;
- UINT16 min_len = 0;
+ UINT32 min_len = 0;
BE_STREAM_TO_UINT16 (len, p);
AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d vendor_len=0x%x", __func__,
p_msg->hdr.ctype, p_result->pdu, len, p_msg->vendor_len);
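Review bot: The patch description says list allocation was switched from malloc to calloc so callers can free the string members of the list items, but the diffstat and both hunks contain only the three `UINT16 min_len` → `UINT32 min_len` changes; if the calloc change was dropped during the backport, either the description should be trimmed or the allocation in avrc_pars_ct.c (outside these hunks) still needs it. The widening itself is sound: with min_len held as UINT32 the `len < min_len` comparisons no longer wrap as min_len is presumably accumulated per entry, and `len` staying UINT16 is fine because it is promoted for the comparison. Both functions continue outside their hunks.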


@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
awk -i inplace '!/Exchange2/' target/product/core.mk;
sed -i 's/2021-06-05/2022-11-05/' core/version_defaults.mk; #Bump Security String #n-asb-2022-11 #XXX
sed -i 's/2021-06-05/2022-12-05/' core/version_defaults.mk; #Bump Security String #n-asb-2022-12 #XXX
fi;
if enterAndClear "device/qcom/sepolicy"; then
@ -167,6 +167,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/343957.patch"; #n-asb-2022-11 C
applyPatch "$DOS_PATCHES/android_frameworks_base/344188.patch"; #n-asb-2022-11 Do not send new Intent to non-exported activity when navigateUpTo
applyPatch "$DOS_PATCHES/android_frameworks_base/344189.patch"; #n-asb-2022-11 Move accountname and typeName length check from Account.java to AccountManagerService.
applyPatch "$DOS_PATCHES/android_frameworks_base/344217.patch"; #n-asb-2022-11 Do not dismiss keyguard after SIM PUK unlock
applyPatch "$DOS_PATCHES/android_frameworks_base/345519.patch"; #n-asb-2022-12 Validate package name passed to setApplicationRestrictions.
applyPatch "$DOS_PATCHES/android_frameworks_base/345520.patch"; #n-asb-2022-12 Ignore malformed shortcuts
applyPatch "$DOS_PATCHES/android_frameworks_base/345521.patch"; #n-asb-2022-12 Fix permanent denial of service via setComponentEnabledSetting
applyPatch "$DOS_PATCHES/android_frameworks_base/345522.patch"; #n-asb-2022-12 Add safety checks on KEY_INTENT mismatch.
git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@ -183,6 +187,11 @@ rm -rf packages/Osu; #Automatic Wi-Fi connection non-sense
rm -rf packages/PrintRecommendationService; #Creates popups to install proprietary print apps
fi;
if enterAndClear "frameworks/minikin"; then
applyPatch "$DOS_PATCHES/android_frameworks_minikin/345523.patch"; #n-asb-2022-12 Fix OOB read for registerLocaleList
applyPatch "$DOS_PATCHES/android_frameworks_minikin/345524.patch"; #n-asb-2022-12 Fix OOB crash for registerLocaleList
fi;
if enterAndClear "frameworks/native"; then
applyPatch "$DOS_PATCHES/android_frameworks_native/315714.patch"; #n-asb-2021-09 Do not modify vector after getting references
applyPatch "$DOS_PATCHES/android_frameworks_native/325993.patch"; #n-asb-2022-03 Check if the window is partially obscured for slippery enters
@ -276,6 +285,7 @@ fi;
if enterAndClear "packages/apps/Bluetooth"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332451.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332452.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345525.patch"; #n-asb-2022-12 Fix URI check in BluetoothOppUtility.java
fi;
if enterAndClear "packages/apps/Contacts"; then
@ -323,6 +333,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/327099.patch"; #n-asb-20
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334037.patch"; #n-asb-2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334874.patch"; #n-asb-2022-08 Verify ringtone from ringtone picker is audio
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334875.patch"; #n-asb-2022-08 Fix Settings crash when setting a null ringtone
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345679.patch"; #n-asb-2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
git revert --no-edit 2ebe6058c546194a301c1fd22963d6be4adbf961; #Don't hide OEM unlock
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/201113.patch"; #wifi: Add world regulatory domain country code (syphyr)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
@ -362,6 +373,7 @@ fi;
if enterAndClear "packages/services/Telecomm"; then
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332456.patch"; #n-asb-2022-06 limit TelecomManager#registerPhoneAccount to 10
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/343953.patch"; #n-asb-2022-11 Switch TelecomManager List getters to ParceledListSlice
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/345526.patch"; #n-asb-2022-12 Hide overlay windows when showing phone account enable/disable screen.
fi;
if enterAndClear "packages/services/Telephony"; then
@ -398,6 +410,11 @@ applyPatch "$DOS_PATCHES/android_system_bt/338000.patch"; #n-asb-2022-09 Fix OOB
applyPatch "$DOS_PATCHES/android_system_bt/341070.patch"; #n-asb-2022-10 Fix potential interger overflow when parsing vendor response
applyPatch "$DOS_PATCHES/android_system_bt/343958.patch"; #n-asb-2022-11 Add buffer in pin_reply in bluetooth.cc
applyPatch "$DOS_PATCHES/android_system_bt/343959.patch"; #n-asb-2022-11 Add negative length check in process_service_search_rsp
applyPatch "$DOS_PATCHES/android_system_bt/345527.patch"; #n-asb-2022-12 Add length check when copy AVDTP packet
applyPatch "$DOS_PATCHES/android_system_bt/345528.patch"; #n-asb-2022-12 Added max buffer length check
applyPatch "$DOS_PATCHES/android_system_bt/345529.patch"; #n-asb-2022-12 Add missing increment in bnep_api.cc
applyPatch "$DOS_PATCHES/android_system_bt/345530.patch"; #n-asb-2022-12 Add length check when copy AVDT and AVCT packet
applyPatch "$DOS_PATCHES/android_system_bt/345531.patch"; #n-asb-2022-12 Fix integer overflow when parsing avrc response
applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)