diff --git a/Patches/LineageOS-14.1/android_frameworks_base/345519.patch b/Patches/LineageOS-14.1/android_frameworks_base/345519.patch new file mode 100644 index 00000000..a16b017c --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_base/345519.patch 
@@ -0,0 +1,106 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Oli Lan +Date: Fri, 19 Aug 2022 17:08:13 +0100 +Subject: [PATCH] Validate package name passed to setApplicationRestrictions. + +This adds validation that the package name passed to +setApplicationRestrictions is in the correct format. This will avoid +an issue where a path could be entered resulting in a file being +written to an unexpected place. + +Bug: 239701237 +Test: atest UserManagerServiceTest +Change-Id: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96 +(cherry picked from commit 31a582490d6e8952d24f267df47d669e3861cf67) +Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96 +(cherry picked from commit cfcfe6ca8c545f78603c05e23687f8638fd4b51d) +Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96 +--- + .../android/server/pm/UserManagerService.java | 41 +++++++++++++++++++ + .../server/pm/UserManagerServiceTest.java | 7 ++++ + 2 files changed, 48 insertions(+) + +diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java +index a4ffc3938af9..cea22bbe46f4 100644 +--- a/services/core/java/com/android/server/pm/UserManagerService.java ++++ b/services/core/java/com/android/server/pm/UserManagerService.java +@@ -73,6 +73,7 @@ import android.system.Os; + import android.system.OsConstants; + import android.text.TextUtils; + import android.util.AtomicFile; ++import android.util.EventLog; + import android.util.IntArray; + import android.util.Log; + import android.util.Slog; +@@ -2638,6 +2639,13 @@ public class UserManagerService extends IUserManager.Stub { + public void setApplicationRestrictions(String packageName, Bundle restrictions, + int userId) { + checkSystemOrRoot("set application restrictions"); ++ String validationResult = validateName(packageName); ++ if (validationResult != null) { ++ if (packageName.contains("../")) { ++ EventLog.writeEvent(0x534e4554, "239701237", -1, ""); ++ } ++ 
throw new IllegalArgumentException("Invalid package name: " + validationResult); ++ } + if (restrictions != null) { + restrictions.setDefusable(true); + } +@@ -2657,6 +2665,39 @@ public class UserManagerService extends IUserManager.Stub { + mContext.sendBroadcastAsUser(changeIntent, UserHandle.of(userId)); + } + ++ /** ++ * Check if the given name is valid. ++ * ++ * Note: the logic is taken from FrameworkParsingPackageUtils in master, edited to remove ++ * unnecessary parts. Copied here for a security fix. ++ * ++ * @param name The name to check. ++ * @return null if it's valid, error message if not ++ */ ++ @VisibleForTesting ++ static String validateName(String name) { ++ final int n = name.length(); ++ boolean front = true; ++ for (int i = 0; i < n; i++) { ++ final char c = name.charAt(i); ++ if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) { ++ front = false; ++ continue; ++ } ++ if (!front) { ++ if ((c >= '0' && c <= '9') || c == '_') { ++ continue; ++ } ++ if (c == '.') { ++ front = true; ++ continue; ++ } ++ } ++ return "bad character '" + c + "'"; ++ } ++ return null; ++ } ++ + private int getUidForPackage(String packageName) { + long ident = Binder.clearCallingIdentity(); + try { +diff --git a/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java +index 9f77297b49dd..744be99e4bf7 100644 +--- a/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java ++++ b/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java +@@ -74,6 +74,13 @@ public class UserManagerServiceTest extends AndroidTestCase { + assertEquals(accountName, um.getUserAccount(tempUserId)); + } + ++ public void testValidateName() { ++ assertNull(UserManagerService.validateName("android")); ++ assertNull(UserManagerService.validateName("com.company.myapp")); ++ assertNotNull(UserManagerService.validateName("/../../data")); ++ 
assertNotNull(UserManagerService.validateName("/dir")); ++ } ++ + private Bundle createBundle() { + Bundle result = new Bundle(); + // Tests for 6 allowed types: Integer, Boolean, String, String[], Bundle and Parcelable[] diff --git a/Patches/LineageOS-14.1/android_frameworks_base/345520.patch b/Patches/LineageOS-14.1/android_frameworks_base/345520.patch new file mode 100644 index 00000000..52287646 --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_base/345520.patch 
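Review bot: `validateName` still accepts the empty string and any name ending in `'.'` (for example `"com.example."`), because the loop body never runs for `""` and a trailing `'.'` only sets `front` back to true, so neither reaches the `return "bad character"` path and `setApplicationRestrictions` proceeds with that name. A one-line check after the loop covers both: `if (front) return "empty name or empty trailing segment";`. Separately, `name.length()` runs before the `packageName.contains("../")` test, so a null `packageName` now surfaces as a `NullPointerException` rather than the `IllegalArgumentException` the new code intends; whether earlier code tolerated null is outside the hunk. The new `testValidateName` could pin both gaps with `assertNotNull(UserManagerService.validateName(""))` and `assertNotNull(UserManagerService.validateName("com.example."))`.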
@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting
+Date: Wed, 21 Sep 2022 23:03:11 +0000
+Subject: [PATCH] Ignore malformed shortcuts
+
+After an app publishes a shortcut that contains malformed intent, the
+system can be stuck in boot-loop due to uncaught exception caused by
+parsing the malformed intent.
+
+This CL ignores that particular malformed entry. Since shortcuts are
+constantly writes back into the xml from system memory, the malformed
+entry will be removed from the xml the next time system persists
+shortcuts from memory to file system.
+
+Bug: 246540168
+Change-Id: Ie1e39005a5f9d8038bd703a5bc845779c2f46e94
+Test: manual
+(cherry picked from commit 9b0dd514d29bbf986f1d1a3c6cebc2ef2bcf782e)
+Merged-In: Ie1e39005a5f9d8038bd703a5bc845779c2f46e94
+---
+ .../com/android/server/pm/ShortcutPackage.java | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutPackage.java b/services/core/java/com/android/server/pm/ShortcutPackage.java
+index 38d69ed287e1..0a98002feb14 100644
+--- a/services/core/java/com/android/server/pm/ShortcutPackage.java
++++ b/services/core/java/com/android/server/pm/ShortcutPackage.java
+@@ -1363,11 +1363,15 @@ class ShortcutPackage extends ShortcutPackageItem {
+ ret.getPackageInfo().loadFromXml(parser, fromBackup);
+ continue;
+ case TAG_SHORTCUT:
+- final ShortcutInfo si = parseShortcut(parser, packageName,
+- shortcutUser.getUserId());
+-
+- // Don't use addShortcut(), we don't need to save the icon.
+- ret.mShortcuts.put(si.getId(), si);
++ try {
++ final ShortcutInfo si = parseShortcut(parser, packageName,
++ shortcutUser.getUserId());
++ // Don't use addShortcut(), we don't need to save the icon.
++ ret.mShortcuts.put(si.getId(), si);
++ } catch (Exception e) {
++ // b/246540168 malformed shortcuts should be ignored
++ Slog.e(TAG, "Failed parsing shortcut.", e);
++ }
+ continue;
+ }
+ }
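Review bot: The `catch (Exception e)` wrapped around `parseShortcut` in the `TAG_SHORTCUT` case is wider than the failure it is meant to absorb: besides the runtime exception raised by a malformed intent it also swallows an `XmlPullParserException` or `IOException` thrown part-way through the `<shortcut>` element, and the `continue` that follows may then resume the enclosing loop with the parser still positioned inside that element (the loop itself is outside the hunk). Narrowing the catch to the exception type actually observed for b/246540168 — presumably a `RuntimeException` subclass — keeps parser and I/O errors propagating as before, or, if the breadth is deliberate, the comment should say so. The rationale currently lives only in the commit message; a comment such as `// b/246540168: skip a shortcut whose intent cannot be parsed; it is dropped on the next persist.` carries it into the code.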
diff --git a/Patches/LineageOS-14.1/android_frameworks_base/345521.patch b/Patches/LineageOS-14.1/android_frameworks_base/345521.patch new file mode 100644 index 00000000..5fbe2daf --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_base/345521.patch @@ -0,0 +1,32 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Rhed Jao +Date: Mon, 26 Sep 2022 21:35:26 +0800 +Subject: [PATCH] Fix permanent denial of service via + setComponentEnabledSetting + +Do not update invalid component enabled settings to prevent the +malicious apps from exhausting system server memory. + +Bug: 240936919 +Test: atest android.security.cts.PackageManagerTest +Change-Id: I08165337895e89f13a2b9fcce1201cba9ad13d7d +(cherry picked from commit 4d13148a3fa5f6bc1b7038fae7d1f1adda163a9f) +Merged-In: I08165337895e89f13a2b9fcce1201cba9ad13d7d +--- + .../core/java/com/android/server/pm/PackageManagerService.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index e109337809cf..1e439c423a67 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -18339,6 +18339,9 @@ Slog.v(TAG, ":: stepped forward, applying functor at tag " + parser.getName()); + } else { + Slog.w(TAG, "Failed setComponentEnabledSetting: component class " + + className + " does not exist in " + packageName); ++ // Safetynet logging for b/240936919 ++ EventLog.writeEvent(0x534e4554, "240936919", uid); ++ return; + } + } + switch (newState) { diff --git a/Patches/LineageOS-14.1/android_frameworks_base/345522.patch b/Patches/LineageOS-14.1/android_frameworks_base/345522.patch new file mode 100644 index 00000000..d23bb487 --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_base/345522.patch 
@@ -0,0 +1,102 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hao Ke +Date: Tue, 4 Oct 2022 19:43:58 +0000 +Subject: [PATCH] Add safety checks on KEY_INTENT mismatch. + +For many years, Parcel mismatch typed exploits has been using the +AccoungManagerService's passing of KEY_INTENT workflow, as a foothold of +launching arbitrary intents. We are adding an extra check on the service +side to simulate the final deserialization of the KEY_INTENT value, to +make sure the client side won't get a mismatched KEY_INTENT value. + +Bug: 250588548 +Bug: 240138294 +Test: atest CtsAccountManagerTestCases +Test: local test, also see b/250588548 +Change-Id: I433e34f6e21ce15c89825044a15b1dec46bb25cc +(cherry picked from commit eb9a0566a583fa13f8aff671c41f78a9e33eab82) +Merged-In: I433e34f6e21ce15c89825044a15b1dec46bb25cc +--- + .../accounts/AccountManagerService.java | 34 ++++++++++++++++--- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index 239297cc420a..7273e3ea5ffc 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -89,6 +89,7 @@ import android.os.UserHandle; + import android.os.UserManager; + import android.os.storage.StorageManager; + import android.text.TextUtils; ++import android.util.EventLog; + import android.util.Log; + import android.util.Pair; + import android.util.Slog; +@@ -2545,7 +2546,7 @@ public class AccountManagerService + */ + if (!checkKeyIntent( + Binder.getCallingUid(), +- intent)) { ++ result)) { + onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, + "invalid intent in bundle returned"); + return; +@@ -2960,7 +2961,7 @@ public class AccountManagerService + && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { + if 
(!checkKeyIntent( + Binder.getCallingUid(), +- intent)) { ++ result)) { + onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, + "invalid intent in bundle returned"); + return; +@@ -4230,7 +4231,13 @@ public class AccountManagerService + * into launching aribtrary intents on the device via by tricking to click authenticator + * supplied entries in the system Settings app. + */ +- protected boolean checkKeyIntent(int authUid, Intent intent) { ++ protected boolean checkKeyIntent(int authUid, Bundle bundle) { ++ if (!checkKeyIntentParceledCorrectly(bundle)) { ++ EventLog.writeEvent(0x534e4554, "250588548", authUid, ""); ++ return false; ++ } ++ ++ Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); + // Explicitly set an empty ClipData to ensure that we don't offer to + // promote any Uris contained inside for granting purposes + if (intent.getClipData() == null) { +@@ -4263,6 +4270,25 @@ public class AccountManagerService + } + } + ++ /** ++ * Simulate the client side's deserialization of KEY_INTENT value, to make sure they don't ++ * violate our security policy. ++ * ++ * In particular we want to make sure the Authenticator doesn't trick users ++ * into launching arbitrary intents on the device via exploiting any other Parcel read/write ++ * mismatch problems. 
++ */ ++ private boolean checkKeyIntentParceledCorrectly(Bundle bundle) { ++ Parcel p = Parcel.obtain(); ++ p.writeBundle(bundle); ++ p.setDataPosition(0); ++ Bundle simulateBundle = p.readBundle(); ++ p.recycle(); ++ Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); ++ Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT); ++ return (intent.filterEquals(simulateIntent)); ++ } ++ + private void close() { + synchronized (mSessions) { + if (mSessions.remove(toString()) == null) { +@@ -4408,7 +4434,7 @@ public class AccountManagerService + && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { + if (!checkKeyIntent( + Binder.getCallingUid(), +- intent)) { ++ result)) { + onError(AccountManager.ERROR_CODE_INVALID_RESPONSE, + "invalid intent in bundle returned"); + return; diff --git a/Patches/LineageOS-14.1/android_frameworks_minikin/345523.patch b/Patches/LineageOS-14.1/android_frameworks_minikin/345523.patch new file mode 100644 index 00000000..08ba3d33 --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_minikin/345523.patch 
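Review bot: `checkKeyIntentParceledCorrectly` leaks the `Parcel` obtained on its first line when `p.readBundle()` throws, because `p.recycle()` is reached only on the success path — and a Bundle that cannot be re-read is exactly the mismatch this simulation is looking for, so that path should both recycle and return false. `filterEquals` compares only the intent's action, data, type, package, component and categories, so a mismatch confined to extras or the selector would pass this check; whether that matters depends on what the client reads from the returned intent, which is outside the hunk. `intent` itself is not null-checked here (its `simulateIntent` counterpart is handled by `filterEquals`), and `checkKeyIntent` dereferences it on the next line; the call sites visible in this patch test `!= null` before calling, so this holds only as long as that convention is kept. A try/finally around the round-trip fixes the leak:
```java
private boolean checkKeyIntentParceledCorrectly(Bundle bundle) {
    Parcel p = Parcel.obtain();
    Bundle simulateBundle;
    try {
        p.writeBundle(bundle);
        p.setDataPosition(0);
        simulateBundle = p.readBundle();
    } catch (RuntimeException e) {
        // A bundle that cannot be round-tripped is itself a mismatch: reject it.
        return false;
    } finally {
        p.recycle();
    }
    // … unchanged: getParcelable(KEY_INTENT) on both bundles and filterEquals …
}
```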
@@ -0,0 +1,48 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Keith Mok +Date: Thu, 15 Sep 2022 22:51:42 +0000 +Subject: [PATCH] Fix OOB read for registerLocaleList + +When the buffer size is equal to string size, +the func in icu just return warning U_STRING_NOT_TERMINATED_WARNING +which is a negative number, and U_FAILURE would fail if error number +greater than zero only. + +This would cause non null terminated string passing into following funcs +and causing different types of crash + +Bug: 239210579 +Bug: 239328580 +Bug: 239267173 +Test: locale_fuzzer +Ignore-AOSP-First: security +Merged-In: Id9c98fc08876656e1f48d12823a24bb7a44bee45 +Change-Id: Id9c98fc08876656e1f48d12823a24bb7a44bee45 +(cherry picked from commit d8a427cc9c8a722b0911af5139b10b0a6aeb0e03) +Merged-In: Id9c98fc08876656e1f48d12823a24bb7a44bee45 +--- + libs/minikin/FontLanguageListCache.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libs/minikin/FontLanguageListCache.cpp b/libs/minikin/FontLanguageListCache.cpp +index 6b661f0..8ef4a1b 100644 +--- a/libs/minikin/FontLanguageListCache.cpp ++++ b/libs/minikin/FontLanguageListCache.cpp +@@ -39,7 +39,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const std::string& loc + size_t outLength = 0; + UErrorCode uErr = U_ZERO_ERROR; + outLength = uloc_canonicalize(locale.c_str(), output, outSize, &uErr); +- if (U_FAILURE(uErr)) { ++ if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) { + // unable to build a proper language identifier + ALOGD("uloc_canonicalize(\"%s\") failed: %s", locale.c_str(), u_errorName(uErr)); + output[0] = '\0'; +@@ -64,7 +64,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const std::string& loc + + uErr = U_ZERO_ERROR; + outLength = uloc_toLanguageTag(likelyChars, output, outSize, FALSE, &uErr); +- if (U_FAILURE(uErr)) { ++ if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) { + // unable to build a proper 
language identifier + ALOGD("uloc_toLanguageTag(\"%s\") failed: %s", likelyChars, u_errorName(uErr)); + output[0] = '\0'; diff --git a/Patches/LineageOS-14.1/android_frameworks_minikin/345524.patch b/Patches/LineageOS-14.1/android_frameworks_minikin/345524.patch new file mode 100644 index 00000000..e6853171 --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_minikin/345524.patch 
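Review bot: The `U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)` test is now written out verbatim at both call sites in `toLanguageTag` and a third time in 345524.patch for `uloc_addLikelySubtags`; a single helper such as `static bool icuCallFailed(UErrorCode err) { return U_FAILURE(err) || err == U_STRING_NOT_TERMINATED_WARNING; }` would state the intent once (any result that may be unterminated is unusable) and keep the three sites from drifting again, which is how the first backport came to miss one of them. The check also discards a result whose length is exactly `outSize`; that is the right trade-off here because `output` is consumed as a C string, but it deserves a one-line comment at the first site, `// a result that fills the buffer is not NUL-terminated; reject it`. `toLanguageTag` begins and ends outside the hunk.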
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keith Mok
+Date: Thu, 29 Sep 2022 22:34:05 +0000
+Subject: [PATCH] Fix OOB crash for registerLocaleList
+
+When the buffer size is equal to string size,
+the func in icu just return warning U_STRING_NOT_TERMINATED_WARNING
+which is a negative number, and U_FAILURE would fail if error number
+greater than zero only.
+
+This would cause non null terminated string passing into following funcs
+and causing different types of crash
+
+This fixes the previous partial fix.
+
+Bug: 248612953
+Bug: 239210579
+Bug: 249151446
+Bug: 239267173
+Test: locale_fuzzer
+Ignore-AOSP-First: security
+Merged-In: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
+Change-Id: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
+(cherry picked from commit 582927b0d6c6920ee6a04049eaa9e68608cfc888)
+(cherry picked from commit a8265407660edaa1006545a6401d6409c05acb5d)
+Merged-In: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
+---
+ libs/minikin/FontLanguageListCache.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libs/minikin/FontLanguageListCache.cpp b/libs/minikin/FontLanguageListCache.cpp
+index 8ef4a1b..2bc39c2 100644
+--- a/libs/minikin/FontLanguageListCache.cpp
++++ b/libs/minikin/FontLanguageListCache.cpp
+@@ -55,7 +55,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const std::string& loc
+ char likelyChars[ULOC_FULLNAME_CAPACITY];
+ uErr = U_ZERO_ERROR;
+ uloc_addLikelySubtags(output, likelyChars, ULOC_FULLNAME_CAPACITY, &uErr);
+- if (U_FAILURE(uErr)) {
++ if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) {
+ // unable to build a proper language identifier
+ ALOGD("uloc_addLikelySubtags(\"%s\") failed: %s", output, u_errorName(uErr));
+ output[0] = '\0';
diff --git a/Patches/LineageOS-14.1/android_packages_apps_Bluetooth/345525.patch b/Patches/LineageOS-14.1/android_packages_apps_Bluetooth/345525.patch
new file mode 100644
index 00000000..48b4b0ba
--- /dev/null +++ b/Patches/LineageOS-14.1/android_packages_apps_Bluetooth/345525.patch @@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Wed, 28 Sep 2022 23:30:49 +0000 +Subject: [PATCH] Fix URI check in BluetoothOppUtility.java + +Bug: 225880741 +Test: BT unit tests, validated against researcher POC +Tag: #security +Ignore-AOSP-First: Security +Change-Id: I65c1494023930aa23fede55936488f605c7cfe01 +(cherry picked from commit d0957cfdf1fc1b36620c1545643ffbc37f0ac24c) +Merged-In: I65c1494023930aa23fede55936488f605c7cfe01 +--- + src/com/android/bluetooth/opp/BluetoothOppUtility.java | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java +index f5d926964..3a4959fcd 100644 +--- a/src/com/android/bluetooth/opp/BluetoothOppUtility.java ++++ b/src/com/android/bluetooth/opp/BluetoothOppUtility.java +@@ -49,6 +49,7 @@ import android.content.pm.ResolveInfo; + import android.database.Cursor; + import android.database.sqlite.SQLiteException; + import android.os.Environment; ++import android.util.EventLog; + import android.util.Log; + + import java.io.File; +@@ -70,7 +71,11 @@ public class BluetoothOppUtility { + = new ConcurrentHashMap(); + + public static boolean isBluetoothShareUri(Uri uri) { +- return uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString()); ++ if (uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString()) ++ && !uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority())) { ++ EventLog.writeEvent(0x534e4554, "225880741", -1, ""); ++ } ++ return uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority()); + } + + public static BluetoothOppTransferInfo queryRecord(Context context, Uri uri) { 
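Review bot: `uri.getAuthority()` returns null for a URI that has no authority component (an opaque URI, or a bare path), so both the new logging condition and the final `return` in `isBluetoothShareUri` throw `NullPointerException` instead of returning false; putting the constant on the left is null-safe: `return BluetoothShare.CONTENT_URI.getAuthority().equals(uri.getAuthority());`, and likewise in the `if`. The authority-only comparison also drops the scheme check that `startsWith(BluetoothShare.CONTENT_URI.toString())` implied, so a URI with the right authority but a different scheme now passes; if the callers rely on the scheme, compare it too: `BluetoothShare.CONTENT_URI.getScheme().equals(uri.getScheme()) && ...`. The `startsWith` expression now exists only to feed the EventLog line, so once that signal is no longer needed the method can collapse to the single comparison.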
diff --git a/Patches/LineageOS-14.1/android_packages_apps_Settings/345679.patch b/Patches/LineageOS-14.1/android_packages_apps_Settings/345679.patch new file mode 100644 index 00000000..8ae84521 --- /dev/null +++ b/Patches/LineageOS-14.1/android_packages_apps_Settings/345679.patch 
@@ -0,0 +1,60 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Milton Wu +Date: Mon, 8 Aug 2022 09:05:00 +0000 +Subject: [PATCH] Add FLAG_SECURE for ChooseLockPassword and Pattern + +Prevent ChooseLockPassword and ChooseLockPatten being projected to +remote views, add FLAG_SECURE for these screens. + +Bug: 179725730 +Test: Check these 2 screens not projected to chromecast +Test: robo test for SetupChooseLockPatternTest ChooseLockPatternTest + SetupChooseLockPasswordTest ChooseLockPasswordTest +Change-Id: I7449a24427c966c1aa4280a7b7e7e70b60997cca +--- + src/com/android/settings/ChooseLockPassword.java | 3 +++ + src/com/android/settings/ChooseLockPattern.java | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/src/com/android/settings/ChooseLockPassword.java b/src/com/android/settings/ChooseLockPassword.java +index 86696bb280..db1fbb4966 100644 +--- a/src/com/android/settings/ChooseLockPassword.java ++++ b/src/com/android/settings/ChooseLockPassword.java +@@ -40,6 +40,7 @@ import android.view.LayoutInflater; + import android.view.View; + import android.view.View.OnClickListener; + import android.view.ViewGroup; ++import android.view.WindowManager; + import android.widget.Button; + import android.widget.EditText; + import android.widget.LinearLayout; +@@ -149,6 +150,8 @@ public class ChooseLockPassword extends SettingsActivity { + @Override + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); ++ getWindow().addPrivateFlags( ++ WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); + CharSequence msg = getText(R.string.lockpassword_choose_your_password_header); + setTitle(msg); + LinearLayout layout = (LinearLayout) findViewById(R.id.content_parent); +diff --git a/src/com/android/settings/ChooseLockPattern.java b/src/com/android/settings/ChooseLockPattern.java +index b81a3edfef..76965d1750 100644 +--- a/src/com/android/settings/ChooseLockPattern.java ++++ 
b/src/com/android/settings/ChooseLockPattern.java +@@ -26,6 +26,7 @@ import android.view.KeyEvent; + import android.view.LayoutInflater; + import android.view.View; + import android.view.ViewGroup; ++import android.view.WindowManager; + import android.widget.LinearLayout; + import android.widget.TextView; + +@@ -112,6 +113,8 @@ public class ChooseLockPattern extends SettingsActivity { + protected void onCreate(Bundle savedInstanceState) { + // requestWindowFeature(Window.FEATURE_NO_TITLE); + super.onCreate(savedInstanceState); ++ getWindow().addPrivateFlags( ++ WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); + CharSequence msg = getText(R.string.lockpassword_choose_your_pattern_header); + setTitle(msg); + LinearLayout layout = (LinearLayout) findViewById(R.id.content_parent); diff --git a/Patches/LineageOS-14.1/android_packages_services_Telecomm/345526.patch b/Patches/LineageOS-14.1/android_packages_services_Telecomm/345526.patch new file mode 100644 index 00000000..cbb3da2c --- /dev/null +++ b/Patches/LineageOS-14.1/android_packages_services_Telecomm/345526.patch 
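Review bot: The lines added to both `onCreate` methods set `PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS`, which suppresses non-system overlay windows drawn over the screen, while the subject and body of this patch describe adding `FLAG_SECURE` so that the screens cannot be projected to remote displays; those are different mitigations, and the overlay flag does not stop capture or projection. If the backport intends what the message says, the line is `getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);` (possibly alongside the overlay flag); otherwise the subject and body should be rewritten to describe the overlay mitigation actually applied. The ChooseLockPassword hunk earlier in this file has the same mismatch.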
@@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tyler Gunn +Date: Tue, 27 Sep 2022 15:19:05 -0700 +Subject: [PATCH] Hide overlay windows when showing phone account + enable/disable screen. + +Hide any system alert window overlays when the screen that lets the user +enable/disable phone accounts is shown. + +Test: Manual test with overlay shown from test app; verify that the overlay +is hidden when the phone account selection screen is opened. +Bug: 246933359 + +Change-Id: Ia0209d57ee9a672cde4196076845d77941dc3f68 +(cherry picked from commit a7d57ace5819c4eef340aaf6744ad441d0369035) +Merged-In: Ia0209d57ee9a672cde4196076845d77941dc3f68 +--- + .../telecom/settings/EnableAccountPreferenceActivity.java | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java b/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java +index 2367825b3..b1d497abb 100644 +--- a/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java ++++ b/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java +@@ -25,12 +25,16 @@ import android.telecom.Log; + import android.telecom.PhoneAccountHandle; + import android.telecom.TelecomManager; + import android.view.MenuItem; ++import android.view.WindowManager; + + public class EnableAccountPreferenceActivity extends Activity { + @Override + public void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); + ++ getWindow().addPrivateFlags( ++ WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); ++ + getFragmentManager().beginTransaction() + .replace(android.R.id.content, new EnableAccountPreferenceFragment()) + .commit(); diff --git a/Patches/LineageOS-14.1/android_system_bt/345527.patch b/Patches/LineageOS-14.1/android_system_bt/345527.patch new file mode 100644 index 00000000..4dc19147 --- /dev/null 
+++ b/Patches/LineageOS-14.1/android_system_bt/345527.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ted Wang
+Date: Thu, 4 Aug 2022 09:41:24 +0800
+Subject: [PATCH] Add length check when copy AVDTP packet
+
+Bug: 232023771
+Test: make
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
+Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
+(cherry picked from commit 07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f)
+Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
+---
+ stack/avdt/avdt_msg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/stack/avdt/avdt_msg.c b/stack/avdt/avdt_msg.c
+index 91a58403e..65d4485e7 100644
+--- a/stack/avdt/avdt_msg.c
++++ b/stack/avdt/avdt_msg.c
+@@ -1411,6 +1411,11 @@ BT_HDR *avdt_msg_asmbl(tAVDT_CCB *p_ccb, BT_HDR *p_buf)
+ * would have allocated smaller buffer.
+ */
+ p_ccb->p_rx_msg = (BT_HDR *)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
++ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE)
++ {
++ android_errorWriteLog(0x534e4554, "232023771");
++ return NULL;
++ }
+ memcpy(p_ccb->p_rx_msg, p_buf,
+ sizeof(BT_HDR) + p_buf->offset + p_buf->len);
+
diff --git a/Patches/LineageOS-14.1/android_system_bt/345528.patch b/Patches/LineageOS-14.1/android_system_bt/345528.patch
new file mode 100644
index 00000000..8b38ae17
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_system_bt/345528.patch
@@ -0,0 +1,44 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Thu, 25 Aug 2022 18:52:28 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Added max buffer length check + +Bug: 230867224 +Test: Manual -- paired Bluetooth headset and played audio +Tags: #security +Ignore-AOSP-First: Security +Change-Id: I740038288143715a1c06db781efd674b269a7f3e +(cherry picked from commit 769f55450bd2eb94ddb9080f730e404de7716bda) +Merged-In: I740038288143715a1c06db781efd674b269a7f3e +--- + stack/avct/avct_lcb_act.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/stack/avct/avct_lcb_act.c b/stack/avct/avct_lcb_act.c +index 878dd82b7..173c3070e 100644 +--- a/stack/avct/avct_lcb_act.c ++++ b/stack/avct/avct_lcb_act.c +@@ -30,6 +30,7 @@ + #include "avct_int.h" + #include "bt_common.h" + #include "btm_api.h" ++#include "osi/include/log.h" + + /* packet header length lookup table */ + const UINT8 avct_lcb_pkt_type_len[] = { +@@ -61,8 +62,14 @@ static BT_HDR *avct_lcb_msg_asmbl(tAVCT_LCB *p_lcb, BT_HDR *p_buf) + AVCT_PRS_PKT_TYPE(p, pkt_type); + + /* quick sanity check on length */ +- if (p_buf->len < avct_lcb_pkt_type_len[pkt_type]) ++ if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] || ++ (sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) + { ++ if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) > ++ BT_DEFAULT_BUFFER_SIZE) ++ { ++ android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0); ++ } + osi_free(p_buf); + AVCT_TRACE_WARNING("Bad length during reassembly"); + p_ret = NULL; diff --git a/Patches/LineageOS-14.1/android_system_bt/345529.patch b/Patches/LineageOS-14.1/android_system_bt/345529.patch new file mode 100644 index 00000000..5bf1591e --- /dev/null +++ b/Patches/LineageOS-14.1/android_system_bt/345529.patch 
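Review bot: The expression `sizeof(BT_HDR) + p_buf->offset + p_buf->len` is evaluated twice in the new `avct_lcb_msg_asmbl` code — once in the `if` and again inside it only to decide whether to log — which is easy to let drift; computing it once as `const size_t total = sizeof(BT_HDR) + p_buf->offset + p_buf->len;` before the check and reusing `total` in both places is clearer. The oversized case correctly reuses the existing `osi_free(p_buf)` / `p_ret = NULL` handling, so the buffer is released before the reassembly `memcpy` later in the function (outside the hunk). Note that 345530.patch adds what appears to be an equivalent size test further down the same function; once both patches are applied one of the two is likely redundant and could be dropped, with a comment at the survivor explaining why `BT_DEFAULT_BUFFER_SIZE` is the bound.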
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Thu, 25 Aug 2022 20:39:08 +0000
+Subject: [PATCH] Add missing increment in bnep_api.cc
+
+Bug: 228450451
+Test: manual, pair BT and play audio
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I681878508feae3d0526ed3e928af7a415e7d5c36
+(cherry picked from commit 0fa54c7d8a2c061202e61d75b805661c1e89a76d)
+Merged-In: I681878508feae3d0526ed3e928af7a415e7d5c36
+---
+ stack/bnep/bnep_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/stack/bnep/bnep_api.c b/stack/bnep/bnep_api.c
+index e1c9f2e3d..d40c66c3c 100644
+--- a/stack/bnep/bnep_api.c
++++ b/stack/bnep/bnep_api.c
+@@ -283,6 +283,7 @@ tBNEP_RESULT BNEP_ConnectResp (UINT16 handle, tBNEP_RESULT resp)
+ while (extension_present && p && rem_len)
+ {
+ ext_type = *p++;
++ rem_len--;
+ extension_present = ext_type >> 7;
+ ext_type &= 0x7F;
+
diff --git a/Patches/LineageOS-14.1/android_system_bt/345530.patch b/Patches/LineageOS-14.1/android_system_bt/345530.patch
new file mode 100644
index 00000000..650b09f9
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_system_bt/345530.patch
@@ -0,0 +1,68 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Keith Mok +Date: Tue, 16 Aug 2022 21:41:03 +0000 +Subject: [PATCH] Add length check when copy AVDT and AVCT packet + +Previous fix for AVDT causing memory leak. +And missing similar fix for AVCT packet. + +Bug: 232023771 +Test: make +Tag: #security +Ignore-AOSP-First: Security +Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90 +Change-Id: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90 +(cherry picked from commit a4311b284639bbd2c6c2c72d35d8444d40fb2d12) +Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90 +--- + stack/avct/avct_lcb_act.c | 9 ++++++++- + stack/avdt/avdt_msg.c | 6 ++++-- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/stack/avct/avct_lcb_act.c b/stack/avct/avct_lcb_act.c +index 173c3070e..e1a7c3d26 100644 +--- a/stack/avct/avct_lcb_act.c ++++ b/stack/avct/avct_lcb_act.c +@@ -92,13 +92,20 @@ static BT_HDR *avct_lcb_msg_asmbl(tAVCT_LCB *p_lcb, BT_HDR *p_buf) + if (p_lcb->p_rx_msg != NULL) + AVCT_TRACE_WARNING("Got start during reassembly"); + +- osi_free(p_lcb->p_rx_msg); ++ osi_free_and_reset((void**)&p_lcb->p_rx_msg); + + /* + * Allocate bigger buffer for reassembly. As lower layers are + * not aware of possible packet size after reassembly, they + * would have allocated smaller buffer. 
+ */ ++ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) ++ { ++ android_errorWriteLog(0x534e4554, "232023771"); ++ osi_free(p_buf); ++ p_ret = NULL; ++ return p_ret; ++ } + p_lcb->p_rx_msg = (BT_HDR *)osi_malloc(BT_DEFAULT_BUFFER_SIZE); + memcpy(p_lcb->p_rx_msg, p_buf, + sizeof(BT_HDR) + p_buf->offset + p_buf->len); +diff --git a/stack/avdt/avdt_msg.c b/stack/avdt/avdt_msg.c +index 65d4485e7..acda49858 100644 +--- a/stack/avdt/avdt_msg.c ++++ b/stack/avdt/avdt_msg.c +@@ -1410,12 +1410,14 @@ BT_HDR *avdt_msg_asmbl(tAVDT_CCB *p_ccb, BT_HDR *p_buf) + * not aware of possible packet size after reassembly, they + * would have allocated smaller buffer. + */ +- p_ccb->p_rx_msg = (BT_HDR *)osi_malloc(BT_DEFAULT_BUFFER_SIZE); + if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) + { + android_errorWriteLog(0x534e4554, "232023771"); +- return NULL; ++ osi_free(p_buf); ++ p_ret = NULL; ++ return p_ret; + } ++ p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE); + memcpy(p_ccb->p_rx_msg, p_buf, + sizeof(BT_HDR) + p_buf->offset + p_buf->len); + diff --git a/Patches/LineageOS-14.1/android_system_bt/345531.patch b/Patches/LineageOS-14.1/android_system_bt/345531.patch new file mode 100644 index 00000000..ee2eb968 --- /dev/null +++ b/Patches/LineageOS-14.1/android_system_bt/345531.patch 
@@ -0,0 +1,58 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Keith Mok +Date: Mon, 22 Aug 2022 19:44:10 +0000 +Subject: [PATCH] Fix integer overflow when parsing avrc response + +Convert min_len from 16 bits to 32 bits to avoid +length checking overflow. +Also, use calloc instead of malloc for list allocation +since caller need to clean up string memory in the list items + +Bug: 242459126 +Test: fuzz_avrc +Tag: #security +Ignore-AOSP-First: Security +Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4 +Change-Id: I7250509f2b320774926a8b24fd28828c5217d8a4 +(cherry picked from commit a593687d6ad3978f48e2aa7be57d8239acdfa501) +Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4 +--- + stack/avdt/avdt_scb_act.c | 2 +- + stack/avrc/avrc_pars_ct.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/stack/avdt/avdt_scb_act.c b/stack/avdt/avdt_scb_act.c +index d7cf791cc..f61abd626 100644 +--- a/stack/avdt/avdt_scb_act.c ++++ b/stack/avdt/avdt_scb_act.c +@@ -363,7 +363,7 @@ UINT8 * avdt_scb_hdl_report(tAVDT_SCB *p_scb, UINT8 *p, UINT16 len) + UINT8 *p_start = p; + UINT32 ssrc; + UINT8 o_v, o_p, o_cc; +- UINT16 min_len = 0; ++ UINT32 min_len = 0; + AVDT_REPORT_TYPE pt; + tAVDT_REPORT_DATA report, *p_rpt; + +diff --git a/stack/avrc/avrc_pars_ct.c b/stack/avrc/avrc_pars_ct.c +index fc94424ba..b43fd5f55 100644 +--- a/stack/avrc/avrc_pars_ct.c ++++ b/stack/avrc/avrc_pars_ct.c +@@ -148,7 +148,7 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR *p_msg, tAVRC_RESPONSE *p + + tAVRC_STS avrc_parse_notification_rsp(UINT8* p_stream, UINT16 len, + tAVRC_REG_NOTIF_RSP* p_rsp) { +- UINT16 min_len = 1; ++ UINT32 min_len = 1; + + if (len < min_len) goto length_error; + BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream); +@@ -241,7 +241,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( + p++; /* skip the reserved/packe_type byte */ + + UINT16 len; +- UINT16 min_len = 0; ++ UINT32 min_len = 0; + BE_STREAM_TO_UINT16 (len, p); + 
AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d vendor_len=0x%x", __func__, + p_msg->hdr.ctype, p_result->pdu, len, p_msg->vendor_len); diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index c39211b1..81cbf8fc 100644 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh @@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk; awk -i inplace '!/Email/' target/product/core.mk; #Remove Email awk -i inplace '!/Exchange2/' target/product/core.mk; -sed -i 's/2021-06-05/2022-11-05/' core/version_defaults.mk; #Bump Security String #n-asb-2022-11 #XXX +sed -i 's/2021-06-05/2022-12-05/' core/version_defaults.mk; #Bump Security String #n-asb-2022-12 #XXX fi; if enterAndClear "device/qcom/sepolicy"; then 
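Review bot: The commit message says the change also replaces malloc with calloc for the list allocation so that callers can free the string members, but the diffstat (3 insertions, 3 deletions across avdt_scb_act.c and avrc_pars_ct.c) and the three hunks contain only the `UINT16` to `UINT32` widenings of `min_len`. If the 14.1 copy of avrc_pars_ct.c still has that list allocation, this part of the upstream fix is missing from the backport and should be checked; if it does not apply to 14.1, a one-line note below the `---` separator of the patch file, such as `# calloc change from upstream not applicable to 14.1`, would save the next reader the same check. Each of the three enclosing functions starts or ends outside its hunk, so whether the widened `min_len` is the only operand of the affected length comparisons cannot be confirmed from here.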
@@ -167,6 +167,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/343957.patch"; #n-asb-2022-11 C
 applyPatch "$DOS_PATCHES/android_frameworks_base/344188.patch"; #n-asb-2022-11 Do not send new Intent to non-exported activity when navigateUpTo
 applyPatch "$DOS_PATCHES/android_frameworks_base/344189.patch"; #n-asb-2022-11 Move accountname and typeName length check from Account.java to AccountManagerService.
 applyPatch "$DOS_PATCHES/android_frameworks_base/344217.patch"; #n-asb-2022-11 Do not dismiss keyguard after SIM PUK unlock
+applyPatch "$DOS_PATCHES/android_frameworks_base/345519.patch"; #n-asb-2022-12 Validate package name passed to setApplicationRestrictions.
+applyPatch "$DOS_PATCHES/android_frameworks_base/345520.patch"; #n-asb-2022-12 Ignore malformed shortcuts
+applyPatch "$DOS_PATCHES/android_frameworks_base/345521.patch"; #n-asb-2022-12 Fix permanent denial of service via setComponentEnabledSetting
+applyPatch "$DOS_PATCHES/android_frameworks_base/345522.patch"; #n-asb-2022-12 Add safety checks on KEY_INTENT mismatch.
 git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
 applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@@ -183,6 +187,11 @@ rm -rf packages/Osu; #Automatic Wi-Fi connection non-sense
 rm -rf packages/PrintRecommendationService; #Creates popups to install proprietary print apps
 fi;
 
+if enterAndClear "frameworks/minikin"; then
+applyPatch "$DOS_PATCHES/android_frameworks_minikin/345523.patch"; #n-asb-2022-12 Fix OOB read for registerLocaleList
+applyPatch "$DOS_PATCHES/android_frameworks_minikin/345524.patch"; #n-asb-2022-12 Fix OOB crash for registerLocaleList
+fi;
+
 if enterAndClear "frameworks/native"; then
 applyPatch "$DOS_PATCHES/android_frameworks_native/315714.patch"; #n-asb-2021-09 Do not modify vector after getting references
 applyPatch "$DOS_PATCHES/android_frameworks_native/325993.patch"; #n-asb-2022-03 Check if the window is partially obscured for slippery enters
@@ -276,6 +285,7 @@ fi;
 if enterAndClear "packages/apps/Bluetooth"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332451.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332452.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345525.patch"; #n-asb-2022-12 Fix URI check in BluetoothOppUtility.java
 fi;
 
 if enterAndClear "packages/apps/Contacts"; then
@@ -323,6 +333,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/327099.patch"; #n-asb-20
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334037.patch"; #n-asb-2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334874.patch"; #n-asb-2022-08 Verify ringtone from ringtone picker is audio
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334875.patch"; #n-asb-2022-08 Fix Settings crash when setting a null ringtone
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345679.patch"; #n-asb-2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
 git revert --no-edit 2ebe6058c546194a301c1fd22963d6be4adbf961; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/201113.patch"; #wifi: Add world regulatory domain country code (syphyr)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
@@ -362,6 +373,7 @@ fi;
 if enterAndClear "packages/services/Telecomm"; then
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332456.patch"; #n-asb-2022-06 limit TelecomManager#registerPhoneAccount to 10
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/343953.patch"; #n-asb-2022-11 Switch TelecomManager List getters to ParceledListSlice
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/345526.patch"; #n-asb-2022-12 Hide overlay windows when showing phone account enable/disable screen.
 fi;
 
 if enterAndClear "packages/services/Telephony"; then
@@ -398,6 +410,11 @@ applyPatch "$DOS_PATCHES/android_system_bt/338000.patch"; #n-asb-2022-09 Fix OOB
 applyPatch "$DOS_PATCHES/android_system_bt/341070.patch"; #n-asb-2022-10 Fix potential interger overflow when parsing vendor response
 applyPatch "$DOS_PATCHES/android_system_bt/343958.patch"; #n-asb-2022-11 Add buffer in pin_reply in bluetooth.cc
 applyPatch "$DOS_PATCHES/android_system_bt/343959.patch"; #n-asb-2022-11 Add negative length check in process_service_search_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/345527.patch"; #n-asb-2022-12 Add length check when copy AVDTP packet
+applyPatch "$DOS_PATCHES/android_system_bt/345528.patch"; #n-asb-2022-12 Added max buffer length check
+applyPatch "$DOS_PATCHES/android_system_bt/345529.patch"; #n-asb-2022-12 Add missing increment in bnep_api.cc
+applyPatch "$DOS_PATCHES/android_system_bt/345530.patch"; #n-asb-2022-12 Add length check when copy AVDT and AVCT packet
+applyPatch "$DOS_PATCHES/android_system_bt/345531.patch"; #n-asb-2022-12 Fix integer overflow when parsing avrc response
 applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)
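Review bot: The comment on the new 345530 line describes only the length check, while that patch's own description earlier in this commit says it also fixes the memory leak left by the previous AVDT length-check fix, which appears to be the 345527 line added just above; the two lines are therefore order-dependent and neither should be dropped or reverted alone. Suggest saying so in the comment, e.g. `applyPatch "$DOS_PATCHES/android_system_bt/345530.patch"; #n-asb-2022-12 Add length check when copy AVDT and AVCT packet (also fixes leak in 345527's early return)`. The same patch descriptions note that the 14.1 variants return via `p_ret = NULL` rather than a bare `return NULL`, so the applied order 345527 then 345530 must be kept for the second patch to apply cleanly.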