17.1 June ASB work

Note: 358555 is prone to mismerge

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2023-06-09 22:29:55 -04:00
parent e7b390d7e6
commit 67dd049bf6
No known key found for this signature in database
GPG Key ID: B286E9F57A07424B
31 changed files with 3085 additions and 11 deletions

View File

@ -0,0 +1,75 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ray Essick <essick@google.com>
Date: Mon, 27 Mar 2023 18:16:46 -0500
Subject: [PATCH] Fix NuMediaExtractor::readSampleData buffer Handling
readSampleData() did not initialize buffer before filling it,
leading to OOB memory references. Correct and clarify the book
keeping around output buffer management.
Bug: 275418191
Test: CtsMediaExtractorTestCases w/debug messages
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:943fc12219b21d2a98f0ddc070b9b316a6f5d412)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:84c69bca81175feb2fd97ebb22e432ee41572786)
Merged-In: Ie744f118526f100d82a312c64f7c6fcf20773b6d
Change-Id: Ie744f118526f100d82a312c64f7c6fcf20773b6d
---
media/libstagefright/NuMediaExtractor.cpp | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/media/libstagefright/NuMediaExtractor.cpp b/media/libstagefright/NuMediaExtractor.cpp
index 680d426d96..ddab6d3923 100644
--- a/media/libstagefright/NuMediaExtractor.cpp
+++ b/media/libstagefright/NuMediaExtractor.cpp
@@ -595,9 +595,11 @@ status_t NuMediaExtractor::appendVorbisNumPageSamples(
numPageSamples = -1;
}
+ // insert, including accounting for the space used.
memcpy((uint8_t *)buffer->data() + mbuf->range_length(),
&numPageSamples,
sizeof(numPageSamples));
+ buffer->setRange(buffer->offset(), buffer->size() + sizeof(numPageSamples));
uint32_t type;
const void *data;
@@ -646,6 +648,8 @@ status_t NuMediaExtractor::readSampleData(const sp<ABuffer> &buffer) {
ssize_t minIndex = fetchAllTrackSamples();
+ buffer->setRange(0, 0); // start with an empty buffer
+
if (minIndex < 0) {
return ERROR_END_OF_STREAM;
}
@@ -661,25 +665,25 @@ status_t NuMediaExtractor::readSampleData(const sp<ABuffer> &buffer) {
sampleSize += sizeof(int32_t);
}
+ // capacity() is ok since we cleared out the buffer
if (buffer->capacity() < sampleSize) {
return -ENOMEM;
}
+ const size_t srclen = it->mBuffer->range_length();
const uint8_t *src =
(const uint8_t *)it->mBuffer->data()
+ it->mBuffer->range_offset();
- memcpy((uint8_t *)buffer->data(), src, it->mBuffer->range_length());
+ memcpy((uint8_t *)buffer->data(), src, srclen);
+ buffer->setRange(0, srclen);
status_t err = OK;
if (info->mTrackFlags & kIsVorbis) {
+ // adjusts range when it inserts the extra bits
err = appendVorbisNumPageSamples(it->mBuffer, buffer);
}
- if (err == OK) {
- buffer->setRange(0, sampleSize);
- }
-
return err;
}

View File

@ -21,7 +21,7 @@ Change-Id: Id75a774ce1ed109a83c6a5bf512536c643165d71
2 files changed, 170 insertions(+) 2 files changed, 170 insertions(+)
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
index 111a8c48a46c..12102a140947 100644 index 111a8c48a46c..962c4215f7b6 100644
--- a/core/java/android/net/ConnectivityManager.java --- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java +++ b/core/java/android/net/ConnectivityManager.java
@@ -757,6 +757,58 @@ public class ConnectivityManager { @@ -757,6 +757,58 @@ public class ConnectivityManager {

View File

@ -8,7 +8,7 @@ Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked
1 file changed, 8 insertions(+) 1 file changed, 8 insertions(+)
diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
index 12102a140947..21661609ff72 100644 index 962c4215f7b6..089f6b65a908 100644
--- a/core/java/android/net/ConnectivityManager.java --- a/core/java/android/net/ConnectivityManager.java
+++ b/core/java/android/net/ConnectivityManager.java +++ b/core/java/android/net/ConnectivityManager.java
@@ -17,6 +17,7 @@ package android.net; @@ -17,6 +17,7 @@ package android.net;

View File

@ -0,0 +1,35 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hongwei Wang <hwwang@google.com>
Date: Thu, 23 Feb 2023 13:23:37 -0800
Subject: [PATCH] Remove Activity if it enters PiP without window
This is to prevent malicious app entering PiP without being visible
first, like blocking onResume from completion. Which in turn
leaves the PiP window in limbo and non-interactable.
Bug: 265293293
Test: atest PinnedStackTests
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4fad1456409b79d6e649a29d5116a4fe3160bd21)
Merged-In: I458a9508662e72a1adb9d9818105f2e9d7096d44
Change-Id: I458a9508662e72a1adb9d9818105f2e9d7096d44
---
.../core/java/com/android/server/wm/ActivityRecord.java | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/services/core/java/com/android/server/wm/ActivityRecord.java b/services/core/java/com/android/server/wm/ActivityRecord.java
index 55e8e19fd278..ffd27481a280 100644
--- a/services/core/java/com/android/server/wm/ActivityRecord.java
+++ b/services/core/java/com/android/server/wm/ActivityRecord.java
@@ -781,6 +781,12 @@ final class ActivityRecord extends ConfigurationContainer {
}
schedulePictureInPictureModeChanged(newConfig);
scheduleMultiWindowModeChanged(newConfig);
+ if (inPictureInPictureMode && findMainWindow() == null) {
+ // Prevent malicious app entering PiP without valid WindowState, which can in turn
+ // result a non-touchable PiP window since the InputConsumer for PiP requires it.
+ EventLog.writeEvent(0x534e4554, "265293293", -1, "");
+ removeImmediately();
+ }
}
}

View File

@ -0,0 +1,106 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Mark Renouf <mrenouf@google.com>
Date: Wed, 22 Feb 2023 15:14:08 +0000
Subject: [PATCH] Prevent sharesheet from previewing unowned URIs
Bug: 261036568
Test: manually via supplied tool (see bug)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3062b80fb28014a7482d5fa8b2a5c852134a5845)
Merged-In: I21accf6f753d2f676f1602d6e1ce829c5ef29e9a
Change-Id: I21accf6f753d2f676f1602d6e1ce829c5ef29e9a
---
.../android/internal/app/ChooserActivity.java | 36 +++++++++++++++++--
1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/core/java/com/android/internal/app/ChooserActivity.java b/core/java/com/android/internal/app/ChooserActivity.java
index f43ff17ed7d0..2e17dce90240 100644
--- a/core/java/com/android/internal/app/ChooserActivity.java
+++ b/core/java/com/android/internal/app/ChooserActivity.java
@@ -16,6 +16,8 @@
package com.android.internal.app;
+import static android.content.ContentProvider.getUserIdFromUri;
+
import static java.lang.annotation.RetentionPolicy.SOURCE;
import android.animation.Animator;
@@ -140,6 +142,7 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
+import java.util.stream.Collectors;
/**
* The Chooser Activity handles intent resolution specifically for sharing intents -
@@ -1082,7 +1085,7 @@ public class ChooserActivity extends ResolverActivity {
ImageView previewThumbnailView = contentPreviewLayout.findViewById(
R.id.content_preview_thumbnail);
- if (previewThumbnail == null) {
+ if (!validForContentPreview(previewThumbnail)) {
previewThumbnailView.setVisibility(View.GONE);
} else {
mPreviewCoord = new ContentPreviewCoordinator(contentPreviewLayout, false);
@@ -1109,6 +1112,10 @@ public class ChooserActivity extends ResolverActivity {
String action = targetIntent.getAction();
if (Intent.ACTION_SEND.equals(action)) {
Uri uri = targetIntent.getParcelableExtra(Intent.EXTRA_STREAM);
+ if (!validForContentPreview(uri)) {
+ contentPreviewLayout.setVisibility(View.GONE);
+ return contentPreviewLayout;
+ }
mPreviewCoord.loadUriIntoView(R.id.content_preview_image_1_large, uri, 0);
} else {
ContentResolver resolver = getContentResolver();
@@ -1116,7 +1123,7 @@ public class ChooserActivity extends ResolverActivity {
List<Uri> uris = targetIntent.getParcelableArrayListExtra(Intent.EXTRA_STREAM);
List<Uri> imageUris = new ArrayList<>();
for (Uri uri : uris) {
- if (isImageType(resolver.getType(uri))) {
+ if (validForContentPreview(uri) && isImageType(resolver.getType(uri))) {
imageUris.add(uri);
}
}
@@ -1222,9 +1229,16 @@ public class ChooserActivity extends ResolverActivity {
String action = targetIntent.getAction();
if (Intent.ACTION_SEND.equals(action)) {
Uri uri = targetIntent.getParcelableExtra(Intent.EXTRA_STREAM);
+ if (!validForContentPreview(uri)) {
+ contentPreviewLayout.setVisibility(View.GONE);
+ return contentPreviewLayout;
+ }
loadFileUriIntoView(uri, contentPreviewLayout);
} else {
List<Uri> uris = targetIntent.getParcelableArrayListExtra(Intent.EXTRA_STREAM);
+ uris = uris.stream()
+ .filter(ChooserActivity::validForContentPreview)
+ .collect(Collectors.toList());
int uriCount = uris.size();
if (uriCount == 0) {
@@ -1278,6 +1292,24 @@ public class ChooserActivity extends ResolverActivity {
}
}
+ /**
+ * Indicate if the incoming content URI should be allowed.
+ *
+ * @param uri the uri to test
+ * @return true if the URI is allowed for content preview
+ */
+ private static boolean validForContentPreview(Uri uri) throws SecurityException {
+ if (uri == null) {
+ return false;
+ }
+ int userId = getUserIdFromUri(uri, UserHandle.USER_CURRENT);
+ if (userId != UserHandle.USER_CURRENT && userId != UserHandle.myUserId()) {
+ Log.e(TAG, "dropped invalid content URI belonging to user " + userId);
+ return false;
+ }
+ return true;
+ }
+
@VisibleForTesting
protected boolean isImageType(String mimeType) {
return mimeType != null && mimeType.startsWith("image/");

View File

@ -0,0 +1,167 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Lee <brnlee@google.com>
Date: Fri, 17 Feb 2023 16:05:17 -0800
Subject: [PATCH] Check key intent for selectors and prohibited flags
Bug: 265015796
Test: atest
FrameworksServicesTests: com.android.server.accounts.AccountManagerServiceTest
(cherry picked from commit e53a96304352e2965176c8d32ac1b504e52ef185)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:92114886bdce8467c52c655c186f3e7ab1e134d8)
Merged-In: Ie16f8654337bd75eaad3156817470674b4f0cee3
Change-Id: Ie16f8654337bd75eaad3156817470674b4f0cee3
---
.../accounts/AccountManagerService.java | 18 +++++++---
.../accounts/AccountManagerServiceTest.java | 36 +++++++++++++++++++
.../AccountManagerServiceTestFixtures.java | 5 ++-
.../TestAccountType1Authenticator.java | 5 +--
4 files changed, 54 insertions(+), 10 deletions(-)
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index b4edf94927b2..a9c7b0c6a3f1 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -4808,10 +4808,6 @@ public class AccountManagerService
if (intent.getClipData() == null) {
intent.setClipData(ClipData.newPlainText(null, null));
}
- intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
- | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
- | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
- | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION));
long bid = Binder.clearCallingIdentity();
try {
PackageManager pm = mContext.getPackageManager();
@@ -4858,7 +4854,19 @@ public class AccountManagerService
if (intent == null) {
return (simulateIntent == null);
}
- return intent.filterEquals(simulateIntent);
+ if (!intent.filterEquals(simulateIntent)) {
+ return false;
+ }
+
+ if (intent.getSelector() != simulateIntent.getSelector()) {
+ return false;
+ }
+
+ int prohibitedFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
+ | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+ | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
+ | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;
+ return (simulateIntent.getFlags() & prohibitedFlags) == 0;
}
private boolean isExportedSystemActivity(ActivityInfo activityInfo) {
diff --git a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
index 215f1e8e2a9e..d379e8131268 100644
--- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
+++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
@@ -18,6 +18,7 @@ package com.android.server.accounts;
import static android.database.sqlite.SQLiteDatabase.deleteDatabase;
+import static org.mockito.ArgumentMatchers.contains;
import static org.mockito.Matchers.any;
import static org.mockito.Matchers.anyBoolean;
import static org.mockito.Matchers.anyInt;
@@ -686,6 +687,41 @@ public class AccountManagerServiceTest extends AndroidTestCase {
assertNotNull(intent.getParcelableExtra(AccountManagerServiceTestFixtures.KEY_CALLBACK));
}
+ @SmallTest
+ public void testStartAddAccountSessionWhereAuthenticatorReturnsIntentWithProhibitedFlags()
+ throws Exception {
+ unlockSystemUser();
+ ResolveInfo resolveInfo = new ResolveInfo();
+ resolveInfo.activityInfo = new ActivityInfo();
+ resolveInfo.activityInfo.applicationInfo = new ApplicationInfo();
+ when(mMockPackageManager.resolveActivityAsUser(
+ any(Intent.class), anyInt(), anyInt())).thenReturn(resolveInfo);
+ when(mMockPackageManager.checkSignatures(
+ anyInt(), anyInt())).thenReturn(PackageManager.SIGNATURE_MATCH);
+
+ final CountDownLatch latch = new CountDownLatch(1);
+ Response response = new Response(latch, mMockAccountManagerResponse);
+ Bundle options = createOptionsWithAccountName(
+ AccountManagerServiceTestFixtures.ACCOUNT_NAME_INTERVENE);
+ int prohibitedFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
+ | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+ | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
+ | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;
+ options.putInt(AccountManagerServiceTestFixtures.KEY_INTENT_FLAGS, prohibitedFlags);
+
+ mAms.startAddAccountSession(
+ response, // response
+ AccountManagerServiceTestFixtures.ACCOUNT_TYPE_1, // accountType
+ "authTokenType",
+ null, // requiredFeatures
+ true, // expectActivityLaunch
+ options); // optionsIn
+ waitForLatch(latch);
+
+ verify(mMockAccountManagerResponse).onError(
+ eq(AccountManager.ERROR_CODE_INVALID_RESPONSE), contains("invalid intent"));
+ }
+
@SmallTest
public void testStartAddAccountSessionError() throws Exception {
unlockSystemUser();
diff --git a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java
index 73f30d9f9e79..b98a6a891d55 100644
--- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java
+++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java
@@ -17,9 +17,6 @@ package com.android.server.accounts;
import android.accounts.Account;
-import java.util.ArrayList;
-import java.util.List;
-
/**
* Constants shared between test AccountAuthenticators and AccountManagerServiceTest.
*/
@@ -31,6 +28,8 @@ public final class AccountManagerServiceTestFixtures {
"account_manager_service_test:account_status_token_key";
public static final String KEY_ACCOUNT_PASSWORD =
"account_manager_service_test:account_password_key";
+ public static final String KEY_INTENT_FLAGS =
+ "account_manager_service_test:intent_flags_key";
public static final String KEY_OPTIONS_BUNDLE =
"account_manager_service_test:option_bundle_key";
public static final String ACCOUNT_NAME_SUCCESS = "success_on_return@fixture.com";
diff --git a/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java b/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java
index 8106364477d9..924443e9d5cf 100644
--- a/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java
+++ b/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java
@@ -24,8 +24,6 @@ import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
-import com.android.frameworks.servicestests.R;
-
import java.util.concurrent.atomic.AtomicInteger;
/**
@@ -270,11 +268,13 @@ public class TestAccountType1Authenticator extends AbstractAccountAuthenticator
String accountName = null;
Bundle sessionBundle = null;
String password = null;
+ int intentFlags = 0;
if (options != null) {
accountName = options.getString(AccountManagerServiceTestFixtures.KEY_ACCOUNT_NAME);
sessionBundle = options.getBundle(
AccountManagerServiceTestFixtures.KEY_ACCOUNT_SESSION_BUNDLE);
password = options.getString(AccountManagerServiceTestFixtures.KEY_ACCOUNT_PASSWORD);
+ intentFlags = options.getInt(AccountManagerServiceTestFixtures.KEY_INTENT_FLAGS, 0);
}
Bundle result = new Bundle();
@@ -302,6 +302,7 @@ public class TestAccountType1Authenticator extends AbstractAccountAuthenticator
intent.putExtra(AccountManagerServiceTestFixtures.KEY_RESULT,
eventualActivityResultData);
intent.putExtra(AccountManagerServiceTestFixtures.KEY_CALLBACK, response);
+ intent.setFlags(intentFlags);
result.putParcelable(AccountManager.KEY_INTENT, intent);
} else {

View File

@ -0,0 +1,79 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Kweku Adams <kwekua@google.com>
Date: Wed, 21 Sep 2022 22:13:01 +0000
Subject: [PATCH] Handle invalid data during job loading.
Catch exceptions that may be thrown if invalid data ended up in the
persisted job file.
Bug: 246541702
Bug: 246542132
Bug: 246542285
Bug: 246542330
Test: install test app with invalid job config, start app to schedule job, then reboot device
(cherry picked from commit c98fb42b480b3beedc2d94de6110f50212c4aa0b)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df1ba00dd9f64a3ae9a9e05979dfae6a15c7e203)
Merged-In: Id0ceba345942baf21177f687b8dd85ef001c0a9e
Change-Id: Id0ceba345942baf21177f687b8dd85ef001c0a9e
---
.../java/com/android/server/job/JobStore.java | 26 ++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/services/core/java/com/android/server/job/JobStore.java b/services/core/java/com/android/server/job/JobStore.java
index 4ef37a2e484d..1f2772571e71 100644
--- a/services/core/java/com/android/server/job/JobStore.java
+++ b/services/core/java/com/android/server/job/JobStore.java
@@ -677,6 +677,10 @@ public final class JobStore {
}
} catch (XmlPullParserException | IOException e) {
Slog.wtf(TAG, "Error jobstore xml.", e);
+ } catch (Exception e) {
+ // Crashing at this point would result in a boot loop, so live with a general
+ // Exception for system stability's sake.
+ Slog.wtf(TAG, "Unexpected exception", e);
} finally {
if (mPersistInfo.countAllJobsLoaded < 0) { // Only set them once.
mPersistInfo.countAllJobsLoaded = numJobs;
@@ -807,6 +811,15 @@ public final class JobStore {
} catch (NumberFormatException e) {
Slog.d(TAG, "Error reading constraints, skipping.");
return null;
+ } catch (XmlPullParserException e) {
+ Slog.d(TAG, "Error Parser Exception.", e);
+ return null;
+ } catch (IOException e) {
+ Slog.d(TAG, "Error I/O Exception.", e);
+ return null;
+ } catch (IllegalArgumentException e) {
+ Slog.e(TAG, "Constraints contained invalid data", e);
+ return null;
}
parser.next(); // Consume </constraints>
@@ -902,8 +915,14 @@ public final class JobStore {
return null;
}
- PersistableBundle extras = PersistableBundle.restoreFromXml(parser);
- jobBuilder.setExtras(extras);
+ final PersistableBundle extras;
+ try {
+ extras = PersistableBundle.restoreFromXml(parser);
+ jobBuilder.setExtras(extras);
+ } catch (IllegalArgumentException e) {
+ Slog.e(TAG, "Persisted extras contained invalid data", e);
+ return null;
+ }
parser.nextTag(); // Consume </extras>
final JobInfo builtJob;
@@ -950,7 +969,8 @@ public final class JobStore {
return new JobInfo.Builder(jobId, cname);
}
- private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser) {
+ private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser)
+ throws XmlPullParserException, IOException {
String val;
final String netCapabilities = parser.getAttributeValue(null, "net-capabilities");

View File

@ -0,0 +1,231 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Julia Reynolds <juliacr@google.com>
Date: Tue, 7 Mar 2023 15:44:49 -0500
Subject: [PATCH] Allow filtering of services
Test: ServiceListingTest
Bug: 260570119
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:44dcb8351e61f4b3a63ec68fa5d8490501e8a823)
Merged-In: Ib4740ba401667de62fa1a33334c2c1fbee25b760
Change-Id: Ib4740ba401667de62fa1a33334c2c1fbee25b760
---
.../applications/ServiceListing.java | 19 +++-
.../applications/ServiceListingTest.java | 98 ++++++++++++++++++-
2 files changed, 113 insertions(+), 4 deletions(-)
diff --git a/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java b/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java
index 454d1dce0b2f..6ed7b5065175 100644
--- a/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java
+++ b/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java
@@ -35,6 +35,7 @@ import android.util.Slog;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
+import java.util.function.Predicate;
/**
* Class for managing services matching a given intent and requesting a given permission.
@@ -50,11 +51,13 @@ public class ServiceListing {
private final HashSet<ComponentName> mEnabledServices = new HashSet<>();
private final List<ServiceInfo> mServices = new ArrayList<>();
private final List<Callback> mCallbacks = new ArrayList<>();
+ private final Predicate mValidator;
private boolean mListening;
private ServiceListing(Context context, String tag,
- String setting, String intentAction, String permission, String noun) {
+ String setting, String intentAction, String permission, String noun,
+ Predicate validator) {
mContentResolver = context.getContentResolver();
mContext = context;
mTag = tag;
@@ -62,6 +65,7 @@ public class ServiceListing {
mIntentAction = intentAction;
mPermission = permission;
mNoun = noun;
+ mValidator = validator;
}
public void addCallback(Callback callback) {
@@ -130,7 +134,6 @@ public class ServiceListing {
new Intent(mIntentAction),
PackageManager.GET_SERVICES | PackageManager.GET_META_DATA,
user);
-
for (ResolveInfo resolveInfo : installedServices) {
ServiceInfo info = resolveInfo.serviceInfo;
@@ -141,6 +144,9 @@ public class ServiceListing {
+ mPermission);
continue;
}
+ if (mValidator != null && !mValidator.test(info)) {
+ continue;
+ }
mServices.add(info);
}
for (Callback callback : mCallbacks) {
@@ -186,6 +192,7 @@ public class ServiceListing {
private String mIntentAction;
private String mPermission;
private String mNoun;
+ private Predicate mValidator;
public Builder(Context context) {
mContext = context;
@@ -216,8 +223,14 @@ public class ServiceListing {
return this;
}
+ public Builder setValidator(Predicate<ServiceInfo> validator) {
+ mValidator = validator;
+ return this;
+ }
+
public ServiceListing build() {
- return new ServiceListing(mContext, mTag, mSetting, mIntentAction, mPermission, mNoun);
+ return new ServiceListing(mContext, mTag, mSetting, mIntentAction, mPermission, mNoun,
+ mValidator);
}
}
}
diff --git a/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java b/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java
index f7fd25b9fb7d..7ff0988c494d 100644
--- a/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java
+++ b/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java
@@ -18,20 +18,35 @@ package com.android.settingslib.applications;
import static com.google.common.truth.Truth.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyInt;
import static org.mockito.ArgumentMatchers.anyList;
import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
import android.content.ComponentName;
+import android.content.Context;
+import android.content.pm.PackageManager;
+import android.content.pm.ResolveInfo;
+import android.content.pm.ServiceInfo;
import android.provider.Settings;
+import androidx.test.core.app.ApplicationProvider;
+
+import com.google.common.collect.ImmutableList;
+
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
+import org.mockito.ArgumentCaptor;
import org.robolectric.RobolectricTestRunner;
import org.robolectric.RuntimeEnvironment;
+import java.util.List;
+
@RunWith(RobolectricTestRunner.class)
public class ServiceListingTest {
@@ -39,16 +54,97 @@ public class ServiceListingTest {
private static final String TEST_INTENT = "com.example.intent";
private ServiceListing mServiceListing;
+ private Context mContext;
+ private PackageManager mPm;
@Before
public void setUp() {
- mServiceListing = new ServiceListing.Builder(RuntimeEnvironment.application)
+ mPm = mock(PackageManager.class);
+ mContext = spy(ApplicationProvider.getApplicationContext());
+ when(mContext.getPackageManager()).thenReturn(mPm);
+
+ mServiceListing = new ServiceListing.Builder(mContext)
+ .setTag("testTag")
+ .setSetting(TEST_SETTING)
+ .setNoun("testNoun")
+ .setIntentAction(TEST_INTENT)
+ .setPermission("testPermission")
+ .build();
+ }
+
+ @Test
+ public void testValidator() {
+ ServiceInfo s1 = new ServiceInfo();
+ s1.permission = "testPermission";
+ s1.packageName = "pkg";
+ ServiceInfo s2 = new ServiceInfo();
+ s2.permission = "testPermission";
+ s2.packageName = "pkg2";
+ ResolveInfo r1 = new ResolveInfo();
+ r1.serviceInfo = s1;
+ ResolveInfo r2 = new ResolveInfo();
+ r2.serviceInfo = s2;
+
+ when(mPm.queryIntentServicesAsUser(any(), anyInt(), anyInt())).thenReturn(
+ ImmutableList.of(r1, r2));
+
+ mServiceListing = new ServiceListing.Builder(mContext)
+ .setTag("testTag")
+ .setSetting(TEST_SETTING)
+ .setNoun("testNoun")
+ .setIntentAction(TEST_INTENT)
+ .setValidator(info -> {
+ if (info.packageName.equals("pkg")) {
+ return true;
+ }
+ return false;
+ })
+ .setPermission("testPermission")
+ .build();
+ ServiceListing.Callback callback = mock(ServiceListing.Callback.class);
+ mServiceListing.addCallback(callback);
+ mServiceListing.reload();
+
+ verify(mPm).queryIntentServicesAsUser(any(), anyInt(), anyInt());
+ ArgumentCaptor<List<ServiceInfo>> captor = ArgumentCaptor.forClass(List.class);
+ verify(callback, times(1)).onServicesReloaded(captor.capture());
+
+ assertThat(captor.getValue().size()).isEqualTo(1);
+ assertThat(captor.getValue().get(0)).isEqualTo(s1);
+ }
+
+ @Test
+ public void testNoValidator() {
+ ServiceInfo s1 = new ServiceInfo();
+ s1.permission = "testPermission";
+ s1.packageName = "pkg";
+ ServiceInfo s2 = new ServiceInfo();
+ s2.permission = "testPermission";
+ s2.packageName = "pkg2";
+ ResolveInfo r1 = new ResolveInfo();
+ r1.serviceInfo = s1;
+ ResolveInfo r2 = new ResolveInfo();
+ r2.serviceInfo = s2;
+
+ when(mPm.queryIntentServicesAsUser(any(), anyInt(), anyInt())).thenReturn(
+ ImmutableList.of(r1, r2));
+
+ mServiceListing = new ServiceListing.Builder(mContext)
.setTag("testTag")
.setSetting(TEST_SETTING)
.setNoun("testNoun")
.setIntentAction(TEST_INTENT)
.setPermission("testPermission")
.build();
+ ServiceListing.Callback callback = mock(ServiceListing.Callback.class);
+ mServiceListing.addCallback(callback);
+ mServiceListing.reload();
+
+ verify(mPm).queryIntentServicesAsUser(any(), anyInt(), anyInt());
+ ArgumentCaptor<List<ServiceInfo>> captor = ArgumentCaptor.forClass(List.class);
+ verify(callback, times(1)).onServicesReloaded(captor.capture());
+
+ assertThat(captor.getValue().size()).isEqualTo(2);
}
@Test

View File

@ -0,0 +1,39 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeff DeCew <jeffdq@google.com>
Date: Fri, 24 Mar 2023 16:15:24 +0000
Subject: [PATCH] Add BubbleMetadata detection to block FSI
Bug: 274759612
Test: atest NotificationInterruptStateProviderImplTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c60e264a551df9f880fd73683321b7e821429da7)
Merged-In: I40e1aa6377b8a60d91cb2f4189df1e9a4a4578a2
Change-Id: I40e1aa6377b8a60d91cb2f4189df1e9a4a4578a2
---
.../NotificationInterruptionStateProvider.java | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/notification/NotificationInterruptionStateProvider.java b/packages/SystemUI/src/com/android/systemui/statusbar/notification/NotificationInterruptionStateProvider.java
index ff71db4dc3b5..336c65b3c7d4 100644
--- a/packages/SystemUI/src/com/android/systemui/statusbar/notification/NotificationInterruptionStateProvider.java
+++ b/packages/SystemUI/src/com/android/systemui/statusbar/notification/NotificationInterruptionStateProvider.java
@@ -461,6 +461,20 @@ public class NotificationInterruptionStateProvider {
return false;
}
+ // If the notification has suppressive BubbleMetadata, block FSI and warn.
+ Notification.BubbleMetadata bubbleMetadata = sbn.getNotification().getBubbleMetadata();
+ if (bubbleMetadata != null && bubbleMetadata.isNotificationSuppressed()) {
+ // b/274759612: Detect and report an event when a notification has both an FSI and a
+ // suppressive BubbleMetadata, and now correctly block the FSI from firing.
+ final int uid = entry.getSbn().getUid();
+ android.util.EventLog.writeEvent(0x534e4554, "274759612", uid, "bubbleMetadata");
+ if (DEBUG) {
+ Log.w(TAG, "No FullScreenIntent: WARNING: BubbleMetadata may prevent HUN: "
+ + entry.getKey());
+ }
+ return false;
+ }
+
// If the screen is off, then launch the FullScreenIntent
if (!mPowerManager.isInteractive()) {
if (DEBUG) {

View File

@ -0,0 +1,85 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Valentin Iftime <valiiftime@google.com>
Date: Wed, 22 Feb 2023 09:38:55 +0100
Subject: [PATCH] Prevent RemoteViews crashing SystemUi
Catch canvas drawing exceptions caused by unsuported image sizes.
Test: 1. Post a custom view notification with a layout
containing an ImageView that references a 5k x 5k image
2. Add an App Widget to the home screen with that has the
layout mentioned above as preview/initial layout.
Bug: 268193777
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cfc0b34432ab54e3fa472db5c43e620293f64a5d)
Merged-In: Ib3bda769c499b4069b49c566b1b227f98f707a8a
Change-Id: Ib3bda769c499b4069b49c566b1b227f98f707a8a
---
.../android/appwidget/AppWidgetHostView.java | 39 ++++++++++++++-----
1 file changed, 29 insertions(+), 10 deletions(-)
diff --git a/core/java/android/appwidget/AppWidgetHostView.java b/core/java/android/appwidget/AppWidgetHostView.java
index 85f0e2342412..eafb631216e5 100644
--- a/core/java/android/appwidget/AppWidgetHostView.java
+++ b/core/java/android/appwidget/AppWidgetHostView.java
@@ -28,6 +28,7 @@ import android.content.pm.LauncherActivityInfo;
import android.content.pm.LauncherApps;
import android.content.pm.PackageManager.NameNotFoundException;
import android.content.res.Resources;
+import android.graphics.Canvas;
import android.graphics.Color;
import android.graphics.Rect;
import android.os.Bundle;
@@ -250,19 +251,26 @@ public class AppWidgetHostView extends FrameLayout {
super.onLayout(changed, left, top, right, bottom);
} catch (final RuntimeException e) {
Log.e(TAG, "Remote provider threw runtime exception, using error view instead.", e);
- removeViewInLayout(mView);
- View child = getErrorView();
- prepareView(child);
- addViewInLayout(child, 0, child.getLayoutParams());
- measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY),
- MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY));
- child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight,
- child.getMeasuredHeight() + mPaddingTop + mPaddingBottom);
- mView = child;
- mViewMode = VIEW_MODE_ERROR;
+ handleViewError();
}
}
+ /**
+ * Remove bad view and replace with error message view
+ */
+ private void handleViewError() {
+ removeViewInLayout(mView);
+ View child = getErrorView();
+ prepareView(child);
+ addViewInLayout(child, 0, child.getLayoutParams());
+ measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY),
+ MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY));
+ child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight,
+ child.getMeasuredHeight() + mPaddingTop + mPaddingBottom);
+ mView = child;
+ mViewMode = VIEW_MODE_ERROR;
+ }
+
/**
* Provide guidance about the size of this widget to the AppWidgetManager. The widths and
* heights should correspond to the full area the AppWidgetHostView is given. Padding added by
@@ -711,4 +719,15 @@ public class AppWidgetHostView extends FrameLayout {
}
return null;
}
+
+ @Override
+ protected void dispatchDraw(Canvas canvas) {
+ try {
+ super.dispatchDraw(canvas);
+ } catch (Exception e) {
+ // Catch draw exceptions that may be caused by RemoteViews
+ Log.e(TAG, "Drawing view failed: " + e);
+ post(this::handleViewError);
+ }
+ }
}

View File

@ -0,0 +1,28 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Dementyev <dementyev@google.com>
Date: Tue, 7 Mar 2023 10:59:38 -0800
Subject: [PATCH] Convert argument to Intent in car settings
AddAccountActivity.
Bug: 265798353
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3195c559667939b458445b7e133fb4a7c76aaead)
Merged-In: I4b035fd370197b7f4838af5fb6e4d0ce27a5f3e7
Change-Id: I4b035fd370197b7f4838af5fb6e4d0ce27a5f3e7
---
src/com/android/car/settings/accounts/AddAccountActivity.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/com/android/car/settings/accounts/AddAccountActivity.java b/src/com/android/car/settings/accounts/AddAccountActivity.java
index d5ce57142..69ada037f 100644
--- a/src/com/android/car/settings/accounts/AddAccountActivity.java
+++ b/src/com/android/car/settings/accounts/AddAccountActivity.java
@@ -94,7 +94,7 @@ public class AddAccountActivity extends Activity {
intent.putExtras(addAccountOptions);
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
startActivityForResultAsUser(
- intent, ADD_ACCOUNT_REQUEST, mUserHandle);
+ new Intent(intent), ADD_ACCOUNT_REQUEST, mUserHandle);
LOG.v("account added: " + result);
} catch (OperationCanceledException | IOException | AuthenticatorException e) {
LOG.v("addAccount error: " + e);

View File

@ -55,7 +55,7 @@ index b983f467df..5813bb18db 100644
<item msgid="6490061470416867723">Small</item> <item msgid="6490061470416867723">Small</item>
<item msgid="3579015730662088893">Default</item> <item msgid="3579015730662088893">Default</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml diff --git a/res/values/strings.xml b/res/values/strings.xml
index 2180ea45f6..eeee1c039f 100644 index f6e3b0f62d..8f4a3c6115 100644
--- a/res/values/strings.xml --- a/res/values/strings.xml
+++ b/res/values/strings.xml +++ b/res/values/strings.xml
@@ -810,6 +810,9 @@ @@ -810,6 +810,9 @@

View File

@ -67,7 +67,7 @@ index 5813bb18db..40d01907a4 100644
<string-array name="screen_timeout_entries"> <string-array name="screen_timeout_entries">
<item>15 seconds</item> <item>15 seconds</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml diff --git a/res/values/strings.xml b/res/values/strings.xml
index eeee1c039f..c5287c4489 100644 index 8f4a3c6115..ef517e8503 100644
--- a/res/values/strings.xml --- a/res/values/strings.xml
+++ b/res/values/strings.xml +++ b/res/values/strings.xml
@@ -25,6 +25,25 @@ @@ -25,6 +25,25 @@

View File

@ -67,7 +67,7 @@ index 40d01907a4..0a9a9a31e8 100644
<string-array name="screen_timeout_entries"> <string-array name="screen_timeout_entries">
<item>15 seconds</item> <item>15 seconds</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml diff --git a/res/values/strings.xml b/res/values/strings.xml
index c5287c4489..0f254706ff 100644 index ef517e8503..228d9570dd 100644
--- a/res/values/strings.xml --- a/res/values/strings.xml
+++ b/res/values/strings.xml +++ b/res/values/strings.xml
@@ -44,6 +44,25 @@ @@ -44,6 +44,25 @@

View File

@ -12,7 +12,7 @@ Subject: [PATCH] add native debugging setting
create mode 100644 src/com/android/settings/security/NativeDebugPreferenceController.java create mode 100644 src/com/android/settings/security/NativeDebugPreferenceController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml diff --git a/res/values/strings.xml b/res/values/strings.xml
index 0f254706ff..fcac812417 100644 index 228d9570dd..d965a63b0d 100644
--- a/res/values/strings.xml --- a/res/values/strings.xml
+++ b/res/values/strings.xml +++ b/res/values/strings.xml
@@ -11316,6 +11316,9 @@ @@ -11316,6 +11316,9 @@

View File

@ -12,7 +12,7 @@ Subject: [PATCH] add exec spawning toggle
create mode 100644 src/com/android/settings/security/ExecSpawnPreferenceController.java create mode 100644 src/com/android/settings/security/ExecSpawnPreferenceController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml diff --git a/res/values/strings.xml b/res/values/strings.xml
index fcac812417..197882d66e 100644 index d965a63b0d..e7dcf62ddc 100644
--- a/res/values/strings.xml --- a/res/values/strings.xml
+++ b/res/values/strings.xml +++ b/res/values/strings.xml
@@ -11316,6 +11316,8 @@ @@ -11316,6 +11316,8 @@

View File

@ -106,7 +106,7 @@ index 6d95bcc58b..072004e447 100644
<item>"18"</item> <item>"18"</item>
<item>"1"</item> <item>"1"</item>
diff --git a/res/values/strings.xml b/res/values/strings.xml diff --git a/res/values/strings.xml b/res/values/strings.xml
index 197882d66e..88bd100122 100644 index e7dcf62ddc..fedb9f3fde 100644
--- a/res/values/strings.xml --- a/res/values/strings.xml
+++ b/res/values/strings.xml +++ b/res/values/strings.xml
@@ -10942,6 +10942,8 @@ @@ -10942,6 +10942,8 @@

View File

@ -16,7 +16,7 @@ Change-Id: Ic01a142722372d9d57f52947025cd9db23e58ef4
create mode 100644 src/com/android/settings/security/HostsPreferenceController.java create mode 100644 src/com/android/settings/security/HostsPreferenceController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml diff --git a/res/values/strings.xml b/res/values/strings.xml
index 88bd100122..a64940d793 100644 index fedb9f3fde..b5dbdc7d81 100644
--- a/res/values/strings.xml --- a/res/values/strings.xml
+++ b/res/values/strings.xml +++ b/res/values/strings.xml
@@ -11327,6 +11327,9 @@ @@ -11327,6 +11327,9 @@

View File

@ -11,7 +11,7 @@ Subject: [PATCH] add a toggle for forcibly disabling SUPL
create mode 100644 src/com/android/settings/location/ForceDisableSuplPrefController.java create mode 100644 src/com/android/settings/location/ForceDisableSuplPrefController.java
diff --git a/res/values/strings.xml b/res/values/strings.xml diff --git a/res/values/strings.xml b/res/values/strings.xml
index a64940d793..f1ea003e3b 100644 index b5dbdc7d81..a5aab8e5d0 100644
--- a/res/values/strings.xml --- a/res/values/strings.xml
+++ b/res/values/strings.xml +++ b/res/values/strings.xml
@@ -11517,4 +11517,7 @@ @@ -11517,4 +11517,7 @@

View File

@ -0,0 +1,190 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Bonian Chen <bonianchen@google.com>
Date: Thu, 18 Nov 2021 10:27:34 +0800
Subject: [PATCH] Move display of VPN version into summary text
Move the display of version text within VPN into summary part of the
display, and limit the height of summary area.
Bug: 205460459
Test: install apk from b/205460459#comment3 and verify
(cherry picked from commit 144f295d7aa66bae8556ba030553a49615eab0b2)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dddd74a491a206178feb10d5ef983d5cd273504d)
Merged-In: I666b9db356feeebf04e3be688897c2d9110a5275
Change-Id: I666b9db356feeebf04e3be688897c2d9110a5275
---
res/values/strings.xml | 2 +-
res/values/styles.xml | 10 ++++
res/xml/vpn_app_management.xml | 14 ++++-
.../settings/vpn2/AppManagementFragment.java | 51 +++++++++++++++++--
4 files changed, 71 insertions(+), 6 deletions(-)
diff --git a/res/values/strings.xml b/res/values/strings.xml
index 2180ea45f6..f6e3b0f62d 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -6613,7 +6613,7 @@
<!-- Button label to disconnect from a VPN profile. [CHAR LIMIT=40] -->
<string name="vpn_disconnect">Disconnect</string>
<!-- Field label to show the version number for a VPN app. [CHAR LIMIT=40] -->
- <string name="vpn_version">Version <xliff:g id="version" example="3.3.0">%s</xliff:g></string>
+ <string name="vpn_version">Version</string>
<!-- Button label to forget a VPN profile [CHAR LIMIT=40] -->
<string name="vpn_forget_long">Forget VPN</string>
<!-- Dialog message title to set another VPN app to be always-on [CHAR LIMIT=40] -->
diff --git a/res/values/styles.xml b/res/values/styles.xml
index d3d3199f62..ec66bc8d1b 100644
--- a/res/values/styles.xml
+++ b/res/values/styles.xml
@@ -197,6 +197,16 @@
<item name="android:textAppearance">@android:style/TextAppearance.DeviceDefault.Small</item>
</style>
+ <style name="vpn_app_management_version_title">
+ <item name="android:textAppearance">?android:attr/textAppearanceListItem</item>
+ <item name="android:textColor">?android:attr/textColorPrimary</item>
+ </style>
+
+ <style name="vpn_app_management_version_summary">
+ <item name="android:textAppearance">?android:attr/textAppearanceListItemSecondary</item>
+ <item name="android:textColor">?android:attr/textColorSecondary</item>
+ </style>
+
<style name="TextAppearance" parent="android:TextAppearance.DeviceDefault"/>
<style name="TextAppearance.info_label">
diff --git a/res/xml/vpn_app_management.xml b/res/xml/vpn_app_management.xml
index bcaa6b0a62..adc441d846 100644
--- a/res/xml/vpn_app_management.xml
+++ b/res/xml/vpn_app_management.xml
@@ -15,14 +15,24 @@
-->
<PreferenceScreen xmlns:android="http://schemas.android.com/apk/res/android"
- xmlns:settings="http://schemas.android.com/apk/res-auto">
+ xmlns:settings="http://schemas.android.com/apk/res-auto"
+ orderingFromXml="false"
+ >
+
+ <!-- To limit the size (in height) of version Preference displayed here,
+ maximum height of TextView need to be set programmingly.
+ Therefore, this Preference got removed from here and will be added
+ dynamically through source code.
<Preference
+ android:order="0"
android:key="version"
android:textColor="?android:attr/textColorSecondary"
android:selectable="false"/>
+ -->
<com.android.settingslib.RestrictedSwitchPreference
+ android:order="10"
android:key="always_on_vpn"
android:title="@string/vpn_menu_lockdown"
android:defaultValue="false"
@@ -32,6 +42,7 @@
settings:restrictedSwitchSummary="@string/disabled_by_admin_summary_text" />
<com.android.settingslib.RestrictedSwitchPreference
+ android:order="20"
android:key="lockdown_vpn"
android:title="@string/vpn_require_connection"
android:defaultValue="false"
@@ -41,6 +52,7 @@
settings:restrictedSwitchSummary="@string/disabled_by_admin_summary_text" />
<com.android.settingslib.RestrictedPreference
+ android:order="30"
android:key="forget_vpn"
android:title="@string/vpn_forget_long"
android:icon="@drawable/ic_delete"
diff --git a/src/com/android/settings/vpn2/AppManagementFragment.java b/src/com/android/settings/vpn2/AppManagementFragment.java
index 5f4644614c..805ffb2854 100644
--- a/src/com/android/settings/vpn2/AppManagementFragment.java
+++ b/src/com/android/settings/vpn2/AppManagementFragment.java
@@ -35,11 +35,13 @@ import android.os.UserHandle;
import android.os.UserManager;
import android.text.TextUtils;
import android.util.Log;
+import android.widget.TextView;
import androidx.annotation.VisibleForTesting;
import androidx.appcompat.app.AlertDialog;
import androidx.fragment.app.DialogFragment;
import androidx.preference.Preference;
+import androidx.preference.PreferenceViewHolder;
import com.android.internal.net.VpnConfig;
import com.android.internal.util.ArrayUtils;
@@ -76,7 +78,6 @@ public class AppManagementFragment extends SettingsPreferenceFragment
private String mVpnLabel;
// UI preference
- private Preference mPreferenceVersion;
private RestrictedSwitchPreference mPreferenceAlwaysOn;
private RestrictedSwitchPreference mPreferenceLockdown;
private RestrictedPreference mPreferenceForget;
@@ -122,7 +123,6 @@ public class AppManagementFragment extends SettingsPreferenceFragment
mConnectivityService = IConnectivityManager.Stub
.asInterface(ServiceManager.getService(Context.CONNECTIVITY_SERVICE));
- mPreferenceVersion = findPreference(KEY_VERSION);
mPreferenceAlwaysOn = (RestrictedSwitchPreference) findPreference(KEY_ALWAYS_ON_VPN);
mPreferenceLockdown = (RestrictedSwitchPreference) findPreference(KEY_LOCKDOWN_VPN);
mPreferenceForget = (RestrictedPreference) findPreference(KEY_FORGET_VPN);
@@ -138,9 +138,52 @@ public class AppManagementFragment extends SettingsPreferenceFragment
boolean isInfoLoaded = loadInfo();
if (isInfoLoaded) {
- mPreferenceVersion.setTitle(
- getPrefContext().getString(R.string.vpn_version, mPackageInfo.versionName));
updateUI();
+
+ Preference version = getPreferenceScreen().findPreference(KEY_VERSION);
+ if (version != null) {
+ // Version field has been added.
+ return;
+ }
+
+ /**
+ * Create version field at runtime, and set max height on the display area.
+ *
+ * When long length of text given within version field, a large text area
+ * might be created and inconvenient to the user (User need to scroll
+ * for a long time in order to get to the Preferences after this field.)
+ */
+ version = new Preference(getPrefContext()) {
+ @Override
+ public void onBindViewHolder(PreferenceViewHolder holder) {
+ super.onBindViewHolder(holder);
+
+ TextView titleView =
+ (TextView) holder.findViewById(android.R.id.title);
+ if (titleView != null) {
+ titleView.setTextAppearance(R.style.vpn_app_management_version_title);
+ }
+
+ TextView summaryView =
+ (TextView) holder.findViewById(android.R.id.summary);
+ if (summaryView != null) {
+ summaryView.setTextAppearance(R.style.vpn_app_management_version_summary);
+
+ // Set max height in summary area.
+ int versionMaxHeight = getListView().getHeight();
+ summaryView.setMaxHeight(versionMaxHeight);
+ summaryView.setVerticalScrollBarEnabled(false);
+ summaryView.setHorizontallyScrolling(false);
+ }
+ }
+ };
+ version.setOrder(0); // Set order to 0 in order to be placed
+ // in front of other Preference(s).
+ version.setKey(KEY_VERSION); // Set key to avoid from creating multi instance.
+ version.setTitle(R.string.vpn_version);
+ version.setSummary(mPackageInfo.versionName);
+ version.setSelectable(false);
+ getPreferenceScreen().addPreference(version);
} else {
finish();
}

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,28 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Dementyev <dementyev@google.com>
Date: Tue, 7 Mar 2023 10:36:41 -0800
Subject: [PATCH] Convert argument to intent in AddAccountSettings.
Bug: 265798353
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7e8052b527434ed8660e3babdab718f7f3cd7da)
Merged-In: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a
Change-Id: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a
---
src/com/android/settings/accounts/AddAccountSettings.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/com/android/settings/accounts/AddAccountSettings.java b/src/com/android/settings/accounts/AddAccountSettings.java
index cca15c96d3..2e23e93124 100644
--- a/src/com/android/settings/accounts/AddAccountSettings.java
+++ b/src/com/android/settings/accounts/AddAccountSettings.java
@@ -102,7 +102,8 @@ public class AddAccountSettings extends Activity {
addAccountOptions.putParcelable(EXTRA_USER, mUserHandle);
intent.putExtras(addAccountOptions);
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
- startActivityForResultAsUser(intent, ADD_ACCOUNT_REQUEST, mUserHandle);
+ startActivityForResultAsUser(
+ new Intent(intent), ADD_ACCOUNT_REQUEST, mUserHandle);
} else {
setResult(RESULT_OK);
if (mPendingIntent != null) {

View File

@ -0,0 +1,27 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dmitry Dementyev <dementyev@google.com>
Date: Tue, 7 Mar 2023 10:55:07 -0800
Subject: [PATCH] Convert argument to intent in addAccount TvSettings.
Bug: 265798353
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:706edcb7532d74788f899968016b7a6273bfbcac)
Merged-In: I06a63078f55ee8169123b1dfcf1811e682e0776e
Change-Id: I06a63078f55ee8169123b1dfcf1811e682e0776e
---
.../tv/settings/accounts/AddAccountWithTypeActivity.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java b/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java
index a608bc4fa..ff71ac93b 100644
--- a/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java
+++ b/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java
@@ -52,7 +52,7 @@ public class AddAccountWithTypeActivity extends Activity {
Log.e(TAG, "Failed to retrieve add account intent from authenticator");
setResultAndFinish(Activity.RESULT_CANCELED);
} else {
- startActivityForResult(addAccountIntent, REQUEST_ADD_ACCOUNT);
+ startActivityForResult(new Intent(addAccountIntent), REQUEST_ADD_ACCOUNT);
}
} catch (IOException|AuthenticatorException|OperationCanceledException e) {
Log.e(TAG, "Failed to get add account intent: ", e);

View File

@ -0,0 +1,80 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pranav Madapurmath <pmadapurmath@google.com>
Date: Tue, 21 Mar 2023 23:28:56 +0000
Subject: [PATCH] Call Redirection: unbind service when onBind returns null
The call redirection service does not handle the corner case of
onNullBinding (occurs when onBind returns null). This vulnerability
would give the app that has the call redirection role unintentional
access to launch background activities outside the scope of a call
lifecycle.
Fixes: 273260090
Test: Unit test to ensure we unbind the service on null onBind
Test: CTS for similar assertion
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c3580d96071a7232ce11ad83848d6394b93121d8)
Merged-In: Ib9d44d239833131eb055e83801cb635e8efe0b81
Change-Id: Ib9d44d239833131eb055e83801cb635e8efe0b81
---
.../CallRedirectionProcessor.java | 13 ++++++++++
.../tests/CallRedirectionProcessorTest.java | 25 +++++++++++++++++++
2 files changed, 38 insertions(+)
diff --git a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
index 7a54118f8..9ddc4ab6c 100644
--- a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
+++ b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
@@ -151,6 +151,19 @@ public class CallRedirectionProcessor implements CallRedirectionCallback {
Log.endSession();
}
}
+
+ @Override
+ public void onNullBinding(ComponentName componentName) {
+ // Make sure we unbind the service if onBind returns null
+ Log.startSession("CRSC.oNB");
+ try {
+ synchronized (mTelecomLock) {
+ finishCallRedirection();
+ }
+ } finally {
+ Log.endSession();
+ }
+ }
}
private class CallRedirectionAdapter extends ICallRedirectionAdapter.Stub {
diff --git a/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java b/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java
index 169c56acf..44d2b8956 100644
--- a/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java
+++ b/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java
@@ -280,4 +280,29 @@ public class CallRedirectionProcessorTest extends TelecomTestCase {
eq(mPhoneAccountHandle), eq(mGatewayInfo), eq(SPEAKER_PHONE_ON), eq(VIDEO_STATE),
eq(false), eq(CallRedirectionProcessor.UI_TYPE_NO_ACTION));
}
+
+
+ @Test
+ public void testUnbindOnNullBind() throws Exception {
+ startProcessWithNoGateWayInfo();
+ // To make sure tests are not flaky, clean all the previous handler messages
+ waitForHandlerAction(mProcessor.getHandler(), HANDLER_TIMEOUT_DELAY);
+ enableUserDefinedCallRedirectionService();
+ disableCarrierCallRedirectionService();
+
+ mProcessor.performCallRedirection();
+
+ // Capture the binder
+ ArgumentCaptor<ServiceConnection> serviceConnectionCaptor = ArgumentCaptor.forClass(
+ ServiceConnection.class);
+ // Verify binding occurred
+ verify(mContext, times(1)).bindServiceAsUser(any(Intent.class),
+ serviceConnectionCaptor.capture(), anyInt(), eq(UserHandle.CURRENT));
+ // Simulate null return from onBind
+ serviceConnectionCaptor.getValue().onNullBinding(USER_DEFINED_SERVICE_TEST_COMPONENT_NAME);
+
+ // Verify service was unbound
+ verify(mContext, times(1)).
+ unbindService(any(ServiceConnection.class));
+ }
}

View File

@ -0,0 +1,107 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Tue, 11 Oct 2022 21:23:22 +0000
Subject: [PATCH] Prevent use-after-free of HID reports
BTA sends the the HID report pointer to BTIF and deallocates it immediately.
This is now prevented by providing a deep copy callback function for HID
reports when tranferring context from BTA to BTIF.
This is a backport of change Icef7a7ed1185b4283ee4fe4f812ca154d8f1b825,
already merged on T for b/227620181.
Bug: 228837201
Test: Validated against researcher POC, ran BT unit tests, played audio
manually.
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:874c495c886cd8722625756dc5fd0634b16b4f42)
Merged-In: Ib837f395883de2369207f1b3b974d6bff02dcb19
Change-Id: Ib837f395883de2369207f1b3b974d6bff02dcb19
---
btif/src/btif_hh.cc | 50 ++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 45 insertions(+), 5 deletions(-)
diff --git a/btif/src/btif_hh.cc b/btif/src/btif_hh.cc
index 650923a3c..5c57ee80c 100644
--- a/btif/src/btif_hh.cc
+++ b/btif/src/btif_hh.cc
@@ -1096,6 +1096,38 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
}
}
+/*******************************************************************************
+ *
+ * Function btif_hh_hsdata_rpt_copy_cb
+ *
+ * Description Deep copies the tBTA_HH_HSDATA structure
+ *
+ * Returns void
+ *
+ ******************************************************************************/
+
+static void btif_hh_hsdata_rpt_copy_cb(uint16_t event, char* p_dest,
+ char* p_src) {
+ tBTA_HH_HSDATA* p_dst_data = (tBTA_HH_HSDATA*)p_dest;
+ tBTA_HH_HSDATA* p_src_data = (tBTA_HH_HSDATA*)p_src;
+ BT_HDR* hdr;
+
+ if (!p_src) {
+ BTIF_TRACE_ERROR("%s: Nothing to copy", __func__);
+ return;
+ }
+
+ memcpy(p_dst_data, p_src_data, sizeof(tBTA_HH_HSDATA));
+
+ hdr = p_src_data->rsp_data.p_rpt_data;
+ if (hdr != NULL) {
+ uint8_t* p_data = ((uint8_t*)p_dst_data) + sizeof(tBTA_HH_HSDATA);
+ memcpy(p_data, hdr, BT_HDR_SIZE + hdr->offset + hdr->len);
+
+ p_dst_data->rsp_data.p_rpt_data = (BT_HDR*)p_data;
+ }
+}
+
/*******************************************************************************
*
* Function bte_hh_evt
@@ -1109,6 +1141,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) {
bt_status_t status;
int param_len = 0;
+ tBTIF_COPY_CBACK* p_copy_cback = NULL;
if (BTA_HH_ENABLE_EVT == event)
param_len = sizeof(tBTA_HH_STATUS);
@@ -1120,11 +1153,18 @@ void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) {
param_len = sizeof(tBTA_HH_CBDATA);
else if (BTA_HH_GET_DSCP_EVT == event)
param_len = sizeof(tBTA_HH_DEV_DSCP_INFO);
- else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_RPT_EVT == event) ||
- (BTA_HH_GET_IDLE_EVT == event))
+ else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_IDLE_EVT == event))
+ param_len = sizeof(tBTA_HH_HSDATA);
+ else if (BTA_HH_GET_RPT_EVT == event) {
+ BT_HDR* hdr = p_data->hs_data.rsp_data.p_rpt_data;
param_len = sizeof(tBTA_HH_HSDATA);
- else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) ||
- (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event))
+
+ if (hdr != NULL) {
+ p_copy_cback = btif_hh_hsdata_rpt_copy_cb;
+ param_len += BT_HDR_SIZE + hdr->offset + hdr->len;
+ }
+ } else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) ||
+ (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event))
param_len = sizeof(tBTA_HH_CBDATA);
else if ((BTA_HH_ADD_DEV_EVT == event) || (BTA_HH_RMV_DEV_EVT == event))
param_len = sizeof(tBTA_HH_DEV_INFO);
@@ -1133,7 +1173,7 @@ void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) {
/* switch context to btif task context (copy full union size for convenience)
*/
status = btif_transfer_context(btif_hh_upstreams_evt, (uint16_t)event,
- (char*)p_data, param_len, NULL);
+ (char*)p_data, param_len, p_copy_cback);
/* catch any failed context transfers */
ASSERTC(status == BT_STATUS_SUCCESS, "context transfer failed", status);

View File

@ -0,0 +1,141 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Tue, 21 Mar 2023 22:35:35 +0000
Subject: [PATCH] Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length
in sdpu_build_uuid_seq""
This reverts commit 487a1079078f3717fdc4665c19a45eca5b3ec5e6.
Reason for revert: Reinstate original change for QPR
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a681067af2ea4565543238db3025d749923f63ec)
Merged-In: If0528519a29dc73ff99163098da2a05592ab15d8
Change-Id: If0528519a29dc73ff99163098da2a05592ab15d8
---
stack/sdp/sdp_discovery.cc | 65 ++++++++++++++++++++++++++++++++++----
1 file changed, 58 insertions(+), 7 deletions(-)
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
index f5938e423..553e068f5 100644
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -70,10 +70,15 @@ static uint8_t* add_attr(uint8_t* p, uint8_t* p_end, tSDP_DISCOVERY_DB* p_db,
*
******************************************************************************/
static uint8_t* sdpu_build_uuid_seq(uint8_t* p_out, uint16_t num_uuids,
- Uuid* p_uuid_list) {
+ Uuid* p_uuid_list, uint16_t& bytes_left) {
uint16_t xx;
uint8_t* p_len;
+ if (bytes_left < 2) {
+ DCHECK(0) << "SDP: No space for data element header";
+ return (p_out);
+ }
+
/* First thing is the data element header */
UINT8_TO_BE_STREAM(p_out, (DATA_ELE_SEQ_DESC_TYPE << 3) | SIZE_IN_NEXT_BYTE);
@@ -81,9 +86,20 @@ static uint8_t* sdpu_build_uuid_seq(uint8_t* p_out, uint16_t num_uuids,
p_len = p_out;
p_out += 1;
+ /* Account for data element header and length */
+ bytes_left -= 2;
+
/* Now, loop through and put in all the UUID(s) */
for (xx = 0; xx < num_uuids; xx++, p_uuid_list++) {
int len = p_uuid_list->GetShortestRepresentationSize();
+
+ if (len + 1 > bytes_left) {
+ DCHECK(0) << "SDP: Too many UUIDs for internal buffer";
+ break;
+ } else {
+ bytes_left -= (len + 1);
+ }
+
if (len == Uuid::kNumBytes16) {
UINT8_TO_BE_STREAM(p_out, (UUID_DESC_TYPE << 3) | SIZE_TWO_BYTES);
UINT16_TO_BE_STREAM(p_out, p_uuid_list->As16Bit());
@@ -120,6 +136,7 @@ static void sdp_snd_service_search_req(tCONN_CB* p_ccb, uint8_t cont_len,
uint8_t *p, *p_start, *p_param_len;
BT_HDR* p_cmd = (BT_HDR*)osi_malloc(SDP_DATA_BUF_SIZE);
uint16_t param_len;
+ uint16_t bytes_left = SDP_DATA_BUF_SIZE;
/* Prepare the buffer for sending the packet to L2CAP */
p_cmd->offset = L2CAP_MIN_OFFSET;
@@ -134,13 +151,30 @@ static void sdp_snd_service_search_req(tCONN_CB* p_ccb, uint8_t cont_len,
p_param_len = p;
p += 2;
-/* Build the UID sequence. */
+ /* Account for header size, max service record count and
+ * continuation state */
+ const uint16_t base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
+ 3u + /* service search request header */
+ 2u + /* param len */
+ 3u + ((p_cont) ? cont_len : 0));
+
+ if (base_bytes > bytes_left) {
+ DCHECK(0) << "SDP: Overran SDP data buffer";
+ osi_free(p_cmd);
+ return;
+ }
+
+ bytes_left -= base_bytes;
+
+ /* Build the UID sequence. */
#if (SDP_BROWSE_PLUS == TRUE)
p = sdpu_build_uuid_seq(p, 1,
- &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]);
+ &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx],
+ bytes_left);
#else
+ /* Build the UID sequence. */
p = sdpu_build_uuid_seq(p, p_ccb->p_db->num_uuid_filters,
- p_ccb->p_db->uuid_filters);
+ p_ccb->p_db->uuid_filters, bytes_left);
#endif
/* Set max service record count */
@@ -575,6 +609,7 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
if ((cont_request_needed) || (!p_reply)) {
BT_HDR* p_msg = (BT_HDR*)osi_malloc(SDP_DATA_BUF_SIZE);
uint8_t* p;
+ uint16_t bytes_left = SDP_DATA_BUF_SIZE;
p_msg->offset = L2CAP_MIN_OFFSET;
p = p_start = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET;
@@ -588,13 +623,29 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
p_param_len = p;
p += 2;
-/* Build the UID sequence. */
+ /* Account for header size, max service record count and
+ * continuation state */
+ const uint16_t base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
+ 3u + /* service search request header */
+ 2u + /* param len */
+ 3u + /* max service record count */
+ ((p_reply) ? (*p_reply) : 0));
+
+ if (base_bytes > bytes_left) {
+ sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
+ return;
+ }
+
+ bytes_left -= base_bytes;
+
+ /* Build the UID sequence. */
#if (SDP_BROWSE_PLUS == TRUE)
p = sdpu_build_uuid_seq(p, 1,
- &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]);
+ &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx],
+ bytes_left);
#else
p = sdpu_build_uuid_seq(p, p_ccb->p_db->num_uuid_filters,
- p_ccb->p_db->uuid_filters);
+ p_ccb->p_db->uuid_filters, bytes_left);
#endif
/* Max attribute byte count */

View File

@ -0,0 +1,82 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Tue, 21 Mar 2023 22:39:16 +0000
Subject: [PATCH] Revert "Revert "Fix wrong BR/EDR link key downgrades
(P_256->P_192)""
This reverts commit d733c86cbc06ce0ec72216b9d41e172d1939c46f.
Function btm_sec_encrypt_change() is called at most places
with argument "encr_enable" treated as bool and not as per
(tHCI_ENCRYPT_MODE = 0/1/2) expected by the function. The
function has special handling for "encr_enable=1" to downgrade
the link key type for BR/EDR case. This gets executed even
when the caller/context did not mean/expect so. It appears
this handling in btm_sec_encrypt_change() is not necessary and
is removed by this commit to prevent accidental execution of it.
Test: Verified re-pairing with an iPhone works fine now
Issue Reproduction Steps:
1. Enable Bluetooth Hotspot on Android device (DUT).
2. Pair and connect an iPhone to DUT.
3. Forget this pairing on DUT.
4. On iPhone settings, click on old DUT's paired entry to connect.
5. iPhone notifies to click 'Forget Device' and try fresh pairing.
6. On iPhone, after doing 'Forget Device', discover DUT again.
7. Attempt pairing to DUT by clicking on discovered DUT entry.
Pairing will be unsuccessful.
Issue Cause:
During re-pairing, DUT is seen to downgrade
BR/EDR link key unexpectedly from link key type 0x8
(BTM_LKEY_TYPE_AUTH_COMB_P_256) to 0x5 (BTM_LKEY_TYPE_AUTH_COMB).
Log snippet (re-pairing time):
btm_sec_link_key_notification set new_encr_key_256 to 1
btif_dm_auth_cmpl_evt: Storing link key. key_type=0x8, bond_type=1
btm_sec_encrypt_change new_encr_key_256 is 1
--On DUT, HCI_Encryption_Key_Refresh_Complete event noticed---
btm_sec_encrypt_change new_encr_key_256 is 0
updated link key type to 5
btif_dm_auth_cmpl_evt: Storing link key. key_type=0x5, bond_type=1
This is a backport of the following patch: aosp/1890096
Bug: 258834033
Reason for revert: Reinstate original change for QPR
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:56891eedc68c86b40977191dad28d65ebf86a94f)
Merged-In: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6
Change-Id: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6
---
stack/btm/btm_sec.cc | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 277e01dc1..3ba1a6023 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -4035,22 +4035,6 @@ void btm_sec_encrypt_change(uint16_t handle, uint8_t status,
SMP_BR_PairWith(p_dev_rec->bd_addr);
}
}
- } else {
- // BR/EDR is successfully encrypted. Correct LK type if needed
- // (BR/EDR LK derived from LE LTK was used for encryption)
- if ((encr_enable == 1) && /* encryption is ON for SSP */
- /* LK type is for BR/EDR SC */
- (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
- p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
- if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
- p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
- else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
- p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
-
- BTM_TRACE_DEBUG("updated link key type to %d",
- p_dev_rec->link_key_type);
- btm_send_link_key_notif(p_dev_rec);
- }
}
}

View File

@ -0,0 +1,109 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Tue, 11 Oct 2022 21:23:22 +0000
Subject: [PATCH] Prevent use-after-free of HID reports
BTA sends the the HID report pointer to BTIF and deallocates it immediately.
This is now prevented by providing a deep copy callback function for HID
reports when tranferring context from BTA to BTIF.
This is a backport of change Icef7a7ed1185b4283ee4fe4f812ca154d8f1b825,
already merged on T for b/227620181.
Bug: 228837201
Test: Validated against researcher POC, ran BT unit tests, played audio
manually.
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:874c495c886cd8722625756dc5fd0634b16b4f42)
Merged-In: Ib837f395883de2369207f1b3b974d6bff02dcb19
Change-Id: Ib837f395883de2369207f1b3b974d6bff02dcb19
Change-Id: I7e94dbdf4990ce8ebb03d8ffdacd4049f16873bb
---
btif/src/btif_hh.cc | 50 ++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 45 insertions(+), 5 deletions(-)
diff --git a/btif/src/btif_hh.cc b/btif/src/btif_hh.cc
index 1b770ddb1..b5135ff2f 100644
--- a/btif/src/btif_hh.cc
+++ b/btif/src/btif_hh.cc
@@ -1127,6 +1127,38 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
}
}
+/*******************************************************************************
+ *
+ * Function btif_hh_hsdata_rpt_copy_cb
+ *
+ * Description Deep copies the tBTA_HH_HSDATA structure
+ *
+ * Returns void
+ *
+ ******************************************************************************/
+
+static void btif_hh_hsdata_rpt_copy_cb(uint16_t event, char* p_dest,
+ char* p_src) {
+ tBTA_HH_HSDATA* p_dst_data = (tBTA_HH_HSDATA*)p_dest;
+ tBTA_HH_HSDATA* p_src_data = (tBTA_HH_HSDATA*)p_src;
+ BT_HDR* hdr;
+
+ if (!p_src) {
+ BTIF_TRACE_ERROR("%s: Nothing to copy", __func__);
+ return;
+ }
+
+ memcpy(p_dst_data, p_src_data, sizeof(tBTA_HH_HSDATA));
+
+ hdr = p_src_data->rsp_data.p_rpt_data;
+ if (hdr != NULL) {
+ uint8_t* p_data = ((uint8_t*)p_dst_data) + sizeof(tBTA_HH_HSDATA);
+ memcpy(p_data, hdr, BT_HDR_SIZE + hdr->offset + hdr->len);
+
+ p_dst_data->rsp_data.p_rpt_data = (BT_HDR*)p_data;
+ }
+}
+
/*******************************************************************************
*
* Function bte_hh_evt
@@ -1140,6 +1172,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) {
bt_status_t status;
int param_len = 0;
+ tBTIF_COPY_CBACK* p_copy_cback = NULL;
if (BTA_HH_ENABLE_EVT == event)
param_len = sizeof(tBTA_HH_STATUS);
@@ -1151,11 +1184,18 @@ void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) {
param_len = sizeof(tBTA_HH_CBDATA);
else if (BTA_HH_GET_DSCP_EVT == event)
param_len = sizeof(tBTA_HH_DEV_HANDLE_DSCP_INFO);
- else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_RPT_EVT == event) ||
- (BTA_HH_GET_IDLE_EVT == event))
+ else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_IDLE_EVT == event))
+ param_len = sizeof(tBTA_HH_HSDATA);
+ else if (BTA_HH_GET_RPT_EVT == event) {
+ BT_HDR* hdr = p_data->hs_data.rsp_data.p_rpt_data;
param_len = sizeof(tBTA_HH_HSDATA);
- else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) ||
- (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event))
+
+ if (hdr != NULL) {
+ p_copy_cback = btif_hh_hsdata_rpt_copy_cb;
+ param_len += BT_HDR_SIZE + hdr->offset + hdr->len;
+ }
+ } else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) ||
+ (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event))
param_len = sizeof(tBTA_HH_CBDATA);
else if ((BTA_HH_ADD_DEV_EVT == event) || (BTA_HH_RMV_DEV_EVT == event))
param_len = sizeof(tBTA_HH_DEV_INFO);
@@ -1164,7 +1204,7 @@ void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) {
/* switch context to btif task context (copy full union size for convenience)
*/
status = btif_transfer_context(btif_hh_upstreams_evt, (uint16_t)event,
- (char*)p_data, param_len, NULL);
+ (char*)p_data, param_len, p_copy_cback);
/* catch any failed context transfers */
ASSERTC(status == BT_STATUS_SUCCESS, "context transfer failed", status);

View File

@ -0,0 +1,139 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Tue, 21 Mar 2023 22:35:08 +0000
Subject: [PATCH] Revert^2 "Validate buffer length in sdpu_build_uuid_seq"
fd2ded7341c7f867a153e86f003758808f11bfb9
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4d33899d2c0573cf351691cdf27628416621f545)
Merged-In: I40ea9f3858215f460e6dab3768e0c6d2155e4755
Change-Id: I40ea9f3858215f460e6dab3768e0c6d2155e4755
Change-Id: I41b3e52c09638f8a46a26d9527b0e114f6c8682e
---
stack/sdp/sdp_discovery.cc | 64 +++++++++++++++++++++++++++++++++-----
1 file changed, 57 insertions(+), 7 deletions(-)
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
index ebfa510f1..14713c4b1 100644
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -74,10 +74,15 @@ static uint8_t* add_attr(uint8_t* p, uint8_t* p_end, tSDP_DISCOVERY_DB* p_db,
*
******************************************************************************/
static uint8_t* sdpu_build_uuid_seq(uint8_t* p_out, uint16_t num_uuids,
- Uuid* p_uuid_list) {
+ Uuid* p_uuid_list, uint16_t& bytes_left) {
uint16_t xx;
uint8_t* p_len;
+ if (bytes_left < 2) {
+ DCHECK(0) << "SDP: No space for data element header";
+ return (p_out);
+ }
+
/* First thing is the data element header */
UINT8_TO_BE_STREAM(p_out, (DATA_ELE_SEQ_DESC_TYPE << 3) | SIZE_IN_NEXT_BYTE);
@@ -85,9 +90,20 @@ static uint8_t* sdpu_build_uuid_seq(uint8_t* p_out, uint16_t num_uuids,
p_len = p_out;
p_out += 1;
+ /* Account for data element header and length */
+ bytes_left -= 2;
+
/* Now, loop through and put in all the UUID(s) */
for (xx = 0; xx < num_uuids; xx++, p_uuid_list++) {
int len = p_uuid_list->GetShortestRepresentationSize();
+
+ if (len + 1 > bytes_left) {
+ DCHECK(0) << "SDP: Too many UUIDs for internal buffer";
+ break;
+ } else {
+ bytes_left -= (len + 1);
+ }
+
if (len == Uuid::kNumBytes16) {
UINT8_TO_BE_STREAM(p_out, (UUID_DESC_TYPE << 3) | SIZE_TWO_BYTES);
UINT16_TO_BE_STREAM(p_out, p_uuid_list->As16Bit());
@@ -124,6 +140,7 @@ static void sdp_snd_service_search_req(tCONN_CB* p_ccb, uint8_t cont_len,
uint8_t *p, *p_start, *p_param_len;
BT_HDR* p_cmd = (BT_HDR*)osi_malloc(SDP_DATA_BUF_SIZE);
uint16_t param_len;
+ uint16_t bytes_left = SDP_DATA_BUF_SIZE;
/* Prepare the buffer for sending the packet to L2CAP */
p_cmd->offset = L2CAP_MIN_OFFSET;
@@ -138,13 +155,29 @@ static void sdp_snd_service_search_req(tCONN_CB* p_ccb, uint8_t cont_len,
p_param_len = p;
p += 2;
-/* Build the UID sequence. */
+ /* Account for header size, max service record count and
+ * continuation state */
+ const uint16_t base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
+ 3u + /* service search request header */
+ 2u + /* param len */
+ 3u + ((p_cont) ? cont_len : 0));
+
+ if (base_bytes > bytes_left) {
+ DCHECK(0) << "SDP: Overran SDP data buffer";
+ osi_free(p_cmd);
+ return;
+ }
+
+ bytes_left -= base_bytes;
+
+ /* Build the UID sequence. */
#if (SDP_BROWSE_PLUS == TRUE)
p = sdpu_build_uuid_seq(p, 1,
- &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]);
+ &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx],
+ bytes_left);
#else
p = sdpu_build_uuid_seq(p, p_ccb->p_db->num_uuid_filters,
- p_ccb->p_db->uuid_filters);
+ p_ccb->p_db->uuid_filters, bytes_left);
#endif
/* Set max service record count */
@@ -635,6 +668,7 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
if ((cont_request_needed) || (!p_reply)) {
BT_HDR* p_msg = (BT_HDR*)osi_malloc(SDP_DATA_BUF_SIZE);
uint8_t* p;
+ uint16_t bytes_left = SDP_DATA_BUF_SIZE;
p_msg->offset = L2CAP_MIN_OFFSET;
p = p_start = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET;
@@ -648,13 +682,29 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
p_param_len = p;
p += 2;
-/* Build the UID sequence. */
+ /* Account for header size, max service record count and
+ * continuation state */
+ const uint16_t base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
+ 3u + /* service search request header */
+ 2u + /* param len */
+ 3u + /* max service record count */
+ ((p_reply) ? (*p_reply) : 0));
+
+ if (base_bytes > bytes_left) {
+ sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
+ return;
+ }
+
+ bytes_left -= base_bytes;
+
+ /* Build the UID sequence. */
#if (SDP_BROWSE_PLUS == TRUE)
p = sdpu_build_uuid_seq(p, 1,
- &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]);
+ &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx],
+ bytes_left);
#else
p = sdpu_build_uuid_seq(p, p_ccb->p_db->num_uuid_filters,
- p_ccb->p_db->uuid_filters);
+ p_ccb->p_db->uuid_filters, bytes_left);
#endif
/* Max attribute byte count */

View File

@ -0,0 +1,93 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Tue, 21 Mar 2023 22:39:16 +0000
Subject: [PATCH] Revert "Revert "Fix wrong BR/EDR link key downgrades
(P_256->P_192)""
This reverts commit d733c86cbc06ce0ec72216b9d41e172d1939c46f.
Function btm_sec_encrypt_change() is called at most places
with argument "encr_enable" treated as bool and not as per
(tHCI_ENCRYPT_MODE = 0/1/2) expected by the function. The
function has special handling for "encr_enable=1" to downgrade
the link key type for BR/EDR case. This gets executed even
when the caller/context did not mean/expect so. It appears
this handling in btm_sec_encrypt_change() is not necessary and
is removed by this commit to prevent accidental execution of it.
Test: Verified re-pairing with an iPhone works fine now
Issue Reproduction Steps:
1. Enable Bluetooth Hotspot on Android device (DUT).
2. Pair and connect an iPhone to DUT.
3. Forget this pairing on DUT.
4. On iPhone settings, click on old DUT's paired entry to connect.
5. iPhone notifies to click 'Forget Device' and try fresh pairing.
6. On iPhone, after doing 'Forget Device', discover DUT again.
7. Attempt pairing to DUT by clicking on discovered DUT entry.
Pairing will be unsuccessful.
Issue Cause:
During re-pairing, DUT is seen to downgrade
BR/EDR link key unexpectedly from link key type 0x8
(BTM_LKEY_TYPE_AUTH_COMB_P_256) to 0x5 (BTM_LKEY_TYPE_AUTH_COMB).
Log snippet (re-pairing time):
btm_sec_link_key_notification set new_encr_key_256 to 1
btif_dm_auth_cmpl_evt: Storing link key. key_type=0x8, bond_type=1
btm_sec_encrypt_change new_encr_key_256 is 1
--On DUT, HCI_Encryption_Key_Refresh_Complete event noticed---
btm_sec_encrypt_change new_encr_key_256 is 0
updated link key type to 5
btif_dm_auth_cmpl_evt: Storing link key. key_type=0x5, bond_type=1
This is a backport of the following patch: aosp/1890096
Bug: 258834033
Reason for revert: Reinstate original change for QPR
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:56891eedc68c86b40977191dad28d65ebf86a94f)
Merged-In: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6
Change-Id: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6
Change-Id: Ic5130971306864e5bd2a590f238175c9545a297a
---
stack/btm/btm_sec.cc | 25 -------------------------
1 file changed, 25 deletions(-)
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 2e4c0c196..40f051c0d 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -4303,31 +4303,6 @@ void btm_sec_encrypt_change(uint16_t handle, uint8_t status,
SMP_BR_PairWith(p_dev_rec->bd_addr);
}
}
- } else {
- // BR/EDR is successfully encrypted. Correct LK type if needed
- // (BR/EDR LK derived from LE LTK was used for encryption)
- if ((encr_enable == 1) && /* encryption is ON for SSP */
- /* LK type is for BR/EDR SC */
- (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
- p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
- if (p_dev_rec->sec_smp_pair_pending != BTM_SEC_SMP_PAIR_PENDING) {
- if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
- p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
- else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
- p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
-
- BTM_TRACE_DEBUG("updated link key type to %d",
- p_dev_rec->link_key_type);
- btm_send_link_key_notif(p_dev_rec);
- } else {
- BTM_TRACE_DEBUG("link key type to %d will update after SMP",
- p_dev_rec->link_key_type);
- if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
- p_dev_rec->sec_smp_pair_pending |= BTM_SEC_LINK_KEY_TYPE_UNAUTH;
- else
- p_dev_rec->sec_smp_pair_pending |= BTM_SEC_LINK_KEY_TYPE_AUTH;
- }
- }
}
}

View File

@ -97,7 +97,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
#sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
sed -i 's/2023-02-05/2023-05-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-05 #XXX sed -i 's/2023-02-05/2023-06-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-06 #XXX
fi; fi;
if enterAndClear "build/soong"; then if enterAndClear "build/soong"; then
@ -136,6 +136,10 @@ if enterAndClear "external/zlib"; then
applyPatch "$DOS_PATCHES/android_external_zlib/351107.patch"; #n-asb-2023-03 Fix a bug when getting a gzip header extra field with inflate(). applyPatch "$DOS_PATCHES/android_external_zlib/351107.patch"; #n-asb-2023-03 Fix a bug when getting a gzip header extra field with inflate().
fi; fi;
if enterAndClear "frameworks/av"; then
applyPatch "$DOS_PATCHES/android_frameworks_av/358555.patch"; #R_asb_2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
fi;
if enterAndClear "frameworks/base"; then if enterAndClear "frameworks/base"; then
applyPatch "$DOS_PATCHES/android_frameworks_base/351411-backport.patch"; #R_asb_2023-03 Move service initialization applyPatch "$DOS_PATCHES/android_frameworks_base/351411-backport.patch"; #R_asb_2023-03 Move service initialization
applyPatch "$DOS_PATCHES/android_frameworks_base/351412.patch"; #R_asb_2023-03 Stop managed profile owner granting READ_SMS applyPatch "$DOS_PATCHES/android_frameworks_base/351412.patch"; #R_asb_2023-03 Stop managed profile owner granting READ_SMS
@ -158,6 +162,13 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/355763-backport.patch"; #R_asb_
applyPatch "$DOS_PATCHES/android_frameworks_base/355765-backport.patch"; #R_asb_2023-05 Checks if AccessibilityServiceInfo is within parcelable size. applyPatch "$DOS_PATCHES/android_frameworks_base/355765-backport.patch"; #R_asb_2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
applyPatch "$DOS_PATCHES/android_frameworks_base/355766-backport.patch"; #R_asb_2023-05 Uri: check authority and scheme as part of determining URI path applyPatch "$DOS_PATCHES/android_frameworks_base/355766-backport.patch"; #R_asb_2023-05 Uri: check authority and scheme as part of determining URI path
applyPatch "$DOS_PATCHES/android_frameworks_base/355767.patch"; #R_asb_2023-05 Enforce stricter rules when registering phoneAccounts applyPatch "$DOS_PATCHES/android_frameworks_base/355767.patch"; #R_asb_2023-05 Enforce stricter rules when registering phoneAccounts
#applyPatch "$DOS_PATCHES/android_frameworks_base/358556.patch"; #R_asb_2023-06 Remove Activity if it enters PiP without window #TODO: needs backport of findMainWindow
applyPatch "$DOS_PATCHES/android_frameworks_base/358557.patch"; #R_asb_2023-06 Prevent sharesheet from previewing unowned URIs
applyPatch "$DOS_PATCHES/android_frameworks_base/358560.patch"; #R_asb_2023-06 Check key intent for selectors and prohibited flags
applyPatch "$DOS_PATCHES/android_frameworks_base/358561-backport.patch"; #R_asb_2023-06 Handle invalid data during job loading.
applyPatch "$DOS_PATCHES/android_frameworks_base/358562-backport.patch"; #R_asb_2023-06 Allow filtering of services
#applyPatch "$DOS_PATCHES/android_frameworks_base/358564-backport.patch"; #R_asb_2023-06 Add BubbleMetadata detection to block FSI #TODO: needs backport of getSbn
applyPatch "$DOS_PATCHES/android_frameworks_base/358732-backport.patch"; #n-asb-2023-06 Prevent RemoteViews crashing SystemUi
#applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
@ -297,6 +308,10 @@ if enterAndClear "packages/apps/Bluetooth"; then
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
fi; fi;
if enterAndClear "packages/apps/Car/Settings"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Car_Settings/358565-backport.patch"; #R_asb_2023-06 Convert argument to Intent in car settings AddAccountActivity.
fi;
#if enterAndClear "packages/apps/CarrierConfig"; then #if enterAndClear "packages/apps/CarrierConfig"; then
#rm -rf assets/*.xml; #rm -rf assets/*.xml;
#cp $DOS_PATCHES_COMMON/android_packages_apps_CarrierConfig/*.xml assets/; #cp $DOS_PATCHES_COMMON/android_packages_apps_CarrierConfig/*.xml assets/;
@ -337,6 +352,9 @@ git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM u
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351440-backport.patch"; #R_asb_2023-03 FRP bypass defense in the settings app applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351440-backport.patch"; #R_asb_2023-03 FRP bypass defense in the settings app
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351441.patch"; #R_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351441.patch"; #R_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/353956.patch"; #R_asb_2023-04 Only primary user is allowed to control secure nfc applyPatch "$DOS_PATCHES/android_packages_apps_Settings/353956.patch"; #R_asb_2023-04 Only primary user is allowed to control secure nfc
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358566.patch"; #R_asb_2023-06 Move display of VPN version into summary text
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358567-backport.patch"; #R_asb_2023-06 Import translations.
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358568-backport.patch"; #R_asb_2023-06 Convert argument to intent in AddAccountSettings.
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle-gos.patch"; #Add option to disable captive portal checks (GrapheneOS) #FIXME: needs work #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle-gos.patch"; #Add option to disable captive portal checks (GrapheneOS) #FIXME: needs work
@ -364,6 +382,10 @@ if enterAndClear "packages/apps/Trebuchet"; then
cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed
fi; fi;
if enterAndClear "packages/apps/TvSettings"; then
applyPatch "$DOS_PATCHES/android_packages_apps_TvSettings/358578.patch"; #R_asb_2023-06 Convert argument to intent in addAccount TvSettings.
fi;
if enterAndClear "packages/apps/Updater"; then if enterAndClear "packages/apps/Updater"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0001-Server.patch"; #Switch to our server (DivestOS) applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0001-Server.patch"; #Switch to our server (DivestOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0002-Tor_Support.patch"; #Add Tor support (DivestOS) applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0002-Tor_Support.patch"; #Add Tor support (DivestOS)
@ -396,6 +418,7 @@ if enterAndClear "packages/services/Telecomm"; then
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/353958-backport.patch"; #R_asb_2023-04 Ensure service unbind when receiving a null call screening service in onBind. applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/353958-backport.patch"; #R_asb_2023-04 Ensure service unbind when receiving a null call screening service in onBind.
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/353959.patch"; #R_asb_2023-04 Do not process content uri in call Intents applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/353959.patch"; #R_asb_2023-04 Do not process content uri in call Intents
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/355777-backport.patch"; #R_asb_2023-05 enforce stricter rules when registering phoneAccounts applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/355777-backport.patch"; #R_asb_2023-05 enforce stricter rules when registering phoneAccounts
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/358579-backport.patch"; #R_asb_2023-06 Call Redirection: unbind service when onBind returns null
fi; fi;
if enterAndClear "prebuilts/abi-dumps/vndk"; then if enterAndClear "prebuilts/abi-dumps/vndk"; then
@ -408,6 +431,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/351444.patch"; #R_asb_2023-03 Fix an
applyPatch "$DOS_PATCHES/android_system_bt/351445.patch"; #R_asb_2023-03 Fix an OOB write in SDP_AddAttribute applyPatch "$DOS_PATCHES/android_system_bt/351445.patch"; #R_asb_2023-03 Fix an OOB write in SDP_AddAttribute
applyPatch "$DOS_PATCHES/android_system_bt/353960.patch"; #R_asb_2023-04 Fix OOB access in avdt_scb_hdl_pkt_no_frag applyPatch "$DOS_PATCHES/android_system_bt/353960.patch"; #R_asb_2023-04 Fix OOB access in avdt_scb_hdl_pkt_no_frag
applyPatch "$DOS_PATCHES/android_system_bt/353961.patch"; #R_asb_2023-04 Fix an OOB bug in register_notification_rsp applyPatch "$DOS_PATCHES/android_system_bt/353961.patch"; #R_asb_2023-04 Fix an OOB bug in register_notification_rsp
applyPatch "$DOS_PATCHES/android_system_bt/358580.patch"; #R_asb_2023-06 Prevent use-after-free of HID reports
applyPatch "$DOS_PATCHES/android_system_bt/358581.patch"; #R_asb_2023-06 Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq""
applyPatch "$DOS_PATCHES/android_system_bt/358582.patch"; #R_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS) #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
#applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS) #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
@ -492,6 +518,9 @@ applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351450.patch";
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351451.patch"; #R_asb_2023-03 AVRCP: Fix potential buffer overflow applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351451.patch"; #R_asb_2023-03 AVRCP: Fix potential buffer overflow
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/353967.patch"; #R_asb_2023-04 Fix an OOB bug in register_notification_rsp applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/353967.patch"; #R_asb_2023-04 Fix an OOB bug in register_notification_rsp
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/353968.patch"; #R_asb_2023-04 AVDTP: Fix a potential overflow about the media payload offset applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/353968.patch"; #R_asb_2023-04 AVDTP: Fix a potential overflow about the media payload offset
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/358583.patch"; #R_asb_2023-06 Prevent use-after-free of HID reports
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/358584.patch"; #R_asb_2023-06 Revert^2 "Validate buffer length in sdpu_build_uuid_seq"
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/358585.patch"; #R_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
fi; fi;
# #
#END OF ROM CHANGES #END OF ROM CHANGES