14.1: Import and verify picks

https://review.lineageos.org/q/topic:n-asb-2021-09 https://review.lineageos.org/q/topic:n-asb-2021-10 https://review.lineageos.org/q/topic:n-asb-2021-11 https://review.lineageos.org/q/topic:n-asb-2021-12 https://review.lineageos.org/q/topic:n-asb-2022-01 https://review.lineageos.org/q/topic:n-asb-2022-02 https://review.lineageos.org/q/topic:n-asb-2022-03 https://review.lineageos.org/q/topic:n-asb-2022-04 https://review.lineageos.org/q/topic:n-asb-2022-05 https://review.lineageos.org/q/topic:n-asb-2022-06 https://review.lineageos.org/q/topic:n-asb-2022-07 https://review.lineageos.org/q/topic:n-asb-2022-08 https://review.lineageos.org/q/topic:n-asb-2022-09 https://review.lineageos.org/q/topic:n-asb-2022-10 https://review.lineageos.org/q/topic:n-asb-2022-11 https://review.lineageos.org/q/topic:n-asb-2022-12 https://review.lineageos.org/q/topic:n-asb-2023-01 https://review.lineageos.org/q/topic:n-asb-2023-02 https://review.lineageos.org/q/topic:n-asb-2023-03 https://review.lineageos.org/q/topic:n-asb-2023-04 https://review.lineageos.org/q/topic:n-asb-2023-05 https://review.lineageos.org/q/topic:n-asb-2023-06 https://review.lineageos.org/q/topic:n-asb-2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/360899 https://review.lineageos.org/q/topic:n-asb-2023-08 https://review.lineageos.org/q/topic:n-asb-2023-09 https://review.lineageos.org/q/topic:n-asb-2023-10 https://review.lineageos.org/q/topic:n-asb-2023-11 was missing: https://review.lineageos.org/c/LineageOS/android_packages_providers_TelephonyProvider/+/376079 https://review.lineageos.org/q/topic:n-asb-2023-12 https://review.lineageos.org/q/topic:n-asb-2024-01 https://review.lineageos.org/q/topic:n-asb-2024-02 https://review.lineageos.org/q/topic:n-asb-2024-03 https://review.lineageos.org/q/topic:n-asb-2024-04 https://review.lineageos.org/q/topic:n-asb-2024-05 Signed-off-by: Tavi <tavi@divested.dev>
2024-06-26 14:42:13 +00:00 · 2024-05-07 17:45:55 -04:00 · 2024-05-07 17:45:55 -04:00 · 7162b237d3
commit 7162b237d3
parent 2d7a1ea25c
3 changed files with 543 additions and 1 deletions
--- a/Patches/LineageOS-14.1/android_external_sonivox/391896.patch
+++ b/Patches/LineageOS-14.1/android_external_sonivox/391896.patch
@ -0,0 +1,121 @@
+From 3d934a327765cdcadc1453c2a5615a83d9162d6f Mon Sep 17 00:00:00 2001
+From: Ray Essick <essick@google.com>
+Date: Wed, 14 Feb 2024 11:10:41 -0600
+Subject: [PATCH] fix buffer overrun in eas_wtengine
+
+avoid a buffer overrun in eas_wtengine.
+Check buffer limits during application of gain
+Clip calculated length in eas_wtsynth
+
+Bug: 317780080
+Test: POC with bug
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6b66e7665dbcd891ff23081c13ab0b1637bb1dda)
+backporting fix from main
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f9d489385ecb04bbfe06f92d6fb03a69d2734fad)
+Merged-In: I3609d6a36d89b26ae7eb3ae84cbe7772f6c3bee0
+Change-Id: I3609d6a36d89b26ae7eb3ae84cbe7772f6c3bee0
+---
+ arm-wt-22k/lib_src/eas_wtengine.c | 24 ++++++++++++++++++++++++
+ arm-wt-22k/lib_src/eas_wtsynth.c  | 12 +++++++++++-
+ 2 files changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/arm-wt-22k/lib_src/eas_wtengine.c b/arm-wt-22k/lib_src/eas_wtengine.c
+index 68a0400..fd57672 100644
+--- a/arm-wt-22k/lib_src/eas_wtengine.c
+++ b/arm-wt-22k/lib_src/eas_wtengine.c
+@@ -95,6 +95,10 @@ void WT_VoiceGain (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
+         ALOGE("b/26366256");
+         android_errorWriteLog(0x534e4554, "26366256");
+         return;
+    } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+        ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+        android_errorWriteLog(0x534e4554, "317780080");
+        numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
+     }
+     pMixBuffer = pWTIntFrame->pMixBuffer;
+     pInputBuffer = pWTIntFrame->pAudioBuffer;
+@@ -194,6 +198,10 @@ void WT_Interpolate (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
+         ALOGE("b/26366256");
+         android_errorWriteLog(0x534e4554, "26366256");
+         return;
+    } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+        ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+        android_errorWriteLog(0x534e4554, "317780080");
+        numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
+     }
+     pOutputBuffer = pWTIntFrame->pAudioBuffer;
+ 
+@@ -293,6 +301,10 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
+         ALOGE("b/26366256");
+         android_errorWriteLog(0x534e4554, "26366256");
+         return;
+    } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+        ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+        android_errorWriteLog(0x534e4554, "317780080");
+        numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
+     }
+     pOutputBuffer = pWTIntFrame->pAudioBuffer;
+ 
+@@ -393,6 +405,10 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame)
+         ALOGE("b/26366256");
+         android_errorWriteLog(0x534e4554, "26366256");
+         return;
+    } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+        ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+        android_errorWriteLog(0x534e4554, "317780080");
+        numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
+     }
+     pAudioBuffer = pWTIntFrame->pAudioBuffer;
+ 
+@@ -461,6 +477,10 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame)
+         ALOGE("b/26366256");
+         android_errorWriteLog(0x534e4554, "26366256");
+         return;
+    } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+        ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+        android_errorWriteLog(0x534e4554, "317780080");
+        numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
+     }
+     pOutputBuffer = pWTIntFrame->pAudioBuffer;
+     phaseInc = pWTIntFrame->frame.phaseIncrement;
+@@ -609,6 +629,10 @@ void WT_InterpolateMono (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
+         ALOGE("b/26366256");
+         android_errorWriteLog(0x534e4554, "26366256");
+         return;
+    } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+        ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+        android_errorWriteLog(0x534e4554, "317780080");
+        numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
+     }
+     pMixBuffer = pWTIntFrame->pMixBuffer;
+ 
+diff --git a/arm-wt-22k/lib_src/eas_wtsynth.c b/arm-wt-22k/lib_src/eas_wtsynth.c
+index 8488fe2..cc8990f 100644
+--- a/arm-wt-22k/lib_src/eas_wtsynth.c
+++ b/arm-wt-22k/lib_src/eas_wtsynth.c
+@@ -467,7 +467,12 @@ EAS_BOOL WT_CheckSampleEnd (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame, E
+         /*lint -e{703} use shift for performance */
+         numSamples = (EAS_I32) ((numSamples << NUM_PHASE_FRAC_BITS) - pWTVoice->phaseFrac);
+         if (pWTIntFrame->frame.phaseIncrement) {
+-            pWTIntFrame->numSamples = 1 + (numSamples / pWTIntFrame->frame.phaseIncrement);
+            EAS_I32 oldMethod = 1 + (numSamples / pWTIntFrame->frame.phaseIncrement);
+            pWTIntFrame->numSamples =
+                (numSamples + pWTIntFrame->frame.phaseIncrement - 1) / pWTIntFrame->frame.phaseIncrement;
+            if (oldMethod != pWTIntFrame->numSamples) {
+                ALOGE("b/317780080 old %ld new %ld", oldMethod, pWTIntFrame->numSamples);
+            }
+         } else {
+             pWTIntFrame->numSamples = numSamples;
+         }
+@@ -475,6 +480,11 @@ EAS_BOOL WT_CheckSampleEnd (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame, E
+             ALOGE("b/26366256");
+             android_errorWriteLog(0x534e4554, "26366256");
+             pWTIntFrame->numSamples = 0;
+        } else if (pWTIntFrame->numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+            ALOGE("b/317780080 clip numSamples %ld -> %d",
+                  pWTIntFrame->numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+            android_errorWriteLog(0x534e4554, "317780080");
+            pWTIntFrame->numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
+         }
+ 
+         /* sound will be done this frame */
--- a/Patches/LineageOS-14.1/android_packages_providers_TelephonyProvider/376079.patch
+++ b/Patches/LineageOS-14.1/android_packages_providers_TelephonyProvider/376079.patch
@ -0,0 +1,419 @@
+From e399bfb1393225413dd08c407930dbec02915b9a Mon Sep 17 00:00:00 2001
+From: Aishwarya Mallampati <amallampati@google.com>
+Date: Wed, 23 Aug 2023 18:30:46 +0000
+Subject: [PATCH] DO NOT MERGE Block access to sms/mms db from work profile.
+
+Bug: 289242655
+Test: Manually verified work profile cannot access personal sms by
+following steps mentioned in b/289242655#comment26
+- atest SmsProviderTest
+- atest MmsProviderTest
+- atest SmsBackupRestoreTest
+- QA performed regression testing and confirmed fix is working as intended here: b/294459052#comment30
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:950a7e5a4bf1b38e846fe00642105479efded57d)
+Merged-In: Ib1c9ec75f77e8412b53df50f5414caa0e5aaa277
+Change-Id: Ib1c9ec75f77e8412b53df50f5414caa0e5aaa277
+
+Change-Id: I7e4cf14fabb2c00e916504ce44816462a8b5215e
+---
+ .../providers/telephony/MmsProvider.java      |  36 +++++
+ .../telephony/MmsSmsDatabaseHelper.java       | 150 ++++++++++--------
+ .../providers/telephony/MmsSmsProvider.java   |  36 +++++
+ .../providers/telephony/SmsProvider.java      |  35 ++++
+ 4 files changed, 189 insertions(+), 68 deletions(-)
+
+diff --git a/src/com/android/providers/telephony/MmsProvider.java b/src/com/android/providers/telephony/MmsProvider.java
+index ba057828d..7e50535c6 100755
+--- a/src/com/android/providers/telephony/MmsProvider.java
+++ b/src/com/android/providers/telephony/MmsProvider.java
+@@ -35,6 +35,7 @@
+ import android.os.FileUtils;
+ import android.os.ParcelFileDescriptor;
+ import android.os.UserHandle;
+import android.os.UserManager;
+ import android.provider.BaseColumns;
+ import android.provider.Telephony;
+ import android.provider.Telephony.CanonicalAddressesColumns;
+@@ -161,6 +162,16 @@ private Cursor getPdus(int itemCount, int dataCount, String[] data) {
+     @Override
+     public Cursor query(Uri uri, String[] projection,
+             String selection, String[] selectionArgs, String sortOrder) {
+        Cursor emptyCursor = new MatrixCursor((projection == null) ?
+                (new String[] {}) : projection);
+        UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE);
+        if ((userManager != null) && (userManager.isManagedProfile(
+                Binder.getCallingUserHandle().getIdentifier()))) {
+            // If work profile is trying to query mms, return empty cursor.
+            Log.e(TAG, "Managed profile is not allowed to query MMS.");
+            return emptyCursor;
+        }
+
+         // First check if a restricted view of the "pdu" table should be used based on the
+         // caller's identity. Only system, phone or the default sms app can have full access
+         // of mms data. For other apps, we present a restricted view which only contains sent
+@@ -508,6 +519,15 @@ public Uri insert(Uri uri, ContentValues values) {
+         if (values != null && values.containsKey(Part._DATA)) {
+             return null;
+         }
+
+        UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE);
+        if ((userManager != null) && (userManager.isManagedProfile(
+                Binder.getCallingUserHandle().getIdentifier()))) {
+            // If work profile is trying to insert mms, return null.
+            Log.e(TAG, "Managed profile is not allowed to insert MMS.");
+            return null;
+        }
+
+         final int callerUid = Binder.getCallingUid();
+         final String callerPkg = getCallingPackage();
+         int msgBox = Mms.MESSAGE_BOX_ALL;
+@@ -787,6 +807,14 @@ private int getMessageBoxByMatch(int match) {
+     @Override
+     public int delete(Uri uri, String selection,
+             String[] selectionArgs) {
+        UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE);
+        if ((userManager != null) && (userManager.isManagedProfile(
+                Binder.getCallingUserHandle().getIdentifier()))) {
+            // If work profile is trying to delete mms, return 0.
+            Log.e(TAG, "Managed profile is not allowed to delete MMS.");
+            return 0;
+        }
+
+         int match = sURLMatcher.match(uri);
+         if (LOCAL_LOGV) {
+             Log.v(TAG, "Delete uri=" + uri + ", match=" + match);
+@@ -960,6 +988,14 @@ private static int deleteDataRows(SQLiteDatabase db, String table,
+ 
+     @Override
+     public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
+        UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE);
+        if ((userManager != null) && (userManager.isManagedProfile(
+                Binder.getCallingUserHandle().getIdentifier()))) {
+            // If work profile is trying to update mms, return 0.
+            Log.e(TAG, "Managed profile is not allowed to update MMS.");
+            return 0;
+        }
+
+         // The _data column is filled internally in MmsProvider, so this check is just to avoid
+         // it from being inadvertently set. This is not supposed to be a protection against
+         // malicious attack, since sql injection could still be attempted to bypass the check. On
+diff --git a/src/com/android/providers/telephony/MmsSmsDatabaseHelper.java b/src/com/android/providers/telephony/MmsSmsDatabaseHelper.java
+index 9e5715dd6..64cc50cd0 100644
+--- a/src/com/android/providers/telephony/MmsSmsDatabaseHelper.java
+++ b/src/com/android/providers/telephony/MmsSmsDatabaseHelper.java
+@@ -636,78 +636,92 @@ private void createThreadIdIndex(SQLiteDatabase db) {
+         }
+     }
+ 
+    public static String CREATE_ADDR_TABLE_STR =
+            "CREATE TABLE " + MmsProvider.TABLE_ADDR + " (" +
+                    Addr._ID + " INTEGER PRIMARY KEY," +
+                    Addr.MSG_ID + " INTEGER," +
+                    Addr.CONTACT_ID + " INTEGER," +
+                    Addr.ADDRESS + " TEXT," +
+                    Addr.TYPE + " INTEGER," +
+                    Addr.CHARSET + " INTEGER);";
+
+    public static String CREATE_PART_TABLE_STR =
+            "CREATE TABLE " + MmsProvider.TABLE_PART + " (" +
+                    Part._ID + " INTEGER PRIMARY KEY AUTOINCREMENT," +
+                    Part.MSG_ID + " INTEGER," +
+                    Part.SEQ + " INTEGER DEFAULT 0," +
+                    Part.CONTENT_TYPE + " TEXT," +
+                    Part.NAME + " TEXT," +
+                    Part.CHARSET + " INTEGER," +
+                    Part.CONTENT_DISPOSITION + " TEXT," +
+                    Part.FILENAME + " TEXT," +
+                    Part.CONTENT_ID + " TEXT," +
+                    Part.CONTENT_LOCATION + " TEXT," +
+                    Part.CT_START + " INTEGER," +
+                    Part.CT_TYPE + " TEXT," +
+                    Part._DATA + " TEXT," +
+                    Part.TEXT + " TEXT);";
+
+    public static String CREATE_PDU_TABLE_STR =
+            "CREATE TABLE " + MmsProvider.TABLE_PDU + " (" +
+                    Mms._ID + " INTEGER PRIMARY KEY AUTOINCREMENT," +
+                    Mms.THREAD_ID + " INTEGER," +
+                    Mms.DATE + " INTEGER," +
+                    Mms.DATE_SENT + " INTEGER DEFAULT 0," +
+                    Mms.MESSAGE_BOX + " INTEGER," +
+                    Mms.READ + " INTEGER DEFAULT 0," +
+                    Mms.MESSAGE_ID + " TEXT," +
+                    Mms.SUBJECT + " TEXT," +
+                    Mms.SUBJECT_CHARSET + " INTEGER," +
+                    Mms.CONTENT_TYPE + " TEXT," +
+                    Mms.CONTENT_LOCATION + " TEXT," +
+                    Mms.EXPIRY + " INTEGER," +
+                    Mms.MESSAGE_CLASS + " TEXT," +
+                    Mms.MESSAGE_TYPE + " INTEGER," +
+                    Mms.MMS_VERSION + " INTEGER," +
+                    Mms.MESSAGE_SIZE + " INTEGER," +
+                    Mms.PRIORITY + " INTEGER," +
+                    Mms.READ_REPORT + " INTEGER," +
+                    Mms.REPORT_ALLOWED + " INTEGER," +
+                    Mms.RESPONSE_STATUS + " INTEGER," +
+                    Mms.STATUS + " INTEGER," +
+                    Mms.TRANSACTION_ID + " TEXT," +
+                    Mms.RETRIEVE_STATUS + " INTEGER," +
+                    Mms.RETRIEVE_TEXT + " TEXT," +
+                    Mms.RETRIEVE_TEXT_CHARSET + " INTEGER," +
+                    Mms.READ_STATUS + " INTEGER," +
+                    Mms.CONTENT_CLASS + " INTEGER," +
+                    Mms.RESPONSE_TEXT + " TEXT," +
+                    Mms.DELIVERY_TIME + " INTEGER," +
+                    Mms.DELIVERY_REPORT + " INTEGER," +
+                    Mms.LOCKED + " INTEGER DEFAULT 0," +
+                    Mms.SUBSCRIPTION_ID + " INTEGER DEFAULT "
+                    + SubscriptionManager.INVALID_SUBSCRIPTION_ID + ", " +
+                    Mms.SEEN + " INTEGER DEFAULT 0," +
+                    Mms.CREATOR + " TEXT," +
+                    Mms.TEXT_ONLY + " INTEGER DEFAULT 0);";
+
+    public static String CREATE_RATE_TABLE_STR =
+            "CREATE TABLE " + MmsProvider.TABLE_RATE + " (" +
+                    Rate.SENT_TIME + " INTEGER);";
+
+    public static String CREATE_DRM_TABLE_STR =
+            "CREATE TABLE " + MmsProvider.TABLE_DRM + " (" +
+                    BaseColumns._ID + " INTEGER PRIMARY KEY," +
+                    "_data TEXT);";
+
+     private void createMmsTables(SQLiteDatabase db) {
+         // N.B.: Whenever the columns here are changed, the columns in
+         // {@ref MmsSmsProvider} must be changed to match.
+-        db.execSQL("CREATE TABLE " + MmsProvider.TABLE_PDU + " (" +
+-                   Mms._ID + " INTEGER PRIMARY KEY AUTOINCREMENT," +
+-                   Mms.THREAD_ID + " INTEGER," +
+-                   Mms.DATE + " INTEGER," +
+-                   Mms.DATE_SENT + " INTEGER DEFAULT 0," +
+-                   Mms.MESSAGE_BOX + " INTEGER," +
+-                   Mms.READ + " INTEGER DEFAULT 0," +
+-                   Mms.MESSAGE_ID + " TEXT," +
+-                   Mms.SUBJECT + " TEXT," +
+-                   Mms.SUBJECT_CHARSET + " INTEGER," +
+-                   Mms.CONTENT_TYPE + " TEXT," +
+-                   Mms.CONTENT_LOCATION + " TEXT," +
+-                   Mms.EXPIRY + " INTEGER," +
+-                   Mms.MESSAGE_CLASS + " TEXT," +
+-                   Mms.MESSAGE_TYPE + " INTEGER," +
+-                   Mms.MMS_VERSION + " INTEGER," +
+-                   Mms.MESSAGE_SIZE + " INTEGER," +
+-                   Mms.PRIORITY + " INTEGER," +
+-                   Mms.READ_REPORT + " INTEGER," +
+-                   Mms.REPORT_ALLOWED + " INTEGER," +
+-                   Mms.RESPONSE_STATUS + " INTEGER," +
+-                   Mms.STATUS + " INTEGER," +
+-                   Mms.TRANSACTION_ID + " TEXT," +
+-                   Mms.RETRIEVE_STATUS + " INTEGER," +
+-                   Mms.RETRIEVE_TEXT + " TEXT," +
+-                   Mms.RETRIEVE_TEXT_CHARSET + " INTEGER," +
+-                   Mms.READ_STATUS + " INTEGER," +
+-                   Mms.CONTENT_CLASS + " INTEGER," +
+-                   Mms.RESPONSE_TEXT + " TEXT," +
+-                   Mms.DELIVERY_TIME + " INTEGER," +
+-                   Mms.DELIVERY_REPORT + " INTEGER," +
+-                   Mms.LOCKED + " INTEGER DEFAULT 0," +
+-                   Mms.SUBSCRIPTION_ID + " INTEGER DEFAULT "
+-                           + SubscriptionManager.INVALID_SUBSCRIPTION_ID + ", " +
+-                   Mms.SEEN + " INTEGER DEFAULT 0," +
+-                   Mms.CREATOR + " TEXT," +
+-                   Mms.TEXT_ONLY + " INTEGER DEFAULT 0" +
+-                   ");");
+        db.execSQL(CREATE_PDU_TABLE_STR);
+
+        db.execSQL(CREATE_ADDR_TABLE_STR);
+
+        db.execSQL(CREATE_PART_TABLE_STR);
+
+        db.execSQL(CREATE_RATE_TABLE_STR);
+ 
+-        db.execSQL("CREATE TABLE " + MmsProvider.TABLE_ADDR + " (" +
+-                   Addr._ID + " INTEGER PRIMARY KEY," +
+-                   Addr.MSG_ID + " INTEGER," +
+-                   Addr.CONTACT_ID + " INTEGER," +
+-                   Addr.ADDRESS + " TEXT," +
+-                   Addr.TYPE + " INTEGER," +
+-                   Addr.CHARSET + " INTEGER);");
+-
+-        db.execSQL("CREATE TABLE " + MmsProvider.TABLE_PART + " (" +
+-                   Part._ID + " INTEGER PRIMARY KEY AUTOINCREMENT," +
+-                   Part.MSG_ID + " INTEGER," +
+-                   Part.SEQ + " INTEGER DEFAULT 0," +
+-                   Part.CONTENT_TYPE + " TEXT," +
+-                   Part.NAME + " TEXT," +
+-                   Part.CHARSET + " INTEGER," +
+-                   Part.CONTENT_DISPOSITION + " TEXT," +
+-                   Part.FILENAME + " TEXT," +
+-                   Part.CONTENT_ID + " TEXT," +
+-                   Part.CONTENT_LOCATION + " TEXT," +
+-                   Part.CT_START + " INTEGER," +
+-                   Part.CT_TYPE + " TEXT," +
+-                   Part._DATA + " TEXT," +
+-                   Part.TEXT + " TEXT);");
+-
+-        db.execSQL("CREATE TABLE " + MmsProvider.TABLE_RATE + " (" +
+-                   Rate.SENT_TIME + " INTEGER);");
+-
+-        db.execSQL("CREATE TABLE " + MmsProvider.TABLE_DRM + " (" +
+-                   BaseColumns._ID + " INTEGER PRIMARY KEY," +
+-                   "_data TEXT);");
+        db.execSQL(CREATE_DRM_TABLE_STR);
+ 
+         // Restricted view of pdu table, only sent/received messages without wap pushes
+         db.execSQL("CREATE VIEW " + MmsProvider.VIEW_PDU_RESTRICTED + " AS " +
+diff --git a/src/com/android/providers/telephony/MmsSmsProvider.java b/src/com/android/providers/telephony/MmsSmsProvider.java
+index 7b44583e6..a9914257d 100644
+--- a/src/com/android/providers/telephony/MmsSmsProvider.java
+++ b/src/com/android/providers/telephony/MmsSmsProvider.java
+@@ -23,12 +23,14 @@
+ import android.content.UriMatcher;
+ import android.database.Cursor;
+ import android.database.DatabaseUtils;
+import android.database.MatrixCursor;
+ import android.database.sqlite.SQLiteDatabase;
+ import android.database.sqlite.SQLiteOpenHelper;
+ import android.database.sqlite.SQLiteQueryBuilder;
+ import android.net.Uri;
+ import android.os.Binder;
+ import android.os.UserHandle;
+import android.os.UserManager;
+ import android.provider.BaseColumns;
+ import android.provider.Telephony;
+ import android.provider.Telephony.CanonicalAddressesColumns;
+@@ -335,6 +337,16 @@ public boolean onCreate() {
+     @Override
+     public Cursor query(Uri uri, String[] projection,
+             String selection, String[] selectionArgs, String sortOrder) {
+        Cursor emptyCursor = new MatrixCursor((projection == null) ?
+                (new String[] {}) : projection);
+        UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE);
+        if ((userManager != null) && (userManager.isManagedProfile(
+                Binder.getCallingUserHandle().getIdentifier()))) {
+            // If work profile is trying to query mms/sms, return empty cursor.
+            Log.e(LOG_TAG, "Managed profile is not allowed to query MMS/SMS.");
+            return emptyCursor;
+        }
+
+         // First check if restricted views of the "sms" and "pdu" tables should be used based on the
+         // caller's identity. Only system, phone or the default sms app can have full access
+         // of sms/mms data. For other apps, we present a restricted view which only contains sent
+@@ -1244,6 +1256,14 @@ public String getType(Uri uri) {
+     @Override
+     public int delete(Uri uri, String selection,
+             String[] selectionArgs) {
+        UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE);
+        if ((userManager != null) && (userManager.isManagedProfile(
+                Binder.getCallingUserHandle().getIdentifier()))) {
+            // If work profile is trying to delete mms/sms, return 0.
+            Log.e(LOG_TAG, "Managed profile is not allowed to delete MMS/SMS.");
+            return 0;
+        }
+
+         SQLiteDatabase db = mOpenHelper.getWritableDatabase();
+         Context context = getContext();
+         int affectedRows = 0;
+@@ -1300,6 +1320,14 @@ private int deleteConversation(Uri uri, String selection, String[] selectionArgs
+ 
+     @Override
+     public Uri insert(Uri uri, ContentValues values) {
+        UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE);
+        if ((userManager != null) && (userManager.isManagedProfile(
+                Binder.getCallingUserHandle().getIdentifier()))) {
+            // If work profile is trying to insert mms/sms, return null.
+            Log.e(LOG_TAG, "Managed profile is not allowed to insert MMS/SMS.");
+            return null;
+        }
+
+         if (URI_MATCHER.match(uri) == URI_PENDING_MSG) {
+             SQLiteDatabase db = mOpenHelper.getWritableDatabase();
+             long rowId = db.insert(TABLE_PENDING_MSG, null, values);
+@@ -1311,6 +1339,14 @@ public Uri insert(Uri uri, ContentValues values) {
+     @Override
+     public int update(Uri uri, ContentValues values,
+             String selection, String[] selectionArgs) {
+        UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE);
+        if ((userManager != null) && (userManager.isManagedProfile(
+                Binder.getCallingUserHandle().getIdentifier()))) {
+            // If work profile is trying to update mms/sms, return 0.
+            Log.e(LOG_TAG, "Managed profile is not allowed to update MMS/SMS.");
+            return 0;
+        }
+
+         final int callerUid = Binder.getCallingUid();
+         final String callerPkg = getCallingPackage();
+         SQLiteDatabase db = mOpenHelper.getWritableDatabase();
+diff --git a/src/com/android/providers/telephony/SmsProvider.java b/src/com/android/providers/telephony/SmsProvider.java
+index 208175645..6fa858751 100644
+--- a/src/com/android/providers/telephony/SmsProvider.java
+++ b/src/com/android/providers/telephony/SmsProvider.java
+@@ -38,6 +38,7 @@
+ import android.net.Uri;
+ import android.os.Binder;
+ import android.os.UserHandle;
+import android.os.UserManager;
+ import android.provider.Contacts;
+ import android.provider.Telephony;
+ import android.provider.Telephony.MmsSms;
+@@ -146,6 +147,16 @@ public static String getSmsTable(boolean accessRestricted) {
+     @Override
+     public Cursor query(Uri url, String[] projectionIn, String selection,
+             String[] selectionArgs, String sort) {
+        Cursor emptyCursor = new MatrixCursor((projectionIn == null) ?
+                (new String[] {}) : projectionIn);
+        UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE);
+        if ((userManager != null) && (userManager.isManagedProfile(
+                Binder.getCallingUserHandle().getIdentifier()))) {
+            // If work profile is trying to query sms, return empty cursor.
+            Log.e(TAG, "Managed profile is not allowed to query SMS.");
+            return emptyCursor;
+        }
+
+         // First check if a restricted view of the "sms" table should be used based on the
+         // caller's identity. Only system, phone or the default sms app can have full access
+         // of sms data. For other apps, we present a restricted view which only contains sent
+@@ -521,6 +532,14 @@ public Uri insert(Uri url, ContentValues initialValues) {
+     }
+ 
+     private Uri insertInner(Uri url, ContentValues initialValues, int callerUid, String callerPkg) {
+        UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE);
+        if ((userManager != null) && (userManager.isManagedProfile(
+                Binder.getCallingUserHandle().getIdentifier()))) {
+            // If work profile is trying to insert sms, return null.
+            Log.e(TAG, "Managed profile is not allowed to insert SMS.");
+            return null;
+        }
+
+         ContentValues values;
+         long rowID;
+         int type = Sms.MESSAGE_TYPE_ALL;
+@@ -1050,6 +1069,14 @@ private static int charToBCD(char c) {
+ 
+     @Override
+     public int delete(Uri url, String where, String[] whereArgs) {
+        UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE);
+        if ((userManager != null) && (userManager.isManagedProfile(
+                Binder.getCallingUserHandle().getIdentifier()))) {
+            // If work profile is trying to delete sms, return 0.
+            Log.e(TAG, "Managed profile is not allowed to delete SMS.");
+            return 0;
+        }
+
+         int count;
+         int match = sURLMatcher.match(url);
+         SQLiteDatabase db = getDBOpenHelper(match).getWritableDatabase();
+@@ -1161,6 +1188,14 @@ private int deleteMessageFromIcc(String messageIndexString, int subId) {
+ 
+     @Override
+     public int update(Uri url, ContentValues values, String where, String[] whereArgs) {
+        UserManager userManager = (UserManager) getContext().getSystemService(Context.USER_SERVICE);
+        if ((userManager != null) && (userManager.isManagedProfile(
+                Binder.getCallingUserHandle().getIdentifier()))) {
+            // If work profile is trying to update sms, return 0.
+            Log.e(TAG, "Managed profile is not allowed to update SMS.");
+            return 0;
+        }
+
+         final int callerUid = Binder.getCallingUid();
+         final String callerPkg = getCallingPackage();
+         int count = 0;
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2024-04-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-04 #XXX
+sed -i 's/2021-06-05/2024-05-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-05 #XXX
 fi;

 if enterAndClear "device/qcom/sepolicy"; then
@ -143,6 +143,7 @@ fi;

 if enterAndClear "external/sonivox"; then
 applyPatch "$DOS_PATCHES/android_external_sonivox/317038.patch"; #n-asb-2021-10 Fix global buffer overflow in WT_InterpolateNoLoop
+applyPatch "$DOS_PATCHES/android_external_sonivox/391896.patch"; #n-asb-2024-05 Fix buffer overrun in eas_wtengine
 fi;

 if enterAndClear "external/sqlite"; then
@ -493,6 +494,7 @@ fi;
 if enterAndClear "packages/providers/TelephonyProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/343954.patch"; #n-asb-2022-11 Check dir path before updating permissions.
 applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/364040-backport.patch"; #R_asb_2023-08 Update file permissions using canonical path
+applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/376079.patch"; #n-asb-2023-11 Block access to sms/mms db from work profile.
 fi;

 if enterAndClear "system/bt"; then