19.1: July 2024 ASB work

Signed-off-by: Tavi <tavi@divested.dev>
Tavi 2024-07-14 12:24:14 -04:00
parent 236a403d12
commit 7182e4d63a
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
19 changed files with 1006 additions and 39 deletions


@ -23,7 +23,7 @@ index c33437d946d8..0526ce1ef25d 100644
<!-- Allows applications to access information about networks.
<p>Protection level: normal
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index fb0167d80fda..1aa703adee58 100644
index c3a2332e8a16..e098943661b0 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -2633,7 +2633,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {


@ -99,7 +99,7 @@ index 27c9026c863a..4a8624222ae8 100644
<string name="permlab_readCalendar">Read calendar events and details</string>
<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 1aa703adee58..b4240a3a944e 100644
index e098943661b0..534377d269b9 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -2633,7 +2633,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {


@ -8,7 +8,7 @@ Subject: [PATCH] extend special runtime permission implementation
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 917a32193409..fb0167d80fda 100644
index ab4f7821eba9..c3a2332e8a16 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -1882,7 +1882,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {


@ -20,7 +20,7 @@ Signed-off-by: Danny Lin <danny@kdrag0n.dev>
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 31babe0418b8..917a32193409 100644
index 93f9e1c2295c..ab4f7821eba9 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -1526,7 +1526,8 @@ public class PermissionManagerService extends IPermissionManager.Stub {


@ -145,7 +145,7 @@ index 6860759eea8a..a2eef62f80be 100644
OsConstants._LINUX_CAPABILITY_VERSION_3, 0);
StructCapUserData[] data;
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index 993e4e7b4b3d..c3e6e0453b50 100644
index 765901a043a0..199ab0093f55 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -29,6 +29,7 @@ import android.net.Credentials;
@ -156,7 +156,7 @@ index 993e4e7b4b3d..c3e6e0453b50 100644
import android.os.Trace;
import android.system.ErrnoException;
import android.system.Os;
@@ -247,7 +248,7 @@ class ZygoteConnection {
@@ -250,7 +251,7 @@ class ZygoteConnection {
fdsToClose[1] = zygoteFd.getInt$();
}
@ -165,7 +165,7 @@ index 993e4e7b4b3d..c3e6e0453b50 100644
|| !multipleOK || peer.getUid() != Process.SYSTEM_UID) {
// Continue using old code for now. TODO: Handle these cases in the other path.
pid = Zygote.forkAndSpecialize(parsedArgs.mUid, parsedArgs.mGid,
@@ -535,6 +536,13 @@ class ZygoteConnection {
@@ -538,6 +539,13 @@ class ZygoteConnection {
throw new IllegalStateException("WrapperInit.execApplication unexpectedly returned");
} else {
if (!isZygote) {


@ -78,10 +78,10 @@ index 6d4b8c5ea1ad..1f0ac0bd6520 100644
+ public static native void nativeHandleRuntimeFlags(int runtimeFlags);
}
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index 4573cb2c0b59..9cc90f3ac142 100644
index d4844be2b381..f58d6102257a 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -539,7 +539,7 @@ class ZygoteConnection {
@@ -542,7 +542,7 @@ class ZygoteConnection {
if (SystemProperties.getBoolean("sys.spawn.exec", false) &&
(parsedArgs.mRuntimeFlags & ApplicationInfo.FLAG_DEBUGGABLE) == 0) {
ExecInit.execApplication(parsedArgs.mNiceName, parsedArgs.mTargetSdkVersion,


@ -10,10 +10,10 @@ spawning when doing debugging.
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index c3e6e0453b50..4573cb2c0b59 100644
index 199ab0093f55..d4844be2b381 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -536,7 +536,8 @@ class ZygoteConnection {
@@ -539,7 +539,8 @@ class ZygoteConnection {
throw new IllegalStateException("WrapperInit.execApplication unexpectedly returned");
} else {
if (!isZygote) {


@ -0,0 +1,13 @@
diff --git a/core/java/android/companion/AssociationRequest.java b/core/java/android/companion/AssociationRequest.java
index bb8fa9e..6b836ad 100644
--- a/core/java/android/companion/AssociationRequest.java
+++ b/core/java/android/companion/AssociationRequest.java
@@ -148,7 +148,7 @@
/** @hide */
public void setSkipPrompt(boolean value) {
- mSkipPrompt = true;
+ mSkipPrompt = value;
}
/** @hide */
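Review bot: This new patch file starts directly at `diff --git` with no From/Subject/Bug preamble, unlike the other patch files added on this page, so the one-line change to `setSkipPrompt` cannot be traced to an upstream change or bulletin entry from the file itself. A short header naming the upstream commit or bug it was taken from would make later audits of this ASB backport easier. The setter's Javadoc is only `/** @hide */`; a one-line description such as `/** Sets whether the association prompt is skipped. @hide */` would record what the corrected assignment `mSkipPrompt = value;` is meant to control, if that reading of the field name is right.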

View File

@ -0,0 +1,82 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Bishoy Gendy <bishoygendy@google.com>
Date: Thu, 11 Apr 2024 16:37:10 +0000
Subject: [PATCH] Fix security vulnerability allowing apps to start from
background
Bug: 317048338
Test: Using the steps in b/317048338#comment12
(cherry picked from commit c5fc8ea92c0aabbb2fdccc23b743c18a8bf62e64)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df3584bb93ab89d7e174f7d39e42d4b22cb92fe0)
Merged-In: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759
Change-Id: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759
---
.../media/session/ParcelableListBinder.java | 13 +++++++++++--
.../android/server/media/MediaSessionRecord.java | 14 ++++++++------
2 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/media/java/android/media/session/ParcelableListBinder.java b/media/java/android/media/session/ParcelableListBinder.java
index bbf1e0889b68..d78828462b1e 100644
--- a/media/java/android/media/session/ParcelableListBinder.java
+++ b/media/java/android/media/session/ParcelableListBinder.java
@@ -45,6 +45,7 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder {
private static final int END_OF_PARCEL = 0;
private static final int ITEM_CONTINUED = 1;
+ private final Class<T> mListElementsClass;
private final Consumer<List<T>> mConsumer;
private final Object mLock = new Object();
@@ -61,9 +62,11 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder {
/**
* Creates an instance.
*
+ * @param listElementsClass the class of the list elements.
* @param consumer a consumer that consumes the list received
*/
- public ParcelableListBinder(@NonNull Consumer<List<T>> consumer) {
+ public ParcelableListBinder(Class<T> listElementsClass, @NonNull Consumer<List<T>> consumer) {
+ mListElementsClass = listElementsClass;
mConsumer = consumer;
}
@@ -83,7 +86,13 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder {
mCount = data.readInt();
}
while (i < mCount && data.readInt() != END_OF_PARCEL) {
- mList.add(data.readParcelable(null));
+ Object object = data.readParcelable(null);
+ if (mListElementsClass.isAssignableFrom(object.getClass())) {
+ // Checking list items are of compaitible types to validate against malicious
+ // apps calling it directly via reflection with non compilable items.
+ // See b/317048338 for more details
+ mList.add((T) object);
+ }
i++;
}
if (i >= mCount) {
diff --git a/services/core/java/com/android/server/media/MediaSessionRecord.java b/services/core/java/com/android/server/media/MediaSessionRecord.java
index 66adbad5372e..a0679d7457a0 100644
--- a/services/core/java/com/android/server/media/MediaSessionRecord.java
+++ b/services/core/java/com/android/server/media/MediaSessionRecord.java
@@ -1095,12 +1095,14 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR
@Override
public IBinder getBinderForSetQueue() throws RemoteException {
- return new ParcelableListBinder<QueueItem>((list) -> {
- synchronized (mLock) {
- mQueue = list;
- }
- mHandler.post(MessageHandler.MSG_UPDATE_QUEUE);
- });
+ return new ParcelableListBinder<QueueItem>(
+ QueueItem.class,
+ (list) -> {
+ synchronized (mLock) {
+ mQueue = list;
+ }
+ mHandler.post(MessageHandler.MSG_UPDATE_QUEUE);
+ });
}
@Override
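Review bot: `object.getClass()` in the new loop body of ParcelableListBinder throws a NullPointerException when `data.readParcelable(null)` returns null, which the removed `mList.add(data.readParcelable(null))` line tolerated; `if (mListElementsClass.isInstance(object)) {` performs the same type check and is null-safe. The check also runs only after `readParcelable(null)` has already unparcelled the item, so it filters what reaches the consumer rather than what gets instantiated. Items that fail the check are skipped while `i++` still advances, so the delivered list can be shorter than `mCount`; a comment stating that this is intended would help the next reader. The enclosing transaction handler starts and ends outside the hunk.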


@ -0,0 +1,37 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Yi-an Chen <theianchen@google.com>
Date: Tue, 23 Apr 2024 21:17:44 +0000
Subject: [PATCH] Fix security vulnerability of non-dynamic permission removal
The original removePermission() code in PermissionManagerServiceImpl
missed a logical negation operator when handling non-dynamic
permissions, causing both
testPermissionPermission_nonDynamicPermission_permissionUnchanged and
testRemovePermission_dynamicPermission_permissionRemoved tests in
DynamicPermissionsTest to fail.
The corresponding test DynamicPermissionsTest is also updated in the
other CL: ag/27073864
Bug: 321711213
Test: DynamicPermissionsTest on sc-dev and tm-dev locally
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0ead58f69f5de82b00406316b333366d556239f1)
Merged-In: Ia146d4098643d9c473f8c83d33a8a125a53101fc
Change-Id: Ia146d4098643d9c473f8c83d33a8a125a53101fc
---
.../android/server/pm/permission/PermissionManagerService.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 31babe0418b8..93f9e1c2295c 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -687,7 +687,7 @@ public class PermissionManagerService extends IPermissionManager.Stub {
if (bp == null) {
return;
}
- if (bp.isDynamic()) {
+ if (!bp.isDynamic()) {
// TODO: switch this back to SecurityException
Slog.wtf(TAG, "Not allowed to modify non-dynamic permission "
+ permName);
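Review bot: In the visible lines the corrected `if (!bp.isDynamic())` branch only calls `Slog.wtf(...)`; the rest of the branch is outside the hunk, so it cannot be seen whether the method returns there. If it does not, a request against a non-dynamic permission is logged and then still falls through to whatever removal follows. The existing TODO already names the intended behaviour (SecurityException); until that lands, an explicit `return;` after the `Slog.wtf` call would make the rejection effective. This is worth confirming against the full method before relying on the fix.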


@ -0,0 +1,175 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco@google.com>
Date: Thu, 29 Feb 2024 12:03:05 +0000
Subject: [PATCH] Verify UID of incoming Zygote connections.
Only the system UID should be allowed to connect to the Zygote. While
for generic Zygotes this is also covered by SELinux policy, this is not
true for App Zygotes: the preload code running in an app zygote could
connect to another app zygote socket, if it had access to its (random)
socket address.
On the Java layer, simply check the UID when the connection is made. In
the native layer, this check was already present, but it actually didn't
work in the case where we receive a new incoming connection on the
socket, and receive a 'non-fork' command: in that case, we will simply
exit the native loop, and let the Java layer handle the command, without
any further UID checking.
Modified the native logic to drop new connections with a mismatching
UID, and to keep serving the existing connection (if it was still
there).
Bug: 319081336
Test: manual
(cherry picked from commit 2ffc7cb220e4220b7e108c4043a3f0f2a85b6508)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f1d4b34ad51b6ccb84ab042486923da8b2451e0f)
Merged-In: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
Change-Id: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
---
.../android/internal/os/ZygoteConnection.java | 3 +
...ndroid_internal_os_ZygoteCommandBuffer.cpp | 81 ++++++++++++-------
2 files changed, 56 insertions(+), 28 deletions(-)
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index 993e4e7b4b3d..765901a043a0 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -93,6 +93,9 @@ class ZygoteConnection {
throw ex;
}
+ if (peer.getUid() != Process.SYSTEM_UID) {
+ throw new ZygoteSecurityException("Only system UID is allowed to connect to Zygote.");
+ }
isEof = false;
}
diff --git a/core/jni/com_android_internal_os_ZygoteCommandBuffer.cpp b/core/jni/com_android_internal_os_ZygoteCommandBuffer.cpp
index 248db76da71d..1ad64d58b7c9 100644
--- a/core/jni/com_android_internal_os_ZygoteCommandBuffer.cpp
+++ b/core/jni/com_android_internal_os_ZygoteCommandBuffer.cpp
@@ -341,6 +341,18 @@ jstring com_android_internal_os_ZygoteCommandBuffer_nativeNextArg(JNIEnv* env, j
return result;
}
+static uid_t getSocketPeerUid(int socket, const std::function<void(const std::string&)>& fail_fn) {
+ struct ucred credentials;
+ socklen_t cred_size = sizeof credentials;
+ if (getsockopt(socket, SOL_SOCKET, SO_PEERCRED, &credentials, &cred_size) == -1
+ || cred_size != sizeof credentials) {
+ fail_fn(CREATE_ERROR("Failed to get socket credentials, %s",
+ strerror(errno)));
+ }
+
+ return credentials.uid;
+}
+
// Read all lines from the current command into the buffer, and then reset the buffer, so
// we will start reading again at the beginning of the command, starting with the argument
// count. And we don't need access to the fd to do so.
@@ -398,18 +410,12 @@ jboolean com_android_internal_os_ZygoteCommandBuffer_nativeForkRepeatedly(
fail_fn_z("Failed to retrieve session socket timeout");
}
- struct ucred credentials;
- socklen_t cred_size = sizeof credentials;
- if (getsockopt(n_buffer->getFd(), SOL_SOCKET, SO_PEERCRED, &credentials, &cred_size) == -1
- || cred_size != sizeof credentials) {
- fail_fn_1(CREATE_ERROR("ForkMany failed to get initial credentials, %s", strerror(errno)));
+ uid_t peerUid = getSocketPeerUid(session_socket, fail_fn_1);
+ if (peerUid != static_cast<uid_t>(expected_uid)) {
+ return JNI_FALSE;
}
-
bool first_time = true;
do {
- if (credentials.uid != expected_uid) {
- return JNI_FALSE;
- }
n_buffer->readAllLines(first_time ? fail_fn_1 : fail_fn_n);
n_buffer->reset();
int pid = zygote::forkApp(env, /* no pipe FDs */ -1, -1, session_socket_fds,
@@ -439,30 +445,56 @@ jboolean com_android_internal_os_ZygoteCommandBuffer_nativeForkRepeatedly(
// Clear buffer and get count from next command.
n_buffer->clear();
for (;;) {
+ bool valid_session_socket = true;
// Poll isn't strictly necessary for now. But without it, disconnect is hard to detect.
int poll_res = TEMP_FAILURE_RETRY(poll(fd_structs, 2, -1 /* infinite timeout */));
if ((fd_structs[SESSION_IDX].revents & POLLIN) != 0) {
if (n_buffer->getCount(fail_fn_z) != 0) {
break;
- } // else disconnected;
+ } else {
+ // Session socket was disconnected
+ valid_session_socket = false;
+ close(session_socket);
+ }
} else if (poll_res == 0 || (fd_structs[ZYGOTE_IDX].revents & POLLIN) == 0) {
fail_fn_z(
CREATE_ERROR("Poll returned with no descriptors ready! Poll returned %d", poll_res));
}
- // We've now seen either a disconnect or connect request.
- close(session_socket);
- int new_fd = TEMP_FAILURE_RETRY(accept(zygote_socket_fd, nullptr, nullptr));
+ int new_fd = -1;
+ do {
+ // We've now seen either a disconnect or connect request.
+ new_fd = TEMP_FAILURE_RETRY(accept(zygote_socket_fd, nullptr, nullptr));
+ if (new_fd == -1) {
+ fail_fn_z(CREATE_ERROR("Accept(%d) failed: %s", zygote_socket_fd, strerror(errno)));
+ }
+ uid_t newPeerUid = getSocketPeerUid(new_fd, fail_fn_1);
+ if (newPeerUid != static_cast<uid_t>(expected_uid)) {
+ ALOGW("Dropping new connection with a mismatched uid %d\n", newPeerUid);
+ close(new_fd);
+ new_fd = -1;
+ } else {
+ // If we still have a valid session socket, close it now
+ if (valid_session_socket) {
+ close(session_socket);
+ }
+ valid_session_socket = true;
+ }
+ } while (!valid_session_socket);
+
+ // At this point we either have a valid new connection (new_fd > 0), or
+ // an existing session socket we can poll on
if (new_fd == -1) {
- fail_fn_z(CREATE_ERROR("Accept(%d) failed: %s", zygote_socket_fd, strerror(errno)));
+ // The new connection wasn't valid, and we still have an old one; retry polling
+ continue;
}
if (new_fd != session_socket) {
- // Move new_fd back to the old value, so that we don't have to change Java-level data
- // structures to reflect a change. This implicitly closes the old one.
- if (TEMP_FAILURE_RETRY(dup2(new_fd, session_socket)) != session_socket) {
- fail_fn_z(CREATE_ERROR("Failed to move fd %d to %d: %s",
- new_fd, session_socket, strerror(errno)));
- }
- close(new_fd); // On Linux, fd is closed even if EINTR is returned.
+ // Move new_fd back to the old value, so that we don't have to change Java-level data
+ // structures to reflect a change. This implicitly closes the old one.
+ if (TEMP_FAILURE_RETRY(dup2(new_fd, session_socket)) != session_socket) {
+ fail_fn_z(CREATE_ERROR("Failed to move fd %d to %d: %s",
+ new_fd, session_socket, strerror(errno)));
+ }
+ close(new_fd); // On Linux, fd is closed even if EINTR is returned.
}
// If we ever return, we effectively reuse the old Java ZygoteConnection.
// None of its state needs to change.
@@ -474,13 +506,6 @@ jboolean com_android_internal_os_ZygoteCommandBuffer_nativeForkRepeatedly(
fail_fn_z(CREATE_ERROR("Failed to set send timeout for socket %d: %s",
session_socket, strerror(errno)));
}
- if (getsockopt(session_socket, SOL_SOCKET, SO_PEERCRED, &credentials, &cred_size) == -1) {
- fail_fn_z(CREATE_ERROR("ForkMany failed to get credentials: %s", strerror(errno)));
- }
- if (cred_size != sizeof credentials) {
- fail_fn_z(CREATE_ERROR("ForkMany credential size = %d, should be %d",
- cred_size, static_cast<int>(sizeof credentials)));
- }
}
first_time = false;
} while (n_buffer->isSimpleForkCommand(minUid, fail_fn_n));
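Review bot: The Java check added before `isEof = false;` in ZygoteConnection rejects a non-system peer without recording which uid connected, while the native path logs it in `ALOGW("Dropping new connection with a mismatched uid %d\n", newPeerUid)`. Putting the value in the message, e.g. `throw new ZygoteSecurityException("Only system UID is allowed to connect to Zygote, got uid " + peer.getUid());`, gives the same detection signal on both layers. In the native hunk `newPeerUid` is a `uid_t` printed with `%d`; `%u` matches the type. The comment `(new_fd > 0)` should read `new_fd >= 0`, since 0 is a valid descriptor. Both enclosing function bodies extend outside the hunks shown.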


@ -11,8 +11,8 @@ Signed-off-by: Tavi <tavi@divested.dev>
src/app/grapheneos/carrierconfig2/Utils.java | 6 +++---
src/app/grapheneos/carrierconfig2/loader/Apns.java | 9 +++------
.../carrierconfig2/loader/CarrierConfigLoader.java | 8 ++++----
.../grapheneos/carrierconfig2/loader/Filters.java | 7 ++-----
6 files changed, 16 insertions(+), 28 deletions(-)
.../grapheneos/carrierconfig2/loader/Filters.java | 4 ++--
6 files changed, 16 insertions(+), 25 deletions(-)
diff --git a/src/app/grapheneos/carrierconfig2/ApnServiceImpl.java b/src/app/grapheneos/carrierconfig2/ApnServiceImpl.java
index 1fc2339..1ac28fc 100644
@ -28,6 +28,7 @@ index 1fc2339..1ac28fc 100644
Log.e(TAG, "CSettingsDir is missing");
return emptyList();
diff --git a/src/app/grapheneos/carrierconfig2/CarrierServiceImpl.java b/src/app/grapheneos/carrierconfig2/CarrierServiceImpl.java
index 166272f..37b430c 100644
--- a/src/app/grapheneos/carrierconfig2/CarrierServiceImpl.java
+++ b/src/app/grapheneos/carrierconfig2/CarrierServiceImpl.java
@@ -14,10 +14,10 @@ public class CarrierServiceImpl extends CarrierService {
@ -56,6 +57,7 @@ diff --git a/src/app/grapheneos/carrierconfig2/CarrierServiceImpl.java b/src/app
- }
}
diff --git a/src/app/grapheneos/carrierconfig2/Utils.java b/src/app/grapheneos/carrierconfig2/Utils.java
index 7300925..06abf09 100644
--- a/src/app/grapheneos/carrierconfig2/Utils.java
+++ b/src/app/grapheneos/carrierconfig2/Utils.java
@@ -22,7 +22,7 @@ public class Utils {
@ -84,6 +86,7 @@ diff --git a/src/app/grapheneos/carrierconfig2/Utils.java b/src/app/grapheneos/c
return baos.toString();
}
diff --git a/src/app/grapheneos/carrierconfig2/loader/Apns.java b/src/app/grapheneos/carrierconfig2/loader/Apns.java
index ff0082f..357e6ea 100644
--- a/src/app/grapheneos/carrierconfig2/loader/Apns.java
+++ b/src/app/grapheneos/carrierconfig2/loader/Apns.java
@@ -39,7 +39,7 @@ public class Apns {
@ -124,6 +127,7 @@ diff --git a/src/app/grapheneos/carrierconfig2/loader/Apns.java b/src/app/graphe
for (ApnItem.ApnType apnType : list) {
diff --git a/src/app/grapheneos/carrierconfig2/loader/CarrierConfigLoader.java b/src/app/grapheneos/carrierconfig2/loader/CarrierConfigLoader.java
index 1d77aac..97a07be 100644
--- a/src/app/grapheneos/carrierconfig2/loader/CarrierConfigLoader.java
+++ b/src/app/grapheneos/carrierconfig2/loader/CarrierConfigLoader.java
@@ -65,7 +65,7 @@ public class CarrierConfigLoader {
@ -163,6 +167,7 @@ diff --git a/src/app/grapheneos/carrierconfig2/loader/CarrierConfigLoader.java b
b.append('-');
b.append(cs.getVersion());
diff --git a/src/app/grapheneos/carrierconfig2/loader/Filters.java b/src/app/grapheneos/carrierconfig2/loader/Filters.java
index 75764db..56081b9 100644
--- a/src/app/grapheneos/carrierconfig2/loader/Filters.java
+++ b/src/app/grapheneos/carrierconfig2/loader/Filters.java
@@ -107,7 +107,7 @@ class Filters {


@ -0,0 +1,291 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Weng Su <wengsu@google.com>
Date: Wed, 3 Apr 2024 10:45:43 +0800
Subject: [PATCH] Restrict WifiDppConfiguratorActivity
- Don't show WifiDppConfiguratorActivity if user has DISALLOW_ADD_WIFI_CONFIG
- Don't show AddNetworkFragment if user has DISALLOW_ADD_WIFI_CONFIG
Fix: 299931076
Flag: None
Test: manual test with TestDPC
atest -c SettingsUnitTests:AddNetworkFragmentTest \
SettingsUnitTests:WifiDppConfiguratorActivityTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:254ba087c29503e8bcf01cc10082c3f393e7701f)
Merged-In: I34afe0f698e2dc43eba59b25f5f3f4f61e70166a
Change-Id: I34afe0f698e2dc43eba59b25f5f3f4f61e70166a
---
.../settings/wifi/AddNetworkFragment.java | 20 +++++
.../wifi/dpp/WifiDppConfiguratorActivity.java | 20 +++++
.../settings/wifi/AddNetworkFragmentTest.java | 74 +++++++++++++++++++
.../dpp/WifiDppConfiguratorActivityTest.java | 74 +++++++++++++++++++
4 files changed, 188 insertions(+)
create mode 100644 tests/unit/src/com/android/settings/wifi/AddNetworkFragmentTest.java
create mode 100644 tests/unit/src/com/android/settings/wifi/dpp/WifiDppConfiguratorActivityTest.java
diff --git a/src/com/android/settings/wifi/AddNetworkFragment.java b/src/com/android/settings/wifi/AddNetworkFragment.java
index 01d5ef1ca4..c50ab9ae24 100644
--- a/src/com/android/settings/wifi/AddNetworkFragment.java
+++ b/src/com/android/settings/wifi/AddNetworkFragment.java
@@ -16,11 +16,16 @@
package com.android.settings.wifi;
+import static android.os.UserManager.DISALLOW_ADD_WIFI_CONFIG;
+
import android.app.Activity;
import android.app.settings.SettingsEnums;
+import android.content.Context;
import android.content.Intent;
import android.net.wifi.WifiConfiguration;
import android.os.Bundle;
+import android.os.UserManager;
+import android.util.Log;
import android.view.LayoutInflater;
import android.view.View;
import android.view.ViewGroup;
@@ -40,6 +45,7 @@ import com.android.settings.wifi.dpp.WifiDppUtils;
*/
public class AddNetworkFragment extends InstrumentedFragment implements WifiConfigUiBase2,
View.OnClickListener {
+ private static final String TAG = "AddNetworkFragment";
public static final String WIFI_CONFIG_KEY = "wifi_config_key";
@VisibleForTesting
@@ -57,6 +63,10 @@ public class AddNetworkFragment extends InstrumentedFragment implements WifiConf
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
+ if (!isAddWifiConfigAllowed(getContext())) {
+ getActivity().finish();
+ return;
+ }
}
@Override
@@ -204,4 +214,14 @@ public class AddNetworkFragment extends InstrumentedFragment implements WifiConf
activity.setResult(Activity.RESULT_CANCELED);
activity.finish();
}
+
+ @VisibleForTesting
+ static boolean isAddWifiConfigAllowed(Context context) {
+ UserManager userManager = context.getSystemService(UserManager.class);
+ if (userManager != null && userManager.hasUserRestriction(DISALLOW_ADD_WIFI_CONFIG)) {
+ Log.e(TAG, "The user is not allowed to add Wi-Fi configuration.");
+ return false;
+ }
+ return true;
+ }
}
diff --git a/src/com/android/settings/wifi/dpp/WifiDppConfiguratorActivity.java b/src/com/android/settings/wifi/dpp/WifiDppConfiguratorActivity.java
index ecaf9ee8fc..a658c16a8c 100644
--- a/src/com/android/settings/wifi/dpp/WifiDppConfiguratorActivity.java
+++ b/src/com/android/settings/wifi/dpp/WifiDppConfiguratorActivity.java
@@ -16,6 +16,8 @@
package com.android.settings.wifi.dpp;
+import static android.os.UserManager.DISALLOW_ADD_WIFI_CONFIG;
+
import android.app.settings.SettingsEnums;
import android.content.Intent;
import android.net.Uri;
@@ -96,6 +98,10 @@ public class WifiDppConfiguratorActivity extends WifiDppBaseActivity implements
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
+ if (!isAddWifiConfigAllowed(getApplicationContext())) {
+ finish();
+ return;
+ }
if (savedInstanceState != null) {
String qrCode = savedInstanceState.getString(KEY_QR_CODE);
@@ -116,6 +122,10 @@ public class WifiDppConfiguratorActivity extends WifiDppBaseActivity implements
@Override
protected void handleIntent(Intent intent) {
+ if (!isAddWifiConfigAllowed(getApplicationContext())) {
+ finish();
+ return;
+ }
String action = intent != null ? intent.getAction() : null;
if (action == null) {
finish();
@@ -384,4 +394,14 @@ public class WifiDppConfiguratorActivity extends WifiDppBaseActivity implements
return null;
}
+
+ @VisibleForTesting
+ static boolean isAddWifiConfigAllowed(Context context) {
+ UserManager userManager = context.getSystemService(UserManager.class);
+ if (userManager != null && userManager.hasUserRestriction(DISALLOW_ADD_WIFI_CONFIG)) {
+ Log.e(TAG, "The user is not allowed to add Wi-Fi configuration.");
+ return false;
+ }
+ return true;
+ }
}
diff --git a/tests/unit/src/com/android/settings/wifi/AddNetworkFragmentTest.java b/tests/unit/src/com/android/settings/wifi/AddNetworkFragmentTest.java
new file mode 100644
index 0000000000..22d43c9bb4
--- /dev/null
+++ b/tests/unit/src/com/android/settings/wifi/AddNetworkFragmentTest.java
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.wifi;
+
+import static android.os.UserManager.DISALLOW_ADD_WIFI_CONFIG;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import static org.mockito.Mockito.when;
+
+import android.content.Context;
+import android.os.UserManager;
+
+import androidx.test.annotation.UiThreadTest;
+import androidx.test.core.app.ApplicationProvider;
+import androidx.test.ext.junit.runners.AndroidJUnit4;
+
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.Spy;
+import org.mockito.junit.MockitoJUnit;
+import org.mockito.junit.MockitoRule;
+
+@RunWith(AndroidJUnit4.class)
+@UiThreadTest
+public class AddNetworkFragmentTest {
+
+ @Rule
+ public final MockitoRule mMockitoRule = MockitoJUnit.rule();
+ @Spy
+ private final Context mContext = ApplicationProvider.getApplicationContext();
+ @Mock
+ private UserManager mUserManager;
+
+ private AddNetworkFragment mFragment;
+
+ @Before
+ public void setUp() {
+ when(mContext.getSystemService(UserManager.class)).thenReturn(mUserManager);
+
+ mFragment = new AddNetworkFragment();
+ }
+
+ @Test
+ public void isAddWifiConfigAllowed_hasNoUserRestriction_returnTrue() {
+ when(mUserManager.hasUserRestriction(DISALLOW_ADD_WIFI_CONFIG)).thenReturn(false);
+
+ assertThat(mFragment.isAddWifiConfigAllowed(mContext)).isTrue();
+ }
+
+ @Test
+ public void isAddWifiConfigAllowed_hasUserRestriction_returnFalse() {
+ when(mUserManager.hasUserRestriction(DISALLOW_ADD_WIFI_CONFIG)).thenReturn(true);
+
+ assertThat(mFragment.isAddWifiConfigAllowed(mContext)).isFalse();
+ }
+}
diff --git a/tests/unit/src/com/android/settings/wifi/dpp/WifiDppConfiguratorActivityTest.java b/tests/unit/src/com/android/settings/wifi/dpp/WifiDppConfiguratorActivityTest.java
new file mode 100644
index 0000000000..4d723dc184
--- /dev/null
+++ b/tests/unit/src/com/android/settings/wifi/dpp/WifiDppConfiguratorActivityTest.java
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.wifi.dpp;
+
+import static android.os.UserManager.DISALLOW_ADD_WIFI_CONFIG;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import static org.mockito.Mockito.when;
+
+import android.content.Context;
+import android.os.UserManager;
+
+import androidx.test.annotation.UiThreadTest;
+import androidx.test.core.app.ApplicationProvider;
+import androidx.test.ext.junit.runners.AndroidJUnit4;
+
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.Spy;
+import org.mockito.junit.MockitoJUnit;
+import org.mockito.junit.MockitoRule;
+
+@RunWith(AndroidJUnit4.class)
+@UiThreadTest
+public class WifiDppConfiguratorActivityTest {
+
+ @Rule
+ public final MockitoRule mMockitoRule = MockitoJUnit.rule();
+ @Spy
+ private final Context mContext = ApplicationProvider.getApplicationContext();
+ @Mock
+ private UserManager mUserManager;
+
+ private WifiDppConfiguratorActivity mActivity;
+
+ @Before
+ public void setUp() {
+ when(mContext.getSystemService(UserManager.class)).thenReturn(mUserManager);
+
+ mActivity = new WifiDppConfiguratorActivity();
+ }
+
+ @Test
+ public void isAddWifiConfigAllowed_hasNoUserRestriction_returnTrue() {
+ when(mUserManager.hasUserRestriction(DISALLOW_ADD_WIFI_CONFIG)).thenReturn(false);
+
+ assertThat(mActivity.isAddWifiConfigAllowed(mContext)).isTrue();
+ }
+
+ @Test
+ public void isAddWifiConfigAllowed_hasUserRestriction_returnFalse() {
+ when(mUserManager.hasUserRestriction(DISALLOW_ADD_WIFI_CONFIG)).thenReturn(true);
+
+ assertThat(mActivity.isAddWifiConfigAllowed(mContext)).isFalse();
+ }
+}
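Review bot: `isAddWifiConfigAllowed(Context)` is added verbatim to both AddNetworkFragment and WifiDppConfiguratorActivity, and both copies return true when `getSystemService(UserManager.class)` yields null, so the restriction check fails open in that case. Keeping one copy in a shared helper would stop the two from drifting apart, and a comment such as `// A null UserManager is treated as "no restriction"` would make the fail-open choice explicit. The WifiDppConfiguratorActivity import hunk adds only the static `DISALLOW_ADD_WIFI_CONFIG` import, so `Context`, `UserManager`, `Log` and `TAG` must already be in scope outside the visible lines for this backport to compile. The new tests cover only the static helper, not that `onCreate` and `handleIntent` actually finish when the restriction is set.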


@ -0,0 +1,260 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Vova Sharaienko <sharaienko@google.com>
Date: Thu, 20 Jul 2023 23:25:31 +0000
Subject: [PATCH] Make executor thread a class member of MultiConditionTrigger
executorThread references class members after detaching. Making
executorThread as class member and joining in MultiConditionTrigger
destructor.
Ignore-AOSP-First: Security bugs merged into internal branch first
Test: atest statsd_test
Bug: 292160348
Flag: NONE mainline module bug fix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:262e2c8a5293483c98be498e60e1e5d15c6a0145)
Merged-In: I7036eb3d506e8ca88e4a5faa6275dc4cba8020ee
Change-Id: I7036eb3d506e8ca88e4a5faa6275dc4cba8020ee
---
statsd/src/utils/MultiConditionTrigger.cpp | 21 ++-
statsd/src/utils/MultiConditionTrigger.h | 10 +-
.../utils/MultiConditionTrigger_test.cpp | 121 ++++++++++++++++++
3 files changed, 144 insertions(+), 8 deletions(-)
diff --git a/statsd/src/utils/MultiConditionTrigger.cpp b/statsd/src/utils/MultiConditionTrigger.cpp
index 43a69337..3088453e 100644
--- a/statsd/src/utils/MultiConditionTrigger.cpp
+++ b/statsd/src/utils/MultiConditionTrigger.cpp
@@ -14,11 +14,10 @@
* limitations under the License.
*/
#define DEBUG false // STOPSHIP if true
+#include "Log.h"
#include "MultiConditionTrigger.h"
-#include <thread>
-
using namespace std;
namespace android {
@@ -31,8 +30,7 @@ MultiConditionTrigger::MultiConditionTrigger(const set<string>& conditionNames,
mTrigger(trigger),
mCompleted(mRemainingConditionNames.empty()) {
if (mCompleted) {
- thread executorThread([this] { mTrigger(); });
- executorThread.detach();
+ startExecutorThread();
}
}
@@ -48,10 +46,21 @@ void MultiConditionTrigger::markComplete(const string& conditionName) {
doTrigger = mCompleted;
}
if (doTrigger) {
- std::thread executorThread([this] { mTrigger(); });
- executorThread.detach();
+ startExecutorThread();
}
}
+
+void MultiConditionTrigger::startExecutorThread() {
+ mExecutorThread = make_unique<thread>([this] { mTrigger(); });
+}
+
+MultiConditionTrigger::~MultiConditionTrigger() {
+ if (mExecutorThread != nullptr && mExecutorThread->joinable()) {
+ VLOG("MultiConditionTrigger waiting on execution thread termination");
+ mExecutorThread->join();
+ }
+}
+
} // namespace statsd
} // namespace os
} // namespace android
diff --git a/statsd/src/utils/MultiConditionTrigger.h b/statsd/src/utils/MultiConditionTrigger.h
index 51f60299..dee00713 100644
--- a/statsd/src/utils/MultiConditionTrigger.h
+++ b/statsd/src/utils/MultiConditionTrigger.h
@@ -19,6 +19,7 @@
#include <mutex>
#include <set>
+#include <thread>
namespace android {
namespace os {
@@ -27,8 +28,8 @@ namespace statsd {
/**
* This class provides a utility to wait for a set of named conditions to occur.
*
- * It will execute the trigger runnable in a detached thread once all conditions have been marked
- * true.
+ * It will execute the trigger runnable in a separate thread (which will be joined at instance
+ * destructor time) once all conditions have been marked true.
*/
class MultiConditionTrigger {
public:
@@ -37,19 +38,24 @@ public:
MultiConditionTrigger(const MultiConditionTrigger&) = delete;
MultiConditionTrigger& operator=(const MultiConditionTrigger&) = delete;
+ ~MultiConditionTrigger();
// Mark a specific condition as true. If this condition has called markComplete already or if
// the event was not specified in the constructor, the function is a no-op.
void markComplete(const std::string& eventName);
private:
+ void startExecutorThread();
+
mutable std::mutex mMutex;
std::set<std::string> mRemainingConditionNames;
std::function<void()> mTrigger;
bool mCompleted;
+ std::unique_ptr<std::thread> mExecutorThread;
FRIEND_TEST(MultiConditionTriggerTest, TestCountDownCalledBySameEventName);
};
+
} // namespace statsd
} // namespace os
} // namespace android
diff --git a/statsd/tests/utils/MultiConditionTrigger_test.cpp b/statsd/tests/utils/MultiConditionTrigger_test.cpp
index 32cecd3b..b525f75e 100644
--- a/statsd/tests/utils/MultiConditionTrigger_test.cpp
+++ b/statsd/tests/utils/MultiConditionTrigger_test.cpp
@@ -22,6 +22,8 @@
#include <thread>
#include <vector>
+#include "tests/statsd_test_util.h"
+
#ifdef __ANDROID__
using namespace std;
@@ -166,6 +168,125 @@ TEST(MultiConditionTrigger, TestTriggerOnlyCalledOnce) {
}
}
+namespace {
+
+class TriggerDependency {
+public:
+ TriggerDependency(mutex& lock, condition_variable& cv, bool& triggerCalled, int& triggerCount)
+ : mLock(lock), mCv(cv), mTriggerCalled(triggerCalled), mTriggerCount(triggerCount) {
+ }
+
+ void someMethod() {
+ lock_guard lg(mLock);
+ mTriggerCount++;
+ mTriggerCalled = true;
+ mCv.notify_all();
+ }
+
+private:
+ mutex& mLock;
+ condition_variable& mCv;
+ bool& mTriggerCalled;
+ int& mTriggerCount;
+};
+
+} // namespace
+
+TEST(MultiConditionTrigger, TestTriggerHasSleep) {
+ const string t1 = "t1";
+ set<string> conditionNames = {t1};
+
+ mutex lock;
+ condition_variable cv;
+ bool triggerCalled = false;
+ int triggerCount = 0;
+
+ {
+ TriggerDependency dependency(lock, cv, triggerCalled, triggerCount);
+ MultiConditionTrigger trigger(conditionNames, [&dependency] {
+ std::this_thread::sleep_for(std::chrono::milliseconds(50));
+ dependency.someMethod();
+ });
+ trigger.markComplete(t1);
+
+ // Here dependency instance will go out of scope and the thread within MultiConditionTrigger
+ // after delay will try to call method of already destroyed class instance
+ // with leading crash if trigger execution thread is detached in MultiConditionTrigger
+ // Instead since the MultiConditionTrigger destructor happens before TriggerDependency
+ // destructor, MultiConditionTrigger destructor is waiting on execution thread termination
+ // with thread::join
+ }
+ // At this moment the executor thread guaranteed terminated by MultiConditionTrigger destructor
+
+ // Ensure that the trigger fired.
+ {
+ unique_lock<mutex> unique_lk(lock);
+ cv.wait(unique_lk, [&triggerCalled] { return triggerCalled; });
+ EXPECT_TRUE(triggerCalled);
+ EXPECT_EQ(triggerCount, 1);
+ }
+}
+
+TEST(MultiConditionTrigger, TestTriggerHasSleepEarlyTermination) {
+ const string t1 = "t1";
+ set<string> conditionNames = {t1};
+
+ mutex lock;
+ condition_variable cv;
+ bool triggerCalled = false;
+ int triggerCount = 0;
+
+ std::condition_variable triggerTerminationFlag;
+ std::mutex triggerTerminationFlagMutex;
+ bool terminationRequested = false;
+
+ // used for error threshold tolerance due to wait_for() is involved
+ const int64_t errorThresholdMs = 25;
+ const int64_t triggerEarlyTerminationDelayMs = 100;
+ const int64_t triggerStartNs = getElapsedRealtimeNs();
+ {
+ TriggerDependency dependency(lock, cv, triggerCalled, triggerCount);
+ MultiConditionTrigger trigger(
+ conditionNames, [&dependency, &triggerTerminationFlag, &triggerTerminationFlagMutex,
+ &lock, &triggerCalled, &cv, &terminationRequested] {
+ std::unique_lock<std::mutex> lk(triggerTerminationFlagMutex);
+ if (triggerTerminationFlag.wait_for(
+ lk, std::chrono::seconds(1),
+ [&terminationRequested] { return terminationRequested; })) {
+ // triggerTerminationFlag was notified - early termination is requested
+ lock_guard lg(lock);
+ triggerCalled = true;
+ cv.notify_all();
+ return;
+ }
+ dependency.someMethod();
+ });
+ trigger.markComplete(t1);
+
+ // notify to terminate trigger executor thread after triggerEarlyTerminationDelayMs
+ std::this_thread::sleep_for(std::chrono::milliseconds(triggerEarlyTerminationDelayMs));
+ {
+ std::unique_lock<std::mutex> lk(triggerTerminationFlagMutex);
+ terminationRequested = true;
+ }
+ triggerTerminationFlag.notify_all();
+ }
+ // At this moment the executor thread guaranteed terminated by MultiConditionTrigger destructor
+
+ // check that test duration is closer to 100ms rather to 1s
+ const int64_t triggerEndNs = getElapsedRealtimeNs();
+ EXPECT_LE(NanoToMillis(triggerEndNs - triggerStartNs),
+ triggerEarlyTerminationDelayMs + errorThresholdMs);
+
+ // Ensure that the trigger fired but not the dependency.someMethod().
+ {
+ unique_lock<mutex> unique_lk(lock);
+ cv.wait(unique_lk, [&triggerCalled] { return triggerCalled; });
+ EXPECT_TRUE(triggerCalled);
+ EXPECT_EQ(triggerCount, 0);
+ }
+}
+
} // namespace statsd
} // namespace os
} // namespace android
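Review bot: `startExecutorThread()` in MultiConditionTrigger.cpp assigns `mExecutorThread` without holding `mMutex` and without checking whether a thread is already stored, so the lifetime fix relies on the helper running at most once per instance. Overwriting a `unique_ptr` that still owns a joinable `std::thread` ends in `std::terminate`. The once-only guarantee presumably comes from the `mCompleted` check in `markComplete`, whose body starts outside the hunk; I would record it on the helper, e.g. `// Called at most once per instance (guarded by mCompleted); the destructor joins this thread.` The header hunk also introduces `std::unique_ptr` while the visible includes are only `<mutex>`, `<set>` and `<thread>`, so `#include <memory>` may be needed unless it already appears above the hunk.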


@ -0,0 +1,51 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Omar Eissa <oeissa@google.com>
Date: Mon, 15 Apr 2024 12:04:56 +0000
Subject: [PATCH] Prevent insertion in other users storage volumes
Don't allow file insertion in other users storage volumes.
This was already handled if DATA was explicitly set in content values,
but was allowed if DATA was generated based on other values like RELATIVE_PATH and DISPLAY_NAME.
Insertion of files in other users storage volumes can be used by malicious apps
to get access to other users files, since the same file would exist in both users MP databases
which would lead to MP falsely assuming that the user has access to this file.
Bug: 294406604
Test: atest MediaProviderTests
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df39f8486b25473d0bdbeed896ad917e3c793bf9)
Merged-In: Ie219bbdbe28819421040e4c083b65ab47d8ebde6
Change-Id: Ie219bbdbe28819421040e4c083b65ab47d8ebde6
---
src/com/android/providers/media/MediaProvider.java | 1 +
tests/src/com/android/providers/media/MediaProviderTest.java | 5 ++---
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java
index 0d220aa5..71b652f1 100644
--- a/src/com/android/providers/media/MediaProvider.java
+++ b/src/com/android/providers/media/MediaProvider.java
@@ -3275,6 +3275,7 @@ public class MediaProvider extends ContentProvider {
FileUtils.sanitizeValues(values, /*rewriteHiddenFileName*/ !isFuseThread());
FileUtils.computeDataFromValues(values, volumePath, isFuseThread());
+ assertFileColumnsConsistent(match, uri, values);
// Create result file
File res = new File(values.getAsString(MediaColumns.DATA));
diff --git a/tests/src/com/android/providers/media/MediaProviderTest.java b/tests/src/com/android/providers/media/MediaProviderTest.java
index 11fc327b..28463477 100644
--- a/tests/src/com/android/providers/media/MediaProviderTest.java
+++ b/tests/src/com/android/providers/media/MediaProviderTest.java
@@ -377,9 +377,8 @@ public class MediaProviderTest {
@Test
public void testInsertionWithInvalidFilePath_throwsIllegalArgumentException() {
final ContentValues values = new ContentValues();
- values.put(MediaStore.MediaColumns.RELATIVE_PATH, "Android/media/com.example");
- values.put(MediaStore.Images.Media.DISPLAY_NAME,
- "./../../../../../../../../../../../data/media/test.txt");
+ values.put(MediaStore.MediaColumns.RELATIVE_PATH, "Android/media/com.example/");
+ values.put(MediaStore.Images.Media.DISPLAY_NAME, "data/media/test.txt");
IllegalArgumentException illegalArgumentException = Assert.assertThrows(
IllegalArgumentException.class, () -> sIsolatedResolver.insert(
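Review bot: The added `assertFileColumnsConsistent(match, uri, values);` in MediaProvider.java has no comment saying that its position matters: it has to run after `FileUtils.computeDataFromValues(...)` so that a DATA path generated from RELATIVE_PATH and DISPLAY_NAME is checked before `new File(...)` uses it. I would add `// Validate DATA after it is computed: a generated path needs the same check as one set explicitly by the caller.` above the call, so a later reorder does not reopen the gap the commit message describes. In MediaProviderTest.java the `../` DISPLAY_NAME input is replaced rather than kept next to the new one; if the old input still throws, keeping both as separate cases would preserve that coverage. The enclosing method in MediaProvider.java starts and ends outside the hunk.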


@ -1,25 +0,0 @@
From 3ee1dde662b9b42c1a344fc9c6613b12e96b80cf Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 1 Jul 2017 13:21:18 -0400
Subject: [PATCH] add alloc_size attributes to the allocator
This results in expanded _FORTIFY_SOURCE coverage.
---
osi/include/allocator.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/osi/include/allocator.h b/osi/include/allocator.h
index 3a4141f384..4fa059eb14 100644
--- a/osi/include/allocator.h
+++ b/osi/include/allocator.h
@@ -37,8 +37,8 @@ extern const allocator_t allocator_calloc;
char* osi_strdup(const char* str);
char* osi_strndup(const char* str, size_t len);
-void* osi_malloc(size_t size);
-void* osi_calloc(size_t size);
+void* osi_malloc(size_t size) __attribute__((alloc_size(1)));
+void* osi_calloc(size_t size) __attribute__((alloc_size(1)));
void osi_free(void* ptr);
// Free a buffer that was previously allocated with function |osi_malloc|


@ -0,0 +1,63 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Mon, 22 Apr 2024 21:10:09 +0000
Subject: [PATCH] Fix an authentication bypass bug in SMP
When pairing with BLE legacy pairing initiated
from remote, authentication can be bypassed.
This change fixes it.
Bug: 251514170
Test: m com.android.btservices
Test: manual run against PoC
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:25a3fcd487c799d5d9029b8646159a0b10143d97)
Merged-In: I369a8fdd675eca731a7a488ed6a2be645058b795
Change-Id: I369a8fdd675eca731a7a488ed6a2be645058b795
---
stack/smp/smp_act.cc | 12 ++++++++++++
stack/smp/smp_int.h | 1 +
2 files changed, 13 insertions(+)
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index 1863fdf51..47be844aa 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -294,6 +294,7 @@ void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
SMP_TRACE_DEBUG("%s", __func__);
smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
+ p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
}
/*******************************************************************************
@@ -655,6 +656,17 @@ void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
return;
}
+ if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
+ (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
+ !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
+ // in legacy pairing, the peer should send its rand after
+ // we send our confirm
+ tSMP_INT_DATA smp_int_data{};
+ smp_int_data.status = SMP_INVALID_PARAMETERS;
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
+ return;
+ }
+
/* save the SRand for comparison */
STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
}
diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h
index c13120182..b8c1a5b95 100644
--- a/stack/smp/smp_int.h
+++ b/stack/smp/smp_int.h
@@ -211,6 +211,7 @@ typedef union {
(1 << 7) /* used to resolve race condition */
#define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY \
(1 << 8) /* used on peripheral to resolve race condition */
+#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9)
/* check if authentication requirement need MITM protection */
#define SMP_NO_MITM_REQUIRED(x) (((x)&SMP_AUTH_YN_BIT) == 0)
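Review bot: `SMP_PAIR_FLAGS_CMD_CONFIRM_SENT` in smp_int.h is the only define in the visible group without a comment, although the new guard in `smp_proc_init` depends entirely on when that bit is set and cleared. I would document it, e.g. `/* set after our SMP Confirm is sent; legacy pairing rejects a peer Rand that arrives before it */`. Two things are worth confirming outside the hunks: that `p_cb->flags` is cleared whenever pairing restarts, since a stale bit would satisfy the check, and whether `smp_send_cmd` can fail, because `smp_send_confirm` sets the flag without looking at its result.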


@ -172,7 +172,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-10153/4.9/0002.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-10208/3.18/0005.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-10741/3.18/0005.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-10906/4.4/0003.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-20022/3.18/0001.patch
#git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-20022/3.18/0001.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-GadgetFS/^4.10/0006.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-GadgetFS/^4.10/0007.patch
git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-GadgetFS/^4.10/0008.patch
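Review bot: The `git apply` for `CVE-2016-20022/3.18/0001.patch` appears here in both active and commented-out form, and assuming the commented-out line is the new side, the fix is disabled with no reason given. A later reader cannot tell whether the patch no longer applies, breaks the build, or was superseded. A trailing comment on that line would keep the decision auditable, e.g. `#git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-20022/3.18/0001.patch #<reason this fix is disabled for this kernel>`. If the kernel stays exposed to this CVE as a result, that belongs in the commit description as well.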


@ -95,6 +95,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
awk -i inplace '!/updatable_apex.mk/' target/product/generic_system.mk; #Disable APEX
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
sed -i 's/2024-06-05/2024-07-05/' core/version_defaults.mk; #Bump Security String #X_asb_2024-07
fi;
if enterAndClear "build/soong"; then
@ -125,6 +126,10 @@ sed -i '11iLOCAL_OVERRIDES_PACKAGES := Camera Camera2 LegacyCamera Snap OpenCame
fi;
if enterAndClear "frameworks/base"; then
applyPatch "$DOS_PATCHES/android_frameworks_base/329230490-1.patch"; #X_asb_2024-07 [CDM] Fix setSkipPrompt on Android S
applyPatch "$DOS_PATCHES/android_frameworks_base/397375.patch"; #T_asb_2024-07 Fix security vulnerability allowing apps to start from background
applyPatch "$DOS_PATCHES/android_frameworks_base/397376-backport.patch"; #T_asb_2024-07 Fix security vulnerability of non-dynamic permission removal
applyPatch "$DOS_PATCHES/android_frameworks_base/397377-backport.patch"; #T_asb_2024-07 Verify UID of incoming Zygote connections.
git revert --no-edit 83fe523914728a3674debba17a6019cb74803045; #Reverts "Allow signature spoofing for microG Companion/Services" in favor of below patch
applyPatch "$DOS_PATCHES/android_frameworks_base/344888-backport.patch"; #fixup! fw/b: Add support for allowing/disallowing apps on cellular, vpn and wifi networks (CalyxOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
@ -299,6 +304,7 @@ fi;
if enterAndClear "packages/apps/Settings"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/316891059-19.patch"; #x-asb_2024-05 Replace getCallingActivity() with getLaunchedFromPackage()
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/397378-backport.patch"; #T_asb_2024-07 Restrict WifiDppConfiguratorActivity
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch"; #Timeout for Bluetooth (CalyxOS)
@ -372,6 +378,10 @@ applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0005-Browser_No_Loc
applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0006-Location_Indicators.patch"; #SystemUI: Use new privacy indicators for location (GrapheneOS)
fi;
if enterAndClear "packages/modules/StatsD"; then
applyPatch "$DOS_PATCHES/android_packages_modules_StatsD/397380-backport.patch"; #T_asb_2024-07 Make executor thread a class member of MultiConditionTrigger
fi;
if enterAndClear "packages/modules/Wifi"; then
applyPatch "$DOS_PATCHES/android_packages_modules_Wifi/0001-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Wifi/0001-Random_MAC-a1.patch"; #Fix MAC address leak after SSR (AOSP)
@ -382,11 +392,16 @@ if enterAndClear "packages/providers/DownloadProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
fi;
if enterAndClear "packages/providers/MediaProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/397381.patch"; #T_asb_2024-07 Prevent insertion in other users storage volumes
fi
if enterAndClear "packages/services/Telephony"; then
if [ -d "$DOS_BUILD_BASE"/vendor/divested-carriersettings ]; then applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-CC2.patch"; fi; #Runtime control of platform carrier config package (DivestOS)
fi;
if enterAndClear "system/bt"; then
applyPatch "$DOS_PATCHES/android_system_bt/397379-backport.patch"; #T_asb_2024-07 Fix an authentication bypass bug in SMP
applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
fi;