From 77e1c9c7187676c3536089a23ada00228d4c2d55 Mon Sep 17 00:00:00 2001
From: Tavi
Date: Sat, 14 Dec 2024 11:54:53 -0500
Subject: [PATCH] 18.1: December 2024 ASB picks

Signed-off-by: Tavi
---
 .../android_external_skia/411484.patch | 48 ++++++++++++
 .../android_external_skia/411485.patch | 35 +++++++++
 .../android_external_skia/411486.patch | 35 +++++++++
 .../android_frameworks_base/411487.patch | 60 +++++++++++++++
 .../android_system_bt/411488.patch | 44 +++++++++++
 .../android_system_bt/411489.patch | 73 +++++++++++++++++++
 .../android_system_bt/411490.patch | 37 ++++++++++
 .../411491.patch | 43 +++++++++++
 .../411492.patch | 73 +++++++++++++++++++
 .../411493.patch | 37 ++++++++++
 Scripts/LineageOS-18.1/Patch.sh | 12 ++-
 11 files changed, 496 insertions(+), 1 deletion(-)
 create mode 100644 Patches/LineageOS-18.1/android_external_skia/411484.patch
 create mode 100644 Patches/LineageOS-18.1/android_external_skia/411485.patch
 create mode 100644 Patches/LineageOS-18.1/android_external_skia/411486.patch
 create mode 100644 Patches/LineageOS-18.1/android_frameworks_base/411487.patch
 create mode 100644 Patches/LineageOS-18.1/android_system_bt/411488.patch
 create mode 100644 Patches/LineageOS-18.1/android_system_bt/411489.patch
 create mode 100644 Patches/LineageOS-18.1/android_system_bt/411490.patch
 create mode 100644 Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/411491.patch
 create mode 100644 Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/411492.patch
 create mode 100644 Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/411493.patch

diff --git a/Patches/LineageOS-18.1/android_external_skia/411484.patch b/Patches/LineageOS-18.1/android_external_skia/411484.patch
new file mode 100644
index 00000000..bec2f24b
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_external_skia/411484.patch
@@ -0,0 +1,48 @@
+From 5f7c0d2314257dbcb63a6fdb2abde785adfd0f98 Mon Sep 17 00:00:00 2001
+From: Ben Wagner
+Date: Mon, 12 Aug 2024 15:00:08 -0400
+Subject: [PATCH] [pdf] Bounds check in skia_alloc_func
+
+The allocator callback for zlib needs to check that items * size will
+fit in size_t and return nullptr if not.
+
+Conflicts:
+- src/pdf/SkDeflate.cpp: just in header includes
+
+Bug: 349678452
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/888996
+Commit-Queue: Ben Wagner
+Reviewed-by: Brian Osman
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:94b46e52960ec84a69304ea058fd928e3de6fa56)
+Merged-In: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+Change-Id: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+---
+ src/pdf/SkDeflate.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/pdf/SkDeflate.cpp b/src/pdf/SkDeflate.cpp
+index a8bd667cc06..f243f94b40e 100644
+--- a/src/pdf/SkDeflate.cpp
++++ b/src/pdf/SkDeflate.cpp
+@@ -9,6 +9,7 @@
+ 
+ #include "include/core/SkData.h"
+ #include "include/private/SkMalloc.h"
++#include "include/private/SkTFitsIn.h"
+ #include "include/private/SkTo.h"
+ #include "src/core/SkTraceEvent.h"
+ 
+@@ -21,6 +22,13 @@ namespace {
+ // Different zlib implementations use different T.
+ // We've seen size_t and unsigned.
+ template void* skia_alloc_func(void*, T items, T size) {
++ if (!SkTFitsIn(size)) {
++ return nullptr;
++ }
++ const size_t maxItems = SIZE_MAX / size;
++ if (maxItems < items) {
++ return nullptr;
++ }
+ return sk_calloc_throw(SkToSizeT(items) * SkToSizeT(size));
+ }
+ 
diff --git a/Patches/LineageOS-18.1/android_external_skia/411485.patch b/Patches/LineageOS-18.1/android_external_skia/411485.patch
new file mode 100644
index 00000000..bae6c9ca
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_external_skia/411485.patch
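Review bot: `const size_t maxItems = SIZE_MAX / size;` divides by the caller-supplied `size` with no zero guard, and the `SkTFitsIn` check before it only rejects values that do not fit in size_t, so a zero `size` is a division by zero before the `maxItems < items` test is ever reached. zlib allocators are not normally called with a zero size, but this callback exists precisely to distrust its arguments, and one extra condition covers it: `if (size == 0 || !SkTFitsIn<size_t>(size)) { return nullptr; }` — the commit message already names a null return as the failure signal. Note that the template argument lists appear stripped in this rendering (`template void*`, `SkTFitsIn(size)`); the patch file itself presumably carries `<typename T>` and `<size_t>`. By its name `sk_calloc_throw` likely aborts rather than returning null on a real allocation failure, so only the overflow path reaches zlib's error handling — worth a one-line comment so nobody expects the two cases to behave alike.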
@@ -0,0 +1,35 @@
+From 6f447355dd4fd0cfdf7c49b688149c71390194cb Mon Sep 17 00:00:00 2001
+From: Brian Osman
+Date: Thu, 29 Aug 2024 12:47:48 -0400
+Subject: [PATCH] RESTRICT AUTOMERGE: Check for size overflow before allocating
+ SkMask data
+
+Bug: 352631932
+Test: N/A -- not reproducible / speculative fix
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894478
+Commit-Queue: Ben Wagner
+Reviewed-by: Ben Wagner
+Auto-Submit: Brian Osman
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fa94ff39bee75fe3a4abf061c09b972e2ffd0fa)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbf6a5953623cdb0ef200bcba00bc43986b16c91)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:767ef0ae44902bb84ef0bf6f6beb601c283ade01)
+Merged-In: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+Change-Id: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+---
+ src/core/SkBlurMF.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/core/SkBlurMF.cpp b/src/core/SkBlurMF.cpp
+index bd7accae8d2..e16f6ee7698 100644
+--- a/src/core/SkBlurMF.cpp
++++ b/src/core/SkBlurMF.cpp
+@@ -316,6 +316,9 @@ static bool prepare_to_draw_into_mask(const SkRect& bounds, SkMask* mask) {
+ mask->fRowBytes = SkAlign4(mask->fBounds.width());
+ mask->fFormat = SkMask::kA8_Format;
+ const size_t size = mask->computeImageSize();
++ if (size == 0) {
++ return false;
++ }
+ mask->fImage = SkMask::AllocImage(size, SkMask::kZeroInit_Alloc);
+ if (nullptr == mask->fImage) {
+ return false;
diff --git a/Patches/LineageOS-18.1/android_external_skia/411486.patch b/Patches/LineageOS-18.1/android_external_skia/411486.patch
new file mode 100644
index 00000000..24a9c020
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_external_skia/411486.patch
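Review bot: The new `if (size == 0) { return false; }` only closes an overflow if `SkMask::computeImageSize()` signals an unrepresentable width*height by returning 0, and nothing in the hunk says so; a later reader will take it for an empty-mask test and may "simplify" it away. Propose a comment on the check: `// computeImageSize() is expected to return 0 when the mask area overflows size_t (confirm); refuse rather than allocate a truncated image`. The commit message marks the change as speculative with no repro, so a test feeding prepare_to_draw_into_mask bounds whose area exceeds size_t and expecting false would pin the behaviour this patch relies on. prepare_to_draw_into_mask begins before the hunk.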
@@ -0,0 +1,35 @@
+From 7f44cab6fa5bc8ff805795f88d0912612e849224 Mon Sep 17 00:00:00 2001
+From: Brian Osman
+Date: Thu, 29 Aug 2024 11:52:35 -0400
+Subject: [PATCH] Prevent overflow when growing an SkRegion's RunArray
+
+Bug: 350118416
+Test: N/A -- speculative issue without repro case
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894836
+Reviewed-by: Robert Phillips
+Commit-Queue: Brian Osman
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85802e6d648a7831a26cc856fa5e33da94ed23f0)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6ed907c5f18a646c9150e41b74ef45ca08518830)
+Merged-In: Iea27fe62ef97deb8a75e8dae276657d809223b57
+Change-Id: Iea27fe62ef97deb8a75e8dae276657d809223b57
+---
+ src/core/SkRegion.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
+index 73707c2b876..275410cbd22 100644
+--- a/src/core/SkRegion.cpp
++++ b/src/core/SkRegion.cpp
+@@ -52,8 +52,10 @@ class RunArray {
+ /** Resize the array to a size greater-than-or-equal-to count. */
+ void resizeToAtLeast(int count) {
+ if (count > fCount) {
+- // leave at least 50% extra space for future growth.
+- count += count >> 1;
++ // leave at least 50% extra space for future growth (unless adding would overflow)
++ SkSafeMath safe;
++ int newCount = safe.addInt(count, count >> 1);
++ count = safe ? newCount : SK_MaxS32;
+ fMalloc.realloc(count);
+ if (fPtr == fStack) {
+ memcpy(fMalloc.get(), fStack, fCount * sizeof(SkRegionPriv::RunType));
diff --git a/Patches/LineageOS-18.1/android_frameworks_base/411487.patch b/Patches/LineageOS-18.1/android_frameworks_base/411487.patch
new file mode 100644
index 00000000..cca44e86
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_frameworks_base/411487.patch
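Review bot: On overflow `count` becomes `SK_MaxS32` and is still handed to `fMalloc.realloc(count)`, so the checked addition only protects the slack computation; the byte count `SK_MaxS32 * sizeof(SkRegionPriv::RunType)` is formed inside `fMalloc.realloc`, outside the hunk, and unless that helper does its own checked multiply the overflow has merely moved one call down. A comment stating the intent would let a reader judge that: `// Overflow: drop the 50% slack and request exactly SK_MaxS32 entries; fMalloc.realloc is responsible for rejecting a byte count it cannot represent`. The patch adds no include, so SkRegion.cpp on this branch presumably already has SkSafeMath in scope — worth confirming on an 18.1-era tree, since the sibling skia patch needed its includes adjusted. resizeToAtLeast continues past the end of the hunk.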
@@ -0,0 +1,60 @@
+From b958e5cbbb8982c37dcc60f076e9e71a85588c87 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting
+Date: Thu, 29 Aug 2024 17:01:55 +0000
+Subject: [PATCH] Properly handle onNullBinding() in appwidget service.
+
+Bug: 340239088
+Test: manually verified with the PoC app
+Flag: EXEMPT CVE
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5b076641fc517b37f1689697130de3cbc22a4c92)
+Merged-In: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+Change-Id: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+---
+ core/java/android/widget/RemoteViewsAdapter.java | 5 +++++
+ .../android/server/appwidget/AppWidgetServiceImpl.java | 10 ++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/core/java/android/widget/RemoteViewsAdapter.java b/core/java/android/widget/RemoteViewsAdapter.java
+index e58f08a799655..d64a3b5ee16ba 100644
+--- a/core/java/android/widget/RemoteViewsAdapter.java
++++ b/core/java/android/widget/RemoteViewsAdapter.java
+@@ -238,6 +238,11 @@ public void onServiceDisconnected(ComponentName name) {
+ }
+ }
+ 
++ @Override
++ public void onNullBinding(ComponentName name) {
++ enqueueDeferredUnbindServiceMessage();
++ }
++
+ @Override
+ public void handleMessage(Message msg) {
+ RemoteViewsAdapter adapter = mAdapter.get();
+diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+index f989f73b11b10..709a206a39c77 100644
+--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
++++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+@@ -1888,6 +1888,11 @@ public void onServiceConnected(ComponentName name, IBinder service) {
+ mContext.unbindService(this);
+ }
+ 
++ @Override
++ public void onNullBinding(ComponentName name) {
++ mContext.unbindService(this);
++ }
++
+ @Override
+ public void onServiceDisconnected(ComponentName name) {
+ // Do nothing
+@@ -2028,6 +2033,11 @@ public void onServiceConnected(ComponentName name, IBinder service) {
+ mContext.unbindService(this);
+ }
+ 
++ @Override
++ public void onNullBinding(ComponentName name) {
++ mContext.unbindService(this);
++ }
++
+ @Override
+ public void onServiceDisconnected(android.content.ComponentName name) {
+ // Do nothing
diff --git a/Patches/LineageOS-18.1/android_system_bt/411488.patch b/Patches/LineageOS-18.1/android_system_bt/411488.patch
new file mode 100644
index 00000000..f1b6173b
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_system_bt/411488.patch
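Review bot: The three new `onNullBinding()` overrides say nothing about why they exist, and the reason is the security-relevant part: a provider whose `onBind()` returns null never triggers `onServiceConnected()`, so without the override the binding stays open and system_server presumably keeps that app's process alive for as long as it holds the connection (inferred from the fix; the commit message only cites the bug id and a PoC). Propose the same comment on each override, e.g. `// onBind() returned null, so onServiceConnected() will never fire; release the binding here rather than hold the remote process open indefinitely.`. In RemoteViewsAdapter the unbind is deferred through `enqueueDeferredUnbindServiceMessage()` while the two service-side overrides unbind synchronously; a one-line note on why the adapter defers would stop a future reader from "fixing" the asymmetry. The enclosing ServiceConnection classes begin and end outside the hunk.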
@@ -0,0 +1,44 @@
+From 9f73a10e0bd1ac2f6d8e3fe612fb9ff2f1839d63 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Mon, 8 Jul 2024 22:42:18 +0000
+Subject: [PATCH] [BACKPORT] Fix OOB write in build_read_multi_rsp of
+ gatt_sr.cc
+
+build_read_multi_rsp is missing a bounds check, which can lead to an
+OOB write when the mtu parameter is set to zero.
+
+Add that bounds check.
+
+Bug: 323850943
+Test: atest GattSrTest
+Test: researcher POC
+Tag: #security
+Flag: EXEMPT trivial validity checks
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c177fdbd6189a114239e11e2713740b5a50624e1)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f7171d31e247e3367b302374a3a0cf671f50ffcd)
+Merged-In: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
+Change-Id: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
+---
+ stack/gatt/gatt_sr.cc | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index 252732c739..9a875d742d 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -136,6 +136,14 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+ /* Wait till we get all the responses */
+ if (fixed_queue_length(p_cmd->multi_rsp_q) ==
+ p_cmd->multi_req.num_handles) {
++
++ // We need at least one extra byte for the opcode
++ if (mtu == 0) {
++ LOG(ERROR) << "Invalid MTU";
++ p_cmd->status = GATT_ILLEGAL_PARAMETER;
++ return (true);
++ }
++
+ len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
+ p_buf = (BT_HDR*)osi_calloc(len);
+ p_buf->offset = L2CAP_MIN_OFFSET;
diff --git a/Patches/LineageOS-18.1/android_system_bt/411489.patch b/Patches/LineageOS-18.1/android_system_bt/411489.patch
new file mode 100644
index 00000000..f2728467
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_system_bt/411489.patch
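Review bot: The `mtu == 0` guard is correct but its comment, `// We need at least one extra byte for the opcode`, does not say what goes wrong, so a reader of the sizing line below it, `len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;`, cannot tell why zero is the only bad value; suggest `// p_buf is sized to mtu bytes and the response opcode is written into it before any attribute data (see below); an MTU of 0 leaves no room even for that byte`. The rejection path returns true with `p_cmd->status = GATT_ILLEGAL_PARAMETER` and never touches `p_cmd->multi_rsp_q`, so whether the queued responses are released by the caller on a non-success status is outside the hunk and worth confirming, since a remote peer can drive this path at will. process_read_multi_rsp starts before and continues after the hunk.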
@@ -0,0 +1,73 @@
+From 25e48c2d290d3be724df2e7e073b661331963752 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Thu, 27 Jul 2023 04:09:04 +0000
+Subject: [PATCH] [BACKPORT] Fix an integer underflow in build_read_multi_rsp
+
+This is a backport of Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
+to sc-dev
+
+Bug: 273874525
+Test: manual
+Ignore-AOSP-First: security
+Tag: #security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d5f27984f4ca265f28a4adf5835b0198a3e19aed)
+Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
+Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
+---
+ stack/gatt/gatt_sr.cc | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index 9a875d742d..c0c1486af0 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -21,7 +21,7 @@
+ * this file contains the GATT server functions
+ *
+ ******************************************************************************/
+-
++#include
+ #include "bt_target.h"
+ #include "bt_utils.h"
+ #include "osi/include/osi.h"
+@@ -171,9 +171,21 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+ }
+ 
+ if (p_rsp != NULL) {
+- total_len = (p_buf->len + p_rsp->attr_value.len);
++ total_len = p_buf->len;
+ 
+ if (total_len > mtu) {
++ VLOG(1) << "Buffer space not enough for this data item, skipping";
++ break;
++ }
++
++ len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
++
++ if (len == 0) {
++ VLOG(1) << "Buffer space not enough for this data item, skipping";
++ break;
++ }
++
++ if (len < p_rsp->attr_value.len) {
+ /* just send the partial response for the overflow case */
+ len = p_rsp->attr_value.len - (total_len - mtu);
+ is_overflow = true;
+@@ -185,15 +197,8 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+ }
+ 
+ if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
+- // check for possible integer overflow
+- if (p_buf->len + len <= UINT16_MAX) {
+- memcpy(p, p_rsp->attr_value.value, len);
+- if (!is_overflow) p += len;
+- p_buf->len += len;
+- } else {
+- p_cmd->status = GATT_NOT_FOUND;
+- break;
+- }
++ ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);
++ p_buf->len += (uint16_t) len;
+ } else {
+ p_cmd->status = GATT_NOT_FOUND;
+ break;
diff --git a/Patches/LineageOS-18.1/android_system_bt/411490.patch b/Patches/LineageOS-18.1/android_system_bt/411490.patch
new file mode 100644
index 00000000..d34aa460
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_system_bt/411490.patch
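Review bot: The context line `len = p_rsp->attr_value.len - (total_len - mtu);`, kept under the new `if (len < p_rsp->attr_value.len)` branch, now runs with the redefined `total_len` (`p_buf->len`, already checked to be <= mtu), so `total_len - mtu` is zero or wraps and the result is `attr_value.len + (mtu - total_len)` — larger than the attribute value and than the space left in `p_buf` — and that is the count the second hunk passes to `ARRAY_TO_STREAM`, throwing away the clamped `std::min` value. In exactly the truncation case this patch targets that is an over-read of `attr_value.value` and a write past the mtu-sized buffer; the declarations of `len` and `total_len` are outside the hunk, but signed or unsigned the computed length exceeds the clamp (e.g. mtu 23, `p_buf->len` 1, value length 100 gives 122, not 22). The fix is to delete the `/* just send the partial response for the overflow case */` comment and that assignment so the branch only sets `is_overflow = true;`, which is all the `std::min` line leaves to do. Whether the sc-dev commit named in the message carries the same leftover line cannot be seen from here, but this backport should not. process_read_multi_rsp begins before and continues between and after the two hunks.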
@@ -0,0 +1,37 @@
+From 425cc51af8d1662dacab60330628a6adfd1a404f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jakub=20Paw=C5=82owski?=
+Date: Thu, 1 Aug 2024 14:12:58 +0000
+Subject: [PATCH] [BACKPORT] Fix "GATT Read Multiple Variable Response" builder
+
+0 length value is perfectly fine, and should result in just length
+added into the packet.
+Currently, for 0 length value we just break out of loop, and don't add
+any value.
+This means, that if first characetristic in response had 0 length, we
+would return empty packet.
+
+Ignore-AOSP-First: security fix
+Test: mma -j32;
+Bug: 352696105
+Bug: 356886209
+Flag: exempt, obvious logic fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:167573989a2a11a71af1289615692c360c14bddf)
+Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+---
+ stack/gatt/gatt_sr.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index c0c1486af0..d94221682d 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -180,7 +180,7 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+ 
+ len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
+ 
+- if (len == 0) {
++ if (total_len == mtu && p_rsp->attr_value.len > 0) {
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
+ break;
+ }
diff --git a/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/411491.patch b/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/411491.patch
new file mode 100644
index 00000000..11256f70
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/411491.patch
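Review bot: Replacing `if (len == 0)` with `if (total_len == mtu && p_rsp->attr_value.len > 0)` lets a zero-length value fall through to the copy with `len == 0`, which is only safe because nothing between here and `ARRAY_TO_STREAM` relies on `len > 0`; a comment would keep that invariant visible: `// A zero-length value is legitimate and still gets its entry; only bail out when no room is left for a value that actually has bytes`. The commit message reasons about the Read Multiple Variable response, whose per-value length prefix would be written elsewhere; this tree's process_read_multi_rsp (which begins and ends outside the hunk) may not emit such a prefix at all, in which case the patch only changes when the loop stops and the message overstates its effect here. The only test cited is `mma -j32`, a build; a GattSrTest case with a zero-length first attribute would pin the intended behaviour.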
@@ -0,0 +1,43 @@
+From aff29339e466060263340cee43e16fbfc767d57f Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Mon, 8 Jul 2024 22:42:18 +0000
+Subject: [PATCH] Fix OOB write in build_read_multi_rsp of gatt_sr.cc
+
+build_read_multi_rsp is missing a bounds check, which can lead to an
+OOB write when the mtu parameter is set to zero.
+
+Add that bounds check.
+
+Bug: 323850943
+Test: atest GattSrTest
+Test: researcher POC
+Tag: #security
+Flag: EXEMPT trivial validity checks
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c177fdbd6189a114239e11e2713740b5a50624e1)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f7171d31e247e3367b302374a3a0cf671f50ffcd)
+Merged-In: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
+Change-Id: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
+---
+ stack/gatt/gatt_sr.cc | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index ee5059b92..64167ab97 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -136,6 +136,14 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+ /* Wait till we get all the responses */
+ if (fixed_queue_length(p_cmd->multi_rsp_q) ==
+ p_cmd->multi_req.num_handles) {
++
++ // We need at least one extra byte for the opcode
++ if (mtu == 0) {
++ LOG(ERROR) << "Invalid MTU";
++ p_cmd->status = GATT_ILLEGAL_PARAMETER;
++ return (true);
++ }
++
+ len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
+ p_buf = (BT_HDR*)osi_calloc(len);
+ p_buf->offset = L2CAP_MIN_OFFSET;
diff --git a/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/411492.patch b/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/411492.patch
new file mode 100644
index 00000000..4aa1a3db
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/411492.patch
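Review bot: This is the qcom-tree copy of the `mtu == 0` guard and carries the same terse comment; `// We need at least one extra byte for the opcode` does not explain why zero is the only value rejected, so suggest `// p_buf is sized to mtu bytes and the response opcode is written into it before any attribute data; an MTU of 0 leaves no room even for that byte`. The early `return (true)` leaves `p_cmd->multi_rsp_q` untouched, and whether the caller drains it on `GATT_ILLEGAL_PARAMETER` is outside the hunk — worth checking in this vendor copy separately, since it need not match android_system_bt. process_read_multi_rsp begins before and continues after the hunk.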
@@ -0,0 +1,73 @@
+From e0b5d40517e5f89c1570fa9726835e3fbce89e56 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Thu, 27 Jul 2023 04:09:04 +0000
+Subject: [PATCH] Fix an integer underflow in build_read_multi_rsp
+
+This is a backport of Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
+to sc-dev
+
+Bug: 273874525
+Test: manual
+Ignore-AOSP-First: security
+Tag: #security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d5f27984f4ca265f28a4adf5835b0198a3e19aed)
+Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
+Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
+---
+ stack/gatt/gatt_sr.cc | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index 64167ab97..309c71114 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -21,7 +21,7 @@
+ * this file contains the GATT server functions
+ *
+ ******************************************************************************/
+-
++#include
+ #include "bt_target.h"
+ #include "bt_utils.h"
+ #include "osi/include/osi.h"
+@@ -171,9 +171,21 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+ }
+ 
+ if (p_rsp != NULL) {
+- total_len = (p_buf->len + p_rsp->attr_value.len);
++ total_len = p_buf->len;
+ 
+ if (total_len > mtu) {
++ VLOG(1) << "Buffer space not enough for this data item, skipping";
++ break;
++ }
++
++ len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
++
++ if (len == 0) {
++ VLOG(1) << "Buffer space not enough for this data item, skipping";
++ break;
++ }
++
++ if (len < p_rsp->attr_value.len) {
+ /* just send the partial response for the overflow case */
+ len = p_rsp->attr_value.len - (total_len - mtu);
+ is_overflow = true;
+@@ -185,15 +197,8 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+ }
+ 
+ if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
+- // check for possible integer overflow
+- if (p_buf->len + len <= UINT16_MAX) {
+- memcpy(p, p_rsp->attr_value.value, len);
+- if (!is_overflow) p += len;
+- p_buf->len += len;
+- } else {
+- p_cmd->status = GATT_NOT_FOUND;
+- break;
+- }
++ ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);
++ p_buf->len += (uint16_t) len;
+ } else {
+ p_cmd->status = GATT_NOT_FOUND;
+ break;
diff --git a/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/411493.patch b/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/411493.patch
new file mode 100644
index 00000000..021e5a28
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/411493.patch
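Review bot: The qcom-tree copy keeps the same leftover line as the android_system_bt backport: `len = p_rsp->attr_value.len - (total_len - mtu);` survives as context under the new `if (len < p_rsp->attr_value.len)` branch, and with `total_len` now equal to `p_buf->len` (<= mtu by the check above) it evaluates to `attr_value.len + (mtu - total_len)`, which is what the second hunk's `ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len)` then copies — larger than the value and than the remaining buffer, in exactly the overflow case being fixed. The declarations of `len`/`total_len` are outside the hunk, but the computed length exceeds the `std::min` clamp whether the subtraction wraps or goes negative. Delete the `/* just send the partial response for the overflow case */` comment and that assignment so the branch only sets `is_overflow = true;`. process_read_multi_rsp begins before and continues between and after the two hunks.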
@@ -0,0 +1,37 @@
+From 2f3d8b20b8211999d7758c7bb0e868fe46eea540 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jakub=20Paw=C5=82owski?=
+Date: Thu, 1 Aug 2024 14:12:58 +0000
+Subject: [PATCH] Fix "GATT Read Multiple Variable Response" builder
+
+0 length value is perfectly fine, and should result in just length
+added into the packet.
+Currently, for 0 length value we just break out of loop, and don't add
+any value.
+This means, that if first characetristic in response had 0 length, we
+would return empty packet.
+
+Ignore-AOSP-First: security fix
+Test: mma -j32;
+Bug: 352696105
+Bug: 356886209
+Flag: exempt, obvious logic fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:167573989a2a11a71af1289615692c360c14bddf)
+Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+---
+ stack/gatt/gatt_sr.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index 309c71114..c25875442 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -180,7 +180,7 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+ 
+ len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
+ 
+- if (len == 0) {
++ if (total_len == mtu && p_rsp->attr_value.len > 0) {
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
+ break;
+ }
diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh
index df180ba3..41e479ab 100644
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
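Review bot: As in the android_system_bt copy, the new condition `total_len == mtu && p_rsp->attr_value.len > 0` lets a zero-length value reach the copy with `len == 0`, which is fine only because nothing up to `ARRAY_TO_STREAM` needs `len > 0`; a comment such as `// A zero-length value is legitimate and still gets its entry; only bail out when no room is left for a value that actually has bytes` would record that. Whether this vendor tree's process_read_multi_rsp (outside the hunk) writes the per-value length prefix the commit message describes is not visible; if it does not, the change only alters when the loop stops. A GattSrTest case with a zero-length first attribute would pin the intent better than the cited `mma -j32` build.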
@@ -93,7 +93,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) -sed -i 's/2024-02-05/2024-11-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-11 +sed -i 's/2024-02-05/2024-12-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-12 fi; if enterAndClear "build/soong"; then @@ -134,6 +134,9 @@ fi; if enterAndClear "external/skia"; then applyPatch "$DOS_PATCHES/android_external_skia/408442.patch"; #R_asb_2024-11 Avoid potential overflow when allocating 3D mask from emboss filter +applyPatch "$DOS_PATCHES/android_external_skia/411484.patch"; #R_asb_2024-12 [pdf] Bounds check in skia_alloc_func +applyPatch "$DOS_PATCHES/android_external_skia/411485.patch"; #R_asb_2024-12 Check for size overflow before allocating SkMask data +applyPatch "$DOS_PATCHES/android_external_skia/411486.patch"; #R_asb_2024-12 Prevent overflow when growing an SkRegion's RunArray fi; if enterAndClear "external/sonivox"; then 
@@ -188,6 +191,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/408445.patch"; #R_asb_2024-11 S applyPatch "$DOS_PATCHES/android_frameworks_base/408446.patch"; #R_asb_2024-11 Disallow device admin package and protected packages to be reinstalled as instant. applyPatch "$DOS_PATCHES/android_frameworks_base/408447.patch"; #R_asb_2024-11 Clear app-provided shortcut icons applyPatch "$DOS_PATCHES/android_frameworks_base/408448.patch"; #R_asb_2024-11 Restrict access to directories +applyPatch "$DOS_PATCHES/android_frameworks_base/411487.patch"; #R_asb_2024-12 Properly handle onNullBinding() in appwidget service. git revert --no-edit 438d9feacfcad73d3ee918541574132928a93644; #Reverts "Allow signature spoofing for microG Companion/Services" in favor of below patch applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) 
@@ -479,6 +483,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/399742.patch"; #R_asb_2024-08 Fix hea applyPatch "$DOS_PATCHES/android_system_bt/405535.patch"; #R_asb_2024-10 Add privatize option for bluetooth addresses for logging applyPatch "$DOS_PATCHES/android_system_bt/405536.patch"; #R_asb_2024-10 Add btif/include/btif_hh::btif_hh_status_text applyPatch "$DOS_PATCHES/android_system_bt/405537.patch"; #R_asb_2024-10 Disallow unexpected incoming HID connections 1/2 +applyPatch "$DOS_PATCHES/android_system_bt/411488.patch"; #R_asb_2024-12 Fix OOB write in build_read_multi_rsp of gatt_sr.cc +applyPatch "$DOS_PATCHES/android_system_bt/411489.patch"; #R_asb_2024-12 Fix an integer underflow in build_read_multi_rsp +applyPatch "$DOS_PATCHES/android_system_bt/411490.patch"; #R_asb_2024-12 Fix "GATT Read Multiple Variable Response" builder git am "$DOS_PATCHES/android_system_bt/a2dp-master-fixes.patch"; #topic (AOSP) applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS) fi; 
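Review bot: The three new applyPatch lines must stay in exactly this order — 411489's inner `index 9a875d742d..c0c1486af0` and 411490's `index c0c1486af0..d94221682d` each start from the blob the previous patch produces — and nothing in the script says so, so a later reorder or a dropped pick would only fail at apply time. Propose recording the dependency in the trailing comments, e.g. `#R_asb_2024-12 Fix an integer underflow in build_read_multi_rsp (requires 411488)` and `#R_asb_2024-12 Fix "GATT Read Multiple Variable Response" builder (requires 411489)`. The picks also land before `0001-alloc_size.patch` in the same block, which matches the existing convention of applying ASB picks first.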
@@ -545,6 +552,9 @@ applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/397546.patch"; applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/399743.patch"; #R_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/405583.patch"; #R_asb_2024-10 Add btif/include/btif_hh::btif_hh_status_text applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/405584.patch"; #R_asb_2024-10 Disallow unexpected incoming HID connections 1/2 +applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/411491.patch"; #R_asb_2024-12 Fix OOB write in build_read_multi_rsp of gatt_sr.cc +applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/411492.patch"; #R_asb_2024-12 Fix an integer underflow in build_read_multi_rsp +applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/411493.patch"; #R_asb_2024-12 Fix "GATT Read Multiple Variable Response" builder fi; if enterAndClear "vendor/lineage"; then
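Review bot: Same ordering dependency as the android_system_bt block: 411492's inner `index 64167ab97..309c71114` and 411493's `index 309c71114..c25875442` each presuppose the preceding patch, and the script does not record it. Suggest the same annotation on the trailing comments, e.g. `(requires 411491)` on the 411492 line and `(requires 411492)` on the 411493 line, so a future edit to this block keeps the chain intact without re-reading the patch files.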