From 85e5812290d858e33ead581617d83dee20179d0f Mon Sep 17 00:00:00 2001
From: Tavi
Date: Wed, 17 Jul 2024 16:09:08 -0400
Subject: [PATCH] 16.0: July 2024 ASB work
Signed-off-by: Tavi
---
 Logs/resetWorkspace-LineageOS-16.0.txt | 2 +-
 .../0010-Exec_Based_Spawning-1.patch | 4 +-
 .../0010-Exec_Based_Spawning-10.patch | 4 +-
 .../0013-Network_Permission-1.patch | 2 +-
 .../0013-Sensors_Permission.patch | 2 +-
 .../0013-Special_Permissions.patch | 2 +-
 .../android_frameworks_base/397542.patch | 48 ++++++++++++++
 .../android_frameworks_base/397543.patch | 37 +++++++++++
 .../android_system_bt/397545-backport.patch | 63 +++++++++++++++++++
 Scripts/LineageOS-16.0/Patch.sh | 5 +-
 10 files changed, 160 insertions(+), 9 deletions(-)
 create mode 100644 Patches/LineageOS-16.0/android_frameworks_base/397542.patch
 create mode 100644 Patches/LineageOS-16.0/android_frameworks_base/397543.patch
 create mode 100644 Patches/LineageOS-16.0/android_system_bt/397545-backport.patch
diff --git a/Logs/resetWorkspace-LineageOS-16.0.txt b/Logs/resetWorkspace-LineageOS-16.0.txt
index aba8d071..0cd5f432 100644
--- a/Logs/resetWorkspace-LineageOS-16.0.txt
+++ b/Logs/resetWorkspace-LineageOS-16.0.txt
@@ -67,7 +67,7 @@ external/capstone 6788a4139092f179005f7cdbf181ba24b60b6113
 external/cblas ddf5f49cb53866fbc503a6349bf44bac24a6963d
 external/chromium-libpac dff5ddb8d28f6ac9a86eb28763b4313f6f72eec5
 external/chromium-trace b2cf025c7d5cebd43084f38c6c7ff9cc17da428a
-external/chromium-webview 55628131e0608ae5877fd6934719369e5002b679
+external/chromium-webview 170a4ad46bc61af284392a04dda7dc378a638976
 external/clang f9d2af42fc6d74c28893af371e4647158eaba66c
 external/cmockery 9199c7bfafefea32d1884182fa655b6e4578c1c4
 external/cn-cbor 7fe9f01990a97be4df5e46d2decd894c06678072
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0010-Exec_Based_Spawning-1.patch b/Patches/LineageOS-16.0/android_frameworks_base/0010-Exec_Based_Spawning-1.patch
index cfbf8239..8ea483bc 100644
--- a/Patches/LineageOS-16.0/android_frameworks_base/0010-Exec_Based_Spawning-1.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0010-Exec_Based_Spawning-1.patch
@@ -145,10 +145,10 @@ index f0e779694c90..9f41a4136db9 100644
 OsConstants._LINUX_CAPABILITY_VERSION_3, 0);
 StructCapUserData[] data;
 diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
-index f537e3e2897b..84a3731576a2 100644
+index 522da894fd0f..a4278b984e11 100644
 --- a/core/java/com/android/internal/os/ZygoteConnection.java
 +++ b/core/java/com/android/internal/os/ZygoteConnection.java
-@@ -880,6 +880,13 @@ class ZygoteConnection {
+@@ -883,6 +883,13 @@ class ZygoteConnection {
 throw new IllegalStateException("WrapperInit.execApplication unexpectedly returned");
 } else {
 if (!isZygote) {
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0010-Exec_Based_Spawning-10.patch b/Patches/LineageOS-16.0/android_frameworks_base/0010-Exec_Based_Spawning-10.patch
index 7ea69977..e94e4901 100644
--- a/Patches/LineageOS-16.0/android_frameworks_base/0010-Exec_Based_Spawning-10.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0010-Exec_Based_Spawning-10.patch
@@ -10,10 +10,10 @@ spawning when doing debugging.
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
-index 84a3731576a2..752f6c64c76d 100644
+index a4278b984e11..7ad4453f3b80 100644
 --- a/core/java/com/android/internal/os/ZygoteConnection.java
 +++ b/core/java/com/android/internal/os/ZygoteConnection.java
-@@ -880,7 +880,7 @@ class ZygoteConnection {
+@@ -883,7 +883,7 @@ class ZygoteConnection {
 throw new IllegalStateException("WrapperInit.execApplication unexpectedly returned");
 } else {
 if (!isZygote) {
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch
index c124f3ee..158827fb 100644
--- a/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0013-Network_Permission-1.patch
@@ -22,7 +22,7 @@ index d23501a86b79..b0c7b69215b3 100644
 diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
-index 10da8dff5d83..89348bcf49c3 100644
+index 2bff48ef07ac..2b3da698e640 100644
 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
 +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
 @@ -771,7 +771,7 @@ public class PermissionManagerService {
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/0013-Special_Permissions.patch b/Patches/LineageOS-16.0/android_frameworks_base/0013-Special_Permissions.patch
index 0f7d9f1e..13f29b09 100644
--- a/Patches/LineageOS-16.0/android_frameworks_base/0013-Special_Permissions.patch
+++ b/Patches/LineageOS-16.0/android_frameworks_base/0013-Special_Permissions.patch
@@ -25,7 +25,7 @@ index 893268da7f36..f91fa76b53ce 100644
 != PERMISSION_OPERATION_FAILURE) {
 writeRuntimePermissions = true;
 diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
-index b902001cd359..e9267683ba19 100644
+index 91f24d7295a9..ed1d3102b140 100644
 --- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
 +++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
 @@ -770,6 +770,10 @@ public class PermissionManagerService {
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/397542.patch b/Patches/LineageOS-16.0/android_frameworks_base/397542.patch
new file mode 100644
index 00000000..494a0bd3
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/397542.patch
@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Martijn Coenen
+Date: Thu, 29 Feb 2024 12:03:05 +0000
+Subject: [PATCH] Verify UID of incoming Zygote connections.
+
+Only the system UID should be allowed to connect to the Zygote. While
+for generic Zygotes this is also covered by SELinux policy, this is not
+true for App Zygotes: the preload code running in an app zygote could
+connect to another app zygote socket, if it had access to its (random)
+socket address.
+
+On the Java layer, simply check the UID when the connection is made. In
+the native layer, this check was already present, but it actually didn't
+work in the case where we receive a new incoming connection on the
+socket, and receive a 'non-fork' command: in that case, we will simply
+exit the native loop, and let the Java layer handle the command, without
+any further UID checking.
+
+Modified the native logic to drop new connections with a mismatching
+UID, and to keep serving the existing connection (if it was still
+there).
+
+ [Backport: No native layer for ZygoteCommandBuffer present]
+
+Bug: 319081336
+Test: manual
+(cherry picked from commit 2ffc7cb220e4220b7e108c4043a3f0f2a85b6508)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e397fd3d20c3f409311e411387ec1524ccecf085)
+Merged-In: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
+Change-Id: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
+---
+ core/java/com/android/internal/os/ZygoteConnection.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
+index f537e3e2897b..522da894fd0f 100644
+--- a/core/java/com/android/internal/os/ZygoteConnection.java
++++ b/core/java/com/android/internal/os/ZygoteConnection.java
+@@ -100,6 +100,9 @@ class ZygoteConnection {
+ throw ex;
+ }
+
++ if (peer.getUid() != Process.SYSTEM_UID) {
++ throw new ZygoteSecurityException("Only system UID is allowed to connect to Zygote.");
++ }
+ isEof = false;
+ }
+
diff --git a/Patches/LineageOS-16.0/android_frameworks_base/397543.patch b/Patches/LineageOS-16.0/android_frameworks_base/397543.patch
new file mode 100644
index 00000000..a00e25ab
--- /dev/null
+++ b/Patches/LineageOS-16.0/android_frameworks_base/397543.patch
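Review bot: The added check throws `ZygoteSecurityException` out of the `ZygoteConnection` constructor, so a rejected peer surfaces in whatever code accepts the socket rather than in the per-command path; the rest of the constructor and the accept loop are outside this hunk, and if that loop on 16.0 does not catch around the accept, a single unauthorized connect ends the zygote process rather than just that connection. Fail-closed is the right direction here, but the backport note should say so, because the upstream message motivates the check with App Zygotes and it is not visible from this patch whether this branch has that class of zygote at all. I would extend the bracketed line to `[Backport: No native layer for ZygoteCommandBuffer present; Java-layer check only, rejection propagates out of the constructor]` and put a one-line comment above the check, `// Only the system UID may drive a zygote socket; SELinux covers generic zygotes, this covers the rest.`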
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yi-an Chen
+Date: Tue, 23 Apr 2024 21:53:02 +0000
+Subject: [PATCH] Fix security vulnerability of non-dynamic permission removal
+
+The original removePermission() code in PermissionManagerService
+missed a logical negation operator when handling non-dynamic
+permissions, causing both
+testPermissionPermission_nonDynamicPermission_permissionUnchanged and
+testRemovePermission_dynamicPermission_permissionRemoved tests in
+DynamicPermissionsTest to fail.
+
+The corresponding test DynamicPermissionsTest is also updated in the
+other CL: ag/27073864
+
+Bug: 321711213
+Test: DynamicPermissionsTest on sc-dev and tm-dev locally
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:35d77a77feef62dc108f6478cb9228cc6044f70d)
+Merged-In: Id573b75cdcfce3a1df5731ffb00c4228c513e686
+Change-Id: Id573b75cdcfce3a1df5731ffb00c4228c513e686
+---
+ .../android/server/pm/permission/PermissionManagerService.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+index b902001cd359..91f24d7295a9 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+@@ -758,7 +758,7 @@ public class PermissionManagerService {
+ if (bp == null) {
+ return;
+ }
+- if (bp.isDynamic()) {
++ if (!bp.isDynamic()) {
+ // TODO: switch this back to SecurityException
+ Slog.wtf(TAG, "Not allowed to modify non-dynamic permission " +
+ permName);
diff --git a/Patches/LineageOS-16.0/android_system_bt/397545-backport.patch b/Patches/LineageOS-16.0/android_system_bt/397545-backport.patch
new file mode 100644
index 00000000..685570d7
--- /dev/null
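Review bot: With the negation restored, a non-dynamic `permName` now reaches the `Slog.wtf` branch, but whatever follows the log (presumably a `return;` before the removal code) lies outside the hunk, and the `// TODO: switch this back to SecurityException` comment shows the rejection is still only a wtf log rather than a thrown exception. Since stopping that removal is the whole purpose of the fix, the backport should confirm the branch actually returns on this 16.0 base, and decide whether to follow the TODO and throw `SecurityException` here or leave a comment stating why logging is sufficient on this branch. The enclosing `removePermission` method starts and ends outside the hunk.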
+++ b/Patches/LineageOS-16.0/android_system_bt/397545-backport.patch 
@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Mon, 22 Apr 2024 21:14:56 +0000
+Subject: [PATCH] Fix an authentication bypass bug in SMP
+
+When pairing with BLE legacy pairing initiated
+from remote, authentication can be bypassed.
+This change fixes it.
+
+Bug: 251514170
+Test: m com.android.btservices
+Test: manual run against PoC
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a3dbadc71428a30b172a74343be08498c656747)
+Merged-In: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
+Change-Id: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
+---
+ stack/smp/smp_act.cc | 12 ++++++++++++
+ stack/smp/smp_int.h | 1 +
+ 2 files changed, 13 insertions(+)
+
+diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
+index f530218fb..05e0b91a4 100644
+--- a/stack/smp/smp_act.cc
++++ b/stack/smp/smp_act.cc
+@@ -281,6 +281,7 @@ void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+ void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+ SMP_TRACE_DEBUG("%s", __func__);
+ smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
++ p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
+ }
+
+ /*******************************************************************************
+@@ -639,6 +640,17 @@ void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+ return;
+ }
+
++ if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
++ (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
++ !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
++ // in legacy pairing, the peer should send its rand after
++ // we send our confirm
++ tSMP_INT_DATA smp_int_data{};
++ smp_int_data.status = SMP_INVALID_PARAMETERS;
++ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
++ return;
++ }
++
+ /* save the SRand for comparison */
+ STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
+ }
+diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h
+index e0e27a4b2..3ccb4ad6f 100644
+--- a/stack/smp/smp_int.h
++++ b/stack/smp/smp_int.h
+@@ -240,6 +240,7 @@ typedef union {
+ (1 << 7) /* used to resolve race condition */
+ #define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY \
+ (1 << 8) /* used on slave to resolve race condition */
++#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9)
+
+ /* check if authentication requirement need MITM protection */
+ #define SMP_NO_MITM_REQUIRED(x) (((x)&SMP_AUTH_YN_BIT) == 0)
diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh
index 05072891..4c706c26 100644
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@@ -97,7 +97,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2022-01-05/2024-06-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-06 #XXX
+sed -i 's/2022-01-05/2024-07-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-06 #XXX
 fi;
 if enterAndClear "build/soong"; then
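Review bot: `SMP_PAIR_FLAGS_CMD_CONFIRM_SENT` is set in `smp_send_confirm` but nothing in this patch clears it, so the guard in `smp_proc_init` is only sound if `p_cb->flags` is reset between pairing attempts on the same control block; that teardown (`smp_reset_control_value` or equivalent) is not in the hunk, and if this system_bt branch does not zero `flags` there, a stale bit from an earlier pairing lets a remote-initiated legacy pairing pass the check again. The backport note should record that this was verified on 16.0, or the flag should be cleared explicitly where pairing state is torn down. The new name also departs from the `SMP_PAIR_FLAG_*` convention visible two lines above (`SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY`); keeping the upstream identifier eases later cherry-picks, so rather than renaming I would add a trailing comment in the style of its neighbours, `#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9) /* legacy pairing: our confirm is out, peer rand now acceptable */`.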
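Review bot: The sed now writes `2024-07-05` into `core/version_defaults.mk`, but the trailing tag on the same line was changed to `#x_asb_2024-06`, which still names June while every other July line in this commit is tagged `#R_asb_2024-07`; if the tag is meant to track the security string it should read `#R_asb_2024-07`, and if `x_` is a deliberate "partial month" convention a word in the commit description would stop the next reader from treating it as a typo. Suggested line: `sed -i 's/2022-01-05/2024-07-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-07 #XXX`.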
@@ -326,6 +326,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/394879.patch"; #P_asb_2024-06 A
 applyPatch "$DOS_PATCHES/android_frameworks_base/394880.patch"; #P_asb_2024-06 Check hidden API exemptions
 applyPatch "$DOS_PATCHES/android_frameworks_base/394881.patch"; #P_asb_2024-06 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
 applyPatch "$DOS_PATCHES/android_frameworks_base/394882.patch"; #P_asb_2024-06 Check permissions for CDM shell commands
+applyPatch "$DOS_PATCHES/android_frameworks_base/397542.patch"; #R_asb_2024-07 Verify UID of incoming Zygote connections.
+applyPatch "$DOS_PATCHES/android_frameworks_base/397543.patch"; #R_asb_2024-07 Fix security vulnerability of non-dynamic permission removal
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@@ -659,6 +661,7 @@ applyPatch "$DOS_PATCHES/android_system_bt/385675.patch"; #P_asb_2024-03 Fix OOB
 applyPatch "$DOS_PATCHES/android_system_bt/385676.patch"; #P_asb_2024-03 Fix an OOB bug in smp_proc_sec_req
 applyPatch "$DOS_PATCHES/android_system_bt/385677.patch"; #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
 applyPatch "$DOS_PATCHES/android_system_bt/385678.patch"; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
+applyPatch "$DOS_PATCHES/android_system_bt/397545-backport.patch"; #R_asb_2024-07 Fix an authentication bypass bug in SMP
 #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 fi;
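Review bot: `397542.patch` carries a `[Backport: ...]` marker in its header, i.e. it was altered from the upstream cherry-pick, yet it is applied here without the `-backport` suffix that `397545-backport.patch` uses, so the file name no longer signals the deviation; consider renaming it `397542-backport.patch` or flagging it in the comment, e.g. `#R_asb_2024-07 Verify UID of incoming Zygote connections. (Java-layer only)`. The placement of the two frameworks_base lines ahead of the GrapheneOS `0010`/`0013` patches is what the refreshed nested `index` lines in those patch files depend on (their new pre-images `522da894fd0f` and `91f24d7295a9` are the post-images of 397542 and 397543), which is worth one sentence in the commit description since it is the reason those otherwise unrelated files changed.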