16.0: December 2024 ASB work

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-16.0/android_external_skia/410675-backport.patch

@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ben Wagner <bungeman@google.com>
+Date: Mon, 12 Aug 2024 15:00:08 -0400
+Subject: [PATCH] Bounds check in skia_alloc_func
+
+The allocator callback for zlib needs to check that items * size will
+fit in size_t and return nullptr if not.
+
+Conflicts:
+- src/pdf/SkDeflate.cpp: just in header includes
+
+Bug: 349678452
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/888996
+Commit-Queue: Ben Wagner <bungeman@google.com>
+Reviewed-by: Brian Osman <brianosman@google.com>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:94b46e52960ec84a69304ea058fd928e3de6fa56)
+Merged-In: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+Change-Id: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+---
+ src/pdf/SkDeflate.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/pdf/SkDeflate.cpp b/src/pdf/SkDeflate.cpp
+index 6952ec4f11..8ae2102c0e 100644
+--- a/src/pdf/SkDeflate.cpp
++++ b/src/pdf/SkDeflate.cpp
+@@ -10,6 +10,7 @@
+ #include "SkDeflate.h"
+ #include "SkMakeUnique.h"
+ #include "SkMalloc.h"
++#include "SkTFitsIn.h"
+ #include "SkTraceEvent.h"
+ 
+ #include "zlib.h"
+@@ -19,6 +20,13 @@ namespace {
+ // Different zlib implementations use different T.
+ // We've seen size_t and unsigned.
+ template <typename T> void* skia_alloc_func(void*, T items, T size) {
++    if (!SkTFitsIn<size_t>(size)) {
++        return nullptr;
++    }
++    const size_t maxItems = SIZE_MAX / size;
++    if (maxItems < items) {
++        return nullptr;
++    }
+     return sk_calloc_throw(SkToSizeT(items) * SkToSizeT(size));
+ }
+ 

Patches/LineageOS-16.0/android_external_skia/410676-backport.patch

@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Osman <brianosman@google.com>
+Date: Thu, 29 Aug 2024 12:47:48 -0400
+Subject: [PATCH] RESTRICT AUTOMERGE: Check for size overflow before allocating
+ SkMask data
+
+Bug: 352631932
+Test: N/A -- not reproducible / speculative fix
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894478
+Commit-Queue: Ben Wagner <bungeman@google.com>
+Reviewed-by: Ben Wagner <bungeman@google.com>
+Auto-Submit: Brian Osman <brianosman@google.com>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fa94ff39bee75fe3a4abf061c09b972e2ffd0fa)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbf6a5953623cdb0ef200bcba00bc43986b16c91)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a96bda269af74d90cf3993c4429ce9e673a5fc36)
+Merged-In: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+Change-Id: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+
+Change-Id: I4e5330532e3981a15f6eee8e65fe74e7da50f719
+---
+ src/effects/SkBlurMaskFilter.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/effects/SkBlurMaskFilter.cpp b/src/effects/SkBlurMaskFilter.cpp
+index 9d7df43d62..b37b84b168 100644
+--- a/src/effects/SkBlurMaskFilter.cpp
++++ b/src/effects/SkBlurMaskFilter.cpp
+@@ -349,6 +349,9 @@ static bool prepare_to_draw_into_mask(const SkRect& bounds, SkMask* mask) {
+     mask->fRowBytes = SkAlign4(mask->fBounds.width());
+     mask->fFormat = SkMask::kA8_Format;
+     const size_t size = mask->computeImageSize();
++    if (size == 0) {
++        return false;
++    }
+     mask->fImage = SkMask::AllocImage(size, SkMask::kZeroInit_Alloc);
+     if (nullptr == mask->fImage) {
+         return false;

Patches/LineageOS-16.0/android_frameworks_base/411487.patch

@@ -0,0 +1,60 @@
+From b958e5cbbb8982c37dcc60f076e9e71a85588c87 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Thu, 29 Aug 2024 17:01:55 +0000
+Subject: [PATCH] Properly handle onNullBinding() in appwidget service.
+
+Bug: 340239088
+Test: manually verified with the PoC app
+Flag: EXEMPT CVE
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5b076641fc517b37f1689697130de3cbc22a4c92)
+Merged-In: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+Change-Id: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+---
+ core/java/android/widget/RemoteViewsAdapter.java       |  5 +++++
+ .../android/server/appwidget/AppWidgetServiceImpl.java | 10 ++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/core/java/android/widget/RemoteViewsAdapter.java b/core/java/android/widget/RemoteViewsAdapter.java
+index e58f08a799655..d64a3b5ee16ba 100644
+--- a/core/java/android/widget/RemoteViewsAdapter.java
++++ b/core/java/android/widget/RemoteViewsAdapter.java
+@@ -238,6 +238,11 @@ public void onServiceDisconnected(ComponentName name) {
+             }
+         }
+ 
++        @Override
++        public void onNullBinding(ComponentName name) {
++            enqueueDeferredUnbindServiceMessage();
++        }
++
+         @Override
+         public void handleMessage(Message msg) {
+             RemoteViewsAdapter adapter = mAdapter.get();
+diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+index f989f73b11b10..709a206a39c77 100644
+--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
++++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+@@ -1888,6 +1888,11 @@ public void onServiceConnected(ComponentName name, IBinder service) {
+                 mContext.unbindService(this);
+             }
+ 
++            @Override
++            public void onNullBinding(ComponentName name) {
++                mContext.unbindService(this);
++            }
++
+             @Override
+             public void onServiceDisconnected(ComponentName name) {
+                 // Do nothing
+@@ -2028,6 +2033,11 @@ public void onServiceConnected(ComponentName name, IBinder service) {
+                                 mContext.unbindService(this);
+                             }
+ 
++                            @Override
++                            public void onNullBinding(ComponentName name) {
++                                mContext.unbindService(this);
++                            }
++
+                             @Override
+                             public void onServiceDisconnected(android.content.ComponentName name) {
+                                 // Do nothing

Patches/LineageOS-16.0/android_system_bt/411488.patch

@@ -0,0 +1,44 @@
+From 9f73a10e0bd1ac2f6d8e3fe612fb9ff2f1839d63 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Mon, 8 Jul 2024 22:42:18 +0000
+Subject: [PATCH] [BACKPORT] Fix OOB write in build_read_multi_rsp of
+ gatt_sr.cc
+
+build_read_multi_rsp is missing a bounds check, which can lead to an
+OOB write when the mtu parameter is set to zero.
+
+Add that bounds check.
+
+Bug: 323850943
+Test: atest GattSrTest
+Test: researcher POC
+Tag: #security
+Flag: EXEMPT trivial validity checks
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c177fdbd6189a114239e11e2713740b5a50624e1)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f7171d31e247e3367b302374a3a0cf671f50ffcd)
+Merged-In: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
+Change-Id: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
+---
+ stack/gatt/gatt_sr.cc | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index 252732c739..9a875d742d 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -136,6 +136,14 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+     /* Wait till we get all the responses */
+     if (fixed_queue_length(p_cmd->multi_rsp_q) ==
+         p_cmd->multi_req.num_handles) {
++
++      // We need at least one extra byte for the opcode
++      if (mtu == 0) {
++        LOG(ERROR) << "Invalid MTU";
++        p_cmd->status = GATT_ILLEGAL_PARAMETER;
++        return (true);
++      }
++
+       len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
+       p_buf = (BT_HDR*)osi_calloc(len);
+       p_buf->offset = L2CAP_MIN_OFFSET;

Patches/LineageOS-16.0/android_system_bt/411489-backport.patch

@@ -0,0 +1,72 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Thu, 27 Jul 2023 04:09:04 +0000
+Subject: [PATCH] Fix an integer underflow in build_read_multi_rsp
+
+This is a backport of Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
+to sc-dev
+
+Bug: 273874525
+Test: manual
+Ignore-AOSP-First: security
+Tag: #security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d5f27984f4ca265f28a4adf5835b0198a3e19aed)
+Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
+Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
+---
+ stack/gatt/gatt_sr.cc | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index 28e7d3415..e80070b05 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -23,6 +23,7 @@
+  ******************************************************************************/
+ 
+ #include <log/log.h>
++#include <algorithm>
+ #include "bt_target.h"
+ #include "bt_utils.h"
+ #include "osi/include/osi.h"
+@@ -170,9 +171,21 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+         }
+ 
+         if (p_rsp != NULL) {
+-          total_len = (p_buf->len + p_rsp->attr_value.len);
++          total_len = p_buf->len;
+ 
+           if (total_len > mtu) {
++            VLOG(1) << "Buffer space not enough for this data item, skipping";
++            break;
++          }
++
++          len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
++
++          if (len == 0) {
++            VLOG(1) << "Buffer space not enough for this data item, skipping";
++            break;
++          }
++
++          if (len < p_rsp->attr_value.len) {
+             /* just send the partial response for the overflow case */
+             len = p_rsp->attr_value.len - (total_len - mtu);
+             is_overflow = true;
+@@ -184,15 +197,8 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+           }
+ 
+           if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
+-            // check for possible integer overflow
+-            if (p_buf->len + len <= UINT16_MAX) {
+-              memcpy(p, p_rsp->attr_value.value, len);
+-              if (!is_overflow) p += len;
+-              p_buf->len += len;
+-            } else {
+-              p_cmd->status = GATT_NOT_FOUND;
+-              break;
+-            }
++            ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);
++            p_buf->len += (uint16_t) len;
+           } else {
+             p_cmd->status = GATT_NOT_FOUND;
+             break;

Patches/LineageOS-16.0/android_system_bt/411490.patch

@@ -0,0 +1,37 @@
+From 425cc51af8d1662dacab60330628a6adfd1a404f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jakub=20Paw=C5=82owski?= <jpawlowski@google.com>
+Date: Thu, 1 Aug 2024 14:12:58 +0000
+Subject: [PATCH] [BACKPORT] Fix "GATT Read Multiple Variable Response" builder
+
+0 length value is perfectly fine, and should result in just length
+added into the packet.
+Currently, for 0 length value we just break out of loop, and don't add
+any value.
+This means, that if first characetristic in response had 0 length, we
+would return empty packet.
+
+Ignore-AOSP-First: security fix
+Test: mma -j32;
+Bug: 352696105
+Bug: 356886209
+Flag: exempt, obvious logic fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:167573989a2a11a71af1289615692c360c14bddf)
+Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+---
+ stack/gatt/gatt_sr.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index c0c1486af0..d94221682d 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -180,7 +180,7 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
+ 
+           len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
+ 
+-          if (len == 0) {
++          if (total_len == mtu && p_rsp->attr_value.len > 0) {
+             VLOG(1) << "Buffer space not enough for this data item, skipping";
+             break;
+           }

Scripts/LineageOS-16.0/Patch.sh

@@ -97,7 +97,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2022-01-05/2024-11-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-11 #XXX
+sed -i 's/2022-01-05/2024-12-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-12 #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -180,6 +180,8 @@ fi;
 
 if enterAndClear "external/skia"; then
 applyPatch "$DOS_PATCHES/android_external_skia/408506.patch"; #P_asb_2024-11 Avoid potential overflow when allocating 3D mask from emboss filter
+applyPatch "$DOS_PATCHES/android_external_skia/410675-backport.patch"; #n-asb-2024-12 [pdf] Bounds check in skia_alloc_func
+applyPatch "$DOS_PATCHES/android_external_skia/410676-backport.patch"; #n-asb-2024-12 Check for size overflow before allocating SkMask data
 fi;
 
 if enterAndClear "external/sonivox"; then
@@ -349,6 +351,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/408507.patch"; #P_asb_2024-11 R
 applyPatch "$DOS_PATCHES/android_frameworks_base/408508.patch"; #P_asb_2024-11 RingtoneManager: allow video ringtone URI
 applyPatch "$DOS_PATCHES/android_frameworks_base/408509.patch"; #P_asb_2024-11 Disallow device admin package and protected packages to be reinstalled as instant.
 applyPatch "$DOS_PATCHES/android_frameworks_base/408510.patch"; #P_asb_2024-11 Clear app-provided shortcut icons
+applyPatch "$DOS_PATCHES/android_frameworks_base/411487.patch"; #R_asb_2024-12 Properly handle onNullBinding() in appwidget service.
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@@ -694,6 +697,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/397596.patch"; #P_asb_2024-07 Fix an
 applyPatch "$DOS_PATCHES/android_system_bt/399772.patch"; #P_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc
 applyPatch "$DOS_PATCHES/android_system_bt/405833.patch"; #P_asb_2024-10 Add btif/include/btif_hh::btif_hh_status_text
 applyPatch "$DOS_PATCHES/android_system_bt/405834.patch"; #P_asb_2024-10 Disallow unexpected incoming HID connections 1/2
++applyPatch "$DOS_PATCHES/android_system_bt/411488.patch"; #R_asb_2024-12 Fix OOB write in build_read_multi_rsp of gatt_sr.cc
++applyPatch "$DOS_PATCHES/android_system_bt/411489-backport.patch"; #R_asb_2024-12 Fix an integer underflow in build_read_multi_rsp
++applyPatch "$DOS_PATCHES/android_system_bt/411490.patch"; #R_asb_2024-12 Fix "GATT Read Multiple Variable Response" builder
 #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 fi;