diff --git a/Patches/LineageOS-14.1/android_external_libnfc-nci/343955.patch b/Patches/LineageOS-14.1/android_external_libnfc-nci/343955.patch new file mode 100644 index 00000000..6e7b281c --- /dev/null +++ b/Patches/LineageOS-14.1/android_external_libnfc-nci/343955.patch @@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Wed, 3 Aug 2022 12:25:33 -0700 +Subject: [PATCH] OOBW in phNxpNciHal_write_unlocked() + +Bug: 230356196 +Test: builds ok +Merged-In: Ief580984ad58dbc7c57c2537c511d6b81c91b581 +Change-Id: I7f22b9ce4a7f101a9218de746b71def74a5efa8c +(cherry picked from commit a0c461b91a67f6ee0e86f856bcea2bdac2318491) +Merged-In: I7f22b9ce4a7f101a9218de746b71def74a5efa8c +--- + halimpl/pn54x/hal/phNxpNciHal_ext.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/halimpl/pn54x/hal/phNxpNciHal_ext.c b/halimpl/pn54x/hal/phNxpNciHal_ext.c +index bb667e9..4d458e3 100644 +--- a/halimpl/pn54x/hal/phNxpNciHal_ext.c ++++ b/halimpl/pn54x/hal/phNxpNciHal_ext.c +@@ -787,7 +787,8 @@ NFCSTATUS phNxpNciHal_write_ext(uint16_t *cmd_len, uint8_t *p_cmd_data, + status = NFCSTATUS_FAILED; + } + //2002 0904 3000 3100 3200 5000 +- else if ( (p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02 ) && ++ else if (*cmd_len <= (NCI_MAX_DATA_LEN - 1) && ++ (p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) && + ( (p_cmd_data[2] == 0x09 && p_cmd_data[3] == 0x04) /*|| + (p_cmd_data[2] == 0x0D && p_cmd_data[3] == 0x04)*/ + ) diff --git a/Patches/LineageOS-14.1/android_frameworks_base/343956.patch b/Patches/LineageOS-14.1/android_frameworks_base/343956.patch new file mode 100644 index 00000000..a09430c4 --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_base/343956.patch 
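Review bot: The added guard `*cmd_len <= (NCI_MAX_DATA_LEN - 1)` bounds the length from above only, while the same condition goes on to read `p_cmd_data[0]` through `p_cmd_data[3]`; unless an earlier check outside this hunk guarantees at least four bytes, a lower bound such as `*cmd_len >= 4 &&` belongs next to it. An over-long command is also not rejected here, it only skips this branch and falls through to whatever follows, so it is worth confirming that no later branch performs the same write. A short comment naming the write that the `- 1` leaves room for, for example `/* keep room for the byte this branch appends */` if that is indeed the reason, would make the bound auditable. The body of phNxpNciHal_write_ext starts and ends outside the hunk.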
@@ -0,0 +1,125 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Thu, 23 Jun 2022 14:27:43 -0700 +Subject: [PATCH] switch TelecomManager List getters to ParceledListSlice + +It was shown that given a large phoneAccountHandles that are +over 1 mb, a TransactionTooLarge exception can be silently thrown +causing an empty list to be returned. + +In order to prevent this behavior, all Lists that return a +PhoneAccountHandle or PhoneAccount have been switched to +ParceledListSlice. + +bug: 236263294 +Test: atest android.telecom.cts.PhoneAccountRegistrarTest + #testRegisterPhoneAccountHandleWithFieldOverLimit +Change-Id: I025245b2a6f8cfaca86f268851a9d8f0817e07dd +Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd +(cherry picked from commit 773cddde3d522606ff032fe8e432321c70edca09) +Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd +--- + telecomm/java/android/telecom/TelecomManager.java | 11 ++++++----- + .../com/android/internal/telecom/ITelecomService.aidl | 11 ++++++----- + 2 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/telecomm/java/android/telecom/TelecomManager.java b/telecomm/java/android/telecom/TelecomManager.java +index b05e0fc2752c..adfcc559d19f 100644 +--- a/telecomm/java/android/telecom/TelecomManager.java ++++ b/telecomm/java/android/telecom/TelecomManager.java +@@ -703,7 +703,7 @@ public class TelecomManager { + try { + if (isServiceConnected()) { + return getTelecomService().getPhoneAccountsSupportingScheme(uriScheme, +- mContext.getOpPackageName()); ++ mContext.getOpPackageName()).getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getPhoneAccountsSupportingScheme", e); +@@ -738,7 +738,7 @@ public class TelecomManager { + try { + if (isServiceConnected()) { + return getTelecomService().getCallCapablePhoneAccounts( +- includeDisabledAccounts, mContext.getOpPackageName()); ++ includeDisabledAccounts, mContext.getOpPackageName()).getList(); + 
} + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getCallCapablePhoneAccounts(" + +@@ -757,7 +757,8 @@ public class TelecomManager { + public List getPhoneAccountsForPackage() { + try { + if (isServiceConnected()) { +- return getTelecomService().getPhoneAccountsForPackage(mContext.getPackageName()); ++ return getTelecomService() ++ .getPhoneAccountsForPackage(mContext.getPackageName()).getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getPhoneAccountsForPackage", e); +@@ -811,7 +812,7 @@ public class TelecomManager { + public List getAllPhoneAccounts() { + try { + if (isServiceConnected()) { +- return getTelecomService().getAllPhoneAccounts(); ++ return getTelecomService().getAllPhoneAccounts().getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getAllPhoneAccounts", e); +@@ -829,7 +830,7 @@ public class TelecomManager { + public List getAllPhoneAccountHandles() { + try { + if (isServiceConnected()) { +- return getTelecomService().getAllPhoneAccountHandles(); ++ return getTelecomService().getAllPhoneAccountHandles().getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getAllPhoneAccountHandles", e); +diff --git a/telecomm/java/com/android/internal/telecom/ITelecomService.aidl b/telecomm/java/com/android/internal/telecom/ITelecomService.aidl +index 5c412e7afb0e..83eec3ad2ca7 100644 +--- a/telecomm/java/com/android/internal/telecom/ITelecomService.aidl ++++ b/telecomm/java/com/android/internal/telecom/ITelecomService.aidl +@@ -23,6 +23,7 @@ import android.telecom.PhoneAccountHandle; + import android.net.Uri; + import android.os.Bundle; + import android.telecom.PhoneAccount; ++import android.content.pm.ParceledListSlice; + + /** + * Interface used to interact with Telecom. 
Mostly this is used by TelephonyManager for passing +@@ -55,19 +56,19 @@ interface ITelecomService { + /** + * @see TelecomServiceImpl#getCallCapablePhoneAccounts + */ +- List getCallCapablePhoneAccounts( ++ ParceledListSlice getCallCapablePhoneAccounts( + boolean includeDisabledAccounts, String callingPackage); + + /** + * @see TelecomManager#getPhoneAccountsSupportingScheme + */ +- List getPhoneAccountsSupportingScheme(in String uriScheme, ++ ParceledListSlice getPhoneAccountsSupportingScheme(in String uriScheme, + String callingPackage); + + /** + * @see TelecomManager#getPhoneAccountsForPackage + */ +- List getPhoneAccountsForPackage(in String packageName); ++ ParceledListSlice getPhoneAccountsForPackage(in String packageName); + + /** + * @see TelecomManager#getPhoneAccount +@@ -82,12 +83,12 @@ interface ITelecomService { + /** + * @see TelecomManager#getAllPhoneAccounts + */ +- List getAllPhoneAccounts(); ++ ParceledListSlice getAllPhoneAccounts(); + + /** + * @see TelecomManager#getAllPhoneAccountHandles + */ +- List getAllPhoneAccountHandles(); ++ ParceledListSlice getAllPhoneAccountHandles(); + + /** + * @see TelecomServiceImpl#getSimCallManager diff --git a/Patches/LineageOS-14.1/android_frameworks_base/343957.patch b/Patches/LineageOS-14.1/android_frameworks_base/343957.patch new file mode 100644 index 00000000..5048887e --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_base/343957.patch 
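Review bot: Each getter in TelecomManager.java now dereferences the Binder result directly with `.getList()`, so a null ParceledListSlice from the service would surface as a NullPointerException inside a `try` that only catches RemoteException. The service side shown elsewhere in this commit appears to always return a non-null slice, but a null check before `.getList()` keeps the client robust against a mismatched service build. Because ITelecomService.aidl changes the return type of five methods, any other in-tree caller of these AIDL methods on this backport has to be updated in the same build; only TelecomManager is updated here, so that is worth confirming. The enclosing methods start and end outside the hunks.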
@@ -0,0 +1,202 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ivan Chiang +Date: Mon, 15 Aug 2022 15:09:33 +0800 +Subject: [PATCH] Check permission for VoiceInteraction + +The service must have the CAPTURE_AUDIO_HOTWORD permission to access +AlwaysOnHotwordDetector. If it doesn't have the permission, return +STATE_HARDWARE_UNAVAILABLE state. If it is not granted the +RECORD_AUDIO permisison, it also can't start to recognize the audio. + +Test: manual +Test: atest CtsVoiceInteractionTestCases +Test: atest CtsAssistTestCases +Bug: 229793943 +Change-Id: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb +Merged-In: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb +(cherry picked from commit e4e77f45700bcbc56aa6d6ffc094e0e0ae78190a) +Merged-In: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb +--- + .../voice/AlwaysOnHotwordDetector.java | 40 ++++++++++++++++++- + .../voice/VoiceInteractionService.java | 2 +- + .../VoiceInteractionManagerService.java | 14 +++++++ + 3 files changed, 53 insertions(+), 3 deletions(-) + +diff --git a/core/java/android/service/voice/AlwaysOnHotwordDetector.java b/core/java/android/service/voice/AlwaysOnHotwordDetector.java +index 9464a8754fa8..b188eb3ca898 100644 +--- a/core/java/android/service/voice/AlwaysOnHotwordDetector.java ++++ b/core/java/android/service/voice/AlwaysOnHotwordDetector.java +@@ -16,11 +16,14 @@ + + package android.service.voice; + ++import android.Manifest; + import android.annotation.IntDef; + import android.annotation.NonNull; + import android.annotation.Nullable; + import android.app.Activity; ++import android.content.Context; + import android.content.Intent; ++import android.content.pm.PackageManager; + import android.hardware.soundtrigger.IRecognitionStatusCallback; + import android.hardware.soundtrigger.KeyphraseEnrollmentInfo; + import android.hardware.soundtrigger.KeyphraseMetadata; +@@ -196,8 +199,10 @@ public class AlwaysOnHotwordDetector { + private final Callback mExternalCallback; + private 
final Object mLock = new Object(); + private final Handler mHandler; ++ private final Context mContext; + + private int mAvailability = STATE_NOT_READY; ++ private boolean mIsGrantedHotwordPermission; + + /** + * Additional payload for {@link Callback#onDetected}. +@@ -324,19 +329,32 @@ public class AlwaysOnHotwordDetector { + public abstract void onRecognitionResumed(); + } + ++ private static boolean hasHotwordPermission(Context context) { ++ return context.checkSelfPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD) ++ == PackageManager.PERMISSION_GRANTED; ++ } ++ ++ private static boolean hasRecordAudioPermission(Context context) { ++ return context.checkSelfPermission(Manifest.permission.RECORD_AUDIO) ++ == PackageManager.PERMISSION_GRANTED; ++ } ++ + /** ++ * @param context The context to check permission + * @param text The keyphrase text to get the detector for. + * @param locale The java locale for the detector. + * @param callback A non-null Callback for receiving the recognition events. ++ * @param keyphraseEnrollmentInfo The Enrollment info of key phrase + * @param voiceInteractionService The current voice interaction service. + * @param modelManagementService A service that allows management of sound models. 
+ * + * @hide + */ +- public AlwaysOnHotwordDetector(String text, Locale locale, Callback callback, ++ public AlwaysOnHotwordDetector(Context context, String text, Locale locale, Callback callback, + KeyphraseEnrollmentInfo keyphraseEnrollmentInfo, + IVoiceInteractionService voiceInteractionService, + IVoiceInteractionManagerService modelManagementService) { ++ mContext = context; + mText = text; + mLocale = locale; + mKeyphraseEnrollmentInfo = keyphraseEnrollmentInfo; +@@ -346,6 +364,7 @@ public class AlwaysOnHotwordDetector { + mInternalCallback = new SoundTriggerListener(mHandler); + mVoiceInteractionService = voiceInteractionService; + mModelManagementService = modelManagementService; ++ mIsGrantedHotwordPermission = hasHotwordPermission(mContext); + new RefreshAvailabiltyTask().execute(); + } + +@@ -402,6 +421,12 @@ public class AlwaysOnHotwordDetector { + */ + public boolean startRecognition(@RecognitionFlags int recognitionFlags) { + if (DBG) Slog.d(TAG, "startRecognition(" + recognitionFlags + ")"); ++ ++ if (!mIsGrantedHotwordPermission || !hasRecordAudioPermission(mContext)) { ++ throw new IllegalStateException("Must have the RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD " ++ + "permissions to access the detector."); ++ } ++ + synchronized (mLock) { + if (mAvailability == STATE_INVALID) { + throw new IllegalStateException("startRecognition called on an invalid detector"); +@@ -430,6 +455,12 @@ public class AlwaysOnHotwordDetector { + */ + public boolean stopRecognition() { + if (DBG) Slog.d(TAG, "stopRecognition()"); ++ ++ if (!mIsGrantedHotwordPermission || !hasRecordAudioPermission(mContext)) { ++ throw new IllegalStateException("Must have the RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD " ++ + "permissions to access the detector."); ++ } ++ + synchronized (mLock) { + if (mAvailability == STATE_INVALID) { + throw new IllegalStateException("stopRecognition called on an invalid detector"); +@@ -546,7 +577,8 @@ public class AlwaysOnHotwordDetector { + synchronized 
(mLock) { + if (mAvailability == STATE_INVALID + || mAvailability == STATE_HARDWARE_UNAVAILABLE +- || mAvailability == STATE_KEYPHRASE_UNSUPPORTED) { ++ || mAvailability == STATE_KEYPHRASE_UNSUPPORTED ++ || !hasRecordAudioPermission(mContext)) { + Slog.w(TAG, "Received onSoundModelsChanged for an unsupported keyphrase/config"); + return; + } +@@ -717,6 +749,10 @@ public class AlwaysOnHotwordDetector { + * @return The initial availability without checking the enrollment status. + */ + private int internalGetInitialAvailability() { ++ if (!mIsGrantedHotwordPermission) { ++ return STATE_HARDWARE_UNAVAILABLE; ++ } ++ + synchronized (mLock) { + // This detector has already been invalidated. + if (mAvailability == STATE_INVALID) { +diff --git a/core/java/android/service/voice/VoiceInteractionService.java b/core/java/android/service/voice/VoiceInteractionService.java +index 479c9e2f7c30..0d18efdd7c9f 100644 +--- a/core/java/android/service/voice/VoiceInteractionService.java ++++ b/core/java/android/service/voice/VoiceInteractionService.java +@@ -272,7 +272,7 @@ public class VoiceInteractionService extends Service { + synchronized (mLock) { + // Allow only one concurrent recognition via the APIs. 
+ safelyShutdownHotwordDetector(); +- mHotwordDetector = new AlwaysOnHotwordDetector(keyphrase, locale, callback, ++ mHotwordDetector = new AlwaysOnHotwordDetector(this, keyphrase, locale, callback, + mKeyphraseEnrollmentInfo, mInterface, mSystemService); + } + return mHotwordDetector; +diff --git a/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java b/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java +index a04034e3f764..cf4845fc11fc 100644 +--- a/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java ++++ b/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java +@@ -843,6 +843,9 @@ public class VoiceInteractionManagerService extends SystemService { + + @Override + public ModuleProperties getDspModuleProperties(IVoiceInteractionService service) { ++ // Allow the call if it is granted CAPTURE_AUDIO_HOTWORD. ++ enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD); ++ + // Allow the call if this is the current voice interaction service. + synchronized (this) { + if (mImpl == null || mImpl.mService == null +@@ -864,6 +867,9 @@ public class VoiceInteractionManagerService extends SystemService { + public int startRecognition(IVoiceInteractionService service, int keyphraseId, + String bcp47Locale, IRecognitionStatusCallback callback, + RecognitionConfig recognitionConfig) { ++ // Allow the call if it is granted RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD. ++ enforceAlwaysOnHotwordPermissions(); ++ + // Allow the call if this is the current voice interaction service. 
+ synchronized (this) { + if (mImpl == null || mImpl.mService == null +@@ -904,6 +910,9 @@ public class VoiceInteractionManagerService extends SystemService { + @Override + public int stopRecognition(IVoiceInteractionService service, int keyphraseId, + IRecognitionStatusCallback callback) { ++ // Allow the call if it is granted RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD. ++ enforceAlwaysOnHotwordPermissions(); ++ + // Allow the call if this is the current voice interaction service. + synchronized (this) { + if (mImpl == null || mImpl.mService == null +@@ -1117,6 +1126,11 @@ public class VoiceInteractionManagerService extends SystemService { + mSoundTriggerInternal.dump(fd, pw, args); + } + ++ private void enforceAlwaysOnHotwordPermissions() { ++ enforceCallingPermission(Manifest.permission.RECORD_AUDIO); ++ enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD); ++ } ++ + private void enforceCallingPermission(String permission) { + if (mContext.checkCallingOrSelfPermission(permission) + != PackageManager.PERMISSION_GRANTED) { diff --git a/Patches/LineageOS-14.1/android_packages_providers_TelephonyProvider/343954.patch b/Patches/LineageOS-14.1/android_packages_providers_TelephonyProvider/343954.patch new file mode 100644 index 00000000..99b249a0 --- /dev/null +++ b/Patches/LineageOS-14.1/android_packages_providers_TelephonyProvider/343954.patch 
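Review bot: `stopRecognition` now fails when RECORD_AUDIO is missing, both in AlwaysOnHotwordDetector (IllegalStateException) and in VoiceInteractionManagerService (`enforceAlwaysOnHotwordPermissions()`), so a service whose RECORD_AUDIO grant is revoked after recognition has started can no longer stop it through this API. Unless something outside these hunks tears the recognition down on revocation, the stop path should fail safe and require less than the start path, for example `enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD);` on the server side and `if (!mIsGrantedHotwordPermission) {` in the client. Separately, `mIsGrantedHotwordPermission` is assigned once in the constructor and could be `final`, and the permission check duplicated in startRecognition and stopRecognition would read better as one private helper.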
@@ -0,0 +1,59 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Aishwarya Mallampati +Date: Wed, 17 Aug 2022 23:21:18 +0000 +Subject: [PATCH] Check dir path before updating permissions. + +Bug: 240685104 +Test: atest android.telephonyprovider.cts.MmsPartTest + atest CtsTelephonyTestCases + Sanity check - sending and receiving sms and mms manually +Change-Id: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f +Merged-In: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f +(cherry picked from commit 0c3e2ce2810e4f5988b342f96bdd600c293c3187) +Merged-In: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f +--- + .../providers/telephony/MmsProvider.java | 23 +++++++++++++++---- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/src/com/android/providers/telephony/MmsProvider.java b/src/com/android/providers/telephony/MmsProvider.java +index 79791fac..88f8f376 100755 +--- a/src/com/android/providers/telephony/MmsProvider.java ++++ b/src/com/android/providers/telephony/MmsProvider.java +@@ -44,7 +44,10 @@ import android.provider.Telephony.Mms.Part; + import android.provider.Telephony.Mms.Rate; + import android.provider.Telephony.MmsSms; + import android.provider.Telephony.Threads; ++import android.system.ErrnoException; ++import android.system.Os; + import android.text.TextUtils; ++import android.util.EventLog; + import android.util.Log; + + import com.google.android.mms.MmsException; +@@ -1001,11 +1004,21 @@ public class MmsProvider extends ContentProvider { + case MMS_PART_RESET_FILE_PERMISSION: + String path = getContext().getDir(PARTS_DIR_NAME, 0).getPath() + '/' + + uri.getPathSegments().get(1); +- // Reset the file permission back to read for everyone but me. 
+- int result = FileUtils.setPermissions(path, 0644, -1, -1); +- if (LOCAL_LOGV) { +- Log.d(TAG, "MmsProvider.update setPermissions result: " + result + +- " for path: " + path); ++ try { ++ String partsDirPath = getContext().getDir(PARTS_DIR_NAME, 0).getCanonicalPath(); ++ if (!new File(path).getCanonicalPath().startsWith(partsDirPath)) { ++ EventLog.writeEvent(0x534e4554, "240685104", ++ Binder.getCallingUid(), (TAG + " update: path " + path + ++ " does not start with " + partsDirPath)); ++ return 0; ++ } ++ // Reset the file permission back to read for everyone but me. ++ Os.chmod(path, 0644); ++ if (LOCAL_LOGV) { ++ Log.d(TAG, "MmsProvider.update chmod is successful for path: " + path); ++ } ++ } catch (ErrnoException | IOException e) { ++ Log.e(TAG, "Exception in chmod: " + e); + } + return 0; + diff --git a/Patches/LineageOS-14.1/android_packages_services_Telecomm/343953.patch b/Patches/LineageOS-14.1/android_packages_services_Telecomm/343953.patch new file mode 100644 index 00000000..2d2027c4 --- /dev/null +++ b/Patches/LineageOS-14.1/android_packages_services_Telecomm/343953.patch 
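Review bot: The containment test `new File(path).getCanonicalPath().startsWith(partsDirPath)` is a plain string prefix match, so a canonical path in a sibling directory whose name merely begins with the parts directory name passes it; compare against the directory plus a separator instead. The check is also made on the canonical path while `Os.chmod(path, 0644)` is applied to the original string, so the path can resolve differently between check and use. Suggested lines: `String canonical = new File(path).getCanonicalPath();`, `if (!canonical.startsWith(partsDirPath + File.separator)) {`, `Os.chmod(canonical, 0644);`. `uri.getPathSegments().get(1)` is still read without a size check in the context line above, and both the rejected and the successful path return 0, so the caller cannot tell them apart.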
@@ -0,0 +1,217 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Thu, 23 Jun 2022 14:20:30 -0700 +Subject: [PATCH] switch TelecomManager List getters to ParceledListSlice + +It was shown that given a large phoneAccountHandles that are +over 1 mb, a TransactionTooLarge exception can be silently thrown +causing an empty list to be returned. + +In order to prevent this behavior, all Lists that return a +PhoneAccountHandle or PhoneAccount have been switched to +ParceledListSlice. + +bug: 236263294 +Test: atest android.telecom.cts.PhoneAccountRegistrarTest + #testRegisterPhoneAccountHandleWithFieldOverLimit +Change-Id: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015 +Merged-In: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015 +(cherry picked from commit 960147d4bba558c87a26df6f0328df637a30479b) +Merged-In: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015 +--- + .../server/telecom/TelecomServiceImpl.java | 44 +++++++++++-------- + .../telecom/tests/TelecomServiceImplTest.java | 21 +++++---- + 2 files changed, 39 insertions(+), 26 deletions(-) + +diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java +index f2e85c64c..6bb1a1226 100644 +--- a/src/com/android/server/telecom/TelecomServiceImpl.java ++++ b/src/com/android/server/telecom/TelecomServiceImpl.java +@@ -32,6 +32,8 @@ import android.content.Intent; + import android.content.pm.ApplicationInfo; + import android.content.pm.PackageManager; + import android.content.res.Resources; ++import android.content.pm.ParceledListSlice; ++import android.content.pm.ResolveInfo; + import android.net.Uri; + import android.os.Binder; + import android.os.Bundle; +@@ -176,19 +178,20 @@ public class TelecomServiceImpl { + } + + @Override +- public List getCallCapablePhoneAccounts( ++ public ParceledListSlice getCallCapablePhoneAccounts( + boolean includeDisabledAccounts, String callingPackage) { + try { + Log.startSession("TSI.gCCPA"); 
+ if (!canReadPhoneState(callingPackage, "getDefaultOutgoingPhoneAccount")) { +- return Collections.emptyList(); ++ return ParceledListSlice.emptyList(); + } + synchronized (mLock) { + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { +- return mPhoneAccountRegistrar.getCallCapablePhoneAccounts(null, +- includeDisabledAccounts, callingUserHandle); ++ return new ParceledListSlice<>( ++ mPhoneAccountRegistrar.getCallCapablePhoneAccounts(null, ++ includeDisabledAccounts, callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getCallCapablePhoneAccounts"); + throw e; +@@ -201,20 +204,22 @@ public class TelecomServiceImpl { + } + } + ++ + @Override +- public List getPhoneAccountsSupportingScheme(String uriScheme, +- String callingPackage) { +- try { ++ public ParceledListSlice getPhoneAccountsSupportingScheme( ++ String uriScheme, String callingPackage) { ++ try { + Log.startSession("TSI.gPASS"); + synchronized (mLock) { + if (!canReadPhoneState(callingPackage, "getPhoneAccountsSupportingScheme")) { +- return Collections.emptyList(); ++ return ParceledListSlice.emptyList(); + } + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { +- return mPhoneAccountRegistrar.getCallCapablePhoneAccounts(uriScheme, false, +- callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getCallCapablePhoneAccounts(uriScheme, false, ++ callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getPhoneAccountsSupportingScheme %s", uriScheme); + throw e; +@@ -228,7 +233,8 @@ public class TelecomServiceImpl { + } + + @Override +- public List getPhoneAccountsForPackage(String packageName) { ++ public ParceledListSlice getPhoneAccountsForPackage( ++ String packageName) { + //TODO: Deprecate this in S + try { + enforceCallingPackage(packageName); +@@ -251,8 +257,8 @@ public class TelecomServiceImpl { + long token = 
Binder.clearCallingIdentity(); + try { + Log.startSession("TSI.gPAFP"); +- return mPhoneAccountRegistrar.getPhoneAccountsForPackage(packageName, +- callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getPhoneAccountsForPackage(packageName, callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getPhoneAccountsForPackage %s", packageName); + throw e; +@@ -293,7 +299,7 @@ public class TelecomServiceImpl { + try { + Log.startSession("TSI.gAPAC"); + // This list is pre-filtered for the calling user. +- return getAllPhoneAccounts().size(); ++ return getAllPhoneAccounts().getList().size(); + } catch (Exception e) { + Log.e(this, e, "getAllPhoneAccountsCount"); + throw e; +@@ -304,13 +310,14 @@ public class TelecomServiceImpl { + } + + @Override +- public List getAllPhoneAccounts() { ++ public ParceledListSlice getAllPhoneAccounts() { + synchronized (mLock) { + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { + Log.startSession("TSI.gAPA"); +- return mPhoneAccountRegistrar.getAllPhoneAccounts(callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getAllPhoneAccounts(callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getAllPhoneAccounts"); + throw e; +@@ -322,13 +329,14 @@ public class TelecomServiceImpl { + } + + @Override +- public List getAllPhoneAccountHandles() { ++ public ParceledListSlice getAllPhoneAccountHandles() { + synchronized (mLock) { + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { + Log.startSession("TSI.gAPAH"); +- return mPhoneAccountRegistrar.getAllPhoneAccountHandles(callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getAllPhoneAccountHandles(callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getAllPhoneAccounts"); + throw e; +diff --git 
a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java +index 8de54bfbf..8b194b220 100644 +--- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java ++++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java +@@ -311,9 +311,12 @@ public class TelecomServiceImplTest extends TelecomTestCase { + makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17); + + assertEquals(fullPHList, +- mTSIBinder.getCallCapablePhoneAccounts(true, DEFAULT_DIALER_PACKAGE)); +- assertEquals(smallPHList, +- mTSIBinder.getCallCapablePhoneAccounts(false, DEFAULT_DIALER_PACKAGE)); ++ mTSIBinder.getCallCapablePhoneAccounts( ++ true, DEFAULT_DIALER_PACKAGE).getList()); ++ ++ assertEquals(smallPHList, ++ mTSIBinder.getCallCapablePhoneAccounts( ++ false, DEFAULT_DIALER_PACKAGE).getList()); + } + + @SmallTest +@@ -327,7 +330,7 @@ public class TelecomServiceImplTest extends TelecomTestCase { + + List result = null; + try { +- result = mTSIBinder.getCallCapablePhoneAccounts(true, ""); ++ result = mTSIBinder.getCallCapablePhoneAccounts(true, "").getList(); + } catch (SecurityException e) { + // intended behavior + } +@@ -354,9 +357,11 @@ public class TelecomServiceImplTest extends TelecomTestCase { + makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17); + + assertEquals(telPHList, +- mTSIBinder.getPhoneAccountsSupportingScheme("tel", DEFAULT_DIALER_PACKAGE)); ++ mTSIBinder.getPhoneAccountsSupportingScheme( ++ "tel", DEFAULT_DIALER_PACKAGE).getList()); + assertEquals(sipPHList, +- mTSIBinder.getPhoneAccountsSupportingScheme("sip", DEFAULT_DIALER_PACKAGE)); ++ mTSIBinder.getPhoneAccountsSupportingScheme( ++ "sip", DEFAULT_DIALER_PACKAGE).getList()); + } + + @SmallTest +@@ -371,7 +376,7 @@ public class TelecomServiceImplTest extends TelecomTestCase { + makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17); + assertEquals(phoneAccountHandleList, 
+ mTSIBinder.getPhoneAccountsForPackage( +- TEL_PA_HANDLE_16.getComponentName().getPackageName())); ++ TEL_PA_HANDLE_16.getComponentName().getPackageName()).getList()); + } + + @SmallTest +@@ -392,7 +397,7 @@ public class TelecomServiceImplTest extends TelecomTestCase { + when(mFakePhoneAccountRegistrar.getAllPhoneAccounts(any(UserHandle.class))) + .thenReturn(phoneAccountList); + +- assertEquals(2, mTSIBinder.getAllPhoneAccounts().size()); ++ assertEquals(2, mTSIBinder.getAllPhoneAccounts().getList().size()); + } + + @SmallTest diff --git a/Patches/LineageOS-14.1/android_system_bt/343958.patch b/Patches/LineageOS-14.1/android_system_bt/343958.patch new file mode 100644 index 00000000..66cd055b --- /dev/null +++ b/Patches/LineageOS-14.1/android_system_bt/343958.patch 
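Review bot: The new import `android.content.pm.ResolveInfo` is not used by any of the visible hunks in TelecomServiceImpl.java and looks like a leftover from the upstream change; drop it if nothing else in the file needs it, and keep `android.content.pm.ParceledListSlice` grouped with the other `android.content.pm` imports rather than after `android.content.res.Resources`. While these methods are being touched, the context lines still carry mismatched labels: getCallCapablePhoneAccounts passes "getDefaultOutgoingPhoneAccount" to canReadPhoneState and getAllPhoneAccountHandles logs "getAllPhoneAccounts", which makes permission denials and errors harder to attribute in logs. The stray blank line added before `@Override` and the re-indented `try {` in getPhoneAccountsSupportingScheme are whitespace-only noise that makes future cherry-picks harder to compare.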
@@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Sat, 13 Aug 2022 02:01:14 +0000 +Subject: [PATCH] Add buffer in pin_reply in bluetooth.cc + +Bug: 228602963 +Test: make +Tag: #security +Ignore-AOSP-First: Security +Change-Id: I2a2c9a106a485c319841491f7acc2d667e4d0e75 +(cherry picked from commit 0dc1c1c34961822f2f3f0a1e8e0b4819c823951b) +Merged-In: I2a2c9a106a485c319841491f7acc2d667e4d0e75 +--- + btif/src/bluetooth.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/btif/src/bluetooth.c b/btif/src/bluetooth.c +index d2f81733d..b6552e251 100644 +--- a/btif/src/bluetooth.c ++++ b/btif/src/bluetooth.c +@@ -342,11 +342,13 @@ static int get_connection_state(const bt_bdaddr_t *bd_addr) + static int pin_reply(const bt_bdaddr_t *bd_addr, uint8_t accept, + uint8_t pin_len, bt_pin_code_t *pin_code) + { ++ bt_pin_code_t tmp_pin_code; + /* sanity check */ + if (interface_ready() == FALSE) + return BT_STATUS_NOT_READY; + +- return btif_dm_pin_reply(bd_addr, accept, pin_len, pin_code); ++ memcpy(&tmp_pin_code, pin_code, pin_len); ++ return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code); + } + + static int ssp_reply(const bt_bdaddr_t *bd_addr, bt_ssp_variant_t variant, diff --git a/Patches/LineageOS-14.1/android_system_bt/343959.patch b/Patches/LineageOS-14.1/android_system_bt/343959.patch new file mode 100644 index 00000000..0d51cd37 --- /dev/null +++ b/Patches/LineageOS-14.1/android_system_bt/343959.patch 
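Review bot: `memcpy(&tmp_pin_code, pin_code, pin_len);` copies a caller-supplied `pin_len` (a uint8_t, so up to 255) into a fixed-size local without comparing it to the size of `bt_pin_code_t` and without checking `pin_code` for NULL, so the new stack copy can itself be written, or the source read, out of bounds. Add a guard before the copy, `if (pin_code == NULL || pin_len > sizeof(tmp_pin_code)) return BT_STATUS_FAIL;`, and clear the local first with `memset(&tmp_pin_code, 0, sizeof(tmp_pin_code));` so bytes beyond `pin_len` are not uninitialised stack contents. Whether a NULL `pin_code` is legitimate when `accept` is 0 is not visible here and should be confirmed before rejecting it outright.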
@@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Fri, 12 Aug 2022 17:26:19 +0000 +Subject: [PATCH] Add negative length check in process_service_search_rsp + +Bug: 225876506 +Test: run supplied POC (updated to Android T) +Tag: #security +Ignore-AOSP-First: Security +Change-Id: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca +(cherry picked from commit 18d69eb958493d4879786e2edb42ff4e60334a2f) +Merged-In: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca +--- + stack/sdp/sdp_discovery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c +index 6f6fe2b15..ec85da47a 100644 +--- a/stack/sdp/sdp_discovery.c ++++ b/stack/sdp/sdp_discovery.c +@@ -309,7 +309,7 @@ static void process_service_search_rsp (tCONN_CB* p_ccb, uint8_t* p_reply, + + orig = p_ccb->num_handles; + p_ccb->num_handles += cur_handles; +- if (p_ccb->num_handles == 0) ++ if (p_ccb->num_handles == 0 || p_ccb->num_handles < orig) + { + SDP_TRACE_WARNING ("SDP - Rcvd ServiceSearchRsp, no matches"); + sdp_disconnect (p_ccb, SDP_NO_RECS_MATCH); diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index 27dd04da..71083c1c 100644 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh @@ -72,7 +72,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk; awk -i inplace '!/Email/' target/product/core.mk; #Remove Email awk -i inplace '!/Exchange2/' target/product/core.mk; -sed -i 's/2021-06-05/2022-10-05/' core/version_defaults.mk; #Bump Security String #n-asb-2022-10 #XXX +sed -i 's/2021-06-05/2022-11-05/' core/version_defaults.mk; #Bump Security String #n-asb-2022-11 #XXX fi; if enterAndClear "device/qcom/sepolicy"; then 
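Review bot: The wraparound case `p_ccb->num_handles < orig` shares the branch and the log text of the genuine empty result, so a malformed response is reported as "no matches" and disconnects with SDP_NO_RECS_MATCH, which hides it from anyone triaging logs. A separate warning for the overflow case, or at least a comment such as `/* num_handles < orig: the addition wrapped, treat the response as malformed */`, would make the intent clear. The check only detects wraparound of the counter's type; whether `num_handles` is also bounded by the capacity of the handle storage is decided outside this hunk and is worth confirming. process_service_search_rsp starts and ends outside the hunk.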
@@ -109,6 +109,7 @@ applyPatch "$DOS_PATCHES/android_external_libnfc-nci/332458.patch"; #n-asb-2022- applyPatch "$DOS_PATCHES/android_external_libnfc-nci/332459.patch"; #n-asb-2022-06 OOBR in nfc_ncif_proc_ee_discover_req() applyPatch "$DOS_PATCHES/android_external_libnfc-nci/332460.patch"; #n-asb-2022-06 Double Free in ce_t4t_data_cback applyPatch "$DOS_PATCHES/android_external_libnfc-nci/341071.patch"; #n-asb-2022-10 The length of a packet should be non-zero +applyPatch "$DOS_PATCHES/android_external_libnfc-nci/343955.patch"; #n-asb-2022-11 OOBW in phNxpNciHal_write_unlocked() fi; if enterAndClear "external/sonivox"; then @@ -157,6 +158,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/334871.patch"; #n-asb-2022-08 O applyPatch "$DOS_PATCHES/android_frameworks_base/334872.patch"; #n-asb-2022-08 Stop using invalid URL to prevent unexpected crash applyPatch "$DOS_PATCHES/android_frameworks_base/334873.patch"; #n-asb-2022-08 Only allow the system server to connect to sync adapters applyPatch "$DOS_PATCHES/android_frameworks_base/338003.patch"; #n-asb-2022-09 IMMS: Make IMMS PendingIntents immutable +applyPatch "$DOS_PATCHES/android_frameworks_base/343956.patch"; #n-asb-2022-11 Switch TelecomManager List getters to ParceledListSlice +applyPatch "$DOS_PATCHES/android_frameworks_base/343957.patch"; #n-asb-2022-11 Check permission for VoiceInteraction git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP) applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS) 
@@ -350,6 +353,7 @@ fi;
 if enterAndClear "packages/services/Telecomm"; then
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332456.patch"; #n-asb-2022-06 limit TelecomManager#registerPhoneAccount to 10
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/343953.patch"; #n-asb-2022-11 Switch TelecomManager List getters to ParceledListSlice
 fi;
 if enterAndClear "packages/services/Telephony"; then
@@ -365,6 +369,10 @@ if enterAndClear "packages/providers/MediaProvider"; then
 applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/324248.patch"; #n-asb-2022-02 Open all files with O_NOFOLLOW.
 fi;
+if enterAndClear "packages/providers/TelephonyProvider"; then
+applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/343954.patch"; #n-asb-2022-11 Check dir path before updating permissions.
+fi;
+
 if enterAndClear "system/bt"; then
 applyPatch "$DOS_PATCHES/android_system_bt/315718.patch"; #BLE: [IOT] Initiate disconnection when encryption fails during pairing #CVE-2021-1957
 applyPatch "$DOS_PATCHES/android_system_bt/315719.patch"; #n-asb-2021-09 SMP: Reject pairing if public_key.x match
@@ -380,6 +388,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/337998.patch"; #n-asb-2022-09 Fix OOB
 applyPatch "$DOS_PATCHES/android_system_bt/337999.patch"; #n-asb-2022-09 Fix OOB in bnep_is_packet_allowed
 applyPatch "$DOS_PATCHES/android_system_bt/338000.patch"; #n-asb-2022-09 Fix OOB in reassemble_and_dispatch
 applyPatch "$DOS_PATCHES/android_system_bt/341070.patch"; #n-asb-2022-10 Fix potential interger overflow when parsing vendor response
+applyPatch "$DOS_PATCHES/android_system_bt/343958.patch"; #n-asb-2022-11 Add buffer in pin_reply in bluetooth.cc
+applyPatch "$DOS_PATCHES/android_system_bt/343959.patch"; #n-asb-2022-11 Add negative length check in process_service_search_rsp
 applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)
diff --git a/Scripts/LineageOS-18.1/Functions.sh b/Scripts/LineageOS-18.1/Functions.sh
index 8bf7779b..b532a93c 100644
--- a/Scripts/LineageOS-18.1/Functions.sh
+++ b/Scripts/LineageOS-18.1/Functions.sh
@@ -110,10 +110,11 @@ patchWorkspace() {
 gpgVerifyGitTag "$DOS_BUILD_BASE/external/hardened_malloc";
 gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
- #source build/envsetup.sh;
+ source build/envsetup.sh;
 #repopick -it eleven-firewall;
 #repopick -i 314453; #TaskViewTouchController: Null check current animation on drag
 #repopick -i 325011; #lineage: Opt-in to shipping full recovery image by default
+ repopick -it R_asb_2022-11;
 sh "$DOS_SCRIPTS/Patch.sh";
 sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-19.1/Functions.sh b/Scripts/LineageOS-19.1/Functions.sh
index b99b4a23..4bc584f0 100644
--- a/Scripts/LineageOS-19.1/Functions.sh
+++ b/Scripts/LineageOS-19.1/Functions.sh
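Review bot: In the Scripts/LineageOS-18.1/Functions.sh hunk, `repopick -it R_asb_2022-11;` pulls whatever changes carry that Gerrit topic at build time, so the set of commits applied is not pinned, and unlike the `gpgVerifyGitTag`/`gpgVerifyGitHead` calls just above it nothing visible here verifies what was fetched. The `-i` flag also lets a missing project pass, and the exit status is not checked before `sh "$DOS_SCRIPTS/Patch.sh";` runs, so a network or Gerrit failure could produce a build without the November fixes and without any visible error. Vendoring the topic's changes under `$DOS_PATCHES` and applying them with `applyPatch`, as the 14.1 script does, would make the input reviewable and reproducible; failing that, the function should stop when repopick returns non-zero. The same applies to `repopick -it S_asb_2022-11;` in the Scripts/LineageOS-19.1/Functions.sh hunk. patchWorkspace() starts before and ends after the hunk.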
@@ -113,8 +113,9 @@ patchWorkspace() {
 gpgVerifyGitTag "$DOS_BUILD_BASE/external/SecureCamera";
 gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
- #source build/envsetup.sh;
+ source build/envsetup.sh;
 #repopick -it twelve-colors;
+ repopick -it S_asb_2022-11;
 sh "$DOS_SCRIPTS/Patch.sh";
 sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/LineageOS-19.1/Patch.sh b/Scripts/LineageOS-19.1/Patch.sh
index 18ea6886..6c4fe460 100644
--- a/Scripts/LineageOS-19.1/Patch.sh
+++ b/Scripts/LineageOS-19.1/Patch.sh
@@ -211,6 +211,10 @@ if enterAndClear "frameworks/opt/net/wifi"; then
 applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
 fi;
+if enterAndClear "hardware/nxp/nfc"; then
+git fetch https://github.com/LineageOS/android_hardware_nxp_nfc refs/changes/21/343921/1 && git cherry-pick FETCH_HEAD; #S_asb_2022-11
+fi;
+
 if enterAndClear "hardware/qcom-caf/msm8953/audio"; then
 applyPatch "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-8998.patch"; #audio_extn: Fix unused parameter warning in utils.c (codeworkx)
 fi;
diff --git a/Scripts/WebView_Update_Repo.sh b/Scripts/WebView_Update_Repo.sh
index 7fe2ad57..6cb7ddf2 100644
--- a/Scripts/WebView_Update_Repo.sh
+++ b/Scripts/WebView_Update_Repo.sh
@@ -16,7 +16,7 @@ umask 0022;
 set -uo pipefail;
-export version="107.0.5304.91-1";
+export version="107.0.5304.105-1";
 export PATH=$PATH:$HOME/Android/Sdk/build-tools/33.0.0;
 export webviewARM32="/mnt/dos/Repos/DivestOS_WebView/prebuilt/arm/webview.apk";
 export webviewARM64="/mnt/dos/Repos/DivestOS_WebView/prebuilt/arm64/webview.apk";
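Review bot: In the Scripts/LineageOS-19.1/Patch.sh hunk, the added `git fetch … refs/changes/21/343921/1 && git cherry-pick FETCH_HEAD;` applies whatever the remote serves for that ref at build time, and nothing checks FETCH_HEAD against an expected commit before it is cherry-picked. If the fetch fails, the `&&` skips the pick and the block falls through to `fi;`, so the NFC fix can be missing without any visible error (whether the caller stops on failure is not shown here). Comparing the hash first, e.g. `[ "$(git rev-parse FETCH_HEAD)" = "<expected-commit-sha>" ] && git cherry-pick FETCH_HEAD;` with the real commit id in place of the placeholder, or vendoring the change under `$DOS_PATCHES` and using `applyPatch` like the neighbouring blocks, would make the build reproducible and failures detectable.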