Signed-off-by: Tad <tad@spotco.us>
Tad 2022-11-09 18:06:19 -05:00
parent 807a08210a
commit 8d4d73d65c
No known key found for this signature in database
GPG Key ID: B286E9F57A07424B
12 changed files with 716 additions and 4 deletions


@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Wed, 3 Aug 2022 12:25:33 -0700
Subject: [PATCH] OOBW in phNxpNciHal_write_unlocked()
Bug: 230356196
Test: builds ok
Merged-In: Ief580984ad58dbc7c57c2537c511d6b81c91b581
Change-Id: I7f22b9ce4a7f101a9218de746b71def74a5efa8c
(cherry picked from commit a0c461b91a67f6ee0e86f856bcea2bdac2318491)
Merged-In: I7f22b9ce4a7f101a9218de746b71def74a5efa8c
---
halimpl/pn54x/hal/phNxpNciHal_ext.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/halimpl/pn54x/hal/phNxpNciHal_ext.c b/halimpl/pn54x/hal/phNxpNciHal_ext.c
index bb667e9..4d458e3 100644
--- a/halimpl/pn54x/hal/phNxpNciHal_ext.c
+++ b/halimpl/pn54x/hal/phNxpNciHal_ext.c
@@ -787,7 +787,8 @@ NFCSTATUS phNxpNciHal_write_ext(uint16_t *cmd_len, uint8_t *p_cmd_data,
status = NFCSTATUS_FAILED;
}
//2002 0904 3000 3100 3200 5000
- else if ( (p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02 ) &&
+ else if (*cmd_len <= (NCI_MAX_DATA_LEN - 1) &&
+ (p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) &&
( (p_cmd_data[2] == 0x09 && p_cmd_data[3] == 0x04) /*||
(p_cmd_data[2] == 0x0D && p_cmd_data[3] == 0x04)*/
)
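Review bot: The added `*cmd_len <= (NCI_MAX_DATA_LEN - 1)` guard bounds only the upper end, while the same condition goes on to read `p_cmd_data[0]` through `p_cmd_data[3]` with no visible lower bound on `*cmd_len`. Unless an earlier branch of this else-if chain already guarantees at least four bytes, the condition should also require `*cmd_len >= 4`. The branch body that the guard protects lies outside the hunk, so a one-line comment naming the write that needs the headroom would let a reader verify that `- 1` is the right margin. The patch's only recorded test is "builds ok", so the boundary lengths are untested here.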


@ -0,0 +1,125 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Thomas Stuart <tjstuart@google.com>
Date: Thu, 23 Jun 2022 14:27:43 -0700
Subject: [PATCH] switch TelecomManager List getters to ParceledListSlice
It was shown that given a large phoneAccountHandles that are
over 1 mb, a TransactionTooLarge exception can be silently thrown
causing an empty list to be returned.
In order to prevent this behavior, all Lists that return a
PhoneAccountHandle or PhoneAccount have been switched to
ParceledListSlice.
bug: 236263294
Test: atest android.telecom.cts.PhoneAccountRegistrarTest
#testRegisterPhoneAccountHandleWithFieldOverLimit
Change-Id: I025245b2a6f8cfaca86f268851a9d8f0817e07dd
Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd
(cherry picked from commit 773cddde3d522606ff032fe8e432321c70edca09)
Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd
---
telecomm/java/android/telecom/TelecomManager.java | 11 ++++++-----
.../com/android/internal/telecom/ITelecomService.aidl | 11 ++++++-----
2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/telecomm/java/android/telecom/TelecomManager.java b/telecomm/java/android/telecom/TelecomManager.java
index b05e0fc2752c..adfcc559d19f 100644
--- a/telecomm/java/android/telecom/TelecomManager.java
+++ b/telecomm/java/android/telecom/TelecomManager.java
@@ -703,7 +703,7 @@ public class TelecomManager {
try {
if (isServiceConnected()) {
return getTelecomService().getPhoneAccountsSupportingScheme(uriScheme,
- mContext.getOpPackageName());
+ mContext.getOpPackageName()).getList();
}
} catch (RemoteException e) {
Log.e(TAG, "Error calling ITelecomService#getPhoneAccountsSupportingScheme", e);
@@ -738,7 +738,7 @@ public class TelecomManager {
try {
if (isServiceConnected()) {
return getTelecomService().getCallCapablePhoneAccounts(
- includeDisabledAccounts, mContext.getOpPackageName());
+ includeDisabledAccounts, mContext.getOpPackageName()).getList();
}
} catch (RemoteException e) {
Log.e(TAG, "Error calling ITelecomService#getCallCapablePhoneAccounts(" +
@@ -757,7 +757,8 @@ public class TelecomManager {
public List<PhoneAccountHandle> getPhoneAccountsForPackage() {
try {
if (isServiceConnected()) {
- return getTelecomService().getPhoneAccountsForPackage(mContext.getPackageName());
+ return getTelecomService()
+ .getPhoneAccountsForPackage(mContext.getPackageName()).getList();
}
} catch (RemoteException e) {
Log.e(TAG, "Error calling ITelecomService#getPhoneAccountsForPackage", e);
@@ -811,7 +812,7 @@ public class TelecomManager {
public List<PhoneAccount> getAllPhoneAccounts() {
try {
if (isServiceConnected()) {
- return getTelecomService().getAllPhoneAccounts();
+ return getTelecomService().getAllPhoneAccounts().getList();
}
} catch (RemoteException e) {
Log.e(TAG, "Error calling ITelecomService#getAllPhoneAccounts", e);
@@ -829,7 +830,7 @@ public class TelecomManager {
public List<PhoneAccountHandle> getAllPhoneAccountHandles() {
try {
if (isServiceConnected()) {
- return getTelecomService().getAllPhoneAccountHandles();
+ return getTelecomService().getAllPhoneAccountHandles().getList();
}
} catch (RemoteException e) {
Log.e(TAG, "Error calling ITelecomService#getAllPhoneAccountHandles", e);
diff --git a/telecomm/java/com/android/internal/telecom/ITelecomService.aidl b/telecomm/java/com/android/internal/telecom/ITelecomService.aidl
index 5c412e7afb0e..83eec3ad2ca7 100644
--- a/telecomm/java/com/android/internal/telecom/ITelecomService.aidl
+++ b/telecomm/java/com/android/internal/telecom/ITelecomService.aidl
@@ -23,6 +23,7 @@ import android.telecom.PhoneAccountHandle;
import android.net.Uri;
import android.os.Bundle;
import android.telecom.PhoneAccount;
+import android.content.pm.ParceledListSlice;
/**
* Interface used to interact with Telecom. Mostly this is used by TelephonyManager for passing
@@ -55,19 +56,19 @@ interface ITelecomService {
/**
* @see TelecomServiceImpl#getCallCapablePhoneAccounts
*/
- List<PhoneAccountHandle> getCallCapablePhoneAccounts(
+ ParceledListSlice getCallCapablePhoneAccounts(
boolean includeDisabledAccounts, String callingPackage);
/**
* @see TelecomManager#getPhoneAccountsSupportingScheme
*/
- List<PhoneAccountHandle> getPhoneAccountsSupportingScheme(in String uriScheme,
+ ParceledListSlice getPhoneAccountsSupportingScheme(in String uriScheme,
String callingPackage);
/**
* @see TelecomManager#getPhoneAccountsForPackage
*/
- List<PhoneAccountHandle> getPhoneAccountsForPackage(in String packageName);
+ ParceledListSlice getPhoneAccountsForPackage(in String packageName);
/**
* @see TelecomManager#getPhoneAccount
@@ -82,12 +83,12 @@ interface ITelecomService {
/**
* @see TelecomManager#getAllPhoneAccounts
*/
- List<PhoneAccount> getAllPhoneAccounts();
+ ParceledListSlice getAllPhoneAccounts();
/**
* @see TelecomManager#getAllPhoneAccountHandles
*/
- List<PhoneAccountHandle> getAllPhoneAccountHandles();
+ ParceledListSlice getAllPhoneAccountHandles();
/**
* @see TelecomServiceImpl#getSimCallManager
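Review bot: In ITelecomService.aidl the five getters now return a raw `ParceledListSlice`, so each `.getList()` in TelecomManager yields an unchecked `List` that is handed back as `List<PhoneAccountHandle>` or `List<PhoneAccount>` with no compile-time check of the element type. A null slice from the service would also throw NullPointerException at `.getList()`, which the surrounding `catch (RemoteException e)` does not handle; whether the service can return null is not visible in this section. Consider unwrapping behind a guard, e.g. `ParceledListSlice slice = getTelecomService().getAllPhoneAccounts();` followed by `if (slice != null) return slice.getList();`, and add a comment on each AIDL method naming the element type its slice carries. The TelecomManager method bodies start and end outside the hunks.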


@ -0,0 +1,202 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ivan Chiang <chiangi@google.com>
Date: Mon, 15 Aug 2022 15:09:33 +0800
Subject: [PATCH] Check permission for VoiceInteraction
The service must have the CAPTURE_AUDIO_HOTWORD permission to access
AlwaysOnHotwordDetector. If it doesn't have the permission, return
STATE_HARDWARE_UNAVAILABLE state. If it is not granted the
RECORD_AUDIO permisison, it also can't start to recognize the audio.
Test: manual
Test: atest CtsVoiceInteractionTestCases
Test: atest CtsAssistTestCases
Bug: 229793943
Change-Id: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb
Merged-In: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb
(cherry picked from commit e4e77f45700bcbc56aa6d6ffc094e0e0ae78190a)
Merged-In: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb
---
.../voice/AlwaysOnHotwordDetector.java | 40 ++++++++++++++++++-
.../voice/VoiceInteractionService.java | 2 +-
.../VoiceInteractionManagerService.java | 14 +++++++
3 files changed, 53 insertions(+), 3 deletions(-)
diff --git a/core/java/android/service/voice/AlwaysOnHotwordDetector.java b/core/java/android/service/voice/AlwaysOnHotwordDetector.java
index 9464a8754fa8..b188eb3ca898 100644
--- a/core/java/android/service/voice/AlwaysOnHotwordDetector.java
+++ b/core/java/android/service/voice/AlwaysOnHotwordDetector.java
@@ -16,11 +16,14 @@
package android.service.voice;
+import android.Manifest;
import android.annotation.IntDef;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.app.Activity;
+import android.content.Context;
import android.content.Intent;
+import android.content.pm.PackageManager;
import android.hardware.soundtrigger.IRecognitionStatusCallback;
import android.hardware.soundtrigger.KeyphraseEnrollmentInfo;
import android.hardware.soundtrigger.KeyphraseMetadata;
@@ -196,8 +199,10 @@ public class AlwaysOnHotwordDetector {
private final Callback mExternalCallback;
private final Object mLock = new Object();
private final Handler mHandler;
+ private final Context mContext;
private int mAvailability = STATE_NOT_READY;
+ private boolean mIsGrantedHotwordPermission;
/**
* Additional payload for {@link Callback#onDetected}.
@@ -324,19 +329,32 @@ public class AlwaysOnHotwordDetector {
public abstract void onRecognitionResumed();
}
+ private static boolean hasHotwordPermission(Context context) {
+ return context.checkSelfPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD)
+ == PackageManager.PERMISSION_GRANTED;
+ }
+
+ private static boolean hasRecordAudioPermission(Context context) {
+ return context.checkSelfPermission(Manifest.permission.RECORD_AUDIO)
+ == PackageManager.PERMISSION_GRANTED;
+ }
+
/**
+ * @param context The context to check permission
* @param text The keyphrase text to get the detector for.
* @param locale The java locale for the detector.
* @param callback A non-null Callback for receiving the recognition events.
+ * @param keyphraseEnrollmentInfo The Enrollment info of key phrase
* @param voiceInteractionService The current voice interaction service.
* @param modelManagementService A service that allows management of sound models.
*
* @hide
*/
- public AlwaysOnHotwordDetector(String text, Locale locale, Callback callback,
+ public AlwaysOnHotwordDetector(Context context, String text, Locale locale, Callback callback,
KeyphraseEnrollmentInfo keyphraseEnrollmentInfo,
IVoiceInteractionService voiceInteractionService,
IVoiceInteractionManagerService modelManagementService) {
+ mContext = context;
mText = text;
mLocale = locale;
mKeyphraseEnrollmentInfo = keyphraseEnrollmentInfo;
@@ -346,6 +364,7 @@ public class AlwaysOnHotwordDetector {
mInternalCallback = new SoundTriggerListener(mHandler);
mVoiceInteractionService = voiceInteractionService;
mModelManagementService = modelManagementService;
+ mIsGrantedHotwordPermission = hasHotwordPermission(mContext);
new RefreshAvailabiltyTask().execute();
}
@@ -402,6 +421,12 @@ public class AlwaysOnHotwordDetector {
*/
public boolean startRecognition(@RecognitionFlags int recognitionFlags) {
if (DBG) Slog.d(TAG, "startRecognition(" + recognitionFlags + ")");
+
+ if (!mIsGrantedHotwordPermission || !hasRecordAudioPermission(mContext)) {
+ throw new IllegalStateException("Must have the RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD "
+ + "permissions to access the detector.");
+ }
+
synchronized (mLock) {
if (mAvailability == STATE_INVALID) {
throw new IllegalStateException("startRecognition called on an invalid detector");
@@ -430,6 +455,12 @@ public class AlwaysOnHotwordDetector {
*/
public boolean stopRecognition() {
if (DBG) Slog.d(TAG, "stopRecognition()");
+
+ if (!mIsGrantedHotwordPermission || !hasRecordAudioPermission(mContext)) {
+ throw new IllegalStateException("Must have the RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD "
+ + "permissions to access the detector.");
+ }
+
synchronized (mLock) {
if (mAvailability == STATE_INVALID) {
throw new IllegalStateException("stopRecognition called on an invalid detector");
@@ -546,7 +577,8 @@ public class AlwaysOnHotwordDetector {
synchronized (mLock) {
if (mAvailability == STATE_INVALID
|| mAvailability == STATE_HARDWARE_UNAVAILABLE
- || mAvailability == STATE_KEYPHRASE_UNSUPPORTED) {
+ || mAvailability == STATE_KEYPHRASE_UNSUPPORTED
+ || !hasRecordAudioPermission(mContext)) {
Slog.w(TAG, "Received onSoundModelsChanged for an unsupported keyphrase/config");
return;
}
@@ -717,6 +749,10 @@ public class AlwaysOnHotwordDetector {
* @return The initial availability without checking the enrollment status.
*/
private int internalGetInitialAvailability() {
+ if (!mIsGrantedHotwordPermission) {
+ return STATE_HARDWARE_UNAVAILABLE;
+ }
+
synchronized (mLock) {
// This detector has already been invalidated.
if (mAvailability == STATE_INVALID) {
diff --git a/core/java/android/service/voice/VoiceInteractionService.java b/core/java/android/service/voice/VoiceInteractionService.java
index 479c9e2f7c30..0d18efdd7c9f 100644
--- a/core/java/android/service/voice/VoiceInteractionService.java
+++ b/core/java/android/service/voice/VoiceInteractionService.java
@@ -272,7 +272,7 @@ public class VoiceInteractionService extends Service {
synchronized (mLock) {
// Allow only one concurrent recognition via the APIs.
safelyShutdownHotwordDetector();
- mHotwordDetector = new AlwaysOnHotwordDetector(keyphrase, locale, callback,
+ mHotwordDetector = new AlwaysOnHotwordDetector(this, keyphrase, locale, callback,
mKeyphraseEnrollmentInfo, mInterface, mSystemService);
}
return mHotwordDetector;
diff --git a/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java b/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java
index a04034e3f764..cf4845fc11fc 100644
--- a/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java
+++ b/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java
@@ -843,6 +843,9 @@ public class VoiceInteractionManagerService extends SystemService {
@Override
public ModuleProperties getDspModuleProperties(IVoiceInteractionService service) {
+ // Allow the call if it is granted CAPTURE_AUDIO_HOTWORD.
+ enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD);
+
// Allow the call if this is the current voice interaction service.
synchronized (this) {
if (mImpl == null || mImpl.mService == null
@@ -864,6 +867,9 @@ public class VoiceInteractionManagerService extends SystemService {
public int startRecognition(IVoiceInteractionService service, int keyphraseId,
String bcp47Locale, IRecognitionStatusCallback callback,
RecognitionConfig recognitionConfig) {
+ // Allow the call if it is granted RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD.
+ enforceAlwaysOnHotwordPermissions();
+
// Allow the call if this is the current voice interaction service.
synchronized (this) {
if (mImpl == null || mImpl.mService == null
@@ -904,6 +910,9 @@ public class VoiceInteractionManagerService extends SystemService {
@Override
public int stopRecognition(IVoiceInteractionService service, int keyphraseId,
IRecognitionStatusCallback callback) {
+ // Allow the call if it is granted RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD.
+ enforceAlwaysOnHotwordPermissions();
+
// Allow the call if this is the current voice interaction service.
synchronized (this) {
if (mImpl == null || mImpl.mService == null
@@ -1117,6 +1126,11 @@ public class VoiceInteractionManagerService extends SystemService {
mSoundTriggerInternal.dump(fd, pw, args);
}
+ private void enforceAlwaysOnHotwordPermissions() {
+ enforceCallingPermission(Manifest.permission.RECORD_AUDIO);
+ enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD);
+ }
+
private void enforceCallingPermission(String permission) {
if (mContext.checkCallingOrSelfPermission(permission)
!= PackageManager.PERMISSION_GRANTED) {
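Review bot: `stopRecognition()` is now gated on the same permissions as `startRecognition()`, both in AlwaysOnHotwordDetector (it throws IllegalStateException) and in VoiceInteractionManagerService (`enforceAlwaysOnHotwordPermissions()`), so a service whose RECORD_AUDIO grant is revoked while a recognition is running can no longer stop it through this API. Unless the revocation path tears the session down elsewhere, which these hunks do not show, the stop path should stay reachable, for example by requiring only `enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD);` in the server-side `stopRecognition`. Separately, `mIsGrantedHotwordPermission` is read once in the constructor while RECORD_AUDIO is re-checked on every call; a comment such as `// CAPTURE_AUDIO_HOTWORD is checked once at construction; the system service re-checks it per call` would show the asymmetry is deliberate. The `onSoundModelsChanged` branch also logs "unsupported keyphrase/config" when the actual cause is a missing permission, which will mislead anyone triaging from logs.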


@ -0,0 +1,59 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Aishwarya Mallampati <amallampati@google.com>
Date: Wed, 17 Aug 2022 23:21:18 +0000
Subject: [PATCH] Check dir path before updating permissions.
Bug: 240685104
Test: atest android.telephonyprovider.cts.MmsPartTest
atest CtsTelephonyTestCases
Sanity check - sending and receiving sms and mms manually
Change-Id: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f
Merged-In: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f
(cherry picked from commit 0c3e2ce2810e4f5988b342f96bdd600c293c3187)
Merged-In: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f
---
.../providers/telephony/MmsProvider.java | 23 +++++++++++++++----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/src/com/android/providers/telephony/MmsProvider.java b/src/com/android/providers/telephony/MmsProvider.java
index 79791fac..88f8f376 100755
--- a/src/com/android/providers/telephony/MmsProvider.java
+++ b/src/com/android/providers/telephony/MmsProvider.java
@@ -44,7 +44,10 @@ import android.provider.Telephony.Mms.Part;
import android.provider.Telephony.Mms.Rate;
import android.provider.Telephony.MmsSms;
import android.provider.Telephony.Threads;
+import android.system.ErrnoException;
+import android.system.Os;
import android.text.TextUtils;
+import android.util.EventLog;
import android.util.Log;
import com.google.android.mms.MmsException;
@@ -1001,11 +1004,21 @@ public class MmsProvider extends ContentProvider {
case MMS_PART_RESET_FILE_PERMISSION:
String path = getContext().getDir(PARTS_DIR_NAME, 0).getPath() + '/' +
uri.getPathSegments().get(1);
- // Reset the file permission back to read for everyone but me.
- int result = FileUtils.setPermissions(path, 0644, -1, -1);
- if (LOCAL_LOGV) {
- Log.d(TAG, "MmsProvider.update setPermissions result: " + result +
- " for path: " + path);
+ try {
+ String partsDirPath = getContext().getDir(PARTS_DIR_NAME, 0).getCanonicalPath();
+ if (!new File(path).getCanonicalPath().startsWith(partsDirPath)) {
+ EventLog.writeEvent(0x534e4554, "240685104",
+ Binder.getCallingUid(), (TAG + " update: path " + path +
+ " does not start with " + partsDirPath));
+ return 0;
+ }
+ // Reset the file permission back to read for everyone but me.
+ Os.chmod(path, 0644);
+ if (LOCAL_LOGV) {
+ Log.d(TAG, "MmsProvider.update chmod is successful for path: " + path);
+ }
+ } catch (ErrnoException | IOException e) {
+ Log.e(TAG, "Exception in chmod: " + e);
}
return 0;
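Review bot: The containment check compares canonical path strings with `startsWith(partsDirPath)`, which also accepts a sibling directory whose name merely begins with the parts directory name, and the `Os.chmod(path, 0644)` that follows acts on the original, non-canonical `path` rather than on the value that was checked. Compare against the directory plus a separator and chmod the checked value: `String canonicalPath = new File(path).getCanonicalPath();`, `if (!canonicalPath.startsWith(partsDirPath + File.separator)) {`, `Os.chmod(canonicalPath, 0644);`. The path can still be re-pointed between the check and the chmod, so this narrows the window rather than closing it. The catch block logs `"Exception in chmod: " + e` and drops the stack trace; `Log.e(TAG, "Exception in chmod", e);` keeps it. The enclosing `update` method starts and ends outside the hunk.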


@ -0,0 +1,217 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Thomas Stuart <tjstuart@google.com>
Date: Thu, 23 Jun 2022 14:20:30 -0700
Subject: [PATCH] switch TelecomManager List getters to ParceledListSlice
It was shown that given a large phoneAccountHandles that are
over 1 mb, a TransactionTooLarge exception can be silently thrown
causing an empty list to be returned.
In order to prevent this behavior, all Lists that return a
PhoneAccountHandle or PhoneAccount have been switched to
ParceledListSlice.
bug: 236263294
Test: atest android.telecom.cts.PhoneAccountRegistrarTest
#testRegisterPhoneAccountHandleWithFieldOverLimit
Change-Id: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015
Merged-In: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015
(cherry picked from commit 960147d4bba558c87a26df6f0328df637a30479b)
Merged-In: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015
---
.../server/telecom/TelecomServiceImpl.java | 44 +++++++++++--------
.../telecom/tests/TelecomServiceImplTest.java | 21 +++++----
2 files changed, 39 insertions(+), 26 deletions(-)
diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java
index f2e85c64c..6bb1a1226 100644
--- a/src/com/android/server/telecom/TelecomServiceImpl.java
+++ b/src/com/android/server/telecom/TelecomServiceImpl.java
@@ -32,6 +32,8 @@ import android.content.Intent;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.res.Resources;
+import android.content.pm.ParceledListSlice;
+import android.content.pm.ResolveInfo;
import android.net.Uri;
import android.os.Binder;
import android.os.Bundle;
@@ -176,19 +178,20 @@ public class TelecomServiceImpl {
}
@Override
- public List<PhoneAccountHandle> getCallCapablePhoneAccounts(
+ public ParceledListSlice<PhoneAccountHandle> getCallCapablePhoneAccounts(
boolean includeDisabledAccounts, String callingPackage) {
try {
Log.startSession("TSI.gCCPA");
if (!canReadPhoneState(callingPackage, "getDefaultOutgoingPhoneAccount")) {
- return Collections.emptyList();
+ return ParceledListSlice.emptyList();
}
synchronized (mLock) {
final UserHandle callingUserHandle = Binder.getCallingUserHandle();
long token = Binder.clearCallingIdentity();
try {
- return mPhoneAccountRegistrar.getCallCapablePhoneAccounts(null,
- includeDisabledAccounts, callingUserHandle);
+ return new ParceledListSlice<>(
+ mPhoneAccountRegistrar.getCallCapablePhoneAccounts(null,
+ includeDisabledAccounts, callingUserHandle));
} catch (Exception e) {
Log.e(this, e, "getCallCapablePhoneAccounts");
throw e;
@@ -201,20 +204,22 @@ public class TelecomServiceImpl {
}
}
+
@Override
- public List<PhoneAccountHandle> getPhoneAccountsSupportingScheme(String uriScheme,
- String callingPackage) {
- try {
+ public ParceledListSlice<PhoneAccountHandle> getPhoneAccountsSupportingScheme(
+ String uriScheme, String callingPackage) {
+ try {
Log.startSession("TSI.gPASS");
synchronized (mLock) {
if (!canReadPhoneState(callingPackage, "getPhoneAccountsSupportingScheme")) {
- return Collections.emptyList();
+ return ParceledListSlice.emptyList();
}
final UserHandle callingUserHandle = Binder.getCallingUserHandle();
long token = Binder.clearCallingIdentity();
try {
- return mPhoneAccountRegistrar.getCallCapablePhoneAccounts(uriScheme, false,
- callingUserHandle);
+ return new ParceledListSlice<>(mPhoneAccountRegistrar
+ .getCallCapablePhoneAccounts(uriScheme, false,
+ callingUserHandle));
} catch (Exception e) {
Log.e(this, e, "getPhoneAccountsSupportingScheme %s", uriScheme);
throw e;
@@ -228,7 +233,8 @@ public class TelecomServiceImpl {
}
@Override
- public List<PhoneAccountHandle> getPhoneAccountsForPackage(String packageName) {
+ public ParceledListSlice<PhoneAccountHandle> getPhoneAccountsForPackage(
+ String packageName) {
//TODO: Deprecate this in S
try {
enforceCallingPackage(packageName);
@@ -251,8 +257,8 @@ public class TelecomServiceImpl {
long token = Binder.clearCallingIdentity();
try {
Log.startSession("TSI.gPAFP");
- return mPhoneAccountRegistrar.getPhoneAccountsForPackage(packageName,
- callingUserHandle);
+ return new ParceledListSlice<>(mPhoneAccountRegistrar
+ .getPhoneAccountsForPackage(packageName, callingUserHandle));
} catch (Exception e) {
Log.e(this, e, "getPhoneAccountsForPackage %s", packageName);
throw e;
@@ -293,7 +299,7 @@ public class TelecomServiceImpl {
try {
Log.startSession("TSI.gAPAC");
// This list is pre-filtered for the calling user.
- return getAllPhoneAccounts().size();
+ return getAllPhoneAccounts().getList().size();
} catch (Exception e) {
Log.e(this, e, "getAllPhoneAccountsCount");
throw e;
@@ -304,13 +310,14 @@ public class TelecomServiceImpl {
}
@Override
- public List<PhoneAccount> getAllPhoneAccounts() {
+ public ParceledListSlice<PhoneAccount> getAllPhoneAccounts() {
synchronized (mLock) {
final UserHandle callingUserHandle = Binder.getCallingUserHandle();
long token = Binder.clearCallingIdentity();
try {
Log.startSession("TSI.gAPA");
- return mPhoneAccountRegistrar.getAllPhoneAccounts(callingUserHandle);
+ return new ParceledListSlice<>(mPhoneAccountRegistrar
+ .getAllPhoneAccounts(callingUserHandle));
} catch (Exception e) {
Log.e(this, e, "getAllPhoneAccounts");
throw e;
@@ -322,13 +329,14 @@ public class TelecomServiceImpl {
}
@Override
- public List<PhoneAccountHandle> getAllPhoneAccountHandles() {
+ public ParceledListSlice<PhoneAccountHandle> getAllPhoneAccountHandles() {
synchronized (mLock) {
final UserHandle callingUserHandle = Binder.getCallingUserHandle();
long token = Binder.clearCallingIdentity();
try {
Log.startSession("TSI.gAPAH");
- return mPhoneAccountRegistrar.getAllPhoneAccountHandles(callingUserHandle);
+ return new ParceledListSlice<>(mPhoneAccountRegistrar
+ .getAllPhoneAccountHandles(callingUserHandle));
} catch (Exception e) {
Log.e(this, e, "getAllPhoneAccounts");
throw e;
diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
index 8de54bfbf..8b194b220 100644
--- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
+++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
@@ -311,9 +311,12 @@ public class TelecomServiceImplTest extends TelecomTestCase {
makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17);
assertEquals(fullPHList,
- mTSIBinder.getCallCapablePhoneAccounts(true, DEFAULT_DIALER_PACKAGE));
- assertEquals(smallPHList,
- mTSIBinder.getCallCapablePhoneAccounts(false, DEFAULT_DIALER_PACKAGE));
+ mTSIBinder.getCallCapablePhoneAccounts(
+ true, DEFAULT_DIALER_PACKAGE).getList());
+
+ assertEquals(smallPHList,
+ mTSIBinder.getCallCapablePhoneAccounts(
+ false, DEFAULT_DIALER_PACKAGE).getList());
}
@SmallTest
@@ -327,7 +330,7 @@ public class TelecomServiceImplTest extends TelecomTestCase {
List<PhoneAccountHandle> result = null;
try {
- result = mTSIBinder.getCallCapablePhoneAccounts(true, "");
+ result = mTSIBinder.getCallCapablePhoneAccounts(true, "").getList();
} catch (SecurityException e) {
// intended behavior
}
@@ -354,9 +357,11 @@ public class TelecomServiceImplTest extends TelecomTestCase {
makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17);
assertEquals(telPHList,
- mTSIBinder.getPhoneAccountsSupportingScheme("tel", DEFAULT_DIALER_PACKAGE));
+ mTSIBinder.getPhoneAccountsSupportingScheme(
+ "tel", DEFAULT_DIALER_PACKAGE).getList());
assertEquals(sipPHList,
- mTSIBinder.getPhoneAccountsSupportingScheme("sip", DEFAULT_DIALER_PACKAGE));
+ mTSIBinder.getPhoneAccountsSupportingScheme(
+ "sip", DEFAULT_DIALER_PACKAGE).getList());
}
@SmallTest
@@ -371,7 +376,7 @@ public class TelecomServiceImplTest extends TelecomTestCase {
makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17);
assertEquals(phoneAccountHandleList,
mTSIBinder.getPhoneAccountsForPackage(
- TEL_PA_HANDLE_16.getComponentName().getPackageName()));
+ TEL_PA_HANDLE_16.getComponentName().getPackageName()).getList());
}
@SmallTest
@@ -392,7 +397,7 @@ public class TelecomServiceImplTest extends TelecomTestCase {
when(mFakePhoneAccountRegistrar.getAllPhoneAccounts(any(UserHandle.class)))
.thenReturn(phoneAccountList);
- assertEquals(2, mTSIBinder.getAllPhoneAccounts().size());
+ assertEquals(2, mTSIBinder.getAllPhoneAccounts().getList().size());
}
@SmallTest
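Review bot: `import android.content.pm.ResolveInfo;` is added to TelecomServiceImpl.java but none of the hunks in this patch uses `ResolveInfo`, and both new imports sit after `android.content.res.Resources`, out of order with their neighbours; drop the unused one unless code outside the hunks needs it. `getAllPhoneAccountsCount()` now builds a ParceledListSlice only to unwrap it again with `getAllPhoneAccounts().getList().size()`, so a short comment there should say the round trip is intentional reuse of the per-user filtering. In `getAllPhoneAccountHandles()` the unchanged catch still logs `"getAllPhoneAccounts"`, which misattributes failures; `Log.e(this, e, "getAllPhoneAccountHandles");` would fix that while the method is being touched.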


@ -0,0 +1,35 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Sat, 13 Aug 2022 02:01:14 +0000
Subject: [PATCH] Add buffer in pin_reply in bluetooth.cc
Bug: 228602963
Test: make
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I2a2c9a106a485c319841491f7acc2d667e4d0e75
(cherry picked from commit 0dc1c1c34961822f2f3f0a1e8e0b4819c823951b)
Merged-In: I2a2c9a106a485c319841491f7acc2d667e4d0e75
---
btif/src/bluetooth.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/btif/src/bluetooth.c b/btif/src/bluetooth.c
index d2f81733d..b6552e251 100644
--- a/btif/src/bluetooth.c
+++ b/btif/src/bluetooth.c
@@ -342,11 +342,13 @@ static int get_connection_state(const bt_bdaddr_t *bd_addr)
static int pin_reply(const bt_bdaddr_t *bd_addr, uint8_t accept,
uint8_t pin_len, bt_pin_code_t *pin_code)
{
+ bt_pin_code_t tmp_pin_code;
/* sanity check */
if (interface_ready() == FALSE)
return BT_STATUS_NOT_READY;
- return btif_dm_pin_reply(bd_addr, accept, pin_len, pin_code);
+ memcpy(&tmp_pin_code, pin_code, pin_len);
+ return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code);
}
static int ssp_reply(const bt_bdaddr_t *bd_addr, bt_ssp_variant_t variant,
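Review bot: The new `memcpy(&tmp_pin_code, pin_code, pin_len);` copies a caller-supplied `uint8_t` length, up to 255 bytes, into a fixed-size stack `bt_pin_code_t` with no bound and no NULL check on `pin_code`, and any validation inside `btif_dm_pin_reply` now runs only after the copy. Add `if (pin_code == NULL || pin_len > sizeof(tmp_pin_code)) return BT_STATUS_PARM_INVALID;` before the `memcpy`. Clearing the local first with `memset(&tmp_pin_code, 0, sizeof(tmp_pin_code));` would also keep the bytes beyond `pin_len` from carrying stale stack contents into the callee. The definition of `bt_pin_code_t` is not shown in this hunk, so its exact size should be confirmed against the header.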


@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Fri, 12 Aug 2022 17:26:19 +0000
Subject: [PATCH] Add negative length check in process_service_search_rsp
Bug: 225876506
Test: run supplied POC (updated to Android T)
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca
(cherry picked from commit 18d69eb958493d4879786e2edb42ff4e60334a2f)
Merged-In: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca
---
stack/sdp/sdp_discovery.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index 6f6fe2b15..ec85da47a 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -309,7 +309,7 @@ static void process_service_search_rsp (tCONN_CB* p_ccb, uint8_t* p_reply,
orig = p_ccb->num_handles;
p_ccb->num_handles += cur_handles;
- if (p_ccb->num_handles == 0)
+ if (p_ccb->num_handles == 0 || p_ccb->num_handles < orig)
{
SDP_TRACE_WARNING ("SDP - Rcvd ServiceSearchRsp, no matches");
sdp_disconnect (p_ccb, SDP_NO_RECS_MATCH);
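Review bot: The new `p_ccb->num_handles < orig` test detects that the addition two lines above wrapped around, but nothing in the code says so, and the wrapped case falls into the branch that logs "no matches" and disconnects with `SDP_NO_RECS_MATCH`. Add a comment such as `/* num_handles < orig: adding cur_handles wrapped around */` and consider a distinct warning for that case, so an oversized handle count from the peer can be told apart in logs from a genuinely empty result. The wrapped sum is already stored in `p_ccb->num_handles` when the check runs; that is harmless only if the disconnect path does not read it, which lies outside this hunk.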


@ -72,7 +72,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
awk -i inplace '!/Exchange2/' target/product/core.mk;
sed -i 's/2021-06-05/2022-10-05/' core/version_defaults.mk; #Bump Security String #n-asb-2022-10 #XXX
sed -i 's/2021-06-05/2022-11-05/' core/version_defaults.mk; #Bump Security String #n-asb-2022-11 #XXX
fi;
if enterAndClear "device/qcom/sepolicy"; then
@ -109,6 +109,7 @@ applyPatch "$DOS_PATCHES/android_external_libnfc-nci/332458.patch"; #n-asb-2022-
applyPatch "$DOS_PATCHES/android_external_libnfc-nci/332459.patch"; #n-asb-2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
applyPatch "$DOS_PATCHES/android_external_libnfc-nci/332460.patch"; #n-asb-2022-06 Double Free in ce_t4t_data_cback
applyPatch "$DOS_PATCHES/android_external_libnfc-nci/341071.patch"; #n-asb-2022-10 The length of a packet should be non-zero
applyPatch "$DOS_PATCHES/android_external_libnfc-nci/343955.patch"; #n-asb-2022-11 OOBW in phNxpNciHal_write_unlocked()
fi;
if enterAndClear "external/sonivox"; then
@ -157,6 +158,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/334871.patch"; #n-asb-2022-08 O
applyPatch "$DOS_PATCHES/android_frameworks_base/334872.patch"; #n-asb-2022-08 Stop using invalid URL to prevent unexpected crash
applyPatch "$DOS_PATCHES/android_frameworks_base/334873.patch"; #n-asb-2022-08 Only allow the system server to connect to sync adapters
applyPatch "$DOS_PATCHES/android_frameworks_base/338003.patch"; #n-asb-2022-09 IMMS: Make IMMS PendingIntents immutable
applyPatch "$DOS_PATCHES/android_frameworks_base/343956.patch"; #n-asb-2022-11 Switch TelecomManager List getters to ParceledListSlice
applyPatch "$DOS_PATCHES/android_frameworks_base/343957.patch"; #n-asb-2022-11 Check permission for VoiceInteraction
git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@ -350,6 +353,7 @@ fi;
if enterAndClear "packages/services/Telecomm"; then
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332456.patch"; #n-asb-2022-06 limit TelecomManager#registerPhoneAccount to 10
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/343953.patch"; #n-asb-2022-11 Switch TelecomManager List getters to ParceledListSlice
fi;
if enterAndClear "packages/services/Telephony"; then
@ -365,6 +369,10 @@ if enterAndClear "packages/providers/MediaProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/324248.patch"; #n-asb-2022-02 Open all files with O_NOFOLLOW.
fi;
if enterAndClear "packages/providers/TelephonyProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/343954.patch"; #n-asb-2022-11 Check dir path before updating permissions.
fi;
if enterAndClear "system/bt"; then
applyPatch "$DOS_PATCHES/android_system_bt/315718.patch"; #BLE: [IOT] Initiate disconnection when encryption fails during pairing #CVE-2021-1957
applyPatch "$DOS_PATCHES/android_system_bt/315719.patch"; #n-asb-2021-09 SMP: Reject pairing if public_key.x match
@ -380,6 +388,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/337998.patch"; #n-asb-2022-09 Fix OOB
applyPatch "$DOS_PATCHES/android_system_bt/337999.patch"; #n-asb-2022-09 Fix OOB in bnep_is_packet_allowed
applyPatch "$DOS_PATCHES/android_system_bt/338000.patch"; #n-asb-2022-09 Fix OOB in reassemble_and_dispatch
applyPatch "$DOS_PATCHES/android_system_bt/341070.patch"; #n-asb-2022-10 Fix potential interger overflow when parsing vendor response
applyPatch "$DOS_PATCHES/android_system_bt/343958.patch"; #n-asb-2022-11 Add buffer in pin_reply in bluetooth.cc
applyPatch "$DOS_PATCHES/android_system_bt/343959.patch"; #n-asb-2022-11 Add negative length check in process_service_search_rsp
applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)


@ -110,10 +110,11 @@ patchWorkspace() {
gpgVerifyGitTag "$DOS_BUILD_BASE/external/hardened_malloc";
gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
#source build/envsetup.sh;
source build/envsetup.sh;
#repopick -it eleven-firewall;
#repopick -i 314453; #TaskViewTouchController: Null check current animation on drag
#repopick -i 325011; #lineage: Opt-in to shipping full recovery image by default
repopick -it R_asb_2022-11;
sh "$DOS_SCRIPTS/Patch.sh";
sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
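Review bot: `repopick -it R_asb_2022-11;` pulls whatever changes carry that Gerrit topic at build time, so the patched tree depends on mutable remote state, unlike the `gpgVerifyGitTag`/`gpgVerifyGitHead` checks just above it; the same applies to `repopick -it S_asb_2022-11;` in the next script. Picking explicit change and patchset numbers, or vendoring the changes as patch files the way Patch.sh does with `applyPatch`, would make the build reproducible and reviewable. At minimum add a comment next to the pick, e.g. `#XXX: topic pick is unpinned, review the picked changes before release`. patchWorkspace() continues outside the hunk.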


@ -113,8 +113,9 @@ patchWorkspace() {
gpgVerifyGitTag "$DOS_BUILD_BASE/external/SecureCamera";
gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
#source build/envsetup.sh;
source build/envsetup.sh;
#repopick -it twelve-colors;
repopick -it S_asb_2022-11;
sh "$DOS_SCRIPTS/Patch.sh";
sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";


@ -211,6 +211,10 @@ if enterAndClear "frameworks/opt/net/wifi"; then
applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
fi;
if enterAndClear "hardware/nxp/nfc"; then
git fetch https://github.com/LineageOS/android_hardware_nxp_nfc refs/changes/21/343921/1 && git cherry-pick FETCH_HEAD; #S_asb_2022-11
fi;
if enterAndClear "hardware/qcom-caf/msm8953/audio"; then
applyPatch "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-8998.patch"; #audio_extn: Fix unused parameter warning in utils.c (codeworkx)
fi;
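Review bot: The `git fetch ... refs/changes/21/343921/1 && git cherry-pick FETCH_HEAD;` line fetches the fix over the network at build time, and if the fetch fails the `&&` skips the cherry-pick while the script carries on, so the tree can be built without the NFC fix and without any error. The ref names a change and patchset, but the fetched commit is not compared with a known hash before it is picked. Vendoring the change under `$DOS_PATCHES` and applying it with `applyPatch`, as the neighbouring entries do, avoids both problems. Otherwise make the failure visible, for example by appending `|| echo "hardware/nxp/nfc: S_asb_2022-11 pick failed" >&2`.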


@ -16,7 +16,7 @@
umask 0022;
set -uo pipefail;
export version="107.0.5304.91-1";
export version="107.0.5304.105-1";
export PATH=$PATH:$HOME/Android/Sdk/build-tools/33.0.0;
export webviewARM32="/mnt/dos/Repos/DivestOS_WebView/prebuilt/arm/webview.apk";
export webviewARM64="/mnt/dos/Repos/DivestOS_WebView/prebuilt/arm64/webview.apk";