15.1 December ASB work

Signed-off-by: Tad <tad@spotco.us>

Patches/LineageOS-15.1/android_frameworks_base/377001-backport.patch

@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= <matiashe@google.com>
+Date: Wed, 5 Jul 2023 13:52:21 +0200
+Subject: [PATCH] Visit Uris added by WearableExtender
+
+Bug: 283962802
+Test: atest + manual (POC app now crashes on notify() as expected)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a6f44e911f2d7204cc28c710e54f97c96231abab)
+Merged-In: I0da18c631eb5e4844a48760c7aaedab715a0bfed
+Change-Id: I0da18c631eb5e4844a48760c7aaedab715a0bfed
+---
+ core/java/android/app/Notification.java | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
+index b7d265c26f22..6513401f5bfa 100644
+--- a/core/java/android/app/Notification.java
++++ b/core/java/android/app/Notification.java
+@@ -1493,6 +1493,10 @@ public class Notification implements Parcelable
+             }
+         }
+ 
++        private void visitUris(@NonNull Consumer<Uri> visitor) {
++            visitIconUri(visitor, getIcon());
++        }
++
+         @Override
+         public Action clone() {
+             return new Action(
+@@ -2117,6 +2121,11 @@ public class Notification implements Parcelable
+                 }
+             }
+         }
++
++        if (extras != null && extras.containsKey(WearableExtender.EXTRA_WEARABLE_EXTENSIONS)) {
++            WearableExtender extender = new WearableExtender(this);
++            extender.visitUris(visitor);
++        }
+     }
+ 
+     /**
+@@ -7870,6 +7879,12 @@ public class Notification implements Parcelable
+                 mFlags &= ~mask;
+             }
+         }
++
++        private void visitUris(@NonNull Consumer<Uri> visitor) {
++            for (Action action : mActions) {
++                action.visitUris(visitor);
++            }
++        }
+     }
+ 
+     /**

Patches/LineageOS-15.1/android_frameworks_base/377004-backport.patch

@@ -0,0 +1,123 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kweku Adams <kwekua@google.com>
+Date: Fri, 23 Sep 2022 21:06:53 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE: Drop invalid data.
+
+Drop invalid data when writing or reading from XML. PersistableBundle
+does lazy unparcelling, so checking the values during unparcelling would
+remove the benefit of the lazy unparcelling. Checking the validity when
+writing to or reading from XML seems like the best alternative.
+
+Bug: 246542285
+Bug: 247513680
+Test: install test app with invalid job config, start app to schedule job, then check logcat and jobscheduler persisted file
+(cherry picked from commit 666e8ac60a31e2cc52b335b41004263f28a8db06)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b37ab21ce27746a79a2071deee98c61b23c8d9)
+Merged-In: Ie817aa0993e9046cb313a750d2323cadc8c1ef15
+Change-Id: Ie817aa0993e9046cb313a750d2323cadc8c1ef15
+---
+ core/java/android/os/PersistableBundle.java | 42 +++++++++++++++++----
+ 1 file changed, 34 insertions(+), 8 deletions(-)
+
+diff --git a/core/java/android/os/PersistableBundle.java b/core/java/android/os/PersistableBundle.java
+index 3ed5b1745245..975b0da06c84 100644
+--- a/core/java/android/os/PersistableBundle.java
++++ b/core/java/android/os/PersistableBundle.java
+@@ -18,6 +18,7 @@ package android.os;
+ 
+ import android.annotation.Nullable;
+ import android.util.ArrayMap;
++import android.util.Slog;
+ 
+ import com.android.internal.util.XmlUtils;
+ 
+@@ -37,6 +38,8 @@ import java.util.ArrayList;
+  */
+ public final class PersistableBundle extends BaseBundle implements Cloneable, Parcelable,
+         XmlUtils.WriteMapCallback {
++    private static final String TAG = "PersistableBundle";
++
+     private static final String TAG_PERSISTABLEMAP = "pbundle_as_map";
+     public static final PersistableBundle EMPTY;
+ 
+@@ -99,7 +102,11 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
+      * @hide
+      */
+     public PersistableBundle(Bundle b) {
+-        this(b.getMap());
++        this(b, true);
++    }
++
++    private PersistableBundle(Bundle b, boolean throwException) {
++        this(b.getMap(), throwException);
+     }
+ 
+     /**
+@@ -108,7 +115,7 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
+      * @param map a Map containing only those items that can be persisted.
+      * @throws IllegalArgumentException if any element of #map cannot be persisted.
+      */
+-    private PersistableBundle(ArrayMap<String, Object> map) {
++    private PersistableBundle(ArrayMap<String, Object> map, boolean throwException) {
+         super();
+         mFlags = FLAG_DEFUSABLE;
+ 
+@@ -117,16 +124,23 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
+ 
+         // Now verify each item throwing an exception if there is a violation.
+         final int N = mMap.size();
+-        for (int i=0; i<N; i++) {
++        for (int i = N - 1; i >= 0; --i) {
+             Object value = mMap.valueAt(i);
+             if (value instanceof ArrayMap) {
+                 // Fix up any Maps by replacing them with PersistableBundles.
+-                mMap.setValueAt(i, new PersistableBundle((ArrayMap<String, Object>) value));
++                mMap.setValueAt(i,
++                        new PersistableBundle((ArrayMap<String, Object>) value, throwException));
+             } else if (value instanceof Bundle) {
+-                mMap.setValueAt(i, new PersistableBundle(((Bundle) value)));
++                mMap.setValueAt(i, new PersistableBundle((Bundle) value, throwException));
+             } else if (!isValidType(value)) {
+-                throw new IllegalArgumentException("Bad value in PersistableBundle key="
+-                        + mMap.keyAt(i) + " value=" + value);
++                final String errorMsg = "Bad value in PersistableBundle key="
++                        + mMap.keyAt(i) + " value=" + value;
++                if (throwException) {
++                    throw new IllegalArgumentException(errorMsg);
++                } else {
++                    Slog.wtfStack(TAG, errorMsg);
++                    mMap.removeAt(i);
++                }
+             }
+         }
+     }
+@@ -241,6 +255,15 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
+     /** @hide */
+     public void saveToXml(XmlSerializer out) throws IOException, XmlPullParserException {
+         unparcel();
++        // Explicitly drop invalid types an attacker may have added before persisting.
++        for (int i = mMap.size() - 1; i >= 0; --i) {
++            final Object value = mMap.valueAt(i);
++            if (!isValidType(value)) {
++                Slog.e(TAG, "Dropping bad data before persisting: "
++                        + mMap.keyAt(i) + "=" + value);
++                mMap.removeAt(i);
++            }
++        }
+         XmlUtils.writeMapXml(mMap, out, this);
+     }
+ 
+@@ -289,9 +312,12 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
+         while (((event = in.next()) != XmlPullParser.END_DOCUMENT) &&
+                 (event != XmlPullParser.END_TAG || in.getDepth() < outerDepth)) {
+             if (event == XmlPullParser.START_TAG) {
++                // Don't throw an exception when restoring from XML since an attacker could try to
++                // input invalid data in the persisted file.
+                 return new PersistableBundle((ArrayMap<String, Object>)
+                         XmlUtils.readThisArrayMapXml(in, startTag, tagName,
+-                        new MyReadMapCallback()));
++                        new MyReadMapCallback()),
++                        /* throwException */ false);
+             }
+         }
+         return EMPTY;

Patches/LineageOS-15.1/android_frameworks_base/377009.patch

@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Mon, 24 Jul 2023 14:58:56 -0700
+Subject: [PATCH] Validate userId when publishing shortcuts
+
+Bug: 288110451
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01bfd04ff445db6290ae430d44ea1bf1a115fe3c)
+Merged-In: Idbde676f871db83825155730e3714f3727e25762
+Change-Id: Idbde676f871db83825155730e3714f3727e25762
+---
+ services/core/java/com/android/server/pm/ShortcutService.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
+index 83b817559c2a..7acb99c8270a 100644
+--- a/services/core/java/com/android/server/pm/ShortcutService.java
++++ b/services/core/java/com/android/server/pm/ShortcutService.java
+@@ -1543,6 +1543,10 @@ public class ShortcutService extends IShortcutService.Stub {
+             android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, "");
+             throw new SecurityException("Shortcut package name mismatch");
+         }
++        final int callingUid = injectBinderCallingUid();
++        if (UserHandle.getUserId(callingUid) != si.getUserId()) {
++            throw new SecurityException("User-ID in shortcut doesn't match the caller");
++        }
+     }
+ 
+     private void verifyShortcutInfoPackages(

Patches/LineageOS-15.1/android_frameworks_base/377011.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kunal Malhotra <malhk@google.com>
+Date: Thu, 2 Feb 2023 23:48:27 +0000
+Subject: [PATCH] Adding in verification of calling UID in onShellCommand
+
+Test: manual testing on device
+Bug: b/261709193
+(cherry picked from commit b651d295b44eb82d664861b77f33dbde1bce9453)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3ef3f18ba3094c4cc4f954ba23d1da421f9ca8b0)
+Merged-In: I68903ebd6d3d85f4bc820b745e3233a448b62273
+Change-Id: I68903ebd6d3d85f4bc820b745e3233a448b62273
+---
+ .../java/com/android/server/am/ActivityManagerService.java | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 6e1c913105aa..0bdc9531064e 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -15165,6 +15165,13 @@ public class ActivityManagerService extends IActivityManager.Stub
+     public void onShellCommand(FileDescriptor in, FileDescriptor out,
+             FileDescriptor err, String[] args, ShellCallback callback,
+             ResultReceiver resultReceiver) {
++        final int callingUid = Binder.getCallingUid();
++        if (callingUid != ROOT_UID && callingUid != Process.SHELL_UID) {
++            if (resultReceiver != null) {
++                resultReceiver.send(-1, null);
++            }
++            throw new SecurityException("Shell commands are only callable by root or shell");
++        }
+         (new ActivityManagerShellCommand(this, false)).exec(
+                 this, in, out, err, args, callback, resultReceiver);
+     }

Patches/LineageOS-15.1/android_packages_apps_Bluetooth/377014-backport.patch

@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Thu, 5 Oct 2023 00:01:03 +0000
+Subject: [PATCH] Fix UAF in ~CallbackEnv
+
+com_android_bluetooth_btservice_AdapterService does not null its local
+JNI environment variable after detaching the thread (which frees the
+environment context), allowing UAF under certain conditions.
+
+Null the variable in this case.
+
+Testing here was done through a custom unit test; see patchsets 4-6 for
+contents.  However, unit testing of the JNI layer is problematic in
+production, so that part of the patch is omitted for final merge.
+
+Bug: 291500341
+Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f543d919c4067f2f4925580fd8a690ba3440e80)
+Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030
+Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
+---
+ jni/com_android_bluetooth_btservice_AdapterService.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
+index ecda5ac62..53ff86469 100644
+--- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
++++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
+@@ -387,6 +387,7 @@ static void callback_thread_event(bt_cb_thread_evt event) {
+       return;
+     }
+     vm->DetachCurrentThread();
++    callbackEnv = NULL;
+   }
+ }
+ 

Patches/LineageOS-15.1/android_packages_apps_Trebuchet/377015.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Tue, 12 Sep 2023 22:37:16 +0000
+Subject: [PATCH] Fix permission bypass in legacy shortcut
+
+Intent created for Chooser should not be allowed in legacy shortcuts
+since it doesn't make sense for user to tap on a shortcut in homescreen
+to share, the expected share flow started from ShareSheet.
+
+Bug: 295334906, 295045199
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b7b192bd7f24a2aa7d6881ee949657c9760c0305)
+Merged-In: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
+Change-Id: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
+---
+ .../android/launcher3/util/PackageManagerHelper.java  | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java
+index 1c05c993c7..1b97e478c9 100644
+--- a/src/com/android/launcher3/util/PackageManagerHelper.java
++++ b/src/com/android/launcher3/util/PackageManagerHelper.java
+@@ -105,15 +105,8 @@ public class PackageManagerHelper {
+     public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
+         // b/270152142
+         if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
+-            final Bundle extras = intent.getExtras();
+-            if (extras == null) {
+-                return true;
+-            }
+-            // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
+-            intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
+-            if (intent == null) {
+-                return true;
+-            }
++            // Chooser shortcuts is not a valid target
++            return false;
+         }
+         ResolveInfo target = mPm.resolveActivity(intent, 0);
+         if (target == null) {

Patches/LineageOS-15.1/android_packages_services_Telecomm/377016-backport.patch

@@ -0,0 +1,109 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pranav Madapurmath <pmadapurmath@google.com>
+Date: Wed, 5 Apr 2023 21:36:12 +0000
+Subject: [PATCH] Resolve account image icon profile boundary exploit.
+
+Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit
+is possible where the user can upload an image icon (belonging to
+another user) via registering a phone account. This CL provides a
+lightweight solution for parsing the image URI to detect profile
+exploitation.
+
+Fixes: 273502295
+Fixes: 296915211
+Test: Unit test to enforce successful/failure path
+(cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7)
+(cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42)
+Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
+Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
+---
+ .../server/telecom/TelecomServiceImpl.java    | 22 +++++++++++++++++++
+ .../telecom/tests/TelecomServiceImplTest.java | 22 +++++++++++++++++++
+ 2 files changed, 44 insertions(+)
+
+diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java
+index 2f9ffdbc4..4641f5436 100644
+--- a/src/com/android/server/telecom/TelecomServiceImpl.java
++++ b/src/com/android/server/telecom/TelecomServiceImpl.java
+@@ -35,6 +35,7 @@ import android.content.pm.PackageManager;
+ import android.content.res.Resources;
+ import android.content.pm.ParceledListSlice;
+ import android.content.pm.ResolveInfo;
++import android.graphics.drawable.Icon;
+ import android.net.Uri;
+ import android.os.Binder;
+ import android.os.Bundle;
+@@ -468,6 +469,9 @@ public class TelecomServiceImpl {
+                             enforceRegisterMultiUser();
+                         }
+                         enforceUserHandleMatchesCaller(account.getAccountHandle());
++                        // Validate the profile boundary of the given image URI.
++                        validateAccountIconUserBoundary(account.getIcon());
++
+                         final long token = Binder.clearCallingIdentity();
+                         try {
+                             mPhoneAccountRegistrar.registerPhoneAccount(account);
+@@ -1742,4 +1746,22 @@ public class TelecomServiceImpl {
+         // If only TX or RX were set (or neither), the video state is valid.
+         return remainingState == 0;
+     }
++
++    private void validateAccountIconUserBoundary(Icon icon) {
++        // Refer to Icon#getUriString for context. The URI string is invalid for icons of
++        // incompatible types.
++        if (icon != null && (icon.getType() == Icon.TYPE_URI
++                /*|| icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP*/)) {
++            String encodedUser = icon.getUri().getEncodedUserInfo();
++            // If there is no encoded user, the URI is calling into the calling user space
++            if (encodedUser != null) {
++                int userId = Integer.parseInt(encodedUser);
++                if (userId != UserHandle.getUserId(Binder.getCallingUid())) {
++                    // If we are transcending the profile boundary, throw an error.
++                    throw new IllegalArgumentException("Attempting to register a phone account with"
++                            + " an image icon belonging to another user.");
++                }
++            }
++        }
++    }
+ }
+diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
+index 1d46f1abb..491b6183f 100644
+--- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
++++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
+@@ -28,6 +28,7 @@ import android.content.Context;
+ import android.content.Intent;
+ import android.content.pm.ApplicationInfo;
+ import android.content.pm.PackageManager;
++import android.graphics.drawable.Icon;
+ import android.net.Uri;
+ import android.os.Binder;
+ import android.os.Bundle;
+@@ -478,6 +479,27 @@ public class TelecomServiceImplTest extends TelecomTestCase {
+         }
+     }
+ 
++    @SmallTest
++    @Test
++    public void testRegisterPhoneAccountImageIconCrossUser() throws RemoteException {
++        String packageNameToUse = "com.android.officialpackage";
++        PhoneAccountHandle phHandle = new PhoneAccountHandle(new ComponentName(
++                packageNameToUse, "cs"), "test", Binder.getCallingUserHandle());
++        Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/");
++        PhoneAccount phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build();
++        doReturn(PackageManager.PERMISSION_GRANTED)
++                .when(mContext).checkCallingOrSelfPermission(MODIFY_PHONE_STATE);
++
++        // This should fail; security exception will be thrown.
++        registerPhoneAccountTestHelper(phoneAccount, false);
++
++        icon = Icon.createWithContentUri("content://0@media/external/images/media/");
++        phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build();
++        // This should succeed.
++        registerPhoneAccountTestHelper(phoneAccount, true);
++    }
++
++
+     @SmallTest
+     public void testUnregisterPhoneAccount() throws RemoteException {
+         String packageNameToUse = "com.android.officialpackage";

Patches/LineageOS-15.1/android_system_bt/377017.patch

@@ -0,0 +1,99 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Sat, 2 Sep 2023 04:20:10 +0000
+Subject: [PATCH] Reject access to secure service authenticated from a temp
+ bonding [1]
+
+Rejecct access to services running on l2cap
+
+Backport of
+Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
+
+Bug: 294854926
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d)
+Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
+Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
+---
+ stack/btm/btm_sec.cc | 38 ++++++++++++++++++++++++++++++++++----
+ 1 file changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 9be18a42b..c0cade2f2 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -100,7 +100,7 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
+                                        uint32_t mx_proto_id,
+                                        uint32_t mx_chan_id);
+ 
+-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec);
++static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec);
+ static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec);
+ static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec);
+ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
+@@ -142,7 +142,7 @@ static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = {
+  * Returns          bool    true or false
+  *
+  ******************************************************************************/
+-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) {
++static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec) {
+   if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) {
+     return (true);
+   }
+@@ -216,6 +216,25 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
+   return (false);
+ }
+ 
++/*******************************************************************************
++ *
++ * Function         access_secure_service_from_temp_bond
++ *
++ * Description      a utility function to test whether an access to
++ *                  secure service from temp bonding is happening
++ *
++ * Returns          true if the aforementioned condition holds,
++ *                  false otherwise
++ *
++ ******************************************************************************/
++static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec,
++                                                 bool locally_initiated,
++                                                 uint16_t security_req) {
++  return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
++    btm_dev_authenticated(p_dev_rec) &&
++    p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
++}
++
+ /*******************************************************************************
+  *
+  * Function         BTM_SecRegister
+@@ -2212,9 +2231,13 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
+       }
+ 
+       if (rc == BTM_SUCCESS) {
++        if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required)) {
++          LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
++          rc = BTM_FAILED_ON_SECURITY;
++        }
+         if (p_callback)
+-          (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS);
+-        return (BTM_SUCCESS);
++          (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc);
++        return (rc);
+       }
+     }
+ 
+@@ -5271,6 +5294,13 @@ static tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
+     }
+   }
+ 
++  if (access_secure_service_from_temp_bond(p_dev_rec,
++                                           p_dev_rec->is_originator,
++                                           p_dev_rec->security_required)) {
++    LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
++    return (BTM_FAILED_ON_SECURITY);
++  }
++
+   /* All required  security procedures already established */
+   p_dev_rec->security_required &=
+       ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |

Patches/LineageOS-15.1/android_system_bt/377018.patch

@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Sat, 2 Sep 2023 04:27:29 +0000
+Subject: [PATCH] Reject access to secure services authenticated from temp
+ bonding [2]
+
+Reject access to service running on rfcomm
+
+this is a backport of
+I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
+
+Bug: 294854926
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5e0e907ec4948f06b3a35ecf08725c020d533ccb)
+Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
+Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
+---
+ stack/btm/btm_sec.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index c0cade2f2..5f35733f5 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -2570,6 +2570,11 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
+                                mx_chan_id, p_callback, p_ref_data);
+     } else /* rc == BTM_SUCCESS */
+     {
++      if (access_secure_service_from_temp_bond(p_dev_rec,
++          is_originator, security_required)) {
++        LOG_ERROR(LOG_TAG, "Trying to access a secure rfcomm service from a temp bonding, reject");
++        rc = BTM_FAILED_ON_SECURITY;
++      }
+       /* access granted */
+       if (p_callback) {
+         (*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc);

Patches/LineageOS-15.1/android_system_bt/377019.patch

@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Tue, 12 Sep 2023 23:47:48 +0000
+Subject: [PATCH] Reject access to secure service authenticated from a temp
+ bonding [3]
+
+Allow access to rfcomm PSM by default
+
+Original bug
+Bug: 294854926
+
+Nearby regressions:
+Bug: 298539299
+
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab986fe4165aae74c5915f57ad2e78bf80f1d3ec)
+Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
+Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
+---
+ stack/btm/btm_sec.cc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 5f35733f5..fb00cb230 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -2254,15 +2254,15 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
+       btm_cb.security_mode == BTM_SEC_MODE_SC) {
+     if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
+       if (is_originator) {
+-        /* SM4 to SM4 -> always authenticate & encrypt */
+-        security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
++        /* SM4 to SM4 -> always encrypt */
++        security_required |= BTM_SEC_OUT_ENCRYPT;
+       } else /* acceptor */
+       {
+         /* SM4 to SM4: the acceptor needs to make sure the authentication is
+          * already done */
+         chk_acp_auth_done = true;
+-        /* SM4 to SM4 -> always authenticate & encrypt */
+-        security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
++        /* SM4 to SM4 -> always encrypt */
++        security_required |= BTM_SEC_IN_ENCRYPT;
+       }
+     } else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) {
+       /* the remote features are not known yet */

Patches/LineageOS-15.1/android_system_bt/377020-backport.patch

@@ -0,0 +1,137 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Tue, 12 Sep 2023 23:54:08 +0000
+Subject: [PATCH] Reorganize the code for checking auth requirement
+
+Original bug
+Bug: 294854926
+
+regressions:
+Bug: 299570702
+
+Test: Test: m com.android.btservices
+Test: QA validation
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0c488b2420befe0f8038957861072a8e63702f91)
+Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
+Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
+---
+ stack/btm/btm_sec.cc | 99 ++++++++++++++++++++++++++------------------
+ 1 file changed, 59 insertions(+), 40 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index fb00cb230..005629c48 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -5202,52 +5202,71 @@ static tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
+ 
+   /* If connection is not authenticated and authentication is required */
+   /* start authentication and return PENDING to the caller */
+-  if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) &&
+-        ((p_dev_rec->is_originator &&
+-          (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) ||
+-         (!p_dev_rec->is_originator &&
+-          (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))) ||
+-       (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
+-        (!p_dev_rec->is_originator &&
+-         (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) &&
+-      (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) {
+-/*
+- * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
+- * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
+- * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
+- * authenticated connections, hence we cannot distinguish here.
+- */
++  if (p_dev_rec->hci_handle != HCI_INVALID_HANDLE) {
++    bool start_auth = false;
++
++    // Check link status of BR/EDR
++    if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
++      if (p_dev_rec->is_originator) {
++        if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) {
++          LOG_DEBUG(LOG_TAG, "Outgoing authentication Required");
++          start_auth = true;
++        }
++      } else {
++        if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) {
++          LOG_DEBUG(LOG_TAG, "Incoming authentication Required");
++          start_auth = true;
++        }
++      }
++    }
++
++    if (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)) {
++      /*
++       * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
++       * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
++       * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
++       * authenticated connections, hence we cannot distinguish here.
++       */
++      if (!p_dev_rec->is_originator) {
++        if (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) {
++          LOG_DEBUG(LOG_TAG, "BTM_SEC_IN_MIN_16_DIGIT_PIN Required");
++          start_auth = true;
++        }
++      }
++    }
+ 
++    if (start_auth) {
+ #if (L2CAP_UCD_INCLUDED == TRUE)
+-    /* if incoming UCD packet, discard it */
+-    if (!p_dev_rec->is_originator && (p_dev_rec->is_ucd == true))
+-      return (BTM_FAILED_ON_SECURITY);
++        /* if incoming UCD packet, discard it */
++        if (!p_dev_rec->is_originator && (p_dev_rec->is_ucd == true))
++          return (BTM_FAILED_ON_SECURITY);
+ #endif
+ 
+-    BTM_TRACE_EVENT("Security Manager: Start authentication");
++      LOG_DEBUG(LOG_TAG, "Security Manager: Start authentication");
+ 
+-    /*
+-     * If we do have a link-key, but we end up here because we need an
+-     * upgrade, then clear the link-key known and authenticated flag before
+-     * restarting authentication.
+-     * WARNING: If the controller has link-key, it is optional and
+-     * recommended for the controller to send a Link_Key_Request.
+-     * In case we need an upgrade, the only alternative would be to delete
+-     * the existing link-key. That could lead to very bad user experience
+-     * or even IOP issues, if a reconnect causes a new connection that
+-     * requires an upgrade.
+-     */
+-    if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) &&
+-        (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
+-         (!p_dev_rec->is_originator &&
+-          (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
+-      p_dev_rec->sec_flags &=
+-          ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
+-            BTM_SEC_AUTHENTICATED);
+-    }
++      /*
++       * If we do have a link-key, but we end up here because we need an
++       * upgrade, then clear the link-key known and authenticated flag before
++       * restarting authentication.
++       * WARNING: If the controller has link-key, it is optional and
++       * recommended for the controller to send a Link_Key_Request.
++       * In case we need an upgrade, the only alternative would be to delete
++       * the existing link-key. That could lead to very bad user experience
++       * or even IOP issues, if a reconnect causes a new connection that
++       * requires an upgrade.
++       */
++      if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) &&
++          (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
++          (!p_dev_rec->is_originator &&
++            (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
++        p_dev_rec->sec_flags &=
++            ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
++              BTM_SEC_AUTHENTICATED);
++      }
+ 
+-    btm_sec_start_authentication(p_dev_rec);
+-    return (BTM_CMD_STARTED);
++      btm_sec_start_authentication(p_dev_rec);
++      return (BTM_CMD_STARTED);
++    }
+   }
+ 
+   /* If connection is not encrypted and encryption is required */

Patches/LineageOS-15.1/android_system_bt/377021.patch

@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Wed, 13 Sep 2023 00:00:44 +0000
+Subject: [PATCH] Enforce authentication if encryption is required
+
+Original bug
+Bug: 294854926
+
+regressions:
+Bug: 299570702
+Bug: 299561281
+
+Test: Test: m com.android.btservices
+Test: QA validation
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:778d3fb3fb520e54425ecefe9a28453002053553)
+Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa
+Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa
+---
+ stack/btm/btm_sec.cc | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 005629c48..29ca8320f 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -5208,13 +5208,15 @@ static tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
+     // Check link status of BR/EDR
+     if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
+       if (p_dev_rec->is_originator) {
+-        if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) {
+-          LOG_DEBUG(LOG_TAG, "Outgoing authentication Required");
++        if (p_dev_rec->security_required &
++            (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) {
++          LOG_DEBUG(LOG_TAG, "Outgoing authentication/encryption Required");
+           start_auth = true;
+         }
+       } else {
+-        if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) {
+-          LOG_DEBUG(LOG_TAG, "Incoming authentication Required");
++        if (p_dev_rec->security_required &
++            (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) {
++          LOG_DEBUG(LOG_TAG, "Incoming authentication/encryption Required");
+           start_auth = true;
+         }
+       }

Patches/LineageOS-15.1/android_system_bt/377023-backport.patch

@@ -0,0 +1,69 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 3 Oct 2023 21:27:49 +0000
+Subject: [PATCH] Fix timing attack in BTM_BleVerifySignature
+
+BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
+to be deduced through a side-channel attack.
+
+Change to CRYPTO_memcmp, which is hardened against this attack, to
+eliminate this attack.
+
+Bug: 274478807
+Test: atest bluetooth_test_gd_unit
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)
+Merged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c
+Change-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c
+---
+ main/Android.bp      | 1 +
+ stack/Android.bp     | 1 +
+ stack/btm/btm_ble.cc | 3 ++-
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/main/Android.bp b/main/Android.bp
+index 9dc5a9866..35df9e6d4 100644
+--- a/main/Android.bp
++++ b/main/Android.bp
+@@ -48,6 +48,7 @@ cc_library_shared {
+         "libutils",
+         "libtinyxml2",
+         "libz",
++        "libcrypto",
+     ],
+     static_libs: [
+         "libbt-sbc-decoder",
+diff --git a/stack/Android.bp b/stack/Android.bp
+index 5cb567895..dd0f934f3 100644
+--- a/stack/Android.bp
++++ b/stack/Android.bp
+@@ -176,6 +176,7 @@ cc_library_static {
+     shared_libs: [
+         "libcutils",
+         "liblog",
++        "libcrypto",
+     ],
+     required: [
+         "libldacBT_enc",
+diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc
+index 3a67f75ba..b8dfba239 100644
+--- a/stack/btm/btm_ble.cc
++++ b/stack/btm/btm_ble.cc
+@@ -41,6 +41,7 @@
+ #include "hcimsgs.h"
+ #include "log/log.h"
+ #include "l2c_int.h"
++#include "openssl/mem.h"
+ #include "osi/include/log.h"
+ #include "osi/include/osi.h"
+ #include "smp_api.h"
+@@ -2235,7 +2236,7 @@ bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,
+ 
+     if (aes_cipher_msg_auth_code(p_rec->ble.keys.pcsrk, p_orig, len,
+                                  BTM_CMAC_TLEN_SIZE, p_mac)) {
+-      if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
++      if (CRYPTO_memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
+         btm_ble_increment_sign_ctr(bd_addr, false);
+         verified = true;
+       }

Patches/LineageOS-15.1/android_system_netd/377024-backport.patch

@@ -0,0 +1,114 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Lin Lee <linlee@google.com>
+Date: Mon, 7 Aug 2023 09:34:41 +0000
+Subject: [PATCH] Fix Heap-use-after-free in MDnsSdListener::Monitor::run
+
+Use thread join to avoid thread exiting after instance
+recycled.
+
+Prior to implementing this patch, fuzzing would lead to a segmentation fault after approximately 500 rounds. With the addition of the patch, the fuzzing process can now be repeated for over 30,000 rounds.
+
+Test: m, fuzzing
+Fuzzing: mma mdns_service_fuzzer && adb sync data && adb shell /data/fuzz/arm64/mdns_service_fuzzer/mdns_service_fuzzer
+
+Bug: 272382770
+Ignore-AOSP-First: Security Issue
+(cherry picked from commit 9c0c15f80cffb98b36284dd169a2e62e059dbbe3)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:75e5e2e1faec7aa2812fc6fba30d6fe80558bacd)
+Merged-In: I5bc85451b4e6539bad45ceb672924a37952cc138
+Change-Id: I5bc85451b4e6539bad45ceb672924a37952cc138
+---
+ server/MDnsSdListener.cpp | 36 ++++++++++++++++++++++++------------
+ server/MDnsSdListener.h   |  4 +++-
+ 2 files changed, 27 insertions(+), 13 deletions(-)
+
+diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
+index ef53d249..6eaaf5c0 100644
+--- a/server/MDnsSdListener.cpp
++++ b/server/MDnsSdListener.cpp
+@@ -27,6 +27,7 @@
+ #include <sys/types.h>
+ #include <string.h>
+ #include <resolv.h>
++#include <thread>
+ 
+ #define LOG_TAG "MDnsDS"
+ #define DBG 1
+@@ -524,10 +525,17 @@ MDnsSdListener::Monitor::Monitor() {
+     socketpair(AF_LOCAL, SOCK_STREAM, 0, mCtrlSocketPair);
+     pthread_mutex_init(&mHeadMutex, NULL);
+ 
+-    const int rval = ::android::net::threadLaunch(this);
+-    if (rval != 0) {
+-        ALOGW("Error spawning monitor thread: %s (%d)", strerror(-rval), -rval);
+-    }
++    mRescanThread = new std::thread(&Monitor::run, this);
++    if (!mRescanThread->joinable()) ALOGE("Unable to launch thread.");
++}
++
++MDnsSdListener::Monitor::~Monitor() {
++    if (VDBG) ALOGD("Monitor recycling");
++    close(mCtrlSocketPair[1]);  // interrupt poll in MDnsSdListener::Monitor::run() and revent will
++                                // be 17 = POLLIN | POLLHUP
++    mRescanThread->join();
++    delete mRescanThread;
++    if (VDBG) ALOGD("Monitor recycled");
+ }
+ 
+ #define NAP_TIME 200  // 200 ms between polls
+@@ -617,14 +625,18 @@ void MDnsSdListener::Monitor::run() {
+                 }
+             }
+             if (VDBG) ALOGD("controlSocket shows revent= %d", mPollFds[0].revents);
+-            switch (mPollFds[0].revents) {
+-                case POLLIN: {
+-                    char readBuf[2];
+-                    read(mCtrlSocketPair[0], &readBuf, 1);
+-                    if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
+-                    if (memcmp(RESCAN, readBuf, 1) == 0) {
+-                        pollCount = rescan();
+-                    }
++            if (mPollFds[0].revents & POLLHUP) {
++                free(mPollFds);
++                free(mPollRefs);
++                if (VDBG) ALOGD("Monitor thread leaving.");
++                return;
++            }
++            if (mPollFds[0].revents == POLLIN) {
++                char readBuf[2];
++                read(mCtrlSocketPair[0], &readBuf, 1);
++                if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
++                if (memcmp(RESCAN, readBuf, 1) == 0) {
++                    pollCount = rescan();
+                 }
+             }
+             mPollFds[0].revents = 0;
+diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h
+index 8c6096e8..2b3cb5e2 100644
+--- a/server/MDnsSdListener.h
++++ b/server/MDnsSdListener.h
+@@ -20,6 +20,7 @@
+ #include <pthread.h>
+ #include <sysutils/FrameworkListener.h>
+ #include <dns_sd.h>
++#include <thread>
+ 
+ #include "NetdCommand.h"
+ 
+@@ -71,7 +72,7 @@ private:
+     class Monitor {
+     public:
+         Monitor();
+-        virtual ~Monitor() {}
++        ~Monitor();
+         DNSServiceRef *allocateServiceRef(int id, Context *c);
+         void startMonitoring(int id);
+         DNSServiceRef *lookupServiceRef(int id);
+@@ -101,6 +102,7 @@ private:
+         int mPollSize;
+         int mCtrlSocketPair[2];
+         pthread_mutex_t mHeadMutex;
++        std::thread* mRescanThread;
+     };
+ 
+     class Handler : public NetdCommand {

Patches/LineageOS-16.0/android_packages_services_Telecomm/377016-backport.patch

@@ -18,15 +18,23 @@ Test: Unit test to enforce successful/failure path
 Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
 Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
 ---
- .../server/telecom/TelecomServiceImpl.java    | 21 +++++++++++++++++++
+ .../server/telecom/TelecomServiceImpl.java    | 22 +++++++++++++++++++
- .../telecom/tests/TelecomServiceImplTest.java | 21 +++++++++++++++++++
+ .../telecom/tests/TelecomServiceImplTest.java | 21 ++++++++++++++++++
- 2 files changed, 42 insertions(+)
+ 2 files changed, 43 insertions(+)
 
 diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java
-index 74a7d840b..008b99de2 100644
+index 74a7d840b..14804f0d3 100644
 --- a/src/com/android/server/telecom/TelecomServiceImpl.java
 +++ b/src/com/android/server/telecom/TelecomServiceImpl.java
-@@ -469,6 +469,9 @@ public class TelecomServiceImpl {
+@@ -36,6 +36,7 @@ import android.content.pm.PackageManager;
+ import android.content.res.Resources;
+ import android.content.pm.ParceledListSlice;
+ import android.content.pm.ResolveInfo;
++import android.graphics.drawable.Icon;
+ import android.net.Uri;
+ import android.os.Binder;
+ import android.os.Bundle;
+@@ -469,6 +470,9 @@ public class TelecomServiceImpl {
                              enforceRegisterMultiUser();
                          }
                          enforceUserHandleMatchesCaller(account.getAccountHandle());
@@ -36,7 +44,7 @@ index 74a7d840b..008b99de2 100644
                          final long token = Binder.clearCallingIdentity();
                          try {
                              mPhoneAccountRegistrar.registerPhoneAccount(account);
-@@ -1820,4 +1823,22 @@ public class TelecomServiceImpl {
+@@ -1820,4 +1824,22 @@ public class TelecomServiceImpl {
          // If only TX or RX were set (or neither), the video state is valid.
          return remainingState == 0;
      }

Scripts/LineageOS-15.1/Patch.sh

@@ -74,7 +74,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
 applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2023-11-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2023-12-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -224,6 +224,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/368062-backport.patch"; #R_asb_
 applyPatch "$DOS_PATCHES/android_frameworks_base/368063.patch"; #R_asb_2023-10 Fixing DatabaseUtils to detect malformed UTF-16 strings
 applyPatch "$DOS_PATCHES/android_frameworks_base/373953.patch"; #R_asb_2023-11 Use type safe API of readParcelableArray
 applyPatch "$DOS_PATCHES/android_frameworks_base/373955.patch"; #R_asb_2023-11 [SettingsProvider] verify ringtone URI before setting
+#applyPatch "$DOS_PATCHES/android_frameworks_base/377001-backport.patch"; #R_asb_2023-12 Visit Uris added by WearableExtender
+applyPatch "$DOS_PATCHES/android_frameworks_base/377004-backport.patch"; #R_asb_2023-12 Drop invalid data.
+applyPatch "$DOS_PATCHES/android_frameworks_base/377009.patch"; #R_asb_2023-12 Validate userId when publishing shortcuts
+applyPatch "$DOS_PATCHES/android_frameworks_base/377011.patch"; #R_asb_2023-12 Adding in verification of calling UID in onShellCommand
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
@@ -317,6 +321,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332758-backport.patch";
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332759-backport.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345907-backport.patch"; #P_asb_2022-12 Fix URI check in BluetoothOppUtility.java
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/349332-backport.patch"; #P_asb_2023-02 Fix OPP comparison
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/377014-backport.patch"; #R_asb_2023-12 Fix UAF in ~CallbackEnv
 fi;
 
 if enterAndClear "packages/apps/Contacts"; then
@@ -388,6 +393,7 @@ fi;
 
 if enterAndClear "packages/apps/Trebuchet"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/365974.patch"; #R_asb_2023-09 Fix permission issue in legacy shortcut
+applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/377015.patch"; #R_asb_2023-12 Fix permission bypass in legacy shortcut
 fi;
 
 if enterAndClear "packages/apps/TvSettings"; then
@@ -433,6 +439,7 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/345913.patch"; #P_as
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/347042.patch"; #P_asb_2023-01 Fix security vulnerability when register phone accounts.
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/355777-backport.patch"; #R_asb_2023-05 enforce stricter rules when registering phoneAccount
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/364041-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/377016-backport.patch"; #R_asb_2023-12 Resolve account image icon profile boundary exploit.
 fi;
 
 if enterAndClear "packages/services/Telephony"; then
@@ -477,6 +484,12 @@ applyPatch "$DOS_PATCHES/android_system_bt/365980.patch"; #R_asb_2023-09 Fix int
 applyPatch "$DOS_PATCHES/android_system_bt/365981.patch"; #R_asb_2023-09 Fix potential abort in btu_av_act.cc
 applyPatch "$DOS_PATCHES/android_system_bt/365982-prereq.patch"; #Fix reliable write
 applyPatch "$DOS_PATCHES/android_system_bt/365982.patch"; #R_asb_2023-09 Fix UAF in gatt_cl.cc
+applyPatch "$DOS_PATCHES/android_system_bt/377017.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1]
+applyPatch "$DOS_PATCHES/android_system_bt/377018.patch"; #R_asb_2023-12 Reject access to secure services authenticated from temp bonding [2]
+applyPatch "$DOS_PATCHES/android_system_bt/377019.patch"; #R_asb_2023-12 Reject access to  secure service authenticated from a temp bonding [3]
+applyPatch "$DOS_PATCHES/android_system_bt/377020-backport.patch"; #R_asb_2023-12 Reorganize the code for checking auth requirement
+applyPatch "$DOS_PATCHES/android_system_bt/377021.patch"; #R_asb_2023-12 Enforce authentication if encryption is required
+applyPatch "$DOS_PATCHES/android_system_bt/377023-backport.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
 fi;
 
 if enterAndClear "system/ca-certificates"; then
@@ -492,6 +505,10 @@ applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts
 #if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
 fi;
 
+if enterAndClear "system/netd"; then
+applyPatch "$DOS_PATCHES/android_system_netd/377024-backport.patch"; #R_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run #XXX
+fi;
+
 if enterAndClear "system/nfc"; then
 applyPatch "$DOS_PATCHES/android_system_nfc/332767.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
 applyPatch "$DOS_PATCHES/android_system_nfc/332458-backport.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config

Scripts/LineageOS-16.0/Patch.sh

@@ -166,9 +166,9 @@ fi;
 
 if enterAndClear "frameworks/base"; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/377001-backport.patch"; #R_asb_2023-12 Visit Uris added by WearableExtender
-applyPatch "$DOS_PATCHES/android_frameworks_base/377002.patch"; #R_asb_2023-12 Fix bypass BAL via `requestGeofence`
+#applyPatch "$DOS_PATCHES/android_frameworks_base/377002.patch"; #R_asb_2023-12 Fix bypass BAL via `requestGeofence`
 applyPatch "$DOS_PATCHES/android_frameworks_base/377004-backport.patch"; #R_asb_2023-12 Drop invalid data.
-applyPatch "$DOS_PATCHES/android_frameworks_base/377008.patch"; #R_asb_2023-12 Use readUniqueFileDescriptor in incidentd service
+#applyPatch "$DOS_PATCHES/android_frameworks_base/377008.patch"; #R_asb_2023-12 Use readUniqueFileDescriptor in incidentd service #FIXME
 applyPatch "$DOS_PATCHES/android_frameworks_base/377009.patch"; #R_asb_2023-12 Validate userId when publishing shortcuts
 applyPatch "$DOS_PATCHES/android_frameworks_base/377010-backport.patch"; #R_asb_2023-12 Revert "On device lockdown, always show the keyguard"
 applyPatch "$DOS_PATCHES/android_frameworks_base/377011.patch"; #R_asb_2023-12 Adding in verification of calling UID in onShellCommand