15.1 December ASB work

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2023-12-12 00:44:44 -05:00
parent 4986da8250
commit 9926f25ada
No known key found for this signature in database
GPG Key ID: B286E9F57A07424B
17 changed files with 1009 additions and 9 deletions

View File

@ -0,0 +1,54 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= <matiashe@google.com>
Date: Wed, 5 Jul 2023 13:52:21 +0200
Subject: [PATCH] Visit Uris added by WearableExtender
Bug: 283962802
Test: atest + manual (POC app now crashes on notify() as expected)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a6f44e911f2d7204cc28c710e54f97c96231abab)
Merged-In: I0da18c631eb5e4844a48760c7aaedab715a0bfed
Change-Id: I0da18c631eb5e4844a48760c7aaedab715a0bfed
---
core/java/android/app/Notification.java | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
index b7d265c26f22..6513401f5bfa 100644
--- a/core/java/android/app/Notification.java
+++ b/core/java/android/app/Notification.java
@@ -1493,6 +1493,10 @@ public class Notification implements Parcelable
}
}
+ private void visitUris(@NonNull Consumer<Uri> visitor) {
+ visitIconUri(visitor, getIcon());
+ }
+
@Override
public Action clone() {
return new Action(
@@ -2117,6 +2121,11 @@ public class Notification implements Parcelable
}
}
}
+
+ if (extras != null && extras.containsKey(WearableExtender.EXTRA_WEARABLE_EXTENSIONS)) {
+ WearableExtender extender = new WearableExtender(this);
+ extender.visitUris(visitor);
+ }
}
/**
@@ -7870,6 +7879,12 @@ public class Notification implements Parcelable
mFlags &= ~mask;
}
}
+
+ private void visitUris(@NonNull Consumer<Uri> visitor) {
+ for (Action action : mActions) {
+ action.visitUris(visitor);
+ }
+ }
}
/**

View File

@ -0,0 +1,123 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Kweku Adams <kwekua@google.com>
Date: Fri, 23 Sep 2022 21:06:53 +0000
Subject: [PATCH] RESTRICT AUTOMERGE: Drop invalid data.
Drop invalid data when writing or reading from XML. PersistableBundle
does lazy unparcelling, so checking the values during unparcelling would
remove the benefit of the lazy unparcelling. Checking the validity when
writing to or reading from XML seems like the best alternative.
Bug: 246542285
Bug: 247513680
Test: install test app with invalid job config, start app to schedule job, then check logcat and jobscheduler persisted file
(cherry picked from commit 666e8ac60a31e2cc52b335b41004263f28a8db06)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b37ab21ce27746a79a2071deee98c61b23c8d9)
Merged-In: Ie817aa0993e9046cb313a750d2323cadc8c1ef15
Change-Id: Ie817aa0993e9046cb313a750d2323cadc8c1ef15
---
core/java/android/os/PersistableBundle.java | 42 +++++++++++++++++----
1 file changed, 34 insertions(+), 8 deletions(-)
diff --git a/core/java/android/os/PersistableBundle.java b/core/java/android/os/PersistableBundle.java
index 3ed5b1745245..975b0da06c84 100644
--- a/core/java/android/os/PersistableBundle.java
+++ b/core/java/android/os/PersistableBundle.java
@@ -18,6 +18,7 @@ package android.os;
import android.annotation.Nullable;
import android.util.ArrayMap;
+import android.util.Slog;
import com.android.internal.util.XmlUtils;
@@ -37,6 +38,8 @@ import java.util.ArrayList;
*/
public final class PersistableBundle extends BaseBundle implements Cloneable, Parcelable,
XmlUtils.WriteMapCallback {
+ private static final String TAG = "PersistableBundle";
+
private static final String TAG_PERSISTABLEMAP = "pbundle_as_map";
public static final PersistableBundle EMPTY;
@@ -99,7 +102,11 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
* @hide
*/
public PersistableBundle(Bundle b) {
- this(b.getMap());
+ this(b, true);
+ }
+
+ private PersistableBundle(Bundle b, boolean throwException) {
+ this(b.getMap(), throwException);
}
/**
@@ -108,7 +115,7 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
* @param map a Map containing only those items that can be persisted.
* @throws IllegalArgumentException if any element of #map cannot be persisted.
*/
- private PersistableBundle(ArrayMap<String, Object> map) {
+ private PersistableBundle(ArrayMap<String, Object> map, boolean throwException) {
super();
mFlags = FLAG_DEFUSABLE;
@@ -117,16 +124,23 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
// Now verify each item throwing an exception if there is a violation.
final int N = mMap.size();
- for (int i=0; i<N; i++) {
+ for (int i = N - 1; i >= 0; --i) {
Object value = mMap.valueAt(i);
if (value instanceof ArrayMap) {
// Fix up any Maps by replacing them with PersistableBundles.
- mMap.setValueAt(i, new PersistableBundle((ArrayMap<String, Object>) value));
+ mMap.setValueAt(i,
+ new PersistableBundle((ArrayMap<String, Object>) value, throwException));
} else if (value instanceof Bundle) {
- mMap.setValueAt(i, new PersistableBundle(((Bundle) value)));
+ mMap.setValueAt(i, new PersistableBundle((Bundle) value, throwException));
} else if (!isValidType(value)) {
- throw new IllegalArgumentException("Bad value in PersistableBundle key="
- + mMap.keyAt(i) + " value=" + value);
+ final String errorMsg = "Bad value in PersistableBundle key="
+ + mMap.keyAt(i) + " value=" + value;
+ if (throwException) {
+ throw new IllegalArgumentException(errorMsg);
+ } else {
+ Slog.wtfStack(TAG, errorMsg);
+ mMap.removeAt(i);
+ }
}
}
}
@@ -241,6 +255,15 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
/** @hide */
public void saveToXml(XmlSerializer out) throws IOException, XmlPullParserException {
unparcel();
+ // Explicitly drop invalid types an attacker may have added before persisting.
+ for (int i = mMap.size() - 1; i >= 0; --i) {
+ final Object value = mMap.valueAt(i);
+ if (!isValidType(value)) {
+ Slog.e(TAG, "Dropping bad data before persisting: "
+ + mMap.keyAt(i) + "=" + value);
+ mMap.removeAt(i);
+ }
+ }
XmlUtils.writeMapXml(mMap, out, this);
}
@@ -289,9 +312,12 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
while (((event = in.next()) != XmlPullParser.END_DOCUMENT) &&
(event != XmlPullParser.END_TAG || in.getDepth() < outerDepth)) {
if (event == XmlPullParser.START_TAG) {
+ // Don't throw an exception when restoring from XML since an attacker could try to
+ // input invalid data in the persisted file.
return new PersistableBundle((ArrayMap<String, Object>)
XmlUtils.readThisArrayMapXml(in, startTag, tagName,
- new MyReadMapCallback()));
+ new MyReadMapCallback()),
+ /* throwException */ false);
}
}
return EMPTY;

View File

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pinyao Ting <pinyaoting@google.com>
Date: Mon, 24 Jul 2023 14:58:56 -0700
Subject: [PATCH] Validate userId when publishing shortcuts
Bug: 288110451
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01bfd04ff445db6290ae430d44ea1bf1a115fe3c)
Merged-In: Idbde676f871db83825155730e3714f3727e25762
Change-Id: Idbde676f871db83825155730e3714f3727e25762
---
services/core/java/com/android/server/pm/ShortcutService.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
index 83b817559c2a..7acb99c8270a 100644
--- a/services/core/java/com/android/server/pm/ShortcutService.java
+++ b/services/core/java/com/android/server/pm/ShortcutService.java
@@ -1543,6 +1543,10 @@ public class ShortcutService extends IShortcutService.Stub {
android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, "");
throw new SecurityException("Shortcut package name mismatch");
}
+ final int callingUid = injectBinderCallingUid();
+ if (UserHandle.getUserId(callingUid) != si.getUserId()) {
+ throw new SecurityException("User-ID in shortcut doesn't match the caller");
+ }
}
private void verifyShortcutInfoPackages(

View File

@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Kunal Malhotra <malhk@google.com>
Date: Thu, 2 Feb 2023 23:48:27 +0000
Subject: [PATCH] Adding in verification of calling UID in onShellCommand
Test: manual testing on device
Bug: b/261709193
(cherry picked from commit b651d295b44eb82d664861b77f33dbde1bce9453)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3ef3f18ba3094c4cc4f954ba23d1da421f9ca8b0)
Merged-In: I68903ebd6d3d85f4bc820b745e3233a448b62273
Change-Id: I68903ebd6d3d85f4bc820b745e3233a448b62273
---
.../java/com/android/server/am/ActivityManagerService.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 6e1c913105aa..0bdc9531064e 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -15165,6 +15165,13 @@ public class ActivityManagerService extends IActivityManager.Stub
public void onShellCommand(FileDescriptor in, FileDescriptor out,
FileDescriptor err, String[] args, ShellCallback callback,
ResultReceiver resultReceiver) {
+ final int callingUid = Binder.getCallingUid();
+ if (callingUid != ROOT_UID && callingUid != Process.SHELL_UID) {
+ if (resultReceiver != null) {
+ resultReceiver.send(-1, null);
+ }
+ throw new SecurityException("Shell commands are only callable by root or shell");
+ }
(new ActivityManagerShellCommand(this, false)).exec(
this, in, out, err, args, callback, resultReceiver);
}

View File

@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Thu, 5 Oct 2023 00:01:03 +0000
Subject: [PATCH] Fix UAF in ~CallbackEnv
com_android_bluetooth_btservice_AdapterService does not null its local
JNI environment variable after detaching the thread (which frees the
environment context), allowing UAF under certain conditions.
Null the variable in this case.
Testing here was done through a custom unit test; see patchsets 4-6 for
contents. However, unit testing of the JNI layer is problematic in
production, so that part of the patch is omitted for final merge.
Bug: 291500341
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f543d919c4067f2f4925580fd8a690ba3440e80)
Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030
Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
---
jni/com_android_bluetooth_btservice_AdapterService.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
index ecda5ac62..53ff86469 100644
--- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
+++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
@@ -387,6 +387,7 @@ static void callback_thread_event(bt_cb_thread_evt event) {
return;
}
vm->DetachCurrentThread();
+ callbackEnv = NULL;
}
}

View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pinyao Ting <pinyaoting@google.com>
Date: Tue, 12 Sep 2023 22:37:16 +0000
Subject: [PATCH] Fix permission bypass in legacy shortcut
Intent created for Chooser should not be allowed in legacy shortcuts
since it doesn't make sense for user to tap on a shortcut in homescreen
to share, the expected share flow started from ShareSheet.
Bug: 295334906, 295045199
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b7b192bd7f24a2aa7d6881ee949657c9760c0305)
Merged-In: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
Change-Id: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
---
.../android/launcher3/util/PackageManagerHelper.java | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java
index 1c05c993c7..1b97e478c9 100644
--- a/src/com/android/launcher3/util/PackageManagerHelper.java
+++ b/src/com/android/launcher3/util/PackageManagerHelper.java
@@ -105,15 +105,8 @@ public class PackageManagerHelper {
public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
// b/270152142
if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
- final Bundle extras = intent.getExtras();
- if (extras == null) {
- return true;
- }
- // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
- intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
- if (intent == null) {
- return true;
- }
+ // Chooser shortcuts is not a valid target
+ return false;
}
ResolveInfo target = mPm.resolveActivity(intent, 0);
if (target == null) {

View File

@ -0,0 +1,109 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pranav Madapurmath <pmadapurmath@google.com>
Date: Wed, 5 Apr 2023 21:36:12 +0000
Subject: [PATCH] Resolve account image icon profile boundary exploit.
Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit
is possible where the user can upload an image icon (belonging to
another user) via registering a phone account. This CL provides a
lightweight solution for parsing the image URI to detect profile
exploitation.
Fixes: 273502295
Fixes: 296915211
Test: Unit test to enforce successful/failure path
(cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7)
(cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42)
Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
---
.../server/telecom/TelecomServiceImpl.java | 22 +++++++++++++++++++
.../telecom/tests/TelecomServiceImplTest.java | 22 +++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java
index 2f9ffdbc4..4641f5436 100644
--- a/src/com/android/server/telecom/TelecomServiceImpl.java
+++ b/src/com/android/server/telecom/TelecomServiceImpl.java
@@ -35,6 +35,7 @@ import android.content.pm.PackageManager;
import android.content.res.Resources;
import android.content.pm.ParceledListSlice;
import android.content.pm.ResolveInfo;
+import android.graphics.drawable.Icon;
import android.net.Uri;
import android.os.Binder;
import android.os.Bundle;
@@ -468,6 +469,9 @@ public class TelecomServiceImpl {
enforceRegisterMultiUser();
}
enforceUserHandleMatchesCaller(account.getAccountHandle());
+ // Validate the profile boundary of the given image URI.
+ validateAccountIconUserBoundary(account.getIcon());
+
final long token = Binder.clearCallingIdentity();
try {
mPhoneAccountRegistrar.registerPhoneAccount(account);
@@ -1742,4 +1746,22 @@ public class TelecomServiceImpl {
// If only TX or RX were set (or neither), the video state is valid.
return remainingState == 0;
}
+
+ private void validateAccountIconUserBoundary(Icon icon) {
+ // Refer to Icon#getUriString for context. The URI string is invalid for icons of
+ // incompatible types.
+ if (icon != null && (icon.getType() == Icon.TYPE_URI
+ /*|| icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP*/)) {
+ String encodedUser = icon.getUri().getEncodedUserInfo();
+ // If there is no encoded user, the URI is calling into the calling user space
+ if (encodedUser != null) {
+ int userId = Integer.parseInt(encodedUser);
+ if (userId != UserHandle.getUserId(Binder.getCallingUid())) {
+ // If we are transcending the profile boundary, throw an error.
+ throw new IllegalArgumentException("Attempting to register a phone account with"
+ + " an image icon belonging to another user.");
+ }
+ }
+ }
+ }
}
diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
index 1d46f1abb..491b6183f 100644
--- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
+++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
@@ -28,6 +28,7 @@ import android.content.Context;
import android.content.Intent;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
+import android.graphics.drawable.Icon;
import android.net.Uri;
import android.os.Binder;
import android.os.Bundle;
@@ -478,6 +479,27 @@ public class TelecomServiceImplTest extends TelecomTestCase {
}
}
+ @SmallTest
+ @Test
+ public void testRegisterPhoneAccountImageIconCrossUser() throws RemoteException {
+ String packageNameToUse = "com.android.officialpackage";
+ PhoneAccountHandle phHandle = new PhoneAccountHandle(new ComponentName(
+ packageNameToUse, "cs"), "test", Binder.getCallingUserHandle());
+ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/");
+ PhoneAccount phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build();
+ doReturn(PackageManager.PERMISSION_GRANTED)
+ .when(mContext).checkCallingOrSelfPermission(MODIFY_PHONE_STATE);
+
+ // This should fail; security exception will be thrown.
+ registerPhoneAccountTestHelper(phoneAccount, false);
+
+ icon = Icon.createWithContentUri("content://0@media/external/images/media/");
+ phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build();
+ // This should succeed.
+ registerPhoneAccountTestHelper(phoneAccount, true);
+ }
+
+
@SmallTest
public void testUnregisterPhoneAccount() throws RemoteException {
String packageNameToUse = "com.android.officialpackage";

View File

@ -0,0 +1,99 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Sat, 2 Sep 2023 04:20:10 +0000
Subject: [PATCH] Reject access to secure service authenticated from a temp
bonding [1]
Rejecct access to services running on l2cap
Backport of
Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d)
Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
---
stack/btm/btm_sec.cc | 38 ++++++++++++++++++++++++++++++++++----
1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 9be18a42b..c0cade2f2 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -100,7 +100,7 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
uint32_t mx_proto_id,
uint32_t mx_chan_id);
-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec);
+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec);
static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec);
static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec);
static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
@@ -142,7 +142,7 @@ static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = {
* Returns bool true or false
*
******************************************************************************/
-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) {
+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec) {
if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) {
return (true);
}
@@ -216,6 +216,25 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
return (false);
}
+/*******************************************************************************
+ *
+ * Function access_secure_service_from_temp_bond
+ *
+ * Description a utility function to test whether an access to
+ * secure service from temp bonding is happening
+ *
+ * Returns true if the aforementioned condition holds,
+ * false otherwise
+ *
+ ******************************************************************************/
+static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec,
+ bool locally_initiated,
+ uint16_t security_req) {
+ return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
+ btm_dev_authenticated(p_dev_rec) &&
+ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
+}
+
/*******************************************************************************
*
* Function BTM_SecRegister
@@ -2212,9 +2231,13 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
}
if (rc == BTM_SUCCESS) {
+ if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required)) {
+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
+ rc = BTM_FAILED_ON_SECURITY;
+ }
if (p_callback)
- (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS);
- return (BTM_SUCCESS);
+ (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc);
+ return (rc);
}
}
@@ -5271,6 +5294,13 @@ static tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
}
}
+ if (access_secure_service_from_temp_bond(p_dev_rec,
+ p_dev_rec->is_originator,
+ p_dev_rec->security_required)) {
+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
+ return (BTM_FAILED_ON_SECURITY);
+ }
+
/* All required security procedures already established */
p_dev_rec->security_required &=
~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |

View File

@ -0,0 +1,37 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Sat, 2 Sep 2023 04:27:29 +0000
Subject: [PATCH] Reject access to secure services authenticated from temp
bonding [2]
Reject access to service running on rfcomm
this is a backport of
I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5e0e907ec4948f06b3a35ecf08725c020d533ccb)
Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
---
stack/btm/btm_sec.cc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index c0cade2f2..5f35733f5 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -2570,6 +2570,11 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
mx_chan_id, p_callback, p_ref_data);
} else /* rc == BTM_SUCCESS */
{
+ if (access_secure_service_from_temp_bond(p_dev_rec,
+ is_originator, security_required)) {
+ LOG_ERROR(LOG_TAG, "Trying to access a secure rfcomm service from a temp bonding, reject");
+ rc = BTM_FAILED_ON_SECURITY;
+ }
/* access granted */
if (p_callback) {
(*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc);

View File

@ -0,0 +1,47 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 12 Sep 2023 23:47:48 +0000
Subject: [PATCH] Reject access to secure service authenticated from a temp
bonding [3]
Allow access to rfcomm PSM by default
Original bug
Bug: 294854926
Nearby regressions:
Bug: 298539299
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab986fe4165aae74c5915f57ad2e78bf80f1d3ec)
Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
---
stack/btm/btm_sec.cc | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 5f35733f5..fb00cb230 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -2254,15 +2254,15 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
btm_cb.security_mode == BTM_SEC_MODE_SC) {
if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
if (is_originator) {
- /* SM4 to SM4 -> always authenticate & encrypt */
- security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
+ /* SM4 to SM4 -> always encrypt */
+ security_required |= BTM_SEC_OUT_ENCRYPT;
} else /* acceptor */
{
/* SM4 to SM4: the acceptor needs to make sure the authentication is
* already done */
chk_acp_auth_done = true;
- /* SM4 to SM4 -> always authenticate & encrypt */
- security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
+ /* SM4 to SM4 -> always encrypt */
+ security_required |= BTM_SEC_IN_ENCRYPT;
}
} else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) {
/* the remote features are not known yet */

View File

@ -0,0 +1,137 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 12 Sep 2023 23:54:08 +0000
Subject: [PATCH] Reorganize the code for checking auth requirement
Original bug
Bug: 294854926
regressions:
Bug: 299570702
Test: Test: m com.android.btservices
Test: QA validation
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0c488b2420befe0f8038957861072a8e63702f91)
Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
---
stack/btm/btm_sec.cc | 99 ++++++++++++++++++++++++++------------------
1 file changed, 59 insertions(+), 40 deletions(-)
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index fb00cb230..005629c48 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -5202,52 +5202,71 @@ static tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
/* If connection is not authenticated and authentication is required */
/* start authentication and return PENDING to the caller */
- if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) &&
- ((p_dev_rec->is_originator &&
- (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) ||
- (!p_dev_rec->is_originator &&
- (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))) ||
- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
- (!p_dev_rec->is_originator &&
- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) &&
- (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) {
-/*
- * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
- * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
- * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
- * authenticated connections, hence we cannot distinguish here.
- */
+ if (p_dev_rec->hci_handle != HCI_INVALID_HANDLE) {
+ bool start_auth = false;
+
+ // Check link status of BR/EDR
+ if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
+ if (p_dev_rec->is_originator) {
+ if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) {
+ LOG_DEBUG(LOG_TAG, "Outgoing authentication Required");
+ start_auth = true;
+ }
+ } else {
+ if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) {
+ LOG_DEBUG(LOG_TAG, "Incoming authentication Required");
+ start_auth = true;
+ }
+ }
+ }
+
+ if (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)) {
+ /*
+ * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
+ * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
+ * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
+ * authenticated connections, hence we cannot distinguish here.
+ */
+ if (!p_dev_rec->is_originator) {
+ if (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) {
+ LOG_DEBUG(LOG_TAG, "BTM_SEC_IN_MIN_16_DIGIT_PIN Required");
+ start_auth = true;
+ }
+ }
+ }
+ if (start_auth) {
#if (L2CAP_UCD_INCLUDED == TRUE)
- /* if incoming UCD packet, discard it */
- if (!p_dev_rec->is_originator && (p_dev_rec->is_ucd == true))
- return (BTM_FAILED_ON_SECURITY);
+ /* if incoming UCD packet, discard it */
+ if (!p_dev_rec->is_originator && (p_dev_rec->is_ucd == true))
+ return (BTM_FAILED_ON_SECURITY);
#endif
- BTM_TRACE_EVENT("Security Manager: Start authentication");
+ LOG_DEBUG(LOG_TAG, "Security Manager: Start authentication");
- /*
- * If we do have a link-key, but we end up here because we need an
- * upgrade, then clear the link-key known and authenticated flag before
- * restarting authentication.
- * WARNING: If the controller has link-key, it is optional and
- * recommended for the controller to send a Link_Key_Request.
- * In case we need an upgrade, the only alternative would be to delete
- * the existing link-key. That could lead to very bad user experience
- * or even IOP issues, if a reconnect causes a new connection that
- * requires an upgrade.
- */
- if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) &&
- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
- (!p_dev_rec->is_originator &&
- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
- p_dev_rec->sec_flags &=
- ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
- BTM_SEC_AUTHENTICATED);
- }
+ /*
+ * If we do have a link-key, but we end up here because we need an
+ * upgrade, then clear the link-key known and authenticated flag before
+ * restarting authentication.
+ * WARNING: If the controller has link-key, it is optional and
+ * recommended for the controller to send a Link_Key_Request.
+ * In case we need an upgrade, the only alternative would be to delete
+ * the existing link-key. That could lead to very bad user experience
+ * or even IOP issues, if a reconnect causes a new connection that
+ * requires an upgrade.
+ */
+ if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) &&
+ (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
+ (!p_dev_rec->is_originator &&
+ (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
+ p_dev_rec->sec_flags &=
+ ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
+ BTM_SEC_AUTHENTICATED);
+ }
- btm_sec_start_authentication(p_dev_rec);
- return (BTM_CMD_STARTED);
+ btm_sec_start_authentication(p_dev_rec);
+ return (BTM_CMD_STARTED);
+ }
}
/* If connection is not encrypted and encryption is required */

View File

@ -0,0 +1,46 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 13 Sep 2023 00:00:44 +0000
Subject: [PATCH] Enforce authentication if encryption is required
Original bug
Bug: 294854926
regressions:
Bug: 299570702
Bug: 299561281
Test: Test: m com.android.btservices
Test: QA validation
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:778d3fb3fb520e54425ecefe9a28453002053553)
Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa
Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa
---
stack/btm/btm_sec.cc | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 005629c48..29ca8320f 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -5208,13 +5208,15 @@ static tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
// Check link status of BR/EDR
if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
if (p_dev_rec->is_originator) {
- if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) {
- LOG_DEBUG(LOG_TAG, "Outgoing authentication Required");
+ if (p_dev_rec->security_required &
+ (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) {
+ LOG_DEBUG(LOG_TAG, "Outgoing authentication/encryption Required");
start_auth = true;
}
} else {
- if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) {
- LOG_DEBUG(LOG_TAG, "Incoming authentication Required");
+ if (p_dev_rec->security_required &
+ (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) {
+ LOG_DEBUG(LOG_TAG, "Incoming authentication/encryption Required");
start_auth = true;
}
}

View File

@ -0,0 +1,69 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Tue, 3 Oct 2023 21:27:49 +0000
Subject: [PATCH] Fix timing attack in BTM_BleVerifySignature
BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
to be deduced through a side-channel attack.
Change to CRYPTO_memcmp, which is hardened against this attack, to
eliminate this attack.
Bug: 274478807
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)
Merged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c
Change-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c
---
main/Android.bp | 1 +
stack/Android.bp | 1 +
stack/btm/btm_ble.cc | 3 ++-
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/main/Android.bp b/main/Android.bp
index 9dc5a9866..35df9e6d4 100644
--- a/main/Android.bp
+++ b/main/Android.bp
@@ -48,6 +48,7 @@ cc_library_shared {
"libutils",
"libtinyxml2",
"libz",
+ "libcrypto",
],
static_libs: [
"libbt-sbc-decoder",
diff --git a/stack/Android.bp b/stack/Android.bp
index 5cb567895..dd0f934f3 100644
--- a/stack/Android.bp
+++ b/stack/Android.bp
@@ -176,6 +176,7 @@ cc_library_static {
shared_libs: [
"libcutils",
"liblog",
+ "libcrypto",
],
required: [
"libldacBT_enc",
diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc
index 3a67f75ba..b8dfba239 100644
--- a/stack/btm/btm_ble.cc
+++ b/stack/btm/btm_ble.cc
@@ -41,6 +41,7 @@
#include "hcimsgs.h"
#include "log/log.h"
#include "l2c_int.h"
+#include "openssl/mem.h"
#include "osi/include/log.h"
#include "osi/include/osi.h"
#include "smp_api.h"
@@ -2235,7 +2236,7 @@ bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,
if (aes_cipher_msg_auth_code(p_rec->ble.keys.pcsrk, p_orig, len,
BTM_CMAC_TLEN_SIZE, p_mac)) {
- if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
+ if (CRYPTO_memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
btm_ble_increment_sign_ctr(bd_addr, false);
verified = true;
}

View File

@ -0,0 +1,114 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Lin Lee <linlee@google.com>
Date: Mon, 7 Aug 2023 09:34:41 +0000
Subject: [PATCH] Fix Heap-use-after-free in MDnsSdListener::Monitor::run
Use thread join to avoid thread exiting after instance
recycled.
Prior to implementing this patch, fuzzing would lead to a segmentation fault after approximately 500 rounds. With the addition of the patch, the fuzzing process can now be repeated for over 30,000 rounds.
Test: m, fuzzing
Fuzzing: mma mdns_service_fuzzer && adb sync data && adb shell /data/fuzz/arm64/mdns_service_fuzzer/mdns_service_fuzzer
Bug: 272382770
Ignore-AOSP-First: Security Issue
(cherry picked from commit 9c0c15f80cffb98b36284dd169a2e62e059dbbe3)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:75e5e2e1faec7aa2812fc6fba30d6fe80558bacd)
Merged-In: I5bc85451b4e6539bad45ceb672924a37952cc138
Change-Id: I5bc85451b4e6539bad45ceb672924a37952cc138
---
server/MDnsSdListener.cpp | 36 ++++++++++++++++++++++++------------
server/MDnsSdListener.h | 4 +++-
2 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
index ef53d249..6eaaf5c0 100644
--- a/server/MDnsSdListener.cpp
+++ b/server/MDnsSdListener.cpp
@@ -27,6 +27,7 @@
#include <sys/types.h>
#include <string.h>
#include <resolv.h>
+#include <thread>
#define LOG_TAG "MDnsDS"
#define DBG 1
@@ -524,10 +525,17 @@ MDnsSdListener::Monitor::Monitor() {
socketpair(AF_LOCAL, SOCK_STREAM, 0, mCtrlSocketPair);
pthread_mutex_init(&mHeadMutex, NULL);
- const int rval = ::android::net::threadLaunch(this);
- if (rval != 0) {
- ALOGW("Error spawning monitor thread: %s (%d)", strerror(-rval), -rval);
- }
+ mRescanThread = new std::thread(&Monitor::run, this);
+ if (!mRescanThread->joinable()) ALOGE("Unable to launch thread.");
+}
+
+MDnsSdListener::Monitor::~Monitor() {
+ if (VDBG) ALOGD("Monitor recycling");
+ close(mCtrlSocketPair[1]); // interrupt poll in MDnsSdListener::Monitor::run() and revent will
+ // be 17 = POLLIN | POLLHUP
+ mRescanThread->join();
+ delete mRescanThread;
+ if (VDBG) ALOGD("Monitor recycled");
}
#define NAP_TIME 200 // 200 ms between polls
@@ -617,14 +625,18 @@ void MDnsSdListener::Monitor::run() {
}
}
if (VDBG) ALOGD("controlSocket shows revent= %d", mPollFds[0].revents);
- switch (mPollFds[0].revents) {
- case POLLIN: {
- char readBuf[2];
- read(mCtrlSocketPair[0], &readBuf, 1);
- if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
- if (memcmp(RESCAN, readBuf, 1) == 0) {
- pollCount = rescan();
- }
+ if (mPollFds[0].revents & POLLHUP) {
+ free(mPollFds);
+ free(mPollRefs);
+ if (VDBG) ALOGD("Monitor thread leaving.");
+ return;
+ }
+ if (mPollFds[0].revents == POLLIN) {
+ char readBuf[2];
+ read(mCtrlSocketPair[0], &readBuf, 1);
+ if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
+ if (memcmp(RESCAN, readBuf, 1) == 0) {
+ pollCount = rescan();
}
}
mPollFds[0].revents = 0;
diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h
index 8c6096e8..2b3cb5e2 100644
--- a/server/MDnsSdListener.h
+++ b/server/MDnsSdListener.h
@@ -20,6 +20,7 @@
#include <pthread.h>
#include <sysutils/FrameworkListener.h>
#include <dns_sd.h>
+#include <thread>
#include "NetdCommand.h"
@@ -71,7 +72,7 @@ private:
class Monitor {
public:
Monitor();
- virtual ~Monitor() {}
+ ~Monitor();
DNSServiceRef *allocateServiceRef(int id, Context *c);
void startMonitoring(int id);
DNSServiceRef *lookupServiceRef(int id);
@@ -101,6 +102,7 @@ private:
int mPollSize;
int mCtrlSocketPair[2];
pthread_mutex_t mHeadMutex;
+ std::thread* mRescanThread;
};
class Handler : public NetdCommand {

View File

@ -18,15 +18,23 @@ Test: Unit test to enforce successful/failure path
Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
---
.../server/telecom/TelecomServiceImpl.java | 21 +++++++++++++++++++
.../telecom/tests/TelecomServiceImplTest.java | 21 +++++++++++++++++++
2 files changed, 42 insertions(+)
.../server/telecom/TelecomServiceImpl.java | 22 +++++++++++++++++++
.../telecom/tests/TelecomServiceImplTest.java | 21 ++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java
index 74a7d840b..008b99de2 100644
index 74a7d840b..14804f0d3 100644
--- a/src/com/android/server/telecom/TelecomServiceImpl.java
+++ b/src/com/android/server/telecom/TelecomServiceImpl.java
@@ -469,6 +469,9 @@ public class TelecomServiceImpl {
@@ -36,6 +36,7 @@ import android.content.pm.PackageManager;
import android.content.res.Resources;
import android.content.pm.ParceledListSlice;
import android.content.pm.ResolveInfo;
+import android.graphics.drawable.Icon;
import android.net.Uri;
import android.os.Binder;
import android.os.Bundle;
@@ -469,6 +470,9 @@ public class TelecomServiceImpl {
enforceRegisterMultiUser();
}
enforceUserHandleMatchesCaller(account.getAccountHandle());
@ -36,7 +44,7 @@ index 74a7d840b..008b99de2 100644
final long token = Binder.clearCallingIdentity();
try {
mPhoneAccountRegistrar.registerPhoneAccount(account);
@@ -1820,4 +1823,22 @@ public class TelecomServiceImpl {
@@ -1820,4 +1824,22 @@ public class TelecomServiceImpl {
// If only TX or RX were set (or neither), the video state is valid.
return remainingState == 0;
}

View File

@ -74,7 +74,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
sed -i 's/2021-10-05/2023-11-05/' core/version_defaults.mk; #Bump Security String #XXX
sed -i 's/2021-10-05/2023-12-05/' core/version_defaults.mk; #Bump Security String #XXX
fi;
if enterAndClear "build/soong"; then
@ -224,6 +224,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/368062-backport.patch"; #R_asb_
applyPatch "$DOS_PATCHES/android_frameworks_base/368063.patch"; #R_asb_2023-10 Fixing DatabaseUtils to detect malformed UTF-16 strings
applyPatch "$DOS_PATCHES/android_frameworks_base/373953.patch"; #R_asb_2023-11 Use type safe API of readParcelableArray
applyPatch "$DOS_PATCHES/android_frameworks_base/373955.patch"; #R_asb_2023-11 [SettingsProvider] verify ringtone URI before setting
#applyPatch "$DOS_PATCHES/android_frameworks_base/377001-backport.patch"; #R_asb_2023-12 Visit Uris added by WearableExtender
applyPatch "$DOS_PATCHES/android_frameworks_base/377004-backport.patch"; #R_asb_2023-12 Drop invalid data.
applyPatch "$DOS_PATCHES/android_frameworks_base/377009.patch"; #R_asb_2023-12 Validate userId when publishing shortcuts
applyPatch "$DOS_PATCHES/android_frameworks_base/377011.patch"; #R_asb_2023-12 Adding in verification of calling UID in onShellCommand
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
@ -317,6 +321,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332758-backport.patch";
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332759-backport.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345907-backport.patch"; #P_asb_2022-12 Fix URI check in BluetoothOppUtility.java
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/349332-backport.patch"; #P_asb_2023-02 Fix OPP comparison
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/377014-backport.patch"; #R_asb_2023-12 Fix UAF in ~CallbackEnv
fi;
if enterAndClear "packages/apps/Contacts"; then
@ -388,6 +393,7 @@ fi;
if enterAndClear "packages/apps/Trebuchet"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/365974.patch"; #R_asb_2023-09 Fix permission issue in legacy shortcut
applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/377015.patch"; #R_asb_2023-12 Fix permission bypass in legacy shortcut
fi;
if enterAndClear "packages/apps/TvSettings"; then
@ -433,6 +439,7 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/345913.patch"; #P_as
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/347042.patch"; #P_asb_2023-01 Fix security vulnerability when register phone accounts.
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/355777-backport.patch"; #R_asb_2023-05 enforce stricter rules when registering phoneAccount
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/364041-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user.
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/377016-backport.patch"; #R_asb_2023-12 Resolve account image icon profile boundary exploit.
fi;
if enterAndClear "packages/services/Telephony"; then
@ -477,6 +484,12 @@ applyPatch "$DOS_PATCHES/android_system_bt/365980.patch"; #R_asb_2023-09 Fix int
applyPatch "$DOS_PATCHES/android_system_bt/365981.patch"; #R_asb_2023-09 Fix potential abort in btu_av_act.cc
applyPatch "$DOS_PATCHES/android_system_bt/365982-prereq.patch"; #Fix reliable write
applyPatch "$DOS_PATCHES/android_system_bt/365982.patch"; #R_asb_2023-09 Fix UAF in gatt_cl.cc
applyPatch "$DOS_PATCHES/android_system_bt/377017.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1]
applyPatch "$DOS_PATCHES/android_system_bt/377018.patch"; #R_asb_2023-12 Reject access to secure services authenticated from temp bonding [2]
applyPatch "$DOS_PATCHES/android_system_bt/377019.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3]
applyPatch "$DOS_PATCHES/android_system_bt/377020-backport.patch"; #R_asb_2023-12 Reorganize the code for checking auth requirement
applyPatch "$DOS_PATCHES/android_system_bt/377021.patch"; #R_asb_2023-12 Enforce authentication if encryption is required
applyPatch "$DOS_PATCHES/android_system_bt/377023-backport.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
fi;
if enterAndClear "system/ca-certificates"; then
@ -492,6 +505,10 @@ applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts
#if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
fi;
if enterAndClear "system/netd"; then
applyPatch "$DOS_PATCHES/android_system_netd/377024-backport.patch"; #R_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run #XXX
fi;
if enterAndClear "system/nfc"; then
applyPatch "$DOS_PATCHES/android_system_nfc/332767.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
applyPatch "$DOS_PATCHES/android_system_nfc/332458-backport.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config

View File

@ -166,9 +166,9 @@ fi;
if enterAndClear "frameworks/base"; then
applyPatch "$DOS_PATCHES/android_frameworks_base/377001-backport.patch"; #R_asb_2023-12 Visit Uris added by WearableExtender
applyPatch "$DOS_PATCHES/android_frameworks_base/377002.patch"; #R_asb_2023-12 Fix bypass BAL via `requestGeofence`
#applyPatch "$DOS_PATCHES/android_frameworks_base/377002.patch"; #R_asb_2023-12 Fix bypass BAL via `requestGeofence`
applyPatch "$DOS_PATCHES/android_frameworks_base/377004-backport.patch"; #R_asb_2023-12 Drop invalid data.
applyPatch "$DOS_PATCHES/android_frameworks_base/377008.patch"; #R_asb_2023-12 Use readUniqueFileDescriptor in incidentd service
#applyPatch "$DOS_PATCHES/android_frameworks_base/377008.patch"; #R_asb_2023-12 Use readUniqueFileDescriptor in incidentd service #FIXME
applyPatch "$DOS_PATCHES/android_frameworks_base/377009.patch"; #R_asb_2023-12 Validate userId when publishing shortcuts
applyPatch "$DOS_PATCHES/android_frameworks_base/377010-backport.patch"; #R_asb_2023-12 Revert "On device lockdown, always show the keyguard"
applyPatch "$DOS_PATCHES/android_frameworks_base/377011.patch"; #R_asb_2023-12 Adding in verification of calling UID in onShellCommand