More 14.1 picks + 15.1 November ASB work

Signed-off-by: Tad <tad@spotco.us>
Tad 2022-11-13 18:03:16 -05:00
parent 14f7f1db32
commit 9d1efb33c3
GPG Key ID: B286E9F57A07424B
25 changed files with 2017 additions and 22 deletions


@ -1,8 +1,8 @@
From 623d9421f9f175283af8c562604af2385e7addb1 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Louis Chang <louischang@google.com>
Date: Tue, 2 Aug 2022 03:33:39 +0000
Subject: [PATCH] [BACKPORT] Do not send new Intent to non-exported activity
when navigateUpTo
Subject: [PATCH] Do not send new Intent to non-exported activity when
navigateUpTo
The new Intent was delivered to a non-exported activity while
@ -22,7 +22,7 @@ diff --git a/services/core/java/com/android/server/am/ActivityRecord.java b/serv
index d6c53076614d..a3ace26df5f7 100755
--- a/services/core/java/com/android/server/am/ActivityRecord.java
+++ b/services/core/java/com/android/server/am/ActivityRecord.java
@@ -1535,6 +1535,10 @@ int getUid() {
@@ -1535,6 +1535,10 @@ final class ActivityRecord {
return info.applicationInfo.uid;
}
@ -37,7 +37,7 @@ diff --git a/services/core/java/com/android/server/am/ActivityStack.java b/servi
index 7376fa869ab9..696079848995 100644
--- a/services/core/java/com/android/server/am/ActivityStack.java
+++ b/services/core/java/com/android/server/am/ActivityStack.java
@@ -3794,14 +3794,30 @@ final boolean navigateUpToLocked(ActivityRecord srec, Intent destIntent, int res
@@ -3794,14 +3794,30 @@ final class ActivityStack {
}
if (parent != null && foundParentInTask) {
@ -74,7 +74,7 @@ diff --git a/services/core/java/com/android/server/am/ProcessRecord.java b/servi
index 7746f1e3508d..d8fe39cf2162 100644
--- a/services/core/java/com/android/server/am/ProcessRecord.java
+++ b/services/core/java/com/android/server/am/ProcessRecord.java
@@ -465,6 +465,10 @@ public void setPid(int _pid) {
@@ -465,6 +465,10 @@ final class ProcessRecord {
stringName = null;
}


@ -1,4 +1,4 @@
From 2d476338e9c714405c9fda55283911e00192534d Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Aseem Kumar <aseemk@google.com>
Date: Mon, 21 Mar 2022 20:35:20 -0700
Subject: [PATCH] DO NOT MERGE Move accountname and typeName length check from
@ -19,7 +19,7 @@ diff --git a/core/java/android/accounts/Account.java b/core/java/android/account
index 1546ae14862d..3f90f36fb2a1 100644
--- a/core/java/android/accounts/Account.java
+++ b/core/java/android/accounts/Account.java
@@ -28,7 +28,6 @@
@@ -28,7 +28,6 @@ import android.util.ArraySet;
import android.util.Log;
import com.android.internal.annotations.GuardedBy;
@ -27,7 +27,7 @@ index 1546ae14862d..3f90f36fb2a1 100644
import java.util.Set;
/**
@@ -81,12 +80,6 @@ public Account(String name, String type, String accessId) {
@@ -81,12 +80,6 @@ public class Account implements Parcelable {
if (TextUtils.isEmpty(type)) {
throw new IllegalArgumentException("the type must not be empty: " + type);
}
@ -41,10 +41,10 @@ index 1546ae14862d..3f90f36fb2a1 100644
this.type = type;
this.accessId = accessId;
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index 126955add01a..30ddc6763842 100644
index 3aea365b7ced..239297cc420a 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -1304,6 +1304,14 @@ private boolean addAccountInternal(UserAccounts accounts, Account account, Strin
@@ -1305,6 +1305,14 @@ public class AccountManagerService
if (account == null) {
return false;
}
@ -59,7 +59,7 @@ index 126955add01a..30ddc6763842 100644
if (!isLocalUnlockedUser(accounts.userId)) {
Log.w(TAG, "Account " + account + " cannot be added - user " + accounts.userId
+ " is locked. callingUid=" + callingUid);
@@ -1500,6 +1508,10 @@ public void renameAccount(
@@ -1501,6 +1509,10 @@ public class AccountManagerService
+ ", pid " + Binder.getCallingPid());
}
if (accountToRename == null) throw new IllegalArgumentException("account is null");
@ -74,7 +74,7 @@ diff --git a/services/tests/servicestests/src/com/android/server/accounts/Accoun
index a3d0afab88eb..5467f2264efe 100644
--- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
+++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
@@ -132,6 +132,21 @@ public void testCheckAddAccount() throws Exception {
@@ -132,6 +132,21 @@ public class AccountManagerServiceTest extends AndroidTestCase {
assertEquals(a31, accounts[1]);
}


@ -0,0 +1,336 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Matt Pietal <mpietal@google.com>
Date: Thu, 18 Aug 2022 12:04:43 +0000
Subject: [PATCH] Do not dismiss keyguard after SIM PUK unlock
After PUK unlock, multiple calls to
KeyguardSecurityContainerController#dismiss() were being called from
the KeyguardSimPukViewController, which begins the transition to the
next security screen, if any. At the same time, other parts of the
system, also listening to SIM events, recognize the PUK unlock and
call KeyguardSecurityContainer#showSecurityScreen, which updates which
security method comes next. After boot, this should be one of PIN,
Password, Pattern, assuming they have a security method. If one of the
first dismiss() calls comes AFTER the security method changes, this is
incorrectly recognized by the code as a successful
PIN/pattern/password unlock. This causes the keyguard to be marked as
done, causing screen flickers and incorrect system state.
The solution: every call to dismiss() should include a new parameter
for the security method used. If there is a difference between this
parameter and the current value in KeyguardSecurityContainerCallback,
ignore the request, as the system state has changed.
Bug: 218500036
Test: atest KeyguardSecurityContainerTest
Merged-In: I7c8714a177bc85fbce92f6e8fe911f74ca2ac243
Change-Id: I30226bc7b5eda9480d471b35fe81e106b0491ff8
(cherry picked from commit a30148b8a40a36cababba1ff434d053cfd7dd6e3)
Merged-In: I30226bc7b5eda9480d471b35fe81e106b0491ff8
---
.../keyguard/KeyguardAbsKeyInputView.java | 4 ++-
.../android/keyguard/KeyguardHostView.java | 11 ++++---
.../com/android/keyguard/KeyguardPINView.java | 6 ++++
.../keyguard/KeyguardPasswordView.java | 6 ++++
.../android/keyguard/KeyguardPatternView.java | 3 +-
.../keyguard/KeyguardSecurityCallback.java | 5 ++-
.../keyguard/KeyguardSecurityContainer.java | 31 ++++++++++++++-----
.../android/keyguard/KeyguardSimPinView.java | 8 ++++-
.../android/keyguard/KeyguardSimPukView.java | 8 ++++-
9 files changed, 65 insertions(+), 17 deletions(-)
diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardAbsKeyInputView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardAbsKeyInputView.java
index 9b85e13b2839..f77b32391f3f 100644
--- a/packages/Keyguard/src/com/android/keyguard/KeyguardAbsKeyInputView.java
+++ b/packages/Keyguard/src/com/android/keyguard/KeyguardAbsKeyInputView.java
@@ -28,6 +28,7 @@ import android.widget.LinearLayout;
import com.android.internal.widget.LockPatternChecker;
import com.android.internal.widget.LockPatternUtils;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
/**
* Base class for PIN and password unlock screens.
@@ -88,6 +89,7 @@ public abstract class KeyguardAbsKeyInputView extends LinearLayout
protected abstract int getPasswordTextViewId();
protected abstract void resetState();
+ protected abstract SecurityMode getSecurityMode();
@Override
protected void onFinishInflate() {
@@ -168,7 +170,7 @@ public abstract class KeyguardAbsKeyInputView extends LinearLayout
mCallback.reportUnlockAttempt(userId, true, 0);
if (dismissKeyguard) {
mDismissing = true;
- mCallback.dismiss(true);
+ mCallback.dismiss(true, getSecurityMode());
}
} else {
if (isValidPassword) {
diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardHostView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardHostView.java
index 434631e1c0fd..ad2a2048f913 100644
--- a/packages/Keyguard/src/com/android/keyguard/KeyguardHostView.java
+++ b/packages/Keyguard/src/com/android/keyguard/KeyguardHostView.java
@@ -88,7 +88,7 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback {
// the user proved presence via some other way to the trust agent.
Log.i(TAG, "TrustAgent dismissed Keyguard.");
}
- dismiss(false /* authenticated */);
+ dismiss(false /* authenticated */, SecurityMode.Invalid);
} else {
mViewMediatorCallback.playTrustedSound();
}
@@ -181,12 +181,12 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback {
* @return True if the keyguard is done.
*/
public boolean dismiss() {
- return dismiss(false);
+ return dismiss(false, getCurrentSecurityMode());
}
public boolean handleBackKey() {
if (mSecurityContainer.getCurrentSecuritySelection() != SecurityMode.None) {
- mSecurityContainer.dismiss(false);
+ mSecurityContainer.dismiss(false, getCurrentSecurityMode());
return true;
}
return false;
@@ -207,8 +207,9 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback {
}
@Override
- public boolean dismiss(boolean authenticated) {
- return mSecurityContainer.showNextSecurityScreenOrFinish(authenticated);
+ public boolean dismiss(boolean authenticated, SecurityMode expectedSecurityMode) {
+ return mSecurityContainer.showNextSecurityScreenOrFinish(authenticated,
+ expectedSecurityMode);
}
/**
diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardPINView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardPINView.java
index 113c212697f0..35a1201fd744 100644
--- a/packages/Keyguard/src/com/android/keyguard/KeyguardPINView.java
+++ b/packages/Keyguard/src/com/android/keyguard/KeyguardPINView.java
@@ -29,6 +29,7 @@ import java.util.Arrays;
import java.util.Collections;
import java.util.List;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
import com.android.settingslib.animation.AppearAnimationUtils;
import com.android.settingslib.animation.DisappearAnimationUtils;
@@ -208,4 +209,9 @@ public class KeyguardPINView extends KeyguardPinBasedInputView {
public boolean hasOverlappingRendering() {
return false;
}
+
+ @Override
+ public SecurityMode getSecurityMode() {
+ return SecurityMode.PIN;
+ }
}
diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardPasswordView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardPasswordView.java
index a9d7cf012e28..22bdbaf72ce5 100644
--- a/packages/Keyguard/src/com/android/keyguard/KeyguardPasswordView.java
+++ b/packages/Keyguard/src/com/android/keyguard/KeyguardPasswordView.java
@@ -36,6 +36,7 @@ import android.widget.TextView;
import android.widget.TextView.OnEditorActionListener;
import com.android.internal.widget.TextViewInputDisabler;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
import java.util.List;
/**
@@ -363,4 +364,9 @@ public class KeyguardPasswordView extends KeyguardAbsKeyInputView
}
return false;
}
+
+ @Override
+ public SecurityMode getSecurityMode() {
+ return SecurityMode.Password;
+ }
}
diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardPatternView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardPatternView.java
index 094209e53b4e..081d67314d31 100644
--- a/packages/Keyguard/src/com/android/keyguard/KeyguardPatternView.java
+++ b/packages/Keyguard/src/com/android/keyguard/KeyguardPatternView.java
@@ -33,6 +33,7 @@ import android.widget.LinearLayout;
import com.android.internal.widget.LockPatternChecker;
import com.android.internal.widget.LockPatternUtils;
import com.android.internal.widget.LockPatternView;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
import com.android.settingslib.animation.AppearAnimationCreator;
import com.android.settingslib.animation.AppearAnimationUtils;
import com.android.settingslib.animation.DisappearAnimationUtils;
@@ -289,7 +290,7 @@ public class KeyguardPatternView extends LinearLayout implements KeyguardSecurit
mCallback.reportUnlockAttempt(userId, true, 0);
if (dismissKeyguard) {
mLockPatternView.setDisplayMode(LockPatternView.DisplayMode.Correct);
- mCallback.dismiss(true);
+ mCallback.dismiss(true, SecurityMode.Pattern);
}
} else {
mLockPatternView.setDisplayMode(LockPatternView.DisplayMode.Wrong);
diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityCallback.java b/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityCallback.java
index 232d4d298e3a..ef6e76b113da 100644
--- a/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityCallback.java
+++ b/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityCallback.java
@@ -15,13 +15,16 @@
*/
package com.android.keyguard;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
+
public interface KeyguardSecurityCallback {
/**
* Dismiss the given security screen.
* @param securityVerified true if the user correctly entered credentials for the given screen.
+ * @param expectedSecurityMode The security mode that is invoking this dismiss.
*/
- void dismiss(boolean securityVerified);
+ void dismiss(boolean securityVerified, SecurityMode expectedSecurityMode);
/**
* Manually report user activity to keep the device awake.
diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityContainer.java
index aaff26511eec..e2c1ae413fd3 100644
--- a/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityContainer.java
+++ b/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityContainer.java
@@ -56,7 +56,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
// Used to notify the container when something interesting happens.
public interface SecurityCallback {
- public boolean dismiss(boolean authenticated);
+ public boolean dismiss(boolean authenticated, SecurityMode expectedSecurityMode);
public void userActivity();
public void onSecurityModeChanged(SecurityMode securityMode, boolean needsInput);
@@ -382,10 +382,20 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
/**
* Shows the next security screen if there is one.
* @param authenticated true if the user entered the correct authentication
+ * @param expectedSecurityMode SecurityMode that is invoking this request. SecurityMode.Invalid
+ * indicates that no check should be done
* @return true if keyguard is done
*/
- boolean showNextSecurityScreenOrFinish(boolean authenticated) {
+ boolean showNextSecurityScreenOrFinish(boolean authenticated,
+ SecurityMode expectedSecurityMode) {
if (DEBUG) Log.d(TAG, "showNextSecurityScreenOrFinish(" + authenticated + ")");
+ if (expectedSecurityMode != SecurityMode.Invalid
+ && expectedSecurityMode != getCurrentSecurityMode()) {
+ Log.w(TAG, "Attempted to invoke showNextSecurityScreenOrFinish with securityMode "
+ + expectedSecurityMode + ", but current mode is " + getCurrentSecurityMode());
+ return false;
+ }
+
boolean finish = false;
boolean strongAuth = false;
if (mUpdateMonitor.getUserCanSkipBouncer(
@@ -489,8 +499,13 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
}
}
- public void dismiss(boolean authenticated) {
- mSecurityCallback.dismiss(authenticated);
+ /**
+ * Potentially dismiss the current security screen, after validating that all device
+ * security has been unlocked. Otherwise show the next screen.
+ */
+ public void dismiss(boolean authenticated,
+ SecurityMode expectedSecurityMode) {
+ mSecurityCallback.dismiss(authenticated, expectedSecurityMode);
}
public boolean isVerifyUnlockOnly() {
@@ -523,7 +538,8 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
@Override
public boolean isVerifyUnlockOnly() { return false; }
@Override
- public void dismiss(boolean securityVerified) { }
+ public void dismiss(boolean securityVerified,
+ SecurityMode expectedSecurityMode) { }
@Override
public void reset() {}
};
@@ -568,8 +584,9 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
return mCurrentSecuritySelection;
}
- public void dismiss(boolean authenticated) {
- mCallback.dismiss(authenticated);
+ public void dismiss(boolean authenticated,
+ SecurityMode expectedSecurityMode) {
+ mCallback.dismiss(authenticated, expectedSecurityMode);
}
public boolean needsInput() {
diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardSimPinView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardSimPinView.java
index 209d0fdae71f..06cc154fbaac 100644
--- a/packages/Keyguard/src/com/android/keyguard/KeyguardSimPinView.java
+++ b/packages/Keyguard/src/com/android/keyguard/KeyguardSimPinView.java
@@ -20,6 +20,7 @@ import com.android.internal.telephony.ITelephony;
import com.android.internal.telephony.IccCardConstants;
import com.android.internal.telephony.IccCardConstants.State;
import com.android.internal.telephony.PhoneConstants;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
import android.content.Context;
import android.content.res.ColorStateList;
@@ -282,7 +283,7 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView {
mRemainingAttempts = -1;
mShowDefaultMessage = true;
if (mCallback != null) {
- mCallback.dismiss(true);
+ mCallback.dismiss(true, SecurityMode.SimPin);
}
} else {
mShowDefaultMessage = false;
@@ -355,5 +356,10 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView {
mSecurityMessageDisplay.setMessage(msg, true);
mSimImageView.setImageTintList(ColorStateList.valueOf(color));
}
+
+ @Override
+ public SecurityMode getSecurityMode() {
+ return SecurityMode.SimPin;
+ }
}
diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardSimPukView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardSimPukView.java
index 0f0d000b1df6..a92976f31c13 100644
--- a/packages/Keyguard/src/com/android/keyguard/KeyguardSimPukView.java
+++ b/packages/Keyguard/src/com/android/keyguard/KeyguardSimPukView.java
@@ -38,6 +38,7 @@ import com.android.internal.telephony.ITelephony;
import com.android.internal.telephony.IccCardConstants;
import com.android.internal.telephony.PhoneConstants;
import com.android.internal.telephony.IccCardConstants.State;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
/**
@@ -337,7 +338,7 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView {
mRemainingAttempts = -1;
mShowDefaultMessage = true;
if (mCallback != null) {
- mCallback.dismiss(true);
+ mCallback.dismiss(true, SecurityMode.SimPuk);
}
} else {
mShowDefaultMessage = false;
@@ -424,6 +425,11 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView {
}
}.start();
}
+
+ @Override
+ public SecurityMode getSecurityMode() {
+ return SecurityMode.SimPuk;
+ }
}
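Review bot: `SecurityMode.Invalid` switches the new stale-caller check in `showNextSecurityScreenOrFinish` off completely, and the trust-agent path in `KeyguardHostView` (`dismiss(false /* authenticated */, SecurityMode.Invalid)`) passes it without saying why that is safe. Because this guard is what keeps a late `dismiss()` from one screen from being counted against another, the exemption deserves a comment at that call site, for example `// Not tied to a credential screen, so there is no expected mode to compare; authenticated stays false.` (to be confirmed against the trust-agent flow, which is outside these hunks). The DEBUG line at the top of `showNextSecurityScreenOrFinish` still prints only `authenticated`; `Log.d(TAG, "showNextSecurityScreenOrFinish(" + authenticated + ", " + expectedSecurityMode + ")");` would make a rejected call traceable. The `dismiss()` and `handleBackKey()` callers pass `getCurrentSecurityMode()`, so the check can never reject them; that looks intended but should be stated in the `dismiss()` Javadoc.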


@ -1,7 +1,7 @@
From 134b1251174395e75f638d53e5449815dc965e8b Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Evan Severson <evanseverson@google.com>
Date: Tue, 30 Nov 2021 18:19:18 -0800
Subject: [PATCH] [BACKPORT] Hide overlays on ReviewPermissionsAtivity
Subject: [PATCH] Hide overlays on ReviewPermissionsAtivity
Test: atest PermissionReviewTapjackingTest
Bug: 176094367
@ -14,10 +14,10 @@ Merged-In: I9f263b947853e14d081a73ce907917e9326b6ef7
1 file changed, 4 insertions(+)
diff --git a/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java b/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java
index 6bc251aed..829e81856 100644
index b6fd0c161..bb1e1dd9a 100644
--- a/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java
+++ b/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java
@@ -39,6 +39,7 @@
@@ -39,6 +39,7 @@ import android.text.TextUtils;
import android.text.style.ForegroundColorSpan;
import android.util.TypedValue;
import android.view.View;
@ -25,7 +25,7 @@ index 6bc251aed..829e81856 100644
import android.widget.Button;
import android.widget.ImageView;
import android.widget.TextView;
@@ -57,6 +58,9 @@ public final class ReviewPermissionsActivity extends Activity
@@ -58,6 +59,9 @@ public final class ReviewPermissionsActivity extends Activity
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);


@ -0,0 +1,49 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Mike McTernan <mikemcternan@google.com>
Date: Fri, 22 Jul 2022 11:44:33 +0100
Subject: [PATCH] Fix integer wrap sanitisation.
Test: make check
Bug: 239630493
Bug: 242096164
Change-Id: I232155e7f7a54271a6a3e3a7cd91ed6bbabc051f
Merged-In: I232155e7f7a54271a6a3e3a7cd91ed6bbabc051f
(cherry picked from commit 05dec6d1827dc7016cad11c4ddfe8f965bceddb7)
(cherry picked from commit 61e10c9c53b170ff8a5612ba4ec79e51d58e5eb3)
Merged-In: I232155e7f7a54271a6a3e3a7cd91ed6bbabc051f
---
libfdt/fdt.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/libfdt/fdt.c b/libfdt/fdt.c
index 5baaed3..ed7e947 100644
--- a/libfdt/fdt.c
+++ b/libfdt/fdt.c
@@ -124,9 +124,15 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
if (!lenp)
return FDT_END; /* premature end */
- /* skip-name offset, length and value */
- offset += sizeof(struct fdt_property) - FDT_TAGSIZE
- + fdt32_to_cpu(*lenp);
+
+ /* skip-name offset, length */
+ offset += sizeof(struct fdt_property) - FDT_TAGSIZE;
+
+ if (!fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp)))
+ return FDT_END; /* premature end */
+
+ /* skip value */
+ offset += fdt32_to_cpu(*lenp);
break;
case FDT_END:
@@ -138,7 +144,7 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
return FDT_END;
}
- if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset))
+ if (offset <= startoffset || !fdt_offset_ptr(fdt, startoffset, offset - startoffset))
return FDT_END; /* premature end */
*nextoffset = FDT_TAGALIGN(offset);
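Review bot: The property case adds `fdt32_to_cpu(*lenp)` to the signed `offset` right after the new `fdt_offset_ptr()` check, so whether an oversized length can still reach that addition depends entirely on `fdt_offset_ptr`, whose body is not in this patch. A comment above the check would record that reliance, e.g. `/* the add below relies on fdt_offset_ptr() rejecting lengths that would wrap offset */`. The length is also converted twice; reading it once into a local declared with the function's other variables (`uint32_t len = fdt32_to_cpu(*lenp);`) keeps the check and the add on the same value and is easier to audit. The later `offset <= startoffset` guard only detects a wrap after it has happened, and `fdt_next_tag` begins and ends outside these hunks.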


@ -0,0 +1,102 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Aseem Kumar <aseemk@google.com>
Date: Mon, 21 Mar 2022 20:35:20 -0700
Subject: [PATCH] DO NOT MERGE Move accountname and typeName length check from
Account.java to AccountManagerService.
Bug: 169762606
Test: atest AccountManagerServiceTest
Change-Id: I80fabf3a64c55837db98ff316e7e5420129c001b
(cherry picked from commit 3f218c9a5e1f7c3213ceb84c15afca0d3041057b)
Merged-In: I80fabf3a64c55837db98ff316e7e5420129c001b
---
core/java/android/accounts/Account.java | 7 -------
.../accounts/AccountManagerService.java | 12 ++++++++++++
.../accounts/AccountManagerServiceTest.java | 19 +++++++++++++++++++
3 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/core/java/android/accounts/Account.java b/core/java/android/accounts/Account.java
index 1546ae14862d..3f90f36fb2a1 100644
--- a/core/java/android/accounts/Account.java
+++ b/core/java/android/accounts/Account.java
@@ -28,7 +28,6 @@ import android.util.ArraySet;
import android.util.Log;
import com.android.internal.annotations.GuardedBy;
-import java.util.Objects;
import java.util.Set;
/**
@@ -81,12 +80,6 @@ public class Account implements Parcelable {
if (TextUtils.isEmpty(type)) {
throw new IllegalArgumentException("the type must not be empty: " + type);
}
- if (name.length() > 200) {
- throw new IllegalArgumentException("account name is longer than 200 characters");
- }
- if (type.length() > 200) {
- throw new IllegalArgumentException("account type is longer than 200 characters");
- }
this.name = name;
this.type = type;
this.accessId = accessId;
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
index 98280d52a622..dcc571d84314 100644
--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
@@ -1764,6 +1764,14 @@ public class AccountManagerService
if (account == null) {
return false;
}
+ if (account.name != null && account.name.length() > 200) {
+ Log.w(TAG, "Account cannot be added - Name longer than 200 chars");
+ return false;
+ }
+ if (account.type != null && account.type.length() > 200) {
+ Log.w(TAG, "Account cannot be added - Name longer than 200 chars");
+ return false;
+ }
if (!isLocalUnlockedUser(accounts.userId)) {
Log.w(TAG, "Account " + account + " cannot be added - user " + accounts.userId
+ " is locked. callingUid=" + callingUid);
@@ -1956,6 +1964,10 @@ public class AccountManagerService
+ ", pid " + Binder.getCallingPid());
}
if (accountToRename == null) throw new IllegalArgumentException("account is null");
+ if (newName != null && newName.length() > 200) {
+ Log.e(TAG, "renameAccount failed - account name longer than 200");
+ throw new IllegalArgumentException("account name longer than 200");
+ }
int userId = UserHandle.getCallingUserId();
if (!isAccountManagedByCaller(accountToRename.type, callingUid, userId)) {
String msg = String.format(
diff --git a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
index 791d3e997f3b..68696344220b 100644
--- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
+++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
@@ -237,6 +237,25 @@ public class AccountManagerServiceTest extends AndroidTestCase {
assertEquals(a31, accounts[1]);
}
+ @SmallTest
+ public void testCheckAddAccountLongName() throws Exception {
+ unlockSystemUser();
+ String longString = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ + "aaaaa";
+ Account a11 = new Account(longString, AccountManagerServiceTestFixtures.ACCOUNT_TYPE_1);
+
+ mAms.addAccountExplicitly(a11, /* password= */ "p11", /* extras= */ null);
+
+ String[] list = new String[]{AccountManagerServiceTestFixtures.CALLER_PACKAGE};
+ when(mMockPackageManager.getPackagesForUid(anyInt())).thenReturn(list);
+ Account[] accounts = mAms.getAccountsAsUser(null,
+ UserHandle.getCallingUserId(), mContext.getOpPackageName());
+ assertEquals(0, accounts.length);
+ }
+
+
@SmallTest
public void testPasswords() throws Exception {
unlockSystemUser();
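Review bot: The new type-length check in `addAccountInternal` logs the name message: the branch on `account.type.length() > 200` writes `"Account cannot be added - Name longer than 200 chars"`, so a rejected type cannot be told apart from a rejected name in the logs; it should read `Log.w(TAG, "Account cannot be added - Type longer than 200 chars");`. The limit `200` is now repeated in three places across `addAccountInternal` and `renameAccount`, and a single private constant would keep them in step. The added test covers only the long-name path through `addAccountExplicitly`; the long-type branch and the `renameAccount` exception have no visible test. Both service methods begin and end outside the hunks shown.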


@ -0,0 +1,141 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Thomas Stuart <tjstuart@google.com>
Date: Thu, 23 Jun 2022 14:27:43 -0700
Subject: [PATCH] switch TelecomManager List getters to ParceledListSlice
It was shown that given a large phoneAccountHandles that are
over 1 mb, a TransactionTooLarge exception can be silently thrown
causing an empty list to be returned.
In order to prevent this behavior, all Lists that return a
PhoneAccountHandle or PhoneAccount have been switched to
ParceledListSlice.
bug: 236263294
Test: atest android.telecom.cts.PhoneAccountRegistrarTest
#testRegisterPhoneAccountHandleWithFieldOverLimit
Change-Id: I025245b2a6f8cfaca86f268851a9d8f0817e07dd
Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd
(cherry picked from commit 773cddde3d522606ff032fe8e432321c70edca09)
Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd
---
telecomm/java/android/telecom/TelecomManager.java | 14 ++++++++------
.../android/internal/telecom/ITelecomService.aidl | 13 +++++++------
2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/telecomm/java/android/telecom/TelecomManager.java b/telecomm/java/android/telecom/TelecomManager.java
index 6dc3f917533a..b2734cecf4a6 100644
--- a/telecomm/java/android/telecom/TelecomManager.java
+++ b/telecomm/java/android/telecom/TelecomManager.java
@@ -791,7 +791,7 @@ public class TelecomManager {
try {
if (isServiceConnected()) {
return getTelecomService().getPhoneAccountsSupportingScheme(uriScheme,
- mContext.getOpPackageName());
+ mContext.getOpPackageName()).getList();
}
} catch (RemoteException e) {
Log.e(TAG, "Error calling ITelecomService#getPhoneAccountsSupportingScheme", e);
@@ -833,7 +833,8 @@ public class TelecomManager {
public List<PhoneAccountHandle> getSelfManagedPhoneAccounts() {
try {
if (isServiceConnected()) {
- return getTelecomService().getSelfManagedPhoneAccounts(mContext.getOpPackageName());
+ return getTelecomService()
+ .getSelfManagedPhoneAccounts(mContext.getOpPackageName()).getList();
}
} catch (RemoteException e) {
Log.e(TAG, "Error calling ITelecomService#getSelfManagedPhoneAccounts()", e);
@@ -852,7 +853,7 @@ public class TelecomManager {
try {
if (isServiceConnected()) {
return getTelecomService().getCallCapablePhoneAccounts(
- includeDisabledAccounts, mContext.getOpPackageName());
+ includeDisabledAccounts, mContext.getOpPackageName()).getList();
}
} catch (RemoteException e) {
Log.e(TAG, "Error calling ITelecomService#getCallCapablePhoneAccounts(" +
@@ -872,7 +873,8 @@ public class TelecomManager {
public List<PhoneAccountHandle> getPhoneAccountsForPackage() {
try {
if (isServiceConnected()) {
- return getTelecomService().getPhoneAccountsForPackage(mContext.getPackageName());
+ return getTelecomService()
+ .getPhoneAccountsForPackage(mContext.getPackageName()).getList();
}
} catch (RemoteException e) {
Log.e(TAG, "Error calling ITelecomService#getPhoneAccountsForPackage", e);
@@ -926,7 +928,7 @@ public class TelecomManager {
public List<PhoneAccount> getAllPhoneAccounts() {
try {
if (isServiceConnected()) {
- return getTelecomService().getAllPhoneAccounts();
+ return getTelecomService().getAllPhoneAccounts().getList();
}
} catch (RemoteException e) {
Log.e(TAG, "Error calling ITelecomService#getAllPhoneAccounts", e);
@@ -944,7 +946,7 @@ public class TelecomManager {
public List<PhoneAccountHandle> getAllPhoneAccountHandles() {
try {
if (isServiceConnected()) {
- return getTelecomService().getAllPhoneAccountHandles();
+ return getTelecomService().getAllPhoneAccountHandles().getList();
}
} catch (RemoteException e) {
Log.e(TAG, "Error calling ITelecomService#getAllPhoneAccountHandles", e);
diff --git a/telecomm/java/com/android/internal/telecom/ITelecomService.aidl b/telecomm/java/com/android/internal/telecom/ITelecomService.aidl
index 8ebac2c6273a..64a9b2bd0d84 100644
--- a/telecomm/java/com/android/internal/telecom/ITelecomService.aidl
+++ b/telecomm/java/com/android/internal/telecom/ITelecomService.aidl
@@ -23,6 +23,7 @@ import android.telecom.PhoneAccountHandle;
import android.net.Uri;
import android.os.Bundle;
import android.telecom.PhoneAccount;
+import android.content.pm.ParceledListSlice;
/**
* Interface used to interact with Telecom. Mostly this is used by TelephonyManager for passing
@@ -55,24 +56,24 @@ interface ITelecomService {
/**
* @see TelecomServiceImpl#getCallCapablePhoneAccounts
*/
- List<PhoneAccountHandle> getCallCapablePhoneAccounts(
+ ParceledListSlice getCallCapablePhoneAccounts(
boolean includeDisabledAccounts, String callingPackage);
/**
* @see TelecomServiceImpl#getSelfManagedPhoneAccounts
*/
- List<PhoneAccountHandle> getSelfManagedPhoneAccounts(String callingPackage);
+ ParceledListSlice getSelfManagedPhoneAccounts(String callingPackage);
/**
* @see TelecomManager#getPhoneAccountsSupportingScheme
*/
- List<PhoneAccountHandle> getPhoneAccountsSupportingScheme(in String uriScheme,
+ ParceledListSlice getPhoneAccountsSupportingScheme(in String uriScheme,
String callingPackage);
/**
* @see TelecomManager#getPhoneAccountsForPackage
*/
- List<PhoneAccountHandle> getPhoneAccountsForPackage(in String packageName);
+ ParceledListSlice getPhoneAccountsForPackage(in String packageName);
/**
* @see TelecomManager#getPhoneAccount
@@ -87,12 +88,12 @@ interface ITelecomService {
/**
* @see TelecomManager#getAllPhoneAccounts
*/
- List<PhoneAccount> getAllPhoneAccounts();
+ ParceledListSlice getAllPhoneAccounts();
/**
* @see TelecomManager#getAllPhoneAccountHandles
*/
- List<PhoneAccountHandle> getAllPhoneAccountHandles();
+ ParceledListSlice getAllPhoneAccountHandles();
/**
* @see TelecomServiceImpl#getSimCallManager


@ -0,0 +1,84 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Louis Chang <louischang@google.com>
Date: Tue, 2 Aug 2022 03:33:39 +0000
Subject: [PATCH] Do not send new Intent to non-exported activity when
navigateUpTo
The new Intent was delivered to a non-exported activity while
'#navigateUpTo was called from an Activity of a different uid.
Backport to pie:
* services/core/java/com/android/server/am directory (not wm)
* back port of getPid() method
Bug: 238605611
Test: atest StartActivityTests
Change-Id: I854dd825bfd9a2c08851980d480d1f3a177af6cf
Merged-In: I854dd825bfd9a2c08851980d480d1f3a177af6cf
(cherry picked from commit b9a934064598aa655fab4ce75c8eab6165409670)
Merged-In: I854dd825bfd9a2c08851980d480d1f3a177af6cf
---
.../com/android/server/am/ActivityRecord.java | 4 ++++
.../com/android/server/am/ActivityStack.java | 18 +++++++++++++++++-
.../com/android/server/am/ProcessRecord.java | 4 ++++
3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/am/ActivityRecord.java b/services/core/java/com/android/server/am/ActivityRecord.java
index 081a4eb0d245..72e03209bfbc 100644
--- a/services/core/java/com/android/server/am/ActivityRecord.java
+++ b/services/core/java/com/android/server/am/ActivityRecord.java
@@ -2829,6 +2829,10 @@ final class ActivityRecord extends ConfigurationContainer implements AppWindowCo
return info.applicationInfo.uid;
}
+ int getPid() {
+ return app != null ? app.getPid() : 0;
+ }
+
void setShowWhenLocked(boolean showWhenLocked) {
mShowWhenLocked = showWhenLocked;
}
diff --git a/services/core/java/com/android/server/am/ActivityStack.java b/services/core/java/com/android/server/am/ActivityStack.java
index c1ea022f1c11..5e8b8cb464a1 100644
--- a/services/core/java/com/android/server/am/ActivityStack.java
+++ b/services/core/java/com/android/server/am/ActivityStack.java
@@ -4024,7 +4024,23 @@ class ActivityStack<T extends StackWindowController> extends ConfigurationContai
parentLaunchMode == ActivityInfo.LAUNCH_SINGLE_TASK ||
parentLaunchMode == ActivityInfo.LAUNCH_SINGLE_TOP ||
(destIntentFlags & Intent.FLAG_ACTIVITY_CLEAR_TOP) != 0) {
- parent.deliverNewIntentLocked(callingUid, destIntent, srec.packageName);
+ boolean abort;
+ try {
+ final int callingPid = srec.app != null ? srec.app.getPid() : 0;
+ abort = !mStackSupervisor.checkStartAnyActivityPermission(destIntent,
+ parent.info, null /* resultWho */, -1 /* requestCode */, callingPid,
+ callingUid, srec.info.packageName, false /* ignoreTargetSecurity */,
+ srec.app, null /* resultRecord */, null /* resultStack */,
+ null /* options */);
+ } catch (SecurityException e) {
+ abort = true;
+ }
+ if (abort) {
+ android.util.EventLog.writeEvent(0x534e4554, "238605611", callingUid, "");
+ foundParentInTask = false;
+ } else {
+ parent.deliverNewIntentLocked(callingUid, destIntent, srec.packageName);
+ }
} else {
try {
ActivityInfo aInfo = AppGlobals.getPackageManager().getActivityInfo(
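Review bot: The inline `srec.app != null ? srec.app.getPid() : 0` in the new try block repeats what the `ActivityRecord.getPid()` helper added by this same patch returns, and no visible hunk calls that helper. `final int callingPid = srec.getPid();` would keep the null handling in one place. Separately, the `catch (SecurityException e)` arm discards the exception, so the EventLog entry is the only trace of why delivery was refused; logging `e` at warning level there would help triage. The enclosing method starts and ends outside this hunk.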
diff --git a/services/core/java/com/android/server/am/ProcessRecord.java b/services/core/java/com/android/server/am/ProcessRecord.java
index 411e973de032..7e037eea285c 100644
--- a/services/core/java/com/android/server/am/ProcessRecord.java
+++ b/services/core/java/com/android/server/am/ProcessRecord.java
@@ -455,6 +455,10 @@ final class ProcessRecord {
stringName = null;
}
+ public int getPid() {
+ return pid;
+ }
+
public void makeActive(IApplicationThread _thread, ProcessStatsService tracker) {
if (thread == null) {
final ProcessState origBase = baseProcessTracker;


@ -0,0 +1,57 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Norman <danielnorman@google.com>
Date: Fri, 12 Aug 2022 11:40:41 -0700
Subject: [PATCH] Do not send AccessibilityEvent if notification is for
different user.
Bug: 237540408
Test: BuzzBeepBlinkTest#testA11yCrossUserEventNotSent
Change-Id: I62a875e26e214847ec72ce3c41b4f2fa8e597e07
Merged-In: I62a875e26e214847ec72ce3c41b4f2fa8e597e07
(cherry picked from commit 18f2ec86d680bff26ce9248061878894ad16e05f)
Merged-In: I62a875e26e214847ec72ce3c41b4f2fa8e597e07
---
.../notification/NotificationManagerService.java | 3 ++-
.../server/notification/BuzzBeepBlinkTest.java | 15 +++++++++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
index 9e63265e4e93..ee0c3c1b7bc2 100755
--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
+++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
@@ -4097,7 +4097,8 @@ public class NotificationManagerService extends SystemService {
boolean sentAccessibilityEvent = false;
// If the notification will appear in the status bar, it should send an accessibility
// event
- if (!record.isUpdate && record.getImportance() > IMPORTANCE_MIN) {
+ if (!record.isUpdate && record.getImportance() > IMPORTANCE_MIN
+ && isNotificationForCurrentUser(record)) {
sendAccessibilityEvent(record);
sentAccessibilityEvent = true;
}
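Review bot: The comment above the condition still says the event is sent whenever the notification will appear in the status bar, but the new `isNotificationForCurrentUser(record)` clause adds a user-isolation rule that is the real reason for the change. I would extend the comment, e.g. `// ...and only for the current user, so accessibility services never receive another user's notification`. The helper is defined outside this hunk, so it cannot be checked here whether it also admits profiles of the current user; that is worth confirming against the intended behaviour. The enclosing method continues beyond the hunk.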
diff --git a/services/tests/notification/src/com/android/server/notification/BuzzBeepBlinkTest.java b/services/tests/notification/src/com/android/server/notification/BuzzBeepBlinkTest.java
index 0b4d61fb783e..6c6fbcd0afe4 100644
--- a/services/tests/notification/src/com/android/server/notification/BuzzBeepBlinkTest.java
+++ b/services/tests/notification/src/com/android/server/notification/BuzzBeepBlinkTest.java
@@ -934,6 +934,21 @@ public class BuzzBeepBlinkTest extends NotificationTestCase {
verify(mAccessibilityService, times(1)).sendAccessibilityEvent(any(), anyInt());
}
+ @Test
+ public void testA11yCrossUserEventNotSent() throws Exception {
+ final Notification n = new Builder(getContext(), "test")
+ .setSmallIcon(android.R.drawable.sym_def_app_icon).build();
+ int userId = mUser.getIdentifier() + 1;
+ StatusBarNotification sbn = new StatusBarNotification(mPkg, mPkg, 0, mTag, mUid,
+ mPid, n, UserHandle.of(userId), null, System.currentTimeMillis());
+ NotificationRecord r = new NotificationRecord(getContext(), sbn,
+ new NotificationChannel("test", "test", IMPORTANCE_HIGH));
+
+ mService.buzzBeepBlinkLocked(r);
+
+ verify(mAccessibilityService, never()).sendAccessibilityEvent(any(), anyInt());
+ }
+
static class VibrateRepeatMatcher implements ArgumentMatcher<VibrationEffect> {
private final int mRepeatIndex;


@ -0,0 +1,126 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Yuri Lin <yurilin@google.com>
Date: Mon, 29 Aug 2022 17:40:14 -0400
Subject: [PATCH] Trim any long string inputs that come in to AutomaticZenRule
This change both prevents any rules from being unable to be written to
disk and also avoids risk of running out of memory while handling all
the zen rules.
Bug: 242703460
Bug: 242703505
Bug: 242703780
Bug: 242704043
Bug: 243794204
Test: cts AutomaticZenRuleTest; atest android.app.AutomaticZenRuleTest;
manually confirmed each exploit example either saves the rule
successfully with a truncated string (in the case of name & conditionId)
or may fail to save the rule at all (if the owner/configactivity is invalid).
Additionally ran the memory-exhausting PoC without device crashes.
Change-Id: I110172a43f28528dd274b3b346eb29c3796ff2c6
Merged-In: I110172a43f28528dd274b3b346eb29c3796ff2c6
(cherry picked from commit de172ba0d434c940be9e2aad8685719731ab7da2)
(cherry picked from commit c4b2c877ec28e2473104d9fcdcf321bd81da881b)
Merged-In: I110172a43f28528dd274b3b346eb29c3796ff2c6
---
core/java/android/app/AutomaticZenRule.java | 50 ++++++++++++++++++---
1 file changed, 43 insertions(+), 7 deletions(-)
diff --git a/core/java/android/app/AutomaticZenRule.java b/core/java/android/app/AutomaticZenRule.java
index cd4ace669b6c..29dd91ec1ad6 100644
--- a/core/java/android/app/AutomaticZenRule.java
+++ b/core/java/android/app/AutomaticZenRule.java
@@ -36,6 +36,13 @@ public final class AutomaticZenRule implements Parcelable {
private ComponentName owner;
private long creationTime;
+ /**
+ * The maximum string length for any string contained in this automatic zen rule. This pertains
+ * both to fields in the rule itself (such as its name) and items with sub-fields.
+ * @hide
+ */
+ public static final int MAX_STRING_LENGTH = 1000;
+
/**
* Creates an automatic zen rule.
*
@@ -50,9 +57,9 @@ public final class AutomaticZenRule implements Parcelable {
*/
public AutomaticZenRule(String name, ComponentName owner, Uri conditionId,
int interruptionFilter, boolean enabled) {
- this.name = name;
- this.owner = owner;
- this.conditionId = conditionId;
+ this.name = getTrimmedString(name);
+ this.owner = getTrimmedComponentName(owner);
+ this.conditionId = getTrimmedUri(conditionId);
this.interruptionFilter = interruptionFilter;
this.enabled = enabled;
}
@@ -70,11 +77,11 @@ public final class AutomaticZenRule implements Parcelable {
public AutomaticZenRule(Parcel source) {
enabled = source.readInt() == 1;
if (source.readInt() == 1) {
- name = source.readString();
+ name = getTrimmedString(source.readString());
}
interruptionFilter = source.readInt();
conditionId = source.readParcelable(null);
- owner = source.readParcelable(null);
+ owner = getTrimmedComponentName(source.readParcelable(null));
creationTime = source.readLong();
}
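Review bot: In the Parcel constructor `conditionId = source.readParcelable(null);` is left untrimmed, while `name` and `owner` on the neighbouring lines are now bounded and both the public constructor and `setConditionId` route the Uri through `getTrimmedUri`. A rule that arrives over Binder therefore keeps an arbitrarily long condition id, which is the path where the length cap matters most. The line should read `conditionId = getTrimmedUri(source.readParcelable(null));`. The helpers at the end of the file truncate with `substring(0, MAX_STRING_LENGTH)`, which can split a surrogate pair or a percent-escape inside a Uri; that is acceptable for a size cap but deserves a one-line comment on `getTrimmedUri`.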
@@ -124,7 +131,7 @@ public final class AutomaticZenRule implements Parcelable {
* Sets the representation of the state that causes this rule to become active.
*/
public void setConditionId(Uri conditionId) {
- this.conditionId = conditionId;
+ this.conditionId = getTrimmedUri(conditionId);
}
/**
@@ -139,7 +146,7 @@ public final class AutomaticZenRule implements Parcelable {
* Sets the name of this rule.
*/
public void setName(String name) {
- this.name = name;
+ this.name = getTrimmedString(name);
}
/**
@@ -210,4 +217,33 @@ public final class AutomaticZenRule implements Parcelable {
return new AutomaticZenRule[size];
}
};
+
+ /**
+ * If the package or class name of the provided ComponentName are longer than MAX_STRING_LENGTH,
+ * return a trimmed version that truncates each of the package and class name at the max length.
+ */
+ private static ComponentName getTrimmedComponentName(ComponentName cn) {
+ if (cn == null) return null;
+ return new ComponentName(getTrimmedString(cn.getPackageName()),
+ getTrimmedString(cn.getClassName()));
+ }
+ /**
+ * Returns a truncated copy of the string if the string is longer than MAX_STRING_LENGTH.
+ */
+ private static String getTrimmedString(String input) {
+ if (input != null && input.length() > MAX_STRING_LENGTH) {
+ return input.substring(0, MAX_STRING_LENGTH);
+ }
+ return input;
+ }
+ /**
+ * Returns a truncated copy of the Uri by trimming the string representation to the maximum
+ * string length.
+ */
+ private static Uri getTrimmedUri(Uri input) {
+ if (input != null && input.toString().length() > MAX_STRING_LENGTH) {
+ return Uri.parse(getTrimmedString(input.toString()));
+ }
+ return input;
+ }
}


@ -0,0 +1,202 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ivan Chiang <chiangi@google.com>
Date: Mon, 15 Aug 2022 15:09:33 +0800
Subject: [PATCH] Check permission for VoiceInteraction
The service must have the CAPTURE_AUDIO_HOTWORD permission to access
AlwaysOnHotwordDetector. If it doesn't have the permission, return
STATE_HARDWARE_UNAVAILABLE state. If it is not granted the
RECORD_AUDIO permisison, it also can't start to recognize the audio.
Test: manual
Test: atest CtsVoiceInteractionTestCases
Test: atest CtsAssistTestCases
Bug: 229793943
Change-Id: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb
Merged-In: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb
(cherry picked from commit e4e77f45700bcbc56aa6d6ffc094e0e0ae78190a)
Merged-In: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb
---
.../voice/AlwaysOnHotwordDetector.java | 40 ++++++++++++++++++-
.../voice/VoiceInteractionService.java | 2 +-
.../VoiceInteractionManagerService.java | 14 +++++++
3 files changed, 53 insertions(+), 3 deletions(-)
diff --git a/core/java/android/service/voice/AlwaysOnHotwordDetector.java b/core/java/android/service/voice/AlwaysOnHotwordDetector.java
index 9464a8754fa8..b188eb3ca898 100644
--- a/core/java/android/service/voice/AlwaysOnHotwordDetector.java
+++ b/core/java/android/service/voice/AlwaysOnHotwordDetector.java
@@ -16,11 +16,14 @@
package android.service.voice;
+import android.Manifest;
import android.annotation.IntDef;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.app.Activity;
+import android.content.Context;
import android.content.Intent;
+import android.content.pm.PackageManager;
import android.hardware.soundtrigger.IRecognitionStatusCallback;
import android.hardware.soundtrigger.KeyphraseEnrollmentInfo;
import android.hardware.soundtrigger.KeyphraseMetadata;
@@ -196,8 +199,10 @@ public class AlwaysOnHotwordDetector {
private final Callback mExternalCallback;
private final Object mLock = new Object();
private final Handler mHandler;
+ private final Context mContext;
private int mAvailability = STATE_NOT_READY;
+ private boolean mIsGrantedHotwordPermission;
/**
* Additional payload for {@link Callback#onDetected}.
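Review bot: `mIsGrantedHotwordPermission` is declared `private boolean` but, in the hunks shown, is assigned only once in the constructor; if that is the only constructor, `private final boolean mIsGrantedHotwordPermission;` states this and makes the reads outside `mLock` obviously safe. The value is a snapshot taken at construction while RECORD_AUDIO is re-queried on every call, so the field deserves a comment, e.g. `// Sampled once at construction; the system service re-checks on every call.` These checks run in the caller's own process, so the `enforceCallingPermission` calls added to VoiceInteractionManagerService later in this patch are the ones that actually gate access. The identical four-line guard in startRecognition and stopRecognition could also move into one private helper.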
@@ -324,19 +329,32 @@ public class AlwaysOnHotwordDetector {
public abstract void onRecognitionResumed();
}
+ private static boolean hasHotwordPermission(Context context) {
+ return context.checkSelfPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD)
+ == PackageManager.PERMISSION_GRANTED;
+ }
+
+ private static boolean hasRecordAudioPermission(Context context) {
+ return context.checkSelfPermission(Manifest.permission.RECORD_AUDIO)
+ == PackageManager.PERMISSION_GRANTED;
+ }
+
/**
+ * @param context The context to check permission
* @param text The keyphrase text to get the detector for.
* @param locale The java locale for the detector.
* @param callback A non-null Callback for receiving the recognition events.
+ * @param keyphraseEnrollmentInfo The Enrollment info of key phrase
* @param voiceInteractionService The current voice interaction service.
* @param modelManagementService A service that allows management of sound models.
*
* @hide
*/
- public AlwaysOnHotwordDetector(String text, Locale locale, Callback callback,
+ public AlwaysOnHotwordDetector(Context context, String text, Locale locale, Callback callback,
KeyphraseEnrollmentInfo keyphraseEnrollmentInfo,
IVoiceInteractionService voiceInteractionService,
IVoiceInteractionManagerService modelManagementService) {
+ mContext = context;
mText = text;
mLocale = locale;
mKeyphraseEnrollmentInfo = keyphraseEnrollmentInfo;
@@ -346,6 +364,7 @@ public class AlwaysOnHotwordDetector {
mInternalCallback = new SoundTriggerListener(mHandler);
mVoiceInteractionService = voiceInteractionService;
mModelManagementService = modelManagementService;
+ mIsGrantedHotwordPermission = hasHotwordPermission(mContext);
new RefreshAvailabiltyTask().execute();
}
@@ -402,6 +421,12 @@ public class AlwaysOnHotwordDetector {
*/
public boolean startRecognition(@RecognitionFlags int recognitionFlags) {
if (DBG) Slog.d(TAG, "startRecognition(" + recognitionFlags + ")");
+
+ if (!mIsGrantedHotwordPermission || !hasRecordAudioPermission(mContext)) {
+ throw new IllegalStateException("Must have the RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD "
+ + "permissions to access the detector.");
+ }
+
synchronized (mLock) {
if (mAvailability == STATE_INVALID) {
throw new IllegalStateException("startRecognition called on an invalid detector");
@@ -430,6 +455,12 @@ public class AlwaysOnHotwordDetector {
*/
public boolean stopRecognition() {
if (DBG) Slog.d(TAG, "stopRecognition()");
+
+ if (!mIsGrantedHotwordPermission || !hasRecordAudioPermission(mContext)) {
+ throw new IllegalStateException("Must have the RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD "
+ + "permissions to access the detector.");
+ }
+
synchronized (mLock) {
if (mAvailability == STATE_INVALID) {
throw new IllegalStateException("stopRecognition called on an invalid detector");
@@ -546,7 +577,8 @@ public class AlwaysOnHotwordDetector {
synchronized (mLock) {
if (mAvailability == STATE_INVALID
|| mAvailability == STATE_HARDWARE_UNAVAILABLE
- || mAvailability == STATE_KEYPHRASE_UNSUPPORTED) {
+ || mAvailability == STATE_KEYPHRASE_UNSUPPORTED
+ || !hasRecordAudioPermission(mContext)) {
Slog.w(TAG, "Received onSoundModelsChanged for an unsupported keyphrase/config");
return;
}
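Review bot: With `|| !hasRecordAudioPermission(mContext)` added to this condition, the warning `Received onSoundModelsChanged for an unsupported keyphrase/config` is also logged when the only problem is a missing RECORD_AUDIO grant. Someone reading the log would look for a keyphrase or hardware fault instead of a permission one. I would either test the permission in its own `if` with its own message, or widen the text to `"... for an unsupported keyphrase/config or without RECORD_AUDIO"`. The enclosing method starts and ends outside the hunk.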
@@ -717,6 +749,10 @@ public class AlwaysOnHotwordDetector {
* @return The initial availability without checking the enrollment status.
*/
private int internalGetInitialAvailability() {
+ if (!mIsGrantedHotwordPermission) {
+ return STATE_HARDWARE_UNAVAILABLE;
+ }
+
synchronized (mLock) {
// This detector has already been invalidated.
if (mAvailability == STATE_INVALID) {
diff --git a/core/java/android/service/voice/VoiceInteractionService.java b/core/java/android/service/voice/VoiceInteractionService.java
index 8f79bcffa776..409d8ddddc2d 100644
--- a/core/java/android/service/voice/VoiceInteractionService.java
+++ b/core/java/android/service/voice/VoiceInteractionService.java
@@ -272,7 +272,7 @@ public class VoiceInteractionService extends Service {
synchronized (mLock) {
// Allow only one concurrent recognition via the APIs.
safelyShutdownHotwordDetector();
- mHotwordDetector = new AlwaysOnHotwordDetector(keyphrase, locale, callback,
+ mHotwordDetector = new AlwaysOnHotwordDetector(this, keyphrase, locale, callback,
mKeyphraseEnrollmentInfo, mInterface, mSystemService);
}
return mHotwordDetector;
diff --git a/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java b/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java
index 1569ac32128b..734a4dcb58df 100644
--- a/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java
+++ b/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java
@@ -874,6 +874,9 @@ public class VoiceInteractionManagerService extends SystemService {
@Override
public ModuleProperties getDspModuleProperties(IVoiceInteractionService service) {
+ // Allow the call if it is granted CAPTURE_AUDIO_HOTWORD.
+ enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD);
+
// Allow the call if this is the current voice interaction service.
synchronized (this) {
if (mImpl == null || mImpl.mService == null
@@ -895,6 +898,9 @@ public class VoiceInteractionManagerService extends SystemService {
public int startRecognition(IVoiceInteractionService service, int keyphraseId,
String bcp47Locale, IRecognitionStatusCallback callback,
RecognitionConfig recognitionConfig) {
+ // Allow the call if it is granted RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD.
+ enforceAlwaysOnHotwordPermissions();
+
// Allow the call if this is the current voice interaction service.
synchronized (this) {
if (mImpl == null || mImpl.mService == null
@@ -935,6 +941,9 @@ public class VoiceInteractionManagerService extends SystemService {
@Override
public int stopRecognition(IVoiceInteractionService service, int keyphraseId,
IRecognitionStatusCallback callback) {
+ // Allow the call if it is granted RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD.
+ enforceAlwaysOnHotwordPermissions();
+
// Allow the call if this is the current voice interaction service.
synchronized (this) {
if (mImpl == null || mImpl.mService == null
@@ -1142,6 +1151,11 @@ public class VoiceInteractionManagerService extends SystemService {
mSoundTriggerInternal.dump(fd, pw, args);
}
+ private void enforceAlwaysOnHotwordPermissions() {
+ enforceCallingPermission(Manifest.permission.RECORD_AUDIO);
+ enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD);
+ }
+
private void enforceCallingPermission(String permission) {
if (mContext.checkCallingOrSelfPermission(permission)
!= PackageManager.PERMISSION_GRANTED) {
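Review bot: `enforceAlwaysOnHotwordPermissions()` relies on `enforceCallingPermission`, which as shown calls `mContext.checkCallingOrSelfPermission`, and that consults the permission grant only. RECORD_AUDIO is also backed by an app-op, so a caller whose grant is present but whose op is denied would still pass this check. Whether the sound-trigger path below performs its own app-op check is not visible here. If it does not, an AppOpsManager check for the calling uid and package belongs next to this one. A comment on the new helper stating which of the two is enforced here would make the boundary explicit. The body of `enforceCallingPermission` continues past the end of the hunk.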


@ -0,0 +1,365 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Matt Pietal <mpietal@google.com>
Date: Thu, 18 Aug 2022 12:04:43 +0000
Subject: [PATCH] Do not dismiss keyguard after SIM PUK unlock
After PUK unlock, multiple calls to
KeyguardSecurityContainerController#dismiss() were being called from
the KeyguardSimPukViewController, which begins the transition to the
next security screen, if any. At the same time, other parts of the
system, also listening to SIM events, recognize the PUK unlock and
call KeyguardSecurityContainer#showSecurityScreen, which updates which
security method comes next. After boot, this should be one of PIN,
Password, Pattern, assuming they have a security method. If one of the
first dismiss() calls comes AFTER the security method changes, this is
incorrectly recognized by the code as a successful
PIN/pattern/password unlock. This causes the keyguard to be marked as
done, causing screen flickers and incorrect system state.
The solution: every call to dismiss() should include a new parameter
for the security method used. If there is a difference between this
parameter and the current value in KeyguardSecurityContainerCallback,
ignore the request, as the system state has changed.
Bug: 218500036
Test: atest KeyguardSecurityContainerTest
Merged-In: I7c8714a177bc85fbce92f6e8fe911f74ca2ac243
Change-Id: I30226bc7b5eda9480d471b35fe81e106b0491ff8
(cherry picked from commit a30148b8a40a36cababba1ff434d053cfd7dd6e3)
Merged-In: I30226bc7b5eda9480d471b35fe81e106b0491ff8
---
.../keyguard/KeyguardAbsKeyInputView.java | 4 ++-
.../android/keyguard/KeyguardHostView.java | 13 +++++---
.../com/android/keyguard/KeyguardPINView.java | 6 ++++
.../keyguard/KeyguardPasswordView.java | 6 ++++
.../android/keyguard/KeyguardPatternView.java | 3 +-
.../keyguard/KeyguardSecurityCallback.java | 5 ++-
.../keyguard/KeyguardSecurityContainer.java | 32 +++++++++++++++----
.../android/keyguard/KeyguardSimPinView.java | 14 ++++++--
.../android/keyguard/KeyguardSimPukView.java | 13 ++++++--
9 files changed, 77 insertions(+), 19 deletions(-)
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java
index 8dc743d67189..42236155685b 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java
@@ -29,6 +29,7 @@ import android.view.KeyEvent;
import android.view.View;
import android.widget.LinearLayout;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
import com.android.internal.widget.LockPatternChecker;
import com.android.internal.widget.LockPatternUtils;
@@ -91,6 +92,7 @@ public abstract class KeyguardAbsKeyInputView extends LinearLayout
protected abstract int getPasswordTextViewId();
protected abstract void resetState();
+ protected abstract SecurityMode getSecurityMode();
@Override
protected void onFinishInflate() {
@@ -190,7 +192,7 @@ public abstract class KeyguardAbsKeyInputView extends LinearLayout
mCallback.reportUnlockAttempt(userId, true, 0);
if (dismissKeyguard) {
mDismissing = true;
- mCallback.dismiss(true, userId);
+ mCallback.dismiss(true, userId, getSecurityMode());
}
} else {
if (isValidPassword) {
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java
index 27a3f7d44890..840483aa17a1 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java
@@ -88,7 +88,7 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback {
// the user proved presence via some other way to the trust agent.
Log.i(TAG, "TrustAgent dismissed Keyguard.");
}
- dismiss(false /* authenticated */, userId);
+ dismiss(false /* authenticated */, userId, SecurityMode.Invalid);
} else {
mViewMediatorCallback.playTrustedSound();
}
@@ -181,12 +181,13 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback {
* @return True if the keyguard is done.
*/
public boolean dismiss(int targetUserId) {
- return dismiss(false, targetUserId);
+ return dismiss(false, targetUserId, getCurrentSecurityMode());
}
public boolean handleBackKey() {
if (mSecurityContainer.getCurrentSecuritySelection() != SecurityMode.None) {
- mSecurityContainer.dismiss(false, KeyguardUpdateMonitor.getCurrentUser());
+ mSecurityContainer.dismiss(false, KeyguardUpdateMonitor.getCurrentUser(),
+ getCurrentSecurityMode());
return true;
}
return false;
@@ -207,8 +208,10 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback {
}
@Override
- public boolean dismiss(boolean authenticated, int targetUserId) {
- return mSecurityContainer.showNextSecurityScreenOrFinish(authenticated, targetUserId);
+ public boolean dismiss(boolean authenticated, int targetUserId,
+ SecurityMode expectedSecurityMode) {
+ return mSecurityContainer.showNextSecurityScreenOrFinish(authenticated, targetUserId,
+ expectedSecurityMode);
}
/**
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java
index 2527bebd32c0..1b0e8751d28b 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java
@@ -23,6 +23,7 @@ import android.view.ViewGroup;
import android.view.animation.AnimationUtils;
import android.widget.LinearLayout;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
import com.android.settingslib.animation.AppearAnimationUtils;
import com.android.settingslib.animation.DisappearAnimationUtils;
@@ -207,4 +208,9 @@ public class KeyguardPINView extends KeyguardPinBasedInputView {
public boolean hasOverlappingRendering() {
return false;
}
+
+ @Override
+ public SecurityMode getSecurityMode() {
+ return SecurityMode.PIN;
+ }
}
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
index 4f6d15165fcd..fbe943587ebf 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
@@ -36,6 +36,7 @@ import android.widget.TextView;
import android.widget.TextView.OnEditorActionListener;
import com.android.internal.widget.TextViewInputDisabler;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
import java.util.List;
/**
@@ -363,4 +364,9 @@ public class KeyguardPasswordView extends KeyguardAbsKeyInputView
}
return false;
}
+
+ @Override
+ public SecurityMode getSecurityMode() {
+ return SecurityMode.Password;
+ }
}
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java
index 8f98c781bd3d..7ddae99b973a 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java
@@ -36,6 +36,7 @@ import android.widget.LinearLayout;
import com.android.internal.widget.LockPatternChecker;
import com.android.internal.widget.LockPatternUtils;
import com.android.internal.widget.LockPatternView;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
import com.android.settingslib.animation.AppearAnimationCreator;
import com.android.settingslib.animation.AppearAnimationUtils;
import com.android.settingslib.animation.DisappearAnimationUtils;
@@ -311,7 +312,7 @@ public class KeyguardPatternView extends LinearLayout implements KeyguardSecurit
mCallback.reportUnlockAttempt(userId, true, 0);
if (dismissKeyguard) {
mLockPatternView.setDisplayMode(LockPatternView.DisplayMode.Correct);
- mCallback.dismiss(true, userId);
+ mCallback.dismiss(true, userId, SecurityMode.Pattern);
}
} else {
mLockPatternView.setDisplayMode(LockPatternView.DisplayMode.Wrong);
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java
index 5b743c1a20c5..c8eec6b80897 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java
@@ -15,14 +15,17 @@
*/
package com.android.keyguard;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
+
public interface KeyguardSecurityCallback {
/**
* Dismiss the given security screen.
* @param securityVerified true if the user correctly entered credentials for the given screen.
* @param targetUserId a user that needs to be the foreground user at the dismissal completion.
+ * @param expectedSecurityMode The security mode that is invoking this dismiss.
*/
- void dismiss(boolean securityVerified, int targetUserId);
+ void dismiss(boolean securityVerified, int targetUserId, SecurityMode expectedSecurityMode);
/**
* Manually report user activity to keep the device awake.
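Review bot: The new `@param expectedSecurityMode` line says only that it is the mode invoking the dismiss, but KeyguardSecurityContainer treats `SecurityMode.Invalid` as "skip the check", and KeyguardHostView passes exactly that value on the trust-agent path. Since this interface is what every security view implements and calls, the wildcard should be documented here too. I would write `@param expectedSecurityMode the security mode of the screen requesting the dismiss; the request is ignored if it differs from the current mode. SecurityMode.Invalid disables that comparison.`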
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
index 27bc599f7f52..66fc523ad90e 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
@@ -54,7 +54,8 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
// Used to notify the container when something interesting happens.
public interface SecurityCallback {
- public boolean dismiss(boolean authenticated, int targetUserId);
+ public boolean dismiss(boolean authenticated, int targetUserId,
+ SecurityMode expectedSecurityMode);
public void userActivity();
public void onSecurityModeChanged(SecurityMode securityMode, boolean needsInput);
@@ -315,10 +316,20 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
* @param authenticated true if the user entered the correct authentication
* @param targetUserId a user that needs to be the foreground user at the finish (if called)
* completion.
+ * @param expectedSecurityMode SecurityMode that is invoking this request. SecurityMode.Invalid
+ * indicates that no check should be done
* @return true if keyguard is done
*/
- boolean showNextSecurityScreenOrFinish(boolean authenticated, int targetUserId) {
+ boolean showNextSecurityScreenOrFinish(boolean authenticated, int targetUserId,
+ SecurityMode expectedSecurityMode) {
if (DEBUG) Log.d(TAG, "showNextSecurityScreenOrFinish(" + authenticated + ")");
+ if (expectedSecurityMode != SecurityMode.Invalid
+ && expectedSecurityMode != getCurrentSecurityMode()) {
+ Log.w(TAG, "Attempted to invoke showNextSecurityScreenOrFinish with securityMode "
+ + expectedSecurityMode + ", but current mode is " + getCurrentSecurityMode());
+ return false;
+ }
+
boolean finish = false;
boolean strongAuth = false;
if (mUpdateMonitor.getUserCanSkipBouncer(targetUserId)) {
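Review bot: The new guard lets `SecurityMode.Invalid` through regardless of `authenticated`, so any caller that passes Invalid together with `authenticated == true` bypasses the stale-mode check this patch introduces. The only Invalid caller visible in this diff (KeyguardHostView's trust-agent path) passes `false`. If no caller outside the diff relies on the combination, the wildcard could be limited to unauthenticated requests with `if ((authenticated || expectedSecurityMode != SecurityMode.Invalid) && expectedSecurityMode != getCurrentSecurityMode())`. It would also be cleaner to read `getCurrentSecurityMode()` once into a local, so that the value logged is the value compared. The method body continues beyond the hunk.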
@@ -421,8 +432,13 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
}
}
- public void dismiss(boolean authenticated, int targetId) {
- mSecurityCallback.dismiss(authenticated, targetId);
+ /**
+ * Potentially dismiss the current security screen, after validating that all device
+ * security has been unlocked. Otherwise show the next screen.
+ */
+ public void dismiss(boolean authenticated, int targetId,
+ SecurityMode expectedSecurityMode) {
+ mSecurityCallback.dismiss(authenticated, targetId, expectedSecurityMode);
}
public boolean isVerifyUnlockOnly() {
@@ -455,7 +471,8 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
@Override
public boolean isVerifyUnlockOnly() { return false; }
@Override
- public void dismiss(boolean securityVerified, int targetUserId) { }
+ public void dismiss(boolean securityVerified, int targetUserId,
+ SecurityMode expectedSecurityMode) { }
@Override
public void reset() {}
};
@@ -501,8 +518,9 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
return mCurrentSecuritySelection;
}
- public void dismiss(boolean authenticated, int targetUserId) {
- mCallback.dismiss(authenticated, targetUserId);
+ public void dismiss(boolean authenticated, int targetUserId,
+ SecurityMode expectedSecurityMode) {
+ mCallback.dismiss(authenticated, targetUserId, expectedSecurityMode);
}
public boolean needsInput() {
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java
index 432b4061b5d0..10adebeff90d 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java
@@ -42,6 +42,8 @@ import android.view.View;
import android.view.WindowManager;
import android.widget.ImageView;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
+
/**
* Displays a PIN pad for unlocking.
*/
@@ -69,7 +71,8 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView {
// onSimStateChanged callback can fire when the SIM PIN lock is not currently
// active and mCallback is null.
if (mCallback != null) {
- mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser());
+ mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(),
+ SecurityMode.SimPin);
}
break;
}
@@ -296,7 +299,8 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView {
if (result == PhoneConstants.PIN_RESULT_SUCCESS) {
KeyguardUpdateMonitor.getInstance(getContext())
.reportSimUnlocked(mSubId);
- mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser());
+ mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(),
+ SecurityMode.SimPin);
} else {
if (result == PhoneConstants.PIN_PASSWORD_INCORRECT) {
if (attemptsRemaining <= 2) {
@@ -336,5 +340,11 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView {
public boolean startDisappearAnimation(Runnable finishRunnable) {
return false;
}
+
+
+ @Override
+ public SecurityMode getSecurityMode() {
+ return SecurityMode.SimPin;
+ }
}
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java
index 7f79008b7c91..5ccae73babe4 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java
@@ -40,6 +40,7 @@ import com.android.internal.telephony.ITelephony;
import com.android.internal.telephony.IccCardConstants;
import com.android.internal.telephony.PhoneConstants;
import com.android.internal.telephony.IccCardConstants.State;
+import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
/**
@@ -75,7 +76,8 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView {
// mCallback can be null if onSimStateChanged callback is called when keyguard
// isn't active.
if (mCallback != null) {
- mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser());
+ mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(),
+ SecurityMode.SimPuk);
}
break;
}
@@ -359,7 +361,8 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView {
if (result == PhoneConstants.PIN_RESULT_SUCCESS) {
KeyguardUpdateMonitor.getInstance(getContext())
.reportSimUnlocked(mSubId);
- mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser());
+ mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(),
+ SecurityMode.SimPuk);
} else {
if (result == PhoneConstants.PIN_PASSWORD_INCORRECT) {
if (attemptsRemaining <= 2) {
@@ -402,6 +405,12 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView {
public boolean startDisappearAnimation(Runnable finishRunnable) {
return false;
}
+
+
+ @Override
+ public SecurityMode getSecurityMode() {
+ return SecurityMode.SimPuk;
+ }
}


@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Evan Severson <evanseverson@google.com>
Date: Tue, 30 Nov 2021 18:19:18 -0800
Subject: [PATCH] Hide overlays on ReviewPermissionsAtivity
Test: atest PermissionReviewTapjackingTest
Bug: 176094367
Merged-In: I9f263b947853e14d081a73ce907917e9326b6ef7
Change-Id: I9f263b947853e14d081a73ce907917e9326b6ef7
(cherry picked from commit 725244f010c9c5ed5b169c2ec00600864fce38ab)
Merged-In: I9f263b947853e14d081a73ce907917e9326b6ef7
---
.../permission/ui/ReviewPermissionsActivity.java | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java b/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java
index 4caf4ce8a..81d9d7c4c 100644
--- a/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java
+++ b/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java
@@ -24,6 +24,8 @@ import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.text.TextUtils;
+import android.view.WindowManager;
+
import com.android.packageinstaller.DeviceUtils;
import com.android.packageinstaller.R;
import com.android.packageinstaller.permission.ui.handheld.ReviewPermissionsFragment;
@@ -37,6 +39,9 @@ public final class ReviewPermissionsActivity extends Activity
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
+ getWindow().addPrivateFlags(
+ WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
+
PackageInfo packageInfo = getTargetPackageInfo();
if (packageInfo == null) {
finish();
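Review bot: The `addPrivateFlags(...PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS)` call in `onCreate` only takes effect if the package holds the matching HIDE_NON_SYSTEM_OVERLAY_WINDOWS permission, and this patch touches only the Java file. On the branch receiving the backport, confirm that the PackageInstaller manifest already declares that permission; otherwise the window manager is expected to drop the flag and overlays would still be drawn over the review screen. A short comment above the call, for example `// Tapjacking hardening: hide non-system overlays while permissions are reviewed.`, would record why the flag is set. `onCreate` continues past the end of the hunk.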

View File

@ -0,0 +1,59 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Aishwarya Mallampati <amallampati@google.com>
Date: Wed, 17 Aug 2022 23:21:18 +0000
Subject: [PATCH] Check dir path before updating permissions.
Bug: 240685104
Test: atest android.telephonyprovider.cts.MmsPartTest
atest CtsTelephonyTestCases
Sanity check - sending and receiving sms and mms manually
Change-Id: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f
Merged-In: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f
(cherry picked from commit 0c3e2ce2810e4f5988b342f96bdd600c293c3187)
Merged-In: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f
---
.../providers/telephony/MmsProvider.java | 23 +++++++++++++++----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/src/com/android/providers/telephony/MmsProvider.java b/src/com/android/providers/telephony/MmsProvider.java
index 547b22e3..a804fa68 100644
--- a/src/com/android/providers/telephony/MmsProvider.java
+++ b/src/com/android/providers/telephony/MmsProvider.java
@@ -42,7 +42,10 @@ import android.provider.Telephony.Mms.Part;
import android.provider.Telephony.Mms.Rate;
import android.provider.Telephony.MmsSms;
import android.provider.Telephony.Threads;
+import android.system.ErrnoException;
+import android.system.Os;
import android.text.TextUtils;
+import android.util.EventLog;
import android.util.Log;
import com.google.android.mms.pdu.PduHeaders;
@@ -807,11 +810,21 @@ public class MmsProvider extends ContentProvider {
case MMS_PART_RESET_FILE_PERMISSION:
String path = getContext().getDir(PARTS_DIR_NAME, 0).getPath() + '/' +
uri.getPathSegments().get(1);
- // Reset the file permission back to read for everyone but me.
- int result = FileUtils.setPermissions(path, 0644, -1, -1);
- if (LOCAL_LOGV) {
- Log.d(TAG, "MmsProvider.update setPermissions result: " + result +
- " for path: " + path);
+ try {
+ String partsDirPath = getContext().getDir(PARTS_DIR_NAME, 0).getCanonicalPath();
+ if (!new File(path).getCanonicalPath().startsWith(partsDirPath)) {
+ EventLog.writeEvent(0x534e4554, "240685104",
+ Binder.getCallingUid(), (TAG + " update: path " + path +
+ " does not start with " + partsDirPath));
+ return 0;
+ }
+ // Reset the file permission back to read for everyone but me.
+ Os.chmod(path, 0644);
+ if (LOCAL_LOGV) {
+ Log.d(TAG, "MmsProvider.update chmod is successful for path: " + path);
+ }
+ } catch (ErrnoException | IOException e) {
+ Log.e(TAG, "Exception in chmod: " + e);
}
return 0;
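Review bot: The containment test `new File(path).getCanonicalPath().startsWith(partsDirPath)` is a plain string prefix match, so it also accepts any sibling whose canonical name merely begins with the parts directory name. Comparing against the directory plus a separator closes that gap: `startsWith(partsDirPath + File.separator)`. The check runs on the canonical path while `Os.chmod(path, 0644)` acts on the original string; passing the canonical path that was just validated would make the checked and the modified object the same. `Log.e(TAG, "Exception in chmod: " + e)` drops the stack trace, and `Log.e(TAG, "Exception in chmod", e)` keeps it. The enclosing `update` method starts and ends outside this hunk.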

View File

@ -0,0 +1,248 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Thomas Stuart <tjstuart@google.com>
Date: Thu, 23 Jun 2022 14:20:30 -0700
Subject: [PATCH] switch TelecomManager List getters to ParceledListSlice
It was shown that given a large phoneAccountHandles that are
over 1 mb, a TransactionTooLarge exception can be silently thrown
causing an empty list to be returned.
In order to prevent this behavior, all Lists that return a
PhoneAccountHandle or PhoneAccount have been switched to
ParceledListSlice.
bug: 236263294
Test: atest android.telecom.cts.PhoneAccountRegistrarTest
#testRegisterPhoneAccountHandleWithFieldOverLimit
Change-Id: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015
Merged-In: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015
(cherry picked from commit 960147d4bba558c87a26df6f0328df637a30479b)
Merged-In: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015
---
.../server/telecom/TelecomServiceImpl.java | 51 +++++++++++--------
.../telecom/tests/TelecomServiceImplTest.java | 21 +++++---
2 files changed, 43 insertions(+), 29 deletions(-)
diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java
index d5fafdf5b..e3e0a8511 100644
--- a/src/com/android/server/telecom/TelecomServiceImpl.java
+++ b/src/com/android/server/telecom/TelecomServiceImpl.java
@@ -33,6 +33,8 @@ import android.content.Intent;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.res.Resources;
+import android.content.pm.ParceledListSlice;
+import android.content.pm.ResolveInfo;
import android.net.Uri;
import android.os.Binder;
import android.os.Bundle;
@@ -149,19 +151,20 @@ public class TelecomServiceImpl {
}
@Override
- public List<PhoneAccountHandle> getCallCapablePhoneAccounts(
+ public ParceledListSlice<PhoneAccountHandle> getCallCapablePhoneAccounts(
boolean includeDisabledAccounts, String callingPackage) {
try {
Log.startSession("TSI.gCCPA");
if (!canReadPhoneState(callingPackage, "getDefaultOutgoingPhoneAccount")) {
- return Collections.emptyList();
+ return ParceledListSlice.emptyList();
}
synchronized (mLock) {
final UserHandle callingUserHandle = Binder.getCallingUserHandle();
long token = Binder.clearCallingIdentity();
try {
- return mPhoneAccountRegistrar.getCallCapablePhoneAccounts(null,
- includeDisabledAccounts, callingUserHandle);
+ return new ParceledListSlice<>(
+ mPhoneAccountRegistrar.getCallCapablePhoneAccounts(null,
+ includeDisabledAccounts, callingUserHandle));
} catch (Exception e) {
Log.e(this, e, "getCallCapablePhoneAccounts");
throw e;
@@ -175,7 +178,8 @@ public class TelecomServiceImpl {
}
@Override
- public List<PhoneAccountHandle> getSelfManagedPhoneAccounts(String callingPackage) {
+ public ParceledListSlice<PhoneAccountHandle> getSelfManagedPhoneAccounts(
+ String callingPackage) {
try {
Log.startSession("TSI.gSMPA");
if (!canReadPhoneState(callingPackage, "Requires READ_PHONE_STATE permission.")) {
@@ -185,8 +189,8 @@ public class TelecomServiceImpl {
final UserHandle callingUserHandle = Binder.getCallingUserHandle();
long token = Binder.clearCallingIdentity();
try {
- return mPhoneAccountRegistrar.getSelfManagedPhoneAccounts(
- callingUserHandle);
+ return new ParceledListSlice<>(mPhoneAccountRegistrar
+ .getSelfManagedPhoneAccounts(callingUserHandle));
} catch (Exception e) {
Log.e(this, e, "getSelfManagedPhoneAccounts");
throw e;
@@ -199,10 +203,11 @@ public class TelecomServiceImpl {
}
}
+
@Override
- public List<PhoneAccountHandle> getPhoneAccountsSupportingScheme(String uriScheme,
- String callingPackage) {
- try {
+ public ParceledListSlice<PhoneAccountHandle> getPhoneAccountsSupportingScheme(
+ String uriScheme, String callingPackage) {
+ try {
Log.startSession("TSI.gPASS");
try {
enforceModifyPermission(
@@ -210,15 +215,16 @@ public class TelecomServiceImpl {
} catch (SecurityException e) {
EventLog.writeEvent(0x534e4554, "62347125", Binder.getCallingUid(),
"getPhoneAccountsSupportingScheme: " + callingPackage);
- return Collections.emptyList();
+ return ParceledListSlice.emptyList();
}
synchronized (mLock) {
final UserHandle callingUserHandle = Binder.getCallingUserHandle();
long token = Binder.clearCallingIdentity();
try {
- return mPhoneAccountRegistrar.getCallCapablePhoneAccounts(uriScheme, false,
- callingUserHandle);
+ return new ParceledListSlice<>(mPhoneAccountRegistrar
+ .getCallCapablePhoneAccounts(uriScheme, false,
+ callingUserHandle));
} catch (Exception e) {
Log.e(this, e, "getPhoneAccountsSupportingScheme %s", uriScheme);
throw e;
@@ -232,7 +238,8 @@ public class TelecomServiceImpl {
}
@Override
- public List<PhoneAccountHandle> getPhoneAccountsForPackage(String packageName) {
+ public ParceledListSlice<PhoneAccountHandle> getPhoneAccountsForPackage(
+ String packageName) {
//TODO: Deprecate this in S
try {
enforceCallingPackage(packageName);
@@ -255,8 +262,8 @@ public class TelecomServiceImpl {
long token = Binder.clearCallingIdentity();
try {
Log.startSession("TSI.gPAFP");
- return mPhoneAccountRegistrar.getPhoneAccountsForPackage(packageName,
- callingUserHandle);
+ return new ParceledListSlice<>(mPhoneAccountRegistrar
+ .getPhoneAccountsForPackage(packageName, callingUserHandle));
} catch (Exception e) {
Log.e(this, e, "getPhoneAccountsForPackage %s", packageName);
throw e;
@@ -307,7 +314,7 @@ public class TelecomServiceImpl {
synchronized (mLock) {
try {
// This list is pre-filtered for the calling user.
- return getAllPhoneAccounts().size();
+ return getAllPhoneAccounts().getList().size();
} catch (Exception e) {
Log.e(this, e, "getAllPhoneAccountsCount");
throw e;
@@ -320,7 +327,7 @@ public class TelecomServiceImpl {
}
@Override
- public List<PhoneAccount> getAllPhoneAccounts() {
+ public ParceledListSlice<PhoneAccount> getAllPhoneAccounts() {
synchronized (mLock) {
try {
Log.startSession("TSI.gAPA");
@@ -336,7 +343,8 @@ public class TelecomServiceImpl {
final UserHandle callingUserHandle = Binder.getCallingUserHandle();
long token = Binder.clearCallingIdentity();
try {
- return mPhoneAccountRegistrar.getAllPhoneAccounts(callingUserHandle);
+ return new ParceledListSlice<>(mPhoneAccountRegistrar
+ .getAllPhoneAccounts(callingUserHandle));
} catch (Exception e) {
Log.e(this, e, "getAllPhoneAccounts");
throw e;
@@ -350,7 +358,7 @@ public class TelecomServiceImpl {
}
@Override
- public List<PhoneAccountHandle> getAllPhoneAccountHandles() {
+ public ParceledListSlice<PhoneAccountHandle> getAllPhoneAccountHandles() {
try {
Log.startSession("TSI.gAPAH");
try {
@@ -366,7 +374,8 @@ public class TelecomServiceImpl {
final UserHandle callingUserHandle = Binder.getCallingUserHandle();
long token = Binder.clearCallingIdentity();
try {
- return mPhoneAccountRegistrar.getAllPhoneAccountHandles(callingUserHandle);
+ return new ParceledListSlice<>(mPhoneAccountRegistrar
+ .getAllPhoneAccountHandles(callingUserHandle));
} catch (Exception e) {
Log.e(this, e, "getAllPhoneAccounts");
throw e;
diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
index 305475dbe..afeb7122b 100644
--- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
+++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
@@ -286,9 +286,12 @@ public class TelecomServiceImplTest extends TelecomTestCase {
makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17);
assertEquals(fullPHList,
- mTSIBinder.getCallCapablePhoneAccounts(true, DEFAULT_DIALER_PACKAGE));
- assertEquals(smallPHList,
- mTSIBinder.getCallCapablePhoneAccounts(false, DEFAULT_DIALER_PACKAGE));
+ mTSIBinder.getCallCapablePhoneAccounts(
+ true, DEFAULT_DIALER_PACKAGE).getList());
+
+ assertEquals(smallPHList,
+ mTSIBinder.getCallCapablePhoneAccounts(
+ false, DEFAULT_DIALER_PACKAGE).getList());
}
@SmallTest
@@ -302,7 +305,7 @@ public class TelecomServiceImplTest extends TelecomTestCase {
List<PhoneAccountHandle> result = null;
try {
- result = mTSIBinder.getCallCapablePhoneAccounts(true, "");
+ result = mTSIBinder.getCallCapablePhoneAccounts(true, "").getList();
} catch (SecurityException e) {
// intended behavior
}
@@ -329,9 +332,11 @@ public class TelecomServiceImplTest extends TelecomTestCase {
makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17);
assertEquals(telPHList,
- mTSIBinder.getPhoneAccountsSupportingScheme("tel", DEFAULT_DIALER_PACKAGE));
+ mTSIBinder.getPhoneAccountsSupportingScheme(
+ "tel", DEFAULT_DIALER_PACKAGE).getList());
assertEquals(sipPHList,
- mTSIBinder.getPhoneAccountsSupportingScheme("sip", DEFAULT_DIALER_PACKAGE));
+ mTSIBinder.getPhoneAccountsSupportingScheme(
+ "sip", DEFAULT_DIALER_PACKAGE).getList());
}
@SmallTest
@@ -346,7 +351,7 @@ public class TelecomServiceImplTest extends TelecomTestCase {
makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17);
assertEquals(phoneAccountHandleList,
mTSIBinder.getPhoneAccountsForPackage(
- TEL_PA_HANDLE_16.getComponentName().getPackageName()));
+ TEL_PA_HANDLE_16.getComponentName().getPackageName()).getList());
}
@SmallTest
@@ -367,7 +372,7 @@ public class TelecomServiceImplTest extends TelecomTestCase {
when(mFakePhoneAccountRegistrar.getAllPhoneAccounts(any(UserHandle.class)))
.thenReturn(phoneAccountList);
- assertEquals(2, mTSIBinder.getAllPhoneAccounts().size());
+ assertEquals(2, mTSIBinder.getAllPhoneAccounts().getList().size());
}
@SmallTest

View File

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Fri, 12 Aug 2022 17:26:19 +0000
Subject: [PATCH] Add negative length check in process_service_search_rsp
Bug: 225876506
Test: run supplied POC (updated to Android T)
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca
(cherry picked from commit 18d69eb958493d4879786e2edb42ff4e60334a2f)
Merged-In: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca
---
stack/sdp/sdp_discovery.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
index dcacda832..11491f790 100644
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -289,7 +289,7 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
orig = p_ccb->num_handles;
p_ccb->num_handles += cur_handles;
- if (p_ccb->num_handles == 0) {
+ if (p_ccb->num_handles == 0 || p_ccb->num_handles < orig) {
SDP_TRACE_WARNING("SDP - Rcvd ServiceSearchRsp, no matches");
sdp_disconnect(p_ccb, SDP_NO_RECS_MATCH);
return;
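Review bot: The added `p_ccb->num_handles < orig` condition catches a handle counter that wrapped after `num_handles += cur_handles`, but it shares the branch that logs "SDP - Rcvd ServiceSearchRsp, no matches". In logs, a malformed or hostile response then looks the same as an ordinary empty result. A separate branch for the wrap case with its own message, for example `SDP_TRACE_WARNING("SDP - Rcvd ServiceSearchRsp, handle count overflow");`, would let triage tell the two apart. The rest of `process_service_search_rsp`, including any upper bound on the handle count, is outside this hunk.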

View File

@ -0,0 +1,34 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Sat, 13 Aug 2022 02:01:14 +0000
Subject: [PATCH] Add buffer in pin_reply in bluetooth.cc
Bug: 228602963
Test: make
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I2a2c9a106a485c319841491f7acc2d667e4d0e75
(cherry picked from commit 0dc1c1c34961822f2f3f0a1e8e0b4819c823951b)
Merged-In: I2a2c9a106a485c319841491f7acc2d667e4d0e75
---
btif/src/bluetooth.cc | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
index 38f992b9c..1121a587d 100644
--- a/btif/src/bluetooth.cc
+++ b/btif/src/bluetooth.cc
@@ -285,10 +285,12 @@ static int get_connection_state(const RawAddress* bd_addr) {
static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len,
bt_pin_code_t* pin_code) {
+ bt_pin_code_t tmp_pin_code;
/* sanity check */
if (interface_ready() == false) return BT_STATUS_NOT_READY;
- return btif_dm_pin_reply(bd_addr, accept, pin_len, pin_code);
+ memcpy(&tmp_pin_code, pin_code, pin_len);
+ return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code);
}
static int ssp_reply(const RawAddress* bd_addr, bt_ssp_variant_t variant,
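Review bot: `memcpy(&tmp_pin_code, pin_code, pin_len)` copies a caller-supplied length into a fixed-size stack object without bounding it, so a `pin_len` larger than `sizeof(tmp_pin_code)` would write past the local. The visible lines also never check `pin_code` for null before reading from it. A guard placed before the copy covers both: `if (pin_code == nullptr || pin_len > sizeof(tmp_pin_code)) return BT_STATUS_PARM_INVALID;`. Declaring the local as `bt_pin_code_t tmp_pin_code = {};` would also keep the bytes beyond `pin_len` from carrying uninitialised stack contents into `btif_dm_pin_reply`.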

View File

@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Thu, 17 Mar 2022 15:39:20 -0700
Subject: [PATCH] Out of Bounds Read in nfa_dm_check_set_config
Bug: 221216105
Test: build ok
Change-Id: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229
(cherry picked from commit 88c5c267e889699c71412022e3fcb03d20100e99)
Merged-In: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229
---
src/nfa/dm/nfa_dm_main.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/nfa/dm/nfa_dm_main.c b/src/nfa/dm/nfa_dm_main.c
index dbc51ba..3d4114e 100644
--- a/src/nfa/dm/nfa_dm_main.c
+++ b/src/nfa/dm/nfa_dm_main.c
@@ -27,6 +27,7 @@
#include "nfa_dm_int.h"
#include "nfa_sys.h"
#include "nfa_sys_int.h"
+#include <log/log.h>
/*****************************************************************************
** Constants and types
@@ -237,6 +238,14 @@ tNFA_STATUS nfa_dm_check_set_config(uint8_t tlv_list_len, uint8_t* p_tlv_list,
p_value = p_tlv_list + xx + 2;
p_cur_len = NULL;
+ if (len > (tlv_list_len - xx - 2))
+ {
+ NFA_TRACE_ERROR2 ("error: invalid TLV length: t:0x%x, l:%d",
+ type, len);
+ android_errorWriteLog(0x534e4554, "221216105");
+ return NFA_STATUS_FAILED;
+ }
+
switch (type) {
/*
** Poll F Configuration

View File

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Wed, 3 Aug 2022 12:25:33 -0700
Subject: [PATCH] OOBW in phNxpNciHal_write_unlocked()
Bug: 230356196
Test: builds ok
Merged-In: Ief580984ad58dbc7c57c2537c511d6b81c91b581
Change-Id: I7f22b9ce4a7f101a9218de746b71def74a5efa8c
(cherry picked from commit a0c461b91a67f6ee0e86f856bcea2bdac2318491)
Merged-In: I7f22b9ce4a7f101a9218de746b71def74a5efa8c
---
halimpl/pn54x/hal/phNxpNciHal_ext.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/halimpl/pn54x/hal/phNxpNciHal_ext.c b/halimpl/pn54x/hal/phNxpNciHal_ext.c
index 0e9f2ae..ed996e0 100644
--- a/halimpl/pn54x/hal/phNxpNciHal_ext.c
+++ b/halimpl/pn54x/hal/phNxpNciHal_ext.c
@@ -735,7 +735,8 @@ NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data,
status = NFCSTATUS_FAILED;
}
// 2002 0904 3000 3100 3200 5000
- else if ((p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) &&
+ else if (*cmd_len <= (NCI_MAX_DATA_LEN - 1) &&
+ (p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) &&
((p_cmd_data[2] == 0x09 && p_cmd_data[3] == 0x04) /*||
(p_cmd_data[2] == 0x0D && p_cmd_data[3] == 0x04)*/
)) {
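Review bot: The added `*cmd_len <= (NCI_MAX_DATA_LEN - 1)` test is only an upper bound, while the same condition reads `p_cmd_data[0]` through `p_cmd_data[3]` with no lower bound on `*cmd_len` visible in the hunk. Unless an earlier check in `phNxpNciHal_write_ext` already guarantees four bytes, adding `*cmd_len >= 4 &&` would make the indexing safe on its own. An over-long command is also not rejected here; it just fails this `else if` and falls through to whatever branches follow outside the hunk, so a log line or an explicit `NFCSTATUS_FAILED` for that case would make the rejection visible. A comment such as `/* the branch body grows the command by one byte; keep it within NCI_MAX_DATA_LEN */` would explain the `- 1`, if that is indeed the reason. The same applies to the identical hunk in the second `phNxpNciHal_ext.c` patch further down the page.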

View File

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Wed, 3 Aug 2022 12:25:33 -0700
Subject: [PATCH] OOBW in phNxpNciHal_write_unlocked()
Bug: 230356196
Test: builds ok
Merged-In: Ief580984ad58dbc7c57c2537c511d6b81c91b581
Change-Id: I7f22b9ce4a7f101a9218de746b71def74a5efa8c
(cherry picked from commit a0c461b91a67f6ee0e86f856bcea2bdac2318491)
Merged-In: I7f22b9ce4a7f101a9218de746b71def74a5efa8c
---
halimpl/pn54x/hal/phNxpNciHal_ext.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/halimpl/pn54x/hal/phNxpNciHal_ext.c b/halimpl/pn54x/hal/phNxpNciHal_ext.c
index c0145500..efad26cc 100644
--- a/halimpl/pn54x/hal/phNxpNciHal_ext.c
+++ b/halimpl/pn54x/hal/phNxpNciHal_ext.c
@@ -811,7 +811,8 @@ NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data,
status = NFCSTATUS_FAILED;
}
// 2002 0904 3000 3100 3200 5000
- else if ((p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) &&
+ else if (*cmd_len <= (NCI_MAX_DATA_LEN - 1) &&
+ (p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) &&
((p_cmd_data[2] == 0x09 && p_cmd_data[3] == 0x04) /*||
(p_cmd_data[2] == 0x0D && p_cmd_data[3] == 0x04)*/
)) {


@ -166,6 +166,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/343956.patch"; #n-asb-2022-11 S
applyPatch "$DOS_PATCHES/android_frameworks_base/343957.patch"; #n-asb-2022-11 Check permission for VoiceInteraction
applyPatch "$DOS_PATCHES/android_frameworks_base/344188.patch"; #n-asb-2022-11 Do not send new Intent to non-exported activity when navigateUpTo
applyPatch "$DOS_PATCHES/android_frameworks_base/344189.patch"; #n-asb-2022-11 Move accountname and typeName length check from Account.java to AccountManagerService.
applyPatch "$DOS_PATCHES/android_frameworks_base/344217.patch"; #n-asb-2022-11 Do not dismiss keyguard after SIM PUK unlock
git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)


@ -77,7 +77,7 @@ applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys t
applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
sed -i 's/2021-10-05/2022-10-05/' core/version_defaults.mk; #Bump Security String #XXX
sed -i 's/2021-10-05/2022-11-05/' core/version_defaults.mk; #Bump Security String #XXX
fi;
if enterAndClear "build/soong"; then
@ -101,6 +101,7 @@ fi;
if enterAndClear "external/dtc"; then
applyPatch "$DOS_PATCHES/android_external_dtc/342096.patch"; #P_asb_2022-10 libfdt: fdt_offset_ptr(): Fix comparison warnings
applyPatch "$DOS_PATCHES/android_external_dtc/344161.patch"; #P_asb_2022-11 Fix integer wrap sanitisation.
fi;
if enterAndClear "external/expat"; then
@ -143,6 +144,13 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/335121-backport.patch"; #P_asb_
applyPatch "$DOS_PATCHES/android_frameworks_base/337991.patch"; #Q_asb_2022-09 Parcel: recycle recycles
applyPatch "$DOS_PATCHES/android_frameworks_base/337992-backport.patch"; #Q_asb_2022-09 IMMS: Make IMMS PendingIntents immutable
#applyPatch "$DOS_PATCHES/android_frameworks_base/337993.patch"; #Q_asb_2022-09 Remove package name from SafetyNet logs #XXX: depends on 337990
applyPatch "$DOS_PATCHES/android_frameworks_base/344168.patch"; #P_asb_2022-11 Move accountname and typeName length check from Account.java to AccountManagerService.
applyPatch "$DOS_PATCHES/android_frameworks_base/344169.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
applyPatch "$DOS_PATCHES/android_frameworks_base/344170-backport.patch"; #P_asb_2022-11 Do not send new Intent to non-exported activity when navigateUpTo
applyPatch "$DOS_PATCHES/android_frameworks_base/344171-backport.patch"; #P_asb_2022-11 Do not send AccessibilityEvent if notification is for different user.
applyPatch "$DOS_PATCHES/android_frameworks_base/344172.patch"; #P_asb_2022-11 Trim any long string inputs that come in to AutomaticZenRule
applyPatch "$DOS_PATCHES/android_frameworks_base/344173.patch"; #P_asb_2022-11 Check permission for VoiceInteraction
applyPatch "$DOS_PATCHES/android_frameworks_base/344174-backport.patch"; #P_asb_2022-11 Do not dismiss keyguard after SIM PUK unlock
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
@ -249,6 +257,10 @@ applyPatch "$DOS_PATCHES/android_packages_apps_LineageParts/0001-Remove_Analytic
cp -f "$DOS_PATCHES_COMMON/contributors.db" assets/contributors.db; #Update contributors cloud
fi;
if enterAndClear "packages/apps/PackageInstaller"; then
applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/344181.patch"; #P_asb_2022-11 Hide overlays on ReviewPermissionsAtivity
fi;
if enterAndClear "packages/apps/Nfc"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/328346.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332455-backport.patch"; #n-asb-2022-06 OOB read in phNciNfc_RecvMfResp()
@ -304,8 +316,13 @@ if enterAndClear "packages/providers/MediaProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/0001-External_Permission.patch"; #Fix permission denial (luca.stefani)
fi;
if enterAndClear "packages/providers/TelephonyProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/344182.patch"; #P_asb_2022-11 Check dir path before updating permissions.
fi;
if enterAndClear "packages/services/Telecomm"; then
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332764.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/344183.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
fi;
if enterAndClear "packages/services/Telephony"; then
@ -323,6 +340,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/337995-backport.patch"; #Q_asb_2022-0
applyPatch "$DOS_PATCHES/android_system_bt/337996.patch"; #Q_asb_2022-09 Fix OOB in BNEP_Write
applyPatch "$DOS_PATCHES/android_system_bt/337997.patch"; #Q_asb_2022-09 Fix OOB in reassemble_and_dispatch
applyPatch "$DOS_PATCHES/android_system_bt/342097.patch"; #P_asb_2022-10 Fix potential interger overflow when parsing vendor response
applyPatch "$DOS_PATCHES/android_system_bt/344184.patch"; #P_asb_2022-11 Add negative length check in process_service_search_rsp
applyPatch "$DOS_PATCHES/android_system_bt/344185.patch"; #P_asb_2022-11 Add buffer in pin_reply in bluetooth.cc
fi;
if enterAndClear "system/core"; then
@ -335,6 +354,8 @@ fi;
if enterAndClear "system/nfc"; then
applyPatch "$DOS_PATCHES/android_system_nfc/332767.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
applyPatch "$DOS_PATCHES/android_system_nfc/332458-backport.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config
applyPatch "$DOS_PATCHES/android_system_nfc/344180-backport.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
fi;
if enterAndClear "system/sepolicy"; then
@ -351,6 +372,7 @@ if enterAndClear "vendor/nxp/opensource/external/libnfc-nci"; then
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332458-backport.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch"; #n-asb-2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/344190-backport.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
fi;
if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then


@ -85,7 +85,7 @@ patchWorkspace() {
repopick -it P_asb_2022-09 -e 342116;
repopick -it P_asb_2022-10 -e 342119;
repopick -it P_tzdata_2022;
repopick -it P_asb_2022-11;
repopick -it P_asb_2022-11 -e 344200;
sh "$DOS_SCRIPTS/Patch.sh";
sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";


@ -81,9 +81,8 @@ patchWorkspace() {
gpgVerifyGitTag "$DOS_BUILD_BASE/external/hardened_malloc";
gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
source build/envsetup.sh;
#source build/envsetup.sh;
#repopick -it ten-firewall;
repopick -it Q_asb_2022-11;
repopick -it Q_tzdb2022f;
sh "$DOS_SCRIPTS/Patch.sh";


@ -442,6 +442,10 @@ sed -i '/PRODUCT_SYSTEM_VERITY_PARTITION/iPRODUCT_VENDOR_VERITY_PARTITION := /de
awk -i inplace '!/vendor_sensors_dbg_prop/' sepolicy/vendor/hal_camera_default.te; #fixup
fi;
#if enterAndClear "hardware/oplus"; then
#echo "allow update_engine_common vendor_custom_ab_block_device:blk_file rw_file_perms;" >> sepolicy/qti/vendor/update_engine_common.te; #fix firmware flash denial #TODO: VERIFY ME
#fi;
if enterAndClear "kernel/fairphone/sdm632"; then
sed -i 's|/../../prebuilts/tools-lineage|/../../../prebuilts/tools-lineage|' lib/Makefile; #fixup typo
fi;