diff --git a/Patches/LineageOS-14.1/android_frameworks_base/344188.patch b/Patches/LineageOS-14.1/android_frameworks_base/344188.patch index fae12da4..72bef14b 100644 --- a/Patches/LineageOS-14.1/android_frameworks_base/344188.patch +++ b/Patches/LineageOS-14.1/android_frameworks_base/344188.patch @@ -1,8 +1,8 @@ -From 623d9421f9f175283af8c562604af2385e7addb1 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Louis Chang Date: Tue, 2 Aug 2022 03:33:39 +0000 -Subject: [PATCH] [BACKPORT] Do not send new Intent to non-exported activity - when navigateUpTo +Subject: [PATCH] Do not send new Intent to non-exported activity when + navigateUpTo The new Intent was delivered to a non-exported activity while @@ -22,7 +22,7 @@ diff --git a/services/core/java/com/android/server/am/ActivityRecord.java b/serv index d6c53076614d..a3ace26df5f7 100755 --- a/services/core/java/com/android/server/am/ActivityRecord.java +++ b/services/core/java/com/android/server/am/ActivityRecord.java -@@ -1535,6 +1535,10 @@ int getUid() { +@@ -1535,6 +1535,10 @@ final class ActivityRecord { return info.applicationInfo.uid; } @@ -37,7 +37,7 @@ diff --git a/services/core/java/com/android/server/am/ActivityStack.java b/servi index 7376fa869ab9..696079848995 100644 --- a/services/core/java/com/android/server/am/ActivityStack.java +++ b/services/core/java/com/android/server/am/ActivityStack.java -@@ -3794,14 +3794,30 @@ final boolean navigateUpToLocked(ActivityRecord srec, Intent destIntent, int res +@@ -3794,14 +3794,30 @@ final class ActivityStack { } if (parent != null && foundParentInTask) { @@ -74,7 +74,7 @@ diff --git a/services/core/java/com/android/server/am/ProcessRecord.java b/servi index 7746f1e3508d..d8fe39cf2162 100644 --- a/services/core/java/com/android/server/am/ProcessRecord.java 
+++ b/services/core/java/com/android/server/am/ProcessRecord.java -@@ -465,6 +465,10 @@ public void setPid(int _pid) { +@@ -465,6 +465,10 @@ final class ProcessRecord { stringName = null; } diff --git a/Patches/LineageOS-14.1/android_frameworks_base/344189.patch b/Patches/LineageOS-14.1/android_frameworks_base/344189.patch index c5d9307e..a4908428 100644 --- a/Patches/LineageOS-14.1/android_frameworks_base/344189.patch +++ b/Patches/LineageOS-14.1/android_frameworks_base/344189.patch @@ -1,4 +1,4 @@ -From 2d476338e9c714405c9fda55283911e00192534d Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Aseem Kumar Date: Mon, 21 Mar 2022 20:35:20 -0700 Subject: [PATCH] DO NOT MERGE Move accountname and typeName length check from @@ -19,7 +19,7 @@ diff --git a/core/java/android/accounts/Account.java b/core/java/android/account index 1546ae14862d..3f90f36fb2a1 100644 --- a/core/java/android/accounts/Account.java +++ b/core/java/android/accounts/Account.java -@@ -28,7 +28,6 @@ +@@ -28,7 +28,6 @@ import android.util.ArraySet; import android.util.Log; import com.android.internal.annotations.GuardedBy; @@ -27,7 +27,7 @@ index 1546ae14862d..3f90f36fb2a1 100644 import java.util.Set; /** -@@ -81,12 +80,6 @@ public Account(String name, String type, String accessId) { +@@ -81,12 +80,6 @@ public class Account implements Parcelable { if (TextUtils.isEmpty(type)) { throw new IllegalArgumentException("the type must not be empty: " + type); } @@ -41,10 +41,10 @@ index 1546ae14862d..3f90f36fb2a1 100644 this.type = type; this.accessId = accessId; diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java -index 126955add01a..30ddc6763842 100644 +index 3aea365b7ced..239297cc420a 100644 --- a/services/core/java/com/android/server/accounts/AccountManagerService.java 
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java -@@ -1304,6 +1304,14 @@ private boolean addAccountInternal(UserAccounts accounts, Account account, Strin +@@ -1305,6 +1305,14 @@ public class AccountManagerService if (account == null) { return false; } @@ -59,7 +59,7 @@ index 126955add01a..30ddc6763842 100644 if (!isLocalUnlockedUser(accounts.userId)) { Log.w(TAG, "Account " + account + " cannot be added - user " + accounts.userId + " is locked. callingUid=" + callingUid); -@@ -1500,6 +1508,10 @@ public void renameAccount( +@@ -1501,6 +1509,10 @@ public class AccountManagerService + ", pid " + Binder.getCallingPid()); } if (accountToRename == null) throw new IllegalArgumentException("account is null"); @@ -74,7 +74,7 @@ diff --git a/services/tests/servicestests/src/com/android/server/accounts/Accoun index a3d0afab88eb..5467f2264efe 100644 --- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java +++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java -@@ -132,6 +132,21 @@ public void testCheckAddAccount() throws Exception { +@@ -132,6 +132,21 @@ public class AccountManagerServiceTest extends AndroidTestCase { assertEquals(a31, accounts[1]); } diff --git a/Patches/LineageOS-14.1/android_frameworks_base/344217.patch b/Patches/LineageOS-14.1/android_frameworks_base/344217.patch new file mode 100644 index 00000000..78a5a861 --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_base/344217.patch 
@@ -0,0 +1,336 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Matt Pietal +Date: Thu, 18 Aug 2022 12:04:43 +0000 +Subject: [PATCH] Do not dismiss keyguard after SIM PUK unlock + +After PUK unlock, multiple calls to +KeyguardSecurityContainerController#dismiss() were being called from +the KeyguardSimPukViewController, which begins the transition to the +next security screen, if any. At the same time, other parts of the +system, also listening to SIM events, recognize the PUK unlock and +call KeyguardSecurityContainer#showSecurityScreen, which updates which +security method comes next. After boot, this should be one of PIN, +Password, Pattern, assuming they have a security method. If one of the +first dismiss() calls comes AFTER the security method changes, this is +incorrectly recognized by the code as a successful +PIN/pattern/password unlock. This causes the keyguard to be marked as +done, causing screen flickers and incorrect system state. + +The solution: every call to dismiss() should include a new parameter +for the security method used. If there is a difference between this +parameter and the current value in KeyguardSecurityContainerCallback, +ignore the request, as the system state has changed. 
+ +Bug: 218500036 +Test: atest KeyguardSecurityContainerTest + +Merged-In: I7c8714a177bc85fbce92f6e8fe911f74ca2ac243 +Change-Id: I30226bc7b5eda9480d471b35fe81e106b0491ff8 +(cherry picked from commit a30148b8a40a36cababba1ff434d053cfd7dd6e3) +Merged-In: I30226bc7b5eda9480d471b35fe81e106b0491ff8 +--- + .../keyguard/KeyguardAbsKeyInputView.java | 4 ++- + .../android/keyguard/KeyguardHostView.java | 11 ++++--- + .../com/android/keyguard/KeyguardPINView.java | 6 ++++ + .../keyguard/KeyguardPasswordView.java | 6 ++++ + .../android/keyguard/KeyguardPatternView.java | 3 +- + .../keyguard/KeyguardSecurityCallback.java | 5 ++- + .../keyguard/KeyguardSecurityContainer.java | 31 ++++++++++++++----- + .../android/keyguard/KeyguardSimPinView.java | 8 ++++- + .../android/keyguard/KeyguardSimPukView.java | 8 ++++- + 9 files changed, 65 insertions(+), 17 deletions(-) + +diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardAbsKeyInputView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardAbsKeyInputView.java +index 9b85e13b2839..f77b32391f3f 100644 +--- a/packages/Keyguard/src/com/android/keyguard/KeyguardAbsKeyInputView.java ++++ b/packages/Keyguard/src/com/android/keyguard/KeyguardAbsKeyInputView.java +@@ -28,6 +28,7 @@ import android.widget.LinearLayout; + + import com.android.internal.widget.LockPatternChecker; + import com.android.internal.widget.LockPatternUtils; ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + + /** + * Base class for PIN and password unlock screens. 
+@@ -88,6 +89,7 @@ public abstract class KeyguardAbsKeyInputView extends LinearLayout + + protected abstract int getPasswordTextViewId(); + protected abstract void resetState(); ++ protected abstract SecurityMode getSecurityMode(); + + @Override + protected void onFinishInflate() { +@@ -168,7 +170,7 @@ public abstract class KeyguardAbsKeyInputView extends LinearLayout + mCallback.reportUnlockAttempt(userId, true, 0); + if (dismissKeyguard) { + mDismissing = true; +- mCallback.dismiss(true); ++ mCallback.dismiss(true, getSecurityMode()); + } + } else { + if (isValidPassword) { +diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardHostView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardHostView.java +index 434631e1c0fd..ad2a2048f913 100644 +--- a/packages/Keyguard/src/com/android/keyguard/KeyguardHostView.java ++++ b/packages/Keyguard/src/com/android/keyguard/KeyguardHostView.java +@@ -88,7 +88,7 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback { + // the user proved presence via some other way to the trust agent. + Log.i(TAG, "TrustAgent dismissed Keyguard."); + } +- dismiss(false /* authenticated */); ++ dismiss(false /* authenticated */, SecurityMode.Invalid); + } else { + mViewMediatorCallback.playTrustedSound(); + } +@@ -181,12 +181,12 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback { + * @return True if the keyguard is done. 
+ */ + public boolean dismiss() { +- return dismiss(false); ++ return dismiss(false, getCurrentSecurityMode()); + } + + public boolean handleBackKey() { + if (mSecurityContainer.getCurrentSecuritySelection() != SecurityMode.None) { +- mSecurityContainer.dismiss(false); ++ mSecurityContainer.dismiss(false, getCurrentSecurityMode()); + return true; + } + return false; +@@ -207,8 +207,9 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback { + } + + @Override +- public boolean dismiss(boolean authenticated) { +- return mSecurityContainer.showNextSecurityScreenOrFinish(authenticated); ++ public boolean dismiss(boolean authenticated, SecurityMode expectedSecurityMode) { ++ return mSecurityContainer.showNextSecurityScreenOrFinish(authenticated, ++ expectedSecurityMode); + } + + /** +diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardPINView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardPINView.java +index 113c212697f0..35a1201fd744 100644 +--- a/packages/Keyguard/src/com/android/keyguard/KeyguardPINView.java ++++ b/packages/Keyguard/src/com/android/keyguard/KeyguardPINView.java +@@ -29,6 +29,7 @@ import java.util.Arrays; + import java.util.Collections; + import java.util.List; + ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + import com.android.settingslib.animation.AppearAnimationUtils; + import com.android.settingslib.animation.DisappearAnimationUtils; + +@@ -208,4 +209,9 @@ public class KeyguardPINView extends KeyguardPinBasedInputView { + public boolean hasOverlappingRendering() { + return false; + } ++ ++ @Override ++ public SecurityMode getSecurityMode() { ++ return SecurityMode.PIN; ++ } + } +diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardPasswordView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardPasswordView.java +index a9d7cf012e28..22bdbaf72ce5 100644 +--- a/packages/Keyguard/src/com/android/keyguard/KeyguardPasswordView.java ++++ 
b/packages/Keyguard/src/com/android/keyguard/KeyguardPasswordView.java +@@ -36,6 +36,7 @@ import android.widget.TextView; + import android.widget.TextView.OnEditorActionListener; + + import com.android.internal.widget.TextViewInputDisabler; ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + + import java.util.List; + /** +@@ -363,4 +364,9 @@ public class KeyguardPasswordView extends KeyguardAbsKeyInputView + } + return false; + } ++ ++ @Override ++ public SecurityMode getSecurityMode() { ++ return SecurityMode.Password; ++ } + } +diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardPatternView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardPatternView.java +index 094209e53b4e..081d67314d31 100644 +--- a/packages/Keyguard/src/com/android/keyguard/KeyguardPatternView.java ++++ b/packages/Keyguard/src/com/android/keyguard/KeyguardPatternView.java +@@ -33,6 +33,7 @@ import android.widget.LinearLayout; + import com.android.internal.widget.LockPatternChecker; + import com.android.internal.widget.LockPatternUtils; + import com.android.internal.widget.LockPatternView; ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + import com.android.settingslib.animation.AppearAnimationCreator; + import com.android.settingslib.animation.AppearAnimationUtils; + import com.android.settingslib.animation.DisappearAnimationUtils; +@@ -289,7 +290,7 @@ public class KeyguardPatternView extends LinearLayout implements KeyguardSecurit + mCallback.reportUnlockAttempt(userId, true, 0); + if (dismissKeyguard) { + mLockPatternView.setDisplayMode(LockPatternView.DisplayMode.Correct); +- mCallback.dismiss(true); ++ mCallback.dismiss(true, SecurityMode.Pattern); + } + } else { + mLockPatternView.setDisplayMode(LockPatternView.DisplayMode.Wrong); +diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityCallback.java b/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityCallback.java +index 232d4d298e3a..ef6e76b113da 100644 
+--- a/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityCallback.java ++++ b/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityCallback.java +@@ -15,13 +15,16 @@ + */ + package com.android.keyguard; + ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; ++ + public interface KeyguardSecurityCallback { + + /** + * Dismiss the given security screen. + * @param securityVerified true if the user correctly entered credentials for the given screen. ++ * @param expectedSecurityMode The security mode that is invoking this dismiss. + */ +- void dismiss(boolean securityVerified); ++ void dismiss(boolean securityVerified, SecurityMode expectedSecurityMode); + + /** + * Manually report user activity to keep the device awake. +diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityContainer.java +index aaff26511eec..e2c1ae413fd3 100644 +--- a/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityContainer.java ++++ b/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityContainer.java +@@ -56,7 +56,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + + // Used to notify the container when something interesting happens. + public interface SecurityCallback { +- public boolean dismiss(boolean authenticated); ++ public boolean dismiss(boolean authenticated, SecurityMode expectedSecurityMode); + public void userActivity(); + public void onSecurityModeChanged(SecurityMode securityMode, boolean needsInput); + +@@ -382,10 +382,20 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + /** + * Shows the next security screen if there is one. + * @param authenticated true if the user entered the correct authentication ++ * @param expectedSecurityMode SecurityMode that is invoking this request. 
SecurityMode.Invalid ++ * indicates that no check should be done + * @return true if keyguard is done + */ +- boolean showNextSecurityScreenOrFinish(boolean authenticated) { ++ boolean showNextSecurityScreenOrFinish(boolean authenticated, ++ SecurityMode expectedSecurityMode) { + if (DEBUG) Log.d(TAG, "showNextSecurityScreenOrFinish(" + authenticated + ")"); ++ if (expectedSecurityMode != SecurityMode.Invalid ++ && expectedSecurityMode != getCurrentSecurityMode()) { ++ Log.w(TAG, "Attempted to invoke showNextSecurityScreenOrFinish with securityMode " ++ + expectedSecurityMode + ", but current mode is " + getCurrentSecurityMode()); ++ return false; ++ } ++ + boolean finish = false; + boolean strongAuth = false; + if (mUpdateMonitor.getUserCanSkipBouncer( +@@ -489,8 +499,13 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + } + } + +- public void dismiss(boolean authenticated) { +- mSecurityCallback.dismiss(authenticated); ++ /** ++ * Potentially dismiss the current security screen, after validating that all device ++ * security has been unlocked. Otherwise show the next screen. 
++ */ ++ public void dismiss(boolean authenticated, ++ SecurityMode expectedSecurityMode) { ++ mSecurityCallback.dismiss(authenticated, expectedSecurityMode); + } + + public boolean isVerifyUnlockOnly() { +@@ -523,7 +538,8 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + @Override + public boolean isVerifyUnlockOnly() { return false; } + @Override +- public void dismiss(boolean securityVerified) { } ++ public void dismiss(boolean securityVerified, ++ SecurityMode expectedSecurityMode) { } + @Override + public void reset() {} + }; +@@ -568,8 +584,9 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + return mCurrentSecuritySelection; + } + +- public void dismiss(boolean authenticated) { +- mCallback.dismiss(authenticated); ++ public void dismiss(boolean authenticated, ++ SecurityMode expectedSecurityMode) { ++ mCallback.dismiss(authenticated, expectedSecurityMode); + } + + public boolean needsInput() { +diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardSimPinView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardSimPinView.java +index 209d0fdae71f..06cc154fbaac 100644 +--- a/packages/Keyguard/src/com/android/keyguard/KeyguardSimPinView.java ++++ b/packages/Keyguard/src/com/android/keyguard/KeyguardSimPinView.java +@@ -20,6 +20,7 @@ import com.android.internal.telephony.ITelephony; + import com.android.internal.telephony.IccCardConstants; + import com.android.internal.telephony.IccCardConstants.State; + import com.android.internal.telephony.PhoneConstants; ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + + import android.content.Context; + import android.content.res.ColorStateList; +@@ -282,7 +283,7 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView { + mRemainingAttempts = -1; + mShowDefaultMessage = true; + if (mCallback != null) { +- mCallback.dismiss(true); ++ mCallback.dismiss(true, SecurityMode.SimPin); + } + } else { + 
mShowDefaultMessage = false; +@@ -355,5 +356,10 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView { + mSecurityMessageDisplay.setMessage(msg, true); + mSimImageView.setImageTintList(ColorStateList.valueOf(color)); + } ++ ++ @Override ++ public SecurityMode getSecurityMode() { ++ return SecurityMode.SimPin; ++ } + } + +diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardSimPukView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardSimPukView.java +index 0f0d000b1df6..a92976f31c13 100644 +--- a/packages/Keyguard/src/com/android/keyguard/KeyguardSimPukView.java ++++ b/packages/Keyguard/src/com/android/keyguard/KeyguardSimPukView.java +@@ -38,6 +38,7 @@ import com.android.internal.telephony.ITelephony; + import com.android.internal.telephony.IccCardConstants; + import com.android.internal.telephony.PhoneConstants; + import com.android.internal.telephony.IccCardConstants.State; ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + + + /** +@@ -337,7 +338,7 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView { + mRemainingAttempts = -1; + mShowDefaultMessage = true; + if (mCallback != null) { +- mCallback.dismiss(true); ++ mCallback.dismiss(true, SecurityMode.SimPuk); + } + } else { + mShowDefaultMessage = false; +@@ -424,6 +425,11 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView { + } + }.start(); + } ++ ++ @Override ++ public SecurityMode getSecurityMode() { ++ return SecurityMode.SimPuk; ++ } + } + + diff --git a/Patches/LineageOS-14.1/android_packages_apps_PackageInstaller/344187.patch b/Patches/LineageOS-14.1/android_packages_apps_PackageInstaller/344187.patch index 12732c57..06032bb0 100644 --- a/Patches/LineageOS-14.1/android_packages_apps_PackageInstaller/344187.patch +++ b/Patches/LineageOS-14.1/android_packages_apps_PackageInstaller/344187.patch 
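Review bot: In the trust-agent path of KeyguardHostView (344217.patch), `dismiss(false /* authenticated */, SecurityMode.Invalid)` relies on `Invalid` being the sentinel that switches off the new expected-mode comparison in `showNextSecurityScreenOrFinish`, and nothing at the call site says so. A short comment there, for example `// SecurityMode.Invalid: trust-agent dismissal is not tied to a security screen, so the expected-mode check is skipped`, would make it harder for a later caller to pass `Invalid` together with `authenticated == true` and bypass the guard this patch adds. The `DEBUG` log in `showNextSecurityScreenOrFinish` still prints only `authenticated`; adding `expectedSecurityMode` to it would make rejected dismiss requests easier to trace. The bodies of these methods continue outside the hunks shown.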
@@ -1,7 +1,7 @@ -From 134b1251174395e75f638d53e5449815dc965e8b Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Evan Severson Date: Tue, 30 Nov 2021 18:19:18 -0800 -Subject: [PATCH] [BACKPORT] Hide overlays on ReviewPermissionsAtivity +Subject: [PATCH] Hide overlays on ReviewPermissionsAtivity Test: atest PermissionReviewTapjackingTest Bug: 176094367 @@ -14,10 +14,10 @@ Merged-In: I9f263b947853e14d081a73ce907917e9326b6ef7 1 file changed, 4 insertions(+) diff --git a/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java b/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java -index 6bc251aed..829e81856 100644 +index b6fd0c161..bb1e1dd9a 100644 --- a/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java +++ b/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java -@@ -39,6 +39,7 @@ +@@ -39,6 +39,7 @@ import android.text.TextUtils; import android.text.style.ForegroundColorSpan; import android.util.TypedValue; import android.view.View; @@ -25,7 +25,7 @@ index 6bc251aed..829e81856 100644 import android.widget.Button; import android.widget.ImageView; import android.widget.TextView; -@@ -57,6 +58,9 @@ public final class ReviewPermissionsActivity extends Activity +@@ -58,6 +59,9 @@ public final class ReviewPermissionsActivity extends Activity protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); diff --git a/Patches/LineageOS-15.1/android_external_dtc/344161.patch b/Patches/LineageOS-15.1/android_external_dtc/344161.patch new file mode 100644 index 00000000..cc27b645 --- /dev/null +++ b/Patches/LineageOS-15.1/android_external_dtc/344161.patch 
@@ -0,0 +1,49 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Mike McTernan +Date: Fri, 22 Jul 2022 11:44:33 +0100 +Subject: [PATCH] Fix integer wrap sanitisation. + +Test: make check +Bug: 239630493 +Bug: 242096164 +Change-Id: I232155e7f7a54271a6a3e3a7cd91ed6bbabc051f +Merged-In: I232155e7f7a54271a6a3e3a7cd91ed6bbabc051f +(cherry picked from commit 05dec6d1827dc7016cad11c4ddfe8f965bceddb7) +(cherry picked from commit 61e10c9c53b170ff8a5612ba4ec79e51d58e5eb3) +Merged-In: I232155e7f7a54271a6a3e3a7cd91ed6bbabc051f +--- + libfdt/fdt.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/libfdt/fdt.c b/libfdt/fdt.c +index 5baaed3..ed7e947 100644 +--- a/libfdt/fdt.c ++++ b/libfdt/fdt.c +@@ -124,9 +124,15 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset) + lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp)); + if (!lenp) + return FDT_END; /* premature end */ +- /* skip-name offset, length and value */ +- offset += sizeof(struct fdt_property) - FDT_TAGSIZE +- + fdt32_to_cpu(*lenp); ++ ++ /* skip-name offset, length */ ++ offset += sizeof(struct fdt_property) - FDT_TAGSIZE; ++ ++ if (!fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp))) ++ return FDT_END; /* premature end */ ++ ++ /* skip value */ ++ offset += fdt32_to_cpu(*lenp); + break; + + case FDT_END: +@@ -138,7 +144,7 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset) + return FDT_END; + } + +- if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset)) ++ if (offset <= startoffset || !fdt_offset_ptr(fdt, startoffset, offset - startoffset)) + return FDT_END; /* premature end */ + + *nextoffset = FDT_TAGALIGN(offset); diff --git a/Patches/LineageOS-15.1/android_frameworks_base/344168.patch b/Patches/LineageOS-15.1/android_frameworks_base/344168.patch new file mode 100644 index 00000000..8db5b80d --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/344168.patch 
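Review bot: In the property case of `fdt_next_tag`, `fdt32_to_cpu(*lenp)` is now evaluated twice, once for the `fdt_offset_ptr` bounds check and once for `offset += ...`, and an unsigned 32-bit length is being added to what is presumably a signed `offset`. Reading it once, `uint32_t len = fdt32_to_cpu(*lenp);`, and using `len` in both places keeps the checked value and the added value visibly identical. A comment on the new `offset <= startoffset` test, such as `/* offset wrapped or failed to advance */`, would record that it is the wrap guard and not a redundant check. Whether `fdt_offset_ptr` itself rejects lengths above `INT_MAX` cannot be seen from this hunk, and the function body continues outside it.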
@@ -0,0 +1,102 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Aseem Kumar +Date: Mon, 21 Mar 2022 20:35:20 -0700 +Subject: [PATCH] DO NOT MERGE Move accountname and typeName length check from + Account.java to AccountManagerService. + +Bug: 169762606 +Test: atest AccountManagerServiceTest +Change-Id: I80fabf3a64c55837db98ff316e7e5420129c001b +(cherry picked from commit 3f218c9a5e1f7c3213ceb84c15afca0d3041057b) +Merged-In: I80fabf3a64c55837db98ff316e7e5420129c001b +--- + core/java/android/accounts/Account.java | 7 ------- + .../accounts/AccountManagerService.java | 12 ++++++++++++ + .../accounts/AccountManagerServiceTest.java | 19 +++++++++++++++++++ + 3 files changed, 31 insertions(+), 7 deletions(-) + +diff --git a/core/java/android/accounts/Account.java b/core/java/android/accounts/Account.java +index 1546ae14862d..3f90f36fb2a1 100644 +--- a/core/java/android/accounts/Account.java ++++ b/core/java/android/accounts/Account.java +@@ -28,7 +28,6 @@ import android.util.ArraySet; + import android.util.Log; + import com.android.internal.annotations.GuardedBy; + +-import java.util.Objects; + import java.util.Set; + + /** +@@ -81,12 +80,6 @@ public class Account implements Parcelable { + if (TextUtils.isEmpty(type)) { + throw new IllegalArgumentException("the type must not be empty: " + type); + } +- if (name.length() > 200) { +- throw new IllegalArgumentException("account name is longer than 200 characters"); +- } +- if (type.length() > 200) { +- throw new IllegalArgumentException("account type is longer than 200 characters"); +- } + this.name = name; + this.type = type; + this.accessId = accessId; +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index 98280d52a622..dcc571d84314 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ 
b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -1764,6 +1764,14 @@ public class AccountManagerService + if (account == null) { + return false; + } ++ if (account.name != null && account.name.length() > 200) { ++ Log.w(TAG, "Account cannot be added - Name longer than 200 chars"); ++ return false; ++ } ++ if (account.type != null && account.type.length() > 200) { ++ Log.w(TAG, "Account cannot be added - Name longer than 200 chars"); ++ return false; ++ } + if (!isLocalUnlockedUser(accounts.userId)) { + Log.w(TAG, "Account " + account + " cannot be added - user " + accounts.userId + + " is locked. callingUid=" + callingUid); +@@ -1956,6 +1964,10 @@ public class AccountManagerService + + ", pid " + Binder.getCallingPid()); + } + if (accountToRename == null) throw new IllegalArgumentException("account is null"); ++ if (newName != null && newName.length() > 200) { ++ Log.e(TAG, "renameAccount failed - account name longer than 200"); ++ throw new IllegalArgumentException("account name longer than 200"); ++ } + int userId = UserHandle.getCallingUserId(); + if (!isAccountManagedByCaller(accountToRename.type, callingUid, userId)) { + String msg = String.format( +diff --git a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java +index 791d3e997f3b..68696344220b 100644 +--- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java ++++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java +@@ -237,6 +237,25 @@ public class AccountManagerServiceTest extends AndroidTestCase { + assertEquals(a31, accounts[1]); + } + ++ @SmallTest ++ public void testCheckAddAccountLongName() throws Exception { ++ unlockSystemUser(); ++ String longString = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ + 
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ + "aaaaa"; ++ Account a11 = new Account(longString, AccountManagerServiceTestFixtures.ACCOUNT_TYPE_1); ++ ++ mAms.addAccountExplicitly(a11, /* password= */ "p11", /* extras= */ null); ++ ++ String[] list = new String[]{AccountManagerServiceTestFixtures.CALLER_PACKAGE}; ++ when(mMockPackageManager.getPackagesForUid(anyInt())).thenReturn(list); ++ Account[] accounts = mAms.getAccountsAsUser(null, ++ UserHandle.getCallingUserId(), mContext.getOpPackageName()); ++ assertEquals(0, accounts.length); ++ } ++ ++ + @SmallTest + public void testPasswords() throws Exception { + unlockSystemUser(); diff --git a/Patches/LineageOS-15.1/android_frameworks_base/344169.patch b/Patches/LineageOS-15.1/android_frameworks_base/344169.patch new file mode 100644 index 00000000..389a6ce0 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/344169.patch 
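Review bot: The `account.type` length check added to `addAccountInternal` logs the same text as the name check above it, so a rejected over-long type is misreported in the log; it should read `Log.w(TAG, "Account cannot be added - Type longer than 200 chars");`. The limit `200` is repeated as a literal in both checks and again in `renameAccount`, where a single private constant would keep the three in step. The added test `testCheckAddAccountLongName` exercises only an over-long name, so the type branch and the `renameAccount` rejection are not covered by this patch. Both service methods start and end outside the hunks shown.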
@@ -0,0 +1,141 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Thu, 23 Jun 2022 14:27:43 -0700 +Subject: [PATCH] switch TelecomManager List getters to ParceledListSlice + +It was shown that given a large phoneAccountHandles that are +over 1 mb, a TransactionTooLarge exception can be silently thrown +causing an empty list to be returned. + +In order to prevent this behavior, all Lists that return a +PhoneAccountHandle or PhoneAccount have been switched to +ParceledListSlice. + +bug: 236263294 +Test: atest android.telecom.cts.PhoneAccountRegistrarTest + #testRegisterPhoneAccountHandleWithFieldOverLimit +Change-Id: I025245b2a6f8cfaca86f268851a9d8f0817e07dd +Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd +(cherry picked from commit 773cddde3d522606ff032fe8e432321c70edca09) +Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd +--- + telecomm/java/android/telecom/TelecomManager.java | 14 ++++++++------ + .../android/internal/telecom/ITelecomService.aidl | 13 +++++++------ + 2 files changed, 15 insertions(+), 12 deletions(-) + +diff --git a/telecomm/java/android/telecom/TelecomManager.java b/telecomm/java/android/telecom/TelecomManager.java +index 6dc3f917533a..b2734cecf4a6 100644 +--- a/telecomm/java/android/telecom/TelecomManager.java ++++ b/telecomm/java/android/telecom/TelecomManager.java +@@ -791,7 +791,7 @@ public class TelecomManager { + try { + if (isServiceConnected()) { + return getTelecomService().getPhoneAccountsSupportingScheme(uriScheme, +- mContext.getOpPackageName()); ++ mContext.getOpPackageName()).getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getPhoneAccountsSupportingScheme", e); +@@ -833,7 +833,8 @@ public class TelecomManager { + public List getSelfManagedPhoneAccounts() { + try { + if (isServiceConnected()) { +- return getTelecomService().getSelfManagedPhoneAccounts(mContext.getOpPackageName()); ++ return getTelecomService() ++ 
.getSelfManagedPhoneAccounts(mContext.getOpPackageName()).getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getSelfManagedPhoneAccounts()", e); +@@ -852,7 +853,7 @@ public class TelecomManager { + try { + if (isServiceConnected()) { + return getTelecomService().getCallCapablePhoneAccounts( +- includeDisabledAccounts, mContext.getOpPackageName()); ++ includeDisabledAccounts, mContext.getOpPackageName()).getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getCallCapablePhoneAccounts(" + +@@ -872,7 +873,8 @@ public class TelecomManager { + public List getPhoneAccountsForPackage() { + try { + if (isServiceConnected()) { +- return getTelecomService().getPhoneAccountsForPackage(mContext.getPackageName()); ++ return getTelecomService() ++ .getPhoneAccountsForPackage(mContext.getPackageName()).getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getPhoneAccountsForPackage", e); +@@ -926,7 +928,7 @@ public class TelecomManager { + public List getAllPhoneAccounts() { + try { + if (isServiceConnected()) { +- return getTelecomService().getAllPhoneAccounts(); ++ return getTelecomService().getAllPhoneAccounts().getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getAllPhoneAccounts", e); +@@ -944,7 +946,7 @@ public class TelecomManager { + public List getAllPhoneAccountHandles() { + try { + if (isServiceConnected()) { +- return getTelecomService().getAllPhoneAccountHandles(); ++ return getTelecomService().getAllPhoneAccountHandles().getList(); + } + } catch (RemoteException e) { + Log.e(TAG, "Error calling ITelecomService#getAllPhoneAccountHandles", e); +diff --git a/telecomm/java/com/android/internal/telecom/ITelecomService.aidl b/telecomm/java/com/android/internal/telecom/ITelecomService.aidl +index 8ebac2c6273a..64a9b2bd0d84 100644 +--- a/telecomm/java/com/android/internal/telecom/ITelecomService.aidl ++++ 
b/telecomm/java/com/android/internal/telecom/ITelecomService.aidl +@@ -23,6 +23,7 @@ import android.telecom.PhoneAccountHandle; + import android.net.Uri; + import android.os.Bundle; + import android.telecom.PhoneAccount; ++import android.content.pm.ParceledListSlice; + + /** + * Interface used to interact with Telecom. Mostly this is used by TelephonyManager for passing +@@ -55,24 +56,24 @@ interface ITelecomService { + /** + * @see TelecomServiceImpl#getCallCapablePhoneAccounts + */ +- List getCallCapablePhoneAccounts( ++ ParceledListSlice getCallCapablePhoneAccounts( + boolean includeDisabledAccounts, String callingPackage); + + /** + * @see TelecomServiceImpl#getSelfManagedPhoneAccounts + */ +- List getSelfManagedPhoneAccounts(String callingPackage); ++ ParceledListSlice getSelfManagedPhoneAccounts(String callingPackage); + + /** + * @see TelecomManager#getPhoneAccountsSupportingScheme + */ +- List getPhoneAccountsSupportingScheme(in String uriScheme, ++ ParceledListSlice getPhoneAccountsSupportingScheme(in String uriScheme, + String callingPackage); + + /** + * @see TelecomManager#getPhoneAccountsForPackage + */ +- List getPhoneAccountsForPackage(in String packageName); ++ ParceledListSlice getPhoneAccountsForPackage(in String packageName); + + /** + * @see TelecomManager#getPhoneAccount +@@ -87,12 +88,12 @@ interface ITelecomService { + /** + * @see TelecomManager#getAllPhoneAccounts + */ +- List getAllPhoneAccounts(); ++ ParceledListSlice getAllPhoneAccounts(); + + /** + * @see TelecomManager#getAllPhoneAccountHandles + */ +- List getAllPhoneAccountHandles(); ++ ParceledListSlice getAllPhoneAccountHandles(); + + /** + * @see TelecomServiceImpl#getSimCallManager diff --git a/Patches/LineageOS-15.1/android_frameworks_base/344170-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/344170-backport.patch new file mode 100644 index 00000000..769e4118 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/344170-backport.patch 
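Review bot: Each rewritten getter in TelecomManager calls `.getList()` directly on the Binder return value, for example `getTelecomService().getAllPhoneAccounts().getList()`, inside a `try` that catches only `RemoteException`. If the service side can ever return a null `ParceledListSlice` (not visible here), the caller gets a `NullPointerException` instead of falling through to whatever follows the catch block. A local plus a null test, `ParceledListSlice slice = getTelecomService().getAllPhoneAccounts();` followed by `if (slice != null) return slice.getList();`, would keep the old failure behaviour. The AIDL return types change in the same patch, so the service implementation has to change in step; that code is outside this diff.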
@@ -0,0 +1,84 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Louis Chang
+Date: Tue, 2 Aug 2022 03:33:39 +0000
+Subject: [PATCH] Do not send new Intent to non-exported activity when
+ navigateUpTo
+
+The new Intent was delivered to a non-exported activity while
+'#navigateUpTo was called from an Activity of a different uid.
+
+Backport to pie:
+ * services/core/java/com/android/server/am directory (not wm)
+ * back port of getPid() method
+
+Bug: 238605611
+Test: atest StartActivityTests
+Change-Id: I854dd825bfd9a2c08851980d480d1f3a177af6cf
+Merged-In: I854dd825bfd9a2c08851980d480d1f3a177af6cf
+(cherry picked from commit b9a934064598aa655fab4ce75c8eab6165409670)
+Merged-In: I854dd825bfd9a2c08851980d480d1f3a177af6cf
+---
+ .../com/android/server/am/ActivityRecord.java | 4 ++++
+ .../com/android/server/am/ActivityStack.java | 18 +++++++++++++++++-
+ .../com/android/server/am/ProcessRecord.java | 4 ++++
+ 3 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityRecord.java b/services/core/java/com/android/server/am/ActivityRecord.java
+index 081a4eb0d245..72e03209bfbc 100644
+--- a/services/core/java/com/android/server/am/ActivityRecord.java
++++ b/services/core/java/com/android/server/am/ActivityRecord.java
+@@ -2829,6 +2829,10 @@ final class ActivityRecord extends ConfigurationContainer implements AppWindowCo
+ return info.applicationInfo.uid;
+ }
+
++ int getPid() {
++ return app != null ? app.getPid() : 0;
++ }
++
+ void setShowWhenLocked(boolean showWhenLocked) {
+ mShowWhenLocked = showWhenLocked;
+ }
+diff --git a/services/core/java/com/android/server/am/ActivityStack.java b/services/core/java/com/android/server/am/ActivityStack.java
+index c1ea022f1c11..5e8b8cb464a1 100644
+--- a/services/core/java/com/android/server/am/ActivityStack.java
++++ b/services/core/java/com/android/server/am/ActivityStack.java
+@@ -4024,7 +4024,23 @@ class ActivityStack extends ConfigurationContai
+ parentLaunchMode == ActivityInfo.LAUNCH_SINGLE_TASK ||
+ parentLaunchMode == ActivityInfo.LAUNCH_SINGLE_TOP ||
+ (destIntentFlags & Intent.FLAG_ACTIVITY_CLEAR_TOP) != 0) {
+- parent.deliverNewIntentLocked(callingUid, destIntent, srec.packageName);
++ boolean abort;
++ try {
++ final int callingPid = srec.app != null ? srec.app.getPid() : 0;
++ abort = !mStackSupervisor.checkStartAnyActivityPermission(destIntent,
++ parent.info, null /* resultWho */, -1 /* requestCode */, callingPid,
++ callingUid, srec.info.packageName, false /* ignoreTargetSecurity */,
++ srec.app, null /* resultRecord */, null /* resultStack */,
++ null /* options */);
++ } catch (SecurityException e) {
++ abort = true;
++ }
++ if (abort) {
++ android.util.EventLog.writeEvent(0x534e4554, "238605611", callingUid, "");
++ foundParentInTask = false;
++ } else {
++ parent.deliverNewIntentLocked(callingUid, destIntent, srec.packageName);
++ }
+ } else {
+ try {
+ ActivityInfo aInfo = AppGlobals.getPackageManager().getActivityInfo(
+diff --git a/services/core/java/com/android/server/am/ProcessRecord.java b/services/core/java/com/android/server/am/ProcessRecord.java
+index 411e973de032..7e037eea285c 100644
+--- a/services/core/java/com/android/server/am/ProcessRecord.java
++++ b/services/core/java/com/android/server/am/ProcessRecord.java
+@@ -455,6 +455,10 @@ final class ProcessRecord {
+ stringName = null;
+ }
+
++ public int getPid() {
++ return pid;
++ }
++
+ public void makeActive(IApplicationThread
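Review bot: The new block in ActivityStack computes `final int callingPid = srec.app != null ? srec.app.getPid() : 0;` inline even though this same patch adds `ActivityRecord.getPid()` with exactly that null handling, so `final int callingPid = srec.getPid();` would keep the fallback in one place. The `catch (SecurityException e)` only sets `abort = true`, which discards the reason for the denial; a comment such as `// Denied: treat as "no parent found"; the attempt is recorded via EventLog below` would show the swallow is deliberate. The literal `0x534e4554` (ASCII "SNET") also deserves a comment or a named constant. The enclosing method starts and ends outside this hunk, so how the permission check treats a `callingPid` of 0 cannot be confirmed from here.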
_thread, ProcessStatsService tracker) {
+ if (thread == null) {
+ final ProcessState origBase = baseProcessTracker;
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/344171-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/344171-backport.patch
new file mode 100644
index 00000000..a938bb06
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/344171-backport.patch
@@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Norman
+Date: Fri, 12 Aug 2022 11:40:41 -0700
+Subject: [PATCH] Do not send AccessibilityEvent if notification is for
+ different user.
+
+Bug: 237540408
+Test: BuzzBeepBlinkTest#testA11yCrossUserEventNotSent
+Change-Id: I62a875e26e214847ec72ce3c41b4f2fa8e597e07
+Merged-In: I62a875e26e214847ec72ce3c41b4f2fa8e597e07
+(cherry picked from commit 18f2ec86d680bff26ce9248061878894ad16e05f)
+Merged-In: I62a875e26e214847ec72ce3c41b4f2fa8e597e07
+---
+ .../notification/NotificationManagerService.java | 3 ++-
+ .../server/notification/BuzzBeepBlinkTest.java | 15 +++++++++++++++
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
+index 9e63265e4e93..ee0c3c1b7bc2 100755
+--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
+@@ -4097,7 +4097,8 @@ public class NotificationManagerService extends SystemService {
+ boolean sentAccessibilityEvent = false;
+ // If the notification will appear in the status bar, it should send an accessibility
+ // event
+- if (!record.isUpdate && record.getImportance() > IMPORTANCE_MIN) {
++ if (!record.isUpdate && record.getImportance() > IMPORTANCE_MIN
++ && isNotificationForCurrentUser(record)) {
+ sendAccessibilityEvent(record);
+ sentAccessibilityEvent = true;
+ }
+diff --git a/services/tests/notification/src/com/android/server/notification/BuzzBeepBlinkTest.java b/services/tests/notification/src/com/android/server/notification/BuzzBeepBlinkTest.java
+index 0b4d61fb783e..6c6fbcd0afe4 100644
+--- a/services/tests/notification/src/com/android/server/notification/BuzzBeepBlinkTest.java
++++
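Review bot: The comment above the changed condition still reads `// If the notification will appear in the status bar, it should send an accessibility event`, which no longer describes the check now that `isNotificationForCurrentUser(record)` is part of it. Something like `// Send an accessibility event only for a new notification that will appear in the status bar and belongs to the current user` keeps the comment truthful about the cross-user filter this patch adds. `isNotificationForCurrentUser` is defined outside this hunk, so how it treats profiles of the current user cannot be checked from here.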
b/services/tests/notification/src/com/android/server/notification/BuzzBeepBlinkTest.java
+@@ -934,6 +934,21 @@ public class BuzzBeepBlinkTest extends NotificationTestCase {
+ verify(mAccessibilityService, times(1)).sendAccessibilityEvent(any(), anyInt());
+ }
+
++ @Test
++ public void testA11yCrossUserEventNotSent() throws Exception {
++ final Notification n = new Builder(getContext(), "test")
++ .setSmallIcon(android.R.drawable.sym_def_app_icon).build();
++ int userId = mUser.getIdentifier() + 1;
++ StatusBarNotification sbn = new StatusBarNotification(mPkg, mPkg, 0, mTag, mUid,
++ mPid, n, UserHandle.of(userId), null, System.currentTimeMillis());
++ NotificationRecord r = new NotificationRecord(getContext(), sbn,
++ new NotificationChannel("test", "test", IMPORTANCE_HIGH));
++
++ mService.buzzBeepBlinkLocked(r);
++
++ verify(mAccessibilityService, never()).sendAccessibilityEvent(any(), anyInt());
++ }
++
+ static class VibrateRepeatMatcher implements ArgumentMatcher {
+ private final int mRepeatIndex;
+
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/344172.patch b/Patches/LineageOS-15.1/android_frameworks_base/344172.patch
new file mode 100644
index 00000000..f08d80b1
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/344172.patch
@@ -0,0 +1,126 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yuri Lin
+Date: Mon, 29 Aug 2022 17:40:14 -0400
+Subject: [PATCH] Trim any long string inputs that come in to AutomaticZenRule
+
+This change both prevents any rules from being unable to be written to
+disk and also avoids risk of running out of memory while handling all
+the zen rules.
+
+Bug: 242703460
+Bug: 242703505
+Bug: 242703780
+Bug: 242704043
+Bug: 243794204
+Test: cts AutomaticZenRuleTest; atest android.app.AutomaticZenRuleTest;
+manually confirmed each exploit example either saves the rule
+successfully with a truncated string (in the case of name & conditionId)
+or may fail to save the rule at all (if the owner/configactivity is invalid).
+Additionally ran the memory-exhausting PoC without device crashes.
+
+Change-Id: I110172a43f28528dd274b3b346eb29c3796ff2c6
+Merged-In: I110172a43f28528dd274b3b346eb29c3796ff2c6
+(cherry picked from commit de172ba0d434c940be9e2aad8685719731ab7da2)
+(cherry picked from commit c4b2c877ec28e2473104d9fcdcf321bd81da881b)
+Merged-In: I110172a43f28528dd274b3b346eb29c3796ff2c6
+---
+ core/java/android/app/AutomaticZenRule.java | 50 ++++++++++++++++++---
+ 1 file changed, 43 insertions(+), 7 deletions(-)
+
+diff --git a/core/java/android/app/AutomaticZenRule.java b/core/java/android/app/AutomaticZenRule.java
+index cd4ace669b6c..29dd91ec1ad6 100644
+--- a/core/java/android/app/AutomaticZenRule.java
++++ b/core/java/android/app/AutomaticZenRule.java
+@@ -36,6 +36,13 @@ public final class AutomaticZenRule implements Parcelable {
+ private ComponentName owner;
+ private long creationTime;
+
++ /**
++ * The maximum string length for any string contained in this automatic zen rule. This pertains
++ * both to fields in the rule itself (such as its name) and items with sub-fields.
++ * @hide
++ */
++ public static final int MAX_STRING_LENGTH = 1000;
++
+ /**
+ * Creates an automatic zen rule.
+ *
+@@ -50,9 +57,9 @@ public final class AutomaticZenRule implements Parcelable {
+ */
+ public AutomaticZenRule(String name, ComponentName owner, Uri conditionId,
+ int interruptionFilter, boolean enabled) {
+- this.name = name;
+- this.owner = owner;
+- this.conditionId = conditionId;
++ this.name = getTrimmedString(name);
++ this.owner = getTrimmedComponentName(owner);
++ this.conditionId = getTrimmedUri(conditionId);
+ this.interruptionFilter = interruptionFilter;
+ this.enabled = enabled;
+ }
+@@ -70,11 +77,11 @@ public final class AutomaticZenRule implements Parcelable {
+ public AutomaticZenRule(Parcel source) {
+ enabled = source.readInt() == 1;
+ if (source.readInt() == 1) {
+- name = source.readString();
++ name = getTrimmedString(source.readString());
+ }
+ interruptionFilter = source.readInt();
+ conditionId = source.readParcelable(null);
+- owner = source.readParcelable(null);
++ owner = getTrimmedComponentName(source.readParcelable(null));
+ creationTime = source.readLong();
+ }
+
+@@ -124,7 +131,7 @@ public final class AutomaticZenRule implements Parcelable {
+ * Sets the representation of the state that causes this rule to become active.
+ */
+ public void setConditionId(Uri conditionId) {
+- this.conditionId = conditionId;
++ this.conditionId = getTrimmedUri(conditionId);
+ }
+
+ /**
+@@ -139,7 +146,7 @@ public final class AutomaticZenRule implements Parcelable {
+ * Sets the name of this rule.
+ */
+ public void setName(String name) {
+- this.name = name;
++ this.name = getTrimmedString(name);
+ }
+
+ /**
+@@ -210,4 +217,33 @@ public final class AutomaticZenRule implements Parcelable {
+ return new AutomaticZenRule[size];
+ }
+ };
++
++ /**
++ * If the package or class name of the provided ComponentName are longer than MAX_STRING_LENGTH,
++ * return a trimmed version that truncates each of the package and class name at the max length.
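Review bot: In the `AutomaticZenRule(Parcel source)` constructor the line `conditionId = source.readParcelable(null);` is left as unchanged context, so a rule rebuilt from a Parcel keeps a conditionId of any length while `name` and `owner` are trimmed. The public constructor and `setConditionId` in this same patch both go through `getTrimmedUri`, and the Parcel constructor is where a rule arriving from another process is rebuilt, so it should match: `conditionId = getTrimmedUri(source.readParcelable(null));`. The commit message names conditionId as one of the fields expected to be truncated, which suggests the omission is unintended in this backport.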
++ */
++ private static ComponentName getTrimmedComponentName(ComponentName cn) {
++ if (cn == null) return null;
++ return new ComponentName(getTrimmedString(cn.getPackageName()),
++ getTrimmedString(cn.getClassName()));
++ }
++ /**
++ * Returns a truncated copy of the string if the string is longer than MAX_STRING_LENGTH.
++ */
++ private static String getTrimmedString(String input) {
++ if (input != null && input.length() > MAX_STRING_LENGTH) {
++ return input.substring(0, MAX_STRING_LENGTH);
++ }
++ return input;
++ }
++ /**
++ * Returns a truncated copy of the Uri by trimming the string representation to the maximum
++ * string length.
++ */
++ private static Uri getTrimmedUri(Uri input) {
++ if (input != null && input.toString().length() > MAX_STRING_LENGTH) {
++ return Uri.parse(getTrimmedString(input.toString()));
++ }
++ return input;
++ }
+ }
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/344173.patch b/Patches/LineageOS-15.1/android_frameworks_base/344173.patch
new file mode 100644
index 00000000..fa0ff05b
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/344173.patch
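Review bot: `getTrimmedUri` cuts the Uri's string form at a fixed character index and re-parses it, so the cut can fall inside a percent-escape or a surrogate pair, and the stored conditionId is then a different Uri from the one the caller supplied. The Javadoc should say so, e.g. `Note: a trimmed Uri no longer equals the original and may end in a partial escape sequence.` The method also calls `input.toString()` twice; `final String s = input.toString();` followed by a length check on `s` avoids building the string again. `getTrimmedComponentName` allocates a new ComponentName even when neither part exceeds the limit, and the three helpers are added without blank lines between them, unlike the methods shown as context elsewhere in this file.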
@@ -0,0 +1,202 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ivan Chiang +Date: Mon, 15 Aug 2022 15:09:33 +0800 +Subject: [PATCH] Check permission for VoiceInteraction + +The service must have the CAPTURE_AUDIO_HOTWORD permission to access +AlwaysOnHotwordDetector. If it doesn't have the permission, return +STATE_HARDWARE_UNAVAILABLE state. If it is not granted the +RECORD_AUDIO permisison, it also can't start to recognize the audio. + +Test: manual +Test: atest CtsVoiceInteractionTestCases +Test: atest CtsAssistTestCases +Bug: 229793943 +Change-Id: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb +Merged-In: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb +(cherry picked from commit e4e77f45700bcbc56aa6d6ffc094e0e0ae78190a) +Merged-In: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb +--- + .../voice/AlwaysOnHotwordDetector.java | 40 ++++++++++++++++++- + .../voice/VoiceInteractionService.java | 2 +- + .../VoiceInteractionManagerService.java | 14 +++++++ + 3 files changed, 53 insertions(+), 3 deletions(-) + +diff --git a/core/java/android/service/voice/AlwaysOnHotwordDetector.java b/core/java/android/service/voice/AlwaysOnHotwordDetector.java +index 9464a8754fa8..b188eb3ca898 100644 +--- a/core/java/android/service/voice/AlwaysOnHotwordDetector.java ++++ b/core/java/android/service/voice/AlwaysOnHotwordDetector.java +@@ -16,11 +16,14 @@ + + package android.service.voice; + ++import android.Manifest; + import android.annotation.IntDef; + import android.annotation.NonNull; + import android.annotation.Nullable; + import android.app.Activity; ++import android.content.Context; + import android.content.Intent; ++import android.content.pm.PackageManager; + import android.hardware.soundtrigger.IRecognitionStatusCallback; + import android.hardware.soundtrigger.KeyphraseEnrollmentInfo; + import android.hardware.soundtrigger.KeyphraseMetadata; +@@ -196,8 +199,10 @@ public class AlwaysOnHotwordDetector { + private final Callback mExternalCallback; + private 
final Object mLock = new Object(); + private final Handler mHandler; ++ private final Context mContext; + + private int mAvailability = STATE_NOT_READY; ++ private boolean mIsGrantedHotwordPermission; + + /** + * Additional payload for {@link Callback#onDetected}. +@@ -324,19 +329,32 @@ public class AlwaysOnHotwordDetector { + public abstract void onRecognitionResumed(); + } + ++ private static boolean hasHotwordPermission(Context context) { ++ return context.checkSelfPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD) ++ == PackageManager.PERMISSION_GRANTED; ++ } ++ ++ private static boolean hasRecordAudioPermission(Context context) { ++ return context.checkSelfPermission(Manifest.permission.RECORD_AUDIO) ++ == PackageManager.PERMISSION_GRANTED; ++ } ++ + /** ++ * @param context The context to check permission + * @param text The keyphrase text to get the detector for. + * @param locale The java locale for the detector. + * @param callback A non-null Callback for receiving the recognition events. ++ * @param keyphraseEnrollmentInfo The Enrollment info of key phrase + * @param voiceInteractionService The current voice interaction service. + * @param modelManagementService A service that allows management of sound models. 
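Review bot: `mIsGrantedHotwordPermission` is declared as a mutable `private boolean`, yet in the hunks shown it is assigned only once, in the constructor, and is read outside `synchronized (mLock)`. Declaring it `private final boolean mIsGrantedHotwordPermission;` with a comment such as `// Snapshot of CAPTURE_AUDIO_HOTWORD taken at construction; RECORD_AUDIO is re-checked on every call` would document why the two permissions are handled differently. The class body continues outside this hunk, so any other writer of the field is not visible here.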
+ * + * @hide + */ +- public AlwaysOnHotwordDetector(String text, Locale locale, Callback callback, ++ public AlwaysOnHotwordDetector(Context context, String text, Locale locale, Callback callback, + KeyphraseEnrollmentInfo keyphraseEnrollmentInfo, + IVoiceInteractionService voiceInteractionService, + IVoiceInteractionManagerService modelManagementService) { ++ mContext = context; + mText = text; + mLocale = locale; + mKeyphraseEnrollmentInfo = keyphraseEnrollmentInfo; +@@ -346,6 +364,7 @@ public class AlwaysOnHotwordDetector { + mInternalCallback = new SoundTriggerListener(mHandler); + mVoiceInteractionService = voiceInteractionService; + mModelManagementService = modelManagementService; ++ mIsGrantedHotwordPermission = hasHotwordPermission(mContext); + new RefreshAvailabiltyTask().execute(); + } + +@@ -402,6 +421,12 @@ public class AlwaysOnHotwordDetector { + */ + public boolean startRecognition(@RecognitionFlags int recognitionFlags) { + if (DBG) Slog.d(TAG, "startRecognition(" + recognitionFlags + ")"); ++ ++ if (!mIsGrantedHotwordPermission || !hasRecordAudioPermission(mContext)) { ++ throw new IllegalStateException("Must have the RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD " ++ + "permissions to access the detector."); ++ } ++ + synchronized (mLock) { + if (mAvailability == STATE_INVALID) { + throw new IllegalStateException("startRecognition called on an invalid detector"); +@@ -430,6 +455,12 @@ public class AlwaysOnHotwordDetector { + */ + public boolean stopRecognition() { + if (DBG) Slog.d(TAG, "stopRecognition()"); ++ ++ if (!mIsGrantedHotwordPermission || !hasRecordAudioPermission(mContext)) { ++ throw new IllegalStateException("Must have the RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD " ++ + "permissions to access the detector."); ++ } ++ + synchronized (mLock) { + if (mAvailability == STATE_INVALID) { + throw new IllegalStateException("stopRecognition called on an invalid detector"); +@@ -546,7 +577,8 @@ public class AlwaysOnHotwordDetector { + synchronized 
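Review bot: The permission guard added to `stopRecognition` rejects the call when RECORD_AUDIO is missing, so a service whose grant is revoked while recognition is running appears unable to stop it through this API; the server-side `stopRecognition` hunk later in this patch enforces the same pair of permissions. If teardown on revocation happens elsewhere, a comment such as `// Also rejects stop after RECORD_AUDIO is revoked; the system is expected to tear recognition down in that case` would record the assumption. The identical guard and message are repeated in `startRecognition`, so a single private helper would keep the check in one place. Neither method's Javadoc is inside its hunk, so confirm it lists the new `IllegalStateException`.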
(mLock) { + if (mAvailability == STATE_INVALID + || mAvailability == STATE_HARDWARE_UNAVAILABLE +- || mAvailability == STATE_KEYPHRASE_UNSUPPORTED) { ++ || mAvailability == STATE_KEYPHRASE_UNSUPPORTED ++ || !hasRecordAudioPermission(mContext)) { + Slog.w(TAG, "Received onSoundModelsChanged for an unsupported keyphrase/config"); + return; + } +@@ -717,6 +749,10 @@ public class AlwaysOnHotwordDetector { + * @return The initial availability without checking the enrollment status. + */ + private int internalGetInitialAvailability() { ++ if (!mIsGrantedHotwordPermission) { ++ return STATE_HARDWARE_UNAVAILABLE; ++ } ++ + synchronized (mLock) { + // This detector has already been invalidated. + if (mAvailability == STATE_INVALID) { +diff --git a/core/java/android/service/voice/VoiceInteractionService.java b/core/java/android/service/voice/VoiceInteractionService.java +index 8f79bcffa776..409d8ddddc2d 100644 +--- a/core/java/android/service/voice/VoiceInteractionService.java ++++ b/core/java/android/service/voice/VoiceInteractionService.java +@@ -272,7 +272,7 @@ public class VoiceInteractionService extends Service { + synchronized (mLock) { + // Allow only one concurrent recognition via the APIs. 
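Review bot: The new `|| !hasRecordAudioPermission(mContext)` operand shares the existing warning `Received onSoundModelsChanged for an unsupported keyphrase/config`, so a missing RECORD_AUDIO grant is logged as a keyphrase problem. A separate early return with `Slog.w(TAG, "Ignoring onSoundModelsChanged: RECORD_AUDIO not granted");` keeps the two causes apart for anyone reading the log. The `internalGetInitialAvailability` hunk has the same diagnosability gap: it returns `STATE_HARDWARE_UNAVAILABLE` for a missing CAPTURE_AUDIO_HOTWORD grant without logging, which makes a permission failure look like absent hardware. Both method bodies extend beyond their hunks.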
+ safelyShutdownHotwordDetector(); +- mHotwordDetector = new AlwaysOnHotwordDetector(keyphrase, locale, callback, ++ mHotwordDetector = new AlwaysOnHotwordDetector(this, keyphrase, locale, callback, + mKeyphraseEnrollmentInfo, mInterface, mSystemService); + } + return mHotwordDetector; +diff --git a/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java b/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java +index 1569ac32128b..734a4dcb58df 100644 +--- a/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java ++++ b/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java +@@ -874,6 +874,9 @@ public class VoiceInteractionManagerService extends SystemService { + + @Override + public ModuleProperties getDspModuleProperties(IVoiceInteractionService service) { ++ // Allow the call if it is granted CAPTURE_AUDIO_HOTWORD. ++ enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD); ++ + // Allow the call if this is the current voice interaction service. + synchronized (this) { + if (mImpl == null || mImpl.mService == null +@@ -895,6 +898,9 @@ public class VoiceInteractionManagerService extends SystemService { + public int startRecognition(IVoiceInteractionService service, int keyphraseId, + String bcp47Locale, IRecognitionStatusCallback callback, + RecognitionConfig recognitionConfig) { ++ // Allow the call if it is granted RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD. ++ enforceAlwaysOnHotwordPermissions(); ++ + // Allow the call if this is the current voice interaction service. 
+ synchronized (this) { + if (mImpl == null || mImpl.mService == null +@@ -935,6 +941,9 @@ public class VoiceInteractionManagerService extends SystemService { + @Override + public int stopRecognition(IVoiceInteractionService service, int keyphraseId, + IRecognitionStatusCallback callback) { ++ // Allow the call if it is granted RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD. ++ enforceAlwaysOnHotwordPermissions(); ++ + // Allow the call if this is the current voice interaction service. + synchronized (this) { + if (mImpl == null || mImpl.mService == null +@@ -1142,6 +1151,11 @@ public class VoiceInteractionManagerService extends SystemService { + mSoundTriggerInternal.dump(fd, pw, args); + } + ++ private void enforceAlwaysOnHotwordPermissions() { ++ enforceCallingPermission(Manifest.permission.RECORD_AUDIO); ++ enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD); ++ } ++ + private void enforceCallingPermission(String permission) { + if (mContext.checkCallingOrSelfPermission(permission) + != PackageManager.PERMISSION_GRANTED) { diff --git a/Patches/LineageOS-15.1/android_frameworks_base/344174-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/344174-backport.patch new file mode 100644 index 00000000..1055793f --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/344174-backport.patch 
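Review bot: `enforceAlwaysOnHotwordPermissions()` is added without a comment, and the helper it relies on, `enforceCallingPermission`, uses `mContext.checkCallingOrSelfPermission(permission)`, which evaluates the service's own identity when there is no incoming Binder caller. A Javadoc such as `/** Rejects the call unless the Binder caller holds RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD; must run before any Binder.clearCallingIdentity(). */` would record that ordering requirement for the `startRecognition` and `stopRecognition` call sites added in this patch. The inline comments at those call sites and in `getDspModuleProperties` say `Allow the call if it is granted ...`, while the code is an enforcement step, so `Reject the call unless the caller holds ...` reads closer to what it does. The body of `enforceCallingPermission` is cut off by the hunk, so its failure behaviour is not visible here.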
@@ -0,0 +1,365 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Matt Pietal +Date: Thu, 18 Aug 2022 12:04:43 +0000 +Subject: [PATCH] Do not dismiss keyguard after SIM PUK unlock + +After PUK unlock, multiple calls to +KeyguardSecurityContainerController#dismiss() were being called from +the KeyguardSimPukViewController, which begins the transition to the +next security screen, if any. At the same time, other parts of the +system, also listening to SIM events, recognize the PUK unlock and +call KeyguardSecurityContainer#showSecurityScreen, which updates which +security method comes next. After boot, this should be one of PIN, +Password, Pattern, assuming they have a security method. If one of the +first dismiss() calls comes AFTER the security method changes, this is +incorrectly recognized by the code as a successful +PIN/pattern/password unlock. This causes the keyguard to be marked as +done, causing screen flickers and incorrect system state. + +The solution: every call to dismiss() should include a new parameter +for the security method used. If there is a difference between this +parameter and the current value in KeyguardSecurityContainerCallback, +ignore the request, as the system state has changed. 
+ +Bug: 218500036 +Test: atest KeyguardSecurityContainerTest + +Merged-In: I7c8714a177bc85fbce92f6e8fe911f74ca2ac243 +Change-Id: I30226bc7b5eda9480d471b35fe81e106b0491ff8 +(cherry picked from commit a30148b8a40a36cababba1ff434d053cfd7dd6e3) +Merged-In: I30226bc7b5eda9480d471b35fe81e106b0491ff8 +--- + .../keyguard/KeyguardAbsKeyInputView.java | 4 ++- + .../android/keyguard/KeyguardHostView.java | 13 +++++--- + .../com/android/keyguard/KeyguardPINView.java | 6 ++++ + .../keyguard/KeyguardPasswordView.java | 6 ++++ + .../android/keyguard/KeyguardPatternView.java | 3 +- + .../keyguard/KeyguardSecurityCallback.java | 5 ++- + .../keyguard/KeyguardSecurityContainer.java | 32 +++++++++++++++---- + .../android/keyguard/KeyguardSimPinView.java | 14 ++++++-- + .../android/keyguard/KeyguardSimPukView.java | 13 ++++++-- + 9 files changed, 77 insertions(+), 19 deletions(-) + +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java +index 8dc743d67189..42236155685b 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java +@@ -29,6 +29,7 @@ import android.view.KeyEvent; + import android.view.View; + import android.widget.LinearLayout; + ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + import com.android.internal.widget.LockPatternChecker; + import com.android.internal.widget.LockPatternUtils; + +@@ -91,6 +92,7 @@ public abstract class KeyguardAbsKeyInputView extends LinearLayout + + protected abstract int getPasswordTextViewId(); + protected abstract void resetState(); ++ protected abstract SecurityMode getSecurityMode(); + + @Override + protected void onFinishInflate() { +@@ -190,7 +192,7 @@ public abstract class KeyguardAbsKeyInputView extends LinearLayout + mCallback.reportUnlockAttempt(userId, true, 0); + if (dismissKeyguard) { + mDismissing = true; 
+- mCallback.dismiss(true, userId); ++ mCallback.dismiss(true, userId, getSecurityMode()); + } + } else { + if (isValidPassword) { +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java +index 27a3f7d44890..840483aa17a1 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java +@@ -88,7 +88,7 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback { + // the user proved presence via some other way to the trust agent. + Log.i(TAG, "TrustAgent dismissed Keyguard."); + } +- dismiss(false /* authenticated */, userId); ++ dismiss(false /* authenticated */, userId, SecurityMode.Invalid); + } else { + mViewMediatorCallback.playTrustedSound(); + } +@@ -181,12 +181,13 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback { + * @return True if the keyguard is done. 
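Review bot: The trust-agent path in KeyguardHostView now calls `dismiss(false /* authenticated */, userId, SecurityMode.Invalid);`, and per the Javadoc this patch adds to `showNextSecurityScreenOrFinish`, `SecurityMode.Invalid` means the expected-mode check is skipped. In the visible hunks this is the only caller that opts out of the new guard, so it deserves a comment at the call site, e.g. `// Not tied to a security screen: Invalid skips the expected-mode check`. Because `Invalid` doubles as the skip sentinel, any later caller passing it also bypasses the guard; a dedicated named constant or overload would make that harder to do by accident. The enclosing method starts outside the hunk.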
+ */ + public boolean dismiss(int targetUserId) { +- return dismiss(false, targetUserId); ++ return dismiss(false, targetUserId, getCurrentSecurityMode()); + } + + public boolean handleBackKey() { + if (mSecurityContainer.getCurrentSecuritySelection() != SecurityMode.None) { +- mSecurityContainer.dismiss(false, KeyguardUpdateMonitor.getCurrentUser()); ++ mSecurityContainer.dismiss(false, KeyguardUpdateMonitor.getCurrentUser(), ++ getCurrentSecurityMode()); + return true; + } + return false; +@@ -207,8 +208,10 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback { + } + + @Override +- public boolean dismiss(boolean authenticated, int targetUserId) { +- return mSecurityContainer.showNextSecurityScreenOrFinish(authenticated, targetUserId); ++ public boolean dismiss(boolean authenticated, int targetUserId, ++ SecurityMode expectedSecurityMode) { ++ return mSecurityContainer.showNextSecurityScreenOrFinish(authenticated, targetUserId, ++ expectedSecurityMode); + } + + /** +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java +index 2527bebd32c0..1b0e8751d28b 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java +@@ -23,6 +23,7 @@ import android.view.ViewGroup; + import android.view.animation.AnimationUtils; + import android.widget.LinearLayout; + ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + import com.android.settingslib.animation.AppearAnimationUtils; + import com.android.settingslib.animation.DisappearAnimationUtils; + +@@ -207,4 +208,9 @@ public class KeyguardPINView extends KeyguardPinBasedInputView { + public boolean hasOverlappingRendering() { + return false; + } ++ ++ @Override ++ public SecurityMode getSecurityMode() { ++ return SecurityMode.PIN; ++ } + } +diff --git 
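Review bot: The override added to KeyguardPINView is `public SecurityMode getSecurityMode()`, although this patch declares the method as `protected abstract SecurityMode getSecurityMode();` in KeyguardAbsKeyInputView, so the override widens visibility for no caller shown in the diff. `protected SecurityMode getSecurityMode()` matches the declaration; the overrides added to KeyguardPasswordView and KeyguardSimPinView are `public` as well. The abstract declaration also has no Javadoc, and a line such as `/** Returns the security mode this view authenticates, passed to dismiss() as the expected mode. */` would explain why every subclass must implement it.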
a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java +index 4f6d15165fcd..fbe943587ebf 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java +@@ -36,6 +36,7 @@ import android.widget.TextView; + import android.widget.TextView.OnEditorActionListener; + + import com.android.internal.widget.TextViewInputDisabler; ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + + import java.util.List; + /** +@@ -363,4 +364,9 @@ public class KeyguardPasswordView extends KeyguardAbsKeyInputView + } + return false; + } ++ ++ @Override ++ public SecurityMode getSecurityMode() { ++ return SecurityMode.Password; ++ } + } +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java +index 8f98c781bd3d..7ddae99b973a 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java +@@ -36,6 +36,7 @@ import android.widget.LinearLayout; + import com.android.internal.widget.LockPatternChecker; + import com.android.internal.widget.LockPatternUtils; + import com.android.internal.widget.LockPatternView; ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + import com.android.settingslib.animation.AppearAnimationCreator; + import com.android.settingslib.animation.AppearAnimationUtils; + import com.android.settingslib.animation.DisappearAnimationUtils; +@@ -311,7 +312,7 @@ public class KeyguardPatternView extends LinearLayout implements KeyguardSecurit + mCallback.reportUnlockAttempt(userId, true, 0); + if (dismissKeyguard) { + mLockPatternView.setDisplayMode(LockPatternView.DisplayMode.Correct); +- mCallback.dismiss(true, userId); ++ mCallback.dismiss(true, userId, SecurityMode.Pattern); + } + } 
else { + mLockPatternView.setDisplayMode(LockPatternView.DisplayMode.Wrong); +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java +index 5b743c1a20c5..c8eec6b80897 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java +@@ -15,14 +15,17 @@ + */ + package com.android.keyguard; + ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; ++ + public interface KeyguardSecurityCallback { + + /** + * Dismiss the given security screen. + * @param securityVerified true if the user correctly entered credentials for the given screen. + * @param targetUserId a user that needs to be the foreground user at the dismissal completion. ++ * @param expectedSecurityMode The security mode that is invoking this dismiss. + */ +- void dismiss(boolean securityVerified, int targetUserId); ++ void dismiss(boolean securityVerified, int targetUserId, SecurityMode expectedSecurityMode); + + /** + * Manually report user activity to keep the device awake. +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java +index 27bc599f7f52..66fc523ad90e 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java +@@ -54,7 +54,8 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + + // Used to notify the container when something interesting happens. 
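Review bot: The new `@param expectedSecurityMode The security mode that is invoking this dismiss.` in KeyguardSecurityCallback does not tell implementers or callers what the value is used for. Judging from `showNextSecurityScreenOrFinish` in this patch, the request is dropped when the value differs from the current mode and `SecurityMode.Invalid` disables the comparison, so the Javadoc could read `@param expectedSecurityMode the security mode of the screen requesting the dismiss; the request is ignored if this differs from the current mode (SecurityMode.Invalid skips the comparison)`. `dismiss` still returns `void`, so a caller cannot tell that its request was ignored.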
+ public interface SecurityCallback { +- public boolean dismiss(boolean authenticated, int targetUserId); ++ public boolean dismiss(boolean authenticated, int targetUserId, ++ SecurityMode expectedSecurityMode); + public void userActivity(); + public void onSecurityModeChanged(SecurityMode securityMode, boolean needsInput); + +@@ -315,10 +316,20 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + * @param authenticated true if the user entered the correct authentication + * @param targetUserId a user that needs to be the foreground user at the finish (if called) + * completion. ++ * @param expectedSecurityMode SecurityMode that is invoking this request. SecurityMode.Invalid ++ * indicates that no check should be done + * @return true if keyguard is done + */ +- boolean showNextSecurityScreenOrFinish(boolean authenticated, int targetUserId) { ++ boolean showNextSecurityScreenOrFinish(boolean authenticated, int targetUserId, ++ SecurityMode expectedSecurityMode) { + if (DEBUG) Log.d(TAG, "showNextSecurityScreenOrFinish(" + authenticated + ")"); ++ if (expectedSecurityMode != SecurityMode.Invalid ++ && expectedSecurityMode != getCurrentSecurityMode()) { ++ Log.w(TAG, "Attempted to invoke showNextSecurityScreenOrFinish with securityMode " ++ + expectedSecurityMode + ", but current mode is " + getCurrentSecurityMode()); ++ return false; ++ } ++ + boolean finish = false; + boolean strongAuth = false; + if (mUpdateMonitor.getUserCanSkipBouncer(targetUserId)) { +@@ -421,8 +432,13 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + } + } + +- public void dismiss(boolean authenticated, int targetId) { +- mSecurityCallback.dismiss(authenticated, targetId); ++ /** ++ * Potentially dismiss the current security screen, after validating that all device ++ * security has been unlocked. Otherwise show the next screen. 
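Review bot: The guard at the top of `showNextSecurityScreenOrFinish` calls `getCurrentSecurityMode()` once for the comparison and again for the log message; reading it once, `final SecurityMode currentMode = getCurrentSecurityMode();`, guarantees the logged value is the one that was compared. The `DEBUG` line above it still logs only `authenticated`, so adding `expectedSecurityMode` there would make accepted and rejected requests traceable in the same place. A rejected request returns `false` with no other signal, while KeyguardAbsKeyInputView (earlier in this patch) sets `mDismissing = true` before calling `dismiss`; whether that flag is reset after a rejected dismiss is outside the visible hunks and worth confirming. The method body continues past the hunk.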
++ */ ++ public void dismiss(boolean authenticated, int targetId, ++ SecurityMode expectedSecurityMode) { ++ mSecurityCallback.dismiss(authenticated, targetId, expectedSecurityMode); + } + + public boolean isVerifyUnlockOnly() { +@@ -455,7 +471,8 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + @Override + public boolean isVerifyUnlockOnly() { return false; } + @Override +- public void dismiss(boolean securityVerified, int targetUserId) { } ++ public void dismiss(boolean securityVerified, int targetUserId, ++ SecurityMode expectedSecurityMode) { } + @Override + public void reset() {} + }; +@@ -501,8 +518,9 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe + return mCurrentSecuritySelection; + } + +- public void dismiss(boolean authenticated, int targetUserId) { +- mCallback.dismiss(authenticated, targetUserId); ++ public void dismiss(boolean authenticated, int targetUserId, ++ SecurityMode expectedSecurityMode) { ++ mCallback.dismiss(authenticated, targetUserId, expectedSecurityMode); + } + + public boolean needsInput() { +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java +index 432b4061b5d0..10adebeff90d 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java +@@ -42,6 +42,8 @@ import android.view.View; + import android.view.WindowManager; + import android.widget.ImageView; + ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; ++ + /** + * Displays a PIN pad for unlocking. + */ +@@ -69,7 +71,8 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView { + // onSimStateChanged callback can fire when the SIM PIN lock is not currently + // active and mCallback is null. 
+ if (mCallback != null) { +- mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser()); ++ mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(), ++ SecurityMode.SimPin); + } + break; + } +@@ -296,7 +299,8 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView { + if (result == PhoneConstants.PIN_RESULT_SUCCESS) { + KeyguardUpdateMonitor.getInstance(getContext()) + .reportSimUnlocked(mSubId); +- mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser()); ++ mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(), ++ SecurityMode.SimPin); + } else { + if (result == PhoneConstants.PIN_PASSWORD_INCORRECT) { + if (attemptsRemaining <= 2) { +@@ -336,5 +340,11 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView { + public boolean startDisappearAnimation(Runnable finishRunnable) { + return false; + } ++ ++ ++ @Override ++ public SecurityMode getSecurityMode() { ++ return SecurityMode.SimPin; ++ } + } + +diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java +index 7f79008b7c91..5ccae73babe4 100644 +--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java ++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java +@@ -40,6 +40,7 @@ import com.android.internal.telephony.ITelephony; + import com.android.internal.telephony.IccCardConstants; + import com.android.internal.telephony.PhoneConstants; + import com.android.internal.telephony.IccCardConstants.State; ++import com.android.keyguard.KeyguardSecurityModel.SecurityMode; + + + /** +@@ -75,7 +76,8 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView { + // mCallback can be null if onSimStateChanged callback is called when keyguard + // isn't active. 
+ if (mCallback != null) { +- mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser()); ++ mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(), ++ SecurityMode.SimPuk); + } + break; + } +@@ -359,7 +361,8 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView { + if (result == PhoneConstants.PIN_RESULT_SUCCESS) { + KeyguardUpdateMonitor.getInstance(getContext()) + .reportSimUnlocked(mSubId); +- mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser()); ++ mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(), ++ SecurityMode.SimPuk); + } else { + if (result == PhoneConstants.PIN_PASSWORD_INCORRECT) { + if (attemptsRemaining <= 2) { +@@ -402,6 +405,12 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView { + public boolean startDisappearAnimation(Runnable finishRunnable) { + return false; + } ++ ++ ++ @Override ++ public SecurityMode getSecurityMode() { ++ return SecurityMode.SimPuk; ++ } + } + + diff --git a/Patches/LineageOS-15.1/android_packages_apps_PackageInstaller/344181.patch b/Patches/LineageOS-15.1/android_packages_apps_PackageInstaller/344181.patch new file mode 100644 index 00000000..6c7e9c44 --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_apps_PackageInstaller/344181.patch 
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Evan Severson
+Date: Tue, 30 Nov 2021 18:19:18 -0800
+Subject: [PATCH] Hide overlays on ReviewPermissionsAtivity
+
+Test: atest PermissionReviewTapjackingTest
+Bug: 176094367
+Merged-In: I9f263b947853e14d081a73ce907917e9326b6ef7
+Change-Id: I9f263b947853e14d081a73ce907917e9326b6ef7
+(cherry picked from commit 725244f010c9c5ed5b169c2ec00600864fce38ab)
+Merged-In: I9f263b947853e14d081a73ce907917e9326b6ef7
+---
+ .../permission/ui/ReviewPermissionsActivity.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java b/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java
+index 4caf4ce8a..81d9d7c4c 100644
+--- a/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java
++++ b/src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java
+@@ -24,6 +24,8 @@ import android.content.pm.PackageInfo;
+ import android.content.pm.PackageManager;
+ import android.os.Bundle;
+ import android.text.TextUtils;
++import android.view.WindowManager;
++
+ import com.android.packageinstaller.DeviceUtils;
+ import com.android.packageinstaller.R;
+ import com.android.packageinstaller.permission.ui.handheld.ReviewPermissionsFragment;
+@@ -37,6 +39,9 @@ public final class ReviewPermissionsActivity extends Activity
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+
++ getWindow().addPrivateFlags(
++ WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
++
+ PackageInfo packageInfo = getTargetPackageInfo();
+ if (packageInfo == null) {
+ finish();
diff --git a/Patches/LineageOS-15.1/android_packages_providers_TelephonyProvider/344182.patch b/Patches/LineageOS-15.1/android_packages_providers_TelephonyProvider/344182.patch
new file mode 100644
index 00000000..52c634b8
--- /dev/null
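Review bot: The added `getWindow().addPrivateFlags(...)` call in `onCreate` carries no comment saying what it protects against; the only hint is the test name in the commit message. I would add `// Hide non-system overlay windows while this screen is shown so an overlay cannot cover the permission review (tapjacking).` above the call. The flag also depends on the app holding the `HIDE_NON_SYSTEM_OVERLAY_WINDOWS` permission; this patch touches only the activity, so it is worth confirming that the 15.1 manifest already declares it. `onCreate` continues past the end of the hunk.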
+++ b/Patches/LineageOS-15.1/android_packages_providers_TelephonyProvider/344182.patch 
@@ -0,0 +1,59 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Aishwarya Mallampati +Date: Wed, 17 Aug 2022 23:21:18 +0000 +Subject: [PATCH] Check dir path before updating permissions. + +Bug: 240685104 +Test: atest android.telephonyprovider.cts.MmsPartTest + atest CtsTelephonyTestCases + Sanity check - sending and receiving sms and mms manually +Change-Id: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f +Merged-In: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f +(cherry picked from commit 0c3e2ce2810e4f5988b342f96bdd600c293c3187) +Merged-In: I2c60cc2cf8f1f6890678d3cd8c6cfdf31356349f +--- + .../providers/telephony/MmsProvider.java | 23 +++++++++++++++---- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/src/com/android/providers/telephony/MmsProvider.java b/src/com/android/providers/telephony/MmsProvider.java +index 547b22e3..a804fa68 100644 +--- a/src/com/android/providers/telephony/MmsProvider.java ++++ b/src/com/android/providers/telephony/MmsProvider.java +@@ -42,7 +42,10 @@ import android.provider.Telephony.Mms.Part; + import android.provider.Telephony.Mms.Rate; + import android.provider.Telephony.MmsSms; + import android.provider.Telephony.Threads; ++import android.system.ErrnoException; ++import android.system.Os; + import android.text.TextUtils; ++import android.util.EventLog; + import android.util.Log; + + import com.google.android.mms.pdu.PduHeaders; +@@ -807,11 +810,21 @@ public class MmsProvider extends ContentProvider { + case MMS_PART_RESET_FILE_PERMISSION: + String path = getContext().getDir(PARTS_DIR_NAME, 0).getPath() + '/' + + uri.getPathSegments().get(1); +- // Reset the file permission back to read for everyone but me. 
+- int result = FileUtils.setPermissions(path, 0644, -1, -1); +- if (LOCAL_LOGV) { +- Log.d(TAG, "MmsProvider.update setPermissions result: " + result + +- " for path: " + path); ++ try { ++ String partsDirPath = getContext().getDir(PARTS_DIR_NAME, 0).getCanonicalPath(); ++ if (!new File(path).getCanonicalPath().startsWith(partsDirPath)) { ++ EventLog.writeEvent(0x534e4554, "240685104", ++ Binder.getCallingUid(), (TAG + " update: path " + path + ++ " does not start with " + partsDirPath)); ++ return 0; ++ } ++ // Reset the file permission back to read for everyone but me. ++ Os.chmod(path, 0644); ++ if (LOCAL_LOGV) { ++ Log.d(TAG, "MmsProvider.update chmod is successful for path: " + path); ++ } ++ } catch (ErrnoException | IOException e) { ++ Log.e(TAG, "Exception in chmod: " + e); + } + return 0; + diff --git a/Patches/LineageOS-15.1/android_packages_services_Telecomm/344183.patch b/Patches/LineageOS-15.1/android_packages_services_Telecomm/344183.patch new file mode 100644 index 00000000..bab04887 --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_services_Telecomm/344183.patch 
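Review bot: The containment test `new File(path).getCanonicalPath().startsWith(partsDirPath)` is a plain string-prefix match, so a canonical path in a sibling directory whose name merely begins with the parts directory name also passes; comparing against `partsDirPath + File.separator` closes that gap. The check is made on the canonical path while `Os.chmod(path, 0644)` is applied to the original, unresolved `path`, so the file that is validated and the file that is changed can differ. I would resolve once and use that value for both: `String canonicalPath = new File(path).getCanonicalPath();`, `if (!canonicalPath.startsWith(partsDirPath + File.separator)) {`, `Os.chmod(canonicalPath, 0644);`. The `update` method starts and ends outside the hunk, and the hunk adds imports only for `ErrnoException`, `Os` and `EventLog`, so `File`, `IOException` and `Binder` are presumably already imported in this branch — worth confirming for the backport.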
@@ -0,0 +1,248 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Thu, 23 Jun 2022 14:20:30 -0700 +Subject: [PATCH] switch TelecomManager List getters to ParceledListSlice + +It was shown that given a large phoneAccountHandles that are +over 1 mb, a TransactionTooLarge exception can be silently thrown +causing an empty list to be returned. + +In order to prevent this behavior, all Lists that return a +PhoneAccountHandle or PhoneAccount have been switched to +ParceledListSlice. + +bug: 236263294 +Test: atest android.telecom.cts.PhoneAccountRegistrarTest + #testRegisterPhoneAccountHandleWithFieldOverLimit +Change-Id: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015 +Merged-In: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015 +(cherry picked from commit 960147d4bba558c87a26df6f0328df637a30479b) +Merged-In: Ibc3814dabd59cf9f0f9505b88f2146a4c3c5e015 +--- + .../server/telecom/TelecomServiceImpl.java | 51 +++++++++++-------- + .../telecom/tests/TelecomServiceImplTest.java | 21 +++++--- + 2 files changed, 43 insertions(+), 29 deletions(-) + +diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java +index d5fafdf5b..e3e0a8511 100644 +--- a/src/com/android/server/telecom/TelecomServiceImpl.java ++++ b/src/com/android/server/telecom/TelecomServiceImpl.java +@@ -33,6 +33,8 @@ import android.content.Intent; + import android.content.pm.ApplicationInfo; + import android.content.pm.PackageManager; + import android.content.res.Resources; ++import android.content.pm.ParceledListSlice; ++import android.content.pm.ResolveInfo; + import android.net.Uri; + import android.os.Binder; + import android.os.Bundle; +@@ -149,19 +151,20 @@ public class TelecomServiceImpl { + } + + @Override +- public List getCallCapablePhoneAccounts( ++ public ParceledListSlice getCallCapablePhoneAccounts( + boolean includeDisabledAccounts, String callingPackage) { + try { + Log.startSession("TSI.gCCPA"); + 
if (!canReadPhoneState(callingPackage, "getDefaultOutgoingPhoneAccount")) { +- return Collections.emptyList(); ++ return ParceledListSlice.emptyList(); + } + synchronized (mLock) { + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { +- return mPhoneAccountRegistrar.getCallCapablePhoneAccounts(null, +- includeDisabledAccounts, callingUserHandle); ++ return new ParceledListSlice<>( ++ mPhoneAccountRegistrar.getCallCapablePhoneAccounts(null, ++ includeDisabledAccounts, callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getCallCapablePhoneAccounts"); + throw e; +@@ -175,7 +178,8 @@ public class TelecomServiceImpl { + } + + @Override +- public List getSelfManagedPhoneAccounts(String callingPackage) { ++ public ParceledListSlice getSelfManagedPhoneAccounts( ++ String callingPackage) { + try { + Log.startSession("TSI.gSMPA"); + if (!canReadPhoneState(callingPackage, "Requires READ_PHONE_STATE permission.")) { +@@ -185,8 +189,8 @@ public class TelecomServiceImpl { + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { +- return mPhoneAccountRegistrar.getSelfManagedPhoneAccounts( +- callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getSelfManagedPhoneAccounts(callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getSelfManagedPhoneAccounts"); + throw e; +@@ -199,10 +203,11 @@ public class TelecomServiceImpl { + } + } + ++ + @Override +- public List getPhoneAccountsSupportingScheme(String uriScheme, +- String callingPackage) { +- try { ++ public ParceledListSlice getPhoneAccountsSupportingScheme( ++ String uriScheme, String callingPackage) { ++ try { + Log.startSession("TSI.gPASS"); + try { + enforceModifyPermission( +@@ -210,15 +215,16 @@ public class TelecomServiceImpl { + } catch (SecurityException e) { + EventLog.writeEvent(0x534e4554, "62347125", Binder.getCallingUid(), + 
"getPhoneAccountsSupportingScheme: " + callingPackage); +- return Collections.emptyList(); ++ return ParceledListSlice.emptyList(); + } + + synchronized (mLock) { + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { +- return mPhoneAccountRegistrar.getCallCapablePhoneAccounts(uriScheme, false, +- callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getCallCapablePhoneAccounts(uriScheme, false, ++ callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getPhoneAccountsSupportingScheme %s", uriScheme); + throw e; +@@ -232,7 +238,8 @@ public class TelecomServiceImpl { + } + + @Override +- public List getPhoneAccountsForPackage(String packageName) { ++ public ParceledListSlice getPhoneAccountsForPackage( ++ String packageName) { + //TODO: Deprecate this in S + try { + enforceCallingPackage(packageName); +@@ -255,8 +262,8 @@ public class TelecomServiceImpl { + long token = Binder.clearCallingIdentity(); + try { + Log.startSession("TSI.gPAFP"); +- return mPhoneAccountRegistrar.getPhoneAccountsForPackage(packageName, +- callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getPhoneAccountsForPackage(packageName, callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getPhoneAccountsForPackage %s", packageName); + throw e; +@@ -307,7 +314,7 @@ public class TelecomServiceImpl { + synchronized (mLock) { + try { + // This list is pre-filtered for the calling user. 
+- return getAllPhoneAccounts().size(); ++ return getAllPhoneAccounts().getList().size(); + } catch (Exception e) { + Log.e(this, e, "getAllPhoneAccountsCount"); + throw e; +@@ -320,7 +327,7 @@ public class TelecomServiceImpl { + } + + @Override +- public List getAllPhoneAccounts() { ++ public ParceledListSlice getAllPhoneAccounts() { + synchronized (mLock) { + try { + Log.startSession("TSI.gAPA"); +@@ -336,7 +343,8 @@ public class TelecomServiceImpl { + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { +- return mPhoneAccountRegistrar.getAllPhoneAccounts(callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getAllPhoneAccounts(callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getAllPhoneAccounts"); + throw e; +@@ -350,7 +358,7 @@ public class TelecomServiceImpl { + } + + @Override +- public List getAllPhoneAccountHandles() { ++ public ParceledListSlice getAllPhoneAccountHandles() { + try { + Log.startSession("TSI.gAPAH"); + try { +@@ -366,7 +374,8 @@ public class TelecomServiceImpl { + final UserHandle callingUserHandle = Binder.getCallingUserHandle(); + long token = Binder.clearCallingIdentity(); + try { +- return mPhoneAccountRegistrar.getAllPhoneAccountHandles(callingUserHandle); ++ return new ParceledListSlice<>(mPhoneAccountRegistrar ++ .getAllPhoneAccountHandles(callingUserHandle)); + } catch (Exception e) { + Log.e(this, e, "getAllPhoneAccounts"); + throw e; +diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java +index 305475dbe..afeb7122b 100644 +--- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java ++++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java +@@ -286,9 +286,12 @@ public class TelecomServiceImplTest extends TelecomTestCase { + makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, 
SIP_PA_HANDLE_17); + + assertEquals(fullPHList, +- mTSIBinder.getCallCapablePhoneAccounts(true, DEFAULT_DIALER_PACKAGE)); +- assertEquals(smallPHList, +- mTSIBinder.getCallCapablePhoneAccounts(false, DEFAULT_DIALER_PACKAGE)); ++ mTSIBinder.getCallCapablePhoneAccounts( ++ true, DEFAULT_DIALER_PACKAGE).getList()); ++ ++ assertEquals(smallPHList, ++ mTSIBinder.getCallCapablePhoneAccounts( ++ false, DEFAULT_DIALER_PACKAGE).getList()); + } + + @SmallTest +@@ -302,7 +305,7 @@ public class TelecomServiceImplTest extends TelecomTestCase { + + List result = null; + try { +- result = mTSIBinder.getCallCapablePhoneAccounts(true, ""); ++ result = mTSIBinder.getCallCapablePhoneAccounts(true, "").getList(); + } catch (SecurityException e) { + // intended behavior + } +@@ -329,9 +332,11 @@ public class TelecomServiceImplTest extends TelecomTestCase { + makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17); + + assertEquals(telPHList, +- mTSIBinder.getPhoneAccountsSupportingScheme("tel", DEFAULT_DIALER_PACKAGE)); ++ mTSIBinder.getPhoneAccountsSupportingScheme( ++ "tel", DEFAULT_DIALER_PACKAGE).getList()); + assertEquals(sipPHList, +- mTSIBinder.getPhoneAccountsSupportingScheme("sip", DEFAULT_DIALER_PACKAGE)); ++ mTSIBinder.getPhoneAccountsSupportingScheme( ++ "sip", DEFAULT_DIALER_PACKAGE).getList()); + } + + @SmallTest +@@ -346,7 +351,7 @@ public class TelecomServiceImplTest extends TelecomTestCase { + makeAccountsVisibleToAllUsers(TEL_PA_HANDLE_16, SIP_PA_HANDLE_17); + assertEquals(phoneAccountHandleList, + mTSIBinder.getPhoneAccountsForPackage( +- TEL_PA_HANDLE_16.getComponentName().getPackageName())); ++ TEL_PA_HANDLE_16.getComponentName().getPackageName()).getList()); + } + + @SmallTest +@@ -367,7 +372,7 @@ public class TelecomServiceImplTest extends TelecomTestCase { + when(mFakePhoneAccountRegistrar.getAllPhoneAccounts(any(UserHandle.class))) + .thenReturn(phoneAccountList); + +- assertEquals(2, mTSIBinder.getAllPhoneAccounts().size()); ++ assertEquals(2, 
mTSIBinder.getAllPhoneAccounts().getList().size()); + } + + @SmallTest diff --git a/Patches/LineageOS-15.1/android_system_bt/344184.patch b/Patches/LineageOS-15.1/android_system_bt/344184.patch new file mode 100644 index 00000000..3234d20e --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/344184.patch @@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Fri, 12 Aug 2022 17:26:19 +0000 +Subject: [PATCH] Add negative length check in process_service_search_rsp + +Bug: 225876506 +Test: run supplied POC (updated to Android T) +Tag: #security +Ignore-AOSP-First: Security +Change-Id: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca +(cherry picked from commit 18d69eb958493d4879786e2edb42ff4e60334a2f) +Merged-In: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca +--- + stack/sdp/sdp_discovery.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc +index dcacda832..11491f790 100644 +--- a/stack/sdp/sdp_discovery.cc ++++ b/stack/sdp/sdp_discovery.cc +@@ -289,7 +289,7 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, + + orig = p_ccb->num_handles; + p_ccb->num_handles += cur_handles; +- if (p_ccb->num_handles == 0) { ++ if (p_ccb->num_handles == 0 || p_ccb->num_handles < orig) { + SDP_TRACE_WARNING("SDP - Rcvd ServiceSearchRsp, no matches"); + sdp_disconnect(p_ccb, SDP_NO_RECS_MATCH); + return; diff --git a/Patches/LineageOS-15.1/android_system_bt/344185.patch b/Patches/LineageOS-15.1/android_system_bt/344185.patch new file mode 100644 index 00000000..f45ac799 --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/344185.patch 
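Review bot: The new `p_ccb->num_handles < orig` test catches the counter wrapping after `num_handles += cur_handles`, but it shares the existing branch, so a wrapped count is logged as "no matches" and closed with `SDP_NO_RECS_MATCH`, exactly like an empty response. A separate branch with its own message, for example `SDP_TRACE_WARNING("SDP - Rcvd ServiceSearchRsp, num_handles wrapped");`, would let a malformed response be told apart from an empty one in logs. `process_service_search_rsp` starts and ends outside the hunk, so whether `cur_handles` is bounded earlier cannot be seen from here.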
@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Sat, 13 Aug 2022 02:01:14 +0000
+Subject: [PATCH] Add buffer in pin_reply in bluetooth.cc
+
+Bug: 228602963
+Test: make
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I2a2c9a106a485c319841491f7acc2d667e4d0e75
+(cherry picked from commit 0dc1c1c34961822f2f3f0a1e8e0b4819c823951b)
+Merged-In: I2a2c9a106a485c319841491f7acc2d667e4d0e75
+---
+ btif/src/bluetooth.cc | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
+index 38f992b9c..1121a587d 100644
+--- a/btif/src/bluetooth.cc
++++ b/btif/src/bluetooth.cc
+@@ -285,10 +285,12 @@ static int get_connection_state(const RawAddress* bd_addr) {
+
+ static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len,
+ bt_pin_code_t* pin_code) {
++ bt_pin_code_t tmp_pin_code;
+ /* sanity check */
+ if (interface_ready() == false) return BT_STATUS_NOT_READY;
+
+- return btif_dm_pin_reply(bd_addr, accept, pin_len, pin_code);
++ memcpy(&tmp_pin_code, pin_code, pin_len);
++ return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code);
+ }
+
+ static int ssp_reply(const RawAddress* bd_addr, bt_ssp_variant_t variant,
diff --git a/Patches/LineageOS-15.1/android_system_nfc/332458-backport.patch b/Patches/LineageOS-15.1/android_system_nfc/332458-backport.patch
new file mode 100644
index 00000000..13ab96a6
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_system_nfc/332458-backport.patch
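Review bot: `memcpy(&tmp_pin_code, pin_code, pin_len)` copies a caller-supplied `uint8_t pin_len` into the fixed-size local `tmp_pin_code` with no upper bound, and `pin_code` is dereferenced without a null check, so the new copy can write past the stack buffer whenever `pin_len` exceeds `sizeof(bt_pin_code_t)`. I would add `if (pin_code == nullptr || pin_len > sizeof(tmp_pin_code)) return BT_STATUS_PARM_INVALID;` before the `memcpy`. Declaring the local as `bt_pin_code_t tmp_pin_code = {};` would also keep uninitialised stack bytes beyond `pin_len` from being handed to `btif_dm_pin_reply`.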
@@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Thu, 17 Mar 2022 15:39:20 -0700 +Subject: [PATCH] Out of Bounds Read in nfa_dm_check_set_config + +Bug: 221216105 +Test: build ok +Change-Id: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229 +(cherry picked from commit 88c5c267e889699c71412022e3fcb03d20100e99) +Merged-In: I1930de8531f6c15e6be400a7b1ab3e7cf86b4229 +--- + src/nfa/dm/nfa_dm_main.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/nfa/dm/nfa_dm_main.c b/src/nfa/dm/nfa_dm_main.c +index dbc51ba..3d4114e 100644 +--- a/src/nfa/dm/nfa_dm_main.c ++++ b/src/nfa/dm/nfa_dm_main.c +@@ -27,6 +27,7 @@ + #include "nfa_dm_int.h" + #include "nfa_sys.h" + #include "nfa_sys_int.h" ++#include + + /***************************************************************************** + ** Constants and types +@@ -237,6 +238,14 @@ tNFA_STATUS nfa_dm_check_set_config(uint8_t tlv_list_len, uint8_t* p_tlv_list, + p_value = p_tlv_list + xx + 2; + p_cur_len = NULL; + ++ if (len > (tlv_list_len - xx - 2)) ++ { ++ NFA_TRACE_ERROR2 ("error: invalid TLV length: t:0x%x, l:%d", ++ type, len); ++ android_errorWriteLog(0x534e4554, "221216105"); ++ return NFA_STATUS_FAILED; ++ } ++ + switch (type) { + /* + ** Poll F Configuration diff --git a/Patches/LineageOS-15.1/android_system_nfc/344180-backport.patch b/Patches/LineageOS-15.1/android_system_nfc/344180-backport.patch new file mode 100644 index 00000000..fbaa9439 --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_nfc/344180-backport.patch 
@@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Wed, 3 Aug 2022 12:25:33 -0700 +Subject: [PATCH] OOBW in phNxpNciHal_write_unlocked() + +Bug: 230356196 +Test: builds ok +Merged-In: Ief580984ad58dbc7c57c2537c511d6b81c91b581 +Change-Id: I7f22b9ce4a7f101a9218de746b71def74a5efa8c +(cherry picked from commit a0c461b91a67f6ee0e86f856bcea2bdac2318491) +Merged-In: I7f22b9ce4a7f101a9218de746b71def74a5efa8c +--- + halimpl/pn54x/hal/phNxpNciHal_ext.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/halimpl/pn54x/hal/phNxpNciHal_ext.c b/halimpl/pn54x/hal/phNxpNciHal_ext.c +index 0e9f2ae..ed996e0 100644 +--- a/halimpl/pn54x/hal/phNxpNciHal_ext.c ++++ b/halimpl/pn54x/hal/phNxpNciHal_ext.c +@@ -735,7 +735,8 @@ NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data, + status = NFCSTATUS_FAILED; + } + // 2002 0904 3000 3100 3200 5000 +- else if ((p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) && ++ else if (*cmd_len <= (NCI_MAX_DATA_LEN - 1) && ++ (p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) && + ((p_cmd_data[2] == 0x09 && p_cmd_data[3] == 0x04) /*|| + (p_cmd_data[2] == 0x0D && p_cmd_data[3] == 0x04)*/ + )) { diff --git a/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/344190-backport.patch b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/344190-backport.patch new file mode 100644 index 00000000..f92bbd07 --- /dev/null +++ b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_external_libnfc-nci/344190-backport.patch 
@@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Wed, 3 Aug 2022 12:25:33 -0700 +Subject: [PATCH] OOBW in phNxpNciHal_write_unlocked() + +Bug: 230356196 +Test: builds ok +Merged-In: Ief580984ad58dbc7c57c2537c511d6b81c91b581 +Change-Id: I7f22b9ce4a7f101a9218de746b71def74a5efa8c +(cherry picked from commit a0c461b91a67f6ee0e86f856bcea2bdac2318491) +Merged-In: I7f22b9ce4a7f101a9218de746b71def74a5efa8c +--- + halimpl/pn54x/hal/phNxpNciHal_ext.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/halimpl/pn54x/hal/phNxpNciHal_ext.c b/halimpl/pn54x/hal/phNxpNciHal_ext.c +index c0145500..efad26cc 100644 +--- a/halimpl/pn54x/hal/phNxpNciHal_ext.c ++++ b/halimpl/pn54x/hal/phNxpNciHal_ext.c +@@ -811,7 +811,8 @@ NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data, + status = NFCSTATUS_FAILED; + } + // 2002 0904 3000 3100 3200 5000 +- else if ((p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) && ++ else if (*cmd_len <= (NCI_MAX_DATA_LEN - 1) && ++ (p_cmd_data[0] == 0x20 && p_cmd_data[1] == 0x02) && + ((p_cmd_data[2] == 0x09 && p_cmd_data[3] == 0x04) /*|| + (p_cmd_data[2] == 0x0D && p_cmd_data[3] == 0x04)*/ + )) { diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index 2ae53251..c39211b1 100644 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh 
@@ -166,6 +166,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/343956.patch"; #n-asb-2022-11 S applyPatch "$DOS_PATCHES/android_frameworks_base/343957.patch"; #n-asb-2022-11 Check permission for VoiceInteraction applyPatch "$DOS_PATCHES/android_frameworks_base/344188.patch"; #n-asb-2022-11 Do not send new Intent to non-exported activity when navigateUpTo applyPatch "$DOS_PATCHES/android_frameworks_base/344189.patch"; #n-asb-2022-11 Move accountname and typeName length check from Account.java to AccountManagerService. +applyPatch "$DOS_PATCHES/android_frameworks_base/344217.patch"; #n-asb-2022-11 Do not dismiss keyguard after SIM PUK unlock git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP) applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS) diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index 4805cc57..fa1f7445 100644 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -77,7 +77,7 @@ applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys t applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS) sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. awk -i inplace '!/Email/' target/product/core.mk; #Remove Email -sed -i 's/2021-10-05/2022-10-05/' core/version_defaults.mk; #Bump Security String #XXX +sed -i 's/2021-10-05/2022-11-05/' core/version_defaults.mk; #Bump Security String #XXX fi; if enterAndClear "build/soong"; then 
@@ -101,6 +101,7 @@ fi; if enterAndClear "external/dtc"; then applyPatch "$DOS_PATCHES/android_external_dtc/342096.patch"; #P_asb_2022-10 libfdt: fdt_offset_ptr(): Fix comparison warnings +applyPatch "$DOS_PATCHES/android_external_dtc/344161.patch"; #P_asb_2022-11 Fix integer wrap sanitisation. fi; if enterAndClear "external/expat"; then 
@@ -143,6 +144,13 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/335121-backport.patch"; #P_asb_ applyPatch "$DOS_PATCHES/android_frameworks_base/337991.patch"; #Q_asb_2022-09 Parcel: recycle recycles applyPatch "$DOS_PATCHES/android_frameworks_base/337992-backport.patch"; #Q_asb_2022-09 IMMS: Make IMMS PendingIntents immutable #applyPatch "$DOS_PATCHES/android_frameworks_base/337993.patch"; #Q_asb_2022-09 Remove package name from SafetyNet logs #XXX: depends on 337990 +applyPatch "$DOS_PATCHES/android_frameworks_base/344168.patch"; #P_asb_2022-11 Move accountname and typeName length check from Account.java to AccountManagerService. +applyPatch "$DOS_PATCHES/android_frameworks_base/344169.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice +applyPatch "$DOS_PATCHES/android_frameworks_base/344170-backport.patch"; #P_asb_2022-11 Do not send new Intent to non-exported activity when navigateUpTo +applyPatch "$DOS_PATCHES/android_frameworks_base/344171-backport.patch"; #P_asb_2022-11 Do not send AccessibilityEvent if notification is for different user. +applyPatch "$DOS_PATCHES/android_frameworks_base/344172.patch"; #P_asb_2022-11 Trim any long string inputs that come in to AutomaticZenRule +applyPatch "$DOS_PATCHES/android_frameworks_base/344173.patch"; #P_asb_2022-11 Check permission for VoiceInteraction +applyPatch "$DOS_PATCHES/android_frameworks_base/344174-backport.patch"; #P_asb_2022-11 Do not dismiss keyguard after SIM PUK unlock applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS) 
@@ -249,6 +257,10 @@ applyPatch "$DOS_PATCHES/android_packages_apps_LineageParts/0001-Remove_Analytic cp -f "$DOS_PATCHES_COMMON/contributors.db" assets/contributors.db; #Update contributors cloud fi; +if enterAndClear "packages/apps/PackageInstaller"; then +applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/344181.patch"; #P_asb_2022-11 Hide overlays on ReviewPermissionsAtivity +fi; + if enterAndClear "packages/apps/Nfc"; then applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/328346.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332455-backport.patch"; #n-asb-2022-06 OOB read in phNciNfc_RecvMfResp() @@ -304,8 +316,13 @@ if enterAndClear "packages/providers/MediaProvider"; then applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/0001-External_Permission.patch"; #Fix permission denial (luca.stefani) fi; +if enterAndClear "packages/providers/TelephonyProvider"; then +applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/344182.patch"; #P_asb_2022-11 Check dir path before updating permissions. +fi; + if enterAndClear "packages/services/Telecomm"; then applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332764.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10 +applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/344183.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice fi; if enterAndClear "packages/services/Telephony"; then 
@@ -323,6 +340,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/337995-backport.patch"; #Q_asb_2022-0
 applyPatch "$DOS_PATCHES/android_system_bt/337996.patch"; #Q_asb_2022-09 Fix OOB in BNEP_Write
 applyPatch "$DOS_PATCHES/android_system_bt/337997.patch"; #Q_asb_2022-09 Fix OOB in reassemble_and_dispatch
 applyPatch "$DOS_PATCHES/android_system_bt/342097.patch"; #P_asb_2022-10 Fix potential interger overflow when parsing vendor response
+applyPatch "$DOS_PATCHES/android_system_bt/344184.patch"; #P_asb_2022-11 Add negative length check in process_service_search_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/344185.patch"; #P_asb_2022-11 Add buffer in pin_reply in bluetooth.cc
 fi;
 
 if enterAndClear "system/core"; then
@@ -335,6 +354,8 @@ fi;
 
 if enterAndClear "system/nfc"; then
 applyPatch "$DOS_PATCHES/android_system_nfc/332767.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+applyPatch "$DOS_PATCHES/android_system_nfc/332458-backport.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config
+applyPatch "$DOS_PATCHES/android_system_nfc/344180-backport.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
 fi;
 
 if enterAndClear "system/sepolicy"; then
@@ -351,6 +372,7 @@ if enterAndClear "vendor/nxp/opensource/external/libnfc-nci"; then
 applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
 applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332458-backport.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config
 applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch"; #n-asb-2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/344190-backport.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
 fi;
 
 if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then
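Review bot: The system/nfc block still has no counterpart to `332459-backport.patch` (OOBR in nfc_ncif_proc_ee_discover_req()), which the vendor/nxp libnfc-nci block in the following hunk applies, even though this hunk brings the two blocks closer by backfilling `332458-backport.patch` from n-asb-2022-06. If system/nfc contains the same function, that out-of-bounds read would remain unpatched there; if the fix does not apply, a short marker such as `#XXX: 332459 not applicable to system/nfc, <reason>` would save the next reviewer the comparison. Since the 332458 line is a June 2022 fix added alongside the 2022-11 set, it is also worth a mention in the commit description so the late backfill is traceable.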
diff --git a/Scripts/LineageOS-16.0/Functions.sh b/Scripts/LineageOS-16.0/Functions.sh index 0442cd49..bf5cb19b 100644 --- a/Scripts/LineageOS-16.0/Functions.sh +++ b/Scripts/LineageOS-16.0/Functions.sh @@ -85,7 +85,7 @@ patchWorkspace() { repopick -it P_asb_2022-09 -e 342116; repopick -it P_asb_2022-10 -e 342119; repopick -it P_tzdata_2022; - repopick -it P_asb_2022-11; + repopick -it P_asb_2022-11 -e 344200; sh "$DOS_SCRIPTS/Patch.sh"; sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh"; diff --git a/Scripts/LineageOS-17.1/Functions.sh b/Scripts/LineageOS-17.1/Functions.sh index 5d689291..000ca459 100644 --- a/Scripts/LineageOS-17.1/Functions.sh +++ b/Scripts/LineageOS-17.1/Functions.sh @@ -81,9 +81,8 @@ patchWorkspace() { gpgVerifyGitTag "$DOS_BUILD_BASE/external/hardened_malloc"; gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview"; - source build/envsetup.sh; + #source build/envsetup.sh; #repopick -it ten-firewall; - repopick -it Q_asb_2022-11; repopick -it Q_tzdb2022f; sh "$DOS_SCRIPTS/Patch.sh"; diff --git a/Scripts/LineageOS-19.1/Patch.sh b/Scripts/LineageOS-19.1/Patch.sh index 6c4fe460..35ac9e9a 100644 --- a/Scripts/LineageOS-19.1/Patch.sh +++ b/Scripts/LineageOS-19.1/Patch.sh @@ -442,6 +442,10 @@ sed -i '/PRODUCT_SYSTEM_VERITY_PARTITION/iPRODUCT_VENDOR_VERITY_PARTITION := /de awk -i inplace '!/vendor_sensors_dbg_prop/' sepolicy/vendor/hal_camera_default.te; #fixup fi; +#if enterAndClear "hardware/oplus"; then +#echo "allow update_engine_common vendor_custom_ab_block_device:blk_file rw_file_perms;" >> sepolicy/qti/vendor/update_engine_common.te; #fix firmware flash denial #TODO: VERIFY ME +#fi; + if enterAndClear "kernel/fairphone/sdm632"; then sed -i 's|/../../prebuilts/tools-lineage|/../../../prebuilts/tools-lineage|' lib/Makefile; #fixup typo fi;
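Review bot: The new `-e 344200` in the LineageOS-16.0 patchWorkspace() drops one change from the P_asb_2022-11 topic without saying why, and for a security-bulletin topic that reason is exactly what a later audit needs. The two context lines above exclude 342116 and 342119 in the same undocumented way. Suggest a trailing comment, e.g. `repopick -it P_asb_2022-11 -e 344200; #XXX: 344200 excluded, <reason or replacing local patch>`. patchWorkspace() starts and ends outside the hunk.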
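Review bot: In the LineageOS-17.1 hunk, `repopick -it Q_tzdb2022f;` stays active right after `source build/envsetup.sh;` is commented out; if repopick is only made available by that script (not visible here), the call will fail, and whether that aborts or is silently skipped depends on error handling outside the hunk. Either keep the source line while any repopick call remains, or disable the remaining call too, `#repopick -it Q_tzdb2022f;`, with a word on where the tzdb update now comes from. The removed `repopick -it Q_asb_2022-11;` is presumably because the topic was merged upstream; stating that in the commit description would confirm the 2022-11 fixes are still present for 17.1. patchWorkspace() continues outside the hunk.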
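Review bot: The commented-out hardware/oplus block in the LineageOS-19.1 Patch.sh would, once enabled, append `allow update_engine_common vendor_custom_ab_block_device:blk_file rw_file_perms;` to vendor sepolicy, and the full `rw_file_perms` set on a block-device type may be more than the observed denial requires. The `#TODO: VERIFY ME` should be resolved against the actual avc denial before the block is uncommented, so that only the permissions that were denied are granted. Until then, recording the denial text in the comment would be more useful than carrying a disabled rule whose justification is not on the page.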