16.0: Picks

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-16.0/android_frameworks_av/399771.patch

@@ -0,0 +1,38 @@
+From 27b0b9e4ea4019f315bdb424a36b3182708de29f Mon Sep 17 00:00:00 2001
+From: Rakesh Kumar <rakesh.kumar@ittiam.com>
+Date: Thu, 30 May 2024 11:17:48 +0000
+Subject: [PATCH] StagefrightRecoder: Disabling B-frame support
+
+Disabling b-frame support from stagefright recorder in case of
+audio source as mic and video source is surface use case only
+because screen recorder with microphone doesn't play in sync
+if b-frame is enabled.
+If the audio source selected is INTERNAL (i.e. device) or
+MIC_AND_INTERNAL with screen recorder then b frame is supported.
+
+Bug: 288549440
+Test: manually check screen recording with audio from mic has audio/video in synch
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:af685c66bab17b71fe1624f76b5d55628f79e6fa)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:da3407f7688f35eb2dce79f1405feeb182241a3c)
+Merged-In: I4098655eb9687fb633085333bc140634441566e6
+Change-Id: I4098655eb9687fb633085333bc140634441566e6
+---
+ media/libmediaplayerservice/StagefrightRecorder.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/media/libmediaplayerservice/StagefrightRecorder.cpp b/media/libmediaplayerservice/StagefrightRecorder.cpp
+index dfc4a2a5a9f..c81643e534d 100644
+--- a/media/libmediaplayerservice/StagefrightRecorder.cpp
++++ b/media/libmediaplayerservice/StagefrightRecorder.cpp
+@@ -1759,6 +1759,11 @@ status_t StagefrightRecorder::setupVideoEncoder(
+ 
+     if (tsLayers > 1) {
+         uint32_t bLayers = std::min(2u, tsLayers - 1); // use up-to 2 B-layers
++        // TODO(b/341121900): Remove this once B frames are handled correctly in screen recorder
++        // use case in case of mic only
++        if (mAudioSource == AUDIO_SOURCE_MIC && mVideoSource == VIDEO_SOURCE_SURFACE) {
++            bLayers = 0;
++        }
+         uint32_t pLayers = tsLayers - bLayers;
+         format->setString(
+                 "ts-schema", AStringPrintf("android.generic.%u+%u", pLayers, bLayers));

Patches/LineageOS-16.0/android_frameworks_base/399769.patch

@@ -0,0 +1,65 @@
+From 23b1d07217ab29a1f9a9c4d160b15976e00c867e Mon Sep 17 00:00:00 2001
+From: Kiran S <krns@google.com>
+Date: Mon, 13 May 2024 05:49:06 +0000
+Subject: [PATCH] Restrict USB poups while setup is in progress
+
+Test: Cherry pick of http://ag/27094197
+Bug: 294105066
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2ce2e54a040342373e401f9c2e70035ede4e63ad)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ec96cc3e3a81d21f2249db381c10638bb307cf39)
+Merged-In: I7d54534696fd73f3b94c5b4250142eed9341c5d8
+Change-Id: I7d54534696fd73f3b94c5b4250142eed9341c5d8
+---
+ .../usb/UsbProfileGroupSettingsManager.java   | 21 +++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java b/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java
+index 43f189b26dfa7..20a76bafb57bf 100644
+--- a/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java
++++ b/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java
+@@ -16,6 +16,8 @@
+ 
+ package com.android.server.usb;
+ 
++import static android.provider.Settings.Secure.USER_SETUP_COMPLETE;
++
+ import static com.android.internal.app.IntentForwarderActivity.FORWARD_INTENT_TO_MANAGED_PROFILE;
+ 
+ import android.annotation.NonNull;
+@@ -41,6 +43,7 @@
+ import android.os.Environment;
+ import android.os.UserHandle;
+ import android.os.UserManager;
++import android.provider.Settings;
+ import android.service.usb.UsbProfileGroupSettingsManagerProto;
+ import android.service.usb.UsbSettingsAccessoryPreferenceProto;
+ import android.service.usb.UsbSettingsDevicePreferenceProto;
+@@ -677,10 +680,28 @@ private void resolveActivity(Intent intent, UsbDevice device, boolean showMtpNot
+             return;
+         }
+ 
++        if (shouldRestrictOverlayActivities()) {
++            return;
++        }
++
+         // Start activity with registered intent
+         resolveActivity(intent, matches, defaultActivity, device, null);
+     }
+ 
++    private boolean shouldRestrictOverlayActivities() {
++        if (Settings.Secure.getIntForUser(
++                mContext.getContentResolver(),
++                USER_SETUP_COMPLETE,
++                /* defaultValue= */ 1,
++                UserHandle.CURRENT.getIdentifier())
++                == 0) {
++            Slog.d(TAG, "restricting usb overlay activities as setup is not complete");
++            return true;
++        }
++
++        return false;
++    }
++
+     public void deviceAttachedForFixedHandler(UsbDevice device, ComponentName component) {
+         final Intent intent = createDeviceAttachedIntent(device);
+ 

Patches/LineageOS-16.0/android_frameworks_base/399770.patch

@@ -0,0 +1,33 @@
+From fe760134bfa7c0950b3474a3e5abfa0a3b7e53a7 Mon Sep 17 00:00:00 2001
+From: Linus Tufvesson <lus@google.com>
+Date: Mon, 29 Apr 2024 16:32:15 +0200
+Subject: [PATCH] Hide SAW subwindows
+
+.. when top window is hidden through Window#setHideOverlayWindows
+
+Bug: 318683640
+Test: atest CtsWindowManagerDeviceWindow:HideOverlayWindowsTest
+Flag: EXEMPT securityfix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c37bc9147086f497ac7b1595083836014f524d5f)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:89bc634cb534b8e0ffd798ac9f9f89ac1be0f785)
+Merged-In: If19240f5aec2e048de80d75cbbdc00be47622d7f
+Change-Id: If19240f5aec2e048de80d75cbbdc00be47622d7f
+---
+ services/core/java/com/android/server/wm/WindowState.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/wm/WindowState.java b/services/core/java/com/android/server/wm/WindowState.java
+index 087bd6a80c73d..74b2ef791ade6 100644
+--- a/services/core/java/com/android/server/wm/WindowState.java
++++ b/services/core/java/com/android/server/wm/WindowState.java
+@@ -2635,8 +2635,9 @@ boolean hideLw(boolean doAnimation, boolean requestAnim) {
+     }
+ 
+     void setForceHideNonSystemOverlayWindowIfNeeded(boolean forceHide) {
++        final int baseType = getBaseType();
+         if (mOwnerCanAddInternalSystemWindow
+-                || (!isSystemAlertWindowType(mAttrs.type) && mAttrs.type != TYPE_TOAST)) {
++                || (!isSystemAlertWindowType(baseType) && baseType != TYPE_TOAST)) {
+             return;
+         }
+         if (mForceHideNonSystemOverlayWindow == forceHide) {

Patches/LineageOS-16.0/android_system_bt/399772.patch

@@ -0,0 +1,60 @@
+From fdfd1f7d72871cef5f98eb6df11de7d677db6264 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Mon, 22 Apr 2024 16:43:29 +0000
+Subject: [PATCH] Fix heap-buffer overflow in sdp_utils.cc
+
+Fuzzer identifies a case where sdpu_compare_uuid_with_attr crashes with
+an out of bounds comparison.  Although the bug claims this is due to a
+comparison of a uuid with a smaller data field thana the discovery
+attribute, my research suggests that this instead stems from a
+comparison of a 128 bit UUID with a discovery attribute of some other,
+invalid size.
+
+Add checks for discovery attribute size.
+
+Bug: 287184435
+Test: atest bluetooth_test_gd_unit, net_test_stack_sdp
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:99210e2f251e2189c1eede15942c832e017404c2)
+Merged-In: Ib536cbeac454efbf6af3d713c05c8e3e077e069b
+Change-Id: Ib536cbeac454efbf6af3d713c05c8e3e077e069b
+---
+ stack/sdp/sdp_utils.cc | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/stack/sdp/sdp_utils.cc b/stack/sdp/sdp_utils.cc
+index c2c6b2763a9..a8ff41cae92 100644
+--- a/stack/sdp/sdp_utils.cc
++++ b/stack/sdp/sdp_utils.cc
+@@ -702,8 +702,28 @@ bool sdpu_compare_uuid_arrays(uint8_t* p_uuid1, uint32_t len1, uint8_t* p_uuid2,
+  ******************************************************************************/
+ bool sdpu_compare_uuid_with_attr(const Uuid& uuid, tSDP_DISC_ATTR* p_attr) {
+   int len = uuid.GetShortestRepresentationSize();
+-  if (len == 2) return uuid.As16Bit() == p_attr->attr_value.v.u16;
+-  if (len == 4) return uuid.As32Bit() == p_attr->attr_value.v.u32;
++  if (len == 2) {
++    if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == Uuid::kNumBytes16) {
++      return uuid.As16Bit() == p_attr->attr_value.v.u16;
++    } else {
++      LOG(ERROR) << "invalid length for discovery attribute";
++      return (false);
++    }
++  }
++  if (len == 4) {
++    if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == Uuid::kNumBytes32) {
++      return uuid.As32Bit() == p_attr->attr_value.v.u32;
++    } else {
++      LOG(ERROR) << "invalid length for discovery attribute";
++      return (false);
++    }
++  }
++
++  if (SDP_DISC_ATTR_LEN(p_attr->attr_len_type) != Uuid::kNumBytes128) {
++    LOG(ERROR) << "invalid length for discovery attribute";
++    return (false);
++  }
++
+   if (memcmp(uuid.To128BitBE().data(), (void*)p_attr->attr_value.v.array,
+              Uuid::kNumBytes128) == 0)
+     return (true);

Scripts/LineageOS-16.0/Patch.sh

@@ -97,7 +97,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2022-01-05/2024-07-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-07 #XXX
+sed -i 's/2022-01-05/2024-08-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-08 #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -200,6 +200,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_av/379788.patch"; #P_asb_2024-01 Fix
 applyPatch "$DOS_PATCHES/android_frameworks_av/383562.patch"; #P_asb_2024-02 Update mtp packet buffer
 applyPatch "$DOS_PATCHES/android_frameworks_av/385670.patch"; #P_asb_2024-03 Validate OMX Params for VPx encoders
 applyPatch "$DOS_PATCHES/android_frameworks_av/385671.patch"; #P_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue
+applyPatch "$DOS_PATCHES/android_frameworks_av/399771.patch"; #P_asb_2024-08 StagefrightRecoder: Disabling B-frame support
 applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; #(GrapheneOS)
 fi;
 
@@ -330,6 +331,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/394881.patch"; #P_asb_2024-06 A
 applyPatch "$DOS_PATCHES/android_frameworks_base/394882.patch"; #P_asb_2024-06 Check permissions for CDM shell commands
 applyPatch "$DOS_PATCHES/android_frameworks_base/397594.patch"; #P_asb_2024-07 Verify UID of incoming Zygote connections.
 applyPatch "$DOS_PATCHES/android_frameworks_base/397595.patch"; #P_asb_2024-07 Fix security vulnerability of non-dynamic permission removal
+applyPatch "$DOS_PATCHES/android_frameworks_base/399769.patch"; #P_asb_2024-08 Restrict USB poups while setup is in progress
+applyPatch "$DOS_PATCHES/android_frameworks_base/399770.patch"; #P_asb_2024-08 Hide SAW subwindows
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@@ -664,6 +667,7 @@ applyPatch "$DOS_PATCHES/android_system_bt/385676.patch"; #P_asb_2024-03 Fix an
 applyPatch "$DOS_PATCHES/android_system_bt/385677.patch"; #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
 applyPatch "$DOS_PATCHES/android_system_bt/385678.patch"; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
 applyPatch "$DOS_PATCHES/android_system_bt/397596.patch"; #P_asb_2024-07 Fix an authentication bypass bug in SMP
+applyPatch "$DOS_PATCHES/android_system_bt/399772.patch"; #P_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc
 #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 fi;