From a8cc390c3d1949ea52f478089e4ebd3050fe43d1 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sun, 24 Nov 2019 20:14:23 -0500
Subject: [PATCH] 14.1: cherrypicks
---
.../android_system_netd/244387.patch | 134 ------------------
.../android_system_netd/244388.patch | 52 -------
.../android_system_netd/245690.patch | 68 ---------
.../android_system_netd/245691.patch | 32 -----
Scripts/LineageOS-14.1/Functions.sh | 3 +
Scripts/LineageOS-14.1/Patch.sh | 8 --
6 files changed, 3 insertions(+), 294 deletions(-)
delete mode 100644 Patches/LineageOS-14.1/android_system_netd/244387.patch
delete mode 100644 Patches/LineageOS-14.1/android_system_netd/244388.patch
delete mode 100644 Patches/LineageOS-14.1/android_system_netd/245690.patch
delete mode 100644 Patches/LineageOS-14.1/android_system_netd/245691.patch
diff --git a/Patches/LineageOS-14.1/android_system_netd/244387.patch b/Patches/LineageOS-14.1/android_system_netd/244387.patch
deleted file mode 100644
index 6859c614..00000000
--- a/Patches/LineageOS-14.1/android_system_netd/244387.patch
+++ /dev/null
@@ -1,134 +0,0 @@ -From 5479a23bdb9fd2cbd92d7a1f35e5ecf193515d72 Mon Sep 17 00:00:00 2001 -From: Lorenzo Colitti -Date: Thu, 30 Mar 2017 02:50:09 +0900 -Subject: [PATCH] Really always allow networking on loopback. - -https://android-review.googlesource.com/#/c/294359/ attempted to -allow networking on loopback, but actually does not do anything -because no packet has both -i lo and -o lo: loopback packets have --i lo in INPUT and -o lo in OUTPUT. - -Test: bullhead builds, boots -Test: netd_{unit,integration}_test pass -Test: loopback traffic is matched by new "-i lo" and "-o lo" rules -Test: originated and received traffic is not matched by new rules -Bug: 34444781 -Change-Id: I090cbeafce5bbdcf36a7aecaafbf832feddc06e1 ---- - server/FirewallController.cpp | 3 ++- - server/FirewallControllerTest.cpp | 15 ++++++++++----- - tests/binder_test.cpp | 16 ++++++++-------- - 3 files changed, 20 insertions(+), 14 deletions(-) - -diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp -index 826cf758..ffc99e16 100644 ---- a/server/FirewallController.cpp -+++ b/server/FirewallController.cpp -@@ -301,7 +301,8 @@ std::string FirewallController::makeUidRules(IptablesTarget target, const char * - StringAppendF(&commands, "*filter\n:%s -\n", name); - - // Always allow networking on loopback. -- StringAppendF(&commands, "-A %s -i lo -o lo -j RETURN\n", name); -+ StringAppendF(&commands, "-A %s -i lo -j RETURN\n", name); -+ StringAppendF(&commands, "-A %s -o lo -j RETURN\n", name); - - // Allow TCP RSTs so we can cleanly close TCP connections of apps that no longer have network - // access. Both incoming and outgoing RSTs are allowed. 
-diff --git a/server/FirewallControllerTest.cpp b/server/FirewallControllerTest.cpp -index 7d96c61c..ba449db0 100644 ---- a/server/FirewallControllerTest.cpp -+++ b/server/FirewallControllerTest.cpp -@@ -56,7 +56,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) { - std::vector expectedRestore4 = { - "*filter", - ":fw_whitelist -", -- "-A fw_whitelist -i lo -o lo -j RETURN", -+ "-A fw_whitelist -i lo -j RETURN", -+ "-A fw_whitelist -o lo -j RETURN", - "-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN", - "-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN", - "-A fw_whitelist -j DROP", -@@ -65,7 +66,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) { - std::vector expectedRestore6 = { - "*filter", - ":fw_whitelist -", -- "-A fw_whitelist -i lo -o lo -j RETURN", -+ "-A fw_whitelist -i lo -j RETURN", -+ "-A fw_whitelist -o lo -j RETURN", - "-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN", - "-A fw_whitelist -p icmpv6 --icmpv6-type packet-too-big -j RETURN", - "-A fw_whitelist -p icmpv6 --icmpv6-type router-solicitation -j RETURN", -@@ -95,7 +97,8 @@ TEST_F(FirewallControllerTest, TestCreateBlacklistChain) { - std::vector expectedRestore = { - "*filter", - ":fw_blacklist -", -- "-A fw_blacklist -i lo -o lo -j RETURN", -+ "-A fw_blacklist -i lo -j RETURN", -+ "-A fw_blacklist -o lo -j RETURN", - "-A fw_blacklist -p tcp --tcp-flags RST RST -j RETURN", - "COMMIT\n\x04" - }; -@@ -141,7 +144,8 @@ TEST_F(FirewallControllerTest, TestReplaceWhitelistUidRule) { - std::string expected = - "*filter\n" - ":FW_whitechain -\n" -- "-A FW_whitechain -i lo -o lo -j RETURN\n" -+ "-A FW_whitechain -i lo -j RETURN\n" -+ "-A FW_whitechain -o lo -j RETURN\n" - "-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n" - "-A FW_whitechain -p icmpv6 --icmpv6-type packet-too-big -j RETURN\n" - "-A FW_whitechain -p icmpv6 --icmpv6-type router-solicitation -j RETURN\n" -@@ -168,7 +172,8 @@ TEST_F(FirewallControllerTest, TestReplaceBlacklistUidRule) { - 
std::string expected = - "*filter\n" - ":FW_blackchain -\n" -- "-A FW_blackchain -i lo -o lo -j RETURN\n" -+ "-A FW_blackchain -i lo -j RETURN\n" -+ "-A FW_blackchain -o lo -j RETURN\n" - "-A FW_blackchain -p tcp --tcp-flags RST RST -j RETURN\n" - "-A FW_blackchain -m owner --uid-owner 10023 -j DROP\n" - "-A FW_blackchain -m owner --uid-owner 10059 -j DROP\n" -diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp -index 5395f1d2..dcaf2302 100644 ---- a/tests/binder_test.cpp -+++ b/tests/binder_test.cpp -@@ -176,31 +176,31 @@ TEST_F(BinderTest, TestFirewallReplaceUidChain) { - mNetd->firewallReplaceUidChain(String16(chainName.c_str()), true, uids, &ret); - } - EXPECT_EQ(true, ret); -- EXPECT_EQ((int) uids.size() + 6, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str())); -- EXPECT_EQ((int) uids.size() + 12, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str())); -+ EXPECT_EQ((int) uids.size() + 7, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str())); -+ EXPECT_EQ((int) uids.size() + 13, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str())); - { - TimedOperation op("Clearing whitelist chain"); - mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret); - } - EXPECT_EQ(true, ret); -- EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str())); -- EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str())); -+ EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str())); -+ EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str())); - - { - TimedOperation op(StringPrintf("Programming %d-UID blacklist chain", kNumUids)); - mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, uids, &ret); - } - EXPECT_EQ(true, ret); -- EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str())); -- EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str())); -+ EXPECT_EQ((int) uids.size() + 5, 
iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str())); -+ EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str())); - - { - TimedOperation op("Clearing blacklist chain"); - mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret); - } - EXPECT_EQ(true, ret); -- EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str())); -- EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str())); -+ EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str())); -+ EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str())); - - // Check that the call fails if iptables returns an error. - std::string veryLongStringName = "netd_binder_test_UnacceptablyLongIptablesChainName"; diff --git a/Patches/LineageOS-14.1/android_system_netd/244388.patch b/Patches/LineageOS-14.1/android_system_netd/244388.patch deleted file mode 100644 index 68ea3d64..00000000 --- a/Patches/LineageOS-14.1/android_system_netd/244388.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 77894c5bfbafb8cacdefe9b60cff121e5fb88e3c Mon Sep 17 00:00:00 2001 -From: Joel Scherpelz -Date: Wed, 14 Jun 2017 10:27:47 +0900 -Subject: [PATCH] BACKPORT: Avoid netlink socket address conflict - -NetlinkManager previously bound all netlink sockets with nl_pid = -getpid(). Unfortunately only the first such socket is allowed to claim -nl_pid = getpid(). The kernel is happy to assign this value -automatically if nl_pid = 0. For more information on nl_pid see "man 7 -netlink". - -When NFLogListener was added, it created a socket with a kernel assigned -nl_pid, unfortunately the kernel assigns getpid() to the first such -socket and listener was initialized earlier in the startup process than -NetlinkManager. - -This change alters NetlinkManager to request a kernel assigned nl_pid and -defensively moves the initialization of NFLogListener later in the -startup sequence to favor proper operation of existing code in -NetlinkManager. Error logging is also slightly improved. - -Test: as follows - - built - - flashed - - booted - - "runtest -x .../netd_unit_test.cpp" passes - - "cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t - android.os.cts.StrictModeTest" passes -Bug: 62353125 - -[syphyr: Removed NFLogListener changes] -Signed-off-by: L.W. Reek - -Change-Id: I9c1c76e5769de75ff624bf43634ac4061c447a72 ---- - server/NetlinkManager.cpp | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/server/NetlinkManager.cpp b/server/NetlinkManager.cpp -index 769a80ae..5e6eaba8 100644 ---- a/server/NetlinkManager.cpp -+++ b/server/NetlinkManager.cpp -@@ -73,7 +73,8 @@ NetlinkHandler *NetlinkManager::setupSocket(int *sock, int netlinkFamily, - - memset(&nladdr, 0, sizeof(nladdr)); - nladdr.nl_family = AF_NETLINK; -- nladdr.nl_pid = getpid(); -+ // Kernel will assign a unique nl_pid if set to zero. -+ nladdr.nl_pid = 0; - nladdr.nl_groups = groups; - - if ((*sock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, netlinkFamily)) < 0) { 
diff --git a/Patches/LineageOS-14.1/android_system_netd/245690.patch b/Patches/LineageOS-14.1/android_system_netd/245690.patch
deleted file mode 100644
index 1766b57f..00000000
--- a/Patches/LineageOS-14.1/android_system_netd/245690.patch
+++ /dev/null
@@ -1,68 +0,0 @@ -From d6f2d210fe3f1b8c2c798066bfb32e2c9ec96ef4 Mon Sep 17 00:00:00 2001 -From: Sehee Park -Date: Wed, 26 Dec 2018 07:28:23 +0900 -Subject: [PATCH] Fix fortify_fatal issue during DNSServiceProcessResult() - -fd was checked at beginnig of DNSServiceProcessResult() -but fd was changed to -1. So, fortify_fatal was occured -when FD_SET() was called. -Abort message: 'FORTIFY: FD_SET: file descriptor -1 < 0' - -Test: Build -Bug: 120910016 -Bug: 121327565 -Change-Id: Ib4c8dcc08223578fb53647637b44a20a4c221050 -Merged-In: Ib4c8dcc08223578fb53647637b44a20a4c221050 -Signed-off-by: Sehee Park -(cherry picked from commit 3eeb0e6b86ac8a7f00968d0a086381e7dcd8cc2b) ---- - server/MDnsSdListener.cpp | 10 +++++++++- - server/MDnsSdListener.h | 1 + - 2 files changed, 10 insertions(+), 1 deletion(-) - -diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp -index 883fe815..e3fd66a0 100644 ---- a/server/MDnsSdListener.cpp -+++ b/server/MDnsSdListener.cpp -@@ -146,7 +146,7 @@ void MDnsSdListener::Handler::stop(SocketClient *cli, int argc, char **argv, con - return; - } - if (VDBG) ALOGD("Stopping %s with ref %p", str, ref); -- DNSServiceRefDeallocate(*ref); -+ mMonitor->deallocateServiceRef(ref); - mMonitor->freeServiceRef(requestId); - char *msg; - asprintf(&msg, "%s stopped", str); -@@ -617,7 +617,9 @@ void MDnsSdListener::Monitor::run() { - ALOGD("Monitor found [%d].revents = %d - calling ProcessResults", - i, mPollFds[i].revents); - } -+ pthread_mutex_lock(&mHeadMutex); - DNSServiceProcessResult(*(mPollRefs[i])); -+ pthread_mutex_unlock(&mHeadMutex); - mPollFds[i].revents = 0; - } - } -@@ -769,3 +771,9 @@ void MDnsSdListener::Monitor::freeServiceRef(int id) { - } - pthread_mutex_unlock(&mHeadMutex); - } -+ -+void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) { -+ pthread_mutex_lock(&mHeadMutex); -+ DNSServiceRefDeallocate(*ref); -+ pthread_mutex_unlock(&mHeadMutex); -+} -\ No newline at end of file -diff --git a/server/MDnsSdListener.h 
b/server/MDnsSdListener.h -index e9c6066a..a107d3b8 100644 ---- a/server/MDnsSdListener.h -+++ b/server/MDnsSdListener.h -@@ -76,6 +76,7 @@ class MDnsSdListener : public FrameworkListener { - static void *threadStart(void *handler); - int startService(); - int stopService(); -+ void deallocateServiceRef(DNSServiceRef* ref); - private: - void run(); - int rescan(); // returns the number of elements in the poll diff --git a/Patches/LineageOS-14.1/android_system_netd/245691.patch b/Patches/LineageOS-14.1/android_system_netd/245691.patch deleted file mode 100644 index 9c9adf82..00000000 --- a/Patches/LineageOS-14.1/android_system_netd/245691.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 728b7617dc0ec0b017740f9a78e7dcefff1afc86 Mon Sep 17 00:00:00 2001 -From: Ken Chen -Date: Sat, 26 Jan 2019 19:17:00 +0800 -Subject: [PATCH] Clear Element.mRef immediately after deallocating it - -DNSServiceRefDeallocate() and pointer dereferencing in request handler -thread are protected by two separate lock/unlock pairs on mHeadMutex. -If rescan() runs between these, it could dereference mRef, causing -a heap-use-after-free bug. - -Solution: set mRef to null immediately after freeing it. - -Bug: 121327565 -Test: build -Change-Id: I56ace2ad8a2da528afa375aefb1b9420547658a7 -(cherry picked from commit 9762bc1964a37ec56091ee2b6070e19c5206f615) ---- - server/MDnsSdListener.cpp | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp -index e3fd66a0..563e0207 100644 ---- a/server/MDnsSdListener.cpp -+++ b/server/MDnsSdListener.cpp -@@ -775,5 +775,6 @@ void MDnsSdListener::Monitor::freeServiceRef(int id) { - void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) { - pthread_mutex_lock(&mHeadMutex); - DNSServiceRefDeallocate(*ref); -+ *ref = nullptr; - pthread_mutex_unlock(&mHeadMutex); - } -\ No newline at end of file 
diff --git a/Scripts/LineageOS-14.1/Functions.sh b/Scripts/LineageOS-14.1/Functions.sh index e8bc0ad8..ad1e7dbb 100644 --- a/Scripts/LineageOS-14.1/Functions.sh +++ b/Scripts/LineageOS-14.1/Functions.sh @@ -116,6 +116,9 @@ patchWorkspace() { #repopick 212799; #alt: 212827 flac extractor CVE-2017-0592 #repopick 214125; #spellchecker: enable more wordlists repopick -it n_asb_09-2018-qcom; + repopick -it ibss-mode-nougat; + repopick -it n-unzip; + repopick -it n-netd; export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index 294c677b..6c783179 100644 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh @@ -176,14 +176,6 @@ git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS) if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS) -enterAndClear "system/netd"; -#loopback fixes -patch -p1 < "$DOS_PATCHES/android_system_netd/244387.patch"; #Really always allow networking on loopback. -patch -p1 < "$DOS_PATCHES/android_system_netd/244388.patch"; #Avoid netlink socket address conflict -#CVE-2019-2033 -patch -p1 < "$DOS_PATCHES/android_system_netd/245690.patch"; #Fix fortify_fatal issue during DNSServiceProcessResult() -patch -p1 < "$DOS_PATCHES/android_system_netd/245691.patch"; #Clear Element.mRef immediately after deallocating it - enterAndClear "system/sepolicy"; patch -p1 < "$DOS_PATCHES/android_system_sepolicy/248600.patch"; #restrict access to timing information in /proc patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
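Review bot: The three added `repopick -it` lines in patchWorkspace() select changes by Gerrit topic name, so what gets applied to system/netd is whatever the topic holds when the script runs, whereas the four patch files this commit deletes were fixed content in the repository. Two of those files were applied under a `#CVE-2019-2033` comment in Patch.sh, and nothing in the new lines records that `n-netd` now carries that fix, or what `ibss-mode-nougat` and `n-unzip` bring in. I would annotate each pick the way the neighbouring lines do and name the expected changes, for example `repopick -it n-netd; #loopback fixes + CVE-2019-2033, expect 244387 244388 245690 245691` (the numbers are taken from the deleted file names and are presumably the change ids; confirm). Whether a failed or empty pick stops the build is not visible here, since patchWorkspace() starts and ends outside the hunk; if it does not, a check after the picks that the netd changes actually landed would keep the fix from silently dropping out.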