From ab4eceb830d8ebc5f0d16e7a6377cd171c0954a4 Mon Sep 17 00:00:00 2001 From: Tad Date: Fri, 28 Apr 2023 14:42:05 -0400 Subject: [PATCH] 17.1 April ASB work Signed-off-by: Tad --- .../0007-Always_Restict_Serial.patch | 2 +- .../0014-Special_Permissions.patch | 4 +- .../android_frameworks_base/353944.patch | 76 ++++ .../android_frameworks_base/353945.patch | 33 ++ .../android_frameworks_base/353946.patch | 71 +++ .../android_frameworks_base/353947.patch | 34 ++ .../353948-backport.patch | 430 ++++++++++++++++++ .../353950-backport.patch | 134 ++++++ .../353951-backport.patch | 217 +++++++++ .../353953-backport.patch | 138 ++++++ .../0002-Random_MAC.patch | 2 +- .../353956.patch | 42 ++ .../353957-backport.patch | 47 ++ .../353959.patch | 68 +++ .../android_system_bt/353960.patch | 54 +++ .../android_system_bt/353961.patch | 34 ++ .../android_system_nfc/353962.patch | 29 ++ .../353963.patch | 45 ++ .../353964.patch | 29 ++ .../353967.patch | 34 ++ .../353968.patch | 49 ++ Scripts/LineageOS-17.1/Patch.sh | 37 +- 22 files changed, 1603 insertions(+), 6 deletions(-) create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/353944.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/353945.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/353946.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/353947.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/353948-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/353950-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/353951-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_native/353953-backport.patch create mode 100644 Patches/LineageOS-17.1/android_packages_apps_Settings/353956.patch create mode 100644 Patches/LineageOS-17.1/android_packages_providers_MediaProvider/353957-backport.patch create mode 100644 Patches/LineageOS-17.1/android_packages_services_Telecomm/353959.patch create mode 100644 Patches/LineageOS-17.1/android_system_bt/353960.patch create mode 100644 Patches/LineageOS-17.1/android_system_bt/353961.patch create mode 100644 Patches/LineageOS-17.1/android_system_nfc/353962.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/353963.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_nxp_opensource_pn5xx_halimpl/353964.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/353967.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/353968.patch diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch b/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch index 86c6bd6e..0711cfab 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch @@ -10,7 +10,7 @@ requiring the READ_PHONE_STATE permission. 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java -index bb78408617b8..9148a09271f4 100644 +index efbccb3b8f94..8d0498c0ca7f 100644 --- a/services/core/java/com/android/server/am/ActivityManagerService.java +++ b/services/core/java/com/android/server/am/ActivityManagerService.java @@ -4981,12 +4981,7 @@ public class ActivityManagerService extends IActivityManager.Stub diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0014-Special_Permissions.patch b/Patches/LineageOS-17.1/android_frameworks_base/0014-Special_Permissions.patch index 44031da8..78e47820 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Special_Permissions.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Special_Permissions.patch @@ -11,10 +11,10 @@ need to be granted by default for all apps to maintain compatibility. 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java -index 1bd1396c6d45..a3e1b685a3be 100644 +index ef97d61d26d7..6592c574c027 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java -@@ -20185,7 +20185,8 @@ public class PackageManagerService extends IPackageManager.Stub +@@ -20191,7 +20191,8 @@ public class PackageManagerService extends IPackageManager.Stub } // If this permission was granted by default, make sure it is. diff --git a/Patches/LineageOS-17.1/android_frameworks_base/353944.patch b/Patches/LineageOS-17.1/android_frameworks_base/353944.patch new file mode 100644 index 00000000..a1ceb698 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/353944.patch @@ -0,0 +1,76 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jing Ji +Date: Thu, 4 Aug 2022 11:36:26 -0700 +Subject: [PATCH] DO NOT MERGE: Context#startInstrumentation could be started + from SHELL only now. + +Or, if an instrumentation starts another instrumentation and so on, +and the original instrumentation is started from SHELL, allow all +Context#startInstrumentation calls in this chain. + +Otherwise, it'll throw a SecurityException. + +Bug: 237766679 +Test: atest CtsAppTestCases:InstrumentationTest +Merged-In: Ia08f225c21a3933067d066a578ea4af9c23e7d4c +Merged-In: I1b76f61c5fd6c9f7e738978592260945a606f40c +Merged-In: I3ea7aa27bd776fec546908a37f667f680da9c892 +Change-Id: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406 +(cherry picked from commit 8c90891a38ecb5047e115e13baf700a8b486a5d1) +Merged-In: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406 +--- + .../server/am/ActivityManagerService.java | 34 +++++++++++++++++++ + 1 file changed, 34 insertions(+) + +diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java +index bb78408617b8..efbccb3b8f94 100644 +--- a/services/core/java/com/android/server/am/ActivityManagerService.java ++++ b/services/core/java/com/android/server/am/ActivityManagerService.java +@@ -15761,6 +15761,17 @@ public class ActivityManagerService extends IActivityManager.Stub + reportStartInstrumentationFailureLocked(watcher, className, msg); + throw new SecurityException(msg); + } ++ if (!Build.IS_DEBUGGABLE && callingUid != ROOT_UID && callingUid != SHELL_UID ++ && callingUid != SYSTEM_UID && !hasActiveInstrumentationLocked(callingPid)) { ++ // If it's not debug build and not called from root/shell/system uid, reject it. ++ final String msg = "Permission Denial: instrumentation test " ++ + className + " from pid=" + callingPid + ", uid=" + callingUid ++ + ", pkgName=" + getPackageNameByPid(callingPid) ++ + " not allowed because it's not started from SHELL"; ++ Slog.wtfQuiet(TAG, msg); ++ reportStartInstrumentationFailureLocked(watcher, className, msg); ++ throw new SecurityException(msg); ++ } + + ActiveInstrumentation activeInstr = new ActiveInstrumentation(this); + activeInstr.mClass = className; +@@ -15817,6 +15828,29 @@ public class ActivityManagerService extends IActivityManager.Stub + return true; + } + ++ @GuardedBy("this") ++ private boolean hasActiveInstrumentationLocked(int pid) { ++ if (pid == 0) { ++ return false; ++ } ++ synchronized (mPidsSelfLocked) { ++ ProcessRecord process = mPidsSelfLocked.get(pid); ++ return process != null && process.getActiveInstrumentation() != null; ++ } ++ } ++ ++ private String getPackageNameByPid(int pid) { ++ synchronized (mPidsSelfLocked) { ++ final ProcessRecord app = mPidsSelfLocked.get(pid); ++ ++ if (app != null && app.info != null) { ++ return app.info.packageName; ++ } ++ ++ return null; ++ } ++ } ++ + private boolean isCallerShell() { + final int callingUid = Binder.getCallingUid(); + return callingUid == SHELL_UID || callingUid == ROOT_UID; diff --git a/Patches/LineageOS-17.1/android_frameworks_base/353945.patch b/Patches/LineageOS-17.1/android_frameworks_base/353945.patch new file mode 100644 index 00000000..e8183dbd --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/353945.patch @@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kunal Malhotra +Date: Mon, 7 Nov 2022 23:33:55 +0000 +Subject: [PATCH] Checking if package belongs to UID before registering + broadcast receiver + +Test: manual testing done on device by installing test APK and checking if receiver can register +Bug: 242040055 +Change-Id: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d +Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d +(cherry picked from commit 790a8d0dd329460bc60456681cb446accf2a27e0) +(cherry picked from commit 4f0dc37b896e06086391e71ce471e413215e1130) +Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d +--- + services/core/java/com/android/server/am/ActiveServices.java | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/services/core/java/com/android/server/am/ActiveServices.java b/services/core/java/com/android/server/am/ActiveServices.java +index 84702ddfe231..c6d94eb3b408 100644 +--- a/services/core/java/com/android/server/am/ActiveServices.java ++++ b/services/core/java/com/android/server/am/ActiveServices.java +@@ -2186,6 +2186,11 @@ public final class ActiveServices { + throw new SecurityException("BIND_EXTERNAL_SERVICE failed, " + + className + " is not an isolatedProcess"); + } ++ if (AppGlobals.getPackageManager().getPackageUid(callingPackage, ++ 0, userId) != callingUid) { ++ throw new SecurityException("BIND_EXTERNAL_SERVICE failed, " ++ + "calling package not owned by calling UID "); ++ } + // Run the service under the calling package's application. + ApplicationInfo aInfo = AppGlobals.getPackageManager().getApplicationInfo( + callingPackage, ActivityManagerService.STOCK_PM_FLAGS, userId); diff --git a/Patches/LineageOS-17.1/android_frameworks_base/353946.patch b/Patches/LineageOS-17.1/android_frameworks_base/353946.patch new file mode 100644 index 00000000..2c2c9098 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/353946.patch @@ -0,0 +1,71 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hao Ke +Date: Mon, 12 Dec 2022 15:49:16 +0000 +Subject: [PATCH] Fix checkKeyIntentParceledCorrectly's bypass + +The checkKeyIntentParceledCorrectly method was added in checkKeyIntent, which was originaly only invoked when AccountManagerService deserializes the KEY_INTENT value as not NULL. However, due to the self-changing bundle technique in Parcel mismatch problems, the Intent value can change after reparceling; hence would bypass the added checkKeyIntentParceledCorrectly call. + +This CL did the following: + +- Ensure the checkKeyIntent method is also called when result.getParcelable(AccountManager.KEY_INTENT) == null. + +Bug: 260567867 +Bug: 262230405 +Test: local test, see b/262230405 +Test: atest CtsAccountManagerTestCases +Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477 +Change-Id: I7b528f52c41767ae12731838fdd36aa26a8f3477 +(cherry picked from commit 9f623983a8d4ec48d58b0eda56fa461fc6748981) +Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477 +--- + .../server/accounts/AccountManagerService.java | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index 58978a55a32a..b4edf94927b2 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -3434,8 +3434,7 @@ public class AccountManagerService + Bundle.setDefusable(result, true); + mNumResults++; + Intent intent = null; +- if (result != null +- && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { ++ if (result != null) { + if (!checkKeyIntent( + Binder.getCallingUid(), + result)) { +@@ -4800,8 +4799,10 @@ public class AccountManagerService + EventLog.writeEvent(0x534e4554, "250588548", authUid, ""); + return false; + } +- + Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); ++ if (intent == null) { ++ return true; ++ } + // Explicitly set an empty ClipData to ensure that we don't offer to + // promote any Uris contained inside for granting purposes + if (intent.getClipData() == null) { +@@ -4854,7 +4855,10 @@ public class AccountManagerService + p.recycle(); + Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT); + Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT); +- return (intent.filterEquals(simulateIntent)); ++ if (intent == null) { ++ return (simulateIntent == null); ++ } ++ return intent.filterEquals(simulateIntent); + } + + private boolean isExportedSystemActivity(ActivityInfo activityInfo) { +@@ -4999,8 +5003,7 @@ public class AccountManagerService + } + } + } +- if (result != null +- && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { ++ if (result != null) { + if (!checkKeyIntent( + Binder.getCallingUid(), + result)) { diff --git a/Patches/LineageOS-17.1/android_frameworks_base/353947.patch b/Patches/LineageOS-17.1/android_frameworks_base/353947.patch new file mode 100644 index 00000000..9908945c --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/353947.patch @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Winson Chiu +Date: Fri, 6 Jan 2023 21:26:24 +0000 +Subject: [PATCH] Encode Intent scheme when serializing to URI string RESTRICT + AUTOMERGE + +Avoids deserialization error when the scheme contains a +reserved character. + +Bug: 261858325 + +Test: atest android.content.cts.IntentTest#testEncoding + +Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470 +Change-Id: Ic34b3f796b762763db5aa7b5d7c109ae70607470 +(cherry picked from commit 43437b4ee6424933d4e403f0375ef8c1f07986f4) +Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470 +--- + core/java/android/content/Intent.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java +index d7898776965e..72e0fa615b09 100644 +--- a/core/java/android/content/Intent.java ++++ b/core/java/android/content/Intent.java +@@ -10393,7 +10393,7 @@ public class Intent implements Parcelable, Cloneable { + private void toUriInner(StringBuilder uri, String scheme, String defAction, + String defPackage, int flags) { + if (scheme != null) { +- uri.append("scheme=").append(scheme).append(';'); ++ uri.append("scheme=").append(Uri.encode(scheme)).append(';'); + } + if (mAction != null && !mAction.equals(defAction)) { + uri.append("action=").append(Uri.encode(mAction)).append(';'); diff --git a/Patches/LineageOS-17.1/android_frameworks_base/353948-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/353948-backport.patch new file mode 100644 index 00000000..bd346f62 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/353948-backport.patch @@ -0,0 +1,430 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Christophe Pinelli +Date: Tue, 27 Dec 2022 20:29:33 +0000 +Subject: [PATCH] Backport BAL restrictions from S to R, this blocks apps from + using Alarm Manager to bypass BAL restrictions. + +Test: atest BackgroundActivityLaunchTest +Bug: 195756028 +Change-Id: Ifa3f79bc74c10d0ac8322079f2e6e3e0ba476b0f +(cherry picked from commit 1d737c2fbdc71570bbcaca0f44da4ee132fa545f) +Merged-In: Ifa3f79bc74c10d0ac8322079f2e6e3e0ba476b0f +--- + core/java/android/app/ActivityOptions.java | 10 +-- + core/java/android/app/BroadcastOptions.java | 25 +++++- + core/java/android/app/ComponentOptions.java | 84 +++++++++++++++++++ + .../android/server/AlarmManagerService.java | 21 ++++- + .../server/am/PendingIntentRecord.java | 23 ++++- + .../android/server/wm/ActivityStarter.java | 22 +++-- + .../server/wm/ActivityTaskManagerService.java | 2 +- + .../com/android/server/wm/AppTaskImpl.java | 2 +- + 8 files changed, 169 insertions(+), 20 deletions(-) + create mode 100644 core/java/android/app/ComponentOptions.java + +diff --git a/core/java/android/app/ActivityOptions.java b/core/java/android/app/ActivityOptions.java +index 926044bffdd0..36ab62aedc09 100644 +--- a/core/java/android/app/ActivityOptions.java ++++ b/core/java/android/app/ActivityOptions.java +@@ -59,7 +59,7 @@ import java.util.ArrayList; + * {@link android.content.Context#startActivity(android.content.Intent, android.os.Bundle) + * Context.startActivity(Intent, Bundle)} and related methods. + */ +-public class ActivityOptions { ++public class ActivityOptions extends ComponentOptions { + private static final String TAG = "ActivityOptions"; + + /** +@@ -881,13 +881,12 @@ public class ActivityOptions { + } + + private ActivityOptions() { ++ super(); + } + + /** @hide */ + public ActivityOptions(Bundle opts) { +- // If the remote side sent us bad parcelables, they won't get the +- // results they want, which is their loss. +- opts.setDefusable(true); ++ super(opts); + + mPackageName = opts.getString(KEY_PACKAGE_NAME); + try { +@@ -1439,8 +1438,9 @@ public class ActivityOptions { + * object; you must not modify it, but can supply it to the startActivity + * methods that take an options Bundle. + */ ++ @Override + public Bundle toBundle() { +- Bundle b = new Bundle(); ++ Bundle b = super.toBundle(); + if (mPackageName != null) { + b.putString(KEY_PACKAGE_NAME, mPackageName); + } +diff --git a/core/java/android/app/BroadcastOptions.java b/core/java/android/app/BroadcastOptions.java +index 161e2ad06ec0..8947fb44b07b 100644 +--- a/core/java/android/app/BroadcastOptions.java ++++ b/core/java/android/app/BroadcastOptions.java +@@ -28,7 +28,7 @@ import android.os.Bundle; + * {@hide} + */ + @SystemApi +-public class BroadcastOptions { ++public class BroadcastOptions extends ComponentOptions { + private long mTemporaryAppWhitelistDuration; + private int mMinManifestReceiverApiLevel = 0; + private int mMaxManifestReceiverApiLevel = Build.VERSION_CODES.CUR_DEVELOPMENT; +@@ -72,10 +72,12 @@ public class BroadcastOptions { + } + + private BroadcastOptions() { ++ super(); + } + + /** @hide */ + public BroadcastOptions(Bundle opts) { ++ super(opts); + mTemporaryAppWhitelistDuration = opts.getLong(KEY_TEMPORARY_APP_WHITELIST_DURATION); + mMinManifestReceiverApiLevel = opts.getInt(KEY_MIN_MANIFEST_RECEIVER_API_LEVEL, 0); + mMaxManifestReceiverApiLevel = opts.getInt(KEY_MAX_MANIFEST_RECEIVER_API_LEVEL, +@@ -173,6 +175,24 @@ public class BroadcastOptions { + return mAllowBackgroundActivityStarts; + } + ++ /** ++ * Set PendingIntent activity is allowed to be started in the background if the caller ++ * can start background activities. ++ * @hide ++ */ ++ public void setPendingIntentBackgroundActivityLaunchAllowed(boolean allowed) { ++ super.setPendingIntentBackgroundActivityLaunchAllowed(allowed); ++ } ++ ++ /** ++ * Get PendingIntent activity is allowed to be started in the background if the caller ++ * can start background activities. ++ * @hide ++ */ ++ public boolean isPendingIntentBackgroundActivityLaunchAllowed() { ++ return super.isPendingIntentBackgroundActivityLaunchAllowed(); ++ } ++ + /** + * Returns the created options as a Bundle, which can be passed to + * {@link android.content.Context#sendBroadcast(android.content.Intent) +@@ -181,8 +201,9 @@ public class BroadcastOptions { + * object; you must not modify it, but can supply it to the sendBroadcast + * methods that take an options Bundle. + */ ++ @Override + public Bundle toBundle() { +- Bundle b = new Bundle(); ++ Bundle b = super.toBundle(); + if (mTemporaryAppWhitelistDuration > 0) { + b.putLong(KEY_TEMPORARY_APP_WHITELIST_DURATION, mTemporaryAppWhitelistDuration); + } +diff --git a/core/java/android/app/ComponentOptions.java b/core/java/android/app/ComponentOptions.java +new file mode 100644 +index 000000000000..34ee9138a364 +--- /dev/null ++++ b/core/java/android/app/ComponentOptions.java +@@ -0,0 +1,84 @@ ++/* ++ * Copyright (C) 2022 The Android Open Source Project ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++package android.app; ++ ++import android.os.Bundle; ++ ++/** ++ * @hide ++ */ ++public class ComponentOptions { ++ ++ /** ++ * Default value for KEY_PENDING_INTENT_BACKGROUND_ACTIVITY_ALLOWED. ++ * @hide ++ **/ ++ public static final boolean PENDING_INTENT_BAL_ALLOWED_DEFAULT = true; ++ ++ /** ++ * PendingIntent caller allows activity start even if PendingIntent creator is in background. ++ * This only works if the PendingIntent caller is allowed to start background activities, ++ * for example if it's in the foreground, or has BAL permission. ++ * @hide ++ */ ++ public static final String KEY_PENDING_INTENT_BACKGROUND_ACTIVITY_ALLOWED = ++ "android.pendingIntent.backgroundActivityAllowed"; ++ ++ private boolean mPendingIntentBalAllowed = PENDING_INTENT_BAL_ALLOWED_DEFAULT; ++ ++ ComponentOptions() { ++ } ++ ++ ComponentOptions(Bundle opts) { ++ // If the remote side sent us bad parcelables, they won't get the ++ // results they want, which is their loss. ++ opts.setDefusable(true); ++ setPendingIntentBackgroundActivityLaunchAllowed( ++ opts.getBoolean(KEY_PENDING_INTENT_BACKGROUND_ACTIVITY_ALLOWED, ++ PENDING_INTENT_BAL_ALLOWED_DEFAULT)); ++ } ++ ++ /** ++ * Set PendingIntent activity is allowed to be started in the background if the caller ++ * can start background activities. ++ * ++ * @hide ++ */ ++ public void setPendingIntentBackgroundActivityLaunchAllowed(boolean allowed) { ++ mPendingIntentBalAllowed = allowed; ++ } ++ ++ /** ++ * Get PendingIntent activity is allowed to be started in the background if the caller ++ * can start background activities. ++ * ++ * @hide ++ */ ++ public boolean isPendingIntentBackgroundActivityLaunchAllowed() { ++ return mPendingIntentBalAllowed; ++ } ++ ++ /** ++ * @hide ++ */ ++ public Bundle toBundle() { ++ Bundle bundle = new Bundle(); ++ bundle.putBoolean(KEY_PENDING_INTENT_BACKGROUND_ACTIVITY_ALLOWED, ++ mPendingIntentBalAllowed); ++ return bundle; ++ } ++} +diff --git a/services/core/java/com/android/server/AlarmManagerService.java b/services/core/java/com/android/server/AlarmManagerService.java +index a65603cb4020..d82b435b4612 100644 +--- a/services/core/java/com/android/server/AlarmManagerService.java ++++ b/services/core/java/com/android/server/AlarmManagerService.java +@@ -26,6 +26,7 @@ import static android.app.AlarmManager.RTC_WAKEUP; + import android.annotation.UserIdInt; + import android.app.Activity; + import android.app.ActivityManager; ++import android.app.ActivityOptions; + import android.app.AlarmManager; + import android.app.AppOpsManager; + import android.app.BroadcastOptions; +@@ -272,6 +273,8 @@ class AlarmManagerService extends SystemService { + * Broadcast options to use for FLAG_ALLOW_WHILE_IDLE. + */ + Bundle mIdleOptions; ++ ActivityOptions mActivityOptsRestrictBal = ActivityOptions.makeBasic(); ++ BroadcastOptions mBroadcastOptsRestrictBal = BroadcastOptions.makeBasic(); + + private final SparseArray mNextAlarmClockForUser = + new SparseArray<>(); +@@ -497,6 +500,7 @@ class AlarmManagerService extends SystemService { + mLastAllowWhileIdleWhitelistDuration = ALLOW_WHILE_IDLE_WHITELIST_DURATION; + BroadcastOptions opts = BroadcastOptions.makeBasic(); + opts.setTemporaryAppWhitelistDuration(ALLOW_WHILE_IDLE_WHITELIST_DURATION); ++ opts.setPendingIntentBackgroundActivityLaunchAllowed(false); + mIdleOptions = opts.toBundle(); + } + } +@@ -1495,6 +1499,8 @@ class AlarmManagerService extends SystemService { + @Override + public void onStart() { + mInjector.init(); ++ mActivityOptsRestrictBal.setPendingIntentBackgroundActivityLaunchAllowed(false); ++ mBroadcastOptsRestrictBal.setPendingIntentBackgroundActivityLaunchAllowed(false); + + synchronized (mLock) { + mHandler = new AlarmHandler(); +@@ -4143,6 +4149,13 @@ class AlarmManagerService extends SystemService { + return alarm.creatorUid; + } + ++ private Bundle getAlarmOperationBundle(Alarm alarm) { ++ if (alarm.operation.isActivity()) { ++ return mActivityOptsRestrictBal.toBundle(); ++ } ++ return mBroadcastOptsRestrictBal.toBundle(); ++ } ++ + @VisibleForTesting + class AlarmHandler extends Handler { + public static final int ALARM_EVENT = 1; +@@ -4181,7 +4194,11 @@ class AlarmManagerService extends SystemService { + for (int i=0; i 0) { + // This IntentSender is no longer valid, but this +@@ -4696,7 +4713,7 @@ class AlarmManagerService extends SystemService { + mBackgroundIntent.putExtra( + Intent.EXTRA_ALARM_COUNT, alarm.count), + mDeliveryTracker, mHandler, null, +- allowWhileIdle ? mIdleOptions : null); ++ allowWhileIdle ? mIdleOptions : getAlarmOperationBundle(alarm)); + } catch (PendingIntent.CanceledException e) { + if (alarm.repeatInterval > 0) { + // This IntentSender is no longer valid, but this +diff --git a/services/core/java/com/android/server/am/PendingIntentRecord.java b/services/core/java/com/android/server/am/PendingIntentRecord.java +index 54504c3c1e24..20d87e6882ac 100644 +--- a/services/core/java/com/android/server/am/PendingIntentRecord.java ++++ b/services/core/java/com/android/server/am/PendingIntentRecord.java +@@ -20,6 +20,7 @@ import static android.app.ActivityManager.START_SUCCESS; + import static com.android.server.am.ActivityManagerDebugConfig.TAG_AM; + import static com.android.server.am.ActivityManagerDebugConfig.TAG_WITH_CLASS_NAME; + ++import android.annotation.Nullable; + import android.app.ActivityManager; + import android.app.ActivityOptions; + import android.content.IIntentSender; +@@ -277,6 +278,25 @@ public final class PendingIntentRecord extends IIntentSender.Stub { + requiredPermission, null, null, 0, 0, 0, options); + } + ++ /** ++ * Return true if the activity options allows PendingIntent to use caller's BAL permission. ++ */ ++ public static boolean isPendingIntentBalAllowedByCaller( ++ @Nullable ActivityOptions activityOptions) { ++ if (activityOptions == null) { ++ return ActivityOptions.PENDING_INTENT_BAL_ALLOWED_DEFAULT; ++ } ++ return isPendingIntentBalAllowedByCaller(activityOptions.toBundle()); ++ } ++ ++ private static boolean isPendingIntentBalAllowedByCaller(@Nullable Bundle options) { ++ if (options == null) { ++ return ActivityOptions.PENDING_INTENT_BAL_ALLOWED_DEFAULT; ++ } ++ return options.getBoolean(ActivityOptions.KEY_PENDING_INTENT_BACKGROUND_ACTIVITY_ALLOWED, ++ ActivityOptions.PENDING_INTENT_BAL_ALLOWED_DEFAULT); ++ } ++ + public int sendInner(int code, Intent intent, String resolvedType, IBinder whitelistToken, + IIntentReceiver finishedReceiver, String requiredPermission, IBinder resultTo, + String resultWho, int requestCode, int flagsMask, int flagsValues, Bundle options) { +@@ -389,7 +409,8 @@ public final class PendingIntentRecord extends IIntentSender.Stub { + // temporarily allow receivers and services to open activities from background if the + // PendingIntent.send() caller was foreground at the time of sendInner() call + final boolean allowTrampoline = uid != callingUid +- && controller.mAtmInternal.isUidForeground(callingUid); ++ && controller.mAtmInternal.isUidForeground(callingUid) ++ && isPendingIntentBalAllowedByCaller(options); + + // note: we on purpose don't pass in the information about the PendingIntent's creator, + // like pid or ProcessRecord, to the ActivityTaskManagerInternal calls below, because +diff --git a/services/core/java/com/android/server/wm/ActivityStarter.java b/services/core/java/com/android/server/wm/ActivityStarter.java +index f37698de34d5..44fef5427cc3 100644 +--- a/services/core/java/com/android/server/wm/ActivityStarter.java ++++ b/services/core/java/com/android/server/wm/ActivityStarter.java +@@ -767,6 +767,10 @@ class ActivityStarter { + abort |= !mService.getPermissionPolicyInternal().checkStartActivity(intent, callingUid, + callingPackage); + ++ // Merge the two options bundles, while realCallerOptions takes precedence. ++ ActivityOptions checkedOptions = options != null ++ ? options.getOptions(intent, aInfo, callerApp, mSupervisor) : null; ++ + boolean restrictedBgActivity = false; + if (!abort) { + try { +@@ -774,15 +778,12 @@ class ActivityStarter { + "shouldAbortBackgroundActivityStart"); + restrictedBgActivity = shouldAbortBackgroundActivityStart(callingUid, + callingPid, callingPackage, realCallingUid, realCallingPid, callerApp, +- originatingPendingIntent, allowBackgroundActivityStart, intent); ++ originatingPendingIntent, allowBackgroundActivityStart, intent, checkedOptions); + } finally { + Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER); + } + } + +- // Merge the two options bundles, while realCallerOptions takes precedence. +- ActivityOptions checkedOptions = options != null +- ? options.getOptions(intent, aInfo, callerApp, mSupervisor) : null; + if (allowPendingRemoteAnimationRegistryLookup) { + checkedOptions = mService.getActivityStartController() + .getPendingRemoteAnimationRegistry() +@@ -941,7 +942,7 @@ class ActivityStarter { + boolean shouldAbortBackgroundActivityStart(int callingUid, int callingPid, + final String callingPackage, int realCallingUid, int realCallingPid, + WindowProcessController callerApp, PendingIntentRecord originatingPendingIntent, +- boolean allowBackgroundActivityStart, Intent intent) { ++ boolean allowBackgroundActivityStart, Intent intent, ActivityOptions checkedOptions) { + // don't abort for the most important UIDs + final int callingAppId = UserHandle.getAppId(callingUid); + if (callingUid == Process.ROOT_UID || callingAppId == Process.SYSTEM_UID +@@ -976,7 +977,11 @@ class ActivityStarter { + ? isCallingUidPersistentSystemProcess + : (realCallingAppId == Process.SYSTEM_UID) + || realCallingUidProcState <= ActivityManager.PROCESS_STATE_PERSISTENT_UI; +- if (realCallingUid != callingUid) { ++ // Legacy behavior allows to use caller foreground state to bypass BAL restriction. ++ final boolean balAllowedByPiSender = ++ PendingIntentRecord.isPendingIntentBalAllowedByCaller(checkedOptions); ++ ++ if (balAllowedByPiSender && realCallingUid != callingUid) { + // don't abort if the realCallingUid has a visible window + if (realCallingUidHasAnyVisibleWindow) { + return false; +@@ -1013,9 +1018,10 @@ class ActivityStarter { + // If we don't have callerApp at this point, no caller was provided to startActivity(). + // That's the case for PendingIntent-based starts, since the creator's process might not be + // up and alive. If that's the case, we retrieve the WindowProcessController for the send() +- // caller, so that we can make the decision based on its foreground/whitelisted state. ++ // caller if caller allows, so that we can make the decision ++ // based on its foreground/whitelisted state. + int callerAppUid = callingUid; +- if (callerApp == null) { ++ if (callerApp == null && balAllowedByPiSender) { + callerApp = mService.getProcessController(realCallingPid, realCallingUid); + callerAppUid = realCallingUid; + } +diff --git a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java +index 5e2626b9a7dd..d0dad0a23729 100644 +--- a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java ++++ b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java +@@ -2398,7 +2398,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { + final ActivityStarter starter = getActivityStartController().obtainStarter( + null /* intent */, "moveTaskToFront"); + if (starter.shouldAbortBackgroundActivityStart(callingUid, callingPid, callingPackage, -1, +- -1, callerApp, null, false, null)) { ++ -1, callerApp, null, false, null, null)) { + if (!isBackgroundActivityStartsEnabled()) { + return; + } +diff --git a/services/core/java/com/android/server/wm/AppTaskImpl.java b/services/core/java/com/android/server/wm/AppTaskImpl.java +index 1eb7455135c7..f221c3a4573f 100644 +--- a/services/core/java/com/android/server/wm/AppTaskImpl.java ++++ b/services/core/java/com/android/server/wm/AppTaskImpl.java +@@ -117,7 +117,7 @@ class AppTaskImpl extends IAppTask.Stub { + final ActivityStarter starter = mService.getActivityStartController().obtainStarter( + null /* intent */, "moveToFront"); + if (starter.shouldAbortBackgroundActivityStart(callingUid, callingPid, +- callingPackage, -1, -1, callerApp, null, false, null)) { ++ callingPackage, -1, -1, callerApp, null, false, null, null)) { + if (!mService.isBackgroundActivityStartsEnabled()) { + return; + } diff --git a/Patches/LineageOS-17.1/android_frameworks_base/353950-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/353950-backport.patch new file mode 100644 index 00000000..f65a8dc1 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/353950-backport.patch @@ -0,0 +1,134 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Julia Reynolds +Date: Tue, 18 Jan 2022 11:59:54 -0500 +Subject: [PATCH] Add a limit on channel group creation + +Same as exists for channels + +This is a backport of the fix in ag/16659457, including the adjustment from ag/20920023 (changed the max value from 50000 to 6000). + +Test: PreferencesHelperTest +Bug: 210114537 +Bug: 261723753 +Change-Id: Ic27efba4c54e22eebca16fc948879e652df4467b +(cherry picked from commit 37b3549807d15452ac334fae316e615c3b9b8e8b & I3f3a99765c161369e1b026686a0e5f0c83ed839e) +Merged-In: I3f3a99765c161369e1b026686a0e5f0c83ed839e +Merged-In: Ic27efba4c54e22eebca16fc948879e652df4467b +(cherry picked from commit 0f29716ab6fbf236e5d8f688bcdfdadf32429545) +Merged-In: Ic27efba4c54e22eebca16fc948879e652df4467b +--- + .../notification/PreferencesHelper.java | 16 ++++++- + .../notification/PreferencesHelperTest.java | 47 +++++++++++++++++++ + 2 files changed, 62 insertions(+), 1 deletion(-) + +diff --git a/services/core/java/com/android/server/notification/PreferencesHelper.java b/services/core/java/com/android/server/notification/PreferencesHelper.java +index d4ba51cc3146..1a3779f7c607 100644 +--- a/services/core/java/com/android/server/notification/PreferencesHelper.java ++++ b/services/core/java/com/android/server/notification/PreferencesHelper.java +@@ -73,7 +73,9 @@ public class PreferencesHelper implements RankingConfig { + private static final String NON_BLOCKABLE_CHANNEL_DELIM = ":"; + + @VisibleForTesting +- static final int NOTIFICATION_CHANNEL_COUNT_LIMIT = 50000; ++ static final int NOTIFICATION_CHANNEL_COUNT_LIMIT = 5000; ++ @VisibleForTesting ++ static final int NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT = 6000; + + @VisibleForTesting + static final String TAG_RANKING = "ranking"; +@@ -184,6 +186,7 @@ public class PreferencesHelper implements RankingConfig { + } + } + boolean skipWarningLogged = false; ++ boolean skipGroupWarningLogged = false; + + PackagePreferences r = getOrCreatePackagePreferencesLocked(name, uid, + XmlUtils.readIntAttribute( +@@ -220,6 +223,14 @@ public class PreferencesHelper implements RankingConfig { + String tagName = parser.getName(); + // Channel groups + if (TAG_GROUP.equals(tagName)) { ++ if (r.groups.size() >= NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT) { ++ if (!skipGroupWarningLogged) { ++ Slog.w(TAG, "Skipping further groups for " + r.pkg ++ + "; app has too many"); ++ skipGroupWarningLogged = true; ++ } ++ continue; ++ } + String id = parser.getAttributeValue(null, ATT_ID); + CharSequence groupName = parser.getAttributeValue(null, + ATT_NAME); +@@ -610,6 +621,9 @@ public class PreferencesHelper implements RankingConfig { + } + if (fromTargetApp) { + group.setBlocked(false); ++ if (r.groups.size() >= NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT) { ++ throw new IllegalStateException("Limit exceed; cannot create more groups"); ++ } + } + final NotificationChannelGroup oldGroup = r.groups.get(group.getId()); + if (!group.equals(oldGroup)) { +diff --git a/services/tests/uiservicestests/src/com/android/server/notification/PreferencesHelperTest.java b/services/tests/uiservicestests/src/com/android/server/notification/PreferencesHelperTest.java +index 2cede07de257..dfb62999be5f 100644 +--- a/services/tests/uiservicestests/src/com/android/server/notification/PreferencesHelperTest.java ++++ b/services/tests/uiservicestests/src/com/android/server/notification/PreferencesHelperTest.java +@@ -23,6 +23,7 @@ import static android.app.NotificationManager.IMPORTANCE_NONE; + import static android.app.NotificationManager.IMPORTANCE_UNSPECIFIED; + + import static com.android.server.notification.PreferencesHelper.NOTIFICATION_CHANNEL_COUNT_LIMIT; ++import static com.android.server.notification.PreferencesHelper.NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT; + + import static junit.framework.Assert.assertNull; + import static junit.framework.Assert.fail; +@@ -2729,4 +2730,50 @@ public class PreferencesHelperTest extends UiServiceTestCase { + assertNull(mHelper.getNotificationChannel(PKG_O, UID_O, extraChannel, true)); + assertNull(mHelper.getNotificationChannel(PKG_O, UID_O, extraChannel1, true)); + } ++ ++ @Test ++ public void testTooManyGroups() { ++ for (int i = 0; i < NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT; i++) { ++ NotificationChannelGroup group = new NotificationChannelGroup(String.valueOf(i), ++ String.valueOf(i)); ++ mHelper.createNotificationChannelGroup(PKG_O, UID_O, group, true); ++ } ++ try { ++ NotificationChannelGroup group = new NotificationChannelGroup( ++ String.valueOf(NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT), ++ String.valueOf(NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT)); ++ mHelper.createNotificationChannelGroup(PKG_O, UID_O, group, true); ++ fail("Allowed to create too many notification channel groups"); ++ } catch (IllegalStateException e) { ++ // great ++ } ++ } ++ ++ @Test ++ public void testTooManyGroups_xml() throws Exception { ++ String extraGroup = "EXTRA"; ++ String extraGroup1 = "EXTRA1"; ++ ++ // create first... many... directly so we don't need a big xml blob in this test ++ for (int i = 0; i < NOTIFICATION_CHANNEL_GROUP_COUNT_LIMIT; i++) { ++ NotificationChannelGroup group = new NotificationChannelGroup(String.valueOf(i), ++ String.valueOf(i)); ++ mHelper.createNotificationChannelGroup(PKG_O, UID_O, group, true); ++ } ++ ++ final String xml = "\n" ++ + "\n" ++ + "" ++ + "" ++ + "" ++ + ""; ++ XmlPullParser parser = Xml.newPullParser(); ++ parser.setInput(new BufferedInputStream(new ByteArrayInputStream(xml.getBytes())), ++ null); ++ parser.nextTag(); ++ mHelper.readXml(parser, false, UserHandle.USER_ALL); ++ ++ assertNull(mHelper.getNotificationChannelGroup(extraGroup, PKG_O, UID_O)); ++ assertNull(mHelper.getNotificationChannelGroup(extraGroup1, PKG_O, UID_O)); ++ } + } diff --git a/Patches/LineageOS-17.1/android_frameworks_base/353951-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/353951-backport.patch new file mode 100644 index 00000000..4a741e92 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/353951-backport.patch @@ -0,0 +1,217 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Rhed Jao +Date: Wed, 11 Jan 2023 16:02:27 +0800 +Subject: [PATCH] Fix bypass BG-FGS and BAL via package manager APIs + +Opt-in for BAL of PendingIntent for following APIs: + +* PackageInstaller.uninstall() +* PackageInstaller.installExistingPackage() +* PackageInstaller.uninstallExistingPackage() +* PackageInstaller.Session.commit() +* PackageInstaller.Session.commitTransferred() +* PackageManager.freeStorage() + +Bug: 230492955 +Bug: 243377226 +Test: atest android.security.cts.PackageInstallerTest +Test: atest CtsStagedInstallHostTestCases +Change-Id: I9b6f801d69ea6d2244a38dbe689e81afa4e798bf +(cherry picked from commit b0b1ddb4b4ba5db27f5616b02ae2cdca8b63496f) +Merged-In: I9b6f801d69ea6d2244a38dbe689e81afa4e798bf +--- + core/java/android/content/IntentSender.java | 42 ++++++++++++++++++- + .../server/pm/PackageInstallerService.java | 11 ++++- + .../server/pm/PackageInstallerSession.java | 19 +++++++-- + .../server/pm/PackageManagerService.java | 10 ++++- + 4 files changed, 73 insertions(+), 9 deletions(-) + +diff --git a/core/java/android/content/IntentSender.java b/core/java/android/content/IntentSender.java +index ec0bac486c65..0ef0a71fffe0 100644 +--- a/core/java/android/content/IntentSender.java ++++ b/core/java/android/content/IntentSender.java +@@ -16,8 +16,10 @@ + + package android.content; + ++import android.annotation.Nullable; + import android.annotation.UnsupportedAppUsage; + import android.app.ActivityManager; ++import android.app.ActivityOptions; + import android.os.Bundle; + import android.os.RemoteException; + import android.os.Handler; +@@ -154,7 +156,7 @@ public class IntentSender implements Parcelable { + */ + public void sendIntent(Context context, int code, Intent intent, + OnFinished onFinished, Handler handler) throws SendIntentException { +- sendIntent(context, code, intent, onFinished, handler, null); ++ sendIntent(context, code, intent, onFinished, handler, null, null /* options */); + } + + /** +@@ -186,6 +188,42 @@ public class IntentSender implements Parcelable { + public void sendIntent(Context context, int code, Intent intent, + OnFinished onFinished, Handler handler, String requiredPermission) + throws SendIntentException { ++ sendIntent(context, code, intent, onFinished, handler, requiredPermission, ++ null /* options */); ++ } ++ ++ /** ++ * Perform the operation associated with this IntentSender, allowing the ++ * caller to specify information about the Intent to use and be notified ++ * when the send has completed. ++ * ++ * @param context The Context of the caller. This may be null if ++ * intent is also null. ++ * @param code Result code to supply back to the IntentSender's target. ++ * @param intent Additional Intent data. See {@link Intent#fillIn ++ * Intent.fillIn()} for information on how this is applied to the ++ * original Intent. Use null to not modify the original Intent. ++ * @param onFinished The object to call back on when the send has ++ * completed, or null for no callback. ++ * @param handler Handler identifying the thread on which the callback ++ * should happen. If null, the callback will happen from the thread ++ * pool of the process. ++ * @param requiredPermission Name of permission that a recipient of the PendingIntent ++ * is required to hold. This is only valid for broadcast intents, and ++ * corresponds to the permission argument in ++ * {@link Context#sendBroadcast(Intent, String) Context.sendOrderedBroadcast(Intent, String)}. ++ * If null, no permission is required. ++ * @param options Additional options the caller would like to provide to modify the sending ++ * behavior. May be built from an {@link ActivityOptions} to apply to an activity start. ++ * ++ * @throws SendIntentException Throws CanceledIntentException if the IntentSender ++ * is no longer allowing more intents to be sent through it. ++ * @hide ++ */ ++ public void sendIntent(Context context, int code, Intent intent, ++ OnFinished onFinished, Handler handler, String requiredPermission, ++ @Nullable Bundle options) ++ throws SendIntentException { + try { + String resolvedType = intent != null ? + intent.resolveTypeIfNeeded(context.getContentResolver()) +@@ -195,7 +233,7 @@ public class IntentSender implements Parcelable { + onFinished != null + ? new FinishedDispatcher(this, onFinished, handler) + : null, +- requiredPermission, null); ++ requiredPermission, options); + if (res < 0) { + throw new SendIntentException(); + } +diff --git a/services/core/java/com/android/server/pm/PackageInstallerService.java b/services/core/java/com/android/server/pm/PackageInstallerService.java +index c73f489cb143..ee0cd1f2ea23 100644 +--- a/services/core/java/com/android/server/pm/PackageInstallerService.java ++++ b/services/core/java/com/android/server/pm/PackageInstallerService.java +@@ -23,6 +23,7 @@ import android.Manifest; + import android.app.ActivityManager; + import android.app.AppGlobals; + import android.app.AppOpsManager; ++import android.app.BroadcastOptions; + import android.app.Notification; + import android.app.NotificationManager; + import android.app.PackageDeleteObserver; +@@ -1046,7 +1047,10 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements + PackageManager.deleteStatusToString(returnCode, msg)); + fillIn.putExtra(PackageInstaller.EXTRA_LEGACY_STATUS, returnCode); + try { +- mTarget.sendIntent(mContext, 0, fillIn, null, null); ++ final BroadcastOptions options = BroadcastOptions.makeBasic(); ++ options.setPendingIntentBackgroundActivityLaunchAllowed(false); ++ mTarget.sendIntent(mContext, 0, fillIn, null /* onFinished*/, ++ null /* handler */, null /* requiredPermission */, options.toBundle()); + } catch (SendIntentException ignored) { + } + } +@@ -1076,7 +1080,10 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements + PackageInstaller.STATUS_PENDING_USER_ACTION); + fillIn.putExtra(Intent.EXTRA_INTENT, intent); + try { +- mTarget.sendIntent(mContext, 0, fillIn, null, null); ++ final BroadcastOptions options = BroadcastOptions.makeBasic(); ++ options.setPendingIntentBackgroundActivityLaunchAllowed(false); ++ mTarget.sendIntent(mContext, 0, fillIn, null /* onFinished*/, ++ null /* handler */, null /* requiredPermission */, options.toBundle()); + } catch (SendIntentException ignored) { + } + } +diff --git a/services/core/java/com/android/server/pm/PackageInstallerSession.java b/services/core/java/com/android/server/pm/PackageInstallerSession.java +index 5a880cb5fa52..b03f06ffd859 100644 +--- a/services/core/java/com/android/server/pm/PackageInstallerSession.java ++++ b/services/core/java/com/android/server/pm/PackageInstallerSession.java +@@ -46,6 +46,7 @@ import android.annotation.NonNull; + import android.annotation.Nullable; + import android.app.admin.DevicePolicyEventLogger; + import android.app.admin.DevicePolicyManagerInternal; ++import android.app.BroadcastOptions; + import android.content.Context; + import android.content.IIntentReceiver; + import android.content.IIntentSender; +@@ -960,13 +961,21 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub { + try { + intent.putExtra(PackageInstaller.EXTRA_SESSION_ID, + PackageInstallerSession.this.sessionId); +- mStatusReceiver.sendIntent(mContext, 0, intent, null, null); ++ final BroadcastOptions options = BroadcastOptions.makeBasic(); ++ options.setPendingIntentBackgroundActivityLaunchAllowed(false); ++ mStatusReceiver.sendIntent(mContext, 0, intent, ++ null /* onFinished*/, null /* handler */, ++ null /* requiredPermission */, options.toBundle()); + } catch (IntentSender.SendIntentException ignore) { + } + } + } else if (PackageInstaller.STATUS_PENDING_USER_ACTION == status) { + try { +- mStatusReceiver.sendIntent(mContext, 0, intent, null, null); ++ final BroadcastOptions options = BroadcastOptions.makeBasic(); ++ options.setPendingIntentBackgroundActivityLaunchAllowed(false); ++ mStatusReceiver.sendIntent(mContext, 0, intent, ++ null /* onFinished*/, null /* handler */, ++ null /* requiredPermission */, options.toBundle()); + } catch (IntentSender.SendIntentException ignore) { + } + } else { +@@ -974,7 +983,11 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub { + PackageInstallerSession.this.sessionId); + mChildSessionsRemaining.clear(); // we're done. Don't send any more. + try { +- mStatusReceiver.sendIntent(mContext, 0, intent, null, null); ++ final BroadcastOptions options = BroadcastOptions.makeBasic(); ++ options.setPendingIntentBackgroundActivityLaunchAllowed(false); ++ mStatusReceiver.sendIntent(mContext, 0, intent, ++ null /* onFinished*/, null /* handler */, ++ null /* requiredPermission */, options.toBundle()); + } catch (IntentSender.SendIntentException ignore) { + } + } +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index 1bd1396c6d45..ef97d61d26d7 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -4893,7 +4893,10 @@ public class PackageManagerService extends IPackageManager.Stub + } + if (pi != null) { + try { +- pi.sendIntent(null, success ? 1 : 0, null, null, null); ++ final BroadcastOptions options = BroadcastOptions.makeBasic(); ++ options.setPendingIntentBackgroundActivityLaunchAllowed(false); ++ pi.sendIntent(null, success ? 1 : 0, null /* intent */, null /* onFinished*/, ++ null /* handler */, null /* requiredPermission */, options.toBundle()); + } catch (SendIntentException e) { + Slog.w(TAG, e); + } +@@ -13738,7 +13741,10 @@ public class PackageManagerService extends IPackageManager.Stub + fillIn.putExtra(PackageInstaller.EXTRA_STATUS, + PackageManager.installStatusToPublicStatus(returnCode)); + try { +- target.sendIntent(context, 0, fillIn, null, null); ++ final BroadcastOptions options = BroadcastOptions.makeBasic(); ++ options.setPendingIntentBackgroundActivityLaunchAllowed(false); ++ target.sendIntent(context, 0, fillIn, null /* onFinished*/, ++ null /* handler */, null /* requiredPermission */, options.toBundle()); + } catch (SendIntentException ignored) { + } + } diff --git a/Patches/LineageOS-17.1/android_frameworks_native/353953-backport.patch b/Patches/LineageOS-17.1/android_frameworks_native/353953-backport.patch new file mode 100644 index 00000000..0fb70ca6 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_native/353953-backport.patch @@ -0,0 +1,138 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Sally Qi +Date: Wed, 5 Oct 2022 11:42:30 -0700 +Subject: [PATCH] Mitigate the security vulnerability by sanitizing the + transaction flags. + +- This is part of fix of commit + Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df for backporting. +- Part of commit Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df which + sanitizes the transaction flags from DisplayState instead. +- In rvc, we only have ACCESS_SURFACE_FLINGER permission check passed as + `privileged` argument in SF::applyTransactionState. We can directly + utilize it for sanitization in DiaplyState. +- In rvc code base, SF::setTransactionState pass a const array of + displayState objects and then call SF::applyTransactionState. To + successfully sanitize the flags for each displayState object, we + convert this const array into non-const one before calling + SF::applyTransactionState. + +Bug: 248031255 +Test: test using displaytoken app manually on the phone, test shell +screenrecord during using displaytoken; atest +android.hardware.camera2.cts.FastBasicsTest + +Change-Id: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df +Merged-In: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df +(cherry picked from commit 03d4458ea0cb00c28f695d99aae5e4c6b15fc237) +Merged-In: Id9d9012d4ede9c8330f0ce1096bcb78e51b7c5df +--- + libs/gui/LayerState.cpp | 21 +++++++++++++++++++++ + libs/gui/include/gui/LayerState.h | 1 + + services/surfaceflinger/SurfaceFlinger.cpp | 14 ++++++++++---- + services/surfaceflinger/SurfaceFlinger.h | 5 ++--- + 4 files changed, 34 insertions(+), 7 deletions(-) + +diff --git a/libs/gui/LayerState.cpp b/libs/gui/LayerState.cpp +index 6066421faf..293f042de2 100644 +--- a/libs/gui/LayerState.cpp ++++ b/libs/gui/LayerState.cpp +@@ -237,6 +237,27 @@ void DisplayState::merge(const DisplayState& other) { + } + } + ++void DisplayState::sanitize(bool privileged) { ++ if (what & DisplayState::eLayerStackChanged) { ++ if (!privileged) { ++ what &= ~DisplayState::eLayerStackChanged; ++ ALOGE("Stripped attempt to set eLayerStackChanged in sanitize"); ++ } ++ } ++ if (what & DisplayState::eDisplayProjectionChanged) { ++ if (!privileged) { ++ what &= ~DisplayState::eDisplayProjectionChanged; ++ ALOGE("Stripped attempt to set eDisplayProjectionChanged in sanitize"); ++ } ++ } ++ if (what & DisplayState::eSurfaceChanged) { ++ if (!privileged) { ++ what &= ~DisplayState::eSurfaceChanged; ++ ALOGE("Stripped attempt to set eSurfaceChanged in sanitize"); ++ } ++ } ++} ++ + void layer_state_t::merge(const layer_state_t& other) { + if (other.what & ePositionChanged) { + what |= ePositionChanged; +diff --git a/libs/gui/include/gui/LayerState.h b/libs/gui/include/gui/LayerState.h +index f438eb3d01..8a07602e41 100644 +--- a/libs/gui/include/gui/LayerState.h ++++ b/libs/gui/include/gui/LayerState.h +@@ -231,6 +231,7 @@ struct DisplayState { + + DisplayState(); + void merge(const DisplayState& other); ++ void sanitize(bool privileged); + + uint32_t what; + sp token; +diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp +index db26808cc2..21e9e8eb96 100644 +--- a/services/surfaceflinger/SurfaceFlinger.cpp ++++ b/services/surfaceflinger/SurfaceFlinger.cpp +@@ -3675,7 +3675,7 @@ bool SurfaceFlinger::flushTransactionQueues() { + auto& [applyToken, transactionQueue] = *it; + + while (!transactionQueue.empty()) { +- const auto& transaction = transactionQueue.front(); ++ auto& transaction = transactionQueue.front(); + if (!transactionIsReadyToBeApplied(transaction.desiredPresentTime, + transaction.states)) { + setTransactionFlags(eTransactionFlushNeeded); +@@ -3794,12 +3794,17 @@ void SurfaceFlinger::setTransactionState(const Vector& states, + return; + } + +- applyTransactionState(states, displays, flags, inputWindowCommands, desiredPresentTime, ++ Vector displaysList; ++ for (auto& d : displays) { ++ displaysList.add(d); ++ } ++ ++ applyTransactionState(states, displaysList, flags, inputWindowCommands, desiredPresentTime, + uncacheBuffer, listenerCallbacks, postTime, privileged); + } + + void SurfaceFlinger::applyTransactionState(const Vector& states, +- const Vector& displays, uint32_t flags, ++ Vector& displays, uint32_t flags, + const InputWindowCommands& inputWindowCommands, + const int64_t desiredPresentTime, + const client_cache_t& uncacheBuffer, +@@ -3824,7 +3829,8 @@ void SurfaceFlinger::applyTransactionState(const Vector& states, + } + } + +- for (const DisplayState& display : displays) { ++ for (DisplayState& display : displays) { ++ display.sanitize(privileged); + transactionFlags |= setDisplayStateLocked(display); + } + +diff --git a/services/surfaceflinger/SurfaceFlinger.h b/services/surfaceflinger/SurfaceFlinger.h +index e58caa63b3..c4578d0dbb 100644 +--- a/services/surfaceflinger/SurfaceFlinger.h ++++ b/services/surfaceflinger/SurfaceFlinger.h +@@ -568,9 +568,8 @@ private: + /* ------------------------------------------------------------------------ + * Transactions + */ +- void applyTransactionState(const Vector& state, +- const Vector& displays, uint32_t flags, +- const InputWindowCommands& inputWindowCommands, ++ void applyTransactionState(const Vector& state, Vector& displays, ++ uint32_t flags, const InputWindowCommands& inputWindowCommands, + const int64_t desiredPresentTime, + const client_cache_t& uncacheBuffer, + const std::vector& listenerCallbacks, diff --git a/Patches/LineageOS-17.1/android_frameworks_opt_net_wifi/0002-Random_MAC.patch b/Patches/LineageOS-17.1/android_frameworks_opt_net_wifi/0002-Random_MAC.patch index 357e8dc3..769f6f7c 100644 --- a/Patches/LineageOS-17.1/android_frameworks_opt_net_wifi/0002-Random_MAC.patch +++ b/Patches/LineageOS-17.1/android_frameworks_opt_net_wifi/0002-Random_MAC.patch @@ -41,7 +41,7 @@ index d91b7f8b8..befc92fb4 100644 configureRandomizedMacAddress(config); } else { diff --git a/service/java/com/android/server/wifi/WifiConfigManager.java b/service/java/com/android/server/wifi/WifiConfigManager.java -index 393a5c395..cb44fb4ab 100644 +index fce5758e1..817fb2958 100644 --- a/service/java/com/android/server/wifi/WifiConfigManager.java +++ b/service/java/com/android/server/wifi/WifiConfigManager.java @@ -1113,7 +1113,13 @@ public class WifiConfigManager { diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/353956.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/353956.patch new file mode 100644 index 00000000..f133290e --- /dev/null +++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/353956.patch @@ -0,0 +1,42 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jack Yu +Date: Thu, 28 Jul 2022 19:42:27 +0800 +Subject: [PATCH] Only primary user is allowed to control secure nfc + +Bug: 238298970 +Test: manual +Merged-In: I945490ef1e62af479a732c9a260ed94bdd8bc313 +Change-Id: I945490ef1e62af479a732c9a260ed94bdd8bc313 +(cherry picked from commit 0e57ff90cdae3575c243d21d490e2b6384d33397) +Merged-In: I945490ef1e62af479a732c9a260ed94bdd8bc313 +--- + src/com/android/settings/nfc/SecureNfcEnabler.java | 2 +- + src/com/android/settings/nfc/SecureNfcPreferenceController.java | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/com/android/settings/nfc/SecureNfcEnabler.java b/src/com/android/settings/nfc/SecureNfcEnabler.java +index f31a382a57..ad5c4ab7e8 100644 +--- a/src/com/android/settings/nfc/SecureNfcEnabler.java ++++ b/src/com/android/settings/nfc/SecureNfcEnabler.java +@@ -61,7 +61,7 @@ public class SecureNfcEnabler extends BaseNfcEnabler { + } + + private boolean isToggleable() { +- if (mUserManager.isGuestUser()) { ++ if (!mUserManager.isPrimaryUser()) { + return false; + } + return true; +diff --git a/src/com/android/settings/nfc/SecureNfcPreferenceController.java b/src/com/android/settings/nfc/SecureNfcPreferenceController.java +index 2ff685e5a0..ab87ddba34 100644 +--- a/src/com/android/settings/nfc/SecureNfcPreferenceController.java ++++ b/src/com/android/settings/nfc/SecureNfcPreferenceController.java +@@ -104,7 +104,7 @@ public class SecureNfcPreferenceController extends TogglePreferenceController + } + + private boolean isToggleable() { +- if (mUserManager.isGuestUser()) { ++ if (!mUserManager.isPrimaryUser()) { + return false; + } + return true; diff --git a/Patches/LineageOS-17.1/android_packages_providers_MediaProvider/353957-backport.patch b/Patches/LineageOS-17.1/android_packages_providers_MediaProvider/353957-backport.patch new file mode 100644 index 00000000..ec7c81f5 --- /dev/null +++ b/Patches/LineageOS-17.1/android_packages_providers_MediaProvider/353957-backport.patch @@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Abhijeet Kaur +Date: Wed, 23 Nov 2022 08:47:27 +0000 +Subject: [PATCH] Canonicalise path before extracting relative path + +This helps us make accurate access checks on the given path. + +Bug: 228833816 +Bug: 228450832 +Test: atest FileUtilsTest +Test: atest LegacyStorageHostTest +Change-Id: Id620644ffdfe20e9281773e2e23851c56732dd11 +Merged-In: Id620644ffdfe20e9281773e2e23851c56732dd11 +(cherry picked from commit 93f5186e4b4a044e00a168c55e05fd3835033221) +(cherry picked from commit 0f59f42685f186fd207355c01c580038436713ba) +Merged-In: Id620644ffdfe20e9281773e2e23851c56732dd11 +--- + src/com/android/providers/media/MediaProvider.java | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java +index 9032644e7..f9ea135fd 100644 +--- a/src/com/android/providers/media/MediaProvider.java ++++ b/src/com/android/providers/media/MediaProvider.java +@@ -2308,8 +2308,22 @@ public class MediaProvider extends ContentProvider { + } + } + ++ @Nullable ++ private static String getCanonicalPath(@Nullable String path) { ++ if (path == null) return null; ++ ++ try { ++ return new File(path).getCanonicalPath(); ++ } catch (IOException e) { ++ Log.d(TAG, "Unable to get canonical path from invalid data path: " + path, e); ++ return null; ++ } ++ } ++ + private static @Nullable String extractRelativePath(@Nullable String data) { ++ data = getCanonicalPath(data); + if (data == null) return null; ++ + final Matcher matcher = PATTERN_RELATIVE_PATH.matcher(data); + if (matcher.find()) { + final int lastSlash = data.lastIndexOf('/'); diff --git a/Patches/LineageOS-17.1/android_packages_services_Telecomm/353959.patch b/Patches/LineageOS-17.1/android_packages_services_Telecomm/353959.patch new file mode 100644 index 00000000..9b2f6913 --- /dev/null +++ b/Patches/LineageOS-17.1/android_packages_services_Telecomm/353959.patch @@ -0,0 +1,68 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Chinmay Dhodapkar +Date: Sun, 4 Dec 2022 09:46:34 -0800 +Subject: [PATCH] DO NOT MERGE do not process content uri in call Intents + +Add checks in Telecom so content uris are not processed + +Bug: 257030107 +Test: atest NewOutgoingCallIntentBroadcasterTest +Test: adb shell am start -a android.intent.action.CALL -d tel:xxx +Change-Id: Ic2c3014cecfd5db84dc2023b4c247d96ad1c3414 +Merged-In: Ic2c3014cecfd5db84dc2023b4c247d96ad1c3414 +(cherry picked from commit 9636518478fb887dd1834c0433eb3a71eb72faaf) +Merged-In: Ic2c3014cecfd5db84dc2023b4c247d96ad1c3414 +--- + .../telecom/NewOutgoingCallIntentBroadcaster.java | 14 ++++++++++++-- + .../NewOutgoingCallIntentBroadcasterTest.java | 13 +++++++++++++ + 2 files changed, 25 insertions(+), 2 deletions(-) + +diff --git a/src/com/android/server/telecom/NewOutgoingCallIntentBroadcaster.java b/src/com/android/server/telecom/NewOutgoingCallIntentBroadcaster.java +index 7a641af3c..960be80a3 100644 +--- a/src/com/android/server/telecom/NewOutgoingCallIntentBroadcaster.java ++++ b/src/com/android/server/telecom/NewOutgoingCallIntentBroadcaster.java +@@ -313,8 +313,18 @@ public class NewOutgoingCallIntentBroadcaster { + } + + private String getNumberFromCallIntent(Intent intent) { +- String number; +- number = mPhoneNumberUtilsAdapter.getNumberFromIntent(intent, mContext); ++ String number = null; ++ ++ Uri uri = intent.getData(); ++ if (uri != null) { ++ String scheme = uri.getScheme(); ++ if (scheme != null) { ++ if (scheme.equals("tel") || scheme.equals("sip")) { ++ number = uri.getSchemeSpecificPart(); ++ } ++ } ++ } ++ + if (TextUtils.isEmpty(number)) { + Log.w(this, "Empty number obtained from the call intent."); + return null; +diff --git a/tests/src/com/android/server/telecom/tests/NewOutgoingCallIntentBroadcasterTest.java b/tests/src/com/android/server/telecom/tests/NewOutgoingCallIntentBroadcasterTest.java +index 81b43265f..b618bba1e 100644 +--- a/tests/src/com/android/server/telecom/tests/NewOutgoingCallIntentBroadcasterTest.java ++++ b/tests/src/com/android/server/telecom/tests/NewOutgoingCallIntentBroadcasterTest.java +@@ -186,6 +186,19 @@ public class NewOutgoingCallIntentBroadcasterTest extends TelecomTestCase { + verifyNoCallPlaced(); + } + ++ @Test ++ public void testNoCallsPlacedWithContentUri() { ++ Uri handle = Uri.parse("content://com.android.contacts/data/1"); ++ Intent intent = new Intent(Intent.ACTION_CALL, handle); ++ ++ int result = processIntent(intent, true).disconnectCause; ++ ++ assertEquals(DisconnectCause.NO_PHONE_NUMBER_SUPPLIED, result); ++ verify(mContext, never()).getContentResolver(); ++ verifyNoBroadcastSent(); ++ verifyNoCallPlaced(); ++ } ++ + @SmallTest + @Test + public void testEmergencyCallWithNonDefaultDialer() { diff --git a/Patches/LineageOS-17.1/android_system_bt/353960.patch b/Patches/LineageOS-17.1/android_system_bt/353960.patch new file mode 100644 index 00000000..fae2a270 --- /dev/null +++ b/Patches/LineageOS-17.1/android_system_bt/353960.patch @@ -0,0 +1,54 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Thu, 8 Dec 2022 01:08:11 +0000 +Subject: [PATCH] Fix OOB access in avdt_scb_hdl_pkt_no_frag + +This is a back port of the following 2 CLs: +- Id13b1ebde8f603123c8b7a49922b2f1378ab788f +- If0c7b25f2e6cb4531bbb6254e176e8ad1b5c5fb4 + +Regression test: I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54 + +Bug: 142546355 258057241 +Test: atest net_test_stack_avdtp +Ignore-AOSP-First: security +Change-Id: Ie1707385d6452ece47915c153f4faaa1c8a287c9 +(cherry picked from commit b0b968e8c6214e20a5dc3617d66567225df0884f) +Merged-In: Ie1707385d6452ece47915c153f4faaa1c8a287c9 +--- + stack/avdt/avdt_scb_act.cc | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc +index ce53c45eb..f2de4ba35 100644 +--- a/stack/avdt/avdt_scb_act.cc ++++ b/stack/avdt/avdt_scb_act.cc +@@ -255,19 +255,24 @@ void avdt_scb_hdl_pkt_no_frag(AvdtpScb* p_scb, tAVDT_SCB_EVT* p_data) { + if (offset > len) goto length_error; + p += 2; + BE_STREAM_TO_UINT16(ex_len, p); +- offset += ex_len * 4; + p += ex_len * 4; + } + ++ if ((p - p_start) >= len) { ++ AVDT_TRACE_WARNING("%s: handling malformatted packet: ex_len too large", __func__); ++ osi_free_and_reset((void**)&p_data->p_pkt); ++ return; ++ } ++ offset = p - p_start; ++ + /* adjust length for any padding at end of packet */ + if (o_p) { + /* padding length in last byte of packet */ +- pad_len = *(p_start + p_data->p_pkt->len); ++ pad_len = *(p_start + len - 1); + } + + /* do sanity check */ +- if ((offset > p_data->p_pkt->len) || +- ((pad_len + offset) > p_data->p_pkt->len)) { ++ if (pad_len >= (len - offset)) { + AVDT_TRACE_WARNING("Got bad media packet"); + osi_free_and_reset((void**)&p_data->p_pkt); + } diff --git a/Patches/LineageOS-17.1/android_system_bt/353961.patch b/Patches/LineageOS-17.1/android_system_bt/353961.patch new file mode 100644 index 00000000..3cabca42 --- /dev/null +++ b/Patches/LineageOS-17.1/android_system_bt/353961.patch @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Fri, 20 Jan 2023 19:39:30 +0000 +Subject: [PATCH] Fix an OOB bug in register_notification_rsp + +This is a backport of I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f +to rvc-dev. + +Bug: 245916076 +Test: manual +Ignore-AOSP-First: security +Change-Id: I37a9f45e707702b2ec52b5a2d572f177f2911765 +(cherry picked from commit 901e34203c6280d414cbfa3978de04fd6515ffdf) +Merged-In: I37a9f45e707702b2ec52b5a2d572f177f2911765 +--- + btif/src/btif_rc.cc | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/btif/src/btif_rc.cc b/btif/src/btif_rc.cc +index 575d83e37..be29e559b 100644 +--- a/btif/src/btif_rc.cc ++++ b/btif/src/btif_rc.cc +@@ -1892,6 +1892,11 @@ static bt_status_t register_notification_rsp( + dump_rc_notification_event_id(event_id)); + std::unique_lock lock(btif_rc_cb.lock); + ++ if (event_id > MAX_RC_NOTIFICATIONS) { ++ BTIF_TRACE_ERROR("Invalid event id"); ++ return BT_STATUS_PARM_INVALID; ++ } ++ + memset(&(avrc_rsp.reg_notif), 0, sizeof(tAVRC_REG_NOTIF_RSP)); + + avrc_rsp.reg_notif.event_id = event_id; diff --git a/Patches/LineageOS-17.1/android_system_nfc/353962.patch b/Patches/LineageOS-17.1/android_system_nfc/353962.patch new file mode 100644 index 00000000..94fb53c4 --- /dev/null +++ b/Patches/LineageOS-17.1/android_system_nfc/353962.patch @@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Tue, 31 Jan 2023 19:04:09 -0800 +Subject: [PATCH] OOBW in nci_snd_set_routing_cmd() + +Bug: 264879662 +Test: read a tag, nfc on/off +Change-Id: I408cf611fb35e9467d7484165ce48759970b158a +(cherry picked from commit 1dd4d2e1b481dd83ca2b222993fdb74ae5306c78) +Merged-In: I408cf611fb35e9467d7484165ce48759970b158a +--- + src/nfc/nci/nci_hmsgs.cc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/nfc/nci/nci_hmsgs.cc b/src/nfc/nci/nci_hmsgs.cc +index 885ebaa..c191c26 100644 +--- a/src/nfc/nci/nci_hmsgs.cc ++++ b/src/nfc/nci/nci_hmsgs.cc +@@ -630,6 +630,10 @@ uint8_t nci_snd_set_routing_cmd(bool more, uint8_t num_tlv, uint8_t tlv_size, + uint8_t* pp; + uint8_t size = tlv_size + 2; + ++ if (size < tlv_size) { ++ return (NCI_STATUS_FAILED); ++ } ++ + if (tlv_size == 0) { + /* just to terminate routing table + * 2 bytes (more=FALSE and num routing entries=0) */ diff --git a/Patches/LineageOS-17.1/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/353963.patch b/Patches/LineageOS-17.1/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/353963.patch new file mode 100644 index 00000000..664fc967 --- /dev/null +++ b/Patches/LineageOS-17.1/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/353963.patch @@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Tue, 31 Jan 2023 19:04:09 -0800 +Subject: [PATCH] OOBW in nci_snd_set_routing_cmd() + +Bug: 264879662 +Test: read a tag, nfc on/off +Change-Id: I408cf611fb35e9467d7484165ce48759970b158a +(cherry picked from commit 1dd4d2e1b481dd83ca2b222993fdb74ae5306c78) +Merged-In: I408cf611fb35e9467d7484165ce48759970b158a +--- + SN100x/src/nfc/nci/nci_hmsgs.cc | 4 ++++ + src/nfc/nci/nci_hmsgs.cc | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/SN100x/src/nfc/nci/nci_hmsgs.cc b/SN100x/src/nfc/nci/nci_hmsgs.cc +index 99a40a1f..e37a82b6 100755 +--- a/SN100x/src/nfc/nci/nci_hmsgs.cc ++++ b/SN100x/src/nfc/nci/nci_hmsgs.cc +@@ -673,6 +673,10 @@ uint8_t nci_snd_set_routing_cmd(bool more, uint8_t num_tlv, uint8_t tlv_size, + uint8_t* pp; + uint8_t size = tlv_size + 2; + ++ if (size < tlv_size) { ++ return (NCI_STATUS_FAILED); ++ } ++ + if (tlv_size == 0) { + /* just to terminate routing table + * 2 bytes (more=FALSE and num routing entries=0) */ +diff --git a/src/nfc/nci/nci_hmsgs.cc b/src/nfc/nci/nci_hmsgs.cc +index eedfc084..898d1446 100755 +--- a/src/nfc/nci/nci_hmsgs.cc ++++ b/src/nfc/nci/nci_hmsgs.cc +@@ -727,6 +727,10 @@ uint8_t nci_snd_set_routing_cmd(bool more, uint8_t num_tlv, uint8_t tlv_size, + uint8_t* pp; + uint8_t size = tlv_size + 2; + ++ if (size < tlv_size) { ++ return (NCI_STATUS_FAILED); ++ } ++ + if (tlv_size == 0) { + /* just to terminate routing table + * 2 bytes (more=false and num routing entries=0) */ diff --git a/Patches/LineageOS-17.1/android_vendor_nxp_opensource_pn5xx_halimpl/353964.patch b/Patches/LineageOS-17.1/android_vendor_nxp_opensource_pn5xx_halimpl/353964.patch new file mode 100644 index 00000000..928a8fb6 --- /dev/null +++ b/Patches/LineageOS-17.1/android_vendor_nxp_opensource_pn5xx_halimpl/353964.patch @@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Tue, 31 Jan 2023 19:04:09 -0800 +Subject: [PATCH] OOBW in nci_snd_set_routing_cmd() + +Bug: 264879662 +Test: read a tag, nfc on/off +Change-Id: I408cf611fb35e9467d7484165ce48759970b158a +(cherry picked from commit 1dd4d2e1b481dd83ca2b222993fdb74ae5306c78) +Merged-In: I408cf611fb35e9467d7484165ce48759970b158a +--- + halimpl/src/halLibnfc/src/nfc/nci/nci_hmsgs.cc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/halimpl/src/halLibnfc/src/nfc/nci/nci_hmsgs.cc b/halimpl/src/halLibnfc/src/nfc/nci/nci_hmsgs.cc +index a76ba5a..34d1d07 100755 +--- a/halimpl/src/halLibnfc/src/nfc/nci/nci_hmsgs.cc ++++ b/halimpl/src/halLibnfc/src/nfc/nci/nci_hmsgs.cc +@@ -672,6 +672,10 @@ uint8_t nci_snd_set_routing_cmd(bool more, uint8_t num_tlv, uint8_t tlv_size, + uint8_t *pp; + uint8_t size = tlv_size + 2; + ++ if (size < tlv_size) { ++ return (NCI_STATUS_FAILED); ++ } ++ + if (tlv_size == 0) { + /* just to terminate routing table + * 2 bytes (more=false and num routing entries=0) */ diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/353967.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/353967.patch new file mode 100644 index 00000000..397b2703 --- /dev/null +++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/353967.patch @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Fri, 20 Jan 2023 19:39:30 +0000 +Subject: [PATCH] Fix an OOB bug in register_notification_rsp + +This is a backport of I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f +to rvc-dev. + +Bug: 245916076 +Test: manual +Ignore-AOSP-First: security +Change-Id: I37a9f45e707702b2ec52b5a2d572f177f2911765 +(cherry picked from commit 901e34203c6280d414cbfa3978de04fd6515ffdf) +Merged-In: I37a9f45e707702b2ec52b5a2d572f177f2911765 +--- + btif/src/btif_rc.cc | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/btif/src/btif_rc.cc b/btif/src/btif_rc.cc +index a0e38998f..41fd73485 100644 +--- a/btif/src/btif_rc.cc ++++ b/btif/src/btif_rc.cc +@@ -3137,6 +3137,11 @@ static bt_status_t register_notification_rsp( + dump_rc_notification_event_id(event_id)); + std::unique_lock lock(btif_rc_cb.lock); + ++ if (event_id > MAX_RC_NOTIFICATIONS) { ++ BTIF_TRACE_ERROR("Invalid event id"); ++ return BT_STATUS_PARM_INVALID; ++ } ++ + memset(&(avrc_rsp.reg_notif), 0, sizeof(tAVRC_REG_NOTIF_RSP)); + + avrc_rsp.reg_notif.event_id = event_id; diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/353968.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/353968.patch new file mode 100644 index 00000000..77f2869a --- /dev/null +++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/353968.patch @@ -0,0 +1,49 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Mayank Madhukar +Date: Thu, 14 Jul 2022 15:33:53 +0530 +Subject: [PATCH] AVDTP: Fix a potential overflow about the media payload + offset + +This variable is uint16, and is possible to overflow when the length of +header extension is larger. Here we compare with the data length to +prevent any exceptions. + +Change-Id: If55d77132e893d6856c9f4ccc42d24a6e7cafe29 +CRs-Fixed: 3237187 +--- + stack/avdt/avdt_scb_act.cc | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc +index 130f44ab1..568575458 100644 +--- a/stack/avdt/avdt_scb_act.cc ++++ b/stack/avdt/avdt_scb_act.cc +@@ -277,19 +277,24 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) { + if (offset > len) goto length_error; + p += 2; + BE_STREAM_TO_UINT16(ex_len, p); +- offset += ex_len * 4; + p += ex_len * 4; + } + ++ if ((p - p_start) > len) { ++ android_errorWriteLog(0x534e4554, "142546355"); ++ osi_free_and_reset((void**)&p_data->p_pkt); ++ return; ++ } ++ offset = p - p_start; ++ + /* adjust length for any padding at end of packet */ + if (o_p) { + /* padding length in last byte of packet */ +- pad_len = *(p_start + p_data->p_pkt->len); ++ pad_len = *(p_start + len); + } + + /* do sanity check */ +- if ((offset > p_data->p_pkt->len) || +- ((pad_len + offset) > p_data->p_pkt->len)) { ++ if (pad_len > (len - offset)) { + AVDT_TRACE_WARNING("Got bad media packet"); + osi_free_and_reset((void**)&p_data->p_pkt); + } diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh index 06ec9da4..5f908e8e 100644 --- a/Scripts/LineageOS-17.1/Patch.sh +++ b/Scripts/LineageOS-17.1/Patch.sh @@ -97,7 +97,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig -sed -i 's/2023-02-05/2023-03-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-03 #XXX +sed -i 's/2023-02-05/2023-04-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-04 #XXX fi; if enterAndClear "build/soong"; then @@ -145,6 +145,13 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/351415.patch"; #R_asb_2023-03 R applyPatch "$DOS_PATCHES/android_frameworks_base/351436.patch"; #R_asb_2023-03 Revert "Ensure that only SysUI can override pending intent launch flags" applyPatch "$DOS_PATCHES/android_frameworks_base/352555.patch"; #Q_asb_2023-03 Revert "[RESTRICT AUTOMERGE] Trim the activity info of another uid if no privilege" applyPatch "$DOS_PATCHES/android_frameworks_base/353117.patch"; #Q_asb_2023-03 Fix sharing to another profile where an app has multiple targets +applyPatch "$DOS_PATCHES/android_frameworks_base/353944.patch"; #R_asb_2023-04 Context#startInstrumentation could be started from SHELL only now. +applyPatch "$DOS_PATCHES/android_frameworks_base/353945.patch"; #R_asb_2023-04 Checking if package belongs to UID before registering broadcast receiver +applyPatch "$DOS_PATCHES/android_frameworks_base/353946.patch"; #R_asb_2023-04 Fix checkKeyIntentParceledCorrectly's bypass +applyPatch "$DOS_PATCHES/android_frameworks_base/353947.patch"; #R_asb_2023-04 Encode Intent scheme when serializing to URI string +applyPatch "$DOS_PATCHES/android_frameworks_base/353948-backport.patch"; #R_asb_2023-04 Backport BAL restrictions from S to R, this blocks apps from using AlarmManager to bypass BAL restrictions. +applyPatch "$DOS_PATCHES/android_frameworks_base/353950-backport.patch"; #R_asb_2023-04 Add a limit on channel group creation +applyPatch "$DOS_PATCHES/android_frameworks_base/353951-backport.patch"; #R_asb_2023-04 Fix bypass BG-FGS and BAL via package manager APIs #XXX #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS) @@ -204,6 +211,7 @@ rm -rf packages/PrintRecommendationService; #Creates popups to install proprieta fi; if enterAndClear "frameworks/native"; then +applyPatch "$DOS_PATCHES/android_frameworks_native/353953-backport.patch"; #R_asb_2023-04 Mitigate the security vulnerability by sanitizing the transaction flags. applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS) fi; @@ -214,7 +222,7 @@ fi; fi; if enterAndClear "frameworks/opt/net/wifi"; then -applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/351437-backport.patch"; #R_asb_2023-03 Revert "[DO NOT MERGE] wifi: remove certificates for network factory reset" +#applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/351437-backport.patch"; #R_asb_2023-03 Revert "[DO NOT MERGE] wifi: remove certificates for network factory reset" #XXX: reverted in R_asb_2023-04 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS) applyPatch "$DOS_PATCHES/android_frameworks_opt_net_wifi/0002-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS) fi; @@ -319,6 +327,7 @@ if enterAndClear "packages/apps/Settings"; then git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351440-backport.patch"; #R_asb_2023-03 FRP bypass defense in the settings app applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351441.patch"; #R_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/353956.patch"; #R_asb_2023-04 Only primary user is allowed to control secure nfc #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle-gos.patch"; #Add option to disable captive portal checks (GrapheneOS) #FIXME: needs work @@ -366,10 +375,18 @@ if enterAndClear "packages/providers/DownloadProvider"; then applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) fi; +if enterAndClear "packages/providers/MediaProvider"; then +applyPatch "$DOS_PATCHES/android_packages_providers_MediaProvider/353957-backport.patch"; #R_asb_2023-04 Canonicalise path before extracting relative path +fi; + #if enterAndClear "packages/providers/TelephonyProvider"; then #cp $DOS_PATCHES_COMMON/android_packages_providers_TelephonyProvider/carrier_list.* assets/; #fi; +if enterAndClear "packages/services/Telecomm"; then +applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/353959.patch"; #R_asb_2023-04 Do not process content uri in call Intents +fi; + if enterAndClear "prebuilts/abi-dumps/vndk"; then applyPatch "$DOS_PATCHES/android_prebuilts_abi-dumps_vndk/0001-protobuf-avi.patch"; #Work around ABI changes from compiler hardening (GrapheneOS) fi; @@ -378,6 +395,8 @@ if enterAndClear "system/bt"; then applyPatch "$DOS_PATCHES/android_system_bt/351443.patch"; #R_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate applyPatch "$DOS_PATCHES/android_system_bt/351444.patch"; #R_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc applyPatch "$DOS_PATCHES/android_system_bt/351445.patch"; #R_asb_2023-03 Fix an OOB write in SDP_AddAttribute +applyPatch "$DOS_PATCHES/android_system_bt/353960.patch"; #R_asb_2023-04 Fix OOB access in avdt_scb_hdl_pkt_no_frag +applyPatch "$DOS_PATCHES/android_system_bt/353961.patch"; #R_asb_2023-04 Fix an OOB bug in register_notification_rsp applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS) #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS) #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS) @@ -403,6 +422,18 @@ applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Ex applyPatch "$DOS_PATCHES/android_system_netd/0002-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (DivestOS) fi; +if enterAndClear "system/nfc"; then +applyPatch "$DOS_PATCHES/android_system_nfc/353962.patch"; #R_asb_2023-04 OOBW in nci_snd_set_routing_cmd() +fi; + +if enterAndClear "vendor/nxp/opensource/commonsys/external/libnfc-nci"; then +applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/353963.patch"; #R_asb_2023-04 OOBW in nci_snd_set_routing_cmd() +fi; + +if enterAndClear "vendor/nxp/opensource/pn5xx/halimpl"; then +applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_pn5xx_halimpl/353964.patch"; #R_asb_2023-04 OOBW in nci_snd_set_routing_cmd() +fi; + if enterAndClear "system/sepolicy"; then applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS) applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS) @@ -448,6 +479,8 @@ applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351448.patch"; applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351449.patch"; #R_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351450.patch"; #R_asb_2023-03 Fix an OOB write in SDP_AddAttribute applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351451.patch"; #R_asb_2023-03 AVRCP: Fix potential buffer overflow +applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/353967.patch"; #R_asb_2023-04 Fix an OOB bug in register_notification_rsp +applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/353968.patch"; #R_asb_2023-04 AVDTP: Fix a potential overflow about the media payload offset fi; # #END OF ROM CHANGES