Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-06-26 14:42:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

20.0: October ASB picks

Browse Source 
wget c873988898.patch -O telecomm-01.patch
wget 0fb5786dbf.patch -O mediaprovider-01.patch
wget 1a4b9ef510.patch -O wifi-01.patch
wget 364a1d9962.patch -O bluetooth-01.patch
wget 87a06448b9.patch -O settings-01.patch
wget aaba724a68.patch -O settings-02.patch
wget 507304e1f5.patch -O native-01.patch
wget 89489ff5dd.patch -O base-01.patch
wget d1765c4715.patch -O base-02.patch
wget cbb1a0ecd6.patch -O base-03.patch
wget 4725772c0b.patch -O base-04.patch
wget 19747f6923.patch -O base-05.patch
wget e7a1aa9ed0.patch -O base-06.patch
wget 922a7860b1.patch -O base-07.patch
wget ed183ed912.patch -O base-08.patch
wget c6fbe1330a.patch -O base-09.patch
wget 9141cac175.patch -O base-10.patch
wget 41235bcc67.patch -O av-01.patch
wget a89f704701.patch -O av-02.patch
wget 6d7cd80d77.patch -O av-03.patch
wget 75fc175a08.patch -O av-04.patch
wget b023ec300f.patch -O av-05.patch
wget c8117d1539.patch -O av-06.patch
wget f06d23d824.patch -O av-07.patch
wget 9c7408ab07.patch -O av-08.patch
wget cfbfcefb3c.patch -O launcher-01.patch
wget 4a27a7f162.patch -O libxml-01.patch

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2023-10-03 14:30:46 -04:00
parent d80f272b54
commit af360bc9ea
No known key found for this signature in database
GPG Key ID: B286E9F57A07424B
29 changed files with 4063 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Manifests/Manifest_LAOS-20.0.xml
View File

@ -50,7 +50,7 @@
<!-- START OF ADDITIONAL REPOS -->
<!-- GrapheneOS -->
<project path="external/hardened_malloc" name="GrapheneOS/hardened_malloc" remote="github" revision="d3152b8e8ff5070f69e7c991d34f32a429e6a894" />
<project path="external/hardened_malloc" name="GrapheneOS/hardened_malloc" remote="github" revision="8d5c63122499169df5fd9ed6e91fb116512a4745" />
<!-- OpenEUICC -->
<project path="packages/apps/OpenEUICC" name="PeterCxy/OpenEUICC" remote="angry" revision="6add8c89ac141f177cd8d124a0a955232f4222f9" />

49
Patches/LineageOS-20.0/ASB-2023-10/av-01.patch Normal file
View File

@ -0,0 +1,49 @@
From 41235bcc67a2122bc1d6a4d19e8356b3d1ada91e Mon Sep 17 00:00:00 2001
From: Kyle Zhang <kelzhan@google.com>
Date: Fri, 10 Mar 2023 00:06:16 +0000
Subject: [PATCH] Fix mSession NULL dereference
Bug: 230793853
Test: clearkeyV1.4_fuzzer
Change-Id: I3f11b133a4854a9ef896c9f5042bd719527c3fa6
---
drm/mediadrm/plugins/clearkey/aidl/CryptoPlugin.cpp | 3 +++
drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp | 4 ++++
2 files changed, 7 insertions(+)
diff --git a/drm/mediadrm/plugins/clearkey/aidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/aidl/CryptoPlugin.cpp
index afc9b6a9a4..a63471fd53 100644
--- a/drm/mediadrm/plugins/clearkey/aidl/CryptoPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/aidl/CryptoPlugin.cpp
@@ -137,6 +137,8 @@ ::ndk::ScopedAStatus CryptoPlugin::decrypt(const DecryptArgs& in_args, int32_t*
*_aidl_return = static_cast<ssize_t>(offset);
return toNdkScopedAStatus(Status::OK);
} else if (in_args.mode == Mode::AES_CTR) {
+ if (!mSession) return toNdkScopedAStatus(Status::ERROR_DRM_CANNOT_HANDLE,
+ "session not found");
size_t bytesDecrypted{};
std::vector<int32_t> clearDataLengths;
std::vector<int32_t> encryptedDataLengths;
@@ -149,6 +151,7 @@ ::ndk::ScopedAStatus CryptoPlugin::decrypt(const DecryptArgs& in_args, int32_t*
detailedError = "invalid decrypt parameter size";
return toNdkScopedAStatus(Status::ERROR_DRM_CANNOT_HANDLE, detailedError);
}
+
auto res =
mSession->decrypt(in_args.keyId.data(), in_args.iv.data(),
srcPtr, static_cast<uint8_t*>(destPtr),
diff --git a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
index 7bc320db6b..64a43b0af7 100644
--- a/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
+++ b/drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp
@@ -211,6 +211,10 @@ Return<void> CryptoPlugin::decrypt_1_2(
_hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0, "invalid decrypt parameter size");
return Void();
}
+ if (!mSession) {
+ _hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0, "session not found");
+ return Void();
+ }
Status_V1_2 res = mSession->decrypt(keyId.data(), iv.data(), srcPtr,
static_cast<uint8_t*>(destPtr), toVector(subSamples), &bytesDecrypted);
if (res == Status_V1_2::OK) {

26
Patches/LineageOS-20.0/ASB-2023-10/av-02.patch Normal file
View File

@ -0,0 +1,26 @@
From a89f704701e6af4a4809f4bb4911af88a023226f Mon Sep 17 00:00:00 2001
From: Kyle Zhang <kelzhan@google.com>
Date: Wed, 22 Feb 2023 20:14:34 +0000
Subject: [PATCH] Fix null pointer derefernce AMediaDrm_setPropertyByteArray
Bug: 234798181
Test: ndkDrmFuzzer
Change-Id: I0d2d92ce7be108a904e811048f90a93571862ebc
---
media/ndk/NdkMediaDrm.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/media/ndk/NdkMediaDrm.cpp b/media/ndk/NdkMediaDrm.cpp
index f4674dea63..170506168f 100644
--- a/media/ndk/NdkMediaDrm.cpp
+++ b/media/ndk/NdkMediaDrm.cpp
@@ -758,6 +758,9 @@ media_status_t AMediaDrm_setPropertyString(AMediaDrm *mObj,
EXPORT
media_status_t AMediaDrm_setPropertyByteArray(AMediaDrm *mObj,
const char *propertyName, const uint8_t *value, size_t valueSize) {
+ if (!mObj || mObj->mDrm == NULL) {
+ return AMEDIA_ERROR_INVALID_OBJECT;
+ }
Vector<uint8_t> byteArray;
byteArray.appendArray(value, valueSize);

30
Patches/LineageOS-20.0/ASB-2023-10/av-03.patch Normal file
View File

@ -0,0 +1,30 @@
From 6d7cd80d77ed35efbe168f627dda021a5d8dd766 Mon Sep 17 00:00:00 2001
From: Kwangkyu Park <kk48.park@samsung.com>
Date: Thu, 9 Feb 2023 16:29:10 +0900
Subject: [PATCH] Fix an issue that a free memory is accessed
In error state, request thread join is not executed. And,
Camera3Device's mId can be accessed from String& after being freed with
CLOGE().
This fix will address by changing reference type to normal variable.
Bug: 268437033
Change-Id: Iad3fcd0fbbaf1e18a2b95093aba08015a933374c
---
services/camera/libcameraservice/device3/Camera3Device.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/camera/libcameraservice/device3/Camera3Device.h b/services/camera/libcameraservice/device3/Camera3Device.h
index e6073a94d4..5187a96f59 100644
--- a/services/camera/libcameraservice/device3/Camera3Device.h
+++ b/services/camera/libcameraservice/device3/Camera3Device.h
@@ -1010,7 +1010,7 @@ class Camera3Device :
wp<NotificationListener> mListener;
- const String8& mId; // The camera ID
+ const String8 mId; // The camera ID
int mStatusId; // The RequestThread's component ID for
// status tracking

300
Patches/LineageOS-20.0/ASB-2023-10/av-04.patch Normal file
View File

@ -0,0 +1,300 @@
From 75fc175a08c1a8e86d4649c19fd3136121518b96 Mon Sep 17 00:00:00 2001
From: Ray Essick <essick@google.com>
Date: Mon, 22 Aug 2022 15:58:51 -0500
Subject: [PATCH] NdkMediaFormat_*() parameter checking
verify non-null format and name fields in the NdkMediaFormat_set/get
functions. Update unit tests to verify fixes are in place.
Bug: 243204176
Test: atest libmediandk_test
Change-Id: I551b61c96dce71310bcd1d057abad0fde021cc55
---
media/ndk/NdkMediaFormat.cpp | 97 ++++++++++++++++++++++++-
media/ndk/tests/NdkMediaFormat_test.cpp | 45 ++++++++++++
2 files changed, 141 insertions(+), 1 deletion(-)
diff --git a/media/ndk/NdkMediaFormat.cpp b/media/ndk/NdkMediaFormat.cpp
index 923453ac1b..a95e87419a 100644
--- a/media/ndk/NdkMediaFormat.cpp
+++ b/media/ndk/NdkMediaFormat.cpp
@@ -147,38 +147,80 @@ const char* AMediaFormat_toString(AMediaFormat *mData) {
EXPORT
bool AMediaFormat_getInt32(AMediaFormat* format, const char *name, int32_t *out) {
+ if (format == nullptr) {
+ return false;
+ }
+ if (name == nullptr) {
+ return false;
+ }
return format->mFormat->findInt32(name, out);
}
EXPORT
bool AMediaFormat_getInt64(AMediaFormat* format, const char *name, int64_t *out) {
+ if (format == nullptr) {
+ return false;
+ }
+ if (name == nullptr) {
+ return false;
+ }
return format->mFormat->findInt64(name, out);
}
EXPORT
bool AMediaFormat_getFloat(AMediaFormat* format, const char *name, float *out) {
+ if (format == nullptr) {
+ return false;
+ }
+ if (name == nullptr) {
+ return false;
+ }
return format->mFormat->findFloat(name, out);
}
EXPORT
bool AMediaFormat_getDouble(AMediaFormat* format, const char *name, double *out) {
+ if (format == nullptr) {
+ return false;
+ }
+ if (name == nullptr) {
+ return false;
+ }
return format->mFormat->findDouble(name, out);
}
EXPORT
bool AMediaFormat_getSize(AMediaFormat* format, const char *name, size_t *out) {
+ if (format == nullptr) {
+ return false;
+ }
+ if (name == nullptr) {
+ return false;
+ }
return format->mFormat->findSize(name, out);
}
EXPORT
bool AMediaFormat_getRect(AMediaFormat* format, const char *name,
int32_t *left, int32_t *top, int32_t *right, int32_t *bottom) {
+ if (format == nullptr) {
+ return false;
+ }
+ if (name == nullptr) {
+ return false;
+ }
return format->mFormat->findRect(name, left, top, right, bottom);
}
EXPORT
bool AMediaFormat_getBuffer(AMediaFormat* format, const char *name, void** data, size_t *outsize) {
sp<ABuffer> buf;
+ if (format == nullptr) {
+ return false;
+ }
+ if (name == nullptr) {
+ return false;
+ }
if (format->mFormat->findBuffer(name, &buf)) {
*data = buf->data() + buf->offset();
*outsize = buf->size();
@@ -189,7 +231,12 @@ bool AMediaFormat_getBuffer(AMediaFormat* format, const char *name, void** data,
EXPORT
bool AMediaFormat_getString(AMediaFormat* mData, const char *name, const char **out) {
-
+ if (mData == nullptr) {
+ return false;
+ }
+ if (name == nullptr) {
+ return false;
+ }
for (size_t i = 0; i < mData->mStringCache.size(); i++) {
if (strcmp(mData->mStringCache.keyAt(i).string(), name) == 0) {
mData->mStringCache.removeItemsAt(i, 1);
@@ -212,43 +259,91 @@ bool AMediaFormat_getString(AMediaFormat* mData, const char *name, const char **
EXPORT
void AMediaFormat_setInt32(AMediaFormat* format, const char *name, int32_t value) {
+ if (format == nullptr) {
+ return;
+ }
+ if (name == nullptr) {
+ return;
+ }
format->mFormat->setInt32(name, value);
}
EXPORT
void AMediaFormat_setInt64(AMediaFormat* format, const char *name, int64_t value) {
+ if (format == nullptr) {
+ return;
+ }
+ if (name == nullptr) {
+ return;
+ }
format->mFormat->setInt64(name, value);
}
EXPORT
void AMediaFormat_setFloat(AMediaFormat* format, const char* name, float value) {
+ if (format == nullptr) {
+ return;
+ }
+ if (name == nullptr) {
+ return;
+ }
format->mFormat->setFloat(name, value);
}
EXPORT
void AMediaFormat_setDouble(AMediaFormat* format, const char* name, double value) {
+ if (format == nullptr) {
+ return;
+ }
+ if (name == nullptr) {
+ return;
+ }
format->mFormat->setDouble(name, value);
}
EXPORT
void AMediaFormat_setSize(AMediaFormat* format, const char* name, size_t value) {
+ if (format == nullptr) {
+ return;
+ }
+ if (name == nullptr) {
+ return;
+ }
format->mFormat->setSize(name, value);
}
EXPORT
void AMediaFormat_setRect(AMediaFormat* format, const char *name,
int32_t left, int32_t top, int32_t right, int32_t bottom) {
+ if (format == nullptr) {
+ return;
+ }
+ if (name == nullptr) {
+ return;
+ }
format->mFormat->setRect(name, left, top, right, bottom);
}
EXPORT
void AMediaFormat_setString(AMediaFormat* format, const char* name, const char* value) {
+ if (format == nullptr) {
+ return;
+ }
+ if (name == nullptr) {
+ return;
+ }
// AMessage::setString() makes a copy of the string
format->mFormat->setString(name, value, strlen(value));
}
EXPORT
void AMediaFormat_setBuffer(AMediaFormat* format, const char* name, const void* data, size_t size) {
+ if (format == nullptr) {
+ return;
+ }
+ if (name == nullptr) {
+ return;
+ }
// the ABuffer(void*, size_t) constructor doesn't take ownership of the data, so create
// a new buffer and copy the data into it
sp<ABuffer> buf = new ABuffer(size);
diff --git a/media/ndk/tests/NdkMediaFormat_test.cpp b/media/ndk/tests/NdkMediaFormat_test.cpp
index 668d0a4463..18690b8782 100644
--- a/media/ndk/tests/NdkMediaFormat_test.cpp
+++ b/media/ndk/tests/NdkMediaFormat_test.cpp
@@ -51,6 +51,13 @@ TEST(NdkMediaFormat_tests, test_int32) {
EXPECT_FALSE(AMediaFormat_getInt64(fmt1, "five", &i64));
EXPECT_EQ(i32, 5);
+ // verify detecting some bad parameters.
+ AMediaFormat_setInt32(nullptr, "whatever", 6);
+ AMediaFormat_setInt32(fmt1, nullptr, 6);
+
+ EXPECT_FALSE(AMediaFormat_getInt32(nullptr, "whatever", &i32));
+ EXPECT_FALSE(AMediaFormat_getInt32(fmt1, nullptr, &i32));
+
AMediaFormat_delete(fmt1);
}
@@ -67,6 +74,13 @@ TEST(NdkMediaFormat_tests, test_int64) {
EXPECT_FALSE(AMediaFormat_getInt64(fmt1, "five", &i64));
EXPECT_EQ(i64, -1);
+ // verify detecting some bad parameters.
+ AMediaFormat_setInt64(nullptr, "whatever", 6);
+ AMediaFormat_setInt64(fmt1, nullptr, 6);
+
+ EXPECT_FALSE(AMediaFormat_getInt64(nullptr, "whatever", &i64));
+ EXPECT_FALSE(AMediaFormat_getInt64(fmt1, nullptr, &i64));
+
AMediaFormat_delete(fmt1);
}
@@ -80,6 +94,13 @@ TEST(NdkMediaFormat_tests, test_size) {
EXPECT_TRUE(AMediaFormat_getSize(fmt1, "medium", &size));
EXPECT_EQ(size, 10);
+ // verify detecting some bad parameters.
+ AMediaFormat_setSize(nullptr, "whatever", 6);
+ AMediaFormat_setSize(fmt1, nullptr, 6);
+
+ EXPECT_FALSE(AMediaFormat_getSize(nullptr, "whatever", &size));
+ EXPECT_FALSE(AMediaFormat_getSize(fmt1, nullptr, &size));
+
AMediaFormat_delete(fmt1);
}
@@ -90,6 +111,14 @@ TEST(NdkMediaFormat_tests, test_float) {
AMediaFormat_setFloat(fmt1, "ship", 0.5);
EXPECT_TRUE(AMediaFormat_getFloat(fmt1, "boat", &f));
EXPECT_EQ(f, 1.5);
+
+ // verify detecting some bad parameters.
+ AMediaFormat_setFloat(nullptr, "whatever", 1.5);
+ AMediaFormat_setFloat(fmt1, nullptr, 1.5);
+
+ EXPECT_FALSE(AMediaFormat_getFloat(nullptr, "whatever", &f));
+ EXPECT_FALSE(AMediaFormat_getFloat(fmt1, nullptr, &f));
+
AMediaFormat_delete(fmt1);
}
@@ -100,6 +129,14 @@ TEST(NdkMediaFormat_tests, test_double) {
AMediaFormat_setDouble(fmt1, "dip", 0.5);
EXPECT_TRUE(AMediaFormat_getDouble(fmt1, "trouble", &d));
EXPECT_EQ(d, 100.5);
+
+ // verify detecting some bad parameters.
+ AMediaFormat_setDouble(nullptr, "whatever", 1.5);
+ AMediaFormat_setDouble(fmt1, nullptr, 1.5);
+
+ EXPECT_FALSE(AMediaFormat_getDouble(nullptr, "whatever", &d));
+ EXPECT_FALSE(AMediaFormat_getDouble(fmt1, nullptr, &d));
+
AMediaFormat_delete(fmt1);
}
@@ -111,8 +148,16 @@ TEST(NdkMediaFormat_tests, test_string) {
AMediaFormat_setString(fmt1, "stringtheory", content);
EXPECT_TRUE(AMediaFormat_getString(fmt1, "stringtheory", &out));
EXPECT_NE(out, nullptr);
+ EXPECT_NE(out, content); // should not be the original
EXPECT_EQ(strcmp(out,content), 0);
+ // verify detecting some bad parameters.
+ AMediaFormat_setString(nullptr, "whatever", content);
+ AMediaFormat_setString(fmt1, nullptr, content);
+
+ EXPECT_FALSE(AMediaFormat_getString(nullptr, "whatever", &out));
+ EXPECT_FALSE(AMediaFormat_getString(fmt1, nullptr, &out));
+
AMediaFormat_delete(fmt1);
}

33
Patches/LineageOS-20.0/ASB-2023-10/av-05.patch Normal file
View File

@ -0,0 +1,33 @@
From b023ec300f437494d6d6b23b03607e308dae43d2 Mon Sep 17 00:00:00 2001
From: Jiajia Cong <jcong@codeaurora.org>
Date: Wed, 2 Dec 2020 12:00:49 +0800
Subject: [PATCH] codec2: fix issue in allocating too many 8k buffers
default output delay is too large, in 8k use case, framework doesn't
allow to use so much memory to allocate those 8k buffers.
if exceeds max capacity and underlying buffer alloc fail. do not
create MediaCodecBuffer holds a null underlying ABuffer. Otherwise,
some MediaCodecBuffer APIs may access ABuffer (nullptr).
Bug: b/208481412
Change-Id: Ic8e33f6c27ee1c435bf0dc4bc09df87cb0ad3c3a
---
media/codec2/sfplugin/Codec2Buffer.cpp | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/media/codec2/sfplugin/Codec2Buffer.cpp b/media/codec2/sfplugin/Codec2Buffer.cpp
index 55e0c45fad..876c96d484 100644
--- a/media/codec2/sfplugin/Codec2Buffer.cpp
+++ b/media/codec2/sfplugin/Codec2Buffer.cpp
@@ -843,6 +843,10 @@ sp<ConstGraphicBlockBuffer> ConstGraphicBlockBuffer::AllocateEmpty(
}
}
sp<ABuffer> aBuffer(alloc(align(width, 16) * align(height, 16) * bpp / 8));
+ if (aBuffer == nullptr) {
+ ALOGD("%s: failed to allocate buffer", __func__);
+ return nullptr;
+ }
return new ConstGraphicBlockBuffer(
format,
aBuffer,

29
Patches/LineageOS-20.0/ASB-2023-10/av-06.patch Normal file
View File

@ -0,0 +1,29 @@
From c8117d1539078bb3339b5d5fffe063a9135c2c21 Mon Sep 17 00:00:00 2001
From: Arun Johnson <arunjohnson@google.com>
Date: Mon, 18 Jul 2022 19:16:04 +0000
Subject: [PATCH] Adding null check for IResourceManagerClient in dump()
bug: 191613308
Change-Id: I1694f2d1c13163a9b8162630377de71303bc517f
---
services/mediaresourcemanager/ResourceManagerService.cpp | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/services/mediaresourcemanager/ResourceManagerService.cpp b/services/mediaresourcemanager/ResourceManagerService.cpp
index b4610bc71e..4d18876bfc 100644
--- a/services/mediaresourcemanager/ResourceManagerService.cpp
+++ b/services/mediaresourcemanager/ResourceManagerService.cpp
@@ -271,10 +271,9 @@ binder_status_t ResourceManagerService::dump(int fd, const char** /*args*/, uint
snprintf(buffer, SIZE, " Id: %lld\n", (long long)infos[j].clientId);
result.append(buffer);
- std::string clientName;
- Status status = infos[j].client->getName(&clientName);
- if (!status.isOk()) {
- clientName = "<unknown client>";
+ std::string clientName = "<unknown client>";
+ if (infos[j].client != nullptr) {
+ Status status = infos[j].client->getName(&clientName);
}
snprintf(buffer, SIZE, " Name: %s\n", clientName.c_str());
result.append(buffer);

49
Patches/LineageOS-20.0/ASB-2023-10/av-07.patch Normal file
View File

@ -0,0 +1,49 @@
From f06d23d824f60e98299d03f21c0715477666936d Mon Sep 17 00:00:00 2001
From: Jeffrey Kardatzke <jkardatzke@google.com>
Date: Tue, 21 Mar 2023 11:38:33 -0700
Subject: [PATCH] Fix incorrect buffer size in NuPlayer
This was discovered from running GTS tests that were failing because the
DRM implementation was receiving media packets of incorrect sizes for
decryption. The problem is that it was copying content using the size of
the underlying MediaBuffer object rather than the range that was set in
it. That was leading to lots of trailing garbage in media packets.
Generally this was fine and decoders would ignore them, but recent
changes in decryption handling for AMD platforms exposed this problem.
The fix is very straightforward in that we should be using the
range_length rather than the size when copying them. This doesn't impact
non-DRM content as those buffer sizes appear to be correct already based
on testing.
Bug: b:268158584
Test: gts.MediaPlayerTest#testLLAMA_H264_BASELINE_240P_800_DOWNLOADED_V1_ASYNC
no longer shows corruption on guybrush and packet sizes now match
up as expected
Change-Id: I14eda495fa76621436b212f2bd3ae9f7093137fe
---
media/libmediaplayerservice/nuplayer/NuPlayerDecoder.cpp | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/media/libmediaplayerservice/nuplayer/NuPlayerDecoder.cpp b/media/libmediaplayerservice/nuplayer/NuPlayerDecoder.cpp
index 52b2041ea8..8da09c434a 100644
--- a/media/libmediaplayerservice/nuplayer/NuPlayerDecoder.cpp
+++ b/media/libmediaplayerservice/nuplayer/NuPlayerDecoder.cpp
@@ -1104,14 +1104,14 @@ bool NuPlayer::Decoder::onInputBufferFetched(const sp<AMessage> &msg) {
static_cast<MediaBufferHolder*>(holder.get())->mediaBuffer() : nullptr;
}
if (mediaBuf != NULL) {
- if (mediaBuf->size() > codecBuffer->capacity()) {
+ if (mediaBuf->range_length() > codecBuffer->capacity()) {
handleError(ERROR_BUFFER_TOO_SMALL);
mDequeuedInputBuffers.push_back(bufferIx);
return false;
}
- codecBuffer->setRange(0, mediaBuf->size());
- memcpy(codecBuffer->data(), mediaBuf->data(), mediaBuf->size());
+ codecBuffer->setRange(0, mediaBuf->range_length());
+ memcpy(codecBuffer->data(), mediaBuf->data(), mediaBuf->range_length());
MetaDataBase &meta_data = mediaBuf->meta_data();
cryptInfo = NuPlayerDrm::getSampleCryptoInfo(meta_data);

75
Patches/LineageOS-20.0/ASB-2023-10/av-08.patch Normal file
View File

@ -0,0 +1,75 @@
From 9c7408ab0710a9e36fd2a258098afde863cb6544 Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar <harish.mahendrakar@ittiam.com>
Date: Wed, 19 Oct 2022 18:17:07 -0700
Subject: [PATCH] Codec2 decoders: Invalidate allocated graphic buffer in
stop()
Bug: 243583691
Test: atest CtsMediaV2TestCases -- --module-arg \
CtsMediaV2TestCases:instrumentation-arg:codec-prefix:=c2.android.
Change-Id: I312c106350b2eb072f0e6f2f9a83f16eb8424cb2
---
media/codec2/components/avc/C2SoftAvcDec.cpp | 3 +++
media/codec2/components/hevc/C2SoftHevcDec.cpp | 3 +++
media/codec2/components/mpeg2/C2SoftMpeg2Dec.cpp | 3 +++
media/codec2/components/mpeg4_h263/C2SoftMpeg4Dec.cpp | 4 +++-
4 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/media/codec2/components/avc/C2SoftAvcDec.cpp b/media/codec2/components/avc/C2SoftAvcDec.cpp
index 953afc57cd..96a4c4a756 100644
--- a/media/codec2/components/avc/C2SoftAvcDec.cpp
+++ b/media/codec2/components/avc/C2SoftAvcDec.cpp
@@ -671,6 +671,9 @@ status_t C2SoftAvcDec::resetDecoder() {
void C2SoftAvcDec::resetPlugin() {
mSignalledOutputEos = false;
mTimeStart = mTimeEnd = systemTime();
+ if (mOutBlock) {
+ mOutBlock.reset();
+ }
}
status_t C2SoftAvcDec::deleteDecoder() {
diff --git a/media/codec2/components/hevc/C2SoftHevcDec.cpp b/media/codec2/components/hevc/C2SoftHevcDec.cpp
index 5a660c5ca1..7d3b9d9399 100644
--- a/media/codec2/components/hevc/C2SoftHevcDec.cpp
+++ b/media/codec2/components/hevc/C2SoftHevcDec.cpp
@@ -664,6 +664,9 @@ status_t C2SoftHevcDec::resetDecoder() {
void C2SoftHevcDec::resetPlugin() {
mSignalledOutputEos = false;
mTimeStart = mTimeEnd = systemTime();
+ if (mOutBlock) {
+ mOutBlock.reset();
+ }
}
status_t C2SoftHevcDec::deleteDecoder() {
diff --git a/media/codec2/components/mpeg2/C2SoftMpeg2Dec.cpp b/media/codec2/components/mpeg2/C2SoftMpeg2Dec.cpp
index 9a4191025f..439323c76e 100644
--- a/media/codec2/components/mpeg2/C2SoftMpeg2Dec.cpp
+++ b/media/codec2/components/mpeg2/C2SoftMpeg2Dec.cpp
@@ -732,6 +732,9 @@ status_t C2SoftMpeg2Dec::resetDecoder() {
void C2SoftMpeg2Dec::resetPlugin() {
mSignalledOutputEos = false;
mTimeStart = mTimeEnd = systemTime();
+ if (mOutBlock) {
+ mOutBlock.reset();
+ }
}
status_t C2SoftMpeg2Dec::deleteDecoder() {
diff --git a/media/codec2/components/mpeg4_h263/C2SoftMpeg4Dec.cpp b/media/codec2/components/mpeg4_h263/C2SoftMpeg4Dec.cpp
index 54a1d0e354..3bf9c48dc3 100644
--- a/media/codec2/components/mpeg4_h263/C2SoftMpeg4Dec.cpp
+++ b/media/codec2/components/mpeg4_h263/C2SoftMpeg4Dec.cpp
@@ -256,7 +256,9 @@ c2_status_t C2SoftMpeg4Dec::onStop() {
mFramesConfigured = false;
mSignalledOutputEos = false;
mSignalledError = false;
-
+ if (mOutBlock) {
+ mOutBlock.reset();
+ }
return C2_OK;
}

60
Patches/LineageOS-20.0/ASB-2023-10/base-01.patch Normal file
View File

@ -0,0 +1,60 @@
From 89489ff5dd9b7717f0421ca4e90bc060af1ba8b7 Mon Sep 17 00:00:00 2001
From: Jean-Michel Trivi <jmtrivi@google.com>
Date: Wed, 7 Dec 2022 04:36:46 +0000
Subject: [PATCH] RingtoneManager: verify default ringtone is audio
When a ringtone picker tries to set a ringtone through
RingtoneManager.setActualDefaultRingtoneUri (also
called by com.android.settings.DefaultRingtonePreference),
verify the mimeType can be obtained (not found when caller
doesn't have access to it) and it is an audio resource.
Bug: 205837340
Test: atest android.media.audio.cts.RingtoneManagerTest
(cherry picked from commit 38618f9fb16d3b5617e2289354d47abe5af17dad)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b8c2d03b720f0cc200ac59f6cfb411fddc3b119c)
Merged-In: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e
Change-Id: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e
---
media/java/android/media/RingtoneManager.java | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java
index 27db41cb9f4e..d3c3c370a641 100644
--- a/media/java/android/media/RingtoneManager.java
+++ b/media/java/android/media/RingtoneManager.java
@@ -814,10 +814,10 @@ public static Uri getActualDefaultRingtoneUri(Context context, int type) {
return ringtoneUri;
}
-
+
/**
* Sets the {@link Uri} of the default sound for a given sound type.
- *
+ *
* @param context A context used for querying.
* @param type The type whose default sound should be set. One of
* {@link #TYPE_RINGTONE}, {@link #TYPE_NOTIFICATION}, or
@@ -833,6 +833,21 @@ public static void setActualDefaultRingtoneUri(Context context, int type, Uri ri
if(!isInternalRingtoneUri(ringtoneUri)) {
ringtoneUri = ContentProvider.maybeAddUserId(ringtoneUri, context.getUserId());
}
+
+ if (ringtoneUri != null) {
+ final String mimeType = resolver.getType(ringtoneUri);
+ if (mimeType == null) {
+ Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
+ + " ignored: failure to find mimeType (no access from this context?)");
+ return;
+ }
+ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) {
+ Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
+ + " ignored: associated mimeType:" + mimeType + " is not an audio type");
+ return;
+ }
+ }
+
Settings.System.putStringForUser(resolver, setting,
ringtoneUri != null ? ringtoneUri.toString() : null, context.getUserId());

1168
Patches/LineageOS-20.0/ASB-2023-10/base-02.patch Normal file
View File

File diff suppressed because it is too large Load Diff

53
Patches/LineageOS-20.0/ASB-2023-10/base-03.patch.disabled Normal file
View File

@ -0,0 +1,53 @@
From cbb1a0ecd6b67735bdb735d76606bc03f6b955bf Mon Sep 17 00:00:00 2001
From: Ioana Alexandru <aioana@google.com>
Date: Mon, 8 May 2023 18:39:35 +0000
Subject: [PATCH] Verify URI permissions for EXTRA_REMOTE_INPUT_HISTORY_ITEMS.
Also added a step to serialize & deserialize the notification in the
test, to prevent exceptions about not being able to cast e.g.
Parcelable[] to RemoteInputHistoryItem[].
Test: atest NotificationManagerServiceTest & tested with POC from bug
Bug: 276729064
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4e19431a60300c6ea6c7f7dd64299916e4eb09bc)
Merged-In: I7053ca59f9c7f1df5226418594109cfb8b609b1e
Change-Id: I7053ca59f9c7f1df5226418594109cfb8b609b1e
---
core/java/android/app/Notification.java | 5 +++--
.../notification/NotificationManagerServiceTest.java | 7 +++++++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
index 8a730fb0deaa..01528ae06cf5 100644
--- a/core/java/android/app/Notification.java
+++ b/core/java/android/app/Notification.java
@@ -2858,8 +2858,9 @@ public void visitUris(@NonNull Consumer<Uri> visitor) {
visitor.accept(person.getIconUri());
}
- final RemoteInputHistoryItem[] history = (RemoteInputHistoryItem[])
- extras.getParcelableArray(Notification.EXTRA_REMOTE_INPUT_HISTORY_ITEMS);
+ final RemoteInputHistoryItem[] history = extras.getParcelableArray(
+ Notification.EXTRA_REMOTE_INPUT_HISTORY_ITEMS,
+ RemoteInputHistoryItem.class);
if (history != null) {
for (int i = 0; i < history.length; i++) {
RemoteInputHistoryItem item = history[i];
diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
index dcaca51c176b..cf33eb5b3647 100755
--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
@@ -5439,6 +5439,13 @@ public void testVisitUris() throws Exception {
.addExtras(extras)
.build();
+ // Serialize and deserialize the notification to make sure nothing breaks in the process,
+ // since that's what will usually happen before we get to call visitUris.
+ Parcel parcel = Parcel.obtain();
+ n.writeToParcel(parcel, 0);
+ parcel.setDataPosition(0);
+ n = new Notification(parcel);
+
Consumer<Uri> visitor = (Consumer<Uri>) spy(Consumer.class);
n.visitUris(visitor);
verify(visitor, times(1)).accept(eq(audioContents));

47
Patches/LineageOS-20.0/ASB-2023-10/base-04.patch Normal file
View File

@ -0,0 +1,47 @@
From 4725772c0b3f0db2940e70851e145ec4ec71768b Mon Sep 17 00:00:00 2001
From: Josep del Rio <joseprio@google.com>
Date: Mon, 26 Jun 2023 09:30:06 +0000
Subject: [PATCH] Do not share key mappings with JNI object
The key mapping information between the native key mappings and
the KeyCharacterMap object available in Java is currently shared,
which means that a read can be attempted while it's being modified.
Bug: 274058082
Test: Patch tested by Oppo
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3d993de0d1ada8065d1fe561f690c8f82b6a7d4b)
Merged-In: I745008a0a8ea30830660c45dcebee917b3913d13
Change-Id: I745008a0a8ea30830660c45dcebee917b3913d13
---
core/jni/android_view_InputDevice.cpp | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/core/jni/android_view_InputDevice.cpp b/core/jni/android_view_InputDevice.cpp
index 9cc72437a023..f7c770e0bffb 100644
--- a/core/jni/android_view_InputDevice.cpp
+++ b/core/jni/android_view_InputDevice.cpp
@@ -42,6 +42,13 @@ jobject android_view_InputDevice_create(JNIEnv* env, const InputDeviceInfo& devi
return NULL;
}
+ // b/274058082: Pass a copy of the key character map to avoid concurrent
+ // access
+ std::shared_ptr<KeyCharacterMap> map = deviceInfo.getKeyCharacterMap();
+ if (map != nullptr) {
+ map = std::make_shared<KeyCharacterMap>(*map);
+ }
+
ScopedLocalRef<jstring> descriptorObj(env,
env->NewStringUTF(deviceInfo.getIdentifier().descriptor.c_str()));
if (!descriptorObj.get()) {
@@ -49,8 +56,8 @@ jobject android_view_InputDevice_create(JNIEnv* env, const InputDeviceInfo& devi
}
ScopedLocalRef<jobject> kcmObj(env,
- android_view_KeyCharacterMap_create(env, deviceInfo.getId(),
- deviceInfo.getKeyCharacterMap()));
+ android_view_KeyCharacterMap_create(env, deviceInfo.getId(),
+ map));
if (!kcmObj.get()) {
return NULL;
}

197
Patches/LineageOS-20.0/ASB-2023-10/base-05.patch Normal file
View File

@ -0,0 +1,197 @@
From 19747f69235d208e3d61099c76fa47aa792fe3a7 Mon Sep 17 00:00:00 2001
From: Tim Yu <yunicorn@google.com>
Date: Tue, 20 Jun 2023 21:24:36 +0000
Subject: [PATCH] [DO NOT MERGE] Verify URI Permissions in Autofill RemoteViews
Check permissions of URI inside of FillResponse's RemoteViews. If the
current user does not have the required permissions to view the URI, the
RemoteView is dropped from displaying.
This fixes a security spill in which a user can view content of another
user through a malicious Autofill provider.
Bug: 283137865
Fixes: b/283264674 b/281666022 b/281665050 b/281848557 b/281533566
b/281534749 b/283101289
Test: Verified by POC app attached in bugs
Test: atest CtsAutoFillServiceTestCases (added new tests)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:93810ba1c0a4d31f49adbf9454731e2b7defdfc0)
Merged-In: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a
Change-Id: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a
---
.../com/android/server/autofill/Helper.java | 43 +++++++++++++++++++
.../server/autofill/ui/DialogFillUi.java | 12 ++++--
.../android/server/autofill/ui/FillUi.java | 11 +++--
.../android/server/autofill/ui/SaveUi.java | 3 +-
4 files changed, 60 insertions(+), 9 deletions(-)
diff --git a/services/autofill/java/com/android/server/autofill/Helper.java b/services/autofill/java/com/android/server/autofill/Helper.java
index bc5d6457c945..48113a81cca5 100644
--- a/services/autofill/java/com/android/server/autofill/Helper.java
+++ b/services/autofill/java/com/android/server/autofill/Helper.java
@@ -18,6 +18,8 @@
import android.annotation.NonNull;
import android.annotation.Nullable;
+import android.annotation.UserIdInt;
+import android.app.ActivityManager;
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.app.assist.AssistStructure.WindowNode;
@@ -34,6 +36,7 @@
import android.view.WindowManager;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
+import android.widget.RemoteViews;
import com.android.internal.logging.nano.MetricsProto.MetricsEvent;
import com.android.internal.util.ArrayUtils;
@@ -42,6 +45,8 @@
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.concurrent.atomic.AtomicBoolean;
+
public final class Helper {
@@ -75,6 +80,44 @@ private Helper() {
throw new UnsupportedOperationException("contains static members only");
}
+ private static boolean checkRemoteViewUriPermissions(
+ @UserIdInt int userId, @NonNull RemoteViews rView) {
+ final AtomicBoolean permissionsOk = new AtomicBoolean(true);
+
+ rView.visitUris(uri -> {
+ int uriOwnerId = android.content.ContentProvider.getUserIdFromUri(uri);
+ boolean allowed = uriOwnerId == userId;
+ permissionsOk.set(allowed && permissionsOk.get());
+ });
+
+ return permissionsOk.get();
+ }
+
+ /**
+ * Checks the URI permissions of the remote view,
+ * to see if the current userId is able to access it.
+ *
+ * Returns the RemoteView that is passed if user is able, null otherwise.
+ *
+ * TODO: instead of returning a null remoteview when
+ * the current userId cannot access an URI,
+ * return a new RemoteView with the URI removed.
+ */
+ public static @Nullable RemoteViews sanitizeRemoteView(RemoteViews rView) {
+ if (rView == null) return null;
+
+ int userId = ActivityManager.getCurrentUser();
+
+ boolean ok = checkRemoteViewUriPermissions(userId, rView);
+ if (!ok) {
+ Slog.w(TAG,
+ "sanitizeRemoteView() user: " + userId
+ + " tried accessing resource that does not belong to them");
+ }
+ return (ok ? rView : null);
+ }
+
+
@Nullable
static AutofillId[] toArray(@Nullable ArraySet<AutofillId> set) {
if (set == null) return null;
diff --git a/services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java b/services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java
index c2c630e01bee..59184e9ed288 100644
--- a/services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java
+++ b/services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java
@@ -52,6 +52,7 @@
import com.android.internal.R;
import com.android.server.autofill.AutofillManagerService;
+import com.android.server.autofill.Helper;
import java.io.PrintWriter;
import java.util.ArrayList;
@@ -197,7 +198,8 @@ private void setServiceIcon(View decor, Drawable serviceIcon) {
}
private void setHeader(View decor, FillResponse response) {
- final RemoteViews presentation = response.getDialogHeader();
+ final RemoteViews presentation =
+ Helper.sanitizeRemoteView(response.getDialogHeader());
if (presentation == null) {
return;
}
@@ -232,9 +234,10 @@ private void setContinueButton(View decor, View.OnClickListener listener) {
}
private void initialAuthenticationLayout(View decor, FillResponse response) {
- RemoteViews presentation = response.getDialogPresentation();
+ RemoteViews presentation = Helper.sanitizeRemoteView(
+ response.getDialogPresentation());
if (presentation == null) {
- presentation = response.getPresentation();
+ presentation = Helper.sanitizeRemoteView(response.getPresentation());
}
if (presentation == null) {
throw new RuntimeException("No presentation for fill dialog authentication");
@@ -278,7 +281,8 @@ private ArrayList<ViewItem> createDatasetItems(FillResponse response,
final Dataset dataset = response.getDatasets().get(i);
final int index = dataset.getFieldIds().indexOf(focusedViewId);
if (index >= 0) {
- RemoteViews presentation = dataset.getFieldDialogPresentation(index);
+ RemoteViews presentation = Helper.sanitizeRemoteView(
+ dataset.getFieldDialogPresentation(index));
if (presentation == null) {
if (sDebug) {
Slog.w(TAG, "not displaying UI on field " + focusedViewId + " because "
diff --git a/services/autofill/java/com/android/server/autofill/ui/FillUi.java b/services/autofill/java/com/android/server/autofill/ui/FillUi.java
index 8fbdd81cc4cc..76fa258734cc 100644
--- a/services/autofill/java/com/android/server/autofill/ui/FillUi.java
+++ b/services/autofill/java/com/android/server/autofill/ui/FillUi.java
@@ -144,8 +144,9 @@ public static boolean isFullScreen(Context context) {
final LayoutInflater inflater = LayoutInflater.from(mContext);
- final RemoteViews headerPresentation = response.getHeader();
- final RemoteViews footerPresentation = response.getFooter();
+ final RemoteViews headerPresentation = Helper.sanitizeRemoteView(response.getHeader());
+ final RemoteViews footerPresentation = Helper.sanitizeRemoteView(response.getFooter());
+
final ViewGroup decor;
if (mFullScreen) {
decor = (ViewGroup) inflater.inflate(R.layout.autofill_dataset_picker_fullscreen, null);
@@ -223,6 +224,9 @@ public static boolean isFullScreen(Context context) {
ViewGroup container = decor.findViewById(R.id.autofill_dataset_picker);
final View content;
try {
+ if (Helper.sanitizeRemoteView(response.getPresentation()) == null) {
+ throw new RuntimeException("Permission error accessing RemoteView");
+ }
content = response.getPresentation().applyWithTheme(
mContext, decor, interceptionHandler, mThemeId);
container.addView(content);
@@ -302,7 +306,8 @@ public static boolean isFullScreen(Context context) {
final Dataset dataset = response.getDatasets().get(i);
final int index = dataset.getFieldIds().indexOf(focusedViewId);
if (index >= 0) {
- final RemoteViews presentation = dataset.getFieldPresentation(index);
+ final RemoteViews presentation = Helper.sanitizeRemoteView(
+ dataset.getFieldPresentation(index));
if (presentation == null) {
Slog.w(TAG, "not displaying UI on field " + focusedViewId + " because "
+ "service didn't provide a presentation for it on " + dataset);
diff --git a/services/autofill/java/com/android/server/autofill/ui/SaveUi.java b/services/autofill/java/com/android/server/autofill/ui/SaveUi.java
index 677871f6c85f..533a7b69a650 100644
--- a/services/autofill/java/com/android/server/autofill/ui/SaveUi.java
+++ b/services/autofill/java/com/android/server/autofill/ui/SaveUi.java
@@ -368,8 +368,7 @@ private boolean applyCustomDescription(@NonNull Context context, @NonNull View s
return false;
}
writeLog(MetricsEvent.AUTOFILL_SAVE_CUSTOM_DESCRIPTION);
-
- final RemoteViews template = customDescription.getPresentation();
+ final RemoteViews template = Helper.sanitizeRemoteView(customDescription.getPresentation());
if (template == null) {
Slog.w(TAG, "No remote view on custom description");
return false;

53
Patches/LineageOS-20.0/ASB-2023-10/base-06.patch Normal file
View File

@ -0,0 +1,53 @@
From e7a1aa9ed0bc69853bc83d098e15b8fa3b1881b4 Mon Sep 17 00:00:00 2001
From: Hongwei Wang <hwwang@google.com>
Date: Thu, 25 May 2023 12:18:44 -0700
Subject: [PATCH] Disallow loading icon from content URI to PipMenu
Bug: 278246904
Test: manually, with the PoC app attached to the bug
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1aee65603e262affd815fa53dcc5416c605e4037)
Merged-In: Ib3f5b8b6b9ce644fdf1173548d9078e4d969ae2e
Change-Id: Ib3f5b8b6b9ce644fdf1173548d9078e4d969ae2e
---
.../wm/shell/pip/phone/PipMenuView.java | 21 ++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/libs/WindowManager/Shell/src/com/android/wm/shell/pip/phone/PipMenuView.java b/libs/WindowManager/Shell/src/com/android/wm/shell/pip/phone/PipMenuView.java
index 167c0321d3ad..779c539a2097 100644
--- a/libs/WindowManager/Shell/src/com/android/wm/shell/pip/phone/PipMenuView.java
+++ b/libs/WindowManager/Shell/src/com/android/wm/shell/pip/phone/PipMenuView.java
@@ -45,6 +45,7 @@
import android.graphics.Color;
import android.graphics.Rect;
import android.graphics.drawable.Drawable;
+import android.graphics.drawable.Icon;
import android.net.Uri;
import android.os.Bundle;
import android.os.Handler;
@@ -513,13 +514,19 @@ private void updateActionViews(int menuState, Rect stackBounds) {
final boolean isCloseAction = mCloseAction != null && Objects.equals(
mCloseAction.getActionIntent(), action.getActionIntent());
- // TODO: Check if the action drawable has changed before we reload it
- action.getIcon().loadDrawableAsync(mContext, d -> {
- if (d != null) {
- d.setTint(Color.WHITE);
- actionView.setImageDrawable(d);
- }
- }, mMainHandler);
+ final int iconType = action.getIcon().getType();
+ if (iconType == Icon.TYPE_URI || iconType == Icon.TYPE_URI_ADAPTIVE_BITMAP) {
+ // Disallow loading icon from content URI
+ actionView.setImageDrawable(null);
+ } else {
+ // TODO: Check if the action drawable has changed before we reload it
+ action.getIcon().loadDrawableAsync(mContext, d -> {
+ if (d != null) {
+ d.setTint(Color.WHITE);
+ actionView.setImageDrawable(d);
+ }
+ }, mMainHandler);
+ }
actionView.setCustomCloseBackgroundVisibility(
isCloseAction ? View.VISIBLE : View.GONE);
actionView.setContentDescription(action.getContentDescription());

59
Patches/LineageOS-20.0/ASB-2023-10/base-07.patch Normal file
View File

@ -0,0 +1,59 @@
From 922a7860b1baf29ff5cb53a31d01c341cd2b9ecb Mon Sep 17 00:00:00 2001
From: Kunal Malhotra <malhk@google.com>
Date: Fri, 2 Jun 2023 23:32:02 +0000
Subject: [PATCH] Fixing DatabaseUtils to detect malformed UTF-16 strings
Test: tested with POC in bug, also using atest
Bug: 224771621
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fb4a72e3943d166088407e61aa4439ac349f3f12)
Merged-In: Ide65205b83063801971c5778af3154bcf3f0e530
Change-Id: Ide65205b83063801971c5778af3154bcf3f0e530
---
core/java/android/database/DatabaseUtils.java | 32 +++++++++++++------
1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/core/java/android/database/DatabaseUtils.java b/core/java/android/database/DatabaseUtils.java
index 6c8a8500e4e3..d41df4f49d48 100644
--- a/core/java/android/database/DatabaseUtils.java
+++ b/core/java/android/database/DatabaseUtils.java
@@ -511,17 +511,31 @@ public static void cursorFillWindow(final Cursor cursor,
*/
public static void appendEscapedSQLString(StringBuilder sb, String sqlString) {
sb.append('\'');
- if (sqlString.indexOf('\'') != -1) {
- int length = sqlString.length();
- for (int i = 0; i < length; i++) {
- char c = sqlString.charAt(i);
- if (c == '\'') {
- sb.append('\'');
+ int length = sqlString.length();
+ for (int i = 0; i < length; i++) {
+ char c = sqlString.charAt(i);
+ if (Character.isHighSurrogate(c)) {
+ if (i == length - 1) {
+ continue;
+ }
+ if (Character.isLowSurrogate(sqlString.charAt(i + 1))) {
+ // add them both
+ sb.append(c);
+ sb.append(sqlString.charAt(i + 1));
+ continue;
+ } else {
+ // this is a lone surrogate, skip it
+ continue;
}
- sb.append(c);
}
- } else
- sb.append(sqlString);
+ if (Character.isLowSurrogate(c)) {
+ continue;
+ }
+ if (c == '\'') {
+ sb.append('\'');
+ }
+ sb.append(c);
+ }
sb.append('\'');
}

455
Patches/LineageOS-20.0/ASB-2023-10/base-08.patch Normal file
View File

@ -0,0 +1,455 @@
From ed183ed9122416026ed27d4877f96a545fe42316 Mon Sep 17 00:00:00 2001
From: Anton Potapov <apotapov@google.com>
Date: Tue, 4 Jul 2023 12:15:41 +0100
Subject: [PATCH] Add userId check before loading icon in Device Controls
Test: manual with the steps from the bug
Test: manual with a normal icon
Test: atest CanUseIconPredicate
Test: atest ControlViewHolderTest
Bug: 272025416
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:22f97f081ccc6f6a7230b15447a6c885dfe4fa59)
Merged-In: Ib0e677f7ccbed6299ea07939519c7dcf6d371bec
Change-Id: Ib0e677f7ccbed6299ea07939519c7dcf6d371bec
---
.../controls/management/ControlAdapter.kt | 15 +++-
.../management/ControlsEditingActivity.kt | 2 +-
.../management/ControlsFavoritingActivity.kt | 4 +-
.../controls/management/StructureAdapter.kt | 11 ++-
.../controls/ui/CanUseIconPredicate.kt | 30 +++++++
.../systemui/controls/ui/ControlViewHolder.kt | 50 ++++++------
.../controls/ui/ControlsUiControllerImpl.kt | 3 +-
.../controls/ui/TemperatureControlBehavior.kt | 2 +-
.../systemui/controls/ui/ThumbnailBehavior.kt | 12 ++-
.../controls/ui/CanUseIconPredicateTest.kt | 81 +++++++++++++++++++
.../controls/ui/ControlViewHolderTest.kt | 3 +-
11 files changed, 173 insertions(+), 40 deletions(-)
create mode 100644 packages/SystemUI/src/com/android/systemui/controls/ui/CanUseIconPredicate.kt
create mode 100644 packages/SystemUI/tests/src/com/android/systemui/controls/ui/CanUseIconPredicateTest.kt
diff --git a/packages/SystemUI/src/com/android/systemui/controls/management/ControlAdapter.kt b/packages/SystemUI/src/com/android/systemui/controls/management/ControlAdapter.kt
index 3eb58bba1ca4..ec76f433b23b 100644
--- a/packages/SystemUI/src/com/android/systemui/controls/management/ControlAdapter.kt
+++ b/packages/SystemUI/src/com/android/systemui/controls/management/ControlAdapter.kt
@@ -38,6 +38,7 @@ import androidx.core.view.accessibility.AccessibilityNodeInfoCompat
import androidx.recyclerview.widget.RecyclerView
import com.android.systemui.R
import com.android.systemui.controls.ControlInterface
+import com.android.systemui.controls.ui.CanUseIconPredicate
import com.android.systemui.controls.ui.RenderInfo
private typealias ModelFavoriteChanger = (String, Boolean) -> Unit
@@ -51,7 +52,8 @@ private typealias ModelFavoriteChanger = (String, Boolean) -> Unit
* @property elevation elevation of each control view
*/
class ControlAdapter(
- private val elevation: Float
+ private val elevation: Float,
+ private val currentUserId: Int,
) : RecyclerView.Adapter<Holder>() {
companion object {
@@ -107,7 +109,8 @@ class ControlAdapter(
background = parent.context.getDrawable(
R.drawable.control_background_ripple)
},
- model?.moveHelper // Indicates that position information is needed
+ currentUserId,
+ model?.moveHelper, // Indicates that position information is needed
) { id, favorite ->
model?.changeFavoriteStatus(id, favorite)
}
@@ -212,8 +215,9 @@ private class ZoneHolder(view: View) : Holder(view) {
*/
internal class ControlHolder(
view: View,
+ currentUserId: Int,
val moveHelper: ControlsModel.MoveHelper?,
- val favoriteCallback: ModelFavoriteChanger
+ val favoriteCallback: ModelFavoriteChanger,
) : Holder(view) {
private val favoriteStateDescription =
itemView.context.getString(R.string.accessibility_control_favorite)
@@ -228,6 +232,7 @@ internal class ControlHolder(
visibility = View.VISIBLE
}
+ private val canUseIconPredicate = CanUseIconPredicate(currentUserId)
private val accessibilityDelegate = ControlHolderAccessibilityDelegate(
this::stateDescription,
this::getLayoutPosition,
@@ -287,7 +292,9 @@ internal class ControlHolder(
val fg = context.getResources().getColorStateList(ri.foreground, context.getTheme())
icon.imageTintList = null
- ci.customIcon?.let {
+ ci.customIcon
+ ?.takeIf(canUseIconPredicate)
+ ?.let {
icon.setImageIcon(it)
} ?: run {
icon.setImageDrawable(ri.icon)
diff --git a/packages/SystemUI/src/com/android/systemui/controls/management/ControlsEditingActivity.kt b/packages/SystemUI/src/com/android/systemui/controls/management/ControlsEditingActivity.kt
index 7df08651d5ab..8843349da2b5 100644
--- a/packages/SystemUI/src/com/android/systemui/controls/management/ControlsEditingActivity.kt
+++ b/packages/SystemUI/src/com/android/systemui/controls/management/ControlsEditingActivity.kt
@@ -205,7 +205,7 @@ open class ControlsEditingActivity @Inject constructor(
val elevation = resources.getFloat(R.dimen.control_card_elevation)
val recyclerView = requireViewById<RecyclerView>(R.id.list)
recyclerView.alpha = 0.0f
- val adapter = ControlAdapter(elevation).apply {
+ val adapter = ControlAdapter(elevation, controller.currentUserId).apply {
registerAdapterDataObserver(object : RecyclerView.AdapterDataObserver() {
var hasAnimated = false
override fun onChanged() {
diff --git a/packages/SystemUI/src/com/android/systemui/controls/management/ControlsFavoritingActivity.kt b/packages/SystemUI/src/com/android/systemui/controls/management/ControlsFavoritingActivity.kt
index 3e97d3132bc7..efc3fb662f1a 100644
--- a/packages/SystemUI/src/com/android/systemui/controls/management/ControlsFavoritingActivity.kt
+++ b/packages/SystemUI/src/com/android/systemui/controls/management/ControlsFavoritingActivity.kt
@@ -175,7 +175,7 @@ open class ControlsFavoritingActivity @Inject constructor(
}
executor.execute {
- structurePager.adapter = StructureAdapter(listOfStructures)
+ structurePager.adapter = StructureAdapter(listOfStructures, controller.currentUserId)
structurePager.setCurrentItem(structureIndex)
if (error) {
statusText.text = resources.getString(R.string.controls_favorite_load_error,
@@ -221,7 +221,7 @@ open class ControlsFavoritingActivity @Inject constructor(
structurePager.alpha = 0.0f
pageIndicator.alpha = 0.0f
structurePager.apply {
- adapter = StructureAdapter(emptyList())
+ adapter = StructureAdapter(emptyList(), controller.currentUserId)
registerOnPageChangeCallback(object : ViewPager2.OnPageChangeCallback() {
override fun onPageSelected(position: Int) {
super.onPageSelected(position)
diff --git a/packages/SystemUI/src/com/android/systemui/controls/management/StructureAdapter.kt b/packages/SystemUI/src/com/android/systemui/controls/management/StructureAdapter.kt
index 747bcbe1c229..5977d379acde 100644
--- a/packages/SystemUI/src/com/android/systemui/controls/management/StructureAdapter.kt
+++ b/packages/SystemUI/src/com/android/systemui/controls/management/StructureAdapter.kt
@@ -24,13 +24,15 @@ import androidx.recyclerview.widget.RecyclerView
import com.android.systemui.R
class StructureAdapter(
- private val models: List<StructureContainer>
+ private val models: List<StructureContainer>,
+ private val currentUserId: Int,
) : RecyclerView.Adapter<StructureAdapter.StructureHolder>() {
override fun onCreateViewHolder(parent: ViewGroup, p1: Int): StructureHolder {
val layoutInflater = LayoutInflater.from(parent.context)
return StructureHolder(
- layoutInflater.inflate(R.layout.controls_structure_page, parent, false)
+ layoutInflater.inflate(R.layout.controls_structure_page, parent, false),
+ currentUserId,
)
}
@@ -40,7 +42,8 @@ class StructureAdapter(
holder.bind(models[index].model)
}
- class StructureHolder(view: View) : RecyclerView.ViewHolder(view) {
+ class StructureHolder(view: View, currentUserId: Int) :
+ RecyclerView.ViewHolder(view) {
private val recyclerView: RecyclerView
private val controlAdapter: ControlAdapter
@@ -48,7 +51,7 @@ class StructureAdapter(
init {
recyclerView = itemView.requireViewById<RecyclerView>(R.id.listAll)
val elevation = itemView.context.resources.getFloat(R.dimen.control_card_elevation)
- controlAdapter = ControlAdapter(elevation)
+ controlAdapter = ControlAdapter(elevation, currentUserId)
setUpRecyclerView()
}
diff --git a/packages/SystemUI/src/com/android/systemui/controls/ui/CanUseIconPredicate.kt b/packages/SystemUI/src/com/android/systemui/controls/ui/CanUseIconPredicate.kt
new file mode 100644
index 000000000000..61c21237144d
--- /dev/null
+++ b/packages/SystemUI/src/com/android/systemui/controls/ui/CanUseIconPredicate.kt
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.systemui.controls.ui
+
+import android.content.ContentProvider
+import android.graphics.drawable.Icon
+
+class CanUseIconPredicate(private val currentUserId: Int) : (Icon) -> Boolean {
+
+ override fun invoke(icon: Icon): Boolean =
+ if (icon.type == Icon.TYPE_URI || icon.type == Icon.TYPE_URI_ADAPTIVE_BITMAP) {
+ ContentProvider.getUserIdFromUri(icon.uri, currentUserId) == currentUserId
+ } else {
+ true
+ }
+}
diff --git a/packages/SystemUI/src/com/android/systemui/controls/ui/ControlViewHolder.kt b/packages/SystemUI/src/com/android/systemui/controls/ui/ControlViewHolder.kt
index 6a9aaf865251..931062865c64 100644
--- a/packages/SystemUI/src/com/android/systemui/controls/ui/ControlViewHolder.kt
+++ b/packages/SystemUI/src/com/android/systemui/controls/ui/ControlViewHolder.kt
@@ -68,7 +68,8 @@ class ControlViewHolder(
val bgExecutor: DelayableExecutor,
val controlActionCoordinator: ControlActionCoordinator,
val controlsMetricsLogger: ControlsMetricsLogger,
- val uid: Int
+ val uid: Int,
+ val currentUserId: Int,
) {
companion object {
@@ -85,29 +86,9 @@ class ControlViewHolder(
private val ATTR_DISABLED = intArrayOf(-android.R.attr.state_enabled)
const val MIN_LEVEL = 0
const val MAX_LEVEL = 10000
-
- fun findBehaviorClass(
- status: Int,
- template: ControlTemplate,
- deviceType: Int
- ): Supplier<out Behavior> {
- return when {
- status != Control.STATUS_OK -> Supplier { StatusBehavior() }
- template == ControlTemplate.NO_TEMPLATE -> Supplier { TouchBehavior() }
- template is ThumbnailTemplate -> Supplier { ThumbnailBehavior() }
-
- // Required for legacy support, or where cameras do not use the new template
- deviceType == DeviceTypes.TYPE_CAMERA -> Supplier { TouchBehavior() }
- template is ToggleTemplate -> Supplier { ToggleBehavior() }
- template is StatelessTemplate -> Supplier { TouchBehavior() }
- template is ToggleRangeTemplate -> Supplier { ToggleRangeBehavior() }
- template is RangeTemplate -> Supplier { ToggleRangeBehavior() }
- template is TemperatureControlTemplate -> Supplier { TemperatureControlBehavior() }
- else -> Supplier { DefaultBehavior() }
- }
- }
}
+ private val canUseIconPredicate = CanUseIconPredicate(currentUserId)
private val toggleBackgroundIntensity: Float = layout.context.resources
.getFraction(R.fraction.controls_toggle_bg_intensity, 1, 1)
private var stateAnimator: ValueAnimator? = null
@@ -147,6 +128,27 @@ class ControlViewHolder(
status.setSelected(true)
}
+ fun findBehaviorClass(
+ status: Int,
+ template: ControlTemplate,
+ deviceType: Int
+ ): Supplier<out Behavior> {
+ return when {
+ status != Control.STATUS_OK -> Supplier { StatusBehavior() }
+ template == ControlTemplate.NO_TEMPLATE -> Supplier { TouchBehavior() }
+ template is ThumbnailTemplate -> Supplier { ThumbnailBehavior(currentUserId) }
+
+ // Required for legacy support, or where cameras do not use the new template
+ deviceType == DeviceTypes.TYPE_CAMERA -> Supplier { TouchBehavior() }
+ template is ToggleTemplate -> Supplier { ToggleBehavior() }
+ template is StatelessTemplate -> Supplier { TouchBehavior() }
+ template is ToggleRangeTemplate -> Supplier { ToggleRangeBehavior() }
+ template is RangeTemplate -> Supplier { ToggleRangeBehavior() }
+ template is TemperatureControlTemplate -> Supplier { TemperatureControlBehavior() }
+ else -> Supplier { DefaultBehavior() }
+ }
+ }
+
fun bindData(cws: ControlWithState, isLocked: Boolean) {
// If an interaction is in progress, the update may visually interfere with the action the
// action the user wants to make. Don't apply the update, and instead assume a new update
@@ -473,7 +475,9 @@ class ControlViewHolder(
status.setTextColor(color)
- control?.getCustomIcon()?.let {
+ control?.customIcon
+ ?.takeIf(canUseIconPredicate)
+ ?.let {
icon.setImageIcon(it)
icon.imageTintList = it.tintList
} ?: run {
diff --git a/packages/SystemUI/src/com/android/systemui/controls/ui/ControlsUiControllerImpl.kt b/packages/SystemUI/src/com/android/systemui/controls/ui/ControlsUiControllerImpl.kt
index 554391649548..1c1f7702c4bd 100644
--- a/packages/SystemUI/src/com/android/systemui/controls/ui/ControlsUiControllerImpl.kt
+++ b/packages/SystemUI/src/com/android/systemui/controls/ui/ControlsUiControllerImpl.kt
@@ -685,7 +685,8 @@ class ControlsUiControllerImpl @Inject constructor (
bgExecutor,
controlActionCoordinator,
controlsMetricsLogger,
- selected.uid
+ selected.uid,
+ controlsController.get().currentUserId,
)
cvh.bindData(it, false /* isLocked, will be ignored on initial load */)
controlViewsById.put(key, cvh)
diff --git a/packages/SystemUI/src/com/android/systemui/controls/ui/TemperatureControlBehavior.kt b/packages/SystemUI/src/com/android/systemui/controls/ui/TemperatureControlBehavior.kt
index a7dc09bb17e5..39d69704d817 100644
--- a/packages/SystemUI/src/com/android/systemui/controls/ui/TemperatureControlBehavior.kt
+++ b/packages/SystemUI/src/com/android/systemui/controls/ui/TemperatureControlBehavior.kt
@@ -63,7 +63,7 @@ class TemperatureControlBehavior : Behavior {
// interactions (touch, range)
subBehavior = cvh.bindBehavior(
subBehavior,
- ControlViewHolder.findBehaviorClass(
+ cvh.findBehaviorClass(
control.status,
subTemplate,
control.deviceType
diff --git a/packages/SystemUI/src/com/android/systemui/controls/ui/ThumbnailBehavior.kt b/packages/SystemUI/src/com/android/systemui/controls/ui/ThumbnailBehavior.kt
index c2168aa8d9d9..0b57e792f9f7 100644
--- a/packages/SystemUI/src/com/android/systemui/controls/ui/ThumbnailBehavior.kt
+++ b/packages/SystemUI/src/com/android/systemui/controls/ui/ThumbnailBehavior.kt
@@ -33,7 +33,7 @@ import com.android.systemui.controls.ui.ControlViewHolder.Companion.MIN_LEVEL
* Supports display of static images on the background of the tile. When marked active, the title
* and subtitle will not be visible. To be used with {@link Thumbnailtemplate} only.
*/
-class ThumbnailBehavior : Behavior {
+class ThumbnailBehavior(currentUserId: Int) : Behavior {
lateinit var template: ThumbnailTemplate
lateinit var control: Control
lateinit var cvh: ControlViewHolder
@@ -42,6 +42,7 @@ class ThumbnailBehavior : Behavior {
private var shadowRadius: Float = 0f
private var shadowColor: Int = 0
+ private val canUseIconPredicate = CanUseIconPredicate(currentUserId)
private val enabled: Boolean
get() = template.isActive()
@@ -80,11 +81,16 @@ class ThumbnailBehavior : Behavior {
cvh.status.setShadowLayer(shadowOffsetX, shadowOffsetY, shadowRadius, shadowColor)
cvh.bgExecutor.execute {
- val drawable = template.getThumbnail().loadDrawable(cvh.context)
+ val drawable = template.thumbnail
+ ?.takeIf(canUseIconPredicate)
+ ?.loadDrawable(cvh.context)
cvh.uiExecutor.execute {
val radius = cvh.context.getResources()
.getDimensionPixelSize(R.dimen.control_corner_radius).toFloat()
- clipLayer.setDrawable(CornerDrawable(drawable, radius))
+ // TODO(b/290037843): Add a placeholder
+ drawable?.let {
+ clipLayer.drawable = CornerDrawable(it, radius)
+ }
clipLayer.setColorFilter(BlendModeColorFilter(cvh.context.resources
.getColor(R.color.control_thumbnail_tint), BlendMode.LUMINOSITY))
cvh.applyRenderInfo(enabled, colorOffset)
diff --git a/packages/SystemUI/tests/src/com/android/systemui/controls/ui/CanUseIconPredicateTest.kt b/packages/SystemUI/tests/src/com/android/systemui/controls/ui/CanUseIconPredicateTest.kt
new file mode 100644
index 000000000000..bfdb9231a9f8
--- /dev/null
+++ b/packages/SystemUI/tests/src/com/android/systemui/controls/ui/CanUseIconPredicateTest.kt
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.systemui.controls.ui
+
+import android.content.ContentProvider
+import android.graphics.Bitmap
+import android.graphics.drawable.Icon
+import android.net.Uri
+import android.os.UserHandle
+import android.testing.AndroidTestingRunner
+import androidx.test.filters.SmallTest
+import com.android.systemui.SysuiTestCase
+import com.google.common.truth.Truth.assertThat
+import org.junit.Test
+import org.junit.runner.RunWith
+
+@SmallTest
+@RunWith(AndroidTestingRunner::class)
+class CanUseIconPredicateTest : SysuiTestCase() {
+
+ private companion object {
+ const val USER_ID_1 = 1
+ const val USER_ID_2 = 2
+ }
+
+ val underTest: CanUseIconPredicate = CanUseIconPredicate(USER_ID_1)
+
+ @Test
+ fun testReturnsFalseForDifferentUser() {
+ val user2Icon =
+ Icon.createWithContentUri(
+ ContentProvider.createContentUriForUser(
+ Uri.parse("content://test"),
+ UserHandle.of(USER_ID_2)
+ )
+ )
+
+ assertThat(underTest.invoke(user2Icon)).isFalse()
+ }
+
+ @Test
+ fun testReturnsTrueForCorrectUser() {
+ val user1Icon =
+ Icon.createWithContentUri(
+ ContentProvider.createContentUriForUser(
+ Uri.parse("content://test"),
+ UserHandle.of(USER_ID_1)
+ )
+ )
+
+ assertThat(underTest.invoke(user1Icon)).isTrue()
+ }
+
+ @Test
+ fun testReturnsTrueForUriWithoutUser() {
+ val uriIcon = Icon.createWithContentUri(Uri.parse("content://test"))
+
+ assertThat(underTest.invoke(uriIcon)).isTrue()
+ }
+
+ @Test
+ fun testReturnsTrueForNonUriIcon() {
+ val bitmapIcon = Icon.createWithBitmap(Bitmap.createBitmap(1, 1, Bitmap.Config.ARGB_8888))
+
+ assertThat(underTest.invoke(bitmapIcon)).isTrue()
+ }
+}
diff --git a/packages/SystemUI/tests/src/com/android/systemui/controls/ui/ControlViewHolderTest.kt b/packages/SystemUI/tests/src/com/android/systemui/controls/ui/ControlViewHolderTest.kt
index d3c465dab438..42f28c8c6043 100644
--- a/packages/SystemUI/tests/src/com/android/systemui/controls/ui/ControlViewHolderTest.kt
+++ b/packages/SystemUI/tests/src/com/android/systemui/controls/ui/ControlViewHolderTest.kt
@@ -66,7 +66,8 @@ class ControlViewHolderTest : SysuiTestCase() {
FakeExecutor(clock),
mock(ControlActionCoordinator::class.java),
mock(ControlsMetricsLogger::class.java),
- uid = 100
+ uid = 100,
+ 0,
)
val cws = ControlWithState(

135
Patches/LineageOS-20.0/ASB-2023-10/base-09.patch Normal file
View File

@ -0,0 +1,135 @@
From c6fbe1330a77c479ea3e29b54523682d0f248420 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Fri, 28 Jul 2023 22:03:03 +0000
Subject: [PATCH] RESTRICT AUTOMERGE: SettingsProvider: exclude secure_frp_mode
from resets
When RescueParty detects that a system process is crashing frequently,
it tries to recover in various ways, such as by resetting all settings.
Unfortunately, this included resetting the secure_frp_mode setting,
which is the means by which the system keeps track of whether the
Factory Reset Protection (FRP) challenge has been passed yet. With this
setting reset, some FRP restrictions went away and it became possible to
bypass FRP by setting a new lockscreen credential.
Fix this by excluding secure_frp_mode from resets.
Note: currently this bug isn't reproducible on 'main' due to ag/23727749
disabling much of RescueParty, but that is a temporary change.
Bug: 253043065
Test: With ag/23727749 reverted and with my fix to prevent
com.android.settings from crashing *not* applied, tried repeatedly
setting lockscreen credential while in FRP mode, using the
smartlock setup activity launched by intent via adb. Verified
that although RescueParty is still triggered after 5 attempts,
secure_frp_mode is no longer reset (its value remains "1").
Test: Verified that secure_frp_mode still gets changed from 1 to 0 when
FRP is passed legitimately.
Test: atest com.android.providers.settings.SettingsProviderTest
Test: atest android.provider.SettingsProviderTest
(cherry picked from commit 9890dd7f15c091f7d1a09e4fddb9f85d32015955)
(changed Global.SECURE_FRP_MODE to Secure.SECURE_FRP_MODE,
needed because this setting was moved in U)
(removed static keyword from shouldExcludeSettingFromReset(),
needed for compatibility with Java 15 and earlier)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8c2d2c6fc91c6b80809a91ac510667af24d2cf17)
Merged-In: Id95ed43b9cc2208090064392bcd5dc012710af93
Change-Id: Id95ed43b9cc2208090064392bcd5dc012710af93
---
.../providers/settings/SettingsProvider.java | 17 ++++++++++---
.../settings/SettingsProviderTest.java | 25 +++++++++++++++++++
2 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
index c51f19510f40..31e64196d3b5 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
@@ -3102,6 +3102,15 @@ public Setting getSettingLocked(int type, int userId, String name) {
return settingsState.getSettingLocked(name);
}
+ private boolean shouldExcludeSettingFromReset(Setting setting, String prefix) {
+ // If a prefix was specified, exclude settings whose names don't start with it.
+ if (prefix != null && !setting.getName().startsWith(prefix)) {
+ return true;
+ }
+ // Never reset SECURE_FRP_MODE, as it could be abused to bypass FRP via RescueParty.
+ return Secure.SECURE_FRP_MODE.equals(setting.getName());
+ }
+
public void resetSettingsLocked(int type, int userId, String packageName, int mode,
String tag) {
resetSettingsLocked(type, userId, packageName, mode, tag, /*prefix=*/
@@ -3124,7 +3133,7 @@ public void resetSettingsLocked(int type, int userId, String packageName, int mo
Setting setting = settingsState.getSettingLocked(name);
if (packageName.equals(setting.getPackageName())) {
if ((tag != null && !tag.equals(setting.getTag()))
- || (prefix != null && !setting.getName().startsWith(prefix))) {
+ || shouldExcludeSettingFromReset(setting, prefix)) {
continue;
}
if (settingsState.resetSettingLocked(name)) {
@@ -3144,7 +3153,7 @@ public void resetSettingsLocked(int type, int userId, String packageName, int mo
Setting setting = settingsState.getSettingLocked(name);
if (!SettingsState.isSystemPackage(getContext(),
setting.getPackageName())) {
- if (prefix != null && !setting.getName().startsWith(prefix)) {
+ if (shouldExcludeSettingFromReset(setting, prefix)) {
continue;
}
if (settingsState.resetSettingLocked(name)) {
@@ -3164,7 +3173,7 @@ public void resetSettingsLocked(int type, int userId, String packageName, int mo
Setting setting = settingsState.getSettingLocked(name);
if (!SettingsState.isSystemPackage(getContext(),
setting.getPackageName())) {
- if (prefix != null && !setting.getName().startsWith(prefix)) {
+ if (shouldExcludeSettingFromReset(setting, prefix)) {
continue;
}
if (setting.isDefaultFromSystem()) {
@@ -3187,7 +3196,7 @@ public void resetSettingsLocked(int type, int userId, String packageName, int mo
for (String name : settingsState.getSettingNamesLocked()) {
Setting setting = settingsState.getSettingLocked(name);
boolean someSettingChanged = false;
- if (prefix != null && !setting.getName().startsWith(prefix)) {
+ if (shouldExcludeSettingFromReset(setting, prefix)) {
continue;
}
if (setting.isDefaultFromSystem()) {
diff --git a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsProviderTest.java b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsProviderTest.java
index eaf0dcb9b4e7..1c6d2b08136c 100644
--- a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsProviderTest.java
+++ b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsProviderTest.java
@@ -464,6 +464,31 @@ private void testResetModeTrustedDefaultsCommon(int type) throws Exception {
}
}
+ // To prevent FRP bypasses, the SECURE_FRP_MODE setting should not be reset when all other
+ // settings are reset. But it should still be possible to explicitly set its value.
+ @Test
+ public void testSecureFrpModeSettingCannotBeReset() throws Exception {
+ final String name = Settings.Secure.SECURE_FRP_MODE;
+ final String origValue = getSetting(SETTING_TYPE_GLOBAL, name);
+ setSettingViaShell(SETTING_TYPE_GLOBAL, name, "1", false);
+ try {
+ assertEquals("1", getSetting(SETTING_TYPE_GLOBAL, name));
+ for (int type : new int[] { SETTING_TYPE_GLOBAL, SETTING_TYPE_SECURE }) {
+ resetSettingsViaShell(type, Settings.RESET_MODE_UNTRUSTED_DEFAULTS);
+ resetSettingsViaShell(type, Settings.RESET_MODE_UNTRUSTED_CHANGES);
+ resetSettingsViaShell(type, Settings.RESET_MODE_TRUSTED_DEFAULTS);
+ }
+ // The value should still be "1". It should not have been reset to null.
+ assertEquals("1", getSetting(SETTING_TYPE_GLOBAL, name));
+ // It should still be possible to explicitly set the value to "0".
+ setSettingViaShell(SETTING_TYPE_GLOBAL, name, "0", false);
+ assertEquals("0", getSetting(SETTING_TYPE_GLOBAL, name));
+ } finally {
+ setSettingViaShell(SETTING_TYPE_GLOBAL, name, origValue, false);
+ assertEquals(origValue, getSetting(SETTING_TYPE_GLOBAL, name));
+ }
+ }
+
private void doTestQueryStringInBracketsViaProviderApiForType(int type) {
// Make sure we have a clean slate.
deleteStringViaProviderApi(type, FAKE_SETTING_NAME);

32
Patches/LineageOS-20.0/ASB-2023-10/base-10.patch Normal file
View File

@ -0,0 +1,32 @@
From 9141cac175caaf176377d088e334d0991482fd6a Mon Sep 17 00:00:00 2001
From: Aaron Liu <aaronjli@google.com>
Date: Thu, 10 Aug 2023 15:38:08 +0000
Subject: [PATCH] Revert "Dismiss keyguard when simpin auth'd and..."
Revert submission 22621774-cherrypicker-L22000000959901080:N28400001357657640
Reason for revert: causing a partner bug
Fixes: 295205456
Bug: 222446076
Reverted changes: /q/submissionid:22621774-cherrypicker-L22000000959901080:N28400001357657640
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0afa6707fa632c1f5fba5dff46a94b5d734e2ab2)
Merged-In: Icb27b4d897696b4fbb4e4a878751d925f5205dfd
Change-Id: Icb27b4d897696b4fbb4e4a878751d925f5205dfd
---
.../android/keyguard/KeyguardSecurityContainerController.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainerController.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainerController.java
index 16299c7aff7b..061bab8a7006 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainerController.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainerController.java
@@ -752,7 +752,7 @@ public boolean showNextSecurityScreenOrFinish(boolean authenticated, int targetU
case SimPuk:
// Shortcut for SIM PIN/PUK to go to directly to user's security screen or home
SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId);
- if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled(
+ if (securityMode == SecurityMode.None && mLockPatternUtils.isLockScreenDisabled(
KeyguardUpdateMonitor.getCurrentUser())) {
finish = true;
eventSubtype = BOUNCER_DISMISS_SIM;

90
Patches/LineageOS-20.0/ASB-2023-10/bluetooth-01.patch Normal file
View File

@ -0,0 +1,90 @@
From 364a1d99624e8dca6501d98166efbb8061362970 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 16 May 2023 02:09:38 +0000
Subject: [PATCH] Fix an integer underflow in build_read_multi_rsp
When p_buf->len is mtu - 1 and p_cmd->multi_req.variable_len
evaluates to true, integer underflow is triggered
in the following line, resulting OOB access.
```
len = p_rsp->attr_value.len - (total_len - mtu);
```
Bug: 273874525
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f4d53c7bf90b806639a3a302f0007ffb3b9f23)
Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
---
system/stack/gatt/gatt_sr.cc | 32 +++++++++++++++++---------------
1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/system/stack/gatt/gatt_sr.cc b/system/stack/gatt/gatt_sr.cc
index f2a3e22414..ce00ef7428 100644
--- a/system/stack/gatt/gatt_sr.cc
+++ b/system/stack/gatt/gatt_sr.cc
@@ -21,6 +21,7 @@
* this file contains the GATT server functions
*
******************************************************************************/
+#include <algorithm>
#include <string.h>
#include "bt_target.h"
@@ -178,37 +179,38 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
}
if (p_rsp != NULL) {
- total_len = (p_buf->len + p_rsp->attr_value.len);
+ total_len = p_buf->len;
if (p_cmd->multi_req.variable_len) {
total_len += 2;
}
if (total_len > mtu) {
- /* just send the partial response for the overflow case */
- len = p_rsp->attr_value.len - (total_len - mtu);
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
+ break;
+ }
+
+ len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
+
+ if (len == 0) {
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
+ break;
+ }
+
+ if (len < p_rsp->attr_value.len) {
is_overflow = true;
VLOG(1) << StringPrintf(
"multi read overflow available len=%zu val_len=%d", len,
p_rsp->attr_value.len);
- } else {
- len = p_rsp->attr_value.len;
}
if (p_cmd->multi_req.variable_len) {
- UINT16_TO_STREAM(p, len);
+ UINT16_TO_STREAM(p, (uint16_t) len);
p_buf->len += 2;
}
if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
- // check for possible integer overflow
- if (p_buf->len + len <= UINT16_MAX) {
- memcpy(p, p_rsp->attr_value.value, len);
- if (!is_overflow) p += len;
- p_buf->len += len;
- } else {
- p_cmd->status = GATT_NOT_FOUND;
- break;
- }
+ ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);
+ p_buf->len += (uint16_t) len;
} else {
p_cmd->status = GATT_NOT_FOUND;
break;

30
Patches/LineageOS-20.0/ASB-2023-10/launcher-01.patch Normal file
View File

@ -0,0 +1,30 @@
From cfbfcefb3ce6bcd4d099cba4f45a8c6a0c02e6e6 Mon Sep 17 00:00:00 2001
From: Shen Lin <shhenlin@gmail.com>
Date: Tue, 20 Dec 2022 11:29:51 +0800
Subject: [PATCH] Fix NPE in FallbackSwipeHandler when getRunningTask() returns
null
mGestureState.getRunningTask() is probably null in this situation, we
need to add a null check here refer to the usage in TaskAnimationManager.
Bug: 263041039
Test: manual
Change-Id: I7707bf204190ff506f40640ff764f07cb98aab68
---
quickstep/src/com/android/quickstep/FallbackSwipeHandler.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/quickstep/src/com/android/quickstep/FallbackSwipeHandler.java b/quickstep/src/com/android/quickstep/FallbackSwipeHandler.java
index d4bebea55f..1913091695 100644
--- a/quickstep/src/com/android/quickstep/FallbackSwipeHandler.java
+++ b/quickstep/src/com/android/quickstep/FallbackSwipeHandler.java
@@ -108,7 +108,8 @@ public FallbackSwipeHandler(Context context, RecentsAnimationDeviceState deviceS
super(context, deviceState, taskAnimationManager, gestureState, touchTimeMs,
continuingLastGesture, inputConsumer);
- mRunningOverHome = mGestureState.getRunningTask().isHomeTask();
+ mRunningOverHome = mGestureState.getRunningTask() != null
+ && mGestureState.getRunningTask().isHomeTask();
if (mRunningOverHome) {
runActionOnRemoteHandles(remoteTargetHandle ->
remoteTargetHandle.getTransformParams().setHomeBuilderProxy(

123
Patches/LineageOS-20.0/ASB-2023-10/libxml-01.patch Normal file
View File

@ -0,0 +1,123 @@
From 4a27a7f162907facfbeddf2d4ae4c6ab7c6eb15a Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 17 Feb 2023 15:53:07 +0100
Subject: [PATCH] malloc-fail: Fix OOB read after xmlRegGetCounter
Found with libFuzzer, see #344.
(cherry picked from commit 1743c4c3fc58cf38ecce68db9de51d0f3651e033)
I also copied the error label from
e64653c0e7975594e27d7de2ed4be062c1e4ad03 to fix the build failure.
Bug: http://b/274231102
Test: TreeHugger
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0e6ed17dfe8e36e5618a592a600720bd61e015cc)
Merged-In: I3bad3e03092e17a761cb6e299aff848ebd35b6f4
Change-Id: I3bad3e03092e17a761cb6e299aff848ebd35b6f4
---
xmlregexp.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/xmlregexp.c b/xmlregexp.c
index 984c7ac6e..ce09b2216 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -1673,6 +1673,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
return(-1);
inter = ctxt->state;
counter = xmlRegGetCounter(ctxt);
+ if (counter < 0)
+ return(-1);
ctxt->counters[counter].min = atom->min - 1;
ctxt->counters[counter].max = atom->max - 1;
/* count the number of times we see it again */
@@ -1691,6 +1693,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
* epsilon transition.
*/
counter = xmlRegGetCounter(ctxt);
+ if (counter < 0)
+ return(-1);
ctxt->counters[counter].min = atom->min - 1;
ctxt->counters[counter].max = atom->max - 1;
/* count the number of times we see it again */
@@ -6015,6 +6019,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
+ if (counter < 0)
+ goto error;
am->counters[counter].min = min;
am->counters[counter].max = max;
@@ -6034,6 +6040,10 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
if (min == 0)
xmlFAGenerateEpsilonTransition(am, from, to);
return(to);
+
+error:
+ xmlRegFreeAtom(atom);
+ return(NULL);
}
/**
@@ -6081,6 +6091,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
+ if (counter < 0)
+ goto error;
am->counters[counter].min = min;
am->counters[counter].max = max;
@@ -6100,6 +6112,10 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
if (min == 0)
xmlFAGenerateEpsilonTransition(am, from, to);
return(to);
+
+error:
+ xmlRegFreeAtom(atom);
+ return(NULL);
}
/**
@@ -6167,6 +6183,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
+ if (counter < 0)
+ goto error;
am->counters[counter].min = 1;
am->counters[counter].max = 1;
@@ -6179,6 +6197,10 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
xmlRegAtomPush(am, atom);
am->state = to;
return(to);
+
+error:
+ xmlRegFreeAtom(atom);
+ return(NULL);
}
@@ -6226,6 +6248,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
+ if (counter < 0)
+ goto error;
am->counters[counter].min = 1;
am->counters[counter].max = 1;
@@ -6238,6 +6262,10 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
xmlRegAtomPush(am, atom);
am->state = to;
return(to);
+
+error:
+ xmlRegFreeAtom(atom);
+ return(NULL);
}
/**

452
Patches/LineageOS-20.0/ASB-2023-10/mediaprovider-01.patch Normal file
View File

@ -0,0 +1,452 @@
From 0fb5786dbf8b462eb106df912a7f65ab240f0d6a Mon Sep 17 00:00:00 2001
From: Sergey Nikolaienkov <sergeynv@google.com>
Date: Tue, 28 Mar 2023 12:22:31 +0200
Subject: [PATCH] Fix path traversal vulnerabilities in MediaProvider
Canonicalize filepath provided by the caller when hanling SCAN_FILE_CALL
method call in MediaProvider.
Additionally, make sure to check access permission in SCAN_FILE_CALL
(using enforceCallingPermissionInternal()).
Preemptively canonicalize Files provided as an arguments to the public
API methods in ModernMediaScanner (scanFile(), scanDirectory() and
onDirectoryDirty()) to prevent path traversal attacks.
Bug: 262244882
Test: atest MediaProviderTests
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5bb32d7fba00b9e53c7e20ae8acaf6f84a8b2e8d)
Merged-In: I61e77d69ae857984b819fa0ea27bec5c26a34842
Change-Id: I61e77d69ae857984b819fa0ea27bec5c26a34842
---
.../providers/media/MediaProvider.java | 61 +++++++++++--------
.../media/scan/LegacyMediaScanner.java | 7 ---
.../providers/media/scan/MediaScanner.java | 25 ++++----
.../media/scan/ModernMediaScanner.java | 56 +++++++++++------
.../media/scan/NullMediaScanner.java | 6 --
.../providers/media/util/FileUtils.java | 47 ++++++++++----
.../media/scan/LegacyMediaScannerTest.java | 6 --
.../media/scan/ModernMediaScannerTest.java | 18 ------
.../media/scan/NullMediaScannerTest.java | 2 -
9 files changed, 117 insertions(+), 111 deletions(-)
diff --git a/src/com/android/providers/media/MediaProvider.java b/src/com/android/providers/media/MediaProvider.java
index 21eeed7f3..8c1df561b 100644
--- a/src/com/android/providers/media/MediaProvider.java
+++ b/src/com/android/providers/media/MediaProvider.java
@@ -1692,11 +1692,7 @@ public void scanDirectory(File file, int reason) {
}
public Uri scanFile(File file, int reason) {
- return scanFile(file, reason, null);
- }
-
- public Uri scanFile(File file, int reason, String ownerPackage) {
- return mMediaScanner.scanFile(file, reason, ownerPackage);
+ return mMediaScanner.scanFile(file, reason);
}
private Uri scanFileAsMediaProvider(File file, int reason) {
@@ -6197,38 +6193,51 @@ private Bundle callInternal(String method, String arg, Bundle extras) {
}
return null;
}
- case MediaStore.SCAN_FILE_CALL:
+ case MediaStore.SCAN_FILE_CALL: {
+ final LocalCallingIdentity token = clearLocalCallingIdentity();
+ final CallingIdentity providerToken = clearCallingIdentity();
+
+ final String filePath = arg;
+ final Uri uri;
+ try {
+ File file;
+ try {
+ file = FileUtils.getCanonicalFile(filePath);
+ } catch (IOException e) {
+ file = null;
+ }
+
+ uri = file != null ? scanFile(file, REASON_DEMAND) : null;
+ } finally {
+ restoreCallingIdentity(providerToken);
+ restoreLocalCallingIdentity(token);
+ }
+
+ // TODO(b/262244882): maybe enforceCallingPermissionInternal(uri, ...)
+
+ final Bundle res = new Bundle();
+ res.putParcelable(Intent.EXTRA_STREAM, uri);
+ return res;
+ }
case MediaStore.SCAN_VOLUME_CALL: {
final int userId = uidToUserId(Binder.getCallingUid());
final LocalCallingIdentity token = clearLocalCallingIdentity();
final CallingIdentity providerToken = clearCallingIdentity();
+
+ final String volumeName = arg;
try {
- final Bundle res = new Bundle();
- switch (method) {
- case MediaStore.SCAN_FILE_CALL: {
- final File file = new File(arg);
- res.putParcelable(Intent.EXTRA_STREAM, scanFile(file, REASON_DEMAND));
- break;
- }
- case MediaStore.SCAN_VOLUME_CALL: {
- final String volumeName = arg;
- try {
- MediaVolume volume = mVolumeCache.findVolume(volumeName,
- UserHandle.of(userId));
- MediaService.onScanVolume(getContext(), volume, REASON_DEMAND);
- } catch (FileNotFoundException e) {
- Log.w(TAG, "Failed to find volume " + volumeName, e);
- }
- break;
- }
- }
- return res;
+ final MediaVolume volume = mVolumeCache.findVolume(volumeName,
+ UserHandle.of(userId));
+ MediaService.onScanVolume(getContext(), volume, REASON_DEMAND);
+ } catch (FileNotFoundException e) {
+ Log.w(TAG, "Failed to find volume " + volumeName, e);
} catch (IOException e) {
throw new RuntimeException(e);
} finally {
restoreCallingIdentity(providerToken);
restoreLocalCallingIdentity(token);
}
+ return Bundle.EMPTY;
}
case MediaStore.GET_VERSION_CALL: {
final String volumeName = extras.getString(Intent.EXTRA_TEXT);
diff --git a/src/com/android/providers/media/scan/LegacyMediaScanner.java b/src/com/android/providers/media/scan/LegacyMediaScanner.java
index d8d3bed41..d73dda584 100644
--- a/src/com/android/providers/media/scan/LegacyMediaScanner.java
+++ b/src/com/android/providers/media/scan/LegacyMediaScanner.java
@@ -19,8 +19,6 @@
import android.content.Context;
import android.net.Uri;
-import androidx.annotation.Nullable;
-
import com.android.providers.media.MediaVolume;
import java.io.File;
@@ -48,11 +46,6 @@ public Uri scanFile(File file, int reason) {
throw new UnsupportedOperationException();
}
- @Override
- public Uri scanFile(File file, int reason, @Nullable String ownerPackage) {
- throw new UnsupportedOperationException();
- }
-
@Override
public void onDetachVolume(MediaVolume volume) {
throw new UnsupportedOperationException();
diff --git a/src/com/android/providers/media/scan/MediaScanner.java b/src/com/android/providers/media/scan/MediaScanner.java
index 45d2a2436..eb5e4d6c7 100644
--- a/src/com/android/providers/media/scan/MediaScanner.java
+++ b/src/com/android/providers/media/scan/MediaScanner.java
@@ -24,23 +24,20 @@
import android.content.Context;
import android.net.Uri;
-import androidx.annotation.Nullable;
-
import com.android.providers.media.MediaVolume;
import java.io.File;
public interface MediaScanner {
- public static final int REASON_UNKNOWN = MEDIA_PROVIDER_SCAN_OCCURRED__REASON__UNKNOWN;
- public static final int REASON_MOUNTED = MEDIA_PROVIDER_SCAN_OCCURRED__REASON__MOUNTED;
- public static final int REASON_DEMAND = MEDIA_PROVIDER_SCAN_OCCURRED__REASON__DEMAND;
- public static final int REASON_IDLE = MEDIA_PROVIDER_SCAN_OCCURRED__REASON__IDLE;
-
- public Context getContext();
- public void scanDirectory(File file, int reason);
- public Uri scanFile(File file, int reason);
- public Uri scanFile(File file, int reason, @Nullable String ownerPackage);
- public void onDetachVolume(MediaVolume volume);
- public void onIdleScanStopped();
- public void onDirectoryDirty(File file);
+ int REASON_UNKNOWN = MEDIA_PROVIDER_SCAN_OCCURRED__REASON__UNKNOWN;
+ int REASON_MOUNTED = MEDIA_PROVIDER_SCAN_OCCURRED__REASON__MOUNTED;
+ int REASON_DEMAND = MEDIA_PROVIDER_SCAN_OCCURRED__REASON__DEMAND;
+ int REASON_IDLE = MEDIA_PROVIDER_SCAN_OCCURRED__REASON__IDLE;
+
+ Context getContext();
+ void scanDirectory(File file, int reason);
+ Uri scanFile(File file, int reason);
+ void onDetachVolume(MediaVolume volume);
+ void onIdleScanStopped();
+ void onDirectoryDirty(File file);
}
diff --git a/src/com/android/providers/media/scan/ModernMediaScanner.java b/src/com/android/providers/media/scan/ModernMediaScanner.java
index 41f53d57a..81133f7aa 100644
--- a/src/com/android/providers/media/scan/ModernMediaScanner.java
+++ b/src/com/android/providers/media/scan/ModernMediaScanner.java
@@ -50,6 +50,8 @@
import static com.android.providers.media.util.Metrics.translateReason;
+import static java.util.Objects.requireNonNull;
+
import android.content.ContentProviderClient;
import android.content.ContentProviderOperation;
import android.content.ContentProviderResult;
@@ -236,23 +238,36 @@ public Context getContext() {
}
@Override
- public void scanDirectory(File file, int reason) {
- try (Scan scan = new Scan(file, reason, /*ownerPackage*/ null)) {
+ public void scanDirectory(@NonNull File file, int reason) {
+ requireNonNull(file);
+ try {
+ file = file.getCanonicalFile();
+ } catch (IOException e) {
+ Log.e(TAG, "Couldn't canonicalize directory to scan" + file, e);
+ return;
+ }
+
+ try (Scan scan = new Scan(file, reason)) {
scan.run();
- } catch (OperationCanceledException ignored) {
} catch (FileNotFoundException e) {
- Log.e(TAG, "Couldn't find directory to scan", e) ;
+ Log.e(TAG, "Couldn't find directory to scan", e);
+ } catch (OperationCanceledException ignored) {
+ // No-op.
}
}
@Override
- public Uri scanFile(File file, int reason) {
- return scanFile(file, reason, /*ownerPackage*/ null);
- }
+ @Nullable
+ public Uri scanFile(@NonNull File file, int reason) {
+ requireNonNull(file);
+ try {
+ file = file.getCanonicalFile();
+ } catch (IOException e) {
+ Log.e(TAG, "Couldn't canonicalize file to scan" + file, e);
+ return null;
+ }
- @Override
- public Uri scanFile(File file, int reason, @Nullable String ownerPackage) {
- try (Scan scan = new Scan(file, reason, ownerPackage)) {
+ try (Scan scan = new Scan(file, reason)) {
scan.run();
return scan.getFirstResult();
} catch (OperationCanceledException ignored) {
@@ -286,10 +301,18 @@ public void onIdleScanStopped() {
}
@Override
- public void onDirectoryDirty(File dir) {
+ public void onDirectoryDirty(@NonNull File dir) {
+ requireNonNull(dir);
+ try {
+ dir = dir.getCanonicalFile();
+ } catch (IOException e) {
+ Log.e(TAG, "Couldn't canonicalize directory" + dir, e);
+ return;
+ }
+
synchronized (mPendingCleanDirectories) {
mPendingCleanDirectories.remove(dir.getPath());
- FileUtils.setDirectoryDirty(dir, /*isDirty*/ true);
+ FileUtils.setDirectoryDirty(dir, /* isDirty */ true);
}
}
@@ -320,7 +343,6 @@ private class Scan implements Runnable, FileVisitor<Path>, AutoCloseable {
private final String mVolumeName;
private final Uri mFilesUri;
private final CancellationSignal mSignal;
- private final String mOwnerPackage;
private final List<String> mExcludeDirs;
private final long mStartGeneration;
@@ -349,7 +371,7 @@ private class Scan implements Runnable, FileVisitor<Path>, AutoCloseable {
*/
private boolean mIsDirectoryTreeDirty;
- public Scan(File root, int reason, @Nullable String ownerPackage)
+ public Scan(File root, int reason)
throws FileNotFoundException {
Trace.beginSection("ctor");
@@ -371,7 +393,6 @@ public Scan(File root, int reason, @Nullable String ownerPackage)
mStartGeneration = MediaStore.getGeneration(mResolver, mVolumeName);
mSingleFile = mRoot.isFile();
- mOwnerPackage = ownerPackage;
mExcludeDirs = new ArrayList<>();
Trace.endSection();
@@ -800,10 +821,7 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs)
}
if (op != null) {
op.withValue(FileColumns._MODIFIER, FileColumns._MODIFIER_MEDIA_SCAN);
- // Add owner package name to new insertions when package name is provided.
- if (op.build().isInsert() && !attrs.isDirectory() && mOwnerPackage != null) {
- op.withValue(MediaColumns.OWNER_PACKAGE_NAME, mOwnerPackage);
- }
+
// Force DRM files to be marked as DRM, since the lower level
// stack may not set this correctly
if (isDrm) {
diff --git a/src/com/android/providers/media/scan/NullMediaScanner.java b/src/com/android/providers/media/scan/NullMediaScanner.java
index 7a1a39610..e53f96468 100644
--- a/src/com/android/providers/media/scan/NullMediaScanner.java
+++ b/src/com/android/providers/media/scan/NullMediaScanner.java
@@ -56,12 +56,6 @@ public Uri scanFile(File file, int reason) {
return null;
}
- @Override
- public Uri scanFile(File file, int reason, @Nullable String ownerPackage) {
- Log.w(TAG, "Ignoring scan request for " + file);
- return null;
- }
-
@Override
public void onDetachVolume(MediaVolume volume) {
// Ignored
diff --git a/src/com/android/providers/media/util/FileUtils.java b/src/com/android/providers/media/util/FileUtils.java
index 097eca8c9..6c2695c78 100644
--- a/src/com/android/providers/media/util/FileUtils.java
+++ b/src/com/android/providers/media/util/FileUtils.java
@@ -1110,18 +1110,25 @@ public static int extractUserId(@Nullable String data) {
}
public static @Nullable String extractRelativePath(@Nullable String data) {
- data = getCanonicalPath(data);
if (data == null) return null;
- final Matcher matcher = PATTERN_RELATIVE_PATH.matcher(data);
+ final String path;
+ try {
+ path = getCanonicalPath(data);
+ } catch (IOException e) {
+ Log.d(TAG, "Unable to get canonical path from invalid data path: " + data, e);
+ return null;
+ }
+
+ final Matcher matcher = PATTERN_RELATIVE_PATH.matcher(path);
if (matcher.find()) {
- final int lastSlash = data.lastIndexOf('/');
+ final int lastSlash = path.lastIndexOf('/');
if (lastSlash == -1 || lastSlash < matcher.end()) {
// This is a file in the top-level directory, so relative path is "/"
// which is different than null, which means unknown path
return "/";
} else {
- return data.substring(matcher.end(), lastSlash + 1);
+ return path.substring(matcher.end(), lastSlash + 1);
}
} else {
return null;
@@ -1769,15 +1776,29 @@ public static File fromFuseFile(File file) {
return new File(file.getPath().replaceFirst(FUSE_FS_PREFIX, LOWER_FS_PREFIX));
}
- @Nullable
- private static String getCanonicalPath(@Nullable String path) {
- if (path == null) return null;
+ /**
+ * Returns the canonical {@link File} for the provided abstract pathname.
+ *
+ * @return The canonical pathname string denoting the same file or directory as this abstract
+ * pathname
+ * @see File#getCanonicalFile()
+ */
+ @NonNull
+ public static File getCanonicalFile(@NonNull String path) throws IOException {
+ Objects.requireNonNull(path);
+ return new File(path).getCanonicalFile();
+ }
- try {
- return new File(path).getCanonicalPath();
- } catch (IOException e) {
- Log.d(TAG, "Unable to get canonical path from invalid data path: " + path, e);
- return null;
- }
+ /**
+ * Returns the canonical pathname string of the provided abstract pathname.
+ *
+ * @return The canonical pathname string denoting the same file or directory as this abstract
+ * pathname.
+ * @see File#getCanonicalPath()
+ */
+ @NonNull
+ public static String getCanonicalPath(@NonNull String path) throws IOException {
+ Objects.requireNonNull(path);
+ return new File(path).getCanonicalPath();
}
}
diff --git a/tests/src/com/android/providers/media/scan/LegacyMediaScannerTest.java b/tests/src/com/android/providers/media/scan/LegacyMediaScannerTest.java
index cf9cb395d..2831e963e 100644
--- a/tests/src/com/android/providers/media/scan/LegacyMediaScannerTest.java
+++ b/tests/src/com/android/providers/media/scan/LegacyMediaScannerTest.java
@@ -47,12 +47,6 @@ public void testSimple() throws Exception {
fail();
} catch (UnsupportedOperationException expected) {
}
- try {
- scanner.scanFile(new File("/dev/null"), MediaScanner.REASON_UNKNOWN,
- InstrumentationRegistry.getContext().getPackageName());
- fail();
- } catch (UnsupportedOperationException expected) {
- }
try {
scanner.onDetachVolume(null);
fail();
diff --git a/tests/src/com/android/providers/media/scan/ModernMediaScannerTest.java b/tests/src/com/android/providers/media/scan/ModernMediaScannerTest.java
index 0450c1cee..06f10ed21 100644
--- a/tests/src/com/android/providers/media/scan/ModernMediaScannerTest.java
+++ b/tests/src/com/android/providers/media/scan/ModernMediaScannerTest.java
@@ -779,24 +779,6 @@ public void testScan_missingFile() throws Exception {
assertThat(mModern.scanFile(image, REASON_UNKNOWN)).isNull();
}
- @Test
- public void testScanFileAndUpdateOwnerPackageName() throws Exception {
- final File image = new File(mDir, "image.jpg");
- final String thisPackageName = InstrumentationRegistry.getContext().getPackageName();
- stage(R.raw.test_image, image);
-
- assertQueryCount(0, MediaStore.Images.Media.EXTERNAL_CONTENT_URI);
- // scanning the image file inserts new database entry with OWNER_PACKAGE_NAME as
- // thisPackageName.
- assertNotNull(mModern.scanFile(image, REASON_UNKNOWN, thisPackageName));
- try (Cursor cursor = mIsolatedResolver.query(MediaStore.Images.Media.EXTERNAL_CONTENT_URI,
- new String[] {MediaColumns.OWNER_PACKAGE_NAME}, null, null, null)) {
- assertEquals(1, cursor.getCount());
- cursor.moveToNext();
- assertEquals(thisPackageName, cursor.getString(0));
- }
- }
-
/**
* Verify fix for obscure bug which would cause us to delete files outside a
* directory that share a common prefix.
diff --git a/tests/src/com/android/providers/media/scan/NullMediaScannerTest.java b/tests/src/com/android/providers/media/scan/NullMediaScannerTest.java
index 063f1b7a3..265d1a97a 100644
--- a/tests/src/com/android/providers/media/scan/NullMediaScannerTest.java
+++ b/tests/src/com/android/providers/media/scan/NullMediaScannerTest.java
@@ -38,8 +38,6 @@ public void testSimple() throws Exception {
scanner.scanDirectory(new File("/dev/null"), MediaScanner.REASON_UNKNOWN);
scanner.scanFile(new File("/dev/null"), MediaScanner.REASON_UNKNOWN);
- scanner.scanFile(new File("/dev/null"), MediaScanner.REASON_UNKNOWN,
- InstrumentationRegistry.getContext().getPackageName());
scanner.onDetachVolume(null);
}

214
Patches/LineageOS-20.0/ASB-2023-10/native-01.patch Normal file
View File

@ -0,0 +1,214 @@
From 507304e1f59236675bfd820290b329f5f7334ec0 Mon Sep 17 00:00:00 2001
From: sergiuferentz <sergiuferentz@google.com>
Date: Mon, 26 Jun 2023 18:01:47 +0000
Subject: [PATCH] Fix for heap-use-after-free in GPUService.cpp
This adds a unit test and fix for the bug reported by libfuzzer.
Changes made:
* Expose GPUService as testable code.
* Update main_gpuservice.cpp to use the new GpuService now located at
gpuservice/GpuService.h
* Make initializer threads members of GpuService
* Join the threads in destructor to prevent heap-use-after-free.
* Add unit test that waits 3 seconds after deallocation to ensure no
wrong access is made.
Bug: 282919145
Test: Added unit test and ran on device with ASAN
(cherry picked from commit 3c00cbc0f119c3f59325aa6d5061529feb58462b)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7fb707802ee4c667d1ee6065ae2845d835b47aeb)
Merged-In: I4d1d2d4658b575bf2c8f425f91f68f03114ad029
Change-Id: I4d1d2d4658b575bf2c8f425f91f68f03114ad029
---
services/gpuservice/Android.bp | 1 +
services/gpuservice/GpuService.cpp | 14 +++--
.../{ => include/gpuservice}/GpuService.h | 4 ++
services/gpuservice/main_gpuservice.cpp | 2 +-
.../gpuservice/tests/unittests/Android.bp | 2 +
.../tests/unittests/GpuServiceTest.cpp | 52 +++++++++++++++++++
6 files changed, 69 insertions(+), 6 deletions(-)
rename services/gpuservice/{ => include/gpuservice}/GpuService.h (94%)
create mode 100644 services/gpuservice/tests/unittests/GpuServiceTest.cpp
diff --git a/services/gpuservice/Android.bp b/services/gpuservice/Android.bp
index 5b4ee21b42..020940f04e 100644
--- a/services/gpuservice/Android.bp
+++ b/services/gpuservice/Android.bp
@@ -71,6 +71,7 @@ filegroup {
cc_library_shared {
name: "libgpuservice",
defaults: ["libgpuservice_production_defaults"],
+ export_include_dirs: ["include"],
srcs: [
":libgpuservice_sources",
],
diff --git a/services/gpuservice/GpuService.cpp b/services/gpuservice/GpuService.cpp
index 7b9782f4e8..5643940a6e 100644
--- a/services/gpuservice/GpuService.cpp
+++ b/services/gpuservice/GpuService.cpp
@@ -16,7 +16,7 @@
#define ATRACE_TAG ATRACE_TAG_GRAPHICS
-#include "GpuService.h"
+#include "gpuservice/GpuService.h"
#include <android-base/stringprintf.h>
#include <binder/IPCThreadState.h>
@@ -34,6 +34,7 @@
#include <vkjson.h>
#include <thread>
+#include <memory>
namespace android {
@@ -55,18 +56,21 @@ GpuService::GpuService()
mGpuStats(std::make_unique<GpuStats>()),
mGpuMemTracer(std::make_unique<GpuMemTracer>()) {
- std::thread gpuMemAsyncInitThread([this]() {
+ mGpuMemAsyncInitThread = std::make_unique<std::thread>([this] (){
mGpuMem->initialize();
mGpuMemTracer->initialize(mGpuMem);
});
- gpuMemAsyncInitThread.detach();
- std::thread gpuWorkAsyncInitThread([this]() {
+ mGpuWorkAsyncInitThread = std::make_unique<std::thread>([this]() {
mGpuWork->initialize();
});
- gpuWorkAsyncInitThread.detach();
};
+GpuService::~GpuService() {
+ mGpuWorkAsyncInitThread->join();
+ mGpuMemAsyncInitThread->join();
+}
+
void GpuService::setGpuStats(const std::string& driverPackageName,
const std::string& driverVersionName, uint64_t driverVersionCode,
int64_t driverBuildTime, const std::string& appPackageName,
diff --git a/services/gpuservice/GpuService.h b/services/gpuservice/include/gpuservice/GpuService.h
similarity index 94%
rename from services/gpuservice/GpuService.h
rename to services/gpuservice/include/gpuservice/GpuService.h
index d7313d165e..3e0ae66f39 100644
--- a/services/gpuservice/GpuService.h
+++ b/services/gpuservice/include/gpuservice/GpuService.h
@@ -24,6 +24,7 @@
#include <serviceutils/PriorityDumper.h>
#include <mutex>
+#include <thread>
#include <vector>
namespace android {
@@ -41,6 +42,7 @@ class GpuService : public BnGpuService, public PriorityDumper {
static const char* const SERVICE_NAME ANDROID_API;
GpuService() ANDROID_API;
+ ~GpuService();
protected:
status_t shellCommand(int in, int out, int err, std::vector<String16>& args) override;
@@ -86,6 +88,8 @@ class GpuService : public BnGpuService, public PriorityDumper {
std::unique_ptr<GpuMemTracer> mGpuMemTracer;
std::mutex mLock;
std::string mDeveloperDriverPath;
+ std::unique_ptr<std::thread> mGpuMemAsyncInitThread;
+ std::unique_ptr<std::thread> mGpuWorkAsyncInitThread;
};
} // namespace android
diff --git a/services/gpuservice/main_gpuservice.cpp b/services/gpuservice/main_gpuservice.cpp
index 64aafcab6a..200237219e 100644
--- a/services/gpuservice/main_gpuservice.cpp
+++ b/services/gpuservice/main_gpuservice.cpp
@@ -18,7 +18,7 @@
#include <binder/IServiceManager.h>
#include <binder/ProcessState.h>
#include <sys/resource.h>
-#include "GpuService.h"
+#include "gpuservice/GpuService.h"
using namespace android;
diff --git a/services/gpuservice/tests/unittests/Android.bp b/services/gpuservice/tests/unittests/Android.bp
index 4fb0d2e734..808c86bcae 100644
--- a/services/gpuservice/tests/unittests/Android.bp
+++ b/services/gpuservice/tests/unittests/Android.bp
@@ -31,6 +31,7 @@ cc_test {
"GpuMemTest.cpp",
"GpuMemTracerTest.cpp",
"GpuStatsTest.cpp",
+ "GpuServiceTest.cpp",
],
header_libs: ["bpf_headers"],
shared_libs: [
@@ -47,6 +48,7 @@ cc_test {
"libstatslog",
"libstatspull",
"libutils",
+ "libgpuservice",
],
static_libs: [
"libgmock",
diff --git a/services/gpuservice/tests/unittests/GpuServiceTest.cpp b/services/gpuservice/tests/unittests/GpuServiceTest.cpp
new file mode 100644
index 0000000000..62b3e53f53
--- /dev/null
+++ b/services/gpuservice/tests/unittests/GpuServiceTest.cpp
@@ -0,0 +1,52 @@
+#undef LOG_TAG
+#define LOG_TAG "gpuservice_unittest"
+
+#include "gpuservice/GpuService.h"
+
+#include <gtest/gtest.h>
+#include <log/log_main.h>
+
+#include <chrono>
+#include <thread>
+
+namespace android {
+namespace {
+
+class GpuServiceTest : public testing::Test {
+public:
+ GpuServiceTest() {
+ const ::testing::TestInfo* const test_info =
+ ::testing::UnitTest::GetInstance()->current_test_info();
+ ALOGD("**** Setting up for %s.%s\n", test_info->test_case_name(), test_info->name());
+ }
+
+ ~GpuServiceTest() {
+ const ::testing::TestInfo* const test_info =
+ ::testing::UnitTest::GetInstance()->current_test_info();
+ ALOGD("**** Tearing down after %s.%s\n", test_info->test_case_name(), test_info->name());
+ }
+
+};
+
+
+/*
+* The behaviour before this test + fixes was UB caused by threads accessing deallocated memory.
+*
+* This test creates the service (which initializes the culprit threads),
+* deallocates it immediately and sleeps.
+*
+* GpuService's destructor gets called and joins the threads.
+* If we haven't crashed by the time the sleep time has elapsed, we're good
+* Let the test pass.
+*/
+TEST_F(GpuServiceTest, onInitializeShouldNotCauseUseAfterFree) {
+ sp<GpuService> service = new GpuService();
+ service.clear();
+ std::this_thread::sleep_for(std::chrono::seconds(3));
+
+ // If we haven't crashed yet due to threads accessing freed up memory, let the test pass
+ EXPECT_TRUE(true);
+}
+
+} // namespace
+} // namespace android

67
Patches/LineageOS-20.0/ASB-2023-10/settings-01.patch Normal file
View File

@ -0,0 +1,67 @@
From 87a06448b96e1ccd2403ae5c90b15efdd8585444 Mon Sep 17 00:00:00 2001
From: Weng Su <wengsu@google.com>
Date: Fri, 7 Jul 2023 19:52:04 +0800
Subject: [PATCH] [RESTRICT AUTOMERGE] Restrict ApnEditor settings
- Finish ApnEditor settings if user is not an admin
- Finish ApnEditor settings if user has DISALLOW_CONFIG_MOBILE_NETWORKS restriction
Bug: 279902472
Test: manual test
atest -c ApnEditorTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ef2fd5b7cd74426568e8e82fb0dcddbfdaa943bf)
Merged-In: Iecdbbff7e21dfb11e3ba385858747a220cfd3e04
Change-Id: Iecdbbff7e21dfb11e3ba385858747a220cfd3e04
---
.../settings/network/apn/ApnEditor.java | 23 +++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/src/com/android/settings/network/apn/ApnEditor.java b/src/com/android/settings/network/apn/ApnEditor.java
index bfb49434378..afaf9bc3f8b 100644
--- a/src/com/android/settings/network/apn/ApnEditor.java
+++ b/src/com/android/settings/network/apn/ApnEditor.java
@@ -25,6 +25,7 @@
import android.net.Uri;
import android.os.Bundle;
import android.os.PersistableBundle;
+import android.os.UserManager;
import android.provider.Telephony;
import android.telephony.CarrierConfigManager;
import android.telephony.SubscriptionInfo;
@@ -281,6 +282,11 @@ public class ApnEditor extends SettingsPreferenceFragment
@Override
public void onCreate(Bundle icicle) {
super.onCreate(icicle);
+ if (isUserRestricted()) {
+ Log.e(TAG, "This setting isn't available due to user restriction.");
+ finish();
+ return;
+ }
setLifecycleForAllControllers();
@@ -1453,6 +1459,23 @@ ApnData getApnDataFromUri(Uri uri) {
return apnData;
}
+ @VisibleForTesting
+ boolean isUserRestricted() {
+ UserManager userManager = getContext().getSystemService(UserManager.class);
+ if (userManager == null) {
+ return false;
+ }
+ if (!userManager.isAdminUser()) {
+ Log.e(TAG, "User is not an admin");
+ return true;
+ }
+ if (userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS)) {
+ Log.e(TAG, "User is not allowed to configure mobile network");
+ return true;
+ }
+ return false;
+ }
+
@VisibleForTesting
static class ApnData {
/**

65
Patches/LineageOS-20.0/ASB-2023-10/settings-02.patch Normal file
View File

@ -0,0 +1,65 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Thu, 27 Jul 2023 21:45:05 +0000
Subject: [PATCH] RESTRICT AUTOMERGE: Catch exceptions from setLockCredential()
When LockPatternUtils#setLockCredential() fails, it can either return
false or throw an exception. Catch the exception and treat it the same
way as a false return value, to prevent crashing com.android.settings.
Bug: 253043065
Test: Tried setting lockscreen credential while in secure FRP mode using
smartlock setup activity launched by intent via adb. Verified
that com.android.settings no longer crashes due to the exception
from LockPatternUtils#setLockCredential().
(cherry picked from commit 05f1eff1c9c3f82797f1a0f92ff7665b9f463488)
(moved change into ChooseLockPassword.java and ChooseLockPattern.java,
which are merged into SaveAndFinishWorker.java on udc-qpr-dev and main)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e0b5a793a19198370d479401101cea97c2f1d835)
Merged-In: I48b9119c19fb6378b1f88d36433ee4f4c8501d76
Change-Id: I48b9119c19fb6378b1f88d36433ee4f4c8501d76
---
.../android/settings/password/ChooseLockPassword.java | 9 +++++++--
src/com/android/settings/password/ChooseLockPattern.java | 9 +++++++--
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/com/android/settings/password/ChooseLockPassword.java b/src/com/android/settings/password/ChooseLockPassword.java
index c4a3159e00..613388b21f 100644
--- a/src/com/android/settings/password/ChooseLockPassword.java
+++ b/src/com/android/settings/password/ChooseLockPassword.java
@@ -1048,8 +1048,13 @@ public class ChooseLockPassword extends SettingsActivity {
@Override
protected Pair<Boolean, Intent> saveAndVerifyInBackground() {
- final boolean success = mUtils.setLockCredential(
- mChosenPassword, mCurrentCredential, mUserId);
+ boolean success;
+ try {
+ success = mUtils.setLockCredential(mChosenPassword, mCurrentCredential, mUserId);
+ } catch (RuntimeException e) {
+ Log.e(TAG, "Failed to set lockscreen credential", e);
+ success = false;
+ }
if (success) {
unifyProfileCredentialIfRequested();
}
diff --git a/src/com/android/settings/password/ChooseLockPattern.java b/src/com/android/settings/password/ChooseLockPattern.java
index e54568060a..964a268510 100644
--- a/src/com/android/settings/password/ChooseLockPattern.java
+++ b/src/com/android/settings/password/ChooseLockPattern.java
@@ -925,8 +925,13 @@ public class ChooseLockPattern extends SettingsActivity {
protected Pair<Boolean, Intent> saveAndVerifyInBackground() {
final int userId = mUserId;
mUtils.setLockPatternSize(mPatternSize, userId);
- final boolean success = mUtils.setLockCredential(mChosenPattern, mCurrentCredential,
- userId);
+ boolean success;
+ try {
+ success = mUtils.setLockCredential(mChosenPattern, mCurrentCredential, userId);
+ } catch (RuntimeException e) {
+ Log.e(TAG, "Failed to set lockscreen credential", e);
+ success = false;
+ }
if (success) {
unifyProfileCredentialIfRequested();
}

48
Patches/LineageOS-20.0/ASB-2023-10/telecomm-01.patch Normal file
View File

@ -0,0 +1,48 @@
From c873988898e1b520e0e4cfda77e26ec4377a4ce9 Mon Sep 17 00:00:00 2001
From: Grace Jia <xiaotonj@google.com>
Date: Thu, 20 Jul 2023 13:42:50 -0700
Subject: [PATCH] Fix vulnerability in CallRedirectionService.
Currently when the CallRedirectionService binding died, we didn't do
anything, which cause malicious app start activities even not run in the
background by implementing a CallRedirectionService and overriding the
onPlaceCall method to schedule a activity start job in an independent
process and then kill itself. In that way, the activity can still
start after the CallRedirectionService died. Fix this by unbinding the
service when the binding died.
Bug: b/289809991
Test: Using testapp provided in bug to make sure the test activity can't
be started
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:29b52e3cd027da2d8644450a4dee3a7d95dc0043)
Merged-In: I065d361b83700474a1efab2a75928427ee0a14ba
Change-Id: I065d361b83700474a1efab2a75928427ee0a14ba
---
.../callredirection/CallRedirectionProcessor.java | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
index 226382bde..02debcd6c 100644
--- a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
+++ b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
@@ -175,6 +175,20 @@ public void onNullBinding(ComponentName componentName) {
Log.endSession();
}
}
+
+ @Override
+ public void onBindingDied(ComponentName componentName) {
+ // Make sure we unbind the service if binding died to avoid background stating
+ // activity leaks
+ Log.startSession("CRSC.oBD");
+ try {
+ synchronized (mTelecomLock) {
+ finishCallRedirection();
+ }
+ } finally {
+ Log.endSession();
+ }
+ }
}
private class CallRedirectionAdapter extends ICallRedirectionAdapter.Stub {

96
Patches/LineageOS-20.0/ASB-2023-10/wifi-01.patch Normal file
View File

@ -0,0 +1,96 @@
From 1a4b9ef510410a8d8c90e80352357f08c49f10c5 Mon Sep 17 00:00:00 2001
From: Oscar Shu <xshu@google.com>
Date: Fri, 7 Jul 2023 02:21:41 +0000
Subject: [PATCH] Update password check for WAPI
Do not allow arbitrarily large passwords.
Bug: 275339978
Test: compile
(cherry picked from commit 38707fb4ff1405663cc24affc95244f4cc830499)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36deae20de1a8905e6cc72764e449b2d6e469f9e)
Merged-In: I15f3aff373af56c253a50c308d886a7acf661e59
Change-Id: I15f3aff373af56c253a50c308d886a7acf661e59
---
.../server/wifi/WifiConfigurationUtil.java | 22 +++++++++++++------
.../wifi/WifiConfigurationUtilTest.java | 3 ++-
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/service/java/com/android/server/wifi/WifiConfigurationUtil.java b/service/java/com/android/server/wifi/WifiConfigurationUtil.java
index 9e8b660374..40837ff703 100644
--- a/service/java/com/android/server/wifi/WifiConfigurationUtil.java
+++ b/service/java/com/android/server/wifi/WifiConfigurationUtil.java
@@ -467,7 +467,8 @@ private static boolean validateBssid(String bssid) {
return true;
}
- private static boolean validatePassword(String password, boolean isAdd, boolean isSae) {
+ private static boolean validatePassword(String password, boolean isAdd, boolean isSae,
+ boolean isWapi) {
if (isAdd) {
if (password == null) {
Log.e(TAG, "validatePassword: null string");
@@ -509,7 +510,14 @@ private static boolean validatePassword(String password, boolean isAdd, boolean
}
} else {
// HEX PSK string
- if (password.length() != PSK_SAE_HEX_LEN) {
+ if (isWapi) {
+ // Protect system against malicious actors injecting arbitrarily large passwords.
+ if (password.length() > 100) {
+ Log.e(TAG, "validatePassword failed: WAPI hex string too long: "
+ + password.length());
+ return false;
+ }
+ } else if (password.length() != PSK_SAE_HEX_LEN) {
Log.e(TAG, "validatePassword failed: hex string size mismatch: "
+ password.length());
return false;
@@ -713,15 +721,15 @@ public static boolean validate(WifiConfiguration config, long supportedFeatureSe
return false;
}
if (config.isSecurityType(WifiConfiguration.SECURITY_TYPE_PSK)
- && !validatePassword(config.preSharedKey, isAdd, false)) {
+ && !validatePassword(config.preSharedKey, isAdd, false, false)) {
return false;
}
if (config.isSecurityType(WifiConfiguration.SECURITY_TYPE_SAE)
- && !validatePassword(config.preSharedKey, isAdd, true)) {
+ && !validatePassword(config.preSharedKey, isAdd, true, false)) {
return false;
}
if (config.isSecurityType(WifiConfiguration.SECURITY_TYPE_WAPI_PSK)
- && !validatePassword(config.preSharedKey, isAdd, false)) {
+ && !validatePassword(config.preSharedKey, isAdd, false, true)) {
return false;
}
if (config.isSecurityType(WifiConfiguration.SECURITY_TYPE_DPP)
@@ -880,11 +888,11 @@ public static boolean validateNetworkSpecifier(WifiNetworkSpecifier specifier) {
return false;
}
if (config.isSecurityType(WifiConfiguration.SECURITY_TYPE_PSK)
- && !validatePassword(config.preSharedKey, true, false)) {
+ && !validatePassword(config.preSharedKey, true, false, false)) {
return false;
}
if (config.isSecurityType(WifiConfiguration.SECURITY_TYPE_SAE)
- && !validatePassword(config.preSharedKey, true, true)) {
+ && !validatePassword(config.preSharedKey, true, true, false)) {
return false;
}
// TBD: Validate some enterprise params as well in the future here.
diff --git a/service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationUtilTest.java b/service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationUtilTest.java
index 7cabcd873a..b505c0c0d3 100644
--- a/service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationUtilTest.java
+++ b/service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationUtilTest.java
@@ -466,7 +466,8 @@ public void testValidateNegativeCases_BadHexPskLengthWapi() {
assertTrue(WifiConfigurationUtil.validate(config, SUPPORTED_FEATURES_ALL,
WifiConfigurationUtil.VALIDATE_FOR_ADD));
- config.preSharedKey = "abcd123456788990013453445345465465476546";
+ config.preSharedKey = "01234567890123456789012345678901234567890123456789012345678901234567"
+ + "890123456789012345678901234567890";
assertFalse(WifiConfigurationUtil.validate(config, SUPPORTED_FEATURES_ALL,
WifiConfigurationUtil.VALIDATE_FOR_ADD));
config.preSharedKey = "";

28
Scripts/LineageOS-20.0/Patch.sh
View File

@ -97,7 +97,7 @@ applyPatch "$DOS_PATCHES/android_build/0004-Selective_APEX.patch"; #Only enable
sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_util.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
#sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
sed -i 's/2023-08-05/2023-09-01/' core/version_defaults.mk; #Bump Security String #XXX
sed -i 's/2023-09-05/2023-10-01/' core/version_defaults.mk; #Bump Security String #XXX ASB-2023-10
fi;
if enterAndClear "build/soong"; then
@ -127,7 +127,16 @@ if enterAndClear "external/libvpx"; then
applyPatch "$DOS_PATCHES_COMMON/android_external_libvpx/CVE-2023-5217.patch"; #VP8: disallow thread count changes
fi;
if enterAndClear "external/libxml2"; then
git am $DOS_PATCHES/ASB-2023-10/libxml-*.patch;
fi;
if enterAndClear "frameworks/av"; then
git am $DOS_PATCHES/ASB-2023-10/av-*.patch;
fi;
if enterAndClear "frameworks/base"; then
git am $DOS_PATCHES/ASB-2023-10/base-*.patch;
git revert --no-edit d36faad3267522c6d3ff91ba9dcca8f6274bccd1; #Reverts "JobScheduler: Respect allow-in-power-save perm" in favor of below patch
git revert --no-edit 90d6826548189ca850d91692e71fcc1be426f453; #Reverts "Remove sensitive info from SUPL requests" in favor of below patch
applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
@ -218,6 +227,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_libs_systemui/0001-Icon_Cache.patch"
fi;
if enterAndClear "frameworks/native"; then
git am $DOS_PATCHES/ASB-2023-10/native-*.patch;
applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors_Permission.patch"; #Require OTHER_SENSORS permission for sensors (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors_Permission-a1.patch"; #Protect step sensors with OTHER_SENSORS permission for targetSdk<29 apps (GrapheneOS)
fi;
@ -306,6 +316,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_OpenEUICC/0001-hacky-fix.patch";
fi;
if enterAndClear "packages/apps/Settings"; then
git am $DOS_PATCHES/ASB-2023-10/settings-*.patch;
git revert --no-edit 41b4ed345a91da1dd46c00ee11a151c2b5ff4f43;
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0004-Private_DNS.patch"; #More 'Private DNS' options (heavily based off of a CalyxOS patch)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0005-Automatic_Reboot.patch"; #Timeout for reboot (GrapheneOS)
@ -334,6 +345,7 @@ git revert --no-edit fcf658d2005dc557a95d5a7fb89cb90d06b31d33; #grant permission
fi;
if enterAndClear "packages/apps/Trebuchet"; then
git am $DOS_PATCHES/ASB-2023-10/launcher-*.patch;
cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed
fi;
@ -349,6 +361,10 @@ applyPatch "$DOS_PATCHES/android_packages_inputmethods_LatinIME/0001-Voice.patch
applyPatch "$DOS_PATCHES/android_packages_inputmethods_LatinIME/0002-Disable_Personalization.patch"; #Disable personalization dictionary by default (GrapheneOS)
fi;
if enterAndClear "packages/modules/Bluetooth"; then
git am $DOS_PATCHES/ASB-2023-10/bluetooth-*.patch;
fi;
if enterAndClear "packages/modules/Connectivity"; then
applyPatch "$DOS_PATCHES/android_packages_modules_Connectivity/0001-Network_Permission-1.patch"; #Skip reportNetworkConnectivity() when permission is revoked (GrapheneOS)
applyPatch "$DOS_PATCHES/android_packages_modules_Connectivity/0001-Network_Permission-2.patch"; #Enforce INTERNET permission per-uid instead of per-appId (GrapheneOS)
@ -375,6 +391,7 @@ applyPatch "$DOS_PATCHES/android_packages_modules_Permission/0006-Location_Indic
fi;
if enterAndClear "packages/modules/Wifi"; then
git am $DOS_PATCHES/ASB-2023-10/wifi-*.patch;
applyPatch "$DOS_PATCHES/android_packages_modules_Wifi/344228.patch"; #wifi: resurrect mWifiLinkLayerStatsSupported counter (sassmann)
applyPatch "$DOS_PATCHES/android_packages_modules_Wifi/0001-Random_MAC.patch"; #Add support for always generating new random MAC (GrapheneOS)
fi;
@ -383,10 +400,19 @@ if enterAndClear "packages/providers/DownloadProvider"; then
applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
fi;
if enterAndClear "packages/providers/MediaProvider"; then
git am $DOS_PATCHES/ASB-2023-10/mediaprovider-*.patch;
fi;
#if enterAndClear "packages/providers/TelephonyProvider"; then
#cp $DOS_PATCHES_COMMON/android_packages_providers_TelephonyProvider/carrier_list.* assets/latest_carrier_id/;
#fi;
if enterAndClear "packages/services/Telecomm"; then
git am $DOS_PATCHES/ASB-2023-10/telecomm-*.patch;
fi;
if enterAndClear "system/ca-certificates"; then
rm -rf files; #Remove old certs
cp -r "$DOS_PATCHES_COMMON/android_system_ca-certificates/files" .; #Copy the new ones into place