15.1: February ASB work

Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
Tavi 2024-02-09 00:44:27 -05:00
parent d90b84321d
commit af57acc085
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
5 changed files with 232 additions and 1 deletions

View File

@ -0,0 +1,35 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ashish Kumar Gupta <kumarashishg@google.com>
Date: Tue, 21 Nov 2023 08:48:43 +0530
Subject: [PATCH] Update mtp packet buffer
Currently, the buffer size is not changed when the packet size is increased. Ideally, the buffer size should be larger than the packet size. In our case, when the packet size is increased, we must reallocate the buffer of MTP packet.
Bug: 300007708
Test: build and flash the device. Check MTP works
Test: run fuzzer locally
(cherry picked from commit e1494a2d8e7eee25d7ea5469be43740e97294c99)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c0f99beb6fa5ff920caf5b0d06aaebc8e9eab24)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:edf60c63243903b9f27f58f4954c599470d011fd)
Merged-In: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
Change-Id: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
---
media/mtp/MtpPacket.cpp | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/media/mtp/MtpPacket.cpp b/media/mtp/MtpPacket.cpp
index 917967cf17..d7567141d6 100644
--- a/media/mtp/MtpPacket.cpp
+++ b/media/mtp/MtpPacket.cpp
@@ -168,8 +168,10 @@ void MtpPacket::setParameter(int index, uint32_t value) {
return;
}
int offset = MTP_CONTAINER_PARAMETER_OFFSET + (index - 1) * sizeof(uint32_t);
- if (mPacketSize < offset + sizeof(uint32_t))
+ if (mPacketSize < offset + sizeof(uint32_t)) {
mPacketSize = offset + sizeof(uint32_t);
+ allocate(mPacketSize);
+ }
putUInt32(offset, value);
}

View File

@ -0,0 +1,110 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabi=C3=A1n=20Kozynski?= <kozynski@google.com>
Date: Fri, 13 Oct 2023 16:19:27 -0400
Subject: [PATCH] Unbind TileService onNullBinding
Test: atest TileLifecycleManagerTest
Test: manual: adb shell dumpsys activity service
Test: sts test
Bug: 300903792
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bf830ca0df71496cd47563e138b8712918e0476)
Merged-In: Ia8126ac65432b124683960e3ebf47301ba6172a1
Change-Id: Ia8126ac65432b124683960e3ebf47301ba6172a1
---
.../qs/external/TileLifecycleManager.java | 5 +++
.../qs/external/TileLifecycleManagerTest.java | 33 ++++++++++++++++---
2 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
index 867f3b43d2af..3ed0d9d65d0e 100644
--- a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
+++ b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
@@ -193,6 +193,11 @@ public class TileLifecycleManager extends BroadcastReceiver implements
handlePendingMessages();
}
+ @Override
+ public void onNullBinding(ComponentName name) {
+ setBindService(false);
+ }
+
@Override
public void onServiceDisconnected(ComponentName name) {
if (DEBUG) Log.d(TAG, "onServiceDisconnected " + name);
diff --git a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
index 66ec7dd3f270..36f0a48374d4 100644
--- a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
+++ b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
@@ -22,13 +22,16 @@ import static org.junit.Assert.assertEquals;
import static org.mockito.Mockito.any;
import static org.mockito.Mockito.anyInt;
import static org.mockito.Mockito.anyString;
+import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import android.content.ComponentName;
+import android.content.Context;
import android.content.Intent;
+import android.content.ServiceConnection;
import android.content.pm.PackageInfo;
import android.content.pm.ServiceInfo;
import android.net.Uri;
@@ -49,7 +52,7 @@ import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
-import org.mockito.Mockito;
+import org.mockito.ArgumentCaptor;
@SmallTest
@RunWith(AndroidJUnit4.class)
@@ -57,8 +60,8 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
private static final int TEST_FAIL_TIMEOUT = 5000;
private final PackageManagerAdapter mMockPackageManagerAdapter =
- Mockito.mock(PackageManagerAdapter.class);
- private final IQSTileService.Stub mMockTileService = Mockito.mock(IQSTileService.Stub.class);
+ mock(PackageManagerAdapter.class);
+ private final IQSTileService.Stub mMockTileService = mock(IQSTileService.Stub.class);
private ComponentName mTileServiceComponentName;
private Intent mTileServiceIntent;
private UserHandle mUser;
@@ -83,7 +86,7 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
mThread.start();
mHandler = new Handler(mThread.getLooper());
mStateManager = new TileLifecycleManager(mHandler, mContext,
- Mockito.mock(IQSService.class), new Tile(),
+ mock(IQSService.class), new Tile(),
mTileServiceIntent,
mUser,
mMockPackageManagerAdapter);
@@ -236,4 +239,26 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
verifyBind(2);
verify(mMockTileService, times(2)).onStartListening();
}
+
+ @Test
+ public void testNullBindingCallsUnbind() {
+ Context mockContext = mock(Context.class);
+ // Binding has to succeed
+ when(mockContext.bindServiceAsUser(any(), any(), anyInt(), any())).thenReturn(true);
+ TileLifecycleManager manager = new TileLifecycleManager(mHandler, mockContext,
+ mock(IQSService.class),
+ new Tile(),
+ mTileServiceIntent,
+ mUser,
+ mMockPackageManagerAdapter,
+ mMockBroadcastDispatcher);
+
+ manager.setBindService(true);
+
+ ArgumentCaptor<ServiceConnection> captor = ArgumentCaptor.forClass(ServiceConnection.class);
+ verify(mockContext).bindServiceAsUser(any(), captor.capture(), anyInt(), any());
+
+ captor.getValue().onNullBinding(mTileServiceComponentName);
+ verify(mockContext).unbindService(captor.getValue());
+ }
}

View File

@ -0,0 +1,44 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 29 Nov 2023 00:53:33 +0000
Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and
attp_build_value_cmd
this is a backport of Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
Bug: 276898739
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e)
Merged-In: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
Change-Id: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
---
btif/src/btif_gatt_util.cc | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/btif/src/btif_gatt_util.cc b/btif/src/btif_gatt_util.cc
index 97459179b..9127069ff 100644
--- a/btif/src/btif_gatt_util.cc
+++ b/btif/src/btif_gatt_util.cc
@@ -18,6 +18,8 @@
#define LOG_TAG "bt_btif_gatt"
+#include <algorithm>
+
#include "btif_gatt_util.h"
#include <errno.h>
@@ -99,9 +101,9 @@ void btif_to_bta_uuid(tBT_UUID* p_dest, const bt_uuid_t* p_src) {
void btif_to_bta_response(tBTA_GATTS_RSP* p_dest, btgatt_response_t* p_src) {
p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
p_dest->attr_value.handle = p_src->attr_value.handle;
- p_dest->attr_value.len = p_src->attr_value.len;
+ p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
p_dest->attr_value.offset = p_src->attr_value.offset;
- memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
+ memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
}
void btif_to_bta_uuid_mask(tBTM_BLE_PF_COND_MASK* p_mask,

View File

@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 29 Nov 2023 18:23:53 +0000
Subject: [PATCH] Fix an OOB write bug in attp_build_read_by_type_value_cmd
This is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e
Bug: 297524203
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)
Merged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181
Change-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181
---
stack/gatt/att_protocol.cc | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
index ce809d04e..35be063ee 100644
--- a/stack/gatt/att_protocol.cc
+++ b/stack/gatt/att_protocol.cc
@@ -156,8 +156,14 @@ BT_HDR* attp_build_read_by_type_value_cmd(uint16_t payload_size,
tGATT_FIND_TYPE_VALUE* p_value_type) {
uint8_t* p;
uint16_t len = p_value_type->value_len;
- BT_HDR* p_buf =
- (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
+ BT_HDR* p_buf = nullptr;
+
+ if (payload_size < 5) {
+ return nullptr;
+ }
+
+ p_buf =
+ (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
p_buf->offset = L2CAP_MIN_OFFSET;

View File

@ -74,7 +74,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
sed -i 's/2021-10-05/2024-01-05/' core/version_defaults.mk; #Bump Security String #XXX
sed -i 's/2021-10-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #XXX
fi;
if enterAndClear "build/soong"; then
@ -151,6 +151,7 @@ if enterAndClear "frameworks/av"; then
applyPatch "$DOS_PATCHES/android_frameworks_av/358729.patch"; #n-asb-2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
applyPatch "$DOS_PATCHES/android_frameworks_av/365962.patch"; #R_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
applyPatch "$DOS_PATCHES/android_frameworks_av/373949.patch"; #R_asb_2023-11 Fix for heap buffer overflow issue flagged by fuzzer test.
applyPatch "$DOS_PATCHES/android_frameworks_av/381886.patch"; #R_asb_2024-02 Update mtp packet buffer
fi;
if enterAndClear "frameworks/base"; then
@ -233,6 +234,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/379148-backport.patch"; #R_asb_
applyPatch "$DOS_PATCHES/android_frameworks_base/379149-backport.patch"; #R_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target
applyPatch "$DOS_PATCHES/android_frameworks_base/379150.patch"; #R_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities
applyPatch "$DOS_PATCHES/android_frameworks_base/379136.patch"; #R_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
#applyPatch "$DOS_PATCHES/android_frameworks_base/381889-backport.patch"; #R_asb_2024-02 Unbind TileService onNullBinding #XXX: TileLifecycleManager.java:197.17: The method onNullBinding(ComponentName) of type TileLifecycleManager must override or implement a supertype method
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
@ -500,6 +502,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/377031.patch"; #R_asb_2023-12 BT: Fix
applyPatch "$DOS_PATCHES/android_system_bt/379154-prereq-1.patch"; #R_asb_2024-01 Fix addr_type overriding by btm_ble_process_adv_addr().
applyPatch "$DOS_PATCHES/android_system_bt/379154-prereq-2.patch"; #R_asb_2024-01 LE Advertising Report parsing enhancements
applyPatch "$DOS_PATCHES/android_system_bt/379154.patch"; #R_asb_2024-01 Fix some OOB errors in BTM parsing
applyPatch "$DOS_PATCHES/android_system_bt/381894-backport.patch"; #R_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
applyPatch "$DOS_PATCHES/android_system_bt/381895.patch"; #R_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
fi;
if enterAndClear "system/ca-certificates"; then