15.1: February ASB work

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-15.1/android_frameworks_av/381886.patch

@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ashish Kumar Gupta <kumarashishg@google.com>
+Date: Tue, 21 Nov 2023 08:48:43 +0530
+Subject: [PATCH] Update mtp packet buffer
+
+Currently, the buffer size is not changed when the packet size is increased. Ideally, the buffer size should be larger than the packet size. In our case, when the packet size is increased, we must reallocate the buffer of MTP packet.
+
+Bug: 300007708
+Test: build and flash the device. Check MTP works
+Test: run fuzzer locally
+(cherry picked from commit e1494a2d8e7eee25d7ea5469be43740e97294c99)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c0f99beb6fa5ff920caf5b0d06aaebc8e9eab24)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:edf60c63243903b9f27f58f4954c599470d011fd)
+Merged-In: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
+Change-Id: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
+---
+ media/mtp/MtpPacket.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/media/mtp/MtpPacket.cpp b/media/mtp/MtpPacket.cpp
+index 917967cf17..d7567141d6 100644
+--- a/media/mtp/MtpPacket.cpp
++++ b/media/mtp/MtpPacket.cpp
+@@ -168,8 +168,10 @@ void MtpPacket::setParameter(int index, uint32_t value) {
+         return;
+     }
+     int offset = MTP_CONTAINER_PARAMETER_OFFSET + (index - 1) * sizeof(uint32_t);
+-    if (mPacketSize < offset + sizeof(uint32_t))
++    if (mPacketSize < offset + sizeof(uint32_t)) {
+         mPacketSize = offset + sizeof(uint32_t);
++        allocate(mPacketSize);
++    }
+     putUInt32(offset, value);
+ }
+ 

Patches/LineageOS-15.1/android_frameworks_base/381889-backport.patch

@@ -0,0 +1,110 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabi=C3=A1n=20Kozynski?= <kozynski@google.com>
+Date: Fri, 13 Oct 2023 16:19:27 -0400
+Subject: [PATCH] Unbind TileService onNullBinding
+
+Test: atest TileLifecycleManagerTest
+Test: manual: adb shell dumpsys activity service
+Test: sts test
+Bug: 300903792
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bf830ca0df71496cd47563e138b8712918e0476)
+Merged-In: Ia8126ac65432b124683960e3ebf47301ba6172a1
+Change-Id: Ia8126ac65432b124683960e3ebf47301ba6172a1
+---
+ .../qs/external/TileLifecycleManager.java     |  5 +++
+ .../qs/external/TileLifecycleManagerTest.java | 33 ++++++++++++++++---
+ 2 files changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
+index 867f3b43d2af..3ed0d9d65d0e 100644
+--- a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
++++ b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
+@@ -193,6 +193,11 @@ public class TileLifecycleManager extends BroadcastReceiver implements
+         handlePendingMessages();
+     }
+ 
++    @Override
++    public void onNullBinding(ComponentName name) {
++        setBindService(false);
++    }
++
+     @Override
+     public void onServiceDisconnected(ComponentName name) {
+         if (DEBUG) Log.d(TAG, "onServiceDisconnected " + name);
+diff --git a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
+index 66ec7dd3f270..36f0a48374d4 100644
+--- a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
++++ b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
+@@ -22,13 +22,16 @@ import static org.junit.Assert.assertEquals;
+ import static org.mockito.Mockito.any;
+ import static org.mockito.Mockito.anyInt;
+ import static org.mockito.Mockito.anyString;
++import static org.mockito.Mockito.mock;
+ import static org.mockito.Mockito.never;
+ import static org.mockito.Mockito.times;
+ import static org.mockito.Mockito.verify;
+ import static org.mockito.Mockito.when;
+ 
+ import android.content.ComponentName;
++import android.content.Context;
+ import android.content.Intent;
++import android.content.ServiceConnection;
+ import android.content.pm.PackageInfo;
+ import android.content.pm.ServiceInfo;
+ import android.net.Uri;
+@@ -49,7 +52,7 @@ import org.junit.After;
+ import org.junit.Before;
+ import org.junit.Test;
+ import org.junit.runner.RunWith;
+-import org.mockito.Mockito;
++import org.mockito.ArgumentCaptor;
+ 
+ @SmallTest
+ @RunWith(AndroidJUnit4.class)
+@@ -57,8 +60,8 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
+     private static final int TEST_FAIL_TIMEOUT = 5000;
+ 
+     private final PackageManagerAdapter mMockPackageManagerAdapter =
+-            Mockito.mock(PackageManagerAdapter.class);
+-    private final IQSTileService.Stub mMockTileService = Mockito.mock(IQSTileService.Stub.class);
++            mock(PackageManagerAdapter.class);
++    private final IQSTileService.Stub mMockTileService = mock(IQSTileService.Stub.class);
+     private ComponentName mTileServiceComponentName;
+     private Intent mTileServiceIntent;
+     private UserHandle mUser;
+@@ -83,7 +86,7 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
+         mThread.start();
+         mHandler = new Handler(mThread.getLooper());
+         mStateManager = new TileLifecycleManager(mHandler, mContext,
+-                Mockito.mock(IQSService.class), new Tile(),
++                mock(IQSService.class), new Tile(),
+                 mTileServiceIntent,
+                 mUser,
+                 mMockPackageManagerAdapter);
+@@ -236,4 +239,26 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
+         verifyBind(2);
+         verify(mMockTileService, times(2)).onStartListening();
+     }
++
++    @Test
++    public void testNullBindingCallsUnbind() {
++        Context mockContext = mock(Context.class);
++        // Binding has to succeed
++        when(mockContext.bindServiceAsUser(any(), any(), anyInt(), any())).thenReturn(true);
++        TileLifecycleManager manager = new TileLifecycleManager(mHandler, mockContext,
++                mock(IQSService.class),
++                new Tile(),
++                mTileServiceIntent,
++                mUser,
++                mMockPackageManagerAdapter,
++                mMockBroadcastDispatcher);
++
++        manager.setBindService(true);
++
++        ArgumentCaptor<ServiceConnection> captor = ArgumentCaptor.forClass(ServiceConnection.class);
++        verify(mockContext).bindServiceAsUser(any(), captor.capture(), anyInt(), any());
++
++        captor.getValue().onNullBinding(mTileServiceComponentName);
++        verify(mockContext).unbindService(captor.getValue());
++    }
+ }

Patches/LineageOS-15.1/android_system_bt/381894-backport.patch

@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Wed, 29 Nov 2023 00:53:33 +0000
+Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and
+ attp_build_value_cmd
+
+this is a backport of Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
+
+Bug: 276898739
+Test: manual
+Tag: #security
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e)
+Merged-In: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
+Change-Id: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
+---
+ btif/src/btif_gatt_util.cc | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/btif/src/btif_gatt_util.cc b/btif/src/btif_gatt_util.cc
+index 97459179b..9127069ff 100644
+--- a/btif/src/btif_gatt_util.cc
++++ b/btif/src/btif_gatt_util.cc
+@@ -18,6 +18,8 @@
+ 
+ #define LOG_TAG "bt_btif_gatt"
+ 
++#include <algorithm>
++
+ #include "btif_gatt_util.h"
+ 
+ #include <errno.h>
+@@ -99,9 +101,9 @@ void btif_to_bta_uuid(tBT_UUID* p_dest, const bt_uuid_t* p_src) {
+ void btif_to_bta_response(tBTA_GATTS_RSP* p_dest, btgatt_response_t* p_src) {
+   p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
+   p_dest->attr_value.handle = p_src->attr_value.handle;
+-  p_dest->attr_value.len = p_src->attr_value.len;
++  p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
+   p_dest->attr_value.offset = p_src->attr_value.offset;
+-  memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
++  memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
+ }
+ 
+ void btif_to_bta_uuid_mask(tBTM_BLE_PF_COND_MASK* p_mask,

Patches/LineageOS-15.1/android_system_bt/381895.patch

@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Wed, 29 Nov 2023 18:23:53 +0000
+Subject: [PATCH] Fix an OOB write bug in attp_build_read_by_type_value_cmd
+
+This is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e
+
+Bug: 297524203
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)
+Merged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181
+Change-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181
+---
+ stack/gatt/att_protocol.cc | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
+index ce809d04e..35be063ee 100644
+--- a/stack/gatt/att_protocol.cc
++++ b/stack/gatt/att_protocol.cc
+@@ -156,8 +156,14 @@ BT_HDR* attp_build_read_by_type_value_cmd(uint16_t payload_size,
+                                           tGATT_FIND_TYPE_VALUE* p_value_type) {
+   uint8_t* p;
+   uint16_t len = p_value_type->value_len;
+-  BT_HDR* p_buf =
+-      (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
++  BT_HDR* p_buf = nullptr;
++
++  if (payload_size < 5) {
++    return nullptr;
++  }
++
++  p_buf =
++  (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
+ 
+   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
+   p_buf->offset = L2CAP_MIN_OFFSET;

Scripts/LineageOS-15.1/Patch.sh

@@ -74,7 +74,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
 applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2024-01-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -151,6 +151,7 @@ if enterAndClear "frameworks/av"; then
 applyPatch "$DOS_PATCHES/android_frameworks_av/358729.patch"; #n-asb-2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
 applyPatch "$DOS_PATCHES/android_frameworks_av/365962.patch"; #R_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
 applyPatch "$DOS_PATCHES/android_frameworks_av/373949.patch"; #R_asb_2023-11 Fix for heap buffer overflow issue flagged by fuzzer test.
+applyPatch "$DOS_PATCHES/android_frameworks_av/381886.patch"; #R_asb_2024-02 Update mtp packet buffer
 fi;
 
 if enterAndClear "frameworks/base"; then
@@ -233,6 +234,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/379148-backport.patch"; #R_asb_
 applyPatch "$DOS_PATCHES/android_frameworks_base/379149-backport.patch"; #R_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target
 applyPatch "$DOS_PATCHES/android_frameworks_base/379150.patch"; #R_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities
 applyPatch "$DOS_PATCHES/android_frameworks_base/379136.patch"; #R_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
+#applyPatch "$DOS_PATCHES/android_frameworks_base/381889-backport.patch"; #R_asb_2024-02 Unbind TileService onNullBinding #XXX: TileLifecycleManager.java:197.17: The method onNullBinding(ComponentName) of type TileLifecycleManager must override or implement a supertype method
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
@@ -500,6 +502,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/377031.patch"; #R_asb_2023-12 BT: Fix
 applyPatch "$DOS_PATCHES/android_system_bt/379154-prereq-1.patch"; #R_asb_2024-01 Fix addr_type overriding by btm_ble_process_adv_addr().
 applyPatch "$DOS_PATCHES/android_system_bt/379154-prereq-2.patch"; #R_asb_2024-01 LE Advertising Report parsing enhancements
 applyPatch "$DOS_PATCHES/android_system_bt/379154.patch"; #R_asb_2024-01 Fix some OOB errors in BTM parsing
+applyPatch "$DOS_PATCHES/android_system_bt/381894-backport.patch"; #R_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
+applyPatch "$DOS_PATCHES/android_system_bt/381895.patch"; #R_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
 fi;
 
 if enterAndClear "system/ca-certificates"; then