Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-06-26 06:32:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

15.1 January ASB work

Browse Source 
+ a missing patch from 2019-08

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2023-01-08 15:36:00 -05:00
parent 57d951ccb5
commit b143ffcd8b
No known key found for this signature in database
GPG Key ID: B286E9F57A07424B
15 changed files with 1335 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
Patches/LineageOS-15.1/android_frameworks_base/346949.patch Normal file
View File

@ -0,0 +1,68 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Norman <danielnorman@google.com>
Date: Wed, 5 Oct 2022 16:28:20 -0700
Subject: [PATCH] RESTRICT AUTOMERGE Disable all A11yServices from an
uninstalled package.
Previous logic would exit the loop after removing the first service
matching the uninstalled package.
Bug: 243378132
Test: atest AccessibilityEndToEndTest
Test: m sts;
sts-tradefed run sts-dynamic-develop -m \
CtsAccessibilityServiceTestCases
Change-Id: I4ba30345d8600674ee8a9ea3ff411aecbf3655a3
(cherry picked from commit 37966299859153377e61a6a97b036388d231c2d0)
Merged-In: I4ba30345d8600674ee8a9ea3ff411aecbf3655a3
---
.../AccessibilityManagerService.java | 30 ++++++++++---------
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
index 4859ffea870b..620db7345fab 100644
--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
@@ -345,26 +345,28 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
}
UserState userState = getUserStateLocked(userId);
Iterator<ComponentName> it = userState.mEnabledServices.iterator();
+ boolean anyServiceRemoved = false;
while (it.hasNext()) {
ComponentName comp = it.next();
String compPkg = comp.getPackageName();
if (compPkg.equals(packageName)) {
it.remove();
- // Update the enabled services setting.
- persistComponentNamesToSettingLocked(
- Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
- userState.mEnabledServices, userId);
- // Update the touch exploration granted services setting.
userState.mTouchExplorationGrantedServices.remove(comp);
- persistComponentNamesToSettingLocked(
- Settings.Secure.
- TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
- userState.mTouchExplorationGrantedServices, userId);
- // We will update when the automation service dies.
- if (!userState.isUiAutomationSuppressingOtherServices()) {
- onUserStateChangedLocked(userState);
- }
- return;
+ anyServiceRemoved = true;
+ }
+ }
+ if (anyServiceRemoved) {
+ // Update the enabled services setting.
+ persistComponentNamesToSettingLocked(
+ Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
+ userState.mEnabledServices, userId);
+ // Update the touch exploration granted services setting.
+ persistComponentNamesToSettingLocked(
+ Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
+ userState.mTouchExplorationGrantedServices, userId);
+ // We will update when the automation service dies.
+ if (!userState.isUiAutomationSuppressingOtherServices()) {
+ onUserStateChangedLocked(userState);
}
}
}

86
Patches/LineageOS-15.1/android_frameworks_base/347044.patch Normal file
View File

@ -0,0 +1,86 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Yuri Lin <yurilin@google.com>
Date: Tue, 13 Sep 2022 12:53:19 -0400
Subject: [PATCH] Limit lengths of fields in Condition to a max length.
This app-generated input needs to not be too long to avoid errors in the process of writing to disk.
Bug: 242846316
Test: cts ConditionTest; atest ConditionTest; manually verified exploit apk is OK
Change-Id: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
Merged-In: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
(cherry picked from commit 81352c3775949c622441e10b468766441e35edc7)
(cherry picked from commit 5cb217fff3bc7184bd776a9dc2991e7fce5e25bd)
Merged-In: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
---
.../service/notification/Condition.java | 38 +++++++++++++++++--
1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/core/java/android/service/notification/Condition.java b/core/java/android/service/notification/Condition.java
index 447afe62fd1a..5f65d401600a 100644
--- a/core/java/android/service/notification/Condition.java
+++ b/core/java/android/service/notification/Condition.java
@@ -94,6 +94,12 @@ public final class Condition implements Parcelable {
@SystemApi
public final int icon;
+ /**
+ * The maximum string length for any string contained in this condition.
+ * @hide
+ */
+ public static final int MAX_STRING_LENGTH = 1000;
+
/**
* An object representing the current state of a {@link android.app.AutomaticZenRule}.
* @param id the {@link android.app.AutomaticZenRule#getConditionId()} of the zen rule
@@ -109,16 +115,19 @@ public final class Condition implements Parcelable {
if (id == null) throw new IllegalArgumentException("id is required");
if (summary == null) throw new IllegalArgumentException("summary is required");
if (!isValidState(state)) throw new IllegalArgumentException("state is invalid: " + state);
- this.id = id;
- this.summary = summary;
- this.line1 = line1;
- this.line2 = line2;
+ this.id = getTrimmedUri(id);
+ this.summary = getTrimmedString(summary);
+ this.line1 = getTrimmedString(line1);
+ this.line2 = getTrimmedString(line2);
this.icon = icon;
this.state = state;
this.flags = flags;
}
public Condition(Parcel source) {
+ // This constructor passes all fields directly into the constructor that takes all the
+ // fields as arguments; that constructor will trim each of the input strings to
+ // max length if necessary.
this((Uri)source.readParcelable(Condition.class.getClassLoader()),
source.readString(),
source.readString(),
@@ -234,4 +243,25 @@ public final class Condition implements Parcelable {
return new Condition[size];
}
};
+
+ /**
+ * Returns a truncated copy of the string if the string is longer than MAX_STRING_LENGTH.
+ */
+ private static String getTrimmedString(String input) {
+ if (input != null && input.length() > MAX_STRING_LENGTH) {
+ return input.substring(0, MAX_STRING_LENGTH);
+ }
+ return input;
+ }
+
+ /**
+ * Returns a truncated copy of the Uri by trimming the string representation to the maximum
+ * string length.
+ */
+ private static Uri getTrimmedUri(Uri input) {
+ if (input != null && input.toString().length() > MAX_STRING_LENGTH) {
+ return Uri.parse(getTrimmedString(input.toString()));
+ }
+ return input;
+ }
}

35
Patches/LineageOS-15.1/android_frameworks_base/347046.patch Normal file
View File

@ -0,0 +1,35 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Yuri Lin <yurilin@google.com>
Date: Wed, 12 Oct 2022 14:27:46 +0000
Subject: [PATCH] Fix conditionId string trimming in AutomaticZenRule
This change only applies to S branches and earlier.
Bug: 253085433
Bug: 242703460
Bug: 242703505
Bug: 242703780
Bug: 242704043
Bug: 243794204
Test: AutomaticZenRuleTest
Change-Id: Iae423d93b777df8946ecf1c3baf640fcf74990ec
Merged-In: Iae423d93b777df8946ecf1c3baf640fcf74990ec
(cherry picked from commit 303f6bde896877793370c1697fa8c8331b808e56)
Merged-In: Iae423d93b777df8946ecf1c3baf640fcf74990ec
---
core/java/android/app/AutomaticZenRule.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/java/android/app/AutomaticZenRule.java b/core/java/android/app/AutomaticZenRule.java
index 29dd91ec1ad6..5998ab6fdaf4 100644
--- a/core/java/android/app/AutomaticZenRule.java
+++ b/core/java/android/app/AutomaticZenRule.java
@@ -80,7 +80,7 @@ public final class AutomaticZenRule implements Parcelable {
name = getTrimmedString(source.readString());
}
interruptionFilter = source.readInt();
- conditionId = source.readParcelable(null);
+ conditionId = getTrimmedUri(source.readParcelable(null));
owner = getTrimmedComponentName(source.readParcelable(null));
creationTime = source.readLong();
}

234
Patches/LineageOS-15.1/android_frameworks_base/347047-backport.patch Normal file
View File

@ -0,0 +1,234 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Songchun Fan <schfan@google.com>
Date: Wed, 17 Aug 2022 09:37:18 -0700
Subject: [PATCH] mem limit should be checked before settings are updated
Previously, a setting is updated before the memory usage limit
check, which can be exploited by malicious apps and cause OoM DoS.
This CL changes the logic to checkMemLimit -> update -> updateMemUsage.
BUG: 239415861
Test: atest com.android.providers.settings.SettingsStateTest
(cherry picked from commit 8eeb92950f4a7012d4cf282106a1418fd211f475)
Merged-In: I20551a2dba9aa79efa0c064824f349f551c2c2e4
Change-Id: I20551a2dba9aa79efa0c064824f349f551c2c2e4
(cherry picked from commit d85a42821075ad80b931d904bdc9c1d4c3129456)
Merged-In: I20551a2dba9aa79efa0c064824f349f551c2c2e4
---
.../providers/settings/SettingsState.java | 75 ++++++++++++-------
.../providers/settings/SettingsStateTest.java | 43 ++++++++++-
2 files changed, 90 insertions(+), 28 deletions(-)
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
index 4151ada9ce80..0e94ea85919b 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
@@ -306,9 +306,11 @@ final class SettingsState {
Setting newSetting = new Setting(name, oldSetting.getValue(), null,
oldSetting.getPackageName(), oldSetting.getTag(), false,
oldSetting.getId());
- mSettings.put(name, newSetting);
- updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue,
+ int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue,
newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue());
+ checkNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize);
+ mSettings.put(name, newSetting);
+ updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize);
scheduleWriteIfNeededLocked();
}
}
@@ -323,6 +325,12 @@ final class SettingsState {
Setting oldState = mSettings.get(name);
String oldValue = (oldState != null) ? oldState.value : null;
String oldDefaultValue = (oldState != null) ? oldState.defaultValue : null;
+ String newDefaultValue = makeDefault ? value : oldDefaultValue;
+
+ int newSize = getNewMemoryUsagePerPackageLocked(packageName, oldValue, value,
+ oldDefaultValue, newDefaultValue);
+ checkNewMemoryUsagePerPackageLocked(packageName, newSize);
+
Setting newState;
if (oldState != null) {
@@ -337,8 +345,7 @@ final class SettingsState {
addHistoricalOperationLocked(HISTORICAL_OPERATION_UPDATE, newState);
- updateMemoryUsagePerPackageLocked(packageName, oldValue, value,
- oldDefaultValue, newState.getDefaultValue());
+ updateMemoryUsagePerPackageLocked(packageName, newSize);
scheduleWriteIfNeededLocked();
@@ -358,10 +365,11 @@ final class SettingsState {
}
Setting oldState = mSettings.remove(name);
-
- updateMemoryUsagePerPackageLocked(oldState.packageName, oldState.value,
+ int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName, oldState.value,
null, oldState.defaultValue, null);
+ updateMemoryUsagePerPackageLocked(oldState.packageName, newSize);
+
addHistoricalOperationLocked(HISTORICAL_OPERATION_DELETE, oldState);
scheduleWriteIfNeededLocked();
@@ -380,16 +388,18 @@ final class SettingsState {
Setting oldSetting = new Setting(setting);
String oldValue = setting.getValue();
String oldDefaultValue = setting.getDefaultValue();
+ String newValue = oldDefaultValue;
+ String newDefaultValue = oldDefaultValue;
+
+ int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, oldValue,
+ newValue, oldDefaultValue, newDefaultValue);
+ checkNewMemoryUsagePerPackageLocked(setting.packageName, newSize);
if (!setting.reset()) {
return false;
}
- String newValue = setting.getValue();
- String newDefaultValue = setting.getDefaultValue();
-
- updateMemoryUsagePerPackageLocked(setting.packageName, oldValue,
- newValue, oldDefaultValue, newDefaultValue);
+ updateMemoryUsagePerPackageLocked(setting.packageName, newSize);
addHistoricalOperationLocked(HISTORICAL_OPERATION_RESET, oldSetting);
@@ -492,38 +502,49 @@ final class SettingsState {
}
}
- private void updateMemoryUsagePerPackageLocked(String packageName, String oldValue,
- String newValue, String oldDefaultValue, String newDefaultValue) {
- if (mMaxBytesPerAppPackage == MAX_BYTES_PER_APP_PACKAGE_UNLIMITED) {
- return;
- }
+ private boolean isExemptFromMemoryUsageCap(String packageName) {
+ return mMaxBytesPerAppPackage == MAX_BYTES_PER_APP_PACKAGE_UNLIMITED
+ || SYSTEM_PACKAGE_NAME.equals(packageName);
+ }
- if (SYSTEM_PACKAGE_NAME.equals(packageName)) {
+ @GuardedBy("mLock")
+ private void checkNewMemoryUsagePerPackageLocked(String packageName, int newSize)
+ throws IllegalStateException {
+ if (isExemptFromMemoryUsageCap(packageName)) {
return;
}
+ if (newSize > mMaxBytesPerAppPackage) {
+ throw new IllegalStateException("You are adding too many system settings. "
+ + "You should stop using system settings for app specific data"
+ + " package: " + packageName);
+ }
+ }
+ @GuardedBy("mLock")
+ private int getNewMemoryUsagePerPackageLocked(String packageName, String oldValue,
+ String newValue, String oldDefaultValue, String newDefaultValue) {
+ if (isExemptFromMemoryUsageCap(packageName)) {
+ return 0;
+ }
+ final Integer currentSize = mPackageToMemoryUsage.get(packageName);
final int oldValueSize = (oldValue != null) ? oldValue.length() : 0;
final int newValueSize = (newValue != null) ? newValue.length() : 0;
final int oldDefaultValueSize = (oldDefaultValue != null) ? oldDefaultValue.length() : 0;
final int newDefaultValueSize = (newDefaultValue != null) ? newDefaultValue.length() : 0;
final int deltaSize = newValueSize + newDefaultValueSize
- oldValueSize - oldDefaultValueSize;
+ return Math.max((currentSize != null) ? currentSize + deltaSize : deltaSize, 0);
+ }
- Integer currentSize = mPackageToMemoryUsage.get(packageName);
- final int newSize = Math.max((currentSize != null)
- ? currentSize + deltaSize : deltaSize, 0);
-
- if (newSize > mMaxBytesPerAppPackage) {
- throw new IllegalStateException("You are adding too many system settings. "
- + "You should stop using system settings for app specific data"
- + " package: " + packageName);
+ @GuardedBy("mLock")
+ private void updateMemoryUsagePerPackageLocked(String packageName, int newSize) {
+ if (isExemptFromMemoryUsageCap(packageName)) {
+ return;
}
-
if (DEBUG) {
Slog.i(LOG_TAG, "Settings for package: " + packageName
+ " size: " + newSize + " bytes.");
}
-
mPackageToMemoryUsage.put(packageName, newSize);
}
diff --git a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
index 3f68554ffe87..6f45adef91f7 100644
--- a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
+++ b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
@@ -21,6 +21,8 @@ import android.util.Xml;
import org.xmlpull.v1.XmlSerializer;
+import com.google.common.base.Strings;
+
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
@@ -46,7 +48,6 @@ public class SettingsStateTest extends AndroidTestCase {
"\uD800ab\uDC00 " + // broken surrogate pairs
"日本語";
-
public void testIsBinary() {
assertFalse(SettingsState.isBinary(" abc 日本語"));
@@ -182,4 +183,44 @@ public class SettingsStateTest extends AndroidTestCase {
assertEquals("p2", s.getPackageName());
}
}
+
+ public void testInsertSetting_memoryUsage() {
+ final Object lock = new Object();
+ final File file = new File(getContext().getCacheDir(), "setting.xml");
+ final String settingName = "test_setting";
+
+ SettingsState settingsState = new SettingsState(getContext(), lock, file, 1,
+ SettingsState.MAX_BYTES_PER_APP_PACKAGE_UNLIMITED, Looper.getMainLooper());
+ // No exception should be thrown when there is no cap
+ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001),
+ null, false, "p1");
+ settingsState.deleteSettingLocked(settingName);
+
+ settingsState = new SettingsState(getContext(), lock, file, 1,
+ SettingsState.MAX_BYTES_PER_APP_PACKAGE_LIMITED, Looper.getMainLooper());
+ // System package doesn't have memory usage limit
+ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001),
+ null, false, "android");
+ settingsState.deleteSettingLocked(settingName);
+
+ // Should not throw if usage is under the cap
+ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19999),
+ null, false, "p1");
+ settingsState.deleteSettingLocked(settingName);
+ try {
+ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001),
+ null, false, "p1");
+ fail("Should throw because it exceeded per package memory usage");
+ } catch (IllegalStateException ex) {
+ assertTrue(ex.getMessage().contains("p1"));
+ }
+ try {
+ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001),
+ null, false, "p1");
+ fail("Should throw because it exceeded per package memory usage");
+ } catch (IllegalStateException ex) {
+ assertTrue(ex.getMessage().contains("p1"));
+ }
+ assertTrue(settingsState.getSettingLocked(settingName).isNull());
+ }
}

34
Patches/LineageOS-15.1/android_frameworks_base/347048-backport.patch Normal file
View File

@ -0,0 +1,34 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nate Myren <ntmyren@google.com>
Date: Wed, 26 Oct 2022 17:37:26 +0000
Subject: [PATCH] RESTRICT AUTOMERGE Revert "Revert "RESTRICT AUTOMERGE
Validate permission tree size..."
Revert submission 20285709-revert-20103164-permTree-qt-dev-QWIEBZIWEA
Reason for revert: resubmission
Reverted Changes:
I0a3b68aff:Revert "RESTRICT AUTOMERGE Add PermissionMemoryFoo...
I4e8ec8b1a:Revert "RESTRICT AUTOMERGE Validate permission tre...
Change-Id: I3cd1aa270373bb32f95dfbe8422faa783ee49dca
(cherry picked from commit 4e83e59b27f7d6232ee9fe96f789e32debc19772)
Merged-In: I3cd1aa270373bb32f95dfbe8422faa783ee49dca
---
.../core/java/com/android/server/pm/PackageManagerService.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 9c59ecddee96..3a1f83e00da2 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -5662,8 +5662,8 @@ public class PackageManagerService extends IPackageManager.Stub
boolean added = bp == null;
boolean changed = true;
int fixedLevel = PermissionInfo.fixProtectionLevel(info.protectionLevel);
+ enforcePermissionCapLocked(info, tree);
if (added) {
- enforcePermissionCapLocked(info, tree);
bp = new BasePermission(info.name, tree.sourcePackage,
BasePermission.TYPE_DYNAMIC);
} else if (bp.type != BasePermission.TYPE_DYNAMIC) {

249
Patches/LineageOS-15.1/android_frameworks_base/347049-backport.patch Normal file
View File

@ -0,0 +1,249 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Songchun Fan <schfan@google.com>
Date: Tue, 11 Oct 2022 18:08:11 -0700
Subject: [PATCH] key size limit for mutating settings
Prior to targetSdk 22, apps could add random system settings keys which
opens an opportunity for OOM attacks. This CL adds a key size limit.
BUG: 239415997
Test: manual; will add cts test
Merged-In: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc
Change-Id: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc
(cherry picked from commit 783bcba343c480f6ccedaaff41ba7171a1082e0c)
(cherry picked from commit f1831c87122e56951c04e1f62f647ab156ca71e3)
Merged-In: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc
---
.../providers/settings/SettingsState.java | 40 ++++---
.../providers/settings/SettingsStateTest.java | 102 +++++++++++++++++-
2 files changed, 126 insertions(+), 16 deletions(-)
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
index 0e94ea85919b..11b4c9eb1c1d 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
@@ -46,6 +46,7 @@ import android.util.Xml;
import android.util.proto.ProtoOutputStream;
import com.android.internal.annotations.GuardedBy;
+import com.android.internal.annotations.VisibleForTesting;
import com.android.server.LocalServices;
import libcore.io.IoUtils;
@@ -306,8 +307,8 @@ final class SettingsState {
Setting newSetting = new Setting(name, oldSetting.getValue(), null,
oldSetting.getPackageName(), oldSetting.getTag(), false,
oldSetting.getId());
- int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue,
- newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue());
+ int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), 0,
+ oldValue, newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue());
checkNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize);
mSettings.put(name, newSetting);
updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize);
@@ -327,8 +328,9 @@ final class SettingsState {
String oldDefaultValue = (oldState != null) ? oldState.defaultValue : null;
String newDefaultValue = makeDefault ? value : oldDefaultValue;
- int newSize = getNewMemoryUsagePerPackageLocked(packageName, oldValue, value,
- oldDefaultValue, newDefaultValue);
+ int newSize = getNewMemoryUsagePerPackageLocked(packageName,
+ oldValue == null ? name.length() : 0 /* deltaKeySize */,
+ oldValue, value, oldDefaultValue, newDefaultValue);
checkNewMemoryUsagePerPackageLocked(packageName, newSize);
Setting newState;
@@ -365,8 +367,12 @@ final class SettingsState {
}
Setting oldState = mSettings.remove(name);
- int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName, oldState.value,
- null, oldState.defaultValue, null);
+ if (oldState == null) {
+ return false;
+ }
+ int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName,
+ -name.length() /* deltaKeySize */,
+ oldState.value, null, oldState.defaultValue, null);
updateMemoryUsagePerPackageLocked(oldState.packageName, newSize);
@@ -384,15 +390,16 @@ final class SettingsState {
}
Setting setting = mSettings.get(name);
+ if (setting == null) {
+ return false;
+ }
Setting oldSetting = new Setting(setting);
String oldValue = setting.getValue();
String oldDefaultValue = setting.getDefaultValue();
- String newValue = oldDefaultValue;
- String newDefaultValue = oldDefaultValue;
- int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, oldValue,
- newValue, oldDefaultValue, newDefaultValue);
+ int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, 0, oldValue,
+ oldDefaultValue, oldDefaultValue, oldDefaultValue);
checkNewMemoryUsagePerPackageLocked(setting.packageName, newSize);
if (!setting.reset()) {
@@ -521,8 +528,8 @@ final class SettingsState {
}
@GuardedBy("mLock")
- private int getNewMemoryUsagePerPackageLocked(String packageName, String oldValue,
- String newValue, String oldDefaultValue, String newDefaultValue) {
+ private int getNewMemoryUsagePerPackageLocked(String packageName, int deltaKeySize,
+ String oldValue, String newValue, String oldDefaultValue, String newDefaultValue) {
if (isExemptFromMemoryUsageCap(packageName)) {
return 0;
}
@@ -531,7 +538,7 @@ final class SettingsState {
final int newValueSize = (newValue != null) ? newValue.length() : 0;
final int oldDefaultValueSize = (oldDefaultValue != null) ? oldDefaultValue.length() : 0;
final int newDefaultValueSize = (newDefaultValue != null) ? newDefaultValue.length() : 0;
- final int deltaSize = newValueSize + newDefaultValueSize
+ final int deltaSize = deltaKeySize + newValueSize + newDefaultValueSize
- oldValueSize - oldDefaultValueSize;
return Math.max((currentSize != null) ? currentSize + deltaSize : deltaSize, 0);
}
@@ -1140,4 +1147,11 @@ final class SettingsState {
return false;
}
}
+
+ @VisibleForTesting
+ public int getMemoryUsage(String packageName) {
+ synchronized (mLock) {
+ return mPackageToMemoryUsage.getOrDefault(packageName, 0);
+ }
+ }
}
diff --git a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
index 6f45adef91f7..adb356726eec 100644
--- a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
+++ b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
@@ -186,8 +186,8 @@ public class SettingsStateTest extends AndroidTestCase {
public void testInsertSetting_memoryUsage() {
final Object lock = new Object();
- final File file = new File(getContext().getCacheDir(), "setting.xml");
- final String settingName = "test_setting";
+ final File file = new File(getContext().getCacheDir(), "setting.xml");
+ final String settingName = "test_setting";
SettingsState settingsState = new SettingsState(getContext(), lock, file, 1,
SettingsState.MAX_BYTES_PER_APP_PACKAGE_UNLIMITED, Looper.getMainLooper());
@@ -204,7 +204,7 @@ public class SettingsStateTest extends AndroidTestCase {
settingsState.deleteSettingLocked(settingName);
// Should not throw if usage is under the cap
- settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19999),
+ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19975),
null, false, "p1");
settingsState.deleteSettingLocked(settingName);
try {
@@ -222,5 +222,101 @@ public class SettingsStateTest extends AndroidTestCase {
assertTrue(ex.getMessage().contains("p1"));
}
assertTrue(settingsState.getSettingLocked(settingName).isNull());
+ try {
+ settingsState.insertSettingLocked(Strings.repeat("A", 20001), "",
+ null, false, "p1");
+ fail("Should throw because it exceeded per package memory usage");
+ } catch (IllegalStateException ex) {
+ assertTrue(ex.getMessage().contains("You are adding too many system settings"));
+ }
+ }
+
+ public void testMemoryUsagePerPackage() {
+ final Object lock = new Object();
+ final File file = new File(getContext().getCacheDir(), "setting.xml");
+ final String testPackage = "package";
+ SettingsState settingsState = new SettingsState(getContext(), lock, file, 1,
+ SettingsState.MAX_BYTES_PER_APP_PACKAGE_LIMITED, Looper.getMainLooper());
+
+ // Test inserting one key with default
+ final String settingName = "test_setting";
+ final String testKey1 = settingName;
+ final String testValue1 = Strings.repeat("A", 100);
+ settingsState.insertSettingLocked(testKey1, testValue1, null, true, testPackage);
+ int expectedMemUsage = testKey1.length() + testValue1.length()
+ + testValue1.length() /* size for default */;
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
+
+ // Test inserting another key
+ final String testKey2 = settingName + "2";
+ settingsState.insertSettingLocked(testKey2, testValue1, null, false, testPackage);
+ expectedMemUsage += testKey2.length() + testValue1.length();
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
+
+ // Test updating first key with new default
+ final String testValue2 = Strings.repeat("A", 300);
+ settingsState.insertSettingLocked(testKey1, testValue2, null, true, testPackage);
+ expectedMemUsage += (testValue2.length() - testValue1.length()) * 2;
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
+
+ // Test updating first key without new default
+ final String testValue3 = Strings.repeat("A", 50);
+ settingsState.insertSettingLocked(testKey1, testValue3, null, false, testPackage);
+ expectedMemUsage -= testValue2.length() - testValue3.length();
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
+
+ // Test updating second key
+ settingsState.insertSettingLocked(testKey2, testValue2, null, false, testPackage);
+ expectedMemUsage -= testValue1.length() - testValue2.length();
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
+
+ // Test resetting key
+ settingsState.resetSettingLocked(testKey1);
+ expectedMemUsage += testValue2.length() - testValue3.length();
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
+
+ // Test resetting default value
+ settingsState.resetSettingDefaultValueLocked(testKey1);
+ expectedMemUsage -= testValue2.length();
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
+
+ // Test deletion
+ settingsState.deleteSettingLocked(testKey2);
+ expectedMemUsage -= testValue2.length() + testKey2.length() /* key is deleted too */;
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
+
+ // Test another package with a different key
+ final String testPackage2 = testPackage + "2";
+ final String testKey3 = settingName + "3";
+ settingsState.insertSettingLocked(testKey3, testValue1, null, true, testPackage2);
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
+ final int expectedMemUsage2 = testKey3.length() + testValue1.length() * 2;
+ assertEquals(expectedMemUsage2, settingsState.getMemoryUsage(testPackage2));
+
+ // Test system package
+ settingsState.insertSettingLocked(testKey1, testValue1, null, true, "android");
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
+ assertEquals(expectedMemUsage2, settingsState.getMemoryUsage(testPackage2));
+ assertEquals(0, settingsState.getMemoryUsage("android"));
+
+ // Test invalid value
+ try {
+ settingsState.insertSettingLocked(testKey1, Strings.repeat("A", 20001), null, false,
+ testPackage);
+ fail("Should throw because it exceeded per package memory usage");
+ } catch (IllegalStateException ex) {
+ assertTrue(ex.getMessage().contains("You are adding too many system settings"));
+ }
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
+
+ // Test invalid key
+ try {
+ settingsState.insertSettingLocked(Strings.repeat("A", 20001), "", null, false,
+ testPackage);
+ fail("Should throw because it exceeded per package memory usage");
+ } catch (IllegalStateException ex) {
+ assertTrue(ex.getMessage().contains("You are adding too many system settings"));
+ }
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
}
}

240
Patches/LineageOS-15.1/android_frameworks_base/347051-backport.patch Normal file
View File

@ -0,0 +1,240 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Khoa Hong <khoahong@google.com>
Date: Wed, 19 Oct 2022 16:29:18 +0800
Subject: [PATCH] Add protections agains use-after-free issues if cancel() or
queue() is called after a device connection has been closed.
This is a backport of ag/7528082 and ag/20033068.
Bug: 132319116
Bug: 130571162
Bug: 204584366
Test: CTS Verifier: USB Accessory Test & USB Device Test
Change-Id: I952ab566e26a808997e362dc85ebd1d8eb4574b9
(cherry picked from commit 7a8d56b2fe3496f7717ad1afe45d2ef523b7e252)
Merged-In: I952ab566e26a808997e362dc85ebd1d8eb4574b9
---
.../hardware/usb/UsbDeviceConnection.java | 71 ++++++++++++++--
.../java/android/hardware/usb/UsbRequest.java | 82 +++++++++++++++++--
2 files changed, 141 insertions(+), 12 deletions(-)
diff --git a/core/java/android/hardware/usb/UsbDeviceConnection.java b/core/java/android/hardware/usb/UsbDeviceConnection.java
index 5b15c0d2fd9c..43a1b39d6be4 100644
--- a/core/java/android/hardware/usb/UsbDeviceConnection.java
+++ b/core/java/android/hardware/usb/UsbDeviceConnection.java
@@ -50,6 +50,8 @@ public class UsbDeviceConnection {
private final CloseGuard mCloseGuard = CloseGuard.get();
+ private final Object mLock = new Object();
+
/**
* UsbDevice should only be instantiated by UsbService implementation
* @hide
@@ -60,13 +62,23 @@ public class UsbDeviceConnection {
/* package */ boolean open(String name, ParcelFileDescriptor pfd, @NonNull Context context) {
mContext = context.getApplicationContext();
- boolean wasOpened = native_open(name, pfd.getFileDescriptor());
- if (wasOpened) {
- mCloseGuard.open("close");
+ synchronized (mLock) {
+ boolean wasOpened = native_open(name, pfd.getFileDescriptor());
+
+ if (wasOpened) {
+ mCloseGuard.open("close");
+ }
+
+ return wasOpened;
}
+ }
- return wasOpened;
+ /***
+ * @return If this connection is currently open and usable.
+ */
+ boolean isOpen() {
+ return mNativeContext != 0;
}
/**
@@ -78,6 +90,49 @@ public class UsbDeviceConnection {
return mContext;
}
+ /**
+ * Cancel a request which relates to this connection.
+ *
+ * @return true if the request was successfully cancelled.
+ */
+ /* package */ boolean cancelRequest(UsbRequest request) {
+ synchronized (mLock) {
+ if (!isOpen()) {
+ return false;
+ }
+
+ return request.cancelIfOpen();
+ }
+ }
+
+ /**
+ * This is meant to be called by UsbRequest's queue() in order to synchronize on
+ * UsbDeviceConnection's mLock to prevent the connection being closed while queueing.
+ */
+ /* package */ boolean queueRequest(UsbRequest request, ByteBuffer buffer, int length) {
+ synchronized (mLock) {
+ if (!isOpen()) {
+ return false;
+ }
+
+ return request.queueIfConnectionOpen(buffer, length);
+ }
+ }
+
+ /**
+ * This is meant to be called by UsbRequest's queue() in order to synchronize on
+ * UsbDeviceConnection's mLock to prevent the connection being closed while queueing.
+ */
+ /* package */ boolean queueRequest(UsbRequest request, @Nullable ByteBuffer buffer) {
+ synchronized (mLock) {
+ if (!isOpen()) {
+ return false;
+ }
+
+ return request.queueIfConnectionOpen(buffer);
+ }
+ }
+
/**
* Releases all system resources related to the device.
* Once the object is closed it cannot be used again.
@@ -85,9 +140,11 @@ public class UsbDeviceConnection {
* to retrieve a new instance to reestablish communication with the device.
*/
public void close() {
- if (mNativeContext != 0) {
- native_close();
- mCloseGuard.close();
+ synchronized (mLock) {
+ if (isOpen()) {
+ native_close();
+ mCloseGuard.close();
+ }
}
}
diff --git a/core/java/android/hardware/usb/UsbRequest.java b/core/java/android/hardware/usb/UsbRequest.java
index 2e8f8e12b508..2c77647a26be 100644
--- a/core/java/android/hardware/usb/UsbRequest.java
+++ b/core/java/android/hardware/usb/UsbRequest.java
@@ -107,11 +107,13 @@ public class UsbRequest {
* Releases all resources related to this request.
*/
public void close() {
- if (mNativeContext != 0) {
- mEndpoint = null;
- mConnection = null;
- native_close();
- mCloseGuard.close();
+ synchronized (mLock) {
+ if (mNativeContext != 0) {
+ mEndpoint = null;
+ mConnection = null;
+ native_close();
+ mCloseGuard.close();
+ }
}
}
@@ -183,6 +185,28 @@ public class UsbRequest {
*/
@Deprecated
public boolean queue(ByteBuffer buffer, int length) {
+ UsbDeviceConnection connection = mConnection;
+ if (connection == null) {
+ // The expected exception by CTS Verifier - USB Device test
+ throw new NullPointerException("invalid connection");
+ }
+
+ // Calling into the underlying UsbDeviceConnection to synchronize on its lock, to prevent
+ // the connection being closed while queueing.
+ return connection.queueRequest(this, buffer, length);
+ }
+
+ /**
+ * This is meant to be called from UsbDeviceConnection after synchronizing using the lock over
+ * there, to prevent the connection being closed while queueing.
+ */
+ /* package */ boolean queueIfConnectionOpen(ByteBuffer buffer, int length) {
+ UsbDeviceConnection connection = mConnection;
+ if (connection == null || !connection.isOpen()) {
+ // The expected exception by CTS Verifier - USB Device test
+ throw new NullPointerException("invalid connection");
+ }
+
boolean out = (mEndpoint.getDirection() == UsbConstants.USB_DIR_OUT);
boolean result;
@@ -227,6 +251,28 @@ public class UsbRequest {
* @return true if the queueing operation succeeded
*/
public boolean queue(@Nullable ByteBuffer buffer) {
+ UsbDeviceConnection connection = mConnection;
+ if (connection == null) {
+ // The expected exception by CTS Verifier - USB Device test
+ throw new IllegalStateException("invalid connection");
+ }
+
+ // Calling into the underlying UsbDeviceConnection to synchronize on its lock, to prevent
+ // the connection being closed while queueing.
+ return connection.queueRequest(this, buffer);
+ }
+
+ /**
+ * This is meant to be called from UsbDeviceConnection after synchronizing using the lock over
+ * there, to prevent the connection being closed while queueing.
+ */
+ /* package */ boolean queueIfConnectionOpen(@Nullable ByteBuffer buffer) {
+ UsbDeviceConnection connection = mConnection;
+ if (connection == null || !connection.isOpen()) {
+ // The expected exception by CTS Verifier - USB Device test
+ throw new IllegalStateException("invalid connection");
+ }
+
// Request need to be initialized
Preconditions.checkState(mNativeContext != 0, "request is not initialized");
@@ -344,6 +390,32 @@ public class UsbRequest {
* @return true if cancelling succeeded
*/
public boolean cancel() {
+ UsbDeviceConnection connection = mConnection;
+ if (connection == null) {
+ return false;
+ }
+
+ return connection.cancelRequest(this);
+ }
+
+ /**
+ * Cancels a pending queue operation (for use when the UsbDeviceConnection associated
+ * with this request is synchronized). This ensures we don't have a race where the
+ * device is closed and then the request is canceled which would lead to a
+ * use-after-free because the cancel operation uses the device connection
+ * information freed in the when UsbDeviceConnection is closed.<br/>
+ *
+ * This method assumes the connected is not closed while this method is executed.
+ *
+ * @return true if cancelling succeeded.
+ */
+ /* package */ boolean cancelIfOpen() {
+ UsbDeviceConnection connection = mConnection;
+ if (mNativeContext == 0 || (connection != null && !connection.isOpen())) {
+ Log.w(TAG,
+ "Detected attempt to cancel a request on a connection which isn't open");
+ return false;
+ }
return native_cancel();
}

31
Patches/LineageOS-15.1/android_packages_apps_Nfc/346953-backport.patch Normal file
View File

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Wed, 26 Oct 2022 14:03:48 -0700
Subject: [PATCH] DO NOT MERGE OOBW in Mfc_Transceive()
Bug: 241387741
Test: build ok
Change-Id: Idf45b940ac21eeb4cf09c222988bfce22b0bef55
(cherry picked from commit f5f24d0ea2bcc33f18915c4c7369f803c45e53b0)
Merged-In: Idf45b940ac21eeb4cf09c222988bfce22b0bef55
---
nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
index 86657d53..cf5aafb6 100755
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
@@ -1077,6 +1077,12 @@ NFCSTATUS Mfc_Transceive(uint8_t *p_data, uint32_t len)
return status;
}
+ if (len > (MAX_BUFF_SIZE * 2))
+ {
+ android_errorWriteLog(0x534e4554, "241387741");
+ return status;
+ }
+
gphNxpExtns_Context.RawWriteCallBack = false;
gphNxpExtns_Context.CallBackMifare = NULL;
gphNxpExtns_Context.CallBackCtxt = NdefMap;

61
Patches/LineageOS-15.1/android_packages_services_Telecomm/347042.patch Normal file
View File

@ -0,0 +1,61 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Grace Jia <xiaotonj@google.com>
Date: Thu, 22 Sep 2022 14:20:57 -0700
Subject: [PATCH] Fix security vulnerability when register phone accounts.
Currently if the registered self-managed phone account updated to a call
provider phone account, the enable state will be directly copied to the
updated one so that malicious app can perform call spoofing attack
without any permission requirements. Fix this by disallowing change a
self-managed phone account to a managed phone account.
Bug: 246930197
Test: CtsTelecomTestCases:SelfManagedConnectionSreviceTest
Change-Id: I8f7984cd491632b3219133044438b82ca4dec80e
Merged-In: I8f7984cd491632b3219133044438b82ca4dec80e
(cherry picked from commit 833dd8480adc773e36d388521a14fd8cd11d6a30)
Merged-In: I8f7984cd491632b3219133044438b82ca4dec80e
---
.../server/telecom/PhoneAccountRegistrar.java | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/com/android/server/telecom/PhoneAccountRegistrar.java b/src/com/android/server/telecom/PhoneAccountRegistrar.java
index 5323a9669..4bcd2e5c3 100644
--- a/src/com/android/server/telecom/PhoneAccountRegistrar.java
+++ b/src/com/android/server/telecom/PhoneAccountRegistrar.java
@@ -48,6 +48,7 @@ import android.telephony.TelephonyManager;
import android.text.TextUtils;
import android.util.AtomicFile;
import android.util.Base64;
+import android.util.EventLog;
import android.util.Xml;
// TODO: Needed for move to system service: import com.android.internal.R;
@@ -680,6 +681,7 @@ public class PhoneAccountRegistrar {
PhoneAccount oldAccount = getPhoneAccountUnchecked(account.getAccountHandle());
if (oldAccount != null) {
+ enforceSelfManagedAccountUnmodified(account, oldAccount);
mState.accounts.remove(oldAccount);
isEnabled = oldAccount.isEnabled();
Log.i(this, "Modify account: %s", getAccountDiffString(account, oldAccount));
@@ -738,6 +740,19 @@ public class PhoneAccountRegistrar {
}
}
+ private void enforceSelfManagedAccountUnmodified(PhoneAccount newAccount,
+ PhoneAccount oldAccount) {
+ if (oldAccount.hasCapabilities(PhoneAccount.CAPABILITY_SELF_MANAGED) &&
+ (!newAccount.hasCapabilities(PhoneAccount.CAPABILITY_SELF_MANAGED))) {
+ EventLog.writeEvent(0x534e4554, "246930197");
+ Log.w(this, "Self-managed phone account %s replaced by a non self-managed one",
+ newAccount.getAccountHandle());
+ throw new IllegalArgumentException("Error, cannot change a self-managed "
+ + "phone account " + newAccount.getAccountHandle()
+ + " to other kinds of phone account");
+ }
+ }
+
/**
* Un-registers all phone accounts associated with a specified package.
*

100
Patches/LineageOS-15.1/android_packages_services_Telephony/347041-backport.patch Normal file
View File

@ -0,0 +1,100 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Thomas Stuart <tjstuart@google.com>
Date: Wed, 28 Sep 2022 09:40:14 -0700
Subject: [PATCH] prevent overlays on the phone settings
A report came in showing a 3rd party app could overlay a button
on the phone settings causing unwanted behavior. In order to prevent
this, a new system flag has been added that only allows system overlays.
bug: 246933785
Test: manual
Change-Id: I427b65bc6c1acf06676e1753a34a7a38e21bbae0
Merged-In: I427b65bc6c1acf06676e1753a34a7a38e21bbae0
(cherry picked from commit e827d8f13c1c92622474fa2bf9e41a1f4ce21e2c)
Merged-In: I427b65bc6c1acf06676e1753a34a7a38e21bbae0
---
AndroidManifest.xml | 3 +++
.../phone/settings/AccessibilitySettingsActivity.java | 6 ++++--
.../phone/settings/PhoneAccountSettingsActivity.java | 5 ++++-
.../android/phone/settings/VoicemailSettingsActivity.java | 4 ++++
4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 810e7bca0..766572164 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -176,6 +176,9 @@
<uses-permission android:name="android.permission.MANAGE_NETWORK_POLICY" />
<uses-permission android:name="android.permission.READ_NETWORK_USAGE_HISTORY" />
+ <!-- Needed to block unwanted malicious pop up overlays -->
+ <uses-permission android:name="android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS"/>
+
<application android:name="PhoneApp"
android:persistent="true"
android:label="@string/phoneAppLabel"
diff --git a/src/com/android/phone/settings/AccessibilitySettingsActivity.java b/src/com/android/phone/settings/AccessibilitySettingsActivity.java
index 769ef615f..c65aa3273 100644
--- a/src/com/android/phone/settings/AccessibilitySettingsActivity.java
+++ b/src/com/android/phone/settings/AccessibilitySettingsActivity.java
@@ -24,10 +24,12 @@ import com.android.phone.R;
public class AccessibilitySettingsActivity extends PreferenceActivity {
- @Override
+ @Override
protected void onCreate(Bundle icicle) {
super.onCreate(icicle);
-
+ getWindow().addPrivateFlags(
+ android.view.WindowManager.LayoutParams
+ .PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
getActionBar().setTitle(R.string.accessibility_settings_activity_title);
getFragmentManager().beginTransaction().replace(
android.R.id.content, new AccessibilitySettingsFragment()).commit();
diff --git a/src/com/android/phone/settings/PhoneAccountSettingsActivity.java b/src/com/android/phone/settings/PhoneAccountSettingsActivity.java
index 71ae8cfa4..14321d0c6 100644
--- a/src/com/android/phone/settings/PhoneAccountSettingsActivity.java
+++ b/src/com/android/phone/settings/PhoneAccountSettingsActivity.java
@@ -19,6 +19,7 @@ package com.android.phone.settings;
import android.os.Bundle;
import android.preference.PreferenceActivity;
import android.view.MenuItem;
+import android.view.WindowManager;
import com.android.phone.R;
@@ -27,7 +28,9 @@ public class PhoneAccountSettingsActivity extends PreferenceActivity {
@Override
protected void onCreate(Bundle icicle) {
super.onCreate(icicle);
-
+ getWindow().addPrivateFlags(
+ android.view.WindowManager.LayoutParams
+ .PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
getActionBar().setTitle(R.string.phone_accounts);
getFragmentManager().beginTransaction().replace(
android.R.id.content, new PhoneAccountSettingsFragment()).commit();
diff --git a/src/com/android/phone/settings/VoicemailSettingsActivity.java b/src/com/android/phone/settings/VoicemailSettingsActivity.java
index 04e8bf502..7c5dbf20c 100644
--- a/src/com/android/phone/settings/VoicemailSettingsActivity.java
+++ b/src/com/android/phone/settings/VoicemailSettingsActivity.java
@@ -37,6 +37,7 @@ import android.text.TextDirectionHeuristics;
import android.text.TextUtils;
import android.util.Log;
import android.view.MenuItem;
+import android.view.WindowManager;
import android.widget.ListAdapter;
import android.widget.Toast;
@@ -207,6 +208,9 @@ public class VoicemailSettingsActivity extends PreferenceActivity
@Override
protected void onCreate(Bundle icicle) {
super.onCreate(icicle);
+ getWindow().addPrivateFlags(
+ android.view.WindowManager.LayoutParams
+ .PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
// Make sure we are running as the primary user only
UserManager userManager = getApplicationContext().getSystemService(UserManager.class);
if (!userManager.isPrimaryUser()) {

40
Patches/LineageOS-15.1/android_system_bt/347127.patch Normal file
View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Raghavender Reddy Bujala <c-bujalr@codeaurora.org>
Date: Thu, 2 Dec 2021 16:04:19 +0530
Subject: [PATCH] BT: Once AT command is retrieved, return from method.
- Observed SIGSEV issue in Defensics, when received
buf is more than BTA_HF_CLIENT_AT_PARSER_MAX_LEN.
- Commented recover cut data, after AT command is
retrieved because leftover data/buf is more than
BTA_HF_CLIENT_AT_PARSER_MAX_LEN and leading to
offset corruption.
CRs-Fixed: 3052411
Change-Id: I6375d00eebfbf97ffc40456622a6d39e4388f4b2
---
bta/hf_client/bta_hf_client_at.cc | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc
index 6c52edadc..dd3ea6846 100644
--- a/bta/hf_client/bta_hf_client_at.cc
+++ b/bta/hf_client/bta_hf_client_at.cc
@@ -1615,9 +1615,13 @@ void bta_hf_client_at_parse(tBTA_HF_CLIENT_CB* client_cb, char* buf,
bta_hf_client_at_parse_start(client_cb);
bta_hf_client_at_clear_buf(client_cb);
- /* recover cut data */
- memcpy(client_cb->at_cb.buf, tmp_buff, tmp);
- client_cb->at_cb.offset += tmp;
+ /* TODO: recover cut data */
+ // memcpy(client_cb->at_cb.buf, tmp_buff, tmp);
+ // client_cb->at_cb.offset += tmp;
+ // Observed SIGSEV issue in Defensics, when received buf is more than
+ // BTA_HF_CLIENT_AT_PARSER_MAX_LEN.
+ // Assuming to return from here, Once AT command is retrieved.
+ return;
}
memcpy(client_cb->at_cb.buf + client_cb->at_cb.offset, buf, len);

78
Patches/LineageOS-15.1/android_system_bt/347128.patch Normal file
View File

@ -0,0 +1,78 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sagar Verma <quic_sagarv@quicinc.com>
Date: Sun, 12 Jun 2022 00:05:07 +0530
Subject: [PATCH] AVRC: Validating msg size before accessing fields
This change adds buffer length validation during the parsing of AVRCP
browse commands.
Change-Id: I3a6c7a9ea2323a04ce5c5368eabfa940a8152cba
---
stack/avrc/avrc_pars_tg.cc | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index 7042f4da7..38c0ca385 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -407,6 +407,12 @@ tAVRC_STS AVRC_Ctrl_ParsCommand(tAVRC_MSG* p_msg, tAVRC_COMMAND* p_result) {
return status;
}
+#define RETURN_STATUS_IF_FALSE(_status_, _b_, _msg_, ...) \
+ if (!(_b_)) { \
+ AVRC_TRACE_DEBUG(_msg_, ##__VA_ARGS__); \
+ return _status_; \
+ }
+
/*******************************************************************************
*
* Function avrc_pars_browsing_cmd
@@ -425,6 +431,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
tAVRC_STS status = AVRC_STS_NO_ERROR;
uint8_t* p = p_msg->p_browse_data;
int count;
+ uint16_t min_len = 3;
p_result->pdu = *p++;
AVRC_TRACE_DEBUG("avrc_pars_browsing_cmd() pdu:0x%x", p_result->pdu);
@@ -438,6 +445,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
break;
case AVRC_PDU_GET_FOLDER_ITEMS: /* 0x71 */
+ min_len += 10;
STREAM_TO_UINT8(p_result->get_items.scope, p);
// To be modified later here (Scope) when all browsing commands are
// supported
@@ -458,6 +466,11 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
if (buf_len < (count << 2))
p_result->get_items.attr_count = count = (buf_len >> 2);
for (int idx = 0; idx < count; idx++) {
+ min_len += 4;
+ RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD,
+ (p_msg->browse_len >= min_len),
+ "msg too short");
+
BE_STREAM_TO_UINT32(p_result->get_items.p_attr_list[idx], p);
}
}
@@ -474,6 +487,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
break;
case AVRC_PDU_GET_ITEM_ATTRIBUTES: /* 0x73 */
+ min_len += 12;
BE_STREAM_TO_UINT8(p_result->get_attrs.scope, p);
if (p_result->get_attrs.scope > AVRC_SCOPE_NOW_PLAYING) {
status = AVRC_STS_BAD_SCOPE;
@@ -490,6 +504,11 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
p_result->get_attrs.attr_count = count = (buf_len >> 2);
for (int idx = 0, count = 0; idx < p_result->get_attrs.attr_count;
idx++) {
+ min_len += 4;
+ RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD,
+ (p_msg->browse_len >= min_len),
+ "msg too short");
+
BE_STREAM_TO_UINT32(p_result->get_attrs.p_attr_list[count], p);
if (AVRC_IS_VALID_MEDIA_ATTRIBUTE(
p_result->get_attrs.p_attr_list[count])) {

31
Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/252808-backport.patch Normal file
View File

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: George Chang <georgekgchang@google.com>
Date: Wed, 5 Jun 2019 15:57:56 +0800
Subject: [PATCH] Prevent OOB write in Mfc_Transceive
Bug: 132082342
Test: Manual test/ Mifare Tag Read/Write
Merged-In: I3e1977514ba924655d42be4782244c6ef1cf7619
Change-Id: I3e1977514ba924655d42be4782244c6ef1cf7619
(cherry picked from commit edda944f0d84216e57846ae9a6799a90b875b427)
---
nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
index 34caef21..282ffc1a 100644
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
@@ -1094,6 +1094,12 @@ NFCSTATUS Mfc_Transceive(uint8_t *p_data, uint32_t len)
NFCSTATUS status = NFCSTATUS_FAILED;
uint8_t i = 0x00;
+ if( len == 0 )
+ {
+ android_errorWriteLog(0x534e4554, "132082342");
+ return status;
+ }
+
gphNxpExtns_Context.RawWriteCallBack = false;
gphNxpExtns_Context.CallBackMifare = NULL;
gphNxpExtns_Context.CallBackCtxt = NdefMap;

31
Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/346953-backport.patch Normal file
View File

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Wed, 26 Oct 2022 14:03:48 -0700
Subject: [PATCH] DO NOT MERGE OOBW in Mfc_Transceive()
Bug: 241387741
Test: build ok
Change-Id: Idf45b940ac21eeb4cf09c222988bfce22b0bef55
(cherry picked from commit f5f24d0ea2bcc33f18915c4c7369f803c45e53b0)
Merged-In: Idf45b940ac21eeb4cf09c222988bfce22b0bef55
---
nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
index 282ffc1a..8e9399ef 100644
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
@@ -1100,6 +1100,12 @@ NFCSTATUS Mfc_Transceive(uint8_t *p_data, uint32_t len)
return status;
}
+ if (len > (MAX_BUFF_SIZE * 2))
+ {
+ android_errorWriteLog(0x534e4554, "241387741");
+ return status;
+ }
+
gphNxpExtns_Context.RawWriteCallBack = false;
gphNxpExtns_Context.CallBackMifare = NULL;
gphNxpExtns_Context.CallBackCtxt = NdefMap;

20
Scripts/LineageOS-15.1/Patch.sh
View File

@ -73,7 +73,7 @@ applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys t
applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
sed -i 's/2021-10-05/2022-12-05/' core/version_defaults.mk; #Bump Security String #XXX
sed -i 's/2021-10-05/2023-01-05/' core/version_defaults.mk; #Bump Security String #XXX
fi;
if enterAndClear "build/soong"; then
@ -157,6 +157,13 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/345898-backport.patch"; #P_asb_
applyPatch "$DOS_PATCHES/android_frameworks_base/345520.patch"; #n-asb-2022-12 Ignore malformed shortcuts
applyPatch "$DOS_PATCHES/android_frameworks_base/345901.patch"; #P_asb_2022-12 Fix permanent denial of service via setComponentEnabledSetting
applyPatch "$DOS_PATCHES/android_frameworks_base/345902-backport.patch"; #P_asb_2022-12 Add safety checks on KEY_INTENT mismatch.
applyPatch "$DOS_PATCHES/android_frameworks_base/347044.patch"; #P_asb_2023-01 Limit lengths of fields in Condition to a max length.
applyPatch "$DOS_PATCHES/android_frameworks_base/346949.patch"; #n-asb-2023-01 Disable all A11yServices from an uninstalled package.
applyPatch "$DOS_PATCHES/android_frameworks_base/347046.patch"; #P_asb_2023-01 Fix conditionId string trimming in AutomaticZenRule
applyPatch "$DOS_PATCHES/android_frameworks_base/347047-backport.patch"; #P_asb_2023-01 [SettingsProvider] mem limit should be checked before settings are updated
#applyPatch "$DOS_PATCHES/android_frameworks_base/347048-backport.patch"; #P_asb_2023-01 Revert "Revert "RESTRICT AUTOMERGE Validate permission tree size..." #XXX: uncertain backport
applyPatch "$DOS_PATCHES/android_frameworks_base/347049-backport.patch"; #P_asb_2023-01 [SettingsProvider] key size limit for mutating settings
applyPatch "$DOS_PATCHES/android_frameworks_base/347051-backport.patch"; #P_asb_2023-01 Add protections agains use-after-free issues if cancel() or queue() is called after a device connection has been closed.
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
@ -276,6 +283,7 @@ fi;
if enterAndClear "packages/apps/Nfc"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/328346.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332455-backport.patch"; #n-asb-2022-06 OOB read in phNciNfc_RecvMfResp()
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/346953-backport.patch"; #n-asb-2023-01 OOBW in Mfc_Transceive()
fi;
if enterAndClear "packages/apps/Settings"; then
@ -338,9 +346,11 @@ if enterAndClear "packages/services/Telecomm"; then
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332764.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/344183.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/345913.patch"; #P_asb_2022-12 Hide overlay windows when showing phone account enable/disable screen.
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/347042.patch"; #P_asb_2023-01 Fix security vulnerability when register phone accounts.
fi;
if enterAndClear "packages/services/Telephony"; then
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/347041-backport.patch"; #P_asb_2023-01 Prevent overlays on the phone settings
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #(DivestOS)
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
fi;
@ -362,6 +372,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/345915.patch"; #P_asb_2022-12 Added m
applyPatch "$DOS_PATCHES/android_system_bt/345916.patch"; #P_asb_2022-12 Add missing increment in bnep_api.cc
applyPatch "$DOS_PATCHES/android_system_bt/345917.patch"; #P_asb_2022-12 Add length check when copy AVDT and AVCT packet
applyPatch "$DOS_PATCHES/android_system_bt/345918.patch"; #P_asb_2022-12 Fix integer overflow when parsing avrc response
applyPatch "$DOS_PATCHES/android_system_bt/347127.patch"; #P_asb_2023-01 Once AT command is retrieved, return from method.
applyPatch "$DOS_PATCHES/android_system_bt/347128.patch"; #P_asb_2023-01 AVRC: Validating msg size before accessing fields
fi;
if enterAndClear "system/core"; then
@ -388,15 +400,17 @@ if enterAndClear "system/vold"; then
applyPatch "$DOS_PATCHES/android_system_vold/0001-AES256.patch"; #Add a variable for enabling AES-256 bit encryption (DivestOS)
fi;
if enterAndClear "vendor/nxp/opensource/external/libnfc-nci"; then
if enterAndClear "vendor/nxp/opensource/external/libnfc-nci"; then #keep in sync with system/nfc
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332458-backport.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch"; #n-asb-2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/344190-backport.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
fi;
if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then
if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then #keep in sync with packages/apps/Nfc
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/252808-backport.patch"; #n-asb-2019-08 Prevent OOB write in Mfc_Transceive
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/328348-backport.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/346953-backport.patch"; #n-asb-2023-01 OOBW in Mfc_Transceive()
fi;
if enterAndClear "vendor/lineage"; then