From b143ffcd8b3e58aaf29f72362949b31016ad413a Mon Sep 17 00:00:00 2001 From: Tad Date: Sun, 8 Jan 2023 15:36:00 -0500 Subject: [PATCH] 15.1 January ASB work + a missing patch from 2019-08 Signed-off-by: Tad --- .../android_frameworks_base/346949.patch | 68 +++++ .../android_frameworks_base/347044.patch | 86 ++++++ .../android_frameworks_base/347046.patch | 35 +++ .../347047-backport.patch | 234 ++++++++++++++++ .../347048-backport.patch | 34 +++ .../347049-backport.patch | 249 ++++++++++++++++++ .../347051-backport.patch | 240 +++++++++++++++++ .../346953-backport.patch | 31 +++ .../347042.patch | 61 +++++ .../347041-backport.patch | 100 +++++++ .../android_system_bt/347127.patch | 40 +++ .../android_system_bt/347128.patch | 78 ++++++ .../252808-backport.patch | 31 +++ .../346953-backport.patch | 31 +++ Scripts/LineageOS-15.1/Patch.sh | 20 +- 15 files changed, 1335 insertions(+), 3 deletions(-) create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/346949.patch create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/347044.patch create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/347046.patch create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/347047-backport.patch create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/347048-backport.patch create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/347049-backport.patch create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/347051-backport.patch create mode 100644 Patches/LineageOS-15.1/android_packages_apps_Nfc/346953-backport.patch create mode 100644 Patches/LineageOS-15.1/android_packages_services_Telecomm/347042.patch create mode 100644 Patches/LineageOS-15.1/android_packages_services_Telephony/347041-backport.patch create mode 100644 Patches/LineageOS-15.1/android_system_bt/347127.patch create mode 100644 Patches/LineageOS-15.1/android_system_bt/347128.patch create mode 100644 Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/252808-backport.patch create mode 100644 Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/346953-backport.patch diff --git a/Patches/LineageOS-15.1/android_frameworks_base/346949.patch b/Patches/LineageOS-15.1/android_frameworks_base/346949.patch new file mode 100644 index 00000000..a4b6e8cb --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/346949.patch @@ -0,0 +1,68 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Norman +Date: Wed, 5 Oct 2022 16:28:20 -0700 +Subject: [PATCH] RESTRICT AUTOMERGE Disable all A11yServices from an + uninstalled package. + +Previous logic would exit the loop after removing the first service +matching the uninstalled package. + +Bug: 243378132 +Test: atest AccessibilityEndToEndTest +Test: m sts; + sts-tradefed run sts-dynamic-develop -m \ + CtsAccessibilityServiceTestCases +Change-Id: I4ba30345d8600674ee8a9ea3ff411aecbf3655a3 +(cherry picked from commit 37966299859153377e61a6a97b036388d231c2d0) +Merged-In: I4ba30345d8600674ee8a9ea3ff411aecbf3655a3 +--- + .../AccessibilityManagerService.java | 30 ++++++++++--------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java +index 4859ffea870b..620db7345fab 100644 +--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java ++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java +@@ -345,26 +345,28 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub { + } + UserState userState = getUserStateLocked(userId); + Iterator it = userState.mEnabledServices.iterator(); ++ boolean anyServiceRemoved = false; + while (it.hasNext()) { + ComponentName comp = it.next(); + String compPkg = comp.getPackageName(); + if (compPkg.equals(packageName)) { + it.remove(); +- // Update the enabled services setting. +- persistComponentNamesToSettingLocked( +- Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES, +- userState.mEnabledServices, userId); +- // Update the touch exploration granted services setting. + userState.mTouchExplorationGrantedServices.remove(comp); +- persistComponentNamesToSettingLocked( +- Settings.Secure. +- TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES, +- userState.mTouchExplorationGrantedServices, userId); +- // We will update when the automation service dies. +- if (!userState.isUiAutomationSuppressingOtherServices()) { +- onUserStateChangedLocked(userState); +- } +- return; ++ anyServiceRemoved = true; ++ } ++ } ++ if (anyServiceRemoved) { ++ // Update the enabled services setting. ++ persistComponentNamesToSettingLocked( ++ Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES, ++ userState.mEnabledServices, userId); ++ // Update the touch exploration granted services setting. ++ persistComponentNamesToSettingLocked( ++ Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES, ++ userState.mTouchExplorationGrantedServices, userId); ++ // We will update when the automation service dies. ++ if (!userState.isUiAutomationSuppressingOtherServices()) { ++ onUserStateChangedLocked(userState); + } + } + } diff --git a/Patches/LineageOS-15.1/android_frameworks_base/347044.patch b/Patches/LineageOS-15.1/android_frameworks_base/347044.patch new file mode 100644 index 00000000..f83677b2 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/347044.patch @@ -0,0 +1,86 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Yuri Lin +Date: Tue, 13 Sep 2022 12:53:19 -0400 +Subject: [PATCH] Limit lengths of fields in Condition to a max length. + +This app-generated input needs to not be too long to avoid errors in the process of writing to disk. + +Bug: 242846316 +Test: cts ConditionTest; atest ConditionTest; manually verified exploit apk is OK + +Change-Id: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9 +Merged-In: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9 +(cherry picked from commit 81352c3775949c622441e10b468766441e35edc7) +(cherry picked from commit 5cb217fff3bc7184bd776a9dc2991e7fce5e25bd) +Merged-In: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9 +--- + .../service/notification/Condition.java | 38 +++++++++++++++++-- + 1 file changed, 34 insertions(+), 4 deletions(-) + +diff --git a/core/java/android/service/notification/Condition.java b/core/java/android/service/notification/Condition.java +index 447afe62fd1a..5f65d401600a 100644 +--- a/core/java/android/service/notification/Condition.java ++++ b/core/java/android/service/notification/Condition.java +@@ -94,6 +94,12 @@ public final class Condition implements Parcelable { + @SystemApi + public final int icon; + ++ /** ++ * The maximum string length for any string contained in this condition. ++ * @hide ++ */ ++ public static final int MAX_STRING_LENGTH = 1000; ++ + /** + * An object representing the current state of a {@link android.app.AutomaticZenRule}. + * @param id the {@link android.app.AutomaticZenRule#getConditionId()} of the zen rule +@@ -109,16 +115,19 @@ public final class Condition implements Parcelable { + if (id == null) throw new IllegalArgumentException("id is required"); + if (summary == null) throw new IllegalArgumentException("summary is required"); + if (!isValidState(state)) throw new IllegalArgumentException("state is invalid: " + state); +- this.id = id; +- this.summary = summary; +- this.line1 = line1; +- this.line2 = line2; ++ this.id = getTrimmedUri(id); ++ this.summary = getTrimmedString(summary); ++ this.line1 = getTrimmedString(line1); ++ this.line2 = getTrimmedString(line2); + this.icon = icon; + this.state = state; + this.flags = flags; + } + + public Condition(Parcel source) { ++ // This constructor passes all fields directly into the constructor that takes all the ++ // fields as arguments; that constructor will trim each of the input strings to ++ // max length if necessary. + this((Uri)source.readParcelable(Condition.class.getClassLoader()), + source.readString(), + source.readString(), +@@ -234,4 +243,25 @@ public final class Condition implements Parcelable { + return new Condition[size]; + } + }; ++ ++ /** ++ * Returns a truncated copy of the string if the string is longer than MAX_STRING_LENGTH. ++ */ ++ private static String getTrimmedString(String input) { ++ if (input != null && input.length() > MAX_STRING_LENGTH) { ++ return input.substring(0, MAX_STRING_LENGTH); ++ } ++ return input; ++ } ++ ++ /** ++ * Returns a truncated copy of the Uri by trimming the string representation to the maximum ++ * string length. ++ */ ++ private static Uri getTrimmedUri(Uri input) { ++ if (input != null && input.toString().length() > MAX_STRING_LENGTH) { ++ return Uri.parse(getTrimmedString(input.toString())); ++ } ++ return input; ++ } + } diff --git a/Patches/LineageOS-15.1/android_frameworks_base/347046.patch b/Patches/LineageOS-15.1/android_frameworks_base/347046.patch new file mode 100644 index 00000000..57dfb7c6 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/347046.patch @@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Yuri Lin +Date: Wed, 12 Oct 2022 14:27:46 +0000 +Subject: [PATCH] Fix conditionId string trimming in AutomaticZenRule + +This change only applies to S branches and earlier. + +Bug: 253085433 +Bug: 242703460 +Bug: 242703505 +Bug: 242703780 +Bug: 242704043 +Bug: 243794204 +Test: AutomaticZenRuleTest +Change-Id: Iae423d93b777df8946ecf1c3baf640fcf74990ec +Merged-In: Iae423d93b777df8946ecf1c3baf640fcf74990ec +(cherry picked from commit 303f6bde896877793370c1697fa8c8331b808e56) +Merged-In: Iae423d93b777df8946ecf1c3baf640fcf74990ec +--- + core/java/android/app/AutomaticZenRule.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/java/android/app/AutomaticZenRule.java b/core/java/android/app/AutomaticZenRule.java +index 29dd91ec1ad6..5998ab6fdaf4 100644 +--- a/core/java/android/app/AutomaticZenRule.java ++++ b/core/java/android/app/AutomaticZenRule.java +@@ -80,7 +80,7 @@ public final class AutomaticZenRule implements Parcelable { + name = getTrimmedString(source.readString()); + } + interruptionFilter = source.readInt(); +- conditionId = source.readParcelable(null); ++ conditionId = getTrimmedUri(source.readParcelable(null)); + owner = getTrimmedComponentName(source.readParcelable(null)); + creationTime = source.readLong(); + } diff --git a/Patches/LineageOS-15.1/android_frameworks_base/347047-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/347047-backport.patch new file mode 100644 index 00000000..c7941474 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/347047-backport.patch @@ -0,0 +1,234 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Songchun Fan +Date: Wed, 17 Aug 2022 09:37:18 -0700 +Subject: [PATCH] mem limit should be checked before settings are updated + +Previously, a setting is updated before the memory usage limit +check, which can be exploited by malicious apps and cause OoM DoS. + +This CL changes the logic to checkMemLimit -> update -> updateMemUsage. + +BUG: 239415861 +Test: atest com.android.providers.settings.SettingsStateTest + +(cherry picked from commit 8eeb92950f4a7012d4cf282106a1418fd211f475) +Merged-In: I20551a2dba9aa79efa0c064824f349f551c2c2e4 +Change-Id: I20551a2dba9aa79efa0c064824f349f551c2c2e4 +(cherry picked from commit d85a42821075ad80b931d904bdc9c1d4c3129456) +Merged-In: I20551a2dba9aa79efa0c064824f349f551c2c2e4 +--- + .../providers/settings/SettingsState.java | 75 ++++++++++++------- + .../providers/settings/SettingsStateTest.java | 43 ++++++++++- + 2 files changed, 90 insertions(+), 28 deletions(-) + +diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java +index 4151ada9ce80..0e94ea85919b 100644 +--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java ++++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java +@@ -306,9 +306,11 @@ final class SettingsState { + Setting newSetting = new Setting(name, oldSetting.getValue(), null, + oldSetting.getPackageName(), oldSetting.getTag(), false, + oldSetting.getId()); +- mSettings.put(name, newSetting); +- updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue, ++ int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue, + newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue()); ++ checkNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize); ++ mSettings.put(name, newSetting); ++ updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize); + scheduleWriteIfNeededLocked(); + } + } +@@ -323,6 +325,12 @@ final class SettingsState { + Setting oldState = mSettings.get(name); + String oldValue = (oldState != null) ? oldState.value : null; + String oldDefaultValue = (oldState != null) ? oldState.defaultValue : null; ++ String newDefaultValue = makeDefault ? value : oldDefaultValue; ++ ++ int newSize = getNewMemoryUsagePerPackageLocked(packageName, oldValue, value, ++ oldDefaultValue, newDefaultValue); ++ checkNewMemoryUsagePerPackageLocked(packageName, newSize); ++ + Setting newState; + + if (oldState != null) { +@@ -337,8 +345,7 @@ final class SettingsState { + + addHistoricalOperationLocked(HISTORICAL_OPERATION_UPDATE, newState); + +- updateMemoryUsagePerPackageLocked(packageName, oldValue, value, +- oldDefaultValue, newState.getDefaultValue()); ++ updateMemoryUsagePerPackageLocked(packageName, newSize); + + scheduleWriteIfNeededLocked(); + +@@ -358,10 +365,11 @@ final class SettingsState { + } + + Setting oldState = mSettings.remove(name); +- +- updateMemoryUsagePerPackageLocked(oldState.packageName, oldState.value, ++ int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName, oldState.value, + null, oldState.defaultValue, null); + ++ updateMemoryUsagePerPackageLocked(oldState.packageName, newSize); ++ + addHistoricalOperationLocked(HISTORICAL_OPERATION_DELETE, oldState); + + scheduleWriteIfNeededLocked(); +@@ -380,16 +388,18 @@ final class SettingsState { + Setting oldSetting = new Setting(setting); + String oldValue = setting.getValue(); + String oldDefaultValue = setting.getDefaultValue(); ++ String newValue = oldDefaultValue; ++ String newDefaultValue = oldDefaultValue; ++ ++ int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, oldValue, ++ newValue, oldDefaultValue, newDefaultValue); ++ checkNewMemoryUsagePerPackageLocked(setting.packageName, newSize); + + if (!setting.reset()) { + return false; + } + +- String newValue = setting.getValue(); +- String newDefaultValue = setting.getDefaultValue(); +- +- updateMemoryUsagePerPackageLocked(setting.packageName, oldValue, +- newValue, oldDefaultValue, newDefaultValue); ++ updateMemoryUsagePerPackageLocked(setting.packageName, newSize); + + addHistoricalOperationLocked(HISTORICAL_OPERATION_RESET, oldSetting); + +@@ -492,38 +502,49 @@ final class SettingsState { + } + } + +- private void updateMemoryUsagePerPackageLocked(String packageName, String oldValue, +- String newValue, String oldDefaultValue, String newDefaultValue) { +- if (mMaxBytesPerAppPackage == MAX_BYTES_PER_APP_PACKAGE_UNLIMITED) { +- return; +- } ++ private boolean isExemptFromMemoryUsageCap(String packageName) { ++ return mMaxBytesPerAppPackage == MAX_BYTES_PER_APP_PACKAGE_UNLIMITED ++ || SYSTEM_PACKAGE_NAME.equals(packageName); ++ } + +- if (SYSTEM_PACKAGE_NAME.equals(packageName)) { ++ @GuardedBy("mLock") ++ private void checkNewMemoryUsagePerPackageLocked(String packageName, int newSize) ++ throws IllegalStateException { ++ if (isExemptFromMemoryUsageCap(packageName)) { + return; + } ++ if (newSize > mMaxBytesPerAppPackage) { ++ throw new IllegalStateException("You are adding too many system settings. " ++ + "You should stop using system settings for app specific data" ++ + " package: " + packageName); ++ } ++ } + ++ @GuardedBy("mLock") ++ private int getNewMemoryUsagePerPackageLocked(String packageName, String oldValue, ++ String newValue, String oldDefaultValue, String newDefaultValue) { ++ if (isExemptFromMemoryUsageCap(packageName)) { ++ return 0; ++ } ++ final Integer currentSize = mPackageToMemoryUsage.get(packageName); + final int oldValueSize = (oldValue != null) ? oldValue.length() : 0; + final int newValueSize = (newValue != null) ? newValue.length() : 0; + final int oldDefaultValueSize = (oldDefaultValue != null) ? oldDefaultValue.length() : 0; + final int newDefaultValueSize = (newDefaultValue != null) ? newDefaultValue.length() : 0; + final int deltaSize = newValueSize + newDefaultValueSize + - oldValueSize - oldDefaultValueSize; ++ return Math.max((currentSize != null) ? currentSize + deltaSize : deltaSize, 0); ++ } + +- Integer currentSize = mPackageToMemoryUsage.get(packageName); +- final int newSize = Math.max((currentSize != null) +- ? currentSize + deltaSize : deltaSize, 0); +- +- if (newSize > mMaxBytesPerAppPackage) { +- throw new IllegalStateException("You are adding too many system settings. " +- + "You should stop using system settings for app specific data" +- + " package: " + packageName); ++ @GuardedBy("mLock") ++ private void updateMemoryUsagePerPackageLocked(String packageName, int newSize) { ++ if (isExemptFromMemoryUsageCap(packageName)) { ++ return; + } +- + if (DEBUG) { + Slog.i(LOG_TAG, "Settings for package: " + packageName + + " size: " + newSize + " bytes."); + } +- + mPackageToMemoryUsage.put(packageName, newSize); + } + +diff --git a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java +index 3f68554ffe87..6f45adef91f7 100644 +--- a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java ++++ b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java +@@ -21,6 +21,8 @@ import android.util.Xml; + + import org.xmlpull.v1.XmlSerializer; + ++import com.google.common.base.Strings; ++ + import java.io.ByteArrayOutputStream; + import java.io.File; + import java.io.FileOutputStream; +@@ -46,7 +48,6 @@ public class SettingsStateTest extends AndroidTestCase { + "\uD800ab\uDC00 " + // broken surrogate pairs + "日本語"; + +- + public void testIsBinary() { + assertFalse(SettingsState.isBinary(" abc 日本語")); + +@@ -182,4 +183,44 @@ public class SettingsStateTest extends AndroidTestCase { + assertEquals("p2", s.getPackageName()); + } + } ++ ++ public void testInsertSetting_memoryUsage() { ++ final Object lock = new Object(); ++ final File file = new File(getContext().getCacheDir(), "setting.xml"); ++ final String settingName = "test_setting"; ++ ++ SettingsState settingsState = new SettingsState(getContext(), lock, file, 1, ++ SettingsState.MAX_BYTES_PER_APP_PACKAGE_UNLIMITED, Looper.getMainLooper()); ++ // No exception should be thrown when there is no cap ++ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001), ++ null, false, "p1"); ++ settingsState.deleteSettingLocked(settingName); ++ ++ settingsState = new SettingsState(getContext(), lock, file, 1, ++ SettingsState.MAX_BYTES_PER_APP_PACKAGE_LIMITED, Looper.getMainLooper()); ++ // System package doesn't have memory usage limit ++ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001), ++ null, false, "android"); ++ settingsState.deleteSettingLocked(settingName); ++ ++ // Should not throw if usage is under the cap ++ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19999), ++ null, false, "p1"); ++ settingsState.deleteSettingLocked(settingName); ++ try { ++ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001), ++ null, false, "p1"); ++ fail("Should throw because it exceeded per package memory usage"); ++ } catch (IllegalStateException ex) { ++ assertTrue(ex.getMessage().contains("p1")); ++ } ++ try { ++ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001), ++ null, false, "p1"); ++ fail("Should throw because it exceeded per package memory usage"); ++ } catch (IllegalStateException ex) { ++ assertTrue(ex.getMessage().contains("p1")); ++ } ++ assertTrue(settingsState.getSettingLocked(settingName).isNull()); ++ } + } diff --git a/Patches/LineageOS-15.1/android_frameworks_base/347048-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/347048-backport.patch new file mode 100644 index 00000000..249945d3 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/347048-backport.patch @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nate Myren +Date: Wed, 26 Oct 2022 17:37:26 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Revert "Revert "RESTRICT AUTOMERGE + Validate permission tree size..." + +Revert submission 20285709-revert-20103164-permTree-qt-dev-QWIEBZIWEA + +Reason for revert: resubmission +Reverted Changes: +I0a3b68aff:Revert "RESTRICT AUTOMERGE Add PermissionMemoryFoo... +I4e8ec8b1a:Revert "RESTRICT AUTOMERGE Validate permission tre... + +Change-Id: I3cd1aa270373bb32f95dfbe8422faa783ee49dca +(cherry picked from commit 4e83e59b27f7d6232ee9fe96f789e32debc19772) +Merged-In: I3cd1aa270373bb32f95dfbe8422faa783ee49dca +--- + .../core/java/com/android/server/pm/PackageManagerService.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java +index 9c59ecddee96..3a1f83e00da2 100644 +--- a/services/core/java/com/android/server/pm/PackageManagerService.java ++++ b/services/core/java/com/android/server/pm/PackageManagerService.java +@@ -5662,8 +5662,8 @@ public class PackageManagerService extends IPackageManager.Stub + boolean added = bp == null; + boolean changed = true; + int fixedLevel = PermissionInfo.fixProtectionLevel(info.protectionLevel); ++ enforcePermissionCapLocked(info, tree); + if (added) { +- enforcePermissionCapLocked(info, tree); + bp = new BasePermission(info.name, tree.sourcePackage, + BasePermission.TYPE_DYNAMIC); + } else if (bp.type != BasePermission.TYPE_DYNAMIC) { diff --git a/Patches/LineageOS-15.1/android_frameworks_base/347049-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/347049-backport.patch new file mode 100644 index 00000000..921e70e8 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/347049-backport.patch @@ -0,0 +1,249 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Songchun Fan +Date: Tue, 11 Oct 2022 18:08:11 -0700 +Subject: [PATCH] key size limit for mutating settings + +Prior to targetSdk 22, apps could add random system settings keys which +opens an opportunity for OOM attacks. This CL adds a key size limit. + +BUG: 239415997 +Test: manual; will add cts test +Merged-In: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc +Change-Id: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc +(cherry picked from commit 783bcba343c480f6ccedaaff41ba7171a1082e0c) +(cherry picked from commit f1831c87122e56951c04e1f62f647ab156ca71e3) +Merged-In: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc +--- + .../providers/settings/SettingsState.java | 40 ++++--- + .../providers/settings/SettingsStateTest.java | 102 +++++++++++++++++- + 2 files changed, 126 insertions(+), 16 deletions(-) + +diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java +index 0e94ea85919b..11b4c9eb1c1d 100644 +--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java ++++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java +@@ -46,6 +46,7 @@ import android.util.Xml; + import android.util.proto.ProtoOutputStream; + + import com.android.internal.annotations.GuardedBy; ++import com.android.internal.annotations.VisibleForTesting; + import com.android.server.LocalServices; + + import libcore.io.IoUtils; +@@ -306,8 +307,8 @@ final class SettingsState { + Setting newSetting = new Setting(name, oldSetting.getValue(), null, + oldSetting.getPackageName(), oldSetting.getTag(), false, + oldSetting.getId()); +- int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue, +- newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue()); ++ int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), 0, ++ oldValue, newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue()); + checkNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize); + mSettings.put(name, newSetting); + updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize); +@@ -327,8 +328,9 @@ final class SettingsState { + String oldDefaultValue = (oldState != null) ? oldState.defaultValue : null; + String newDefaultValue = makeDefault ? value : oldDefaultValue; + +- int newSize = getNewMemoryUsagePerPackageLocked(packageName, oldValue, value, +- oldDefaultValue, newDefaultValue); ++ int newSize = getNewMemoryUsagePerPackageLocked(packageName, ++ oldValue == null ? name.length() : 0 /* deltaKeySize */, ++ oldValue, value, oldDefaultValue, newDefaultValue); + checkNewMemoryUsagePerPackageLocked(packageName, newSize); + + Setting newState; +@@ -365,8 +367,12 @@ final class SettingsState { + } + + Setting oldState = mSettings.remove(name); +- int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName, oldState.value, +- null, oldState.defaultValue, null); ++ if (oldState == null) { ++ return false; ++ } ++ int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName, ++ -name.length() /* deltaKeySize */, ++ oldState.value, null, oldState.defaultValue, null); + + updateMemoryUsagePerPackageLocked(oldState.packageName, newSize); + +@@ -384,15 +390,16 @@ final class SettingsState { + } + + Setting setting = mSettings.get(name); ++ if (setting == null) { ++ return false; ++ } + + Setting oldSetting = new Setting(setting); + String oldValue = setting.getValue(); + String oldDefaultValue = setting.getDefaultValue(); +- String newValue = oldDefaultValue; +- String newDefaultValue = oldDefaultValue; + +- int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, oldValue, +- newValue, oldDefaultValue, newDefaultValue); ++ int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, 0, oldValue, ++ oldDefaultValue, oldDefaultValue, oldDefaultValue); + checkNewMemoryUsagePerPackageLocked(setting.packageName, newSize); + + if (!setting.reset()) { +@@ -521,8 +528,8 @@ final class SettingsState { + } + + @GuardedBy("mLock") +- private int getNewMemoryUsagePerPackageLocked(String packageName, String oldValue, +- String newValue, String oldDefaultValue, String newDefaultValue) { ++ private int getNewMemoryUsagePerPackageLocked(String packageName, int deltaKeySize, ++ String oldValue, String newValue, String oldDefaultValue, String newDefaultValue) { + if (isExemptFromMemoryUsageCap(packageName)) { + return 0; + } +@@ -531,7 +538,7 @@ final class SettingsState { + final int newValueSize = (newValue != null) ? newValue.length() : 0; + final int oldDefaultValueSize = (oldDefaultValue != null) ? oldDefaultValue.length() : 0; + final int newDefaultValueSize = (newDefaultValue != null) ? newDefaultValue.length() : 0; +- final int deltaSize = newValueSize + newDefaultValueSize ++ final int deltaSize = deltaKeySize + newValueSize + newDefaultValueSize + - oldValueSize - oldDefaultValueSize; + return Math.max((currentSize != null) ? currentSize + deltaSize : deltaSize, 0); + } +@@ -1140,4 +1147,11 @@ final class SettingsState { + return false; + } + } ++ ++ @VisibleForTesting ++ public int getMemoryUsage(String packageName) { ++ synchronized (mLock) { ++ return mPackageToMemoryUsage.getOrDefault(packageName, 0); ++ } ++ } + } +diff --git a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java +index 6f45adef91f7..adb356726eec 100644 +--- a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java ++++ b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java +@@ -186,8 +186,8 @@ public class SettingsStateTest extends AndroidTestCase { + + public void testInsertSetting_memoryUsage() { + final Object lock = new Object(); +- final File file = new File(getContext().getCacheDir(), "setting.xml"); +- final String settingName = "test_setting"; ++ final File file = new File(getContext().getCacheDir(), "setting.xml"); ++ final String settingName = "test_setting"; + + SettingsState settingsState = new SettingsState(getContext(), lock, file, 1, + SettingsState.MAX_BYTES_PER_APP_PACKAGE_UNLIMITED, Looper.getMainLooper()); +@@ -204,7 +204,7 @@ public class SettingsStateTest extends AndroidTestCase { + settingsState.deleteSettingLocked(settingName); + + // Should not throw if usage is under the cap +- settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19999), ++ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19975), + null, false, "p1"); + settingsState.deleteSettingLocked(settingName); + try { +@@ -222,5 +222,101 @@ public class SettingsStateTest extends AndroidTestCase { + assertTrue(ex.getMessage().contains("p1")); + } + assertTrue(settingsState.getSettingLocked(settingName).isNull()); ++ try { ++ settingsState.insertSettingLocked(Strings.repeat("A", 20001), "", ++ null, false, "p1"); ++ fail("Should throw because it exceeded per package memory usage"); ++ } catch (IllegalStateException ex) { ++ assertTrue(ex.getMessage().contains("You are adding too many system settings")); ++ } ++ } ++ ++ public void testMemoryUsagePerPackage() { ++ final Object lock = new Object(); ++ final File file = new File(getContext().getCacheDir(), "setting.xml"); ++ final String testPackage = "package"; ++ SettingsState settingsState = new SettingsState(getContext(), lock, file, 1, ++ SettingsState.MAX_BYTES_PER_APP_PACKAGE_LIMITED, Looper.getMainLooper()); ++ ++ // Test inserting one key with default ++ final String settingName = "test_setting"; ++ final String testKey1 = settingName; ++ final String testValue1 = Strings.repeat("A", 100); ++ settingsState.insertSettingLocked(testKey1, testValue1, null, true, testPackage); ++ int expectedMemUsage = testKey1.length() + testValue1.length() ++ + testValue1.length() /* size for default */; ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test inserting another key ++ final String testKey2 = settingName + "2"; ++ settingsState.insertSettingLocked(testKey2, testValue1, null, false, testPackage); ++ expectedMemUsage += testKey2.length() + testValue1.length(); ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test updating first key with new default ++ final String testValue2 = Strings.repeat("A", 300); ++ settingsState.insertSettingLocked(testKey1, testValue2, null, true, testPackage); ++ expectedMemUsage += (testValue2.length() - testValue1.length()) * 2; ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test updating first key without new default ++ final String testValue3 = Strings.repeat("A", 50); ++ settingsState.insertSettingLocked(testKey1, testValue3, null, false, testPackage); ++ expectedMemUsage -= testValue2.length() - testValue3.length(); ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test updating second key ++ settingsState.insertSettingLocked(testKey2, testValue2, null, false, testPackage); ++ expectedMemUsage -= testValue1.length() - testValue2.length(); ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test resetting key ++ settingsState.resetSettingLocked(testKey1); ++ expectedMemUsage += testValue2.length() - testValue3.length(); ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test resetting default value ++ settingsState.resetSettingDefaultValueLocked(testKey1); ++ expectedMemUsage -= testValue2.length(); ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test deletion ++ settingsState.deleteSettingLocked(testKey2); ++ expectedMemUsage -= testValue2.length() + testKey2.length() /* key is deleted too */; ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test another package with a different key ++ final String testPackage2 = testPackage + "2"; ++ final String testKey3 = settingName + "3"; ++ settingsState.insertSettingLocked(testKey3, testValue1, null, true, testPackage2); ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ final int expectedMemUsage2 = testKey3.length() + testValue1.length() * 2; ++ assertEquals(expectedMemUsage2, settingsState.getMemoryUsage(testPackage2)); ++ ++ // Test system package ++ settingsState.insertSettingLocked(testKey1, testValue1, null, true, "android"); ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ assertEquals(expectedMemUsage2, settingsState.getMemoryUsage(testPackage2)); ++ assertEquals(0, settingsState.getMemoryUsage("android")); ++ ++ // Test invalid value ++ try { ++ settingsState.insertSettingLocked(testKey1, Strings.repeat("A", 20001), null, false, ++ testPackage); ++ fail("Should throw because it exceeded per package memory usage"); ++ } catch (IllegalStateException ex) { ++ assertTrue(ex.getMessage().contains("You are adding too many system settings")); ++ } ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); ++ ++ // Test invalid key ++ try { ++ settingsState.insertSettingLocked(Strings.repeat("A", 20001), "", null, false, ++ testPackage); ++ fail("Should throw because it exceeded per package memory usage"); ++ } catch (IllegalStateException ex) { ++ assertTrue(ex.getMessage().contains("You are adding too many system settings")); ++ } ++ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage)); + } + } diff --git a/Patches/LineageOS-15.1/android_frameworks_base/347051-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/347051-backport.patch new file mode 100644 index 00000000..eb3d3904 --- /dev/null +++ b/Patches/LineageOS-15.1/android_frameworks_base/347051-backport.patch @@ -0,0 +1,240 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Khoa Hong +Date: Wed, 19 Oct 2022 16:29:18 +0800 +Subject: [PATCH] Add protections agains use-after-free issues if cancel() or + queue() is called after a device connection has been closed. + +This is a backport of ag/7528082 and ag/20033068. + +Bug: 132319116 +Bug: 130571162 +Bug: 204584366 +Test: CTS Verifier: USB Accessory Test & USB Device Test +Change-Id: I952ab566e26a808997e362dc85ebd1d8eb4574b9 +(cherry picked from commit 7a8d56b2fe3496f7717ad1afe45d2ef523b7e252) +Merged-In: I952ab566e26a808997e362dc85ebd1d8eb4574b9 +--- + .../hardware/usb/UsbDeviceConnection.java | 71 ++++++++++++++-- + .../java/android/hardware/usb/UsbRequest.java | 82 +++++++++++++++++-- + 2 files changed, 141 insertions(+), 12 deletions(-) + +diff --git a/core/java/android/hardware/usb/UsbDeviceConnection.java b/core/java/android/hardware/usb/UsbDeviceConnection.java +index 5b15c0d2fd9c..43a1b39d6be4 100644 +--- a/core/java/android/hardware/usb/UsbDeviceConnection.java ++++ b/core/java/android/hardware/usb/UsbDeviceConnection.java +@@ -50,6 +50,8 @@ public class UsbDeviceConnection { + + private final CloseGuard mCloseGuard = CloseGuard.get(); + ++ private final Object mLock = new Object(); ++ + /** + * UsbDevice should only be instantiated by UsbService implementation + * @hide +@@ -60,13 +62,23 @@ public class UsbDeviceConnection { + + /* package */ boolean open(String name, ParcelFileDescriptor pfd, @NonNull Context context) { + mContext = context.getApplicationContext(); +- boolean wasOpened = native_open(name, pfd.getFileDescriptor()); + +- if (wasOpened) { +- mCloseGuard.open("close"); ++ synchronized (mLock) { ++ boolean wasOpened = native_open(name, pfd.getFileDescriptor()); ++ ++ if (wasOpened) { ++ mCloseGuard.open("close"); ++ } ++ ++ return wasOpened; + } ++ } + +- return wasOpened; ++ /*** ++ * @return If this connection is currently open and usable. ++ */ ++ boolean isOpen() { ++ return mNativeContext != 0; + } + + /** +@@ -78,6 +90,49 @@ public class UsbDeviceConnection { + return mContext; + } + ++ /** ++ * Cancel a request which relates to this connection. ++ * ++ * @return true if the request was successfully cancelled. ++ */ ++ /* package */ boolean cancelRequest(UsbRequest request) { ++ synchronized (mLock) { ++ if (!isOpen()) { ++ return false; ++ } ++ ++ return request.cancelIfOpen(); ++ } ++ } ++ ++ /** ++ * This is meant to be called by UsbRequest's queue() in order to synchronize on ++ * UsbDeviceConnection's mLock to prevent the connection being closed while queueing. ++ */ ++ /* package */ boolean queueRequest(UsbRequest request, ByteBuffer buffer, int length) { ++ synchronized (mLock) { ++ if (!isOpen()) { ++ return false; ++ } ++ ++ return request.queueIfConnectionOpen(buffer, length); ++ } ++ } ++ ++ /** ++ * This is meant to be called by UsbRequest's queue() in order to synchronize on ++ * UsbDeviceConnection's mLock to prevent the connection being closed while queueing. ++ */ ++ /* package */ boolean queueRequest(UsbRequest request, @Nullable ByteBuffer buffer) { ++ synchronized (mLock) { ++ if (!isOpen()) { ++ return false; ++ } ++ ++ return request.queueIfConnectionOpen(buffer); ++ } ++ } ++ + /** + * Releases all system resources related to the device. + * Once the object is closed it cannot be used again. +@@ -85,9 +140,11 @@ public class UsbDeviceConnection { + * to retrieve a new instance to reestablish communication with the device. + */ + public void close() { +- if (mNativeContext != 0) { +- native_close(); +- mCloseGuard.close(); ++ synchronized (mLock) { ++ if (isOpen()) { ++ native_close(); ++ mCloseGuard.close(); ++ } + } + } + +diff --git a/core/java/android/hardware/usb/UsbRequest.java b/core/java/android/hardware/usb/UsbRequest.java +index 2e8f8e12b508..2c77647a26be 100644 +--- a/core/java/android/hardware/usb/UsbRequest.java ++++ b/core/java/android/hardware/usb/UsbRequest.java +@@ -107,11 +107,13 @@ public class UsbRequest { + * Releases all resources related to this request. + */ + public void close() { +- if (mNativeContext != 0) { +- mEndpoint = null; +- mConnection = null; +- native_close(); +- mCloseGuard.close(); ++ synchronized (mLock) { ++ if (mNativeContext != 0) { ++ mEndpoint = null; ++ mConnection = null; ++ native_close(); ++ mCloseGuard.close(); ++ } + } + } + +@@ -183,6 +185,28 @@ public class UsbRequest { + */ + @Deprecated + public boolean queue(ByteBuffer buffer, int length) { ++ UsbDeviceConnection connection = mConnection; ++ if (connection == null) { ++ // The expected exception by CTS Verifier - USB Device test ++ throw new NullPointerException("invalid connection"); ++ } ++ ++ // Calling into the underlying UsbDeviceConnection to synchronize on its lock, to prevent ++ // the connection being closed while queueing. ++ return connection.queueRequest(this, buffer, length); ++ } ++ ++ /** ++ * This is meant to be called from UsbDeviceConnection after synchronizing using the lock over ++ * there, to prevent the connection being closed while queueing. ++ */ ++ /* package */ boolean queueIfConnectionOpen(ByteBuffer buffer, int length) { ++ UsbDeviceConnection connection = mConnection; ++ if (connection == null || !connection.isOpen()) { ++ // The expected exception by CTS Verifier - USB Device test ++ throw new NullPointerException("invalid connection"); ++ } ++ + boolean out = (mEndpoint.getDirection() == UsbConstants.USB_DIR_OUT); + boolean result; + +@@ -227,6 +251,28 @@ public class UsbRequest { + * @return true if the queueing operation succeeded + */ + public boolean queue(@Nullable ByteBuffer buffer) { ++ UsbDeviceConnection connection = mConnection; ++ if (connection == null) { ++ // The expected exception by CTS Verifier - USB Device test ++ throw new IllegalStateException("invalid connection"); ++ } ++ ++ // Calling into the underlying UsbDeviceConnection to synchronize on its lock, to prevent ++ // the connection being closed while queueing. ++ return connection.queueRequest(this, buffer); ++ } ++ ++ /** ++ * This is meant to be called from UsbDeviceConnection after synchronizing using the lock over ++ * there, to prevent the connection being closed while queueing. ++ */ ++ /* package */ boolean queueIfConnectionOpen(@Nullable ByteBuffer buffer) { ++ UsbDeviceConnection connection = mConnection; ++ if (connection == null || !connection.isOpen()) { ++ // The expected exception by CTS Verifier - USB Device test ++ throw new IllegalStateException("invalid connection"); ++ } ++ + // Request need to be initialized + Preconditions.checkState(mNativeContext != 0, "request is not initialized"); + +@@ -344,6 +390,32 @@ public class UsbRequest { + * @return true if cancelling succeeded + */ + public boolean cancel() { ++ UsbDeviceConnection connection = mConnection; ++ if (connection == null) { ++ return false; ++ } ++ ++ return connection.cancelRequest(this); ++ } ++ ++ /** ++ * Cancels a pending queue operation (for use when the UsbDeviceConnection associated ++ * with this request is synchronized). This ensures we don't have a race where the ++ * device is closed and then the request is canceled which would lead to a ++ * use-after-free because the cancel operation uses the device connection ++ * information freed in the when UsbDeviceConnection is closed.
++ * ++ * This method assumes the connected is not closed while this method is executed. ++ * ++ * @return true if cancelling succeeded. ++ */ ++ /* package */ boolean cancelIfOpen() { ++ UsbDeviceConnection connection = mConnection; ++ if (mNativeContext == 0 || (connection != null && !connection.isOpen())) { ++ Log.w(TAG, ++ "Detected attempt to cancel a request on a connection which isn't open"); ++ return false; ++ } + return native_cancel(); + } + diff --git a/Patches/LineageOS-15.1/android_packages_apps_Nfc/346953-backport.patch b/Patches/LineageOS-15.1/android_packages_apps_Nfc/346953-backport.patch new file mode 100644 index 00000000..63c39054 --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_apps_Nfc/346953-backport.patch @@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Wed, 26 Oct 2022 14:03:48 -0700 +Subject: [PATCH] DO NOT MERGE OOBW in Mfc_Transceive() + +Bug: 241387741 +Test: build ok +Change-Id: Idf45b940ac21eeb4cf09c222988bfce22b0bef55 +(cherry picked from commit f5f24d0ea2bcc33f18915c4c7369f803c45e53b0) +Merged-In: Idf45b940ac21eeb4cf09c222988bfce22b0bef55 +--- + nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c +index 86657d53..cf5aafb6 100755 +--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c ++++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c +@@ -1077,6 +1077,12 @@ NFCSTATUS Mfc_Transceive(uint8_t *p_data, uint32_t len) + return status; + } + ++ if (len > (MAX_BUFF_SIZE * 2)) ++ { ++ android_errorWriteLog(0x534e4554, "241387741"); ++ return status; ++ } ++ + gphNxpExtns_Context.RawWriteCallBack = false; + gphNxpExtns_Context.CallBackMifare = NULL; + gphNxpExtns_Context.CallBackCtxt = NdefMap; diff --git a/Patches/LineageOS-15.1/android_packages_services_Telecomm/347042.patch b/Patches/LineageOS-15.1/android_packages_services_Telecomm/347042.patch new file mode 100644 index 00000000..18017c14 --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_services_Telecomm/347042.patch @@ -0,0 +1,61 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Grace Jia +Date: Thu, 22 Sep 2022 14:20:57 -0700 +Subject: [PATCH] Fix security vulnerability when register phone accounts. + +Currently if the registered self-managed phone account updated to a call +provider phone account, the enable state will be directly copied to the +updated one so that malicious app can perform call spoofing attack +without any permission requirements. Fix this by disallowing change a +self-managed phone account to a managed phone account. + +Bug: 246930197 +Test: CtsTelecomTestCases:SelfManagedConnectionSreviceTest +Change-Id: I8f7984cd491632b3219133044438b82ca4dec80e +Merged-In: I8f7984cd491632b3219133044438b82ca4dec80e +(cherry picked from commit 833dd8480adc773e36d388521a14fd8cd11d6a30) +Merged-In: I8f7984cd491632b3219133044438b82ca4dec80e +--- + .../server/telecom/PhoneAccountRegistrar.java | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/com/android/server/telecom/PhoneAccountRegistrar.java b/src/com/android/server/telecom/PhoneAccountRegistrar.java +index 5323a9669..4bcd2e5c3 100644 +--- a/src/com/android/server/telecom/PhoneAccountRegistrar.java ++++ b/src/com/android/server/telecom/PhoneAccountRegistrar.java +@@ -48,6 +48,7 @@ import android.telephony.TelephonyManager; + import android.text.TextUtils; + import android.util.AtomicFile; + import android.util.Base64; ++import android.util.EventLog; + import android.util.Xml; + + // TODO: Needed for move to system service: import com.android.internal.R; +@@ -680,6 +681,7 @@ public class PhoneAccountRegistrar { + + PhoneAccount oldAccount = getPhoneAccountUnchecked(account.getAccountHandle()); + if (oldAccount != null) { ++ enforceSelfManagedAccountUnmodified(account, oldAccount); + mState.accounts.remove(oldAccount); + isEnabled = oldAccount.isEnabled(); + Log.i(this, "Modify account: %s", getAccountDiffString(account, oldAccount)); +@@ -738,6 +740,19 @@ public class PhoneAccountRegistrar { + } + } + ++ private void enforceSelfManagedAccountUnmodified(PhoneAccount newAccount, ++ PhoneAccount oldAccount) { ++ if (oldAccount.hasCapabilities(PhoneAccount.CAPABILITY_SELF_MANAGED) && ++ (!newAccount.hasCapabilities(PhoneAccount.CAPABILITY_SELF_MANAGED))) { ++ EventLog.writeEvent(0x534e4554, "246930197"); ++ Log.w(this, "Self-managed phone account %s replaced by a non self-managed one", ++ newAccount.getAccountHandle()); ++ throw new IllegalArgumentException("Error, cannot change a self-managed " ++ + "phone account " + newAccount.getAccountHandle() ++ + " to other kinds of phone account"); ++ } ++ } ++ + /** + * Un-registers all phone accounts associated with a specified package. + * diff --git a/Patches/LineageOS-15.1/android_packages_services_Telephony/347041-backport.patch b/Patches/LineageOS-15.1/android_packages_services_Telephony/347041-backport.patch new file mode 100644 index 00000000..947b2ee5 --- /dev/null +++ b/Patches/LineageOS-15.1/android_packages_services_Telephony/347041-backport.patch @@ -0,0 +1,100 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Stuart +Date: Wed, 28 Sep 2022 09:40:14 -0700 +Subject: [PATCH] prevent overlays on the phone settings + +A report came in showing a 3rd party app could overlay a button +on the phone settings causing unwanted behavior. In order to prevent +this, a new system flag has been added that only allows system overlays. + +bug: 246933785 +Test: manual +Change-Id: I427b65bc6c1acf06676e1753a34a7a38e21bbae0 +Merged-In: I427b65bc6c1acf06676e1753a34a7a38e21bbae0 +(cherry picked from commit e827d8f13c1c92622474fa2bf9e41a1f4ce21e2c) +Merged-In: I427b65bc6c1acf06676e1753a34a7a38e21bbae0 +--- + AndroidManifest.xml | 3 +++ + .../phone/settings/AccessibilitySettingsActivity.java | 6 ++++-- + .../phone/settings/PhoneAccountSettingsActivity.java | 5 ++++- + .../android/phone/settings/VoicemailSettingsActivity.java | 4 ++++ + 4 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/AndroidManifest.xml b/AndroidManifest.xml +index 810e7bca0..766572164 100644 +--- a/AndroidManifest.xml ++++ b/AndroidManifest.xml +@@ -176,6 +176,9 @@ + + + ++ ++ ++ + +Date: Thu, 2 Dec 2021 16:04:19 +0530 +Subject: [PATCH] BT: Once AT command is retrieved, return from method. + +- Observed SIGSEV issue in Defensics, when received +buf is more than BTA_HF_CLIENT_AT_PARSER_MAX_LEN. + +- Commented recover cut data, after AT command is +retrieved because leftover data/buf is more than +BTA_HF_CLIENT_AT_PARSER_MAX_LEN and leading to +offset corruption. + +CRs-Fixed: 3052411 +Change-Id: I6375d00eebfbf97ffc40456622a6d39e4388f4b2 +--- + bta/hf_client/bta_hf_client_at.cc | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc +index 6c52edadc..dd3ea6846 100644 +--- a/bta/hf_client/bta_hf_client_at.cc ++++ b/bta/hf_client/bta_hf_client_at.cc +@@ -1615,9 +1615,13 @@ void bta_hf_client_at_parse(tBTA_HF_CLIENT_CB* client_cb, char* buf, + bta_hf_client_at_parse_start(client_cb); + bta_hf_client_at_clear_buf(client_cb); + +- /* recover cut data */ +- memcpy(client_cb->at_cb.buf, tmp_buff, tmp); +- client_cb->at_cb.offset += tmp; ++ /* TODO: recover cut data */ ++ // memcpy(client_cb->at_cb.buf, tmp_buff, tmp); ++ // client_cb->at_cb.offset += tmp; ++ // Observed SIGSEV issue in Defensics, when received buf is more than ++ // BTA_HF_CLIENT_AT_PARSER_MAX_LEN. ++ // Assuming to return from here, Once AT command is retrieved. ++ return; + } + + memcpy(client_cb->at_cb.buf + client_cb->at_cb.offset, buf, len); diff --git a/Patches/LineageOS-15.1/android_system_bt/347128.patch b/Patches/LineageOS-15.1/android_system_bt/347128.patch new file mode 100644 index 00000000..e0297cfc --- /dev/null +++ b/Patches/LineageOS-15.1/android_system_bt/347128.patch @@ -0,0 +1,78 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Sagar Verma +Date: Sun, 12 Jun 2022 00:05:07 +0530 +Subject: [PATCH] AVRC: Validating msg size before accessing fields + +This change adds buffer length validation during the parsing of AVRCP +browse commands. + +Change-Id: I3a6c7a9ea2323a04ce5c5368eabfa940a8152cba +--- + stack/avrc/avrc_pars_tg.cc | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc +index 7042f4da7..38c0ca385 100644 +--- a/stack/avrc/avrc_pars_tg.cc ++++ b/stack/avrc/avrc_pars_tg.cc +@@ -407,6 +407,12 @@ tAVRC_STS AVRC_Ctrl_ParsCommand(tAVRC_MSG* p_msg, tAVRC_COMMAND* p_result) { + return status; + } + ++#define RETURN_STATUS_IF_FALSE(_status_, _b_, _msg_, ...) \ ++ if (!(_b_)) { \ ++ AVRC_TRACE_DEBUG(_msg_, ##__VA_ARGS__); \ ++ return _status_; \ ++ } ++ + /******************************************************************************* + * + * Function avrc_pars_browsing_cmd +@@ -425,6 +431,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg, + tAVRC_STS status = AVRC_STS_NO_ERROR; + uint8_t* p = p_msg->p_browse_data; + int count; ++ uint16_t min_len = 3; + + p_result->pdu = *p++; + AVRC_TRACE_DEBUG("avrc_pars_browsing_cmd() pdu:0x%x", p_result->pdu); +@@ -438,6 +445,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg, + break; + + case AVRC_PDU_GET_FOLDER_ITEMS: /* 0x71 */ ++ min_len += 10; + STREAM_TO_UINT8(p_result->get_items.scope, p); + // To be modified later here (Scope) when all browsing commands are + // supported +@@ -458,6 +466,11 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg, + if (buf_len < (count << 2)) + p_result->get_items.attr_count = count = (buf_len >> 2); + for (int idx = 0; idx < count; idx++) { ++ min_len += 4; ++ RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, ++ (p_msg->browse_len >= min_len), ++ "msg too short"); ++ + BE_STREAM_TO_UINT32(p_result->get_items.p_attr_list[idx], p); + } + } +@@ -474,6 +487,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg, + break; + + case AVRC_PDU_GET_ITEM_ATTRIBUTES: /* 0x73 */ ++ min_len += 12; + BE_STREAM_TO_UINT8(p_result->get_attrs.scope, p); + if (p_result->get_attrs.scope > AVRC_SCOPE_NOW_PLAYING) { + status = AVRC_STS_BAD_SCOPE; +@@ -490,6 +504,11 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg, + p_result->get_attrs.attr_count = count = (buf_len >> 2); + for (int idx = 0, count = 0; idx < p_result->get_attrs.attr_count; + idx++) { ++ min_len += 4; ++ RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, ++ (p_msg->browse_len >= min_len), ++ "msg too short"); ++ + BE_STREAM_TO_UINT32(p_result->get_attrs.p_attr_list[count], p); + if (AVRC_IS_VALID_MEDIA_ATTRIBUTE( + p_result->get_attrs.p_attr_list[count])) { diff --git a/Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/252808-backport.patch b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/252808-backport.patch new file mode 100644 index 00000000..464e6b60 --- /dev/null +++ b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/252808-backport.patch @@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: George Chang +Date: Wed, 5 Jun 2019 15:57:56 +0800 +Subject: [PATCH] Prevent OOB write in Mfc_Transceive + +Bug: 132082342 +Test: Manual test/ Mifare Tag Read/Write +Merged-In: I3e1977514ba924655d42be4782244c6ef1cf7619 +Change-Id: I3e1977514ba924655d42be4782244c6ef1cf7619 +(cherry picked from commit edda944f0d84216e57846ae9a6799a90b875b427) +--- + nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c +index 34caef21..282ffc1a 100644 +--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c ++++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c +@@ -1094,6 +1094,12 @@ NFCSTATUS Mfc_Transceive(uint8_t *p_data, uint32_t len) + NFCSTATUS status = NFCSTATUS_FAILED; + uint8_t i = 0x00; + ++ if( len == 0 ) ++ { ++ android_errorWriteLog(0x534e4554, "132082342"); ++ return status; ++ } ++ + gphNxpExtns_Context.RawWriteCallBack = false; + gphNxpExtns_Context.CallBackMifare = NULL; + gphNxpExtns_Context.CallBackCtxt = NdefMap; diff --git a/Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/346953-backport.patch b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/346953-backport.patch new file mode 100644 index 00000000..6c775504 --- /dev/null +++ b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/346953-backport.patch @@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alisher Alikhodjaev +Date: Wed, 26 Oct 2022 14:03:48 -0700 +Subject: [PATCH] DO NOT MERGE OOBW in Mfc_Transceive() + +Bug: 241387741 +Test: build ok +Change-Id: Idf45b940ac21eeb4cf09c222988bfce22b0bef55 +(cherry picked from commit f5f24d0ea2bcc33f18915c4c7369f803c45e53b0) +Merged-In: Idf45b940ac21eeb4cf09c222988bfce22b0bef55 +--- + nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c +index 282ffc1a..8e9399ef 100644 +--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c ++++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c +@@ -1100,6 +1100,12 @@ NFCSTATUS Mfc_Transceive(uint8_t *p_data, uint32_t len) + return status; + } + ++ if (len > (MAX_BUFF_SIZE * 2)) ++ { ++ android_errorWriteLog(0x534e4554, "241387741"); ++ return status; ++ } ++ + gphNxpExtns_Context.RawWriteCallBack = false; + gphNxpExtns_Context.CallBackMifare = NULL; + gphNxpExtns_Context.CallBackCtxt = NdefMap; diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index 2de185c7..5edc4b28 100644 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -73,7 +73,7 @@ applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys t applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS) sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. awk -i inplace '!/Email/' target/product/core.mk; #Remove Email -sed -i 's/2021-10-05/2022-12-05/' core/version_defaults.mk; #Bump Security String #XXX +sed -i 's/2021-10-05/2023-01-05/' core/version_defaults.mk; #Bump Security String #XXX fi; if enterAndClear "build/soong"; then @@ -157,6 +157,13 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/345898-backport.patch"; #P_asb_ applyPatch "$DOS_PATCHES/android_frameworks_base/345520.patch"; #n-asb-2022-12 Ignore malformed shortcuts applyPatch "$DOS_PATCHES/android_frameworks_base/345901.patch"; #P_asb_2022-12 Fix permanent denial of service via setComponentEnabledSetting applyPatch "$DOS_PATCHES/android_frameworks_base/345902-backport.patch"; #P_asb_2022-12 Add safety checks on KEY_INTENT mismatch. +applyPatch "$DOS_PATCHES/android_frameworks_base/347044.patch"; #P_asb_2023-01 Limit lengths of fields in Condition to a max length. +applyPatch "$DOS_PATCHES/android_frameworks_base/346949.patch"; #n-asb-2023-01 Disable all A11yServices from an uninstalled package. +applyPatch "$DOS_PATCHES/android_frameworks_base/347046.patch"; #P_asb_2023-01 Fix conditionId string trimming in AutomaticZenRule +applyPatch "$DOS_PATCHES/android_frameworks_base/347047-backport.patch"; #P_asb_2023-01 [SettingsProvider] mem limit should be checked before settings are updated +#applyPatch "$DOS_PATCHES/android_frameworks_base/347048-backport.patch"; #P_asb_2023-01 Revert "Revert "RESTRICT AUTOMERGE Validate permission tree size..." #XXX: uncertain backport +applyPatch "$DOS_PATCHES/android_frameworks_base/347049-backport.patch"; #P_asb_2023-01 [SettingsProvider] key size limit for mutating settings +applyPatch "$DOS_PATCHES/android_frameworks_base/347051-backport.patch"; #P_asb_2023-01 Add protections agains use-after-free issues if cancel() or queue() is called after a device connection has been closed. applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969) applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS) @@ -276,6 +283,7 @@ fi; if enterAndClear "packages/apps/Nfc"; then applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/328346.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332455-backport.patch"; #n-asb-2022-06 OOB read in phNciNfc_RecvMfResp() +applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/346953-backport.patch"; #n-asb-2023-01 OOBW in Mfc_Transceive() fi; if enterAndClear "packages/apps/Settings"; then @@ -338,9 +346,11 @@ if enterAndClear "packages/services/Telecomm"; then applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332764.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/344183.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/345913.patch"; #P_asb_2022-12 Hide overlay windows when showing phone account enable/disable screen. +applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/347042.patch"; #P_asb_2023-01 Fix security vulnerability when register phone accounts. fi; if enterAndClear "packages/services/Telephony"; then +applyPatch "$DOS_PATCHES/android_packages_services_Telephony/347041-backport.patch"; #P_asb_2023-01 Prevent overlays on the phone settings applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #(DivestOS) applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch"; fi; @@ -362,6 +372,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/345915.patch"; #P_asb_2022-12 Added m applyPatch "$DOS_PATCHES/android_system_bt/345916.patch"; #P_asb_2022-12 Add missing increment in bnep_api.cc applyPatch "$DOS_PATCHES/android_system_bt/345917.patch"; #P_asb_2022-12 Add length check when copy AVDT and AVCT packet applyPatch "$DOS_PATCHES/android_system_bt/345918.patch"; #P_asb_2022-12 Fix integer overflow when parsing avrc response +applyPatch "$DOS_PATCHES/android_system_bt/347127.patch"; #P_asb_2023-01 Once AT command is retrieved, return from method. +applyPatch "$DOS_PATCHES/android_system_bt/347128.patch"; #P_asb_2023-01 AVRC: Validating msg size before accessing fields fi; if enterAndClear "system/core"; then @@ -388,15 +400,17 @@ if enterAndClear "system/vold"; then applyPatch "$DOS_PATCHES/android_system_vold/0001-AES256.patch"; #Add a variable for enabling AES-256 bit encryption (DivestOS) fi; -if enterAndClear "vendor/nxp/opensource/external/libnfc-nci"; then +if enterAndClear "vendor/nxp/opensource/external/libnfc-nci"; then #keep in sync with system/nfc applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332458-backport.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch"; #n-asb-2022-06 OOBR in nfc_ncif_proc_ee_discover_req() applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/344190-backport.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked() fi; -if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then +if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then #keep in sync with packages/apps/Nfc +applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/252808-backport.patch"; #n-asb-2019-08 Prevent OOB write in Mfc_Transceive applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/328348-backport.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction +applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/346953-backport.patch"; #n-asb-2023-01 OOBW in Mfc_Transceive() fi; if enterAndClear "vendor/lineage"; then