mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-02-02 18:34:46 -05:00
15.1 January ASB work
+ a missing patch from 2019-08 Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad
parent
57d951ccb5
commit
b143ffcd8b
68
Patches/LineageOS-15.1/android_frameworks_base/346949.patch
Normal file
68
Patches/LineageOS-15.1/android_frameworks_base/346949.patch
Normal file
@ -0,0 +1,68 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Norman <danielnorman@google.com>
|
||||
Date: Wed, 5 Oct 2022 16:28:20 -0700
|
||||
Subject: [PATCH] RESTRICT AUTOMERGE Disable all A11yServices from an
|
||||
uninstalled package.
|
||||
|
||||
Previous logic would exit the loop after removing the first service
|
||||
matching the uninstalled package.
|
||||
|
||||
Bug: 243378132
|
||||
Test: atest AccessibilityEndToEndTest
|
||||
Test: m sts;
|
||||
sts-tradefed run sts-dynamic-develop -m \
|
||||
CtsAccessibilityServiceTestCases
|
||||
Change-Id: I4ba30345d8600674ee8a9ea3ff411aecbf3655a3
|
||||
(cherry picked from commit 37966299859153377e61a6a97b036388d231c2d0)
|
||||
Merged-In: I4ba30345d8600674ee8a9ea3ff411aecbf3655a3
|
||||
---
|
||||
.../AccessibilityManagerService.java | 30 ++++++++++---------
|
||||
1 file changed, 16 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
|
||||
index 4859ffea870b..620db7345fab 100644
|
||||
--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
|
||||
+++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
|
||||
@@ -345,26 +345,28 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
|
||||
}
|
||||
UserState userState = getUserStateLocked(userId);
|
||||
Iterator<ComponentName> it = userState.mEnabledServices.iterator();
|
||||
+ boolean anyServiceRemoved = false;
|
||||
while (it.hasNext()) {
|
||||
ComponentName comp = it.next();
|
||||
String compPkg = comp.getPackageName();
|
||||
if (compPkg.equals(packageName)) {
|
||||
it.remove();
|
||||
- // Update the enabled services setting.
|
||||
- persistComponentNamesToSettingLocked(
|
||||
- Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
|
||||
- userState.mEnabledServices, userId);
|
||||
- // Update the touch exploration granted services setting.
|
||||
userState.mTouchExplorationGrantedServices.remove(comp);
|
||||
- persistComponentNamesToSettingLocked(
|
||||
- Settings.Secure.
|
||||
- TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
|
||||
- userState.mTouchExplorationGrantedServices, userId);
|
||||
- // We will update when the automation service dies.
|
||||
- if (!userState.isUiAutomationSuppressingOtherServices()) {
|
||||
- onUserStateChangedLocked(userState);
|
||||
- }
|
||||
- return;
|
||||
+ anyServiceRemoved = true;
|
||||
+ }
|
||||
+ }
|
||||
+ if (anyServiceRemoved) {
|
||||
+ // Update the enabled services setting.
|
||||
+ persistComponentNamesToSettingLocked(
|
||||
+ Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
|
||||
+ userState.mEnabledServices, userId);
|
||||
+ // Update the touch exploration granted services setting.
|
||||
+ persistComponentNamesToSettingLocked(
|
||||
+ Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
|
||||
+ userState.mTouchExplorationGrantedServices, userId);
|
||||
+ // We will update when the automation service dies.
|
||||
+ if (!userState.isUiAutomationSuppressingOtherServices()) {
|
||||
+ onUserStateChangedLocked(userState);
|
||||
}
|
||||
}
|
||||
}
|
||||
86
Patches/LineageOS-15.1/android_frameworks_base/347044.patch
Normal file
86
Patches/LineageOS-15.1/android_frameworks_base/347044.patch
Normal file
@ -0,0 +1,86 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Yuri Lin <yurilin@google.com>
|
||||
Date: Tue, 13 Sep 2022 12:53:19 -0400
|
||||
Subject: [PATCH] Limit lengths of fields in Condition to a max length.
|
||||
|
||||
This app-generated input needs to not be too long to avoid errors in the process of writing to disk.
|
||||
|
||||
Bug: 242846316
|
||||
Test: cts ConditionTest; atest ConditionTest; manually verified exploit apk is OK
|
||||
|
||||
Change-Id: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
|
||||
Merged-In: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
|
||||
(cherry picked from commit 81352c3775949c622441e10b468766441e35edc7)
|
||||
(cherry picked from commit 5cb217fff3bc7184bd776a9dc2991e7fce5e25bd)
|
||||
Merged-In: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
|
||||
---
|
||||
.../service/notification/Condition.java | 38 +++++++++++++++++--
|
||||
1 file changed, 34 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/service/notification/Condition.java b/core/java/android/service/notification/Condition.java
|
||||
index 447afe62fd1a..5f65d401600a 100644
|
||||
--- a/core/java/android/service/notification/Condition.java
|
||||
+++ b/core/java/android/service/notification/Condition.java
|
||||
@@ -94,6 +94,12 @@ public final class Condition implements Parcelable {
|
||||
@SystemApi
|
||||
public final int icon;
|
||||
|
||||
+ /**
|
||||
+ * The maximum string length for any string contained in this condition.
|
||||
+ * @hide
|
||||
+ */
|
||||
+ public static final int MAX_STRING_LENGTH = 1000;
|
||||
+
|
||||
/**
|
||||
* An object representing the current state of a {@link android.app.AutomaticZenRule}.
|
||||
* @param id the {@link android.app.AutomaticZenRule#getConditionId()} of the zen rule
|
||||
@@ -109,16 +115,19 @@ public final class Condition implements Parcelable {
|
||||
if (id == null) throw new IllegalArgumentException("id is required");
|
||||
if (summary == null) throw new IllegalArgumentException("summary is required");
|
||||
if (!isValidState(state)) throw new IllegalArgumentException("state is invalid: " + state);
|
||||
- this.id = id;
|
||||
- this.summary = summary;
|
||||
- this.line1 = line1;
|
||||
- this.line2 = line2;
|
||||
+ this.id = getTrimmedUri(id);
|
||||
+ this.summary = getTrimmedString(summary);
|
||||
+ this.line1 = getTrimmedString(line1);
|
||||
+ this.line2 = getTrimmedString(line2);
|
||||
this.icon = icon;
|
||||
this.state = state;
|
||||
this.flags = flags;
|
||||
}
|
||||
|
||||
public Condition(Parcel source) {
|
||||
+ // This constructor passes all fields directly into the constructor that takes all the
|
||||
+ // fields as arguments; that constructor will trim each of the input strings to
|
||||
+ // max length if necessary.
|
||||
this((Uri)source.readParcelable(Condition.class.getClassLoader()),
|
||||
source.readString(),
|
||||
source.readString(),
|
||||
@@ -234,4 +243,25 @@ public final class Condition implements Parcelable {
|
||||
return new Condition[size];
|
||||
}
|
||||
};
|
||||
+
|
||||
+ /**
|
||||
+ * Returns a truncated copy of the string if the string is longer than MAX_STRING_LENGTH.
|
||||
+ */
|
||||
+ private static String getTrimmedString(String input) {
|
||||
+ if (input != null && input.length() > MAX_STRING_LENGTH) {
|
||||
+ return input.substring(0, MAX_STRING_LENGTH);
|
||||
+ }
|
||||
+ return input;
|
||||
+ }
|
||||
+
|
||||
+ /**
|
||||
+ * Returns a truncated copy of the Uri by trimming the string representation to the maximum
|
||||
+ * string length.
|
||||
+ */
|
||||
+ private static Uri getTrimmedUri(Uri input) {
|
||||
+ if (input != null && input.toString().length() > MAX_STRING_LENGTH) {
|
||||
+ return Uri.parse(getTrimmedString(input.toString()));
|
||||
+ }
|
||||
+ return input;
|
||||
+ }
|
||||
}
|
||||
35
Patches/LineageOS-15.1/android_frameworks_base/347046.patch
Normal file
35
Patches/LineageOS-15.1/android_frameworks_base/347046.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Yuri Lin <yurilin@google.com>
|
||||
Date: Wed, 12 Oct 2022 14:27:46 +0000
|
||||
Subject: [PATCH] Fix conditionId string trimming in AutomaticZenRule
|
||||
|
||||
This change only applies to S branches and earlier.
|
||||
|
||||
Bug: 253085433
|
||||
Bug: 242703460
|
||||
Bug: 242703505
|
||||
Bug: 242703780
|
||||
Bug: 242704043
|
||||
Bug: 243794204
|
||||
Test: AutomaticZenRuleTest
|
||||
Change-Id: Iae423d93b777df8946ecf1c3baf640fcf74990ec
|
||||
Merged-In: Iae423d93b777df8946ecf1c3baf640fcf74990ec
|
||||
(cherry picked from commit 303f6bde896877793370c1697fa8c8331b808e56)
|
||||
Merged-In: Iae423d93b777df8946ecf1c3baf640fcf74990ec
|
||||
---
|
||||
core/java/android/app/AutomaticZenRule.java | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/core/java/android/app/AutomaticZenRule.java b/core/java/android/app/AutomaticZenRule.java
|
||||
index 29dd91ec1ad6..5998ab6fdaf4 100644
|
||||
--- a/core/java/android/app/AutomaticZenRule.java
|
||||
+++ b/core/java/android/app/AutomaticZenRule.java
|
||||
@@ -80,7 +80,7 @@ public final class AutomaticZenRule implements Parcelable {
|
||||
name = getTrimmedString(source.readString());
|
||||
}
|
||||
interruptionFilter = source.readInt();
|
||||
- conditionId = source.readParcelable(null);
|
||||
+ conditionId = getTrimmedUri(source.readParcelable(null));
|
||||
owner = getTrimmedComponentName(source.readParcelable(null));
|
||||
creationTime = source.readLong();
|
||||
}
|
||||
@ -0,0 +1,234 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Songchun Fan <schfan@google.com>
|
||||
Date: Wed, 17 Aug 2022 09:37:18 -0700
|
||||
Subject: [PATCH] mem limit should be checked before settings are updated
|
||||
|
||||
Previously, a setting is updated before the memory usage limit
|
||||
check, which can be exploited by malicious apps and cause OoM DoS.
|
||||
|
||||
This CL changes the logic to checkMemLimit -> update -> updateMemUsage.
|
||||
|
||||
BUG: 239415861
|
||||
Test: atest com.android.providers.settings.SettingsStateTest
|
||||
|
||||
(cherry picked from commit 8eeb92950f4a7012d4cf282106a1418fd211f475)
|
||||
Merged-In: I20551a2dba9aa79efa0c064824f349f551c2c2e4
|
||||
Change-Id: I20551a2dba9aa79efa0c064824f349f551c2c2e4
|
||||
(cherry picked from commit d85a42821075ad80b931d904bdc9c1d4c3129456)
|
||||
Merged-In: I20551a2dba9aa79efa0c064824f349f551c2c2e4
|
||||
---
|
||||
.../providers/settings/SettingsState.java | 75 ++++++++++++-------
|
||||
.../providers/settings/SettingsStateTest.java | 43 ++++++++++-
|
||||
2 files changed, 90 insertions(+), 28 deletions(-)
|
||||
|
||||
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
|
||||
index 4151ada9ce80..0e94ea85919b 100644
|
||||
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
|
||||
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
|
||||
@@ -306,9 +306,11 @@ final class SettingsState {
|
||||
Setting newSetting = new Setting(name, oldSetting.getValue(), null,
|
||||
oldSetting.getPackageName(), oldSetting.getTag(), false,
|
||||
oldSetting.getId());
|
||||
- mSettings.put(name, newSetting);
|
||||
- updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue,
|
||||
+ int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue,
|
||||
newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue());
|
||||
+ checkNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize);
|
||||
+ mSettings.put(name, newSetting);
|
||||
+ updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize);
|
||||
scheduleWriteIfNeededLocked();
|
||||
}
|
||||
}
|
||||
@@ -323,6 +325,12 @@ final class SettingsState {
|
||||
Setting oldState = mSettings.get(name);
|
||||
String oldValue = (oldState != null) ? oldState.value : null;
|
||||
String oldDefaultValue = (oldState != null) ? oldState.defaultValue : null;
|
||||
+ String newDefaultValue = makeDefault ? value : oldDefaultValue;
|
||||
+
|
||||
+ int newSize = getNewMemoryUsagePerPackageLocked(packageName, oldValue, value,
|
||||
+ oldDefaultValue, newDefaultValue);
|
||||
+ checkNewMemoryUsagePerPackageLocked(packageName, newSize);
|
||||
+
|
||||
Setting newState;
|
||||
|
||||
if (oldState != null) {
|
||||
@@ -337,8 +345,7 @@ final class SettingsState {
|
||||
|
||||
addHistoricalOperationLocked(HISTORICAL_OPERATION_UPDATE, newState);
|
||||
|
||||
- updateMemoryUsagePerPackageLocked(packageName, oldValue, value,
|
||||
- oldDefaultValue, newState.getDefaultValue());
|
||||
+ updateMemoryUsagePerPackageLocked(packageName, newSize);
|
||||
|
||||
scheduleWriteIfNeededLocked();
|
||||
|
||||
@@ -358,10 +365,11 @@ final class SettingsState {
|
||||
}
|
||||
|
||||
Setting oldState = mSettings.remove(name);
|
||||
-
|
||||
- updateMemoryUsagePerPackageLocked(oldState.packageName, oldState.value,
|
||||
+ int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName, oldState.value,
|
||||
null, oldState.defaultValue, null);
|
||||
|
||||
+ updateMemoryUsagePerPackageLocked(oldState.packageName, newSize);
|
||||
+
|
||||
addHistoricalOperationLocked(HISTORICAL_OPERATION_DELETE, oldState);
|
||||
|
||||
scheduleWriteIfNeededLocked();
|
||||
@@ -380,16 +388,18 @@ final class SettingsState {
|
||||
Setting oldSetting = new Setting(setting);
|
||||
String oldValue = setting.getValue();
|
||||
String oldDefaultValue = setting.getDefaultValue();
|
||||
+ String newValue = oldDefaultValue;
|
||||
+ String newDefaultValue = oldDefaultValue;
|
||||
+
|
||||
+ int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, oldValue,
|
||||
+ newValue, oldDefaultValue, newDefaultValue);
|
||||
+ checkNewMemoryUsagePerPackageLocked(setting.packageName, newSize);
|
||||
|
||||
if (!setting.reset()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
- String newValue = setting.getValue();
|
||||
- String newDefaultValue = setting.getDefaultValue();
|
||||
-
|
||||
- updateMemoryUsagePerPackageLocked(setting.packageName, oldValue,
|
||||
- newValue, oldDefaultValue, newDefaultValue);
|
||||
+ updateMemoryUsagePerPackageLocked(setting.packageName, newSize);
|
||||
|
||||
addHistoricalOperationLocked(HISTORICAL_OPERATION_RESET, oldSetting);
|
||||
|
||||
@@ -492,38 +502,49 @@ final class SettingsState {
|
||||
}
|
||||
}
|
||||
|
||||
- private void updateMemoryUsagePerPackageLocked(String packageName, String oldValue,
|
||||
- String newValue, String oldDefaultValue, String newDefaultValue) {
|
||||
- if (mMaxBytesPerAppPackage == MAX_BYTES_PER_APP_PACKAGE_UNLIMITED) {
|
||||
- return;
|
||||
- }
|
||||
+ private boolean isExemptFromMemoryUsageCap(String packageName) {
|
||||
+ return mMaxBytesPerAppPackage == MAX_BYTES_PER_APP_PACKAGE_UNLIMITED
|
||||
+ || SYSTEM_PACKAGE_NAME.equals(packageName);
|
||||
+ }
|
||||
|
||||
- if (SYSTEM_PACKAGE_NAME.equals(packageName)) {
|
||||
+ @GuardedBy("mLock")
|
||||
+ private void checkNewMemoryUsagePerPackageLocked(String packageName, int newSize)
|
||||
+ throws IllegalStateException {
|
||||
+ if (isExemptFromMemoryUsageCap(packageName)) {
|
||||
return;
|
||||
}
|
||||
+ if (newSize > mMaxBytesPerAppPackage) {
|
||||
+ throw new IllegalStateException("You are adding too many system settings. "
|
||||
+ + "You should stop using system settings for app specific data"
|
||||
+ + " package: " + packageName);
|
||||
+ }
|
||||
+ }
|
||||
|
||||
+ @GuardedBy("mLock")
|
||||
+ private int getNewMemoryUsagePerPackageLocked(String packageName, String oldValue,
|
||||
+ String newValue, String oldDefaultValue, String newDefaultValue) {
|
||||
+ if (isExemptFromMemoryUsageCap(packageName)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ final Integer currentSize = mPackageToMemoryUsage.get(packageName);
|
||||
final int oldValueSize = (oldValue != null) ? oldValue.length() : 0;
|
||||
final int newValueSize = (newValue != null) ? newValue.length() : 0;
|
||||
final int oldDefaultValueSize = (oldDefaultValue != null) ? oldDefaultValue.length() : 0;
|
||||
final int newDefaultValueSize = (newDefaultValue != null) ? newDefaultValue.length() : 0;
|
||||
final int deltaSize = newValueSize + newDefaultValueSize
|
||||
- oldValueSize - oldDefaultValueSize;
|
||||
+ return Math.max((currentSize != null) ? currentSize + deltaSize : deltaSize, 0);
|
||||
+ }
|
||||
|
||||
- Integer currentSize = mPackageToMemoryUsage.get(packageName);
|
||||
- final int newSize = Math.max((currentSize != null)
|
||||
- ? currentSize + deltaSize : deltaSize, 0);
|
||||
-
|
||||
- if (newSize > mMaxBytesPerAppPackage) {
|
||||
- throw new IllegalStateException("You are adding too many system settings. "
|
||||
- + "You should stop using system settings for app specific data"
|
||||
- + " package: " + packageName);
|
||||
+ @GuardedBy("mLock")
|
||||
+ private void updateMemoryUsagePerPackageLocked(String packageName, int newSize) {
|
||||
+ if (isExemptFromMemoryUsageCap(packageName)) {
|
||||
+ return;
|
||||
}
|
||||
-
|
||||
if (DEBUG) {
|
||||
Slog.i(LOG_TAG, "Settings for package: " + packageName
|
||||
+ " size: " + newSize + " bytes.");
|
||||
}
|
||||
-
|
||||
mPackageToMemoryUsage.put(packageName, newSize);
|
||||
}
|
||||
|
||||
diff --git a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
|
||||
index 3f68554ffe87..6f45adef91f7 100644
|
||||
--- a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
|
||||
+++ b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
|
||||
@@ -21,6 +21,8 @@ import android.util.Xml;
|
||||
|
||||
import org.xmlpull.v1.XmlSerializer;
|
||||
|
||||
+import com.google.common.base.Strings;
|
||||
+
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileOutputStream;
|
||||
@@ -46,7 +48,6 @@ public class SettingsStateTest extends AndroidTestCase {
|
||||
"\uD800ab\uDC00 " + // broken surrogate pairs
|
||||
"日本語";
|
||||
|
||||
-
|
||||
public void testIsBinary() {
|
||||
assertFalse(SettingsState.isBinary(" abc 日本語"));
|
||||
|
||||
@@ -182,4 +183,44 @@ public class SettingsStateTest extends AndroidTestCase {
|
||||
assertEquals("p2", s.getPackageName());
|
||||
}
|
||||
}
|
||||
+
|
||||
+ public void testInsertSetting_memoryUsage() {
|
||||
+ final Object lock = new Object();
|
||||
+ final File file = new File(getContext().getCacheDir(), "setting.xml");
|
||||
+ final String settingName = "test_setting";
|
||||
+
|
||||
+ SettingsState settingsState = new SettingsState(getContext(), lock, file, 1,
|
||||
+ SettingsState.MAX_BYTES_PER_APP_PACKAGE_UNLIMITED, Looper.getMainLooper());
|
||||
+ // No exception should be thrown when there is no cap
|
||||
+ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001),
|
||||
+ null, false, "p1");
|
||||
+ settingsState.deleteSettingLocked(settingName);
|
||||
+
|
||||
+ settingsState = new SettingsState(getContext(), lock, file, 1,
|
||||
+ SettingsState.MAX_BYTES_PER_APP_PACKAGE_LIMITED, Looper.getMainLooper());
|
||||
+ // System package doesn't have memory usage limit
|
||||
+ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001),
|
||||
+ null, false, "android");
|
||||
+ settingsState.deleteSettingLocked(settingName);
|
||||
+
|
||||
+ // Should not throw if usage is under the cap
|
||||
+ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19999),
|
||||
+ null, false, "p1");
|
||||
+ settingsState.deleteSettingLocked(settingName);
|
||||
+ try {
|
||||
+ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001),
|
||||
+ null, false, "p1");
|
||||
+ fail("Should throw because it exceeded per package memory usage");
|
||||
+ } catch (IllegalStateException ex) {
|
||||
+ assertTrue(ex.getMessage().contains("p1"));
|
||||
+ }
|
||||
+ try {
|
||||
+ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001),
|
||||
+ null, false, "p1");
|
||||
+ fail("Should throw because it exceeded per package memory usage");
|
||||
+ } catch (IllegalStateException ex) {
|
||||
+ assertTrue(ex.getMessage().contains("p1"));
|
||||
+ }
|
||||
+ assertTrue(settingsState.getSettingLocked(settingName).isNull());
|
||||
+ }
|
||||
}
|
||||
@ -0,0 +1,34 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Nate Myren <ntmyren@google.com>
|
||||
Date: Wed, 26 Oct 2022 17:37:26 +0000
|
||||
Subject: [PATCH] RESTRICT AUTOMERGE Revert "Revert "RESTRICT AUTOMERGE
|
||||
Validate permission tree size..."
|
||||
|
||||
Revert submission 20285709-revert-20103164-permTree-qt-dev-QWIEBZIWEA
|
||||
|
||||
Reason for revert: resubmission
|
||||
Reverted Changes:
|
||||
I0a3b68aff:Revert "RESTRICT AUTOMERGE Add PermissionMemoryFoo...
|
||||
I4e8ec8b1a:Revert "RESTRICT AUTOMERGE Validate permission tre...
|
||||
|
||||
Change-Id: I3cd1aa270373bb32f95dfbe8422faa783ee49dca
|
||||
(cherry picked from commit 4e83e59b27f7d6232ee9fe96f789e32debc19772)
|
||||
Merged-In: I3cd1aa270373bb32f95dfbe8422faa783ee49dca
|
||||
---
|
||||
.../core/java/com/android/server/pm/PackageManagerService.java | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
index 9c59ecddee96..3a1f83e00da2 100644
|
||||
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
|
||||
@@ -5662,8 +5662,8 @@ public class PackageManagerService extends IPackageManager.Stub
|
||||
boolean added = bp == null;
|
||||
boolean changed = true;
|
||||
int fixedLevel = PermissionInfo.fixProtectionLevel(info.protectionLevel);
|
||||
+ enforcePermissionCapLocked(info, tree);
|
||||
if (added) {
|
||||
- enforcePermissionCapLocked(info, tree);
|
||||
bp = new BasePermission(info.name, tree.sourcePackage,
|
||||
BasePermission.TYPE_DYNAMIC);
|
||||
} else if (bp.type != BasePermission.TYPE_DYNAMIC) {
|
||||
@ -0,0 +1,249 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Songchun Fan <schfan@google.com>
|
||||
Date: Tue, 11 Oct 2022 18:08:11 -0700
|
||||
Subject: [PATCH] key size limit for mutating settings
|
||||
|
||||
Prior to targetSdk 22, apps could add random system settings keys which
|
||||
opens an opportunity for OOM attacks. This CL adds a key size limit.
|
||||
|
||||
BUG: 239415997
|
||||
Test: manual; will add cts test
|
||||
Merged-In: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc
|
||||
Change-Id: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc
|
||||
(cherry picked from commit 783bcba343c480f6ccedaaff41ba7171a1082e0c)
|
||||
(cherry picked from commit f1831c87122e56951c04e1f62f647ab156ca71e3)
|
||||
Merged-In: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc
|
||||
---
|
||||
.../providers/settings/SettingsState.java | 40 ++++---
|
||||
.../providers/settings/SettingsStateTest.java | 102 +++++++++++++++++-
|
||||
2 files changed, 126 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
|
||||
index 0e94ea85919b..11b4c9eb1c1d 100644
|
||||
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
|
||||
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
|
||||
@@ -46,6 +46,7 @@ import android.util.Xml;
|
||||
import android.util.proto.ProtoOutputStream;
|
||||
|
||||
import com.android.internal.annotations.GuardedBy;
|
||||
+import com.android.internal.annotations.VisibleForTesting;
|
||||
import com.android.server.LocalServices;
|
||||
|
||||
import libcore.io.IoUtils;
|
||||
@@ -306,8 +307,8 @@ final class SettingsState {
|
||||
Setting newSetting = new Setting(name, oldSetting.getValue(), null,
|
||||
oldSetting.getPackageName(), oldSetting.getTag(), false,
|
||||
oldSetting.getId());
|
||||
- int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue,
|
||||
- newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue());
|
||||
+ int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), 0,
|
||||
+ oldValue, newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue());
|
||||
checkNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize);
|
||||
mSettings.put(name, newSetting);
|
||||
updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize);
|
||||
@@ -327,8 +328,9 @@ final class SettingsState {
|
||||
String oldDefaultValue = (oldState != null) ? oldState.defaultValue : null;
|
||||
String newDefaultValue = makeDefault ? value : oldDefaultValue;
|
||||
|
||||
- int newSize = getNewMemoryUsagePerPackageLocked(packageName, oldValue, value,
|
||||
- oldDefaultValue, newDefaultValue);
|
||||
+ int newSize = getNewMemoryUsagePerPackageLocked(packageName,
|
||||
+ oldValue == null ? name.length() : 0 /* deltaKeySize */,
|
||||
+ oldValue, value, oldDefaultValue, newDefaultValue);
|
||||
checkNewMemoryUsagePerPackageLocked(packageName, newSize);
|
||||
|
||||
Setting newState;
|
||||
@@ -365,8 +367,12 @@ final class SettingsState {
|
||||
}
|
||||
|
||||
Setting oldState = mSettings.remove(name);
|
||||
- int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName, oldState.value,
|
||||
- null, oldState.defaultValue, null);
|
||||
+ if (oldState == null) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName,
|
||||
+ -name.length() /* deltaKeySize */,
|
||||
+ oldState.value, null, oldState.defaultValue, null);
|
||||
|
||||
updateMemoryUsagePerPackageLocked(oldState.packageName, newSize);
|
||||
|
||||
@@ -384,15 +390,16 @@ final class SettingsState {
|
||||
}
|
||||
|
||||
Setting setting = mSettings.get(name);
|
||||
+ if (setting == null) {
|
||||
+ return false;
|
||||
+ }
|
||||
|
||||
Setting oldSetting = new Setting(setting);
|
||||
String oldValue = setting.getValue();
|
||||
String oldDefaultValue = setting.getDefaultValue();
|
||||
- String newValue = oldDefaultValue;
|
||||
- String newDefaultValue = oldDefaultValue;
|
||||
|
||||
- int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, oldValue,
|
||||
- newValue, oldDefaultValue, newDefaultValue);
|
||||
+ int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, 0, oldValue,
|
||||
+ oldDefaultValue, oldDefaultValue, oldDefaultValue);
|
||||
checkNewMemoryUsagePerPackageLocked(setting.packageName, newSize);
|
||||
|
||||
if (!setting.reset()) {
|
||||
@@ -521,8 +528,8 @@ final class SettingsState {
|
||||
}
|
||||
|
||||
@GuardedBy("mLock")
|
||||
- private int getNewMemoryUsagePerPackageLocked(String packageName, String oldValue,
|
||||
- String newValue, String oldDefaultValue, String newDefaultValue) {
|
||||
+ private int getNewMemoryUsagePerPackageLocked(String packageName, int deltaKeySize,
|
||||
+ String oldValue, String newValue, String oldDefaultValue, String newDefaultValue) {
|
||||
if (isExemptFromMemoryUsageCap(packageName)) {
|
||||
return 0;
|
||||
}
|
||||
@@ -531,7 +538,7 @@ final class SettingsState {
|
||||
final int newValueSize = (newValue != null) ? newValue.length() : 0;
|
||||
final int oldDefaultValueSize = (oldDefaultValue != null) ? oldDefaultValue.length() : 0;
|
||||
final int newDefaultValueSize = (newDefaultValue != null) ? newDefaultValue.length() : 0;
|
||||
- final int deltaSize = newValueSize + newDefaultValueSize
|
||||
+ final int deltaSize = deltaKeySize + newValueSize + newDefaultValueSize
|
||||
- oldValueSize - oldDefaultValueSize;
|
||||
return Math.max((currentSize != null) ? currentSize + deltaSize : deltaSize, 0);
|
||||
}
|
||||
@@ -1140,4 +1147,11 @@ final class SettingsState {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ @VisibleForTesting
|
||||
+ public int getMemoryUsage(String packageName) {
|
||||
+ synchronized (mLock) {
|
||||
+ return mPackageToMemoryUsage.getOrDefault(packageName, 0);
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
diff --git a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
|
||||
index 6f45adef91f7..adb356726eec 100644
|
||||
--- a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
|
||||
+++ b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
|
||||
@@ -186,8 +186,8 @@ public class SettingsStateTest extends AndroidTestCase {
|
||||
|
||||
public void testInsertSetting_memoryUsage() {
|
||||
final Object lock = new Object();
|
||||
- final File file = new File(getContext().getCacheDir(), "setting.xml");
|
||||
- final String settingName = "test_setting";
|
||||
+ final File file = new File(getContext().getCacheDir(), "setting.xml");
|
||||
+ final String settingName = "test_setting";
|
||||
|
||||
SettingsState settingsState = new SettingsState(getContext(), lock, file, 1,
|
||||
SettingsState.MAX_BYTES_PER_APP_PACKAGE_UNLIMITED, Looper.getMainLooper());
|
||||
@@ -204,7 +204,7 @@ public class SettingsStateTest extends AndroidTestCase {
|
||||
settingsState.deleteSettingLocked(settingName);
|
||||
|
||||
// Should not throw if usage is under the cap
|
||||
- settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19999),
|
||||
+ settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19975),
|
||||
null, false, "p1");
|
||||
settingsState.deleteSettingLocked(settingName);
|
||||
try {
|
||||
@@ -222,5 +222,101 @@ public class SettingsStateTest extends AndroidTestCase {
|
||||
assertTrue(ex.getMessage().contains("p1"));
|
||||
}
|
||||
assertTrue(settingsState.getSettingLocked(settingName).isNull());
|
||||
+ try {
|
||||
+ settingsState.insertSettingLocked(Strings.repeat("A", 20001), "",
|
||||
+ null, false, "p1");
|
||||
+ fail("Should throw because it exceeded per package memory usage");
|
||||
+ } catch (IllegalStateException ex) {
|
||||
+ assertTrue(ex.getMessage().contains("You are adding too many system settings"));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ public void testMemoryUsagePerPackage() {
|
||||
+ final Object lock = new Object();
|
||||
+ final File file = new File(getContext().getCacheDir(), "setting.xml");
|
||||
+ final String testPackage = "package";
|
||||
+ SettingsState settingsState = new SettingsState(getContext(), lock, file, 1,
|
||||
+ SettingsState.MAX_BYTES_PER_APP_PACKAGE_LIMITED, Looper.getMainLooper());
|
||||
+
|
||||
+ // Test inserting one key with default
|
||||
+ final String settingName = "test_setting";
|
||||
+ final String testKey1 = settingName;
|
||||
+ final String testValue1 = Strings.repeat("A", 100);
|
||||
+ settingsState.insertSettingLocked(testKey1, testValue1, null, true, testPackage);
|
||||
+ int expectedMemUsage = testKey1.length() + testValue1.length()
|
||||
+ + testValue1.length() /* size for default */;
|
||||
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
|
||||
+
|
||||
+ // Test inserting another key
|
||||
+ final String testKey2 = settingName + "2";
|
||||
+ settingsState.insertSettingLocked(testKey2, testValue1, null, false, testPackage);
|
||||
+ expectedMemUsage += testKey2.length() + testValue1.length();
|
||||
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
|
||||
+
|
||||
+ // Test updating first key with new default
|
||||
+ final String testValue2 = Strings.repeat("A", 300);
|
||||
+ settingsState.insertSettingLocked(testKey1, testValue2, null, true, testPackage);
|
||||
+ expectedMemUsage += (testValue2.length() - testValue1.length()) * 2;
|
||||
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
|
||||
+
|
||||
+ // Test updating first key without new default
|
||||
+ final String testValue3 = Strings.repeat("A", 50);
|
||||
+ settingsState.insertSettingLocked(testKey1, testValue3, null, false, testPackage);
|
||||
+ expectedMemUsage -= testValue2.length() - testValue3.length();
|
||||
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
|
||||
+
|
||||
+ // Test updating second key
|
||||
+ settingsState.insertSettingLocked(testKey2, testValue2, null, false, testPackage);
|
||||
+ expectedMemUsage -= testValue1.length() - testValue2.length();
|
||||
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
|
||||
+
|
||||
+ // Test resetting key
|
||||
+ settingsState.resetSettingLocked(testKey1);
|
||||
+ expectedMemUsage += testValue2.length() - testValue3.length();
|
||||
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
|
||||
+
|
||||
+ // Test resetting default value
|
||||
+ settingsState.resetSettingDefaultValueLocked(testKey1);
|
||||
+ expectedMemUsage -= testValue2.length();
|
||||
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
|
||||
+
|
||||
+ // Test deletion
|
||||
+ settingsState.deleteSettingLocked(testKey2);
|
||||
+ expectedMemUsage -= testValue2.length() + testKey2.length() /* key is deleted too */;
|
||||
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
|
||||
+
|
||||
+ // Test another package with a different key
|
||||
+ final String testPackage2 = testPackage + "2";
|
||||
+ final String testKey3 = settingName + "3";
|
||||
+ settingsState.insertSettingLocked(testKey3, testValue1, null, true, testPackage2);
|
||||
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
|
||||
+ final int expectedMemUsage2 = testKey3.length() + testValue1.length() * 2;
|
||||
+ assertEquals(expectedMemUsage2, settingsState.getMemoryUsage(testPackage2));
|
||||
+
|
||||
+ // Test system package
|
||||
+ settingsState.insertSettingLocked(testKey1, testValue1, null, true, "android");
|
||||
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
|
||||
+ assertEquals(expectedMemUsage2, settingsState.getMemoryUsage(testPackage2));
|
||||
+ assertEquals(0, settingsState.getMemoryUsage("android"));
|
||||
+
|
||||
+ // Test invalid value
|
||||
+ try {
|
||||
+ settingsState.insertSettingLocked(testKey1, Strings.repeat("A", 20001), null, false,
|
||||
+ testPackage);
|
||||
+ fail("Should throw because it exceeded per package memory usage");
|
||||
+ } catch (IllegalStateException ex) {
|
||||
+ assertTrue(ex.getMessage().contains("You are adding too many system settings"));
|
||||
+ }
|
||||
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
|
||||
+
|
||||
+ // Test invalid key
|
||||
+ try {
|
||||
+ settingsState.insertSettingLocked(Strings.repeat("A", 20001), "", null, false,
|
||||
+ testPackage);
|
||||
+ fail("Should throw because it exceeded per package memory usage");
|
||||
+ } catch (IllegalStateException ex) {
|
||||
+ assertTrue(ex.getMessage().contains("You are adding too many system settings"));
|
||||
+ }
|
||||
+ assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,240 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Khoa Hong <khoahong@google.com>
|
||||
Date: Wed, 19 Oct 2022 16:29:18 +0800
|
||||
Subject: [PATCH] Add protections agains use-after-free issues if cancel() or
|
||||
queue() is called after a device connection has been closed.
|
||||
|
||||
This is a backport of ag/7528082 and ag/20033068.
|
||||
|
||||
Bug: 132319116
|
||||
Bug: 130571162
|
||||
Bug: 204584366
|
||||
Test: CTS Verifier: USB Accessory Test & USB Device Test
|
||||
Change-Id: I952ab566e26a808997e362dc85ebd1d8eb4574b9
|
||||
(cherry picked from commit 7a8d56b2fe3496f7717ad1afe45d2ef523b7e252)
|
||||
Merged-In: I952ab566e26a808997e362dc85ebd1d8eb4574b9
|
||||
---
|
||||
.../hardware/usb/UsbDeviceConnection.java | 71 ++++++++++++++--
|
||||
.../java/android/hardware/usb/UsbRequest.java | 82 +++++++++++++++++--
|
||||
2 files changed, 141 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/hardware/usb/UsbDeviceConnection.java b/core/java/android/hardware/usb/UsbDeviceConnection.java
|
||||
index 5b15c0d2fd9c..43a1b39d6be4 100644
|
||||
--- a/core/java/android/hardware/usb/UsbDeviceConnection.java
|
||||
+++ b/core/java/android/hardware/usb/UsbDeviceConnection.java
|
||||
@@ -50,6 +50,8 @@ public class UsbDeviceConnection {
|
||||
|
||||
private final CloseGuard mCloseGuard = CloseGuard.get();
|
||||
|
||||
+ private final Object mLock = new Object();
|
||||
+
|
||||
/**
|
||||
* UsbDevice should only be instantiated by UsbService implementation
|
||||
* @hide
|
||||
@@ -60,13 +62,23 @@ public class UsbDeviceConnection {
|
||||
|
||||
/* package */ boolean open(String name, ParcelFileDescriptor pfd, @NonNull Context context) {
|
||||
mContext = context.getApplicationContext();
|
||||
- boolean wasOpened = native_open(name, pfd.getFileDescriptor());
|
||||
|
||||
- if (wasOpened) {
|
||||
- mCloseGuard.open("close");
|
||||
+ synchronized (mLock) {
|
||||
+ boolean wasOpened = native_open(name, pfd.getFileDescriptor());
|
||||
+
|
||||
+ if (wasOpened) {
|
||||
+ mCloseGuard.open("close");
|
||||
+ }
|
||||
+
|
||||
+ return wasOpened;
|
||||
}
|
||||
+ }
|
||||
|
||||
- return wasOpened;
|
||||
+ /***
|
||||
+ * @return If this connection is currently open and usable.
|
||||
+ */
|
||||
+ boolean isOpen() {
|
||||
+ return mNativeContext != 0;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -78,6 +90,49 @@ public class UsbDeviceConnection {
|
||||
return mContext;
|
||||
}
|
||||
|
||||
+ /**
|
||||
+ * Cancel a request which relates to this connection.
|
||||
+ *
|
||||
+ * @return true if the request was successfully cancelled.
|
||||
+ */
|
||||
+ /* package */ boolean cancelRequest(UsbRequest request) {
|
||||
+ synchronized (mLock) {
|
||||
+ if (!isOpen()) {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ return request.cancelIfOpen();
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /**
|
||||
+ * This is meant to be called by UsbRequest's queue() in order to synchronize on
|
||||
+ * UsbDeviceConnection's mLock to prevent the connection being closed while queueing.
|
||||
+ */
|
||||
+ /* package */ boolean queueRequest(UsbRequest request, ByteBuffer buffer, int length) {
|
||||
+ synchronized (mLock) {
|
||||
+ if (!isOpen()) {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ return request.queueIfConnectionOpen(buffer, length);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /**
|
||||
+ * This is meant to be called by UsbRequest's queue() in order to synchronize on
|
||||
+ * UsbDeviceConnection's mLock to prevent the connection being closed while queueing.
|
||||
+ */
|
||||
+ /* package */ boolean queueRequest(UsbRequest request, @Nullable ByteBuffer buffer) {
|
||||
+ synchronized (mLock) {
|
||||
+ if (!isOpen()) {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ return request.queueIfConnectionOpen(buffer);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/**
|
||||
* Releases all system resources related to the device.
|
||||
* Once the object is closed it cannot be used again.
|
||||
@@ -85,9 +140,11 @@ public class UsbDeviceConnection {
|
||||
* to retrieve a new instance to reestablish communication with the device.
|
||||
*/
|
||||
public void close() {
|
||||
- if (mNativeContext != 0) {
|
||||
- native_close();
|
||||
- mCloseGuard.close();
|
||||
+ synchronized (mLock) {
|
||||
+ if (isOpen()) {
|
||||
+ native_close();
|
||||
+ mCloseGuard.close();
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/core/java/android/hardware/usb/UsbRequest.java b/core/java/android/hardware/usb/UsbRequest.java
|
||||
index 2e8f8e12b508..2c77647a26be 100644
|
||||
--- a/core/java/android/hardware/usb/UsbRequest.java
|
||||
+++ b/core/java/android/hardware/usb/UsbRequest.java
|
||||
@@ -107,11 +107,13 @@ public class UsbRequest {
|
||||
* Releases all resources related to this request.
|
||||
*/
|
||||
public void close() {
|
||||
- if (mNativeContext != 0) {
|
||||
- mEndpoint = null;
|
||||
- mConnection = null;
|
||||
- native_close();
|
||||
- mCloseGuard.close();
|
||||
+ synchronized (mLock) {
|
||||
+ if (mNativeContext != 0) {
|
||||
+ mEndpoint = null;
|
||||
+ mConnection = null;
|
||||
+ native_close();
|
||||
+ mCloseGuard.close();
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -183,6 +185,28 @@ public class UsbRequest {
|
||||
*/
|
||||
@Deprecated
|
||||
public boolean queue(ByteBuffer buffer, int length) {
|
||||
+ UsbDeviceConnection connection = mConnection;
|
||||
+ if (connection == null) {
|
||||
+ // The expected exception by CTS Verifier - USB Device test
|
||||
+ throw new NullPointerException("invalid connection");
|
||||
+ }
|
||||
+
|
||||
+ // Calling into the underlying UsbDeviceConnection to synchronize on its lock, to prevent
|
||||
+ // the connection being closed while queueing.
|
||||
+ return connection.queueRequest(this, buffer, length);
|
||||
+ }
|
||||
+
|
||||
+ /**
|
||||
+ * This is meant to be called from UsbDeviceConnection after synchronizing using the lock over
|
||||
+ * there, to prevent the connection being closed while queueing.
|
||||
+ */
|
||||
+ /* package */ boolean queueIfConnectionOpen(ByteBuffer buffer, int length) {
|
||||
+ UsbDeviceConnection connection = mConnection;
|
||||
+ if (connection == null || !connection.isOpen()) {
|
||||
+ // The expected exception by CTS Verifier - USB Device test
|
||||
+ throw new NullPointerException("invalid connection");
|
||||
+ }
|
||||
+
|
||||
boolean out = (mEndpoint.getDirection() == UsbConstants.USB_DIR_OUT);
|
||||
boolean result;
|
||||
|
||||
@@ -227,6 +251,28 @@ public class UsbRequest {
|
||||
* @return true if the queueing operation succeeded
|
||||
*/
|
||||
public boolean queue(@Nullable ByteBuffer buffer) {
|
||||
+ UsbDeviceConnection connection = mConnection;
|
||||
+ if (connection == null) {
|
||||
+ // The expected exception by CTS Verifier - USB Device test
|
||||
+ throw new IllegalStateException("invalid connection");
|
||||
+ }
|
||||
+
|
||||
+ // Calling into the underlying UsbDeviceConnection to synchronize on its lock, to prevent
|
||||
+ // the connection being closed while queueing.
|
||||
+ return connection.queueRequest(this, buffer);
|
||||
+ }
|
||||
+
|
||||
+ /**
|
||||
+ * This is meant to be called from UsbDeviceConnection after synchronizing using the lock over
|
||||
+ * there, to prevent the connection being closed while queueing.
|
||||
+ */
|
||||
+ /* package */ boolean queueIfConnectionOpen(@Nullable ByteBuffer buffer) {
|
||||
+ UsbDeviceConnection connection = mConnection;
|
||||
+ if (connection == null || !connection.isOpen()) {
|
||||
+ // The expected exception by CTS Verifier - USB Device test
|
||||
+ throw new IllegalStateException("invalid connection");
|
||||
+ }
|
||||
+
|
||||
// Request need to be initialized
|
||||
Preconditions.checkState(mNativeContext != 0, "request is not initialized");
|
||||
|
||||
@@ -344,6 +390,32 @@ public class UsbRequest {
|
||||
* @return true if cancelling succeeded
|
||||
*/
|
||||
public boolean cancel() {
|
||||
+ UsbDeviceConnection connection = mConnection;
|
||||
+ if (connection == null) {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ return connection.cancelRequest(this);
|
||||
+ }
|
||||
+
|
||||
+ /**
|
||||
+ * Cancels a pending queue operation (for use when the UsbDeviceConnection associated
|
||||
+ * with this request is synchronized). This ensures we don't have a race where the
|
||||
+ * device is closed and then the request is canceled which would lead to a
|
||||
+ * use-after-free because the cancel operation uses the device connection
|
||||
+ * information freed in the when UsbDeviceConnection is closed.<br/>
|
||||
+ *
|
||||
+ * This method assumes the connected is not closed while this method is executed.
|
||||
+ *
|
||||
+ * @return true if cancelling succeeded.
|
||||
+ */
|
||||
+ /* package */ boolean cancelIfOpen() {
|
||||
+ UsbDeviceConnection connection = mConnection;
|
||||
+ if (mNativeContext == 0 || (connection != null && !connection.isOpen())) {
|
||||
+ Log.w(TAG,
|
||||
+ "Detected attempt to cancel a request on a connection which isn't open");
|
||||
+ return false;
|
||||
+ }
|
||||
return native_cancel();
|
||||
}
|
||||
|
||||
@ -0,0 +1,31 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alisher Alikhodjaev <alisher@google.com>
|
||||
Date: Wed, 26 Oct 2022 14:03:48 -0700
|
||||
Subject: [PATCH] DO NOT MERGE OOBW in Mfc_Transceive()
|
||||
|
||||
Bug: 241387741
|
||||
Test: build ok
|
||||
Change-Id: Idf45b940ac21eeb4cf09c222988bfce22b0bef55
|
||||
(cherry picked from commit f5f24d0ea2bcc33f18915c4c7369f803c45e53b0)
|
||||
Merged-In: Idf45b940ac21eeb4cf09c222988bfce22b0bef55
|
||||
---
|
||||
nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
|
||||
index 86657d53..cf5aafb6 100755
|
||||
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
|
||||
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
|
||||
@@ -1077,6 +1077,12 @@ NFCSTATUS Mfc_Transceive(uint8_t *p_data, uint32_t len)
|
||||
return status;
|
||||
}
|
||||
|
||||
+ if (len > (MAX_BUFF_SIZE * 2))
|
||||
+ {
|
||||
+ android_errorWriteLog(0x534e4554, "241387741");
|
||||
+ return status;
|
||||
+ }
|
||||
+
|
||||
gphNxpExtns_Context.RawWriteCallBack = false;
|
||||
gphNxpExtns_Context.CallBackMifare = NULL;
|
||||
gphNxpExtns_Context.CallBackCtxt = NdefMap;
|
||||
@ -0,0 +1,61 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Grace Jia <xiaotonj@google.com>
|
||||
Date: Thu, 22 Sep 2022 14:20:57 -0700
|
||||
Subject: [PATCH] Fix security vulnerability when register phone accounts.
|
||||
|
||||
Currently if the registered self-managed phone account updated to a call
|
||||
provider phone account, the enable state will be directly copied to the
|
||||
updated one so that malicious app can perform call spoofing attack
|
||||
without any permission requirements. Fix this by disallowing change a
|
||||
self-managed phone account to a managed phone account.
|
||||
|
||||
Bug: 246930197
|
||||
Test: CtsTelecomTestCases:SelfManagedConnectionSreviceTest
|
||||
Change-Id: I8f7984cd491632b3219133044438b82ca4dec80e
|
||||
Merged-In: I8f7984cd491632b3219133044438b82ca4dec80e
|
||||
(cherry picked from commit 833dd8480adc773e36d388521a14fd8cd11d6a30)
|
||||
Merged-In: I8f7984cd491632b3219133044438b82ca4dec80e
|
||||
---
|
||||
.../server/telecom/PhoneAccountRegistrar.java | 15 +++++++++++++++
|
||||
1 file changed, 15 insertions(+)
|
||||
|
||||
diff --git a/src/com/android/server/telecom/PhoneAccountRegistrar.java b/src/com/android/server/telecom/PhoneAccountRegistrar.java
|
||||
index 5323a9669..4bcd2e5c3 100644
|
||||
--- a/src/com/android/server/telecom/PhoneAccountRegistrar.java
|
||||
+++ b/src/com/android/server/telecom/PhoneAccountRegistrar.java
|
||||
@@ -48,6 +48,7 @@ import android.telephony.TelephonyManager;
|
||||
import android.text.TextUtils;
|
||||
import android.util.AtomicFile;
|
||||
import android.util.Base64;
|
||||
+import android.util.EventLog;
|
||||
import android.util.Xml;
|
||||
|
||||
// TODO: Needed for move to system service: import com.android.internal.R;
|
||||
@@ -680,6 +681,7 @@ public class PhoneAccountRegistrar {
|
||||
|
||||
PhoneAccount oldAccount = getPhoneAccountUnchecked(account.getAccountHandle());
|
||||
if (oldAccount != null) {
|
||||
+ enforceSelfManagedAccountUnmodified(account, oldAccount);
|
||||
mState.accounts.remove(oldAccount);
|
||||
isEnabled = oldAccount.isEnabled();
|
||||
Log.i(this, "Modify account: %s", getAccountDiffString(account, oldAccount));
|
||||
@@ -738,6 +740,19 @@ public class PhoneAccountRegistrar {
|
||||
}
|
||||
}
|
||||
|
||||
+ private void enforceSelfManagedAccountUnmodified(PhoneAccount newAccount,
|
||||
+ PhoneAccount oldAccount) {
|
||||
+ if (oldAccount.hasCapabilities(PhoneAccount.CAPABILITY_SELF_MANAGED) &&
|
||||
+ (!newAccount.hasCapabilities(PhoneAccount.CAPABILITY_SELF_MANAGED))) {
|
||||
+ EventLog.writeEvent(0x534e4554, "246930197");
|
||||
+ Log.w(this, "Self-managed phone account %s replaced by a non self-managed one",
|
||||
+ newAccount.getAccountHandle());
|
||||
+ throw new IllegalArgumentException("Error, cannot change a self-managed "
|
||||
+ + "phone account " + newAccount.getAccountHandle()
|
||||
+ + " to other kinds of phone account");
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/**
|
||||
* Un-registers all phone accounts associated with a specified package.
|
||||
*
|
||||
@ -0,0 +1,100 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Stuart <tjstuart@google.com>
|
||||
Date: Wed, 28 Sep 2022 09:40:14 -0700
|
||||
Subject: [PATCH] prevent overlays on the phone settings
|
||||
|
||||
A report came in showing a 3rd party app could overlay a button
|
||||
on the phone settings causing unwanted behavior. In order to prevent
|
||||
this, a new system flag has been added that only allows system overlays.
|
||||
|
||||
bug: 246933785
|
||||
Test: manual
|
||||
Change-Id: I427b65bc6c1acf06676e1753a34a7a38e21bbae0
|
||||
Merged-In: I427b65bc6c1acf06676e1753a34a7a38e21bbae0
|
||||
(cherry picked from commit e827d8f13c1c92622474fa2bf9e41a1f4ce21e2c)
|
||||
Merged-In: I427b65bc6c1acf06676e1753a34a7a38e21bbae0
|
||||
---
|
||||
AndroidManifest.xml | 3 +++
|
||||
.../phone/settings/AccessibilitySettingsActivity.java | 6 ++++--
|
||||
.../phone/settings/PhoneAccountSettingsActivity.java | 5 ++++-
|
||||
.../android/phone/settings/VoicemailSettingsActivity.java | 4 ++++
|
||||
4 files changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
|
||||
index 810e7bca0..766572164 100644
|
||||
--- a/AndroidManifest.xml
|
||||
+++ b/AndroidManifest.xml
|
||||
@@ -176,6 +176,9 @@
|
||||
<uses-permission android:name="android.permission.MANAGE_NETWORK_POLICY" />
|
||||
<uses-permission android:name="android.permission.READ_NETWORK_USAGE_HISTORY" />
|
||||
|
||||
+ <!-- Needed to block unwanted malicious pop up overlays -->
|
||||
+ <uses-permission android:name="android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS"/>
|
||||
+
|
||||
<application android:name="PhoneApp"
|
||||
android:persistent="true"
|
||||
android:label="@string/phoneAppLabel"
|
||||
diff --git a/src/com/android/phone/settings/AccessibilitySettingsActivity.java b/src/com/android/phone/settings/AccessibilitySettingsActivity.java
|
||||
index 769ef615f..c65aa3273 100644
|
||||
--- a/src/com/android/phone/settings/AccessibilitySettingsActivity.java
|
||||
+++ b/src/com/android/phone/settings/AccessibilitySettingsActivity.java
|
||||
@@ -24,10 +24,12 @@ import com.android.phone.R;
|
||||
|
||||
public class AccessibilitySettingsActivity extends PreferenceActivity {
|
||||
|
||||
- @Override
|
||||
+ @Override
|
||||
protected void onCreate(Bundle icicle) {
|
||||
super.onCreate(icicle);
|
||||
-
|
||||
+ getWindow().addPrivateFlags(
|
||||
+ android.view.WindowManager.LayoutParams
|
||||
+ .PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
|
||||
getActionBar().setTitle(R.string.accessibility_settings_activity_title);
|
||||
getFragmentManager().beginTransaction().replace(
|
||||
android.R.id.content, new AccessibilitySettingsFragment()).commit();
|
||||
diff --git a/src/com/android/phone/settings/PhoneAccountSettingsActivity.java b/src/com/android/phone/settings/PhoneAccountSettingsActivity.java
|
||||
index 71ae8cfa4..14321d0c6 100644
|
||||
--- a/src/com/android/phone/settings/PhoneAccountSettingsActivity.java
|
||||
+++ b/src/com/android/phone/settings/PhoneAccountSettingsActivity.java
|
||||
@@ -19,6 +19,7 @@ package com.android.phone.settings;
|
||||
import android.os.Bundle;
|
||||
import android.preference.PreferenceActivity;
|
||||
import android.view.MenuItem;
|
||||
+import android.view.WindowManager;
|
||||
|
||||
import com.android.phone.R;
|
||||
|
||||
@@ -27,7 +28,9 @@ public class PhoneAccountSettingsActivity extends PreferenceActivity {
|
||||
@Override
|
||||
protected void onCreate(Bundle icicle) {
|
||||
super.onCreate(icicle);
|
||||
-
|
||||
+ getWindow().addPrivateFlags(
|
||||
+ android.view.WindowManager.LayoutParams
|
||||
+ .PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
|
||||
getActionBar().setTitle(R.string.phone_accounts);
|
||||
getFragmentManager().beginTransaction().replace(
|
||||
android.R.id.content, new PhoneAccountSettingsFragment()).commit();
|
||||
diff --git a/src/com/android/phone/settings/VoicemailSettingsActivity.java b/src/com/android/phone/settings/VoicemailSettingsActivity.java
|
||||
index 04e8bf502..7c5dbf20c 100644
|
||||
--- a/src/com/android/phone/settings/VoicemailSettingsActivity.java
|
||||
+++ b/src/com/android/phone/settings/VoicemailSettingsActivity.java
|
||||
@@ -37,6 +37,7 @@ import android.text.TextDirectionHeuristics;
|
||||
import android.text.TextUtils;
|
||||
import android.util.Log;
|
||||
import android.view.MenuItem;
|
||||
+import android.view.WindowManager;
|
||||
import android.widget.ListAdapter;
|
||||
import android.widget.Toast;
|
||||
|
||||
@@ -207,6 +208,9 @@ public class VoicemailSettingsActivity extends PreferenceActivity
|
||||
@Override
|
||||
protected void onCreate(Bundle icicle) {
|
||||
super.onCreate(icicle);
|
||||
+ getWindow().addPrivateFlags(
|
||||
+ android.view.WindowManager.LayoutParams
|
||||
+ .PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
|
||||
// Make sure we are running as the primary user only
|
||||
UserManager userManager = getApplicationContext().getSystemService(UserManager.class);
|
||||
if (!userManager.isPrimaryUser()) {
|
||||
40
Patches/LineageOS-15.1/android_system_bt/347127.patch
Normal file
40
Patches/LineageOS-15.1/android_system_bt/347127.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Raghavender Reddy Bujala <c-bujalr@codeaurora.org>
|
||||
Date: Thu, 2 Dec 2021 16:04:19 +0530
|
||||
Subject: [PATCH] BT: Once AT command is retrieved, return from method.
|
||||
|
||||
- Observed SIGSEV issue in Defensics, when received
|
||||
buf is more than BTA_HF_CLIENT_AT_PARSER_MAX_LEN.
|
||||
|
||||
- Commented recover cut data, after AT command is
|
||||
retrieved because leftover data/buf is more than
|
||||
BTA_HF_CLIENT_AT_PARSER_MAX_LEN and leading to
|
||||
offset corruption.
|
||||
|
||||
CRs-Fixed: 3052411
|
||||
Change-Id: I6375d00eebfbf97ffc40456622a6d39e4388f4b2
|
||||
---
|
||||
bta/hf_client/bta_hf_client_at.cc | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/bta/hf_client/bta_hf_client_at.cc b/bta/hf_client/bta_hf_client_at.cc
|
||||
index 6c52edadc..dd3ea6846 100644
|
||||
--- a/bta/hf_client/bta_hf_client_at.cc
|
||||
+++ b/bta/hf_client/bta_hf_client_at.cc
|
||||
@@ -1615,9 +1615,13 @@ void bta_hf_client_at_parse(tBTA_HF_CLIENT_CB* client_cb, char* buf,
|
||||
bta_hf_client_at_parse_start(client_cb);
|
||||
bta_hf_client_at_clear_buf(client_cb);
|
||||
|
||||
- /* recover cut data */
|
||||
- memcpy(client_cb->at_cb.buf, tmp_buff, tmp);
|
||||
- client_cb->at_cb.offset += tmp;
|
||||
+ /* TODO: recover cut data */
|
||||
+ // memcpy(client_cb->at_cb.buf, tmp_buff, tmp);
|
||||
+ // client_cb->at_cb.offset += tmp;
|
||||
+ // Observed SIGSEV issue in Defensics, when received buf is more than
|
||||
+ // BTA_HF_CLIENT_AT_PARSER_MAX_LEN.
|
||||
+ // Assuming to return from here, Once AT command is retrieved.
|
||||
+ return;
|
||||
}
|
||||
|
||||
memcpy(client_cb->at_cb.buf + client_cb->at_cb.offset, buf, len);
|
||||
78
Patches/LineageOS-15.1/android_system_bt/347128.patch
Normal file
78
Patches/LineageOS-15.1/android_system_bt/347128.patch
Normal file
@ -0,0 +1,78 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Sagar Verma <quic_sagarv@quicinc.com>
|
||||
Date: Sun, 12 Jun 2022 00:05:07 +0530
|
||||
Subject: [PATCH] AVRC: Validating msg size before accessing fields
|
||||
|
||||
This change adds buffer length validation during the parsing of AVRCP
|
||||
browse commands.
|
||||
|
||||
Change-Id: I3a6c7a9ea2323a04ce5c5368eabfa940a8152cba
|
||||
---
|
||||
stack/avrc/avrc_pars_tg.cc | 19 +++++++++++++++++++
|
||||
1 file changed, 19 insertions(+)
|
||||
|
||||
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
|
||||
index 7042f4da7..38c0ca385 100644
|
||||
--- a/stack/avrc/avrc_pars_tg.cc
|
||||
+++ b/stack/avrc/avrc_pars_tg.cc
|
||||
@@ -407,6 +407,12 @@ tAVRC_STS AVRC_Ctrl_ParsCommand(tAVRC_MSG* p_msg, tAVRC_COMMAND* p_result) {
|
||||
return status;
|
||||
}
|
||||
|
||||
+#define RETURN_STATUS_IF_FALSE(_status_, _b_, _msg_, ...) \
|
||||
+ if (!(_b_)) { \
|
||||
+ AVRC_TRACE_DEBUG(_msg_, ##__VA_ARGS__); \
|
||||
+ return _status_; \
|
||||
+ }
|
||||
+
|
||||
/*******************************************************************************
|
||||
*
|
||||
* Function avrc_pars_browsing_cmd
|
||||
@@ -425,6 +431,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
|
||||
tAVRC_STS status = AVRC_STS_NO_ERROR;
|
||||
uint8_t* p = p_msg->p_browse_data;
|
||||
int count;
|
||||
+ uint16_t min_len = 3;
|
||||
|
||||
p_result->pdu = *p++;
|
||||
AVRC_TRACE_DEBUG("avrc_pars_browsing_cmd() pdu:0x%x", p_result->pdu);
|
||||
@@ -438,6 +445,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
|
||||
break;
|
||||
|
||||
case AVRC_PDU_GET_FOLDER_ITEMS: /* 0x71 */
|
||||
+ min_len += 10;
|
||||
STREAM_TO_UINT8(p_result->get_items.scope, p);
|
||||
// To be modified later here (Scope) when all browsing commands are
|
||||
// supported
|
||||
@@ -458,6 +466,11 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
|
||||
if (buf_len < (count << 2))
|
||||
p_result->get_items.attr_count = count = (buf_len >> 2);
|
||||
for (int idx = 0; idx < count; idx++) {
|
||||
+ min_len += 4;
|
||||
+ RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD,
|
||||
+ (p_msg->browse_len >= min_len),
|
||||
+ "msg too short");
|
||||
+
|
||||
BE_STREAM_TO_UINT32(p_result->get_items.p_attr_list[idx], p);
|
||||
}
|
||||
}
|
||||
@@ -474,6 +487,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
|
||||
break;
|
||||
|
||||
case AVRC_PDU_GET_ITEM_ATTRIBUTES: /* 0x73 */
|
||||
+ min_len += 12;
|
||||
BE_STREAM_TO_UINT8(p_result->get_attrs.scope, p);
|
||||
if (p_result->get_attrs.scope > AVRC_SCOPE_NOW_PLAYING) {
|
||||
status = AVRC_STS_BAD_SCOPE;
|
||||
@@ -490,6 +504,11 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg,
|
||||
p_result->get_attrs.attr_count = count = (buf_len >> 2);
|
||||
for (int idx = 0, count = 0; idx < p_result->get_attrs.attr_count;
|
||||
idx++) {
|
||||
+ min_len += 4;
|
||||
+ RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD,
|
||||
+ (p_msg->browse_len >= min_len),
|
||||
+ "msg too short");
|
||||
+
|
||||
BE_STREAM_TO_UINT32(p_result->get_attrs.p_attr_list[count], p);
|
||||
if (AVRC_IS_VALID_MEDIA_ATTRIBUTE(
|
||||
p_result->get_attrs.p_attr_list[count])) {
|
||||
@ -0,0 +1,31 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: George Chang <georgekgchang@google.com>
|
||||
Date: Wed, 5 Jun 2019 15:57:56 +0800
|
||||
Subject: [PATCH] Prevent OOB write in Mfc_Transceive
|
||||
|
||||
Bug: 132082342
|
||||
Test: Manual test/ Mifare Tag Read/Write
|
||||
Merged-In: I3e1977514ba924655d42be4782244c6ef1cf7619
|
||||
Change-Id: I3e1977514ba924655d42be4782244c6ef1cf7619
|
||||
(cherry picked from commit edda944f0d84216e57846ae9a6799a90b875b427)
|
||||
---
|
||||
nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
|
||||
index 34caef21..282ffc1a 100644
|
||||
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
|
||||
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
|
||||
@@ -1094,6 +1094,12 @@ NFCSTATUS Mfc_Transceive(uint8_t *p_data, uint32_t len)
|
||||
NFCSTATUS status = NFCSTATUS_FAILED;
|
||||
uint8_t i = 0x00;
|
||||
|
||||
+ if( len == 0 )
|
||||
+ {
|
||||
+ android_errorWriteLog(0x534e4554, "132082342");
|
||||
+ return status;
|
||||
+ }
|
||||
+
|
||||
gphNxpExtns_Context.RawWriteCallBack = false;
|
||||
gphNxpExtns_Context.CallBackMifare = NULL;
|
||||
gphNxpExtns_Context.CallBackCtxt = NdefMap;
|
||||
@ -0,0 +1,31 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alisher Alikhodjaev <alisher@google.com>
|
||||
Date: Wed, 26 Oct 2022 14:03:48 -0700
|
||||
Subject: [PATCH] DO NOT MERGE OOBW in Mfc_Transceive()
|
||||
|
||||
Bug: 241387741
|
||||
Test: build ok
|
||||
Change-Id: Idf45b940ac21eeb4cf09c222988bfce22b0bef55
|
||||
(cherry picked from commit f5f24d0ea2bcc33f18915c4c7369f803c45e53b0)
|
||||
Merged-In: Idf45b940ac21eeb4cf09c222988bfce22b0bef55
|
||||
---
|
||||
nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
|
||||
index 282ffc1a..8e9399ef 100644
|
||||
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
|
||||
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
|
||||
@@ -1100,6 +1100,12 @@ NFCSTATUS Mfc_Transceive(uint8_t *p_data, uint32_t len)
|
||||
return status;
|
||||
}
|
||||
|
||||
+ if (len > (MAX_BUFF_SIZE * 2))
|
||||
+ {
|
||||
+ android_errorWriteLog(0x534e4554, "241387741");
|
||||
+ return status;
|
||||
+ }
|
||||
+
|
||||
gphNxpExtns_Context.RawWriteCallBack = false;
|
||||
gphNxpExtns_Context.CallBackMifare = NULL;
|
||||
gphNxpExtns_Context.CallBackCtxt = NdefMap;
|
||||
@ -73,7 +73,7 @@ applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys t
|
||||
applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
|
||||
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
||||
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
||||
sed -i 's/2021-10-05/2022-12-05/' core/version_defaults.mk; #Bump Security String #XXX
|
||||
sed -i 's/2021-10-05/2023-01-05/' core/version_defaults.mk; #Bump Security String #XXX
|
||||
fi;
|
||||
|
||||
if enterAndClear "build/soong"; then
|
||||
@ -157,6 +157,13 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/345898-backport.patch"; #P_asb_
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/345520.patch"; #n-asb-2022-12 Ignore malformed shortcuts
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/345901.patch"; #P_asb_2022-12 Fix permanent denial of service via setComponentEnabledSetting
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/345902-backport.patch"; #P_asb_2022-12 Add safety checks on KEY_INTENT mismatch.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/347044.patch"; #P_asb_2023-01 Limit lengths of fields in Condition to a max length.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/346949.patch"; #n-asb-2023-01 Disable all A11yServices from an uninstalled package.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/347046.patch"; #P_asb_2023-01 Fix conditionId string trimming in AutomaticZenRule
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/347047-backport.patch"; #P_asb_2023-01 [SettingsProvider] mem limit should be checked before settings are updated
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/347048-backport.patch"; #P_asb_2023-01 Revert "Revert "RESTRICT AUTOMERGE Validate permission tree size..." #XXX: uncertain backport
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/347049-backport.patch"; #P_asb_2023-01 [SettingsProvider] key size limit for mutating settings
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/347051-backport.patch"; #P_asb_2023-01 Add protections agains use-after-free issues if cancel() or queue() is called after a device connection has been closed.
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
|
||||
@ -276,6 +283,7 @@ fi;
|
||||
if enterAndClear "packages/apps/Nfc"; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/328346.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332455-backport.patch"; #n-asb-2022-06 OOB read in phNciNfc_RecvMfResp()
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/346953-backport.patch"; #n-asb-2023-01 OOBW in Mfc_Transceive()
|
||||
fi;
|
||||
|
||||
if enterAndClear "packages/apps/Settings"; then
|
||||
@ -338,9 +346,11 @@ if enterAndClear "packages/services/Telecomm"; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332764.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
|
||||
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/344183.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
|
||||
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/345913.patch"; #P_asb_2022-12 Hide overlay windows when showing phone account enable/disable screen.
|
||||
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/347042.patch"; #P_asb_2023-01 Fix security vulnerability when register phone accounts.
|
||||
fi;
|
||||
|
||||
if enterAndClear "packages/services/Telephony"; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/347041-backport.patch"; #P_asb_2023-01 Prevent overlays on the phone settings
|
||||
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_All_Modes.patch"; #(DivestOS)
|
||||
applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
|
||||
fi;
|
||||
@ -362,6 +372,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/345915.patch"; #P_asb_2022-12 Added m
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/345916.patch"; #P_asb_2022-12 Add missing increment in bnep_api.cc
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/345917.patch"; #P_asb_2022-12 Add length check when copy AVDT and AVCT packet
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/345918.patch"; #P_asb_2022-12 Fix integer overflow when parsing avrc response
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/347127.patch"; #P_asb_2023-01 Once AT command is retrieved, return from method.
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/347128.patch"; #P_asb_2023-01 AVRC: Validating msg size before accessing fields
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/core"; then
|
||||
@ -388,15 +400,17 @@ if enterAndClear "system/vold"; then
|
||||
applyPatch "$DOS_PATCHES/android_system_vold/0001-AES256.patch"; #Add a variable for enabling AES-256 bit encryption (DivestOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "vendor/nxp/opensource/external/libnfc-nci"; then
|
||||
if enterAndClear "vendor/nxp/opensource/external/libnfc-nci"; then #keep in sync with system/nfc
|
||||
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
|
||||
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332458-backport.patch"; #n-asb-2022-06 Out of Bounds Read in nfa_dm_check_set_config
|
||||
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch"; #n-asb-2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
|
||||
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/344190-backport.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
|
||||
fi;
|
||||
|
||||
if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then
|
||||
if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then #keep in sync with packages/apps/Nfc
|
||||
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/252808-backport.patch"; #n-asb-2019-08 Prevent OOB write in Mfc_Transceive
|
||||
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/328348-backport.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction
|
||||
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/346953-backport.patch"; #n-asb-2023-01 OOBW in Mfc_Transceive()
|
||||
fi;
|
||||
|
||||
if enterAndClear "vendor/lineage"; then
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user