17.1: February ASB work

Signed-off-by: Tavi <tavi@divested.dev>
Tavi 2024-02-08 20:17:09 -05:00
parent fa044409c0
commit b42fd1ab93
14 changed files with 1065 additions and 28 deletions


@ -0,0 +1,35 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ashish Kumar Gupta <kumarashishg@google.com>
Date: Tue, 21 Nov 2023 08:48:43 +0530
Subject: [PATCH] Update mtp packet buffer
Currently, the buffer size is not changed when the packet size is increased. Ideally, the buffer size should be larger than the packet size. In our case, when the packet size is increased, we must reallocate the buffer of MTP packet.
Bug: 300007708
Test: build and flash the device. Check MTP works
Test: run fuzzer locally
(cherry picked from commit e1494a2d8e7eee25d7ea5469be43740e97294c99)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c0f99beb6fa5ff920caf5b0d06aaebc8e9eab24)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:edf60c63243903b9f27f58f4954c599470d011fd)
Merged-In: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
Change-Id: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
---
media/mtp/MtpPacket.cpp | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/media/mtp/MtpPacket.cpp b/media/mtp/MtpPacket.cpp
index e4467bbfdc..87c5c0495b 100644
--- a/media/mtp/MtpPacket.cpp
+++ b/media/mtp/MtpPacket.cpp
@@ -168,8 +168,10 @@ void MtpPacket::setParameter(int index, uint32_t value) {
return;
}
int offset = MTP_CONTAINER_PARAMETER_OFFSET + (index - 1) * sizeof(uint32_t);
- if (mPacketSize < offset + sizeof(uint32_t))
+ if (mPacketSize < offset + sizeof(uint32_t)) {
mPacketSize = offset + sizeof(uint32_t);
+ allocate(mPacketSize);
+ }
putUInt32(offset, value);
}
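Review bot: The added `allocate(mPacketSize);` is only correct if allocate() grows the existing buffer in place and preserves the bytes already written below the old size, since the header and any earlier parameters are already in the packet; the hunk does not show allocate(), so that dependency should be stated at the call site, e.g. `// allocate() must preserve existing contents: header and earlier parameters are already in the buffer`. mPacketSize is also bumped before the allocation runs, so if allocate() can fail the packet size would overstate the backing buffer and putUInt32() on the next line would write past it; either a documented invariant that allocate() cannot fail or a guard before putUInt32() closes that gap. setParameter() begins before the hunk, so the earlier validation of index is not visible here.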


@ -10,7 +10,7 @@ requiring the READ_PHONE_STATE permission.
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 41b1ddaf887b..78bdde0c5ef9 100644
index 98d7cecd81ca..ad536de06e66 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -5025,12 +5025,7 @@ public class ActivityManagerService extends IActivityManager.Stub


@ -1,4 +1,4 @@
From a1e8ab5e0dbb34361cbd548abac2f8cf980faab9 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jing Ji <jji@google.com>
Date: Thu, 19 Oct 2023 14:22:58 -0700
Subject: [PATCH] DO NOT MERGE: Fix ActivityManager#killBackgroundProcesses
@ -18,33 +18,10 @@ Change-Id: I9471a77188ee63ec32cd0c81569193e4ccad885b
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 5a12cdaae56c..9a9c05060a4c 100644
index 41b1ddaf887b..98d7cecd81ca 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -3690,6 +3690,22 @@ public void killAllBackgroundProcesses() {
throw new SecurityException(msg);
}
+ final int callingUid = Binder.getCallingUid();
+ final int callingPid = Binder.getCallingPid();
+
+ ProcessRecord proc;
+ synchronized (mPidsSelfLocked) {
+ proc = mPidsSelfLocked.get(callingPid);
+ }
+ if (callingUid >= FIRST_APPLICATION_UID
+ && (proc == null || !proc.info.isSystemApp())) {
+ final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
+ + callingPid + ", uid=" + callingUid + " is not allowed";
+ Slog.w(TAG, msg);
+ // Silently return to avoid existing apps from crashing.
+ return;
+ }
+
final long callingId = Binder.clearCallingIdentity();
try {
synchronized (this) {
@@ -3730,22 +3746,6 @@ void killAllBackgroundProcessesExcept(int minTargetSdk, int maxProcState) {
@@ -4217,22 +4217,6 @@ public class ActivityManagerService extends IActivityManager.Stub
throw new SecurityException(msg);
}
@ -67,3 +44,26 @@ index 5a12cdaae56c..9a9c05060a4c 100644
final long callingId = Binder.clearCallingIdentity();
try {
synchronized (this) {
@@ -4268,6 +4252,22 @@ public class ActivityManagerService extends IActivityManager.Stub
throw new SecurityException(msg);
}
+ final int callingUid = Binder.getCallingUid();
+ final int callingPid = Binder.getCallingPid();
+
+ ProcessRecord proc;
+ synchronized (mPidsSelfLocked) {
+ proc = mPidsSelfLocked.get(callingPid);
+ }
+ if (callingUid >= FIRST_APPLICATION_UID
+ && (proc == null || !proc.info.isSystemApp())) {
+ final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
+ + callingPid + ", uid=" + callingUid + " is not allowed";
+ Slog.w(TAG, msg);
+ // Silently return to avoid existing apps from crashing.
+ return;
+ }
+
final long callingId = Binder.clearCallingIdentity();
try {
synchronized (this) {
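Review bot: The rebased hunk header `@@ -4268,6 +4252,22 @@ public class ActivityManagerService` no longer names the enclosing method, while the denial message it inserts hard-codes `killAllBackgroundProcesses()`; the version this replaces sat under a header that did name killAllBackgroundProcesses(), so it is worth confirming the string still matches the method the hunk now lands in, and a comment above the check such as `// Only system apps, or callers below FIRST_APPLICATION_UID, may kill all background processes; deny silently so existing apps do not crash` keeps the intent legible without the header. The same sixteen-line caller check appears twice in this patch (here and in the hunk at 4217, which this page shows only in part), so a private boolean helper taking the calling uid and pid would keep the two copies from drifting. The enclosing methods of both hunks begin outside the shown lines.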


@ -0,0 +1,240 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nan Wu <wnan@google.com>
Date: Fri, 2 Dec 2022 19:08:54 +0000
Subject: [PATCH] DO NOT MERGE Disallow Wallpaper service to launch activity
from background.
Add a flag so that when a foreground client binds to a service,
disallow the bound service to launch activity from background.
Modify the WallpaperManagerService to take advantage of the new flag.
Test: atest BackgroundActivityLaunchTest WallpaperManagerServiceTests
Bug: 261072174
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4c065abfaf59bdc237f65ceb9704d76bf0819d3a)
Merged-In: Id4e4cb6144597cf3638f2aaa34ea455a239fa1a7
Change-Id: Id4e4cb6144597cf3638f2aaa34ea455a239fa1a7
---
core/java/android/content/Context.java | 9 +++++
.../server/activitymanagerservice.proto | 1 +
.../android/server/am/ConnectionRecord.java | 5 +++
.../com/android/server/am/ProcessRecord.java | 20 ++++++-----
.../com/android/server/am/ServiceRecord.java | 2 +-
.../wallpaper/WallpaperManagerService.java | 3 +-
.../server/wm/WindowProcessController.java | 36 ++++++++++++++++---
7 files changed, 61 insertions(+), 15 deletions(-)
diff --git a/core/java/android/content/Context.java b/core/java/android/content/Context.java
index 414cc39f5310..6fb10c1c277c 100644
--- a/core/java/android/content/Context.java
+++ b/core/java/android/content/Context.java
@@ -236,6 +236,7 @@ public abstract class Context {
BIND_IMPORTANT,
BIND_ADJUST_WITH_ACTIVITY,
BIND_NOT_PERCEPTIBLE,
+ BIND_DENY_ACTIVITY_STARTS,
BIND_INCLUDE_CAPABILITIES
})
@Retention(RetentionPolicy.SOURCE)
@@ -349,6 +350,14 @@ public abstract class Context {
/*********** Public flags above this line ***********/
/*********** Hidden flags below this line ***********/
+ /**
+ * Flag for {@link #bindService}: If binding from an app that is visible, the bound service is
+ * allowed to start an activity from background. Add a flag so that this behavior can be opted
+ * out.
+ * @hide
+ */
+ public static final int BIND_DENY_ACTIVITY_STARTS = 0X000004000;
+
/**
* Flag for {@link #bindService}: This flag is intended to be used only by the system to adjust
* the scheduling policy for IMEs (and any other out-of-process user-visible components that
diff --git a/core/proto/android/server/activitymanagerservice.proto b/core/proto/android/server/activitymanagerservice.proto
index 7fb6f98ab662..55c5705fe0f6 100644
--- a/core/proto/android/server/activitymanagerservice.proto
+++ b/core/proto/android/server/activitymanagerservice.proto
@@ -593,6 +593,7 @@ message ConnectionRecordProto {
DEAD = 15;
NOT_PERCEPTIBLE = 16;
INCLUDE_CAPABILITIES = 17;
+ DENY_ACTIVITY_STARTS = 18;
}
repeated Flag flags = 3;
optional string service_name = 4;
diff --git a/services/core/java/com/android/server/am/ConnectionRecord.java b/services/core/java/com/android/server/am/ConnectionRecord.java
index 459508486384..0b8b55cfdcc2 100644
--- a/services/core/java/com/android/server/am/ConnectionRecord.java
+++ b/services/core/java/com/android/server/am/ConnectionRecord.java
@@ -67,6 +67,7 @@ final class ConnectionRecord {
Context.BIND_NOT_VISIBLE,
Context.BIND_NOT_PERCEPTIBLE,
Context.BIND_INCLUDE_CAPABILITIES,
+ Context.BIND_DENY_ACTIVITY_STARTS,
};
private static final int[] BIND_PROTO_ENUMS = new int[] {
ConnectionRecordProto.AUTO_CREATE,
@@ -86,6 +87,7 @@ final class ConnectionRecord {
ConnectionRecordProto.NOT_VISIBLE,
ConnectionRecordProto.NOT_PERCEPTIBLE,
ConnectionRecordProto.INCLUDE_CAPABILITIES,
+ ConnectionRecordProto.DENY_ACTIVITY_STARTS,
};
void dump(PrintWriter pw, String prefix) {
@@ -219,6 +221,9 @@ final class ConnectionRecord {
if ((flags & Context.BIND_NOT_PERCEPTIBLE) != 0) {
sb.append("!PRCP ");
}
+ if ((flags & Context.BIND_DENY_ACTIVITY_STARTS) != 0) {
+ sb.append("BALFD ");
+ }
if ((flags & Context.BIND_INCLUDE_CAPABILITIES) != 0) {
sb.append("CAPS ");
}
diff --git a/services/core/java/com/android/server/am/ProcessRecord.java b/services/core/java/com/android/server/am/ProcessRecord.java
index ea3084274ae0..6f8d9a1ef228 100644
--- a/services/core/java/com/android/server/am/ProcessRecord.java
+++ b/services/core/java/com/android/server/am/ProcessRecord.java
@@ -1187,14 +1187,14 @@ class ProcessRecord implements WindowProcessListener {
!mAllowBackgroundActivityStartsTokens.isEmpty());
}
- void addBoundClientUid(int clientUid) {
+ void addBoundClientUid(int clientUid, String clientPackageName, int bindFlags) {
mBoundClientUids.add(clientUid);
- mWindowProcessController.setBoundClientUids(mBoundClientUids);
+ mWindowProcessController.addBoundClientUid(clientUid, clientPackageName, bindFlags);
}
void updateBoundClientUids() {
+ clearBoundClientUids();
if (services.isEmpty()) {
- clearBoundClientUids();
return;
}
// grab a set of clientUids of all connections of all services
@@ -1207,12 +1207,14 @@ class ProcessRecord implements WindowProcessListener {
for (int conni = 0; conni < N; conni++) {
ArrayList<ConnectionRecord> c = conns.valueAt(conni);
for (int i = 0; i < c.size(); i++) {
- boundClientUids.add(c.get(i).clientUid);
+ ConnectionRecord cr = c.get(i);
+ boundClientUids.add(cr.clientUid);
+ mWindowProcessController
+ .addBoundClientUid(cr.clientUid, cr.clientPackageName, cr.flags);
}
}
}
mBoundClientUids = boundClientUids;
- mWindowProcessController.setBoundClientUids(mBoundClientUids);
}
void addBoundClientUidsOfNewService(ServiceRecord sr) {
@@ -1223,15 +1225,17 @@ class ProcessRecord implements WindowProcessListener {
for (int conni = conns.size() - 1; conni >= 0; conni--) {
ArrayList<ConnectionRecord> c = conns.valueAt(conni);
for (int i = 0; i < c.size(); i++) {
- mBoundClientUids.add(c.get(i).clientUid);
+ ConnectionRecord cr = c.get(i);
+ mBoundClientUids.add(cr.clientUid);
+ mWindowProcessController
+ .addBoundClientUid(cr.clientUid, cr.clientPackageName, cr.flags);
}
}
- mWindowProcessController.setBoundClientUids(mBoundClientUids);
}
void clearBoundClientUids() {
mBoundClientUids.clear();
- mWindowProcessController.setBoundClientUids(mBoundClientUids);
+ mWindowProcessController.clearBoundClientUids();
}
void setActiveInstrumentation(ActiveInstrumentation instr) {
diff --git a/services/core/java/com/android/server/am/ServiceRecord.java b/services/core/java/com/android/server/am/ServiceRecord.java
index c408695bcb66..8262b9a334bf 100644
--- a/services/core/java/com/android/server/am/ServiceRecord.java
+++ b/services/core/java/com/android/server/am/ServiceRecord.java
@@ -611,7 +611,7 @@ final class ServiceRecord extends Binder implements ComponentName.WithComponentN
// if we have a process attached, add bound client uid of this connection to it
if (app != null) {
- app.addBoundClientUid(c.clientUid);
+ app.addBoundClientUid(c.clientUid, c.clientPackageName, c.flags);
}
}
diff --git a/services/core/java/com/android/server/wallpaper/WallpaperManagerService.java b/services/core/java/com/android/server/wallpaper/WallpaperManagerService.java
index 37ae3340d319..ec7414bbf768 100644
--- a/services/core/java/com/android/server/wallpaper/WallpaperManagerService.java
+++ b/services/core/java/com/android/server/wallpaper/WallpaperManagerService.java
@@ -2713,7 +2713,8 @@ public class WallpaperManagerService extends IWallpaperManager.Stub
if (!mContext.bindServiceAsUser(intent, newConn,
Context.BIND_AUTO_CREATE | Context.BIND_SHOWING_UI
| Context.BIND_FOREGROUND_SERVICE_WHILE_AWAKE
- | Context.BIND_INCLUDE_CAPABILITIES,
+ | Context.BIND_INCLUDE_CAPABILITIES
+ | Context.BIND_DENY_ACTIVITY_STARTS,
new UserHandle(serviceUserId))) {
String msg = "Unable to bind service: "
+ componentName;
diff --git a/services/core/java/com/android/server/wm/WindowProcessController.java b/services/core/java/com/android/server/wm/WindowProcessController.java
index e0a9af543f99..39962216483c 100644
--- a/services/core/java/com/android/server/wm/WindowProcessController.java
+++ b/services/core/java/com/android/server/wm/WindowProcessController.java
@@ -44,6 +44,7 @@ import android.app.ActivityThread;
import android.app.IApplicationThread;
import android.app.ProfilerInfo;
import android.app.servertransaction.ConfigurationChangeItem;
+import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.ApplicationInfo;
@@ -436,16 +437,41 @@ public class WindowProcessController extends ConfigurationContainer<Configuratio
}
private boolean isBoundByForegroundUid() {
- for (int i = mBoundClientUids.size() - 1; i >= 0; --i) {
- if (mAtm.isUidForeground(mBoundClientUids.valueAt(i))) {
- return true;
+ synchronized (this) {
+ if (mBoundClientUids != null) {
+ for (int i = mBoundClientUids.size() - 1; i >= 0; --i) {
+ if (mAtm.isUidForeground(mBoundClientUids.valueAt(i))) {
+ return true;
+ }
+ }
}
}
return false;
}
- public void setBoundClientUids(ArraySet<Integer> boundClientUids) {
- mBoundClientUids = boundClientUids;
+ /**
+ * Clear all bound client Uids.
+ */
+ public void clearBoundClientUids() {
+ synchronized (this) {
+ if (mBoundClientUids == null) {
+ mBoundClientUids = new ArraySet<>();
+ } else {
+ mBoundClientUids.clear();
+ }
+ }
+ }
+
+ /**
+ * Add bound client Uid.
+ */
+ public void addBoundClientUid(int clientUid, String clientPackageName, int bindFlags) {
+ if ((bindFlags & Context.BIND_DENY_ACTIVITY_STARTS) == 0) {
+ if (mBoundClientUids == null) {
+ mBoundClientUids = new ArraySet<>();
+ }
+ mBoundClientUids.add(clientUid);
+ }
}
public void setInstrumenting(boolean instrumenting,
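Review bot: `addBoundClientUid()` in the last hunk of WindowProcessController.java reads and writes `mBoundClientUids` with no lock, while the same hunk wraps the reads in `isBoundByForegroundUid()` and the clear in `clearBoundClientUids()` in `synchronized (this)`, so the lazy `new ArraySet<>()` and the `add()` can interleave with a concurrent clear; wrap the null-check and the add in `synchronized (this) { ... }` like the sibling methods. The `clientPackageName` parameter of that method is accepted but never used in its body, which deserves either a use or a comment saying it is carried for the ConnectionRecord call sites. The new constant `BIND_DENY_ACTIVITY_STARTS = 0X000004000` in Context.java would read more clearly as `0x00004000`; the neighbouring BIND_ constants are not visible here, so match whatever case and width they use.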


@ -0,0 +1,110 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabi=C3=A1n=20Kozynski?= <kozynski@google.com>
Date: Fri, 13 Oct 2023 16:19:27 -0400
Subject: [PATCH] Unbind TileService onNullBinding
Test: atest TileLifecycleManagerTest
Test: manual: adb shell dumpsys activity service
Test: sts test
Bug: 300903792
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bf830ca0df71496cd47563e138b8712918e0476)
Merged-In: Ia8126ac65432b124683960e3ebf47301ba6172a1
Change-Id: Ia8126ac65432b124683960e3ebf47301ba6172a1
---
.../qs/external/TileLifecycleManager.java | 5 +++
.../qs/external/TileLifecycleManagerTest.java | 33 ++++++++++++++++---
2 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
index effea6a877b8..270b7dd9d936 100644
--- a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
+++ b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
@@ -194,6 +194,11 @@ public class TileLifecycleManager extends BroadcastReceiver implements
handlePendingMessages();
}
+ @Override
+ public void onNullBinding(ComponentName name) {
+ setBindService(false);
+ }
+
@Override
public void onServiceDisconnected(ComponentName name) {
if (DEBUG) Log.d(TAG, "onServiceDisconnected " + name);
diff --git a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
index f35295cf6f99..329af0f1fb57 100644
--- a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
+++ b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
@@ -22,13 +22,16 @@ import static org.junit.Assert.assertEquals;
import static org.mockito.Mockito.any;
import static org.mockito.Mockito.anyInt;
import static org.mockito.Mockito.anyString;
+import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import android.content.ComponentName;
+import android.content.Context;
import android.content.Intent;
+import android.content.ServiceConnection;
import android.content.pm.PackageInfo;
import android.content.pm.ServiceInfo;
import android.net.Uri;
@@ -50,7 +53,7 @@ import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
-import org.mockito.Mockito;
+import org.mockito.ArgumentCaptor;
@SmallTest
@RunWith(AndroidJUnit4.class)
@@ -58,8 +61,8 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
private static final int TEST_FAIL_TIMEOUT = 5000;
private final PackageManagerAdapter mMockPackageManagerAdapter =
- Mockito.mock(PackageManagerAdapter.class);
- private final IQSTileService.Stub mMockTileService = Mockito.mock(IQSTileService.Stub.class);
+ mock(PackageManagerAdapter.class);
+ private final IQSTileService.Stub mMockTileService = mock(IQSTileService.Stub.class);
private ComponentName mTileServiceComponentName;
private Intent mTileServiceIntent;
private UserHandle mUser;
@@ -84,7 +87,7 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
mThread.start();
mHandler = Handler.createAsync(mThread.getLooper());
mStateManager = new TileLifecycleManager(mHandler, mContext,
- Mockito.mock(IQSService.class), new Tile(),
+ mock(IQSService.class), new Tile(),
mTileServiceIntent,
mUser,
mMockPackageManagerAdapter);
@@ -237,4 +240,26 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
verifyBind(2);
verify(mMockTileService, times(2)).onStartListening();
}
+
+ @Test
+ public void testNullBindingCallsUnbind() {
+ Context mockContext = mock(Context.class);
+ // Binding has to succeed
+ when(mockContext.bindServiceAsUser(any(), any(), anyInt(), any())).thenReturn(true);
+ TileLifecycleManager manager = new TileLifecycleManager(mHandler, mockContext,
+ mock(IQSService.class),
+ new Tile(),
+ mTileServiceIntent,
+ mUser,
+ mMockPackageManagerAdapter,
+ mMockBroadcastDispatcher);
+
+ manager.setBindService(true);
+
+ ArgumentCaptor<ServiceConnection> captor = ArgumentCaptor.forClass(ServiceConnection.class);
+ verify(mockContext).bindServiceAsUser(any(), captor.capture(), anyInt(), any());
+
+ captor.getValue().onNullBinding(mTileServiceComponentName);
+ verify(mockContext).unbindService(captor.getValue());
+ }
}
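Review bot: The new test `testNullBindingCallsUnbind` constructs TileLifecycleManager with eight arguments ending in `mMockBroadcastDispatcher`, while the existing setUp in the same file (the hunk at line 87) passes seven and ends with `mMockPackageManagerAdapter`; unless this tree's constructor has an overload taking a broadcast dispatcher, the cherry-picked test will not compile and the extra argument should be dropped to match setUp. In TileLifecycleManager itself the new `onNullBinding` override calls `setBindService(false)` with no log line, unlike `onServiceDisconnected` directly below it; for parity add `if (DEBUG) Log.d(TAG, "onNullBinding " + name);` and a short why-comment such as `// onBind() returned null: release the binding instead of holding it open`, which is the behaviour the new test pins via unbindService().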


@ -0,0 +1,78 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christophe Pinelli <cpinelli@google.com>
Date: Tue, 16 May 2023 17:40:02 +0000
Subject: [PATCH] Restrict activity launch when caller is running in the
background
Test: test on device + atest-src BackgroundActivityLaunchTest#testBackgroundActivityBlockedInStartNextMatchingActivity
Bug: 230492947
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d8368be4f8fb7019ea24b4798f029301c704092c)
Merged-In: I7ae88eb62e435b9a77d2a724c5a953fe1f35b838
Change-Id: I7ae88eb62e435b9a77d2a724c5a953fe1f35b838
---
.../server/wm/ActivityTaskManagerService.java | 51 +++++++++++--------
1 file changed, 30 insertions(+), 21 deletions(-)
diff --git a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java
index 5bcc5975604a..7384ca7173d3 100644
--- a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java
+++ b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java
@@ -1194,28 +1194,37 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub {
final long origId = Binder.clearCallingIdentity();
// TODO(b/64750076): Check if calling pid should really be -1.
- final int res = getActivityStartController()
- .obtainStarter(intent, "startNextMatchingActivity")
- .setCaller(r.app.getThread())
- .setResolvedType(r.resolvedType)
- .setActivityInfo(aInfo)
- .setResultTo(resultTo != null ? resultTo.appToken : null)
- .setResultWho(resultWho)
- .setRequestCode(requestCode)
- .setCallingPid(-1)
- .setCallingUid(r.launchedFromUid)
- .setCallingPackage(r.launchedFromPackage)
- .setRealCallingPid(-1)
- .setRealCallingUid(r.launchedFromUid)
- .setActivityOptions(options)
- .execute();
- Binder.restoreCallingIdentity(origId);
-
- r.finishing = wasFinishing;
- if (res != ActivityManager.START_SUCCESS) {
- return false;
+ try {
+ if (options == null) {
+ options = new SafeActivityOptions(ActivityOptions.makeBasic());
+ }
+ // Fixes b/230492947
+ // Prevents background activity launch through #startNextMatchingActivity
+ // An activity going into the background could still go back to the foreground
+ // if the intent used matches both:
+ // - the activity in the background
+ // - a second activity.
+ options.getOptions(r).setAvoidMoveToFront();
+ final int res = getActivityStartController()
+ .obtainStarter(intent, "startNextMatchingActivity")
+ .setCaller(r.app.getThread())
+ .setResolvedType(r.resolvedType)
+ .setActivityInfo(aInfo)
+ .setResultTo(resultTo != null ? resultTo.appToken : null)
+ .setResultWho(resultWho)
+ .setRequestCode(requestCode)
+ .setCallingPid(-1)
+ .setCallingUid(r.launchedFromUid)
+ .setCallingPackage(r.launchedFromPackage)
+ .setRealCallingPid(-1)
+ .setRealCallingUid(r.launchedFromUid)
+ .setActivityOptions(options)
+ .execute();
+ r.finishing = wasFinishing;
+ return res == ActivityManager.START_SUCCESS;
+ } finally {
+ Binder.restoreCallingIdentity(origId);
}
- return true;
}
}
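Review bot: `r.finishing = wasFinishing;` is restored inside the try body just before the return, so if `execute()` throws, the new `finally` restores the calling identity but `r.finishing` keeps whatever value was set before the hunk; moving the assignment into the finally block, `} finally { r.finishing = wasFinishing; Binder.restoreCallingIdentity(origId); }`, makes the two restorations symmetric. The fix relies on `options.getOptions(r).setAvoidMoveToFront()` mutating the same ActivityOptions instance that `setActivityOptions(options).execute()` later consumes, which the hunk cannot show; confirm getOptions() does not hand back a merged copy, since the flag would otherwise be silently lost. startNextMatchingActivity() begins before the hunk, where `wasFinishing` and `r` are established.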


@ -0,0 +1,222 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Valentin Iftime <valiiftime@google.com>
Date: Wed, 8 Nov 2023 11:01:32 +0100
Subject: [PATCH] Enforce persisted snoozed notifications limits
Prevent DoS attack that causes boot-looping by serializing a huge amount of snoozed notifications:
- Check snooze limits for persisted notifications
- Remove persisted group summary notification when in-memory counterpart is removed
- Prevent unpriviledged API calls that allow 3P apps to snooze notifications with context/criterion
Test: atest SnoozeHelperTest
Test: atest NotificationManagerServiceTest
Bug: 307948424
Bug: 308414141
(cherry picked from commit 965ff2d3c5487f72a77f6153ed8542cb2621d93c)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:87c11b6df3d6ba696a8978a01ef5d66aeab45c8f)
Merged-In: I3571fa9207b778def652130d3ca840183a9a8414
Change-Id: I3571fa9207b778def652130d3ca840183a9a8414
---
.../server/notification/SnoozeHelper.java | 22 +++-
.../server/notification/SnoozeHelperTest.java | 105 +++++++++++++++++-
2 files changed, 124 insertions(+), 3 deletions(-)
diff --git a/services/core/java/com/android/server/notification/SnoozeHelper.java b/services/core/java/com/android/server/notification/SnoozeHelper.java
index 4a6648f74194..2341a055580a 100644
--- a/services/core/java/com/android/server/notification/SnoozeHelper.java
+++ b/services/core/java/com/android/server/notification/SnoozeHelper.java
@@ -94,12 +94,27 @@ public class SnoozeHelper {
}
protected boolean canSnooze(int numberToSnooze) {
- if ((mPackages.size() + numberToSnooze) > CONCURRENT_SNOOZE_LIMIT) {
+ if ((mPackages.size() + numberToSnooze) > CONCURRENT_SNOOZE_LIMIT
+ || (countPersistedNotificationsLocked() + numberToSnooze)
+ > CONCURRENT_SNOOZE_LIMIT) {
return false;
}
return true;
}
+ private int countPersistedNotificationsLocked() {
+ int numNotifications = 0;
+ for (ArrayMap<String, String> persistedWithContext :
+ mPersistedSnoozedNotificationsWithContext.values()) {
+ numNotifications += persistedWithContext.size();
+ }
+ for (ArrayMap<String, Long> persistedWithDuration :
+ mPersistedSnoozedNotifications.values()) {
+ numNotifications += persistedWithDuration.size();
+ }
+ return numNotifications;
+ }
+
protected boolean isSnoozed(int userId, String pkg, String key) {
return mSnoozedNotifications.containsKey(userId)
&& mSnoozedNotifications.get(userId).containsKey(pkg)
@@ -300,6 +315,11 @@ public class SnoozeHelper {
mPackages.remove(groupSummaryKey);
mUsers.remove(groupSummaryKey);
+ final String trimmedKey = getTrimmedString(groupSummaryKey);
+ removeRecordLocked(pkg, trimmedKey, userId, mPersistedSnoozedNotifications);
+ removeRecordLocked(pkg, trimmedKey, userId,
+ mPersistedSnoozedNotificationsWithContext);
+
if (record != null && !record.isCanceled) {
MetricsLogger.action(record.getLogMaker()
.setCategory(MetricsProto.MetricsEvent.NOTIFICATION_SNOOZED)
diff --git a/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java b/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java
index 6772c7df0aa1..0d5e1347a56a 100644
--- a/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java
+++ b/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java
@@ -17,6 +17,8 @@ package com.android.server.notification;
import static com.android.server.notification.SnoozeHelper.CONCURRENT_SNOOZE_LIMIT;
+import static com.google.common.truth.Truth.assertThat;
+
import static junit.framework.Assert.assertEquals;
import static junit.framework.Assert.assertFalse;
import static junit.framework.Assert.assertTrue;
@@ -57,6 +59,16 @@ import org.mockito.MockitoAnnotations;
public class SnoozeHelperTest extends UiServiceTestCase {
private static final String TEST_CHANNEL_ID = "test_channel_id";
+ private static final String XML_TAG_NAME = "snoozed-notifications";
+ private static final String XML_SNOOZED_NOTIFICATION = "notification";
+ private static final String XML_SNOOZED_NOTIFICATION_CONTEXT = "context";
+ private static final String XML_SNOOZED_NOTIFICATION_KEY = "key";
+ private static final String XML_SNOOZED_NOTIFICATION_TIME = "time";
+ private static final String XML_SNOOZED_NOTIFICATION_CONTEXT_ID = "id";
+ private static final String XML_SNOOZED_NOTIFICATION_VERSION_LABEL = "version";
+ private static final String XML_SNOOZED_NOTIFICATION_PKG = "pkg";
+ private static final String XML_SNOOZED_NOTIFICATION_USER_ID = "user-id";
+
@Mock SnoozeHelper.Callback mCallback;
@Mock AlarmManager mAm;
@Mock ManagedServices.UserProfiles mUserProfiles;
@@ -121,6 +133,57 @@ public class SnoozeHelperTest extends UiServiceTestCase {
assertFalse(mSnoozeHelper.canSnooze(1));
}
+ @Test
+ public void testSnoozeLimit_maximumPersisted() throws XmlPullParserException, IOException {
+ final long snoozeTimeout = 1234;
+ final String snoozeContext = "ctx";
+ // Serialize & deserialize notifications so that only persisted lists are used
+ XmlSerializer serializer = new FastXmlSerializer();
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ serializer.setOutput(new BufferedOutputStream(baos), "utf-8");
+ serializer.startDocument(null, true);
+ serializer.startTag(null, XML_TAG_NAME);
+ // Serialize maximum number of timed + context snoozed notifications, half of each
+ for (int i = 0; i < CONCURRENT_SNOOZE_LIMIT; i++) {
+ final boolean timedNotification = i % 2 == 0;
+ if (timedNotification) {
+ serializer.startTag(null, XML_SNOOZED_NOTIFICATION);
+ } else {
+ serializer.startTag(null, XML_SNOOZED_NOTIFICATION_CONTEXT);
+ }
+ serializer.attribute(null, XML_SNOOZED_NOTIFICATION_PKG, "pkg");
+ serializer.attribute(null, XML_SNOOZED_NOTIFICATION_USER_ID,
+ String.valueOf(UserHandle.USER_SYSTEM));
+ serializer.attribute(null, XML_SNOOZED_NOTIFICATION_VERSION_LABEL, "1");
+ serializer.attribute(null, XML_SNOOZED_NOTIFICATION_KEY, "key" + i);
+ if (timedNotification) {
+ serializer.attribute(null, XML_SNOOZED_NOTIFICATION_TIME,
+ String.valueOf(snoozeTimeout));
+ serializer.endTag(null, XML_SNOOZED_NOTIFICATION);
+ } else {
+ serializer.attribute(null, XML_SNOOZED_NOTIFICATION_CONTEXT_ID, snoozeContext);
+ serializer.endTag(null, XML_SNOOZED_NOTIFICATION_CONTEXT);
+ }
+ }
+ serializer.endTag(null, XML_TAG_NAME);
+ serializer.endDocument();
+ serializer.flush();
+
+ XmlPullParser parser = Xml.newPullParser();
+ parser.setInput(new BufferedInputStream(
+ new ByteArrayInputStream(baos.toByteArray())), "utf-8");
+ mSnoozeHelper.readXml(parser, 1);
+ // Verify that we can't snooze any more notifications
+ // and that the limit is caused by persisted notifications
+ assertThat(mSnoozeHelper.canSnooze(1)).isFalse();
+ assertThat(mSnoozeHelper.isSnoozed(UserHandle.USER_SYSTEM, "pkg", "key0")).isFalse();
+ assertThat(mSnoozeHelper.getSnoozeTimeForUnpostedNotification(UserHandle.USER_SYSTEM,
+ "pkg", "key0")).isEqualTo(snoozeTimeout);
+ assertThat(
+ mSnoozeHelper.getSnoozeContextForUnpostedNotification(UserHandle.USER_SYSTEM, "pkg",
+ "key1")).isEqualTo(snoozeContext);
+ }
+
@Test
public void testCancelByApp() throws Exception {
NotificationRecord r = getNotificationRecord("pkg", 1, "one", UserHandle.SYSTEM);
@@ -328,6 +391,7 @@ public class SnoozeHelperTest extends UiServiceTestCase {
@Test
public void repostGroupSummary_repostsSummary() throws Exception {
+ final int snoozeDuration = 1000;
IntArray profileIds = new IntArray();
profileIds.add(UserHandle.USER_SYSTEM);
when(mUserProfiles.getCurrentProfileIds()).thenReturn(profileIds);
@@ -335,10 +399,44 @@ public class SnoozeHelperTest extends UiServiceTestCase {
"pkg", 1, "one", UserHandle.SYSTEM, "group1", true);
NotificationRecord r2 = getNotificationRecord(
"pkg", 2, "two", UserHandle.SYSTEM, "group1", false);
- mSnoozeHelper.snooze(r, 1000);
- mSnoozeHelper.snooze(r2, 1000);
+ final long snoozeTime = System.currentTimeMillis() + snoozeDuration;
+ mSnoozeHelper.snooze(r, snoozeDuration);
+ mSnoozeHelper.snooze(r2, snoozeDuration);
+ assertEquals(2, mSnoozeHelper.getSnoozed().size());
+ assertEquals(2, mSnoozeHelper.getSnoozed(UserHandle.USER_SYSTEM, "pkg").size());
+ // Verify that summary notification was added to the persisted list
+ assertThat(mSnoozeHelper.getSnoozeTimeForUnpostedNotification(UserHandle.USER_SYSTEM, "pkg",
+ r.getKey())).isAtLeast(snoozeTime);
+
+ mSnoozeHelper.repostGroupSummary("pkg", UserHandle.USER_SYSTEM, r.getGroupKey());
+
+ verify(mCallback, times(1)).repost(UserHandle.USER_SYSTEM, r, false);
+ verify(mCallback, never()).repost(UserHandle.USER_SYSTEM, r2, false);
+
+ assertEquals(1, mSnoozeHelper.getSnoozed().size());
+ assertEquals(1, mSnoozeHelper.getSnoozed(UserHandle.USER_SYSTEM, "pkg").size());
+ // Verify that summary notification was removed from the persisted list
+ assertThat(mSnoozeHelper.getSnoozeTimeForUnpostedNotification(UserHandle.USER_SYSTEM, "pkg",
+ r.getKey())).isEqualTo(0);
+ }
+
+ @Test
+ public void snoozeWithContext_repostGroupSummary_removesPersisted() throws Exception {
+ final String snoozeContext = "zzzzz";
+ IntArray profileIds = new IntArray();
+ profileIds.add(UserHandle.USER_SYSTEM);
+ when(mUserProfiles.getCurrentProfileIds()).thenReturn(profileIds);
+ NotificationRecord r = getNotificationRecord(
+ "pkg", 1, "one", UserHandle.SYSTEM, "group1", true);
+ NotificationRecord r2 = getNotificationRecord(
+ "pkg", 2, "two", UserHandle.SYSTEM, "group1", false);
+ mSnoozeHelper.snooze(r, snoozeContext);
+ mSnoozeHelper.snooze(r2, snoozeContext);
assertEquals(2, mSnoozeHelper.getSnoozed().size());
assertEquals(2, mSnoozeHelper.getSnoozed(UserHandle.USER_SYSTEM, "pkg").size());
+ // Verify that summary notification was added to the persisted list
+ assertThat(mSnoozeHelper.getSnoozeContextForUnpostedNotification(UserHandle.USER_SYSTEM,
+ "pkg", r.getKey())).isEqualTo(snoozeContext);
mSnoozeHelper.repostGroupSummary("pkg", UserHandle.USER_SYSTEM, r.getGroupKey());
@@ -347,6 +445,9 @@ public class SnoozeHelperTest extends UiServiceTestCase {
assertEquals(1, mSnoozeHelper.getSnoozed().size());
assertEquals(1, mSnoozeHelper.getSnoozed(UserHandle.USER_SYSTEM, "pkg").size());
+ // Verify that summary notification was removed from the persisted list
+ assertThat(mSnoozeHelper.getSnoozeContextForUnpostedNotification(UserHandle.USER_SYSTEM,
+ "pkg", r.getKey())).isNull();
}
@Test


@ -0,0 +1,98 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sergey Nikolaienkov <sergeynv@google.com>
Date: Mon, 3 Jul 2023 17:09:28 +0200
Subject: [PATCH] DO NOT MERGE: Consolidate queryChildDocumentsXxx()
implementations
Make sure to override the single right variant of the
FileSystemProvider#queryChildDocuments() method: the one that takes the
"includeHidden" boolean argument.
Bug: 200034476
Bug: 220066255
Bug: 283962634
Test: make, install and run manually
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e11e4ca6eef7e77042f2b27fce4fdb8a0b3d0371)
Merged-In: I4c00693e28f3d50d716350a65e9e6bfd7482b085
Change-Id: I4c00693e28f3d50d716350a65e9e6bfd7482b085
---
.../downloads/DownloadStorageProvider.java | 38 ++++++-------------
1 file changed, 12 insertions(+), 26 deletions(-)
diff --git a/src/com/android/providers/downloads/DownloadStorageProvider.java b/src/com/android/providers/downloads/DownloadStorageProvider.java
index 051cf35c..2bacc826 100644
--- a/src/com/android/providers/downloads/DownloadStorageProvider.java
+++ b/src/com/android/providers/downloads/DownloadStorageProvider.java
@@ -304,39 +304,26 @@ public class DownloadStorageProvider extends FileSystemProvider {
}
@Override
- public Cursor queryChildDocuments(String parentDocId, String[] projection, String sortOrder)
- throws FileNotFoundException {
- return queryChildDocuments(parentDocId, projection, sortOrder, false);
- }
-
- @Override
- public Cursor queryChildDocumentsForManage(
- String parentDocId, String[] projection, String sortOrder)
- throws FileNotFoundException {
- return queryChildDocuments(parentDocId, projection, sortOrder, true);
- }
-
- private Cursor queryChildDocuments(String parentDocId, String[] projection,
- String sortOrder, boolean manage) throws FileNotFoundException {
-
+ protected Cursor queryChildDocuments(String documentId, String[] projection, String sortOrder,
+ boolean includeHidden) throws FileNotFoundException {
// Delegate to real provider
final long token = Binder.clearCallingIdentity();
Cursor cursor = null;
try {
- if (RawDocumentsHelper.isRawDocId(parentDocId)) {
- return super.queryChildDocuments(parentDocId, projection, sortOrder);
+ if (RawDocumentsHelper.isRawDocId(documentId)) {
+ return super.queryChildDocuments(documentId, projection, sortOrder, includeHidden);
}
final DownloadsCursor result = new DownloadsCursor(projection,
getContext().getContentResolver());
final ArrayList<Uri> notificationUris = new ArrayList<>();
- if (isMediaStoreDownloadDir(parentDocId)) {
+ if (isMediaStoreDownloadDir(documentId)) {
includeDownloadsFromMediaStore(result, null /* queryArgs */,
null /* filePaths */, notificationUris,
- getMediaStoreIdString(parentDocId), NO_LIMIT, manage);
+ getMediaStoreIdString(documentId), NO_LIMIT, includeHidden);
} else {
- assert (DOC_ID_ROOT.equals(parentDocId));
- if (manage) {
+ assert (DOC_ID_ROOT.equals(documentId));
+ if (includeHidden) {
cursor = mDm.query(
new DownloadManager.Query().setOnlyIncludeVisibleInDownloadsUi(true));
} else {
@@ -351,7 +338,7 @@ public class DownloadStorageProvider extends FileSystemProvider {
notificationUris.add(cursor.getNotificationUri());
includeDownloadsFromMediaStore(result, null /* queryArgs */,
filePaths, notificationUris,
- null /* parentId */, NO_LIMIT, manage);
+ null /* parentId */, NO_LIMIT, includeHidden);
includeFilesFromSharedStorage(result, filePaths, null);
}
result.setNotificationUris(getContext().getContentResolver(), notificationUris);
@@ -472,12 +459,11 @@ public class DownloadStorageProvider extends FileSystemProvider {
return result;
}
- private void includeSearchFilesFromSharedStorage(DownloadsCursor result,
- String[] projection, Set<String> filePaths,
- Bundle queryArgs) throws FileNotFoundException {
+ private void includeSearchFilesFromSharedStorage(DownloadsCursor result, String[] projection,
+ Set<String> filePaths, Bundle queryArgs) throws FileNotFoundException {
final File downloadDir = getPublicDownloadsDirectory();
try (Cursor rawFilesCursor = super.querySearchDocuments(downloadDir,
- projection, filePaths, queryArgs)) {
+ projection, /* exclusion */ filePaths, queryArgs)) {
final boolean shouldExcludeMedia = queryArgs.getBoolean(
DocumentsContract.QUERY_ARG_EXCLUDE_MEDIA, false /* defaultValue */);
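Review bot: This DownloadStorageProvider patch is added but never applied: the build script further down in this same commit leaves it commented out with `#XXX: DownloadStorageProvider.java:306: error: method does not override or implement a method from a supertype`, so the tree keeps the old `queryChildDocuments`/`queryChildDocumentsForManage` pair and the `includeHidden` consolidation from Bug 200034476/220066255/283962634 is not in effect. The compile error suggests this branch's FileSystemProvider has no four-argument `queryChildDocuments(String, String[], String, boolean)` to override, so a working backport would have to keep the two public overrides and route both through the private helper (or add the base-class variant first). Either land an adapted version or drop the unused .patch file, so the patch directory does not imply coverage the build does not provide; the "DO NOT MERGE" subject is a further hint that this variant needs re-checking against the 17.1 base.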


@ -0,0 +1,44 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 29 Nov 2023 00:53:33 +0000
Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and
attp_build_value_cmd
this is a backport of Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
Bug: 276898739
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e)
Merged-In: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
Change-Id: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
---
btif/src/btif_gatt_util.cc | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/btif/src/btif_gatt_util.cc b/btif/src/btif_gatt_util.cc
index 16f227511..a0798df15 100644
--- a/btif/src/btif_gatt_util.cc
+++ b/btif/src/btif_gatt_util.cc
@@ -18,6 +18,8 @@
#define LOG_TAG "bt_btif_gatt"
+#include <algorithm>
+
#include "btif_gatt_util.h"
#include <errno.h>
@@ -48,9 +50,9 @@ using bluetooth::Uuid;
void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) {
p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
p_dest->attr_value.handle = p_src->attr_value.handle;
- p_dest->attr_value.len = p_src->attr_value.len;
+ p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
p_dest->attr_value.offset = p_src->attr_value.offset;
- memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
+ memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
}
/*******************************************************************************
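Review bot: The subject names both btif_to_bta_response and attp_build_value_cmd, but the diffstat lists only btif/src/btif_gatt_util.cc (4 insertions, 2 deletions), so the attp_build_value_cmd part of the upstream change Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368 is not in this backport; confirm whether stack/gatt/att_protocol.cc on this branch already bounds that value length or whether that half was dropped. In the new code, clamping `len` to GATT_MAX_ATTR_LEN makes the memcpy safe but silently truncates an over-long response, so a caller handing in a bad `len` gets a shorter value with no diagnostic; a log line at the clamp point (e.g. `if (p_src->attr_value.len > GATT_MAX_ATTR_LEN) LOG_WARN(...)` in whatever logging macro this file uses) would make such cases visible. Whether `p_src->attr_value.value` is itself GATT_MAX_ATTR_LEN bytes is not visible in the hunk. The same points apply to the second, vendor/qcom copy of this patch later in the commit.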


@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 29 Nov 2023 18:23:53 +0000
Subject: [PATCH] Fix an OOB write bug in attp_build_read_by_type_value_cmd
This is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e
Bug: 297524203
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)
Merged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181
Change-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181
---
stack/gatt/att_protocol.cc | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
index 5d3d4a818..cdf472e40 100644
--- a/stack/gatt/att_protocol.cc
+++ b/stack/gatt/att_protocol.cc
@@ -157,8 +157,14 @@ BT_HDR* attp_build_read_by_type_value_cmd(uint16_t payload_size,
tGATT_FIND_TYPE_VALUE* p_value_type) {
uint8_t* p;
uint16_t len = p_value_type->value_len;
- BT_HDR* p_buf =
- (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
+ BT_HDR* p_buf = nullptr;
+
+ if (payload_size < 5) {
+ return nullptr;
+ }
+
+ p_buf =
+ (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
p_buf->offset = L2CAP_MIN_OFFSET;
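Review bot: The new `if (payload_size < 5) return nullptr;` introduces a null return from a function that previously always handed back an osi_malloc'd buffer, so every caller of attp_build_read_by_type_value_cmd now needs a nullptr check before touching the result; the call sites are outside this hunk and the patch does not touch them, so confirm they handle it (or that the upstream change I2a95bbcce9a16ac84dd714eb4561428711a9872e did). The bound `5` is unexplained — presumably it matches a `payload_size - 5` clamp on `len` further down the function, outside the hunk — and would read better as a named constant (say `kFindTypeValueMinPayload`) with a comment stating which header bytes it accounts for. The function continues past the hunk. The vendor/qcom copy of this patch later in the commit has the same two points.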


@ -0,0 +1,71 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Keith Mok <keithmok@google.com>
Date: Thu, 31 Aug 2023 00:31:35 +0000
Subject: [PATCH] Add seal if ashmem-dev is backed by memfd
Need to seal the buffer size in align with ashmem if set to PROT_READ
only to prevent untrusted remote process to shrink the buffer size and
crash it.
Bug: 294609150
Test: build
Ignore-AOSP-First: Security
(cherry picked from commit f83c5c8fecf89d9315945368aa20350c2f235cc0)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:61a2897733e15a12b7aa2dfd99957e83cbe59351)
Merged-In: I9288cf30b41e84ad8d3247c204e20482912bff69
Change-Id: I9288cf30b41e84ad8d3247c204e20482912bff69
---
libcutils/ashmem-dev.cpp | 29 +++++++++++++++++++++++++----
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/libcutils/ashmem-dev.cpp b/libcutils/ashmem-dev.cpp
index e67b45808..a081837e5 100644
--- a/libcutils/ashmem-dev.cpp
+++ b/libcutils/ashmem-dev.cpp
@@ -360,6 +360,12 @@ static int memfd_create_region(const char* name, size_t size) {
return -1;
}
+ // forbid size changes to match ashmem behaviour
+ if (fcntl(fd, F_ADD_SEALS, F_SEAL_GROW | F_SEAL_SHRINK) == -1) {
+ ALOGE("memfd_create(%s, %zd) F_ADD_SEALS failed: %m", name, size);
+ return -1;
+ }
+
if (debug_log) {
ALOGE("memfd_create(%s, %zd) success. fd=%d\n", name, size, fd.get());
}
@@ -411,14 +417,29 @@ error:
}
static int memfd_set_prot_region(int fd, int prot) {
- /* Only proceed if an fd needs to be write-protected */
+ int seals = fcntl(fd, F_GET_SEALS);
+ if (seals == -1) {
+ ALOGE("memfd_set_prot_region(%d, %d): F_GET_SEALS failed: %s\n", fd, prot, strerror(errno));
+ return -1;
+ }
+
if (prot & PROT_WRITE) {
+ /* Now we want the buffer to be read-write, let's check if the buffer
+ * has been previously marked as read-only before, if so return error
+ */
+ if (seals & F_SEAL_FUTURE_WRITE) {
+ ALOGE("memfd_set_prot_region(%d, %d): region is write protected\n", fd, prot);
+ errno = EINVAL; // inline with ashmem error code, if already in
+ // read-only mode
+ return -1;
+ }
return 0;
}
- if (fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE) == -1) {
- ALOGE("memfd_set_prot_region(%d, %d): F_SEAL_FUTURE_WRITE seal failed: %s\n", fd, prot,
- strerror(errno));
+ /* We would only allow read-only for any future file operations */
+ if (fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE | F_SEAL_SEAL) == -1) {
+ ALOGE("memfd_set_prot_region(%d, %d): F_SEAL_FUTURE_WRITE | F_SEAL_SEAL seal failed: %s\n",
+ fd, prot, strerror(errno));
return -1;
}
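Review bot: The new `F_ADD_SEALS` in memfd_create_region deliberately omits F_SEAL_SEAL — memfd_set_prot_region must still be able to add `F_SEAL_FUTURE_WRITE | F_SEAL_SEAL` later — but the comment does not say so; extend it to `// forbid size changes to match ashmem behaviour; F_SEAL_SEAL is added later by memfd_set_prot_region, so the seal set must stay open here`. The size seals are only meaningful once the region has been sized, and the hunk starts at line 360 after the creation path, so I assume the sizing step precedes it — worth confirming in the full function. Moving `F_GET_SEALS` ahead of the PROT_WRITE early return means an fd on which that call fails now returns -1 where it previously returned 0; likely intended for a memfd-only path, but it is a behaviour change worth a sentence in the commit message. Minor consistency: the new error line uses `%m` while the neighbouring messages in memfd_set_prot_region use `strerror(errno)`.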


@ -0,0 +1,44 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 29 Nov 2023 00:53:33 +0000
Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and
attp_build_value_cmd
this is a backport of Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
Bug: 276898739
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e)
Merged-In: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
Change-Id: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
---
btif/src/btif_gatt_util.cc | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/btif/src/btif_gatt_util.cc b/btif/src/btif_gatt_util.cc
index 6be1cb238..5b101450d 100644
--- a/btif/src/btif_gatt_util.cc
+++ b/btif/src/btif_gatt_util.cc
@@ -18,6 +18,8 @@
#define LOG_TAG "bt_btif_gatt"
+#include <algorithm>
+
#include "btif_gatt_util.h"
#include <errno.h>
@@ -48,9 +50,9 @@ using bluetooth::Uuid;
void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) {
p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
p_dest->attr_value.handle = p_src->attr_value.handle;
- p_dest->attr_value.len = p_src->attr_value.len;
+ p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
p_dest->attr_value.offset = p_src->attr_value.offset;
- memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
+ memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
}
/*******************************************************************************


@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 29 Nov 2023 18:23:53 +0000
Subject: [PATCH] Fix an OOB write bug in attp_build_read_by_type_value_cmd
This is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e
Bug: 297524203
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)
Merged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181
Change-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181
---
stack/gatt/att_protocol.cc | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
index 2b800b716..d1e0ece59 100644
--- a/stack/gatt/att_protocol.cc
+++ b/stack/gatt/att_protocol.cc
@@ -157,8 +157,14 @@ BT_HDR* attp_build_read_by_type_value_cmd(uint16_t payload_size,
tGATT_FIND_TYPE_VALUE* p_value_type) {
uint8_t* p;
uint16_t len = p_value_type->value_len;
- BT_HDR* p_buf =
- (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
+ BT_HDR* p_buf = nullptr;
+
+ if (payload_size < 5) {
+ return nullptr;
+ }
+
+ p_buf =
+ (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
p_buf->offset = L2CAP_MIN_OFFSET;


@ -98,6 +98,8 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
#sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
sed -i 's/2024-01-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-02
fi;
if enterAndClear "build/soong"; then
@ -160,9 +162,17 @@ if enterAndClear "external/zlib"; then
git fetch https://github.com/LineageOS/android_external_zlib refs/changes/70/352570/1 && git cherry-pick FETCH_HEAD; #Q_asb_2023-03
fi;
if enterAndClear "frameworks/av"; then
applyPatch "$DOS_PATCHES/android_frameworks_av/381886.patch"; #R_asb_2024-02 Update mtp packet buffer
fi;
if enterAndClear "frameworks/base"; then
applyPatch "$DOS_PATCHES/android_frameworks_base/379145.patch"; #R_asb_2024-01 Dismiss keyguard when simpin auth'd and...
#applyPatch "$DOS_PATCHES/android_frameworks_base/379145.patch"; #R_asb_2024-01 Dismiss keyguard when simpin auth'd and...
applyPatch "$DOS_PATCHES/android_frameworks_base/379136.patch"; #R_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
applyPatch "$DOS_PATCHES/android_frameworks_base/381887-backport.patch"; #R_asb_2024-02 Disallow Wallpaper service to launch activity from background.
applyPatch "$DOS_PATCHES/android_frameworks_base/381889-backport.patch"; #R_asb_2024-02 Unbind TileService onNullBinding
applyPatch "$DOS_PATCHES/android_frameworks_base/381890-backport.patch"; #R_asb_2024-02 Restrict activity launch when caller is running in the background
#applyPatch "$DOS_PATCHES/android_frameworks_base/381892-backport.patch"; #R_asb_2024-02 Enforce persisted snoozed notifications limits #XXX: error: cannot find symbol
#applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
@ -385,6 +395,7 @@ fi;
#fi;
if enterAndClear "packages/providers/DownloadProvider"; then
#applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/381893.patch"; #R_asb_2024-02 Consolidate queryChildDocumentsXxx() implementations #XXX: DownloadStorageProvider.java:306: error: method does not override or implement a method from a supertype
applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
fi;
@ -397,6 +408,8 @@ applyPatch "$DOS_PATCHES/android_prebuilts_abi-dumps_vndk/0001-protobuf-avi.patc
fi;
if enterAndClear "system/bt"; then
applyPatch "$DOS_PATCHES/android_system_bt/381894.patch"; #R_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
applyPatch "$DOS_PATCHES/android_system_bt/381895.patch"; #R_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
#applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
@ -412,6 +425,7 @@ if enterAndClear "system/core"; then
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
git revert --no-edit 3032c7aa5ce90c0ae9c08fe271052c6e0304a1e7 01266f589e6deaef30b782531ae14435cdd2f18e; #insanity
git revert --no-edit bd4142eab8b3cead0c25a2e660b4b048d1315d3c; #Always update recovery
applyPatch "$DOS_PATCHES/android_system_core/381896.patch"; #R_asb_2024-02 Add seal if ashmem-dev is backed by memfd
applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
if [ "$DOS_GRAPHENE_BIONIC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0003-Zero_Sensitive_Info.patch"; fi; #Zero sensitive information with explicit_bzero (GrapheneOS)
@ -448,6 +462,11 @@ applyPatch "$DOS_PATCHES/android_tools_apksig/360973-backport-prereq.patch"; #R_
applyPatch "$DOS_PATCHES/android_tools_apksig/360973-backport.patch"; #R_asb_2023-07 Limit the number of supported v1 and v2 signers
fi;
if enterAndClear "vendor/qcom/opensource/commonsys/system/bt/"; then
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/381897.patch"; #R_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/381898.patch"; #R_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
fi;
if enterAndClear "vendor/lineage"; then
rm build/target/product/security/lineage.x509.pem; #Remove Lineage keys
rm -rf overlay/common/lineage-sdk/packages/LineageSettingsProvider/res/values/defaults.xml; #Remove analytics