14.1: June ASB picks

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-14.1/android_frameworks_base/393646.patch

@@ -0,0 +1,43 @@
+From 2786005045df9d37fc4de14e5e4f60b9d5ec59b7 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 26 Mar 2024 10:31:44 -0700
+Subject: [PATCH] Add more checkKeyIntent checks to AccountManagerService.
+
+Another verification is needed after Bundle modification.
+Bug: 321941232
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36db8a1d61a881f89fdd3911886adcda6e1f0d7f)
+Merged-In: I9e45d758a2320328da5664b6341eafe6f285f297
+Change-Id: I9e45d758a2320328da5664b6341eafe6f285f297
+---
+ .../android/server/accounts/AccountManagerService.java | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 126955add01a9..6ae79ec2e4aaa 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -2971,6 +2971,11 @@ public void onResult(Bundle result) {
+ 
+             // Strip auth token from result.
+             result.remove(AccountManager.KEY_AUTHTOKEN);
++            if (!checkKeyIntent(Binder.getCallingUid(), result)) {
++                onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
++                        "invalid intent in bundle returned");
++                return;
++            }
+ 
+             if (Log.isLoggable(TAG, Log.VERBOSE)) {
+                 Log.v(TAG,
+@@ -4402,6 +4407,11 @@ public void onResult(Bundle result) {
+                     } else {
+                         if (mStripAuthTokenFromResult) {
+                             result.remove(AccountManager.KEY_AUTHTOKEN);
++                            if (!checkKeyIntent(Binder.getCallingUid(), result)) {
++                                onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
++                                        "invalid intent in bundle returned");
++                                return;
++                            }
+                         }
+                         if (Log.isLoggable(TAG, Log.VERBOSE)) {
+                             Log.v(TAG, getClass().getSimpleName()

Patches/LineageOS-14.1/android_frameworks_base/393647.patch

@@ -0,0 +1,54 @@
+From 1595b95840ad55128edacd32996afb954480aefd Mon Sep 17 00:00:00 2001
+From: Chris Wailes <chriswailes@google.com>
+Date: Thu, 18 Apr 2019 18:25:57 -0700
+Subject: [PATCH] [BACKPORT] Adds additional sanitization for Zygote command
+ arguments.
+
+Previously we were only insuring that the arguments provided to the
+Zygote didn't contain any newlines.  This adds additional checks for
+carriage returns and standalone integer arguments to protect against
+malicious argument and packet injection respectively.
+
+Bug: 130164289
+Test: m & flash & boot & check logs
+Change-Id: I4055c50d52db0047c02c11096710fd07b429660c
+Merged-In: I4055c50d52db0047c02c11096710fd07b429660c
+(cherry picked from commit c99198249f8bb79487d4f9f0f45b5b2fefaba41a)
+---
+ core/java/android/os/Process.java | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/core/java/android/os/Process.java b/core/java/android/os/Process.java
+index e1b7fdad25e7d..1e084529de6e5 100644
+--- a/core/java/android/os/Process.java
++++ b/core/java/android/os/Process.java
+@@ -16,6 +16,7 @@
+ 
+ package android.os;
+ 
++import android.annotation.NonNull;
+ import android.annotation.TestApi;
+ import android.net.LocalSocket;
+ import android.net.LocalSocketAddress;
+@@ -564,15 +565,19 @@ private static String getAbiList(BufferedWriter writer, DataInputStream inputStr
+      * @throws ZygoteStartFailedEx if process start failed for any reason
+      */
+     private static ProcessStartResult zygoteSendArgsAndGetResult(
+-            ZygoteState zygoteState, ArrayList<String> args)
++            ZygoteState zygoteState, @NonNull ArrayList<String> args)
+             throws ZygoteStartFailedEx {
+         try {
+             // Throw early if any of the arguments are malformed. This means we can
+             // avoid writing a partial response to the zygote.
+             int sz = args.size();
+             for (int i = 0; i < sz; i++) {
++                // Making two indexOf calls here is faster than running a manually fused loop due
++                // to the fact that indexOf is a optimized intrinsic.
+                 if (args.get(i).indexOf('\n') >= 0) {
+-                    throw new ZygoteStartFailedEx("embedded newlines not allowed");
++                    throw new ZygoteStartFailedEx("Embedded newlines not allowed");
++                } else if (args.get(i).indexOf('\r') >= 0) {
++                    throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
+                 }
+             }
+ 

Patches/LineageOS-14.1/android_frameworks_base/393648.patch

@@ -0,0 +1,32 @@
+From 556cc034e359fd1bb64a1b16ebe7a61f06810bcb Mon Sep 17 00:00:00 2001
+From: Hans Boehm <hboehm@google.com>
+Date: Tue, 2 Jan 2024 16:53:13 -0800
+Subject: [PATCH] [BACKPORT] Check hidden API exemptions
+
+Refuse to deal with newlines and null characters in
+HiddenApiSettings.update(). Also disallow nulls in process start
+arguments.
+
+Bug: 316153291
+Test: Treehugger for now
+(cherry picked from commit 7ba059e2cf0a2c20f9a849719cdc32b12c933a44)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:60669aa49aba34c0950d6246bd95b54f91a3c8e8)
+Merged-In: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
+Change-Id: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
+---
+ core/java/android/os/Process.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/core/java/android/os/Process.java b/core/java/android/os/Process.java
+index 1e084529de6e5..de8287baa828b 100644
+--- a/core/java/android/os/Process.java
++++ b/core/java/android/os/Process.java
+@@ -578,6 +578,8 @@ private static ProcessStartResult zygoteSendArgsAndGetResult(
+                     throw new ZygoteStartFailedEx("Embedded newlines not allowed");
+                 } else if (args.get(i).indexOf('\r') >= 0) {
+                     throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
++                } else if (args.get(i).indexOf('\u0000') >= 0) {
++                    throw new ZygoteStartFailedEx("Embedded nulls not allowed");
+                 }
+             }
+ 

Patches/LineageOS-14.1/android_frameworks_base/393649.patch

@@ -0,0 +1,61 @@
+From 53abf79f26084d26d2887d716137fa9cd4eeefc9 Mon Sep 17 00:00:00 2001
+From: Ameer Armaly <aarmaly@google.com>
+Date: Fri, 8 Mar 2024 19:41:06 +0000
+Subject: [PATCH] [RESTRICT AUTOMERGE] AccessibilityManagerService: remove
+ uninstalled services from enabled list after service update.
+
+Bug: 326485767
+Test: atest AccessibilityEndToEndTest#testUpdateServiceWithoutIntent_disablesService
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f6192d3a77520d40b6a93de8f45400e19f5ba29f)
+Merged-In: Ia86857d58ebab925ec6e55f9e5fa64e265326ec0
+Change-Id: Ia86857d58ebab925ec6e55f9e5fa64e265326ec0
+
+Change-Id: I898044b388399bded66acb22dba55c5df26ccc9f
+---
+ .../AccessibilityManagerService.java          | 22 +++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+index 34ccb7b82c87c..38cf47a5d87b9 100644
+--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+@@ -1294,10 +1294,13 @@ private void updateServicesLocked(UserState userState) {
+         boolean isUnlockingOrUnlocked = mContext.getSystemService(UserManager.class)
+                 .isUserUnlockingOrUnlocked(userState.mUserId);
+ 
++        // Store the list of installed services.
++        mTempComponentNameSet.clear();
+         for (int i = 0, count = userState.mInstalledServices.size(); i < count; i++) {
+             AccessibilityServiceInfo installedService = userState.mInstalledServices.get(i);
+             ComponentName componentName = ComponentName.unflattenFromString(
+                     installedService.getId());
++            mTempComponentNameSet.add(componentName);
+ 
+             Service service = componentNameToServiceMap.get(componentName);
+ 
+@@ -1325,6 +1328,25 @@ private void updateServicesLocked(UserState userState) {
+             }
+         }
+ 
++        // If any services have been removed, remove them from the enabled list and the touch
++        // exploration granted list.
++        boolean anyServiceRemoved =
++                userState.mEnabledServices.removeIf((comp) -> !mTempComponentNameSet.contains(comp))
++                        || userState.mTouchExplorationGrantedServices.removeIf(
++                                (comp) -> !mTempComponentNameSet.contains(comp));
++        if (anyServiceRemoved) {
++            // Update the enabled services setting.
++            persistComponentNamesToSettingLocked(
++                    Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
++                    userState.mEnabledServices,
++                    userState.mUserId);
++            // Update the touch exploration granted services setting.
++            persistComponentNamesToSettingLocked(
++                    Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
++                    userState.mTouchExplorationGrantedServices,
++                    userState.mUserId);
++        }
++        mTempComponentNameSet.clear();
+         updateAccessibilityEnabledSetting(userState);
+     }
+ 

Scripts/LineageOS-14.1/Patch.sh

@@ -82,7 +82,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2024-05-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-05 #XXX
+sed -i 's/2021-06-05/2024-06-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-06 #XXX
 fi;
 
 if enterAndClear "device/qcom/sepolicy"; then
@@ -282,6 +282,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/378956.patch"; #n-asb-2024-01 F
 applyPatch "$DOS_PATCHES/android_frameworks_base/385241.patch"; #n-asb-2024-03 Resolve custom printer icon boundary exploit.
 applyPatch "$DOS_PATCHES/android_frameworks_base/385242.patch"; #n-asb-2024-03 Close AccountManagerService.session after timeout.
 applyPatch "$DOS_PATCHES/android_frameworks_base/388831.patch"; #n-asb-2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
+applyPatch "$DOS_PATCHES/android_frameworks_base/393646.patch"; #n-asb-2024-05 Add more checkKeyIntent checks to AccountManagerService.
+applyPatch "$DOS_PATCHES/android_frameworks_base/393647.patch"; #n-asb-2024-05 Adds additional sanitization for Zygote command arguments.
+applyPatch "$DOS_PATCHES/android_frameworks_base/393648.patch"; #n-asb-2024-05 Check hidden API exemptions
+applyPatch "$DOS_PATCHES/android_frameworks_base/393649.patch"; #n-asb-2024-05 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
 git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
 applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)