diff --git a/Patches/LineageOS-14.1/android_frameworks_base/393646.patch b/Patches/LineageOS-14.1/android_frameworks_base/393646.patch
new file mode 100644
index 00000000..4260bf9b
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_base/393646.patch
@@ -0,0 +1,43 @@
+From 2786005045df9d37fc4de14e5e4f60b9d5ec59b7 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev
+Date: Tue, 26 Mar 2024 10:31:44 -0700
+Subject: [PATCH] Add more checkKeyIntent checks to AccountManagerService.
+
+Another verification is needed after Bundle modification.
+Bug: 321941232
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:36db8a1d61a881f89fdd3911886adcda6e1f0d7f)
+Merged-In: I9e45d758a2320328da5664b6341eafe6f285f297
+Change-Id: I9e45d758a2320328da5664b6341eafe6f285f297
+---
+ .../android/server/accounts/AccountManagerService.java | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 126955add01a9..6ae79ec2e4aaa 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -2971,6 +2971,11 @@ public void onResult(Bundle result) {
+
+ // Strip auth token from result.
+ result.remove(AccountManager.KEY_AUTHTOKEN);
++ if (!checkKeyIntent(Binder.getCallingUid(), result)) {
++ onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
++ "invalid intent in bundle returned");
++ return;
++ }
+
+ if (Log.isLoggable(TAG, Log.VERBOSE)) {
+ Log.v(TAG,
+@@ -4402,6 +4407,11 @@ public void onResult(Bundle result) {
+ } else {
+ if (mStripAuthTokenFromResult) {
+ result.remove(AccountManager.KEY_AUTHTOKEN);
++ if (!checkKeyIntent(Binder.getCallingUid(), result)) {
++ onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
++ "invalid intent in bundle returned");
++ return;
++ }
+ }
+ if (Log.isLoggable(TAG, Log.VERBOSE)) {
+ Log.v(TAG, getClass().getSimpleName()
diff --git a/Patches/LineageOS-14.1/android_frameworks_base/393647.patch b/Patches/LineageOS-14.1/android_frameworks_base/393647.patch
new file mode 100644
index 00000000..155cd751
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_base/393647.patch
@@ -0,0 +1,54 @@
+From 1595b95840ad55128edacd32996afb954480aefd Mon Sep 17 00:00:00 2001
+From: Chris Wailes
+Date: Thu, 18 Apr 2019 18:25:57 -0700
+Subject: [PATCH] [BACKPORT] Adds additional sanitization for Zygote command
+ arguments.
+
+Previously we were only insuring that the arguments provided to the
+Zygote didn't contain any newlines. This adds additional checks for
+carriage returns and standalone integer arguments to protect against
+malicious argument and packet injection respectively.
+
+Bug: 130164289
+Test: m & flash & boot & check logs
+Change-Id: I4055c50d52db0047c02c11096710fd07b429660c
+Merged-In: I4055c50d52db0047c02c11096710fd07b429660c
+(cherry picked from commit c99198249f8bb79487d4f9f0f45b5b2fefaba41a)
+---
+ core/java/android/os/Process.java | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/core/java/android/os/Process.java b/core/java/android/os/Process.java
+index e1b7fdad25e7d..1e084529de6e5 100644
+--- a/core/java/android/os/Process.java
++++ b/core/java/android/os/Process.java
+@@ -16,6 +16,7 @@
+
+ package android.os;
+
++import android.annotation.NonNull;
+ import android.annotation.TestApi;
+ import android.net.LocalSocket;
+ import android.net.LocalSocketAddress;
+@@ -564,15 +565,19 @@ private static String getAbiList(BufferedWriter writer, DataInputStream inputStr
+ * @throws ZygoteStartFailedEx if process start failed for any reason
+ */
+ private static ProcessStartResult zygoteSendArgsAndGetResult(
+- ZygoteState zygoteState, ArrayList args)
++ ZygoteState zygoteState, @NonNull ArrayList args)
+ throws ZygoteStartFailedEx {
+ try {
+ // Throw early if any of the arguments are malformed. This means we can
+ // avoid writing a partial response to the zygote.
+ int sz = args.size();
+ for (int i = 0; i < sz; i++) {
++ // Making two indexOf calls here is faster than running a manually fused loop due
++ // to the fact that indexOf is a optimized intrinsic.
+ if (args.get(i).indexOf('\n') >= 0) {
+- throw new ZygoteStartFailedEx("embedded newlines not allowed");
++ throw new ZygoteStartFailedEx("Embedded newlines not allowed");
++ } else if (args.get(i).indexOf('\r') >= 0) {
++ throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
+ }
+ }
+
diff --git a/Patches/LineageOS-14.1/android_frameworks_base/393648.patch b/Patches/LineageOS-14.1/android_frameworks_base/393648.patch
new file mode 100644
index 00000000..8cf553b2
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_base/393648.patch
@@ -0,0 +1,32 @@
+From 556cc034e359fd1bb64a1b16ebe7a61f06810bcb Mon Sep 17 00:00:00 2001
+From: Hans Boehm
+Date: Tue, 2 Jan 2024 16:53:13 -0800
+Subject: [PATCH] [BACKPORT] Check hidden API exemptions
+
+Refuse to deal with newlines and null characters in
+HiddenApiSettings.update(). Also disallow nulls in process start
+arguments.
+
+Bug: 316153291
+Test: Treehugger for now
+(cherry picked from commit 7ba059e2cf0a2c20f9a849719cdc32b12c933a44)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:60669aa49aba34c0950d6246bd95b54f91a3c8e8)
+Merged-In: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
+Change-Id: I83cd60e46407a4a082f9f3c80e937dbd522dbac4
+---
+ core/java/android/os/Process.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/core/java/android/os/Process.java b/core/java/android/os/Process.java
+index 1e084529de6e5..de8287baa828b 100644
+--- a/core/java/android/os/Process.java
++++ b/core/java/android/os/Process.java
+@@ -578,6 +578,8 @@ private static ProcessStartResult zygoteSendArgsAndGetResult(
+ throw new ZygoteStartFailedEx("Embedded newlines not allowed");
+ } else if (args.get(i).indexOf('\r') >= 0) {
+ throw new ZygoteStartFailedEx("Embedded carriage returns not allowed");
++ } else if (args.get(i).indexOf('\u0000') >= 0) {
++ throw new ZygoteStartFailedEx("Embedded nulls not allowed");
+ }
+ }
+
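Review bot: The inherited commit message of 393647.patch promises checks for carriage returns and for standalone integer arguments, but the visible hunk (and its 7-insertion diffstat) only adds the `\r` branch next to the existing `\n` check, so this backport covers less than its description states. The same mismatch appears in 393648.patch on this line, whose message says it refuses newlines and nulls in `HiddenApiSettings.update()` while the 2-insertion hunk touches only the process-argument loop. A short line in each patch header, or in the corresponding Patch.sh comment, naming the part of the upstream change that was dropped and why (presumably because the target code does not exist in 14.1) would stop the next reader from assuming that coverage. In both patches the enclosing method `zygoteSendArgsAndGetResult` continues past the hunk.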
diff --git a/Patches/LineageOS-14.1/android_frameworks_base/393649.patch b/Patches/LineageOS-14.1/android_frameworks_base/393649.patch
new file mode 100644
index 00000000..68d18284
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_base/393649.patch
@@ -0,0 +1,61 @@
+From 53abf79f26084d26d2887d716137fa9cd4eeefc9 Mon Sep 17 00:00:00 2001
+From: Ameer Armaly
+Date: Fri, 8 Mar 2024 19:41:06 +0000
+Subject: [PATCH] [RESTRICT AUTOMERGE] AccessibilityManagerService: remove
+ uninstalled services from enabled list after service update.
+
+Bug: 326485767
+Test: atest AccessibilityEndToEndTest#testUpdateServiceWithoutIntent_disablesService
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f6192d3a77520d40b6a93de8f45400e19f5ba29f)
+Merged-In: Ia86857d58ebab925ec6e55f9e5fa64e265326ec0
+Change-Id: Ia86857d58ebab925ec6e55f9e5fa64e265326ec0
+
+Change-Id: I898044b388399bded66acb22dba55c5df26ccc9f
+---
+ .../AccessibilityManagerService.java | 22 +++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+index 34ccb7b82c87c..38cf47a5d87b9 100644
+--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+@@ -1294,10 +1294,13 @@ private void updateServicesLocked(UserState userState) {
+ boolean isUnlockingOrUnlocked = mContext.getSystemService(UserManager.class)
+ .isUserUnlockingOrUnlocked(userState.mUserId);
+
++ // Store the list of installed services.
++ mTempComponentNameSet.clear();
+ for (int i = 0, count = userState.mInstalledServices.size(); i < count; i++) {
+ AccessibilityServiceInfo installedService = userState.mInstalledServices.get(i);
+ ComponentName componentName = ComponentName.unflattenFromString(
+ installedService.getId());
++ mTempComponentNameSet.add(componentName);
+
+ Service service = componentNameToServiceMap.get(componentName);
+
+@@ -1325,6 +1328,25 @@ private void updateServicesLocked(UserState userState) {
+ }
+ }
+
++ // If any services have been removed, remove them from the enabled list and the touch
++ // exploration granted list.
++ boolean anyServiceRemoved =
++ userState.mEnabledServices.removeIf((comp) -> !mTempComponentNameSet.contains(comp))
++ || userState.mTouchExplorationGrantedServices.removeIf(
++ (comp) -> !mTempComponentNameSet.contains(comp));
++ if (anyServiceRemoved) {
++ // Update the enabled services setting.
++ persistComponentNamesToSettingLocked(
++ Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
++ userState.mEnabledServices,
++ userState.mUserId);
++ // Update the touch exploration granted services setting.
++ persistComponentNamesToSettingLocked(
++ Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
++ userState.mTouchExplorationGrantedServices,
++ userState.mUserId);
++ }
++ mTempComponentNameSet.clear();
+ updateAccessibilityEnabledSetting(userState);
+ }
+
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index f9386922..e077c09c 100644
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
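Review bot: `boolean anyServiceRemoved = userState.mEnabledServices.removeIf(...) || userState.mTouchExplorationGrantedServices.removeIf(...)` short-circuits, so whenever a stale entry is actually removed from `mEnabledServices` the second `removeIf` never runs, and the stale touch-exploration grant is then written back unchanged by the `persistComponentNamesToSettingLocked(Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES, ...)` call a few lines below. Evaluate both removals unconditionally: `boolean enabledRemoved = userState.mEnabledServices.removeIf((comp) -> !mTempComponentNameSet.contains(comp));` `boolean grantedRemoved = userState.mTouchExplorationGrantedServices.removeIf((comp) -> !mTempComponentNameSet.contains(comp));` `boolean anyServiceRemoved = enabledRemoved || grantedRemoved;`. The part of `updateServicesLocked` between the two inner hunks is outside this view, so I cannot confirm that no early exit in the loop skips the trailing `mTempComponentNameSet.clear()`; if one exists, the set would carry stale entries into the next call.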
@@ -82,7 +82,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2024-05-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-05 #XXX
+sed -i 's/2021-06-05/2024-06-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-06 #XXX
 fi;
 
 if enterAndClear "device/qcom/sepolicy"; then
@@ -282,6 +282,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/378956.patch"; #n-asb-2024-01 F
 applyPatch "$DOS_PATCHES/android_frameworks_base/385241.patch"; #n-asb-2024-03 Resolve custom printer icon boundary exploit.
 applyPatch "$DOS_PATCHES/android_frameworks_base/385242.patch"; #n-asb-2024-03 Close AccountManagerService.session after timeout.
 applyPatch "$DOS_PATCHES/android_frameworks_base/388831.patch"; #n-asb-2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
+applyPatch "$DOS_PATCHES/android_frameworks_base/393646.patch"; #n-asb-2024-05 Add more checkKeyIntent checks to AccountManagerService.
+applyPatch "$DOS_PATCHES/android_frameworks_base/393647.patch"; #n-asb-2024-05 Adds additional sanitization for Zygote command arguments.
+applyPatch "$DOS_PATCHES/android_frameworks_base/393648.patch"; #n-asb-2024-05 Check hidden API exemptions
+applyPatch "$DOS_PATCHES/android_frameworks_base/393649.patch"; #n-asb-2024-05 AccessibilityManagerService: remove uninstalled services from enabled list after service update.
 git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
 applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
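Review bot: The four new `applyPatch` lines are tagged `#n-asb-2024-05`, while the hunk above in the same file moves the security string in `core/version_defaults.mk` from 2024-05-05 to 2024-06-05 and tags it `#n-asb-2024-06`. If these four patches are the June bulletin set, the tags should read `#n-asb-2024-06`; if they are late May items, the patch-level bump rests on changes this chunk does not show, which I cannot rule out since this may be one part of a larger commit. Either way the tag and the bump should agree, because the security string is what users and tooling read as the bulletin the tree actually covers.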