mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-11 23:49:34 -05:00
16.0: February ASB work
Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
parent
b42fd1ab93
commit
d90b84321d
35
Patches/LineageOS-16.0/android_frameworks_av/381886.patch
Normal file
35
Patches/LineageOS-16.0/android_frameworks_av/381886.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Ashish Kumar Gupta <kumarashishg@google.com>
|
||||
Date: Tue, 21 Nov 2023 08:48:43 +0530
|
||||
Subject: [PATCH] Update mtp packet buffer
|
||||
|
||||
Currently, the buffer size is not changed when the packet size is increased. Ideally, the buffer size should be larger than the packet size. In our case, when the packet size is increased, we must reallocate the buffer of MTP packet.
|
||||
|
||||
Bug: 300007708
|
||||
Test: build and flash the device. Check MTP works
|
||||
Test: run fuzzer locally
|
||||
(cherry picked from commit e1494a2d8e7eee25d7ea5469be43740e97294c99)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c0f99beb6fa5ff920caf5b0d06aaebc8e9eab24)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:edf60c63243903b9f27f58f4954c599470d011fd)
|
||||
Merged-In: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
|
||||
Change-Id: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
|
||||
---
|
||||
media/mtp/MtpPacket.cpp | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/media/mtp/MtpPacket.cpp b/media/mtp/MtpPacket.cpp
|
||||
index 917967cf17..d7567141d6 100644
|
||||
--- a/media/mtp/MtpPacket.cpp
|
||||
+++ b/media/mtp/MtpPacket.cpp
|
||||
@@ -168,8 +168,10 @@ void MtpPacket::setParameter(int index, uint32_t value) {
|
||||
return;
|
||||
}
|
||||
int offset = MTP_CONTAINER_PARAMETER_OFFSET + (index - 1) * sizeof(uint32_t);
|
||||
- if (mPacketSize < offset + sizeof(uint32_t))
|
||||
+ if (mPacketSize < offset + sizeof(uint32_t)) {
|
||||
mPacketSize = offset + sizeof(uint32_t);
|
||||
+ allocate(mPacketSize);
|
||||
+ }
|
||||
putUInt32(offset, value);
|
||||
}
|
||||
|
@ -10,7 +10,7 @@ requiring the READ_PHONE_STATE permission.
|
||||
1 file changed, 1 insertion(+), 7 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
index e1159493fe24..d6443110128d 100644
|
||||
index fb941a7641fc..89ca8f21abcb 100644
|
||||
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
@@ -7937,13 +7937,7 @@ public class ActivityManagerService extends IActivityManager.Stub
|
||||
|
@ -0,0 +1,110 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabi=C3=A1n=20Kozynski?= <kozynski@google.com>
|
||||
Date: Fri, 13 Oct 2023 16:19:27 -0400
|
||||
Subject: [PATCH] Unbind TileService onNullBinding
|
||||
|
||||
Test: atest TileLifecycleManagerTest
|
||||
Test: manual: adb shell dumpsys activity service
|
||||
Test: sts test
|
||||
Bug: 300903792
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bf830ca0df71496cd47563e138b8712918e0476)
|
||||
Merged-In: Ia8126ac65432b124683960e3ebf47301ba6172a1
|
||||
Change-Id: Ia8126ac65432b124683960e3ebf47301ba6172a1
|
||||
---
|
||||
.../qs/external/TileLifecycleManager.java | 5 +++
|
||||
.../qs/external/TileLifecycleManagerTest.java | 33 ++++++++++++++++---
|
||||
2 files changed, 34 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
|
||||
index 1170d7b6e8a9..c0d4736d4a97 100644
|
||||
--- a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
|
||||
+++ b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
|
||||
@@ -192,6 +192,11 @@ public class TileLifecycleManager extends BroadcastReceiver implements
|
||||
handlePendingMessages();
|
||||
}
|
||||
|
||||
+ @Override
|
||||
+ public void onNullBinding(ComponentName name) {
|
||||
+ setBindService(false);
|
||||
+ }
|
||||
+
|
||||
@Override
|
||||
public void onServiceDisconnected(ComponentName name) {
|
||||
if (DEBUG) Log.d(TAG, "onServiceDisconnected " + name);
|
||||
diff --git a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
|
||||
index e5e8ae3311ef..4a389743a395 100644
|
||||
--- a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
|
||||
+++ b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
|
||||
@@ -22,13 +22,16 @@ import static org.junit.Assert.assertEquals;
|
||||
import static org.mockito.Mockito.any;
|
||||
import static org.mockito.Mockito.anyInt;
|
||||
import static org.mockito.Mockito.anyString;
|
||||
+import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.never;
|
||||
import static org.mockito.Mockito.times;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
import android.content.ComponentName;
|
||||
+import android.content.Context;
|
||||
import android.content.Intent;
|
||||
+import android.content.ServiceConnection;
|
||||
import android.content.pm.PackageInfo;
|
||||
import android.content.pm.ServiceInfo;
|
||||
import android.net.Uri;
|
||||
@@ -49,7 +52,7 @@ import org.junit.After;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
-import org.mockito.Mockito;
|
||||
+import org.mockito.ArgumentCaptor;
|
||||
|
||||
@SmallTest
|
||||
@RunWith(AndroidJUnit4.class)
|
||||
@@ -57,8 +60,8 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
|
||||
private static final int TEST_FAIL_TIMEOUT = 5000;
|
||||
|
||||
private final PackageManagerAdapter mMockPackageManagerAdapter =
|
||||
- Mockito.mock(PackageManagerAdapter.class);
|
||||
- private final IQSTileService.Stub mMockTileService = Mockito.mock(IQSTileService.Stub.class);
|
||||
+ mock(PackageManagerAdapter.class);
|
||||
+ private final IQSTileService.Stub mMockTileService = mock(IQSTileService.Stub.class);
|
||||
private ComponentName mTileServiceComponentName;
|
||||
private Intent mTileServiceIntent;
|
||||
private UserHandle mUser;
|
||||
@@ -83,7 +86,7 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
|
||||
mThread.start();
|
||||
mHandler = Handler.createAsync(mThread.getLooper());
|
||||
mStateManager = new TileLifecycleManager(mHandler, mContext,
|
||||
- Mockito.mock(IQSService.class), new Tile(),
|
||||
+ mock(IQSService.class), new Tile(),
|
||||
mTileServiceIntent,
|
||||
mUser,
|
||||
mMockPackageManagerAdapter);
|
||||
@@ -236,4 +239,26 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
|
||||
verifyBind(2);
|
||||
verify(mMockTileService, times(2)).onStartListening();
|
||||
}
|
||||
+
|
||||
+ @Test
|
||||
+ public void testNullBindingCallsUnbind() {
|
||||
+ Context mockContext = mock(Context.class);
|
||||
+ // Binding has to succeed
|
||||
+ when(mockContext.bindServiceAsUser(any(), any(), anyInt(), any())).thenReturn(true);
|
||||
+ TileLifecycleManager manager = new TileLifecycleManager(mHandler, mockContext,
|
||||
+ mock(IQSService.class),
|
||||
+ new Tile(),
|
||||
+ mTileServiceIntent,
|
||||
+ mUser,
|
||||
+ mMockPackageManagerAdapter,
|
||||
+ mMockBroadcastDispatcher);
|
||||
+
|
||||
+ manager.setBindService(true);
|
||||
+
|
||||
+ ArgumentCaptor<ServiceConnection> captor = ArgumentCaptor.forClass(ServiceConnection.class);
|
||||
+ verify(mockContext).bindServiceAsUser(any(), captor.capture(), anyInt(), any());
|
||||
+
|
||||
+ captor.getValue().onNullBinding(mTileServiceComponentName);
|
||||
+ verify(mockContext).unbindService(captor.getValue());
|
||||
+ }
|
||||
}
|
44
Patches/LineageOS-16.0/android_system_bt/381894.patch
Normal file
44
Patches/LineageOS-16.0/android_system_bt/381894.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Wed, 29 Nov 2023 00:53:33 +0000
|
||||
Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and
|
||||
attp_build_value_cmd
|
||||
|
||||
this is a backport of Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
|
||||
|
||||
Bug: 276898739
|
||||
Test: manual
|
||||
Tag: #security
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e)
|
||||
Merged-In: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
|
||||
Change-Id: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
|
||||
---
|
||||
btif/src/btif_gatt_util.cc | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/btif/src/btif_gatt_util.cc b/btif/src/btif_gatt_util.cc
|
||||
index 16f227511..a0798df15 100644
|
||||
--- a/btif/src/btif_gatt_util.cc
|
||||
+++ b/btif/src/btif_gatt_util.cc
|
||||
@@ -18,6 +18,8 @@
|
||||
|
||||
#define LOG_TAG "bt_btif_gatt"
|
||||
|
||||
+#include <algorithm>
|
||||
+
|
||||
#include "btif_gatt_util.h"
|
||||
|
||||
#include <errno.h>
|
||||
@@ -48,9 +50,9 @@ using bluetooth::Uuid;
|
||||
void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) {
|
||||
p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
|
||||
p_dest->attr_value.handle = p_src->attr_value.handle;
|
||||
- p_dest->attr_value.len = p_src->attr_value.len;
|
||||
+ p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
|
||||
p_dest->attr_value.offset = p_src->attr_value.offset;
|
||||
- memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
|
||||
+ memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
|
||||
}
|
||||
|
||||
/*******************************************************************************
|
38
Patches/LineageOS-16.0/android_system_bt/381895.patch
Normal file
38
Patches/LineageOS-16.0/android_system_bt/381895.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Wed, 29 Nov 2023 18:23:53 +0000
|
||||
Subject: [PATCH] Fix an OOB write bug in attp_build_read_by_type_value_cmd
|
||||
|
||||
This is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e
|
||||
|
||||
Bug: 297524203
|
||||
Test: m com.android.btservices
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)
|
||||
Merged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181
|
||||
Change-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181
|
||||
---
|
||||
stack/gatt/att_protocol.cc | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
|
||||
index 142216cc9..5bd814c88 100644
|
||||
--- a/stack/gatt/att_protocol.cc
|
||||
+++ b/stack/gatt/att_protocol.cc
|
||||
@@ -157,8 +157,14 @@ BT_HDR* attp_build_read_by_type_value_cmd(uint16_t payload_size,
|
||||
tGATT_FIND_TYPE_VALUE* p_value_type) {
|
||||
uint8_t* p;
|
||||
uint16_t len = p_value_type->value_len;
|
||||
- BT_HDR* p_buf =
|
||||
- (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
|
||||
+ BT_HDR* p_buf = nullptr;
|
||||
+
|
||||
+ if (payload_size < 5) {
|
||||
+ return nullptr;
|
||||
+ }
|
||||
+
|
||||
+ p_buf =
|
||||
+ (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
|
||||
|
||||
p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
|
||||
p_buf->offset = L2CAP_MIN_OFFSET;
|
@ -99,7 +99,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
|
||||
sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
||||
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
|
||||
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
||||
sed -i 's/2022-01-05/2024-01-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-01 #XXX
|
||||
sed -i 's/2022-01-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #P_asb_2024-02 #XXX
|
||||
fi;
|
||||
|
||||
if enterAndClear "build/soong"; then
|
||||
@ -161,10 +161,12 @@ awk -i inplace '!/deletePackage/' pico/src/com/svox/pico/LangPackUninstaller.jav
|
||||
fi;
|
||||
|
||||
if enterAndClear "frameworks/av"; then
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_av/381886.patch"; #R_asb_2024-02 Update mtp packet buffer
|
||||
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "frameworks/base"; then
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/381889-backport.patch"; #R_asb_2024-02 Unbind TileService onNullBinding
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
|
||||
@ -365,6 +367,8 @@ fi;
|
||||
if enterAndClear "system/bt"; then
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377030-backport.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377031.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/381894.patch"; #R_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/381895.patch"; #R_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
|
||||
#applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
|
||||
fi;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user