15.1+16.0: September 2022 ASB picks

16.0 backports thanks to MSe1969 as usual:
https://github.com/lin16-microg/android_system_bt/commits/lineage-16.0 - last 3 commits
https://github.com/lin16-microg/android_frameworks_base/commits/lineage-16.0 - last 4 commits
https://github.com/lin16-microg/android_external_expat/commits/lineage-16.0 - last 4 commits

Signed-off-by: Tad <tad@spotco.us>

Patches/LineageOS-15.1/android_external_expat/337987.patch

@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Thu, 2 Jun 2022 19:32:22 +0000
+Subject: [PATCH] Prevent XML_GetBuffer signed integer overflow
+
+Bug: http://b/221255869
+Change-Id: I38758fae8c71184f728f95e6073457cdb86bcc29
+(cherry picked from commit d6a09f1b7fb24dd03dc58e45062ad951a37ff8e3)
+Merged-In: I38758fae8c71184f728f95e6073457cdb86bcc29
+---
+ lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 2f4e7258..91f50034 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1741,6 +1741,11 @@ XML_GetBuffer(XML_Parser parser, int len)
+     keep = (int)(bufferPtr - buffer);
+     if (keep > XML_CONTEXT_BYTES)
+       keep = XML_CONTEXT_BYTES;
++    /* Detect and prevent integer overflow */
++    if (keep > INT_MAX - neededSize) {
++      parser->m_errorCode = XML_ERROR_NO_MEMORY;
++      return NULL;
++    }
+     neededSize += keep;
+ #endif  /* defined XML_CONTEXT_BYTES */
+     if (neededSize  <= bufferLim - buffer) {

Patches/LineageOS-15.1/android_frameworks_base/337990.patch

@@ -0,0 +1,113 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Manjeet Rulhania <mrulhania@google.com>
+Date: Thu, 28 Apr 2022 20:23:58 +0000
+Subject: [PATCH 1/4] Fix duplicate permission privilege escalation
+
+Duplicate permissions definition with different group allows
+privilege permission escalation to a different permission group.
+
+Android studio and gradle plugin does not allow duplicate
+permissions with different attributes, these tools only allow
+if duplicate permissions are exact copies.
+
+Also platform stores permissions in map at multiple places with
+permission name as key. This suggests that we can disallow
+duplicate permissions during package install/update.
+
+Bug: 213323615
+Test: manual
+Change-Id: I6f44e740897305e7a0553c1cf6c3af37faf02a2e
+Merged-In: I1910dca44104e35a57eba4acfa8188cd9b8626ac
+Merged-In: I34120fff2ec2a158dfa55779d2afd4bbd49487ff
+Merged-In: I9bc839836786a0876e67fd73c05f8944bb532249
+(cherry picked from commit 31bd425bb66b108cdec357a00f4a586379bcd33a)
+Merged-In: I6f44e740897305e7a0553c1cf6c3af37faf02a2e
+---
+ .../android/content/pm/PackageParser.java     | 53 +++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
+index 8c66fb227cf9..349f021c16ad 100644
+--- a/core/java/android/content/pm/PackageParser.java
++++ b/core/java/android/content/pm/PackageParser.java
+@@ -80,6 +80,7 @@ import android.util.ArraySet;
+ import android.util.AttributeSet;
+ import android.util.Base64;
+ import android.util.DisplayMetrics;
++import android.util.EventLog;
+ import android.util.Log;
+ import android.util.Pair;
+ import android.util.Slog;
+@@ -121,6 +122,7 @@ import java.util.Collections;
+ import java.util.Comparator;
+ import java.util.Iterator;
+ import java.util.List;
++import java.util.Objects;
+ import java.util.Set;
+ import java.util.UUID;
+ import java.util.concurrent.Callable;
+@@ -2637,6 +2639,12 @@ public class PackageParser {
+             }
+         }
+ 
++        if (declareDuplicatePermission(pkg)) {
++            outError[0] = "Found duplicate permission with a different attribute value.";
++            mParseError = PackageManager.INSTALL_PARSE_FAILED_MANIFEST_MALFORMED;
++            return null;
++        }
++
+         if (supportsSmallScreens < 0 || (supportsSmallScreens > 0
+                 && pkg.applicationInfo.targetSdkVersion
+                         >= android.os.Build.VERSION_CODES.DONUT)) {
+@@ -2675,6 +2683,51 @@ public class PackageParser {
+         return pkg;
+     }
+ 
++    /**
++     * @return {@code true} if the package declares malformed duplicate permissions.
++     */
++    public static boolean declareDuplicatePermission(@NonNull Package pkg) {
++        final List<Permission> permissions = pkg.permissions;
++        final int size = permissions.size();
++        if (size > 0) {
++            final ArrayMap<String, Permission> checkDuplicatePerm = new ArrayMap<>(size);
++            for (int i = 0; i < size; i++) {
++                final Permission permissionDefinition = permissions.get(i);
++                final String name = permissionDefinition.info.name;
++                final Permission perm = checkDuplicatePerm.get(name);
++                if (isMalformedDuplicate(permissionDefinition, perm)) {
++                    // Fix for b/213323615
++                    EventLog.writeEvent(0x534e4554, "213323615",
++                            "The package " + pkg.packageName + " seems malicious");
++                    return true;
++                }
++                checkDuplicatePerm.put(name, permissionDefinition);
++            }
++        }
++        return false;
++    }
++
++    /**
++     * Determines if a duplicate permission is malformed .i.e. defines different protection level
++     * or group.
++     */
++    private static boolean isMalformedDuplicate(Permission p1, Permission p2) {
++        // Since a permission tree is also added as a permission with normal protection
++        // level, we need to skip if the parsedPermission is a permission tree.
++        if (p1 == null || p2 == null || p1.tree || p2.tree) {
++            return false;
++        }
++
++        if (p1.info.getProtection() != p2.info.getProtection()) {
++            return true;
++        }
++        if (!Objects.equals(p1.info.group, p2.info.group)) {
++            return true;
++        }
++
++        return false;
++    }
++
+     private boolean checkOverlayRequiredSystemProperty(String propName, String propValue) {
+ 
+         if (TextUtils.isEmpty(propName) || TextUtils.isEmpty(propValue)) {

Patches/LineageOS-15.1/android_frameworks_base/337991.patch

@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Steven Moreland <smoreland@google.com>
+Date: Wed, 30 Mar 2022 21:46:29 +0000
+Subject: [PATCH 2/4] Parcel: recycle recycles
+
+Before, it was like getting a used pan with food stuck on it. We run
+a clean ship here. You want a Parcel? You get a fresh Parcel. When
+we recycle a Parcel, we do a real clean-up job. Air freshener. All
+bits brushed over. These Parcel objects are clean as heck now!
+
+(specifically cleans mClassCookies)
+
+Bug: 208279300
+Test: build
+Merged-In: I250872f5c6796bb64e2dc68008154c0e90feb218
+Change-Id: I250872f5c6796bb64e2dc68008154c0e90feb218
+(cherry picked from commit 46770fa49c9a5e51a5ea5a3afc7aab0dba2e59bd)
+(cherry picked from commit b5c79e141a81fa86fc834980d46886ac3c86ab11)
+Merged-In: I250872f5c6796bb64e2dc68008154c0e90feb218
+---
+ core/java/android/os/Parcel.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/core/java/android/os/Parcel.java b/core/java/android/os/Parcel.java
+index 7da3e1fded30..49c22732470f 100644
+--- a/core/java/android/os/Parcel.java
++++ b/core/java/android/os/Parcel.java
+@@ -393,6 +393,7 @@ public final class Parcel {
+      */
+     public final void recycle() {
+         if (DEBUG_RECYCLE) mStack = null;
++        mClassCookies = null;
+         freeBuffer();
+ 
+         final Parcel[] pool;

Patches/LineageOS-15.1/android_frameworks_base/337992-backport.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Adrian Roos <roosa@google.com>
+Date: Thu, 24 Sep 2020 15:30:46 +0200
+Subject: [PATCH 3/4] IMMS: Make IMMS PendingIntents immutable
+
+Fixes: 154913391
+Test: n/a
+Change-Id: I34a95732ef3e7c20d6549b57230c11f0c3db04d6
+Merged-In: I34a95732ef3e7c20d6549b57230c11f0c3db04d6
+(cherry picked from commit d4b625994f7664666ac7b53bf6a7d79a6459b3f1)
+(cherry picked from commit 6842f03c9d2f128785df5ce2bd02c61f35226554)
+(cherry picked from commit 2b859826165bddb11f17b217d097253c442f6045)
+Merged-In: I34a95732ef3e7c20d6549b57230c11f0c3db04d6
+---
+ .../java/com/android/server/InputMethodManagerService.java  | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/services/core/java/com/android/server/InputMethodManagerService.java b/services/core/java/com/android/server/InputMethodManagerService.java
+index d177e596cb04..f6c62addbaa4 100644
+--- a/services/core/java/com/android/server/InputMethodManagerService.java
++++ b/services/core/java/com/android/server/InputMethodManagerService.java
+@@ -1339,7 +1339,8 @@ public class InputMethodManagerService extends IInputMethodManager.Stub
+ 
+         Intent intent = new Intent(ACTION_SHOW_INPUT_METHOD_PICKER)
+                 .setPackage(mContext.getPackageName());
+-        mImeSwitchPendingIntent = PendingIntent.getBroadcast(mContext, 0, intent, 0);
++        mImeSwitchPendingIntent = PendingIntent.getBroadcast(mContext, 0, intent,
++                PendingIntent.FLAG_IMMUTABLE);
+ 
+         mShowOngoingImeSwitcherForPhones = false;
+ 
+@@ -1892,7 +1893,8 @@ public class InputMethodManagerService extends IInputMethodManager.Stub
+         mCurIntent.putExtra(Intent.EXTRA_CLIENT_LABEL,
+                 com.android.internal.R.string.input_method_binding_label);
+         mCurIntent.putExtra(Intent.EXTRA_CLIENT_INTENT, PendingIntent.getActivity(
+-                mContext, 0, new Intent(Settings.ACTION_INPUT_METHOD_SETTINGS), 0));
++                mContext, 0, new Intent(Settings.ACTION_INPUT_METHOD_SETTINGS),
++                PendingIntent.FLAG_IMMUTABLE));
+         if (bindCurrentInputMethodService(mCurIntent, this, IME_CONNECTION_BIND_FLAGS)) {
+             mLastBindTime = SystemClock.uptimeMillis();
+             mHaveConnection = true;

Patches/LineageOS-15.1/android_frameworks_base/337993.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Manjeet Rulhania <mrulhania@google.com>
+Date: Thu, 30 Jun 2022 18:52:50 +0000
+Subject: [PATCH 4/4] Remove package name from SafetyNet logs
+
+Bug: 213323615
+Test: AppSecurityTests
+Change-Id: Ia2be2b1e32dc0b75c352bc15219f4c4de9abb45a
+Merged-In: I993832e148636f1795ffe393c6dc74a08b9442f8
+Merged-In: I8f823487ca16861a35135cfc3383fa2ce8258017
+Merged-In: I4b61d13256ce0bfb8fc9d21db52ee78ce2097f14
+(cherry picked from commit 50d343c656921ba9c730c68b7a41de6b15f57f03)
+Merged-In: Ia2be2b1e32dc0b75c352bc15219f4c4de9abb45a
+---
+ core/java/android/content/pm/PackageParser.java | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
+index 349f021c16ad..118e5c9e6535 100644
+--- a/core/java/android/content/pm/PackageParser.java
++++ b/core/java/android/content/pm/PackageParser.java
+@@ -2697,8 +2697,7 @@ public class PackageParser {
+                 final Permission perm = checkDuplicatePerm.get(name);
+                 if (isMalformedDuplicate(permissionDefinition, perm)) {
+                     // Fix for b/213323615
+-                    EventLog.writeEvent(0x534e4554, "213323615",
+-                            "The package " + pkg.packageName + " seems malicious");
++                    EventLog.writeEvent(0x534e4554, "213323615");
+                     return true;
+                 }
+                 checkDuplicatePerm.put(name, permissionDefinition);

Patches/LineageOS-15.1/android_system_bt/337995-backport.patch

@@ -0,0 +1,115 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chienyuan <chienyuanhuang@google.com>
+Date: Tue, 12 Feb 2019 16:01:00 +0800
+Subject: [PATCH] Fix OOB in bnep_is_packet_allowed
+
+Bug: 112050983
+Test: PoC
+Change-Id: I5d331f46cdba86c8e61de206a2ede1d2b348d7e4
+(cherry picked from commit 230f252b8a1a1073ec1a4081545b2ff62393d16d)
+CRs-Fixed: 3155069
+---
+ stack/bnep/bnep_api.cc   | 13 +++++++++++--
+ stack/bnep/bnep_int.h    |  4 ++--
+ stack/bnep/bnep_utils.cc | 12 +++++++++++-
+ 3 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/stack/bnep/bnep_api.cc b/stack/bnep/bnep_api.cc
+index 4d1c2d99e..817507320 100644
+--- a/stack/bnep/bnep_api.cc
++++ b/stack/bnep/bnep_api.cc
+@@ -360,7 +360,7 @@ tBNEP_RESULT BNEP_WriteBuf(uint16_t handle, const RawAddress& p_dest_addr,
+   /* Check if the packet should be filtered out */
+   p_data = (uint8_t*)(p_buf + 1) + p_buf->offset;
+   if (bnep_is_packet_allowed(p_bcb, p_dest_addr, protocol, fw_ext_present,
+-                             p_data) != BNEP_SUCCESS) {
++                             p_data, p_buf->len) != BNEP_SUCCESS) {
+     /*
+     ** If packet is filtered and ext headers are present
+     ** drop the data and forward the ext headers
+@@ -372,6 +372,11 @@ tBNEP_RESULT BNEP_WriteBuf(uint16_t handle, const RawAddress& p_dest_addr,
+       org_len = p_buf->len;
+       new_len = 0;
+       do {
++        if ((new_len + 2) > org_len) {
++          osi_free(p_buf);
++          return BNEP_IGNORE_CMD;
++        }
++
+         ext = *p_data++;
+         length = *p_data++;
+         p_data += length;
+@@ -466,7 +471,7 @@ tBNEP_RESULT BNEP_Write(uint16_t handle, const RawAddress& p_dest_addr,
+ 
+   /* Check if the packet should be filtered out */
+   if (bnep_is_packet_allowed(p_bcb, p_dest_addr, protocol, fw_ext_present,
+-                             p_data) != BNEP_SUCCESS) {
++                             p_data, len) != BNEP_SUCCESS) {
+     /*
+     ** If packet is filtered and ext headers are present
+     ** drop the data and forward the ext headers
+@@ -479,6 +484,10 @@ tBNEP_RESULT BNEP_Write(uint16_t handle, const RawAddress& p_dest_addr,
+       new_len = 0;
+       p = p_data;
+       do {
++        if ((new_len + 2) > org_len) {
++          return BNEP_IGNORE_CMD;
++        }
++
+         ext = *p_data++;
+         length = *p_data++;
+         p_data += length;
+diff --git a/stack/bnep/bnep_int.h b/stack/bnep/bnep_int.h
+index e25e7f822..1abb3340f 100644
+--- a/stack/bnep/bnep_int.h
++++ b/stack/bnep/bnep_int.h
+@@ -229,8 +229,8 @@ extern void bnep_sec_check_complete(const RawAddress* bd_addr,
+ extern tBNEP_RESULT bnep_is_packet_allowed(tBNEP_CONN* p_bcb,
+                                            const RawAddress& p_dest_addr,
+                                            uint16_t protocol,
+-                                           bool fw_ext_present,
+-                                           uint8_t* p_data);
++                                           bool fw_ext_present, uint8_t* p_data,
++                                           uint16_t org_len);
+ extern uint32_t bnep_get_uuid32(tBT_UUID* src_uuid);
+ 
+ #endif
+diff --git a/stack/bnep/bnep_utils.cc b/stack/bnep/bnep_utils.cc
+index 3bab9eebd..76065dfe5 100644
+--- a/stack/bnep/bnep_utils.cc
++++ b/stack/bnep/bnep_utils.cc
+@@ -1253,23 +1253,33 @@ void bnep_sec_check_complete(UNUSED_ATTR const RawAddress* bd_addr,
+ tBNEP_RESULT bnep_is_packet_allowed(tBNEP_CONN* p_bcb,
+                                     const RawAddress& p_dest_addr,
+                                     uint16_t protocol, bool fw_ext_present,
+-                                    uint8_t* p_data) {
++                                    uint8_t* p_data, uint16_t org_len) {
+   if (p_bcb->rcvd_num_filters) {
+     uint16_t i, proto;
+ 
+     /* Findout the actual protocol to check for the filtering */
+     proto = protocol;
+     if (proto == BNEP_802_1_P_PROTOCOL) {
++      uint16_t new_len = 0;
+       if (fw_ext_present) {
+         uint8_t len, ext;
+         /* parse the extension headers and findout actual protocol */
+         do {
++          if ((new_len + 2) > org_len) {
++            return BNEP_IGNORE_CMD;
++          }
++
+           ext = *p_data++;
+           len = *p_data++;
+           p_data += len;
+ 
++          new_len += (len + 2);
++
+         } while (ext & 0x80);
+       }
++      if ((new_len + 4) > org_len) {
++        return BNEP_IGNORE_CMD;
++      }
+       p_data += 2;
+       BE_STREAM_TO_UINT16(proto, p_data);
+     }

Patches/LineageOS-15.1/android_system_bt/337996.patch

@@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chienyuan <chienyuanhuang@google.com>
+Date: Wed, 30 Jan 2019 19:17:03 +0800
+Subject: [PATCH 1/2] Fix OOB in BNEP_Write
+
+Bug: 112050583
+Test: PoC
+Change-Id: I2ad3aceea38950b83f98819ede47538afb053ac0
+(cherry picked from commit b31554e2a31534888c0eb593d915f735ce4670c7)
+CRs-Fixed: 3155069
+---
+ stack/bnep/bnep_api.cc | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/stack/bnep/bnep_api.cc b/stack/bnep/bnep_api.cc
+index e5d3c0948..4d1c2d99e 100644
+--- a/stack/bnep/bnep_api.cc
++++ b/stack/bnep/bnep_api.cc
+@@ -346,10 +346,15 @@ tBNEP_RESULT BNEP_WriteBuf(uint16_t handle, const RawAddress& p_dest_addr,
+   p_bcb = &(bnep_cb.bcb[handle - 1]);
+   /* Check MTU size */
+   if (p_buf->len > BNEP_MTU_SIZE) {
+-    BNEP_TRACE_ERROR("BNEP_Write() length %d exceeded MTU %d", p_buf->len,
++    BNEP_TRACE_ERROR("%s length %d exceeded MTU %d", __func__, p_buf->len,
+                      BNEP_MTU_SIZE);
+     osi_free(p_buf);
+     return (BNEP_MTU_EXCEDED);
++  } else if (p_buf->len < 2) {
++    BNEP_TRACE_ERROR("%s length %d too short, must be at least 2", __func__,
++                     p_buf->len);
++    osi_free(p_buf);
++    return BNEP_IGNORE_CMD;
+   }
+ 
+   /* Check if the packet should be filtered out */
+@@ -446,9 +451,13 @@ tBNEP_RESULT BNEP_Write(uint16_t handle, const RawAddress& p_dest_addr,
+ 
+   /* Check MTU size. Consider the possibility of having extension headers */
+   if (len > BNEP_MTU_SIZE) {
+-    BNEP_TRACE_ERROR("BNEP_Write() length %d exceeded MTU %d", len,
++    BNEP_TRACE_ERROR("%s length %d exceeded MTU %d", __func__, len,
+                      BNEP_MTU_SIZE);
+     return (BNEP_MTU_EXCEDED);
++  } else if (len < 2) {
++    BNEP_TRACE_ERROR("%s length %d too short, must be at least 2", __func__,
++                     len);
++    return BNEP_IGNORE_CMD;
+   }
+ 
+   if ((!handle) || (handle > BNEP_MAX_CONNECTIONS)) return (BNEP_WRONG_HANDLE);

Patches/LineageOS-15.1/android_system_bt/337997.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Venkata Jagadeesh Garaga <quic_vgaraga@quicinc.com>
+Date: Tue, 22 Mar 2022 13:35:43 +0530
+Subject: [PATCH 2/2] Fix OOB in reassemble_and_dispatch
+
+Fix OOB while reading L2cap length in HCI pkt
+
+Change-Id: I7f32b171e8c68b9724f95fcf2327959539e2d0d5
+CRs-Fixed: 3155132
+---
+ hci/src/packet_fragmenter.cc | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hci/src/packet_fragmenter.cc b/hci/src/packet_fragmenter.cc
+index 4c8906e38..eeaf52b30 100644
+--- a/hci/src/packet_fragmenter.cc
++++ b/hci/src/packet_fragmenter.cc
+@@ -123,12 +123,10 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) {
+   if ((packet->event & MSG_EVT_MASK) == MSG_HC_TO_STACK_HCI_ACL) {
+     uint8_t* stream = packet->data;
+     uint16_t handle;
+-    uint16_t l2cap_length;
+     uint16_t acl_length;
+ 
+     STREAM_TO_UINT16(handle, stream);
+     STREAM_TO_UINT16(acl_length, stream);
+-    STREAM_TO_UINT16(l2cap_length, stream);
+ 
+     CHECK(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE);
+ 
+@@ -163,6 +161,9 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) {
+         return;
+       }
+ 
++      uint16_t l2cap_length;
++      STREAM_TO_UINT16(l2cap_length, stream);
++
+       uint16_t full_length =
+           l2cap_length + L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE;
+ 

Patches/LineageOS-16.0/android_frameworks_base/337992-Backport.patch

@@ -0,0 +1,41 @@
+From 3a1887eb6147d7e51a79c387aaed38c08056c789 Mon Sep 17 00:00:00 2001
+From: Adrian Roos <roosa@google.com>
+Date: Thu, 24 Sep 2020 15:30:46 +0200
+Subject: [PATCH] IMMS: Make IMMS PendingIntents immutable
+
+Fixes: 154913391
+Test: n/a
+Change-Id: I34a95732ef3e7c20d6549b57230c11f0c3db04d6
+Merged-In: I34a95732ef3e7c20d6549b57230c11f0c3db04d6
+(cherry picked from commit d4b625994f7664666ac7b53bf6a7d79a6459b3f1)
+(cherry picked from commit 6842f03c9d2f128785df5ce2bd02c61f35226554)
+(cherry picked from commit 2b859826165bddb11f17b217d097253c442f6045)
+Merged-In: I34a95732ef3e7c20d6549b57230c11f0c3db04d6
+---
+ .../java/com/android/server/InputMethodManagerService.java  | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/services/core/java/com/android/server/InputMethodManagerService.java b/services/core/java/com/android/server/InputMethodManagerService.java
+index 412b314aefbf..e728b0aa92e8 100644
+--- a/services/core/java/com/android/server/InputMethodManagerService.java
++++ b/services/core/java/com/android/server/InputMethodManagerService.java
+@@ -1402,7 +1402,8 @@ public void executeMessage(Message msg) {
+ 
+         Intent intent = new Intent(ACTION_SHOW_INPUT_METHOD_PICKER)
+                 .setPackage(mContext.getPackageName());
+-        mImeSwitchPendingIntent = PendingIntent.getBroadcast(mContext, 0, intent, 0);
++        mImeSwitchPendingIntent = PendingIntent.getBroadcast(mContext, 0, intent,
++                PendingIntent.FLAG_IMMUTABLE);
+ 
+         mShowOngoingImeSwitcherForPhones = false;
+ 
+@@ -2003,7 +2004,8 @@ InputBindResult startInputInnerLocked() {
+         mCurIntent.putExtra(Intent.EXTRA_CLIENT_LABEL,
+                 com.android.internal.R.string.input_method_binding_label);
+         mCurIntent.putExtra(Intent.EXTRA_CLIENT_INTENT, PendingIntent.getActivity(
+-                mContext, 0, new Intent(Settings.ACTION_INPUT_METHOD_SETTINGS), 0));
++                mContext, 0, new Intent(Settings.ACTION_INPUT_METHOD_SETTINGS),
++                PendingIntent.FLAG_IMMUTABLE));
+         if (bindCurrentInputMethodServiceLocked(mCurIntent, this, IME_CONNECTION_BIND_FLAGS)) {
+             mLastBindTime = SystemClock.uptimeMillis();
+             mHaveConnection = true;

Patches/LineageOS-17.1/android_frameworks_base/0014-Sensors_Permission.patch

@@ -34,10 +34,10 @@ index b99634c11742..d74627f45dbd 100644
      field public static final String SENSORS = "android.permission-group.SENSORS";
      field public static final String SMS = "android.permission-group.SMS";
 diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
-index 861b0d922d32..e9a0696ebaff 100644
+index 7f728febe5d9..f9f3ead23fb8 100644
 --- a/core/java/android/content/pm/PackageParser.java
 +++ b/core/java/android/content/pm/PackageParser.java
-@@ -286,6 +286,8 @@ public class PackageParser {
+@@ -288,6 +288,8 @@ public class PackageParser {
      @UnsupportedAppUsage
      public static final PackageParser.NewPermissionInfo NEW_PERMISSIONS[] =
          new PackageParser.NewPermissionInfo[] {

Scripts/LineageOS-15.1/Patch.sh

@@ -74,7 +74,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 if [ "$DOS_SILENCE_INCLUDED" = true ]; then sed -i 's/messaging/Silence/' target/product/aosp_base_telephony.mk target/product/treble_common.mk; fi; #Replace the Messaging app with Silence
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2022-08-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2022-09-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -96,6 +96,10 @@ if [ "$(type -t DOS_WEBVIEW_CHERRYPICK)" = "alias" ] ; then DOS_WEBVIEW_CHERRYPI
 if [ "$DOS_WEBVIEW_LFS" = true ]; then git lfs pull; fi; #Ensure the objects are available
 fi;
 
+if enterAndClear "external/expat"; then
+applyPatch "$DOS_PATCHES/android_external_expat/337987.patch"; #Q_asb_2022-09 Prevent XML_GetBuffer signed integer overflow
+fi;
+
 #if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then
 #if enterAndClear "external/hardened_malloc"; then
 #applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Audio.patch"; #DeviceDescriptor sorting wrongly relies on malloc addresses (GrapheneOS)
@@ -126,6 +130,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/335117-backport.patch"; #P_asb_
 #applyPatch "$DOS_PATCHES/android_frameworks_base/335119.patch"; #P_asb_2022-08 Remove package title from notification access confirmation intent TODO: 335116 must be backported
 applyPatch "$DOS_PATCHES/android_frameworks_base/335120.patch"; #P_asb_2022-08 Stop using invalid URL to prevent unexpected crash
 applyPatch "$DOS_PATCHES/android_frameworks_base/335121-backport.patch"; #P_asb_2022-08 Only allow the system server to connect to sync adapters
+applyPatch "$DOS_PATCHES/android_frameworks_base/337990.patch"; #Q_asb_2022-09 Fix duplicate permission privilege escalation
+applyPatch "$DOS_PATCHES/android_frameworks_base/337991.patch"; #Q_asb_2022-09 Parcel: recycle recycles
+applyPatch "$DOS_PATCHES/android_frameworks_base/337992-backport.patch"; #Q_asb_2022-09 IMMS: Make IMMS PendingIntents immutable
+applyPatch "$DOS_PATCHES/android_frameworks_base/337993.patch"; #Q_asb_2022-09 Remove package name from SafetyNet logs
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
@@ -302,6 +310,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/334266.patch"; #P_asb_2022-07 Securit
 applyPatch "$DOS_PATCHES/android_system_bt/334267.patch"; #P_asb_2022-07 Check Avrcp packet vendor length before extracting length
 applyPatch "$DOS_PATCHES/android_system_bt/334268.patch"; #P_asb_2022-07 Security: Fix out of bound read in AT_SKIP_REST
 applyPatch "$DOS_PATCHES/android_system_bt/335109.patch"; #P_asb_2022-08 Removing bonded device when auth fails due to missing keys
+applyPatch "$DOS_PATCHES/android_system_bt/337995-backport.patch"; #Q_asb_2022-09 Fix OOB in bnep_is_packet_allowed
+applyPatch "$DOS_PATCHES/android_system_bt/337996.patch"; #Q_asb_2022-09 Fix OOB in BNEP_Write
+applyPatch "$DOS_PATCHES/android_system_bt/337997.patch"; #Q_asb_2022-09 Fix OOB in reassemble_and_dispatch
 fi;
 
 if enterAndClear "system/core"; then

Scripts/LineageOS-16.0/Patch.sh

@@ -98,7 +98,7 @@ sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 if [ "$DOS_SILENCE_INCLUDED" = true ]; then sed -i 's/messaging/Silence/' target/product/aosp_base_telephony.mk target/product/treble_common.mk; fi; #Replace the Messaging app with Silence
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2022-01-05/2022-08-05/' core/version_defaults.mk; #Bump Security String #P_asb_2022-08 #XXX
+sed -i 's/2022-01-05/2022-09-05/' core/version_defaults.mk; #Bump Security String #P_asb_2022-09 #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -119,6 +119,13 @@ if enterAndClear "external/conscrypt"; then
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_external_conscrypt/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
 
+if enterAndClear "external/expat"; then
+git fetch https://github.com/LineageOS/android_external_expat refs/changes/86/337986/2 && git cherry-pick FETCH_HEAD; #Q_asb_2022-09
+git fetch https://github.com/LineageOS/android_external_expat refs/changes/87/337987/2 && git cherry-pick FETCH_HEAD;
+git fetch https://github.com/LineageOS/android_external_expat refs/changes/88/337988/2 && git cherry-pick FETCH_HEAD;
+git fetch https://github.com/LineageOS/android_external_expat refs/changes/89/337989/2 && git cherry-pick FETCH_HEAD;
+fi;
+
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then
 if enterAndClear "external/hardened_malloc"; then
 applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Audio.patch"; #DeviceDescriptor sorting wrongly relies on malloc addresses (GrapheneOS)
@@ -138,6 +145,10 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_fram
 fi;
 
 if enterAndClear "frameworks/base"; then
+git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/90/337990/2 && git cherry-pick FETCH_HEAD; #Q_asb_2022-09
+git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/91/337991/2 && git cherry-pick FETCH_HEAD;
+applyPatch "$DOS_PATCHES/android_frameworks_base/337992-Backport.patch"; #(MSe1969)
+git fetch https://github.com/LineageOS/android_frameworks_base refs/changes/93/337993/2 && git cherry-pick FETCH_HEAD;
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@@ -311,9 +322,12 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0001-PREREQ_Handle_
 applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred_Network_Modes.patch";
 fi;
 
-#if enterAndClear "system/bt"; then
+if enterAndClear "system/bt"; then
+git fetch https://github.com/LineageOS/android_vendor_qcom_opensource_system_bt refs/changes/95/337995/1 && git cherry-pick FETCH_HEAD; #Q_asb_2022-09
+git fetch https://github.com/LineageOS/android_vendor_qcom_opensource_system_bt refs/changes/96/337996/1 && git cherry-pick FETCH_HEAD;
+git fetch https://github.com/LineageOS/android_vendor_qcom_opensource_system_bt refs/changes/97/337997/1 && git cherry-pick FETCH_HEAD;
 #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
-#fi;
+fi;
 
 if enterAndClear "system/core"; then
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file

Scripts/LineageOS-17.1/Functions.sh

@@ -81,9 +81,8 @@ patchWorkspace() {
 	gpgVerifyGitTag "$DOS_BUILD_BASE/external/hardened_malloc";
 	gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
 
-	source build/envsetup.sh;
+	#source build/envsetup.sh;
 	#repopick -it ten-firewall;
-	repopick -it Q_asb_2022-09;
 
 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";

Scripts/LineageOS-17.1/Patch.sh

@@ -97,7 +97,6 @@ if [ "$DOS_SILENCE_INCLUDED" = true ]; then sed -i 's/messaging/Silence/' target
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
-sed -i 's/2022-08-05/2022-09-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2022-09 #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -119,13 +118,6 @@ if enterAndClear "external/conscrypt"; then
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_external_conscrypt/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
 
-if enterAndClear "external/expat"; then
-git fetch https://github.com/LineageOS/android_external_expat refs/changes/86/337986/1 && git cherry-pick FETCH_HEAD; #Q_asb_2022-09
-git fetch https://github.com/LineageOS/android_external_expat refs/changes/87/337987/1 && git cherry-pick FETCH_HEAD;
-git fetch https://github.com/LineageOS/android_external_expat refs/changes/88/337988/1 && git cherry-pick FETCH_HEAD;
-git fetch https://github.com/LineageOS/android_external_expat refs/changes/89/337989/1 && git cherry-pick FETCH_HEAD;
-fi;
-
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then
 if enterAndClear "external/hardened_malloc"; then
 applyPatch "$DOS_PATCHES/android_external_hardened_malloc/0001-Broken_Cameras.patch"; #Expand workaround to all camera executables (DivestOS)

Scripts/LineageOS-18.1/Functions.sh

@@ -122,12 +122,11 @@ patchWorkspace() {
 	gpgVerifyGitTag "$DOS_BUILD_BASE/external/hardened_malloc";
 	gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
 
-	source build/envsetup.sh;
+	#source build/envsetup.sh;
 	#repopick -it eleven-firewall;
 	#repopick -i 314130; #adbconnection: don't spin if adbd isn't running
 	#repopick -i 314453; #TaskViewTouchController: Null check current animation on drag
 	#repopick -i 325011; #lineage: Opt-in to shipping full recovery image by default
-	repopick -it R_asb_2022-09;
 
 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";

Scripts/LineageOS-18.1/Patch.sh

@@ -96,7 +96,6 @@ if [ "$DOS_SILENCE_INCLUDED" = true ]; then sed -i 's/messaging/Silence/' target
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
-sed -i 's/2022-08-05/2022-09-05/' core/version_defaults.mk; #Bump Security String #R_asb_2022-09 #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -118,13 +117,6 @@ if enterAndClear "external/conscrypt"; then
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_external_conscrypt/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
 
-if enterAndClear "external/expat"; then
-git fetch https://github.com/LineageOS/android_external_expat refs/changes/66/337966/1 && git cherry-pick FETCH_HEAD; #R_asb_2022-09
-git fetch https://github.com/LineageOS/android_external_expat refs/changes/67/337967/1 && git cherry-pick FETCH_HEAD;
-git fetch https://github.com/LineageOS/android_external_expat refs/changes/68/337968/1 && git cherry-pick FETCH_HEAD;
-git fetch https://github.com/LineageOS/android_external_expat refs/changes/69/337969/1 && git cherry-pick FETCH_HEAD;
-fi;
-
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then
 if enterAndClear "external/hardened_malloc"; then
 applyPatch "$DOS_PATCHES/android_external_hardened_malloc/0001-Broken_Cameras.patch"; #Expand workaround to all camera executables (DivestOS)

Scripts/LineageOS-19.1/Functions.sh

@@ -114,8 +114,7 @@ patchWorkspace() {
 	gpgVerifyGitTag "$DOS_BUILD_BASE/external/SecureCamera";
 	gpgVerifyGitHead "$DOS_BUILD_BASE/external/chromium-webview";
 
-	source build/envsetup.sh;
-	repopick -it S_asb_2022-09;
+	#source build/envsetup.sh;
 
 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";

Scripts/LineageOS-19.1/Patch.sh

@@ -97,7 +97,6 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 awk -i inplace '!/updatable_apex.mk/' target/product/generic_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
-sed -i 's/2022-08-05/2022-09-05/' core/version_defaults.mk; #Bump Security String #S_asb_2022-09 #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -114,13 +113,6 @@ if enterAndClear "external/conscrypt"; then
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_external_conscrypt/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
 
-if enterAndClear "external/expat"; then
-git fetch https://github.com/LineageOS/android_external_expat refs/changes/00/337900/1 && git cherry-pick FETCH_HEAD; #S_asb_2022-09
-git fetch https://github.com/LineageOS/android_external_expat refs/changes/01/337901/1 && git cherry-pick FETCH_HEAD;
-git fetch https://github.com/LineageOS/android_external_expat refs/changes/02/337902/1 && git cherry-pick FETCH_HEAD;
-git fetch https://github.com/LineageOS/android_external_expat refs/changes/03/337903/1 && git cherry-pick FETCH_HEAD;
-fi;
-
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then
 if enterAndClear "external/hardened_malloc"; then
 applyPatch "$DOS_PATCHES/android_external_hardened_malloc/0001-Broken_Cameras-1.patch"; #Workarounds for Pixel 3 SoC era camera driver bugs (GrapheneOS)