From e7b390d7e67a9c95c2bd21c96441a7492c578ce4 Mon Sep 17 00:00:00 2001
From: Tad
Date: Fri, 9 Jun 2023 17:49:40 -0400
Subject: [PATCH] Picks https://review.lineageos.org/q/topic:%22n-asb-2023-06%22
Signed-off-by: Tad
---
 .../android_frameworks_av/358729.patch | 75 ++++++++++
 .../android_frameworks_base/358732.patch | 77 ++++++++++
 .../android_frameworks_base/358733.patch | 52 +++++++
 .../android_frameworks_base/358734.patch | 81 ++++++++++
 .../358738.patch | 28 ++++
 .../358739.patch | 27 ++++
 .../android_system_bt/358735.patch | 105 +++++++++++++
 .../android_system_bt/358736.patch | 139 ++++++++++++++++++
 .../android_system_bt/358737.patch | 84 +++++++++++
 Scripts/LineageOS-14.1/Patch.sh | 14 +-
 10 files changed, 681 insertions(+), 1 deletion(-)
 create mode 100644 Patches/LineageOS-14.1/android_frameworks_av/358729.patch
 create mode 100644 Patches/LineageOS-14.1/android_frameworks_base/358732.patch
 create mode 100644 Patches/LineageOS-14.1/android_frameworks_base/358733.patch
 create mode 100644 Patches/LineageOS-14.1/android_frameworks_base/358734.patch
 create mode 100644 Patches/LineageOS-14.1/android_packages_apps_Settings/358738.patch
 create mode 100644 Patches/LineageOS-14.1/android_packages_apps_TvSettings/358739.patch
 create mode 100644 Patches/LineageOS-14.1/android_system_bt/358735.patch
 create mode 100644 Patches/LineageOS-14.1/android_system_bt/358736.patch
 create mode 100644 Patches/LineageOS-14.1/android_system_bt/358737.patch
diff --git a/Patches/LineageOS-14.1/android_frameworks_av/358729.patch b/Patches/LineageOS-14.1/android_frameworks_av/358729.patch
new file mode 100644
index 00000000..39a8a30b
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_av/358729.patch
@@ -0,0 +1,75 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ray Essick +Date: Mon, 27 Mar 2023 18:16:46 -0500 +Subject: [PATCH] Fix NuMediaExtractor::readSampleData buffer Handling + +readSampleData() did not initialize buffer before filling it, +leading to OOB memory references. Correct and clarify the book +keeping around output buffer management. + +Bug: 275418191 +Test: CtsMediaExtractorTestCases w/debug messages +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:943fc12219b21d2a98f0ddc070b9b316a6f5d412) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:84c69bca81175feb2fd97ebb22e432ee41572786) +Merged-In: Ie744f118526f100d82a312c64f7c6fcf20773b6d +Change-Id: Ie744f118526f100d82a312c64f7c6fcf20773b6d +--- + media/libstagefright/NuMediaExtractor.cpp | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/media/libstagefright/NuMediaExtractor.cpp b/media/libstagefright/NuMediaExtractor.cpp +index c3e8f20473..40fe71866e 100644 +--- a/media/libstagefright/NuMediaExtractor.cpp ++++ b/media/libstagefright/NuMediaExtractor.cpp +@@ -481,9 +481,11 @@ status_t NuMediaExtractor::appendVorbisNumPageSamples(TrackInfo *info, const sp< + numPageSamples = -1; + } + ++ // insert, including accounting for the space used. 
+ memcpy((uint8_t *)buffer->data() + info->mSample->range_length(), + &numPageSamples, + sizeof(numPageSamples)); ++ buffer->setRange(buffer->offset(), buffer->size() + sizeof(numPageSamples)); + + uint32_t type; + const void *data; +@@ -532,6 +534,8 @@ status_t NuMediaExtractor::readSampleData(const sp &buffer) { + + ssize_t minIndex = fetchTrackSamples(); + ++ buffer->setRange(0, 0); // start with an empty buffer ++ + if (minIndex < 0) { + return ERROR_END_OF_STREAM; + } +@@ -546,25 +550,25 @@ status_t NuMediaExtractor::readSampleData(const sp &buffer) { + sampleSize += sizeof(int32_t); + } + ++ // capacity() is ok since we cleared out the buffer + if (buffer->capacity() < sampleSize) { + return -ENOMEM; + } + ++ const size_t srclen = info->mSample->range_length(); + const uint8_t *src = + (const uint8_t *)info->mSample->data() + + info->mSample->range_offset(); + +- memcpy((uint8_t *)buffer->data(), src, info->mSample->range_length()); ++ memcpy((uint8_t *)buffer->data(), src, srclen); ++ buffer->setRange(0, srclen); + + status_t err = OK; + if (info->mTrackFlags & kIsVorbis) { ++ // adjusts range when it inserts the extra bits + err = appendVorbisNumPageSamples(info, buffer); + } + +- if (err == OK) { +- buffer->setRange(0, sampleSize); +- } +- + return err; + } + diff --git a/Patches/LineageOS-14.1/android_frameworks_base/358732.patch b/Patches/LineageOS-14.1/android_frameworks_base/358732.patch new file mode 100644 index 00000000..bd700fe9 --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_base/358732.patch 
@@ -0,0 +1,77 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Valentin Iftime +Date: Wed, 22 Feb 2023 09:38:55 +0100 +Subject: [PATCH] Prevent RemoteViews crashing SystemUi + + Catch canvas drawing exceptions caused by unsuported image sizes. + +Test: 1. Post a custom view notification with a layout + containing an ImageView that references a 5k x 5k image +2. Add an App Widget to the home screen with that has the + layout mentioned above as preview/initial layout. + +Bug: 268193777 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cfc0b34432ab54e3fa472db5c43e620293f64a5d) +Merged-In: Ib3bda769c499b4069b49c566b1b227f98f707a8a +Change-Id: Ib3bda769c499b4069b49c566b1b227f98f707a8a +--- + .../android/appwidget/AppWidgetHostView.java | 38 ++++++++++++++----- + 1 file changed, 28 insertions(+), 10 deletions(-) + +diff --git a/core/java/android/appwidget/AppWidgetHostView.java b/core/java/android/appwidget/AppWidgetHostView.java +index 5d99ada9a024..07a23916b4c9 100644 +--- a/core/java/android/appwidget/AppWidgetHostView.java ++++ b/core/java/android/appwidget/AppWidgetHostView.java +@@ -248,19 +248,26 @@ public class AppWidgetHostView extends FrameLayout { + super.onLayout(changed, left, top, right, bottom); + } catch (final RuntimeException e) { + Log.e(TAG, "Remote provider threw runtime exception, using error view instead.", e); +- removeViewInLayout(mView); +- View child = getErrorView(); +- prepareView(child); +- addViewInLayout(child, 0, child.getLayoutParams()); +- measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY), +- MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY)); +- child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight, +- child.getMeasuredHeight() + mPaddingTop + mPaddingBottom); +- mView = child; +- mViewMode = VIEW_MODE_ERROR; ++ handleViewError(); + } + } + ++ /** ++ * Remove bad view and replace with error 
message view ++ */ ++ private void handleViewError() { ++ removeViewInLayout(mView); ++ View child = getErrorView(); ++ prepareView(child); ++ addViewInLayout(child, 0, child.getLayoutParams()); ++ measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY), ++ MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY)); ++ child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight, ++ child.getMeasuredHeight() + mPaddingTop + mPaddingBottom); ++ mView = child; ++ mViewMode = VIEW_MODE_ERROR; ++ } ++ + /** + * Provide guidance about the size of this widget to the AppWidgetManager. The widths and + * heights should correspond to the full area the AppWidgetHostView is given. Padding added by +@@ -767,4 +774,15 @@ public class AppWidgetHostView extends FrameLayout { + } + }; + } ++ ++ @Override ++ protected void dispatchDraw(Canvas canvas) { ++ try { ++ super.dispatchDraw(canvas); ++ } catch (Exception e) { ++ // Catch draw exceptions that may be caused by RemoteViews ++ Log.e(TAG, "Drawing view failed: " + e); ++ post(this::handleViewError); ++ } ++ } + } diff --git a/Patches/LineageOS-14.1/android_frameworks_base/358733.patch b/Patches/LineageOS-14.1/android_frameworks_base/358733.patch new file mode 100644 index 00000000..dad925e0 --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_base/358733.patch 
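Review bot: The new `dispatchDraw` catch at the end of the hunk logs `"Drawing view failed: " + e`, which discards the stack trace, while the `onLayout` catch earlier in the same hunk passes the exception as the throwable argument; use the same form, `Log.e(TAG, "Drawing view failed", e);`, so the offending RemoteViews layout can be identified from the log. The handler also catches `Exception` where `onLayout` catches `RuntimeException`; if that widening is deliberate a short comment saying why would help. Since `post(this::handleViewError)` defers the swap to a later frame, it is worth confirming that a draw failure in the replacement error view cannot re-enter this path and post again indefinitely — that cannot be judged from the hunk.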
@@ -0,0 +1,52 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Lee +Date: Fri, 17 Feb 2023 16:05:17 -0800 +Subject: [PATCH] Check key intent for selectors and prohibited flags + +Bug: 265015796 +Test: atest +FrameworksServicesTests: com.android.server.accounts.AccountManagerServiceTest +(cherry picked from commit e53a96304352e2965176c8d32ac1b504e52ef185) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:92114886bdce8467c52c655c186f3e7ab1e134d8) +Merged-In: Ie16f8654337bd75eaad3156817470674b4f0cee3 +Change-Id: Ie16f8654337bd75eaad3156817470674b4f0cee3 +--- + .../server/accounts/AccountManagerService.java | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index b27f9b08c05e..bdbf03eda2f5 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -4244,10 +4244,6 @@ public class AccountManagerService + if (intent.getClipData() == null) { + intent.setClipData(ClipData.newPlainText(null, null)); + } +- intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION +- | Intent.FLAG_GRANT_WRITE_URI_PERMISSION +- | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION +- | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION)); + long bid = Binder.clearCallingIdentity(); + try { + PackageManager pm = mContext.getPackageManager(); +@@ -4290,7 +4286,19 @@ public class AccountManagerService + if (intent == null) { + return (simulateIntent == null); + } +- return intent.filterEquals(simulateIntent); ++ if (!intent.filterEquals(simulateIntent)) { ++ return false; ++ } ++ ++ if (intent.getSelector() != simulateIntent.getSelector()) { ++ return false; ++ } ++ ++ int prohibitedFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION 
++ | Intent.FLAG_GRANT_WRITE_URI_PERMISSION ++ | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION ++ | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION; ++ return (simulateIntent.getFlags() & prohibitedFlags) == 0; + } + + private void close() { diff --git a/Patches/LineageOS-14.1/android_frameworks_base/358734.patch b/Patches/LineageOS-14.1/android_frameworks_base/358734.patch new file mode 100644 index 00000000..bed040a4 --- /dev/null +++ b/Patches/LineageOS-14.1/android_frameworks_base/358734.patch 
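Review bot: The added selector check `intent.getSelector() != simulateIntent.getSelector()` is a reference comparison, so two non-null selectors that are filter-equal still fail it; if the rule is "any selector on the key intent is rejected" that is correct but not obvious from the code, and a maintainer could later "fix" it to `filterEquals`. Suggest stating the intent at that line, e.g. `// Reference compare is deliberate: a key intent carrying any selector is rejected`. Note also that the first hunk drops the flag-stripping `setFlags` call, so there is no longer a sanitizing path — an intent with grant flags is now refused outright rather than cleaned, which the commit title implies is intended. The enclosing method starts outside the hunk.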
@@ -0,0 +1,81 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kweku Adams +Date: Wed, 21 Sep 2022 22:13:01 +0000 +Subject: [PATCH] Handle invalid data during job loading. + +Catch exceptions that may be thrown if invalid data ended up in the +persisted job file. + +Bug: 246541702 +Bug: 246542132 +Bug: 246542285 +Bug: 246542330 +Test: install test app with invalid job config, start app to schedule job, then reboot device +(cherry picked from commit c98fb42b480b3beedc2d94de6110f50212c4aa0b) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df1ba00dd9f64a3ae9a9e05979dfae6a15c7e203) +Merged-In: Id0ceba345942baf21177f687b8dd85ef001c0a9e +Change-Id: Id0ceba345942baf21177f687b8dd85ef001c0a9e +--- + .../java/com/android/server/job/JobStore.java | 28 +++++++++++++++++-- + 1 file changed, 25 insertions(+), 3 deletions(-) + +diff --git a/services/core/java/com/android/server/job/JobStore.java b/services/core/java/com/android/server/job/JobStore.java +index 602b9c755e88..80750ab0b927 100644 +--- a/services/core/java/com/android/server/job/JobStore.java ++++ b/services/core/java/com/android/server/job/JobStore.java +@@ -464,6 +464,12 @@ public class JobStore { + if (JobSchedulerService.DEBUG) { + Slog.d(TAG, "Error parsing xml.", e); + } ++ } catch (Exception e) { ++ if (JobSchedulerService.DEBUG) { ++ // Crashing at this point would result in a boot loop, so live with a general ++ // Exception for system stability's sake. 
++ Slog.d(TAG, "Unexpected exception", e); ++ } + } + } + +@@ -575,6 +581,15 @@ public class JobStore { + } catch (NumberFormatException e) { + Slog.d(TAG, "Error reading constraints, skipping."); + return null; ++ } catch (XmlPullParserException e) { ++ Slog.d(TAG, "Error Parser Exception.", e); ++ return null; ++ } catch (IOException e) { ++ Slog.d(TAG, "Error I/O Exception.", e); ++ return null; ++ } catch (IllegalArgumentException e) { ++ Slog.e(TAG, "Constraints contained invalid data", e); ++ return null; + } + parser.next(); // Consume + +@@ -668,8 +683,14 @@ public class JobStore { + return null; + } + +- PersistableBundle extras = PersistableBundle.restoreFromXml(parser); +- jobBuilder.setExtras(extras); ++ final PersistableBundle extras; ++ try { ++ extras = PersistableBundle.restoreFromXml(parser); ++ jobBuilder.setExtras(extras); ++ } catch (IllegalArgumentException e) { ++ Slog.e(TAG, "Persisted extras contained invalid data", e); ++ return null; ++ } + parser.nextTag(); // Consume + + // Migrate sync jobs forward from earlier, incomplete representation +@@ -700,7 +721,8 @@ public class JobStore { + return new JobInfo.Builder(jobId, cname); + } + +- private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser) { ++ private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser) ++ throws XmlPullParserException, IOException { + String val = parser.getAttributeValue(null, "connectivity"); + if (val != null) { + jobBuilder.setRequiredNetworkType(JobInfo.NETWORK_TYPE_ANY); diff --git a/Patches/LineageOS-14.1/android_packages_apps_Settings/358738.patch b/Patches/LineageOS-14.1/android_packages_apps_Settings/358738.patch new file mode 100644 index 00000000..5106ab1d --- /dev/null +++ b/Patches/LineageOS-14.1/android_packages_apps_Settings/358738.patch 
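Review bot: The new `catch (Exception e)` in the first hunk logs only when `JobSchedulerService.DEBUG` is set, so on a production build a persisted job file that trips this path is dropped with no record at all; the other catches added by the same patch (`"Constraints contained invalid data"`, `"Persisted extras contained invalid data"`) log unconditionally. A corrupted or tampered job store is exactly the event an operator wants to see, so move the log outside the guard, e.g. `Slog.e(TAG, "Unexpected exception while reading persisted jobs", e);`, keeping the boot-loop rationale comment as is. The enclosing method starts outside the hunk.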
@@ -0,0 +1,28 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Dmitry Dementyev +Date: Tue, 7 Mar 2023 10:36:41 -0800 +Subject: [PATCH] Convert argument to intent in AddAccountSettings. + +Bug: 265798353 +Test: manual +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7e8052b527434ed8660e3babdab718f7f3cd7da) +Merged-In: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a +Change-Id: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a +--- + src/com/android/settings/accounts/AddAccountSettings.java | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/com/android/settings/accounts/AddAccountSettings.java b/src/com/android/settings/accounts/AddAccountSettings.java +index ce16ba3d5a..c2613e7fbc 100644 +--- a/src/com/android/settings/accounts/AddAccountSettings.java ++++ b/src/com/android/settings/accounts/AddAccountSettings.java +@@ -102,7 +102,8 @@ public class AddAccountSettings extends Activity { + addAccountOptions.putParcelable(EXTRA_USER, mUserHandle); + intent.putExtras(addAccountOptions); + intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); +- startActivityForResultAsUser(intent, ADD_ACCOUNT_REQUEST, mUserHandle); ++ startActivityForResultAsUser( ++ new Intent(intent), ADD_ACCOUNT_REQUEST, mUserHandle); + } else { + setResult(RESULT_OK); + if (mPendingIntent != null) { diff --git a/Patches/LineageOS-14.1/android_packages_apps_TvSettings/358739.patch b/Patches/LineageOS-14.1/android_packages_apps_TvSettings/358739.patch new file mode 100644 index 00000000..1734779b --- /dev/null +++ b/Patches/LineageOS-14.1/android_packages_apps_TvSettings/358739.patch 
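Review bot: `new Intent(intent)` reads as a redundant copy, and neither this hunk nor the matching one-line change in 358739 (the next hunk) says why the Intent is copied before it is launched, so the copy is at risk of being simplified away later. A one-line comment at each call site would preserve it, e.g. `// Launch a fresh copy rather than the Intent object we were handed`; in the TvSettings case the surrounding log message shows the Intent comes from the authenticator, and presumably the same applies here, though that is not visible in this hunk.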
@@ -0,0 +1,27 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Dmitry Dementyev +Date: Tue, 7 Mar 2023 10:55:07 -0800 +Subject: [PATCH] Convert argument to intent in addAccount TvSettings. + +Bug: 265798353 +Test: manual +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:706edcb7532d74788f899968016b7a6273bfbcac) +Merged-In: I06a63078f55ee8169123b1dfcf1811e682e0776e +Change-Id: I06a63078f55ee8169123b1dfcf1811e682e0776e +--- + .../tv/settings/accounts/AddAccountWithTypeActivity.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java b/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java +index 5f1dc0977..6294128f6 100644 +--- a/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java ++++ b/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java +@@ -50,7 +50,7 @@ public class AddAccountWithTypeActivity extends Activity { + Log.e(TAG, "Failed to retrieve add account intent from authenticator"); + setResultAndFinish(Activity.RESULT_CANCELED); + } else { +- startActivityForResult(addAccountIntent, REQUEST_ADD_ACCOUNT); ++ startActivityForResult(new Intent(addAccountIntent), REQUEST_ADD_ACCOUNT); + } + } catch (IOException|AuthenticatorException|OperationCanceledException e) { + Log.e(TAG, "Failed to get add account intent: ", e); diff --git a/Patches/LineageOS-14.1/android_system_bt/358735.patch b/Patches/LineageOS-14.1/android_system_bt/358735.patch new file mode 100644 index 00000000..13d71cfc --- /dev/null +++ b/Patches/LineageOS-14.1/android_system_bt/358735.patch 
@@ -0,0 +1,105 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Tue, 11 Oct 2022 21:23:22 +0000 +Subject: [PATCH] Prevent use-after-free of HID reports + +BTA sends the the HID report pointer to BTIF and deallocates it immediately. +This is now prevented by providing a deep copy callback function for HID +reports when tranferring context from BTA to BTIF. + +This is a backport of change Icef7a7ed1185b4283ee4fe4f812ca154d8f1b825, +already merged on T for b/227620181. + +Bug: 228837201 +Test: Validated against researcher POC, ran BT unit tests, played audio +manually. +Tag: #security +Ignore-AOSP-First: Security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:874c495c886cd8722625756dc5fd0634b16b4f42) +Merged-In: Ib837f395883de2369207f1b3b974d6bff02dcb19 +Change-Id: Ib837f395883de2369207f1b3b974d6bff02dcb19 +--- + btif/src/btif_hh.c | 49 +++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 46 insertions(+), 3 deletions(-) + +diff --git a/btif/src/btif_hh.c b/btif/src/btif_hh.c +index a4057cca5..69e87b9f8 100644 +--- a/btif/src/btif_hh.c ++++ b/btif/src/btif_hh.c +@@ -1093,6 +1093,38 @@ static void btif_hh_upstreams_evt(UINT16 event, char* p_param) + } + } + ++/******************************************************************************* ++ * ++ * Function btif_hh_hsdata_rpt_copy_cb ++ * ++ * Description Deep copies the tBTA_HH_HSDATA structure ++ * ++ * Returns void ++ * ++ ******************************************************************************/ ++ ++static void btif_hh_hsdata_rpt_copy_cb(UINT16 event, char* p_dest, ++ char* p_src) { ++ tBTA_HH_HSDATA* p_dst_data = (tBTA_HH_HSDATA*)p_dest; ++ tBTA_HH_HSDATA* p_src_data = (tBTA_HH_HSDATA*)p_src; ++ BT_HDR* hdr; ++ ++ if (!p_src) { ++ BTIF_TRACE_ERROR("%s: Nothing to copy", __func__); ++ return; ++ } ++ ++ memcpy(p_dst_data, p_src_data, sizeof(tBTA_HH_HSDATA)); ++ ++ hdr = p_src_data->rsp_data.p_rpt_data; ++ if 
(hdr != NULL) { ++ UINT8* p_data = ((UINT8*)p_dst_data) + sizeof(tBTA_HH_HSDATA); ++ memcpy(p_data, hdr, BT_HDR_SIZE + hdr->offset + hdr->len); ++ ++ p_dst_data->rsp_data.p_rpt_data = (BT_HDR*)p_data; ++ } ++} ++ + /******************************************************************************* + ** + ** Function bte_hh_evt +@@ -1107,6 +1139,7 @@ static void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH *p_data) + { + bt_status_t status; + int param_len = 0; ++ tBTIF_COPY_CBACK* p_copy_cback = NULL; + + if (BTA_HH_ENABLE_EVT == event) + param_len = sizeof(tBTA_HH_STATUS); +@@ -1118,16 +1151,26 @@ static void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH *p_data) + param_len = sizeof(tBTA_HH_CBDATA); + else if (BTA_HH_GET_DSCP_EVT == event) + param_len = sizeof(tBTA_HH_DEV_DSCP_INFO); +- else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_RPT_EVT == event)|| (BTA_HH_GET_IDLE_EVT == event)) ++ else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_IDLE_EVT == event)) + param_len = sizeof(tBTA_HH_HSDATA); +- else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) || (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event)) ++ else if (BTA_HH_GET_RPT_EVT == event) { ++ BT_HDR* hdr = p_data->hs_data.rsp_data.p_rpt_data; ++ param_len = sizeof(tBTA_HH_HSDATA); ++ ++ if (hdr != NULL) { ++ p_copy_cback = btif_hh_hsdata_rpt_copy_cb; ++ param_len += BT_HDR_SIZE + hdr->offset + hdr->len; ++ } ++ } else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) || ++ (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event)) + param_len = sizeof(tBTA_HH_CBDATA); + else if ((BTA_HH_ADD_DEV_EVT == event) || (BTA_HH_RMV_DEV_EVT == event) ) + param_len = sizeof(tBTA_HH_DEV_INFO); + else if (BTA_HH_API_ERR_EVT == event) + param_len = 0; + /* switch context to btif task context (copy full union size for convenience) */ +- status = btif_transfer_context(btif_hh_upstreams_evt, (uint16_t)event, (void*)p_data, param_len, NULL); ++ status = 
btif_transfer_context(btif_hh_upstreams_evt, (uint16_t)event, ++ (void*)p_data, param_len, p_copy_cback); + + /* catch any failed context transfers */ + ASSERTC(status == BT_STATUS_SUCCESS, "context transfer failed", status); diff --git a/Patches/LineageOS-14.1/android_system_bt/358736.patch b/Patches/LineageOS-14.1/android_system_bt/358736.patch new file mode 100644 index 00000000..1b4b9ef5 --- /dev/null +++ b/Patches/LineageOS-14.1/android_system_bt/358736.patch 
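Review bot: `btif_hh_hsdata_rpt_copy_cb` copies `BT_HDR_SIZE + hdr->offset + hdr->len` bytes past the `tBTA_HH_HSDATA` struct with no bound of its own; it is only safe because `bte_hh_evt` sizes `param_len` with the same expression for `BTA_HH_GET_RPT_EVT`, and nothing in the code ties the two together. Suggest a line in the callback's header comment, `Destination must be allocated as sizeof(tBTA_HH_HSDATA) + BT_HDR_SIZE + hdr->offset + hdr->len; see bte_hh_evt`, or better a small shared helper returning that size so the two cannot drift. The `!p_src` check is fine but `p_dest` is never checked; whether btif_transfer_context guarantees it is non-NULL cannot be seen here.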
@@ -0,0 +1,139 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Tue, 21 Mar 2023 22:35:35 +0000 +Subject: [PATCH] Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length + in sdpu_build_uuid_seq"" + +This reverts commit 487a1079078f3717fdc4665c19a45eca5b3ec5e6. + +Reason for revert: Reinstate original change for QPR +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a681067af2ea4565543238db3025d749923f63ec) +Merged-In: If0528519a29dc73ff99163098da2a05592ab15d8 +Change-Id: If0528519a29dc73ff99163098da2a05592ab15d8 +--- + stack/sdp/sdp_discovery.c | 64 ++++++++++++++++++++++++++++++++++++--- + 1 file changed, 59 insertions(+), 5 deletions(-) + +diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c +index ec85da47a..d57c47790 100644 +--- a/stack/sdp/sdp_discovery.c ++++ b/stack/sdp/sdp_discovery.c +@@ -73,11 +73,18 @@ extern fixed_queue_t *btu_general_alarm_queue; + ** Returns Pointer to next byte in the output buffer. 
+ ** + *******************************************************************************/ +-static UINT8 *sdpu_build_uuid_seq (UINT8 *p_out, UINT16 num_uuids, tSDP_UUID *p_uuid_list) ++static UINT8 *sdpu_build_uuid_seq (UINT8 *p_out, UINT16 num_uuids, tSDP_UUID *p_uuid_list, ++ UINT16 bytes_left) + { + UINT16 xx; + UINT8 *p_len; + ++ if (bytes_left < 2) { ++ SDP_TRACE_ERROR("SDP: No space for data element header"); ++ return (p_out); ++ } ++ ++ + /* First thing is the data element header */ + UINT8_TO_BE_STREAM (p_out, (DATA_ELE_SEQ_DESC_TYPE << 3) | SIZE_IN_NEXT_BYTE); + +@@ -85,9 +92,19 @@ static UINT8 *sdpu_build_uuid_seq (UINT8 *p_out, UINT16 num_uuids, tSDP_UUID *p_ + p_len = p_out; + p_out += 1; + ++ /* Account for data element header and length */ ++ bytes_left -= 2; ++ + /* Now, loop through and put in all the UUID(s) */ + for (xx = 0; xx < num_uuids; xx++, p_uuid_list++) + { ++ if (p_uuid_list->len + 1 > bytes_left) { ++ SDP_TRACE_ERROR("SDP: Too many UUIDs for internal buffer"); ++ break; ++ } else { ++ bytes_left -= (p_uuid_list->len + 1); ++ } ++ + if (p_uuid_list->len == 2) + { + UINT8_TO_BE_STREAM (p_out, (UUID_DESC_TYPE << 3) | SIZE_TWO_BYTES); +@@ -130,6 +147,7 @@ static void sdp_snd_service_search_req(tCONN_CB *p_ccb, UINT8 cont_len, UINT8 * + UINT8 *p, *p_start, *p_param_len; + BT_HDR *p_cmd = (BT_HDR *) osi_malloc(SDP_DATA_BUF_SIZE); + UINT16 param_len; ++ UINT16 bytes_left = SDP_DATA_BUF_SIZE; + + /* Prepare the buffer for sending the packet to L2CAP */ + p_cmd->offset = L2CAP_MIN_OFFSET; +@@ -144,11 +162,29 @@ static void sdp_snd_service_search_req(tCONN_CB *p_ccb, UINT8 cont_len, UINT8 * + p_param_len = p; + p += 2; + ++ /* Account for header size, max service record count and ++ * continuation state */ ++ const UINT16 base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET + ++ 3u + /* service search request header */ ++ 2u + /* param len */ ++ 3u + ((p_cont) ? 
cont_len : 0)); ++ ++ if (base_bytes > bytes_left) { ++ SDP_TRACE_ERROR("SDP: Overran SDP data buffer"); ++ osi_free(p_cmd); ++ return; ++ } ++ ++ bytes_left -= base_bytes; ++ + /* Build the UID sequence. */ + #if (defined(SDP_BROWSE_PLUS) && SDP_BROWSE_PLUS == TRUE) +- p = sdpu_build_uuid_seq (p, 1, &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]); ++ p = sdpu_build_uuid_seq (p, 1, &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx], ++ bytes_left); + #else +- p = sdpu_build_uuid_seq (p, p_ccb->p_db->num_uuid_filters, p_ccb->p_db->uuid_filters); ++ /* Build the UID sequence. */ ++ p = sdpu_build_uuid_seq (p, p_ccb->p_db->num_uuid_filters, p_ccb->p_db->uuid_filters, ++ bytes_left); + #endif + + /* Set max service record count */ +@@ -686,6 +722,7 @@ static void process_service_search_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply, + { + BT_HDR *p_msg = (BT_HDR *)osi_malloc(SDP_DATA_BUF_SIZE); + UINT8 *p; ++ UINT16 bytes_left = SDP_DATA_BUF_SIZE; + + p_msg->offset = L2CAP_MIN_OFFSET; + p = p_start = (UINT8 *)(p_msg + 1) + L2CAP_MIN_OFFSET; +@@ -699,11 +736,28 @@ static void process_service_search_attr_rsp (tCONN_CB* p_ccb, uint8_t* p_reply, + p_param_len = p; + p += 2; + ++ /* Account for header size, max service record count and ++ * continuation state */ ++ const UINT16 base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET + ++ 3u + /* service search request header */ ++ 2u + /* param len */ ++ 3u + /* max service record count */ ++ ((p_reply) ? (*p_reply) : 0)); ++ ++ if (base_bytes > bytes_left) { ++ sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE); ++ return; ++ } ++ ++ bytes_left -= base_bytes; ++ + /* Build the UID sequence. 
*/ + #if (defined(SDP_BROWSE_PLUS) && SDP_BROWSE_PLUS == TRUE) +- p = sdpu_build_uuid_seq (p, 1, &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]); ++ p = sdpu_build_uuid_seq (p, 1, &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx], ++ bytes_left); + #else +- p = sdpu_build_uuid_seq (p, p_ccb->p_db->num_uuid_filters, p_ccb->p_db->uuid_filters); ++ p = sdpu_build_uuid_seq (p, p_ccb->p_db->num_uuid_filters, p_ccb->p_db->uuid_filters, ++ bytes_left); + #endif + + /* Max attribute byte count */ diff --git a/Patches/LineageOS-14.1/android_system_bt/358737.patch b/Patches/LineageOS-14.1/android_system_bt/358737.patch new file mode 100644 index 00000000..05a685bf --- /dev/null +++ b/Patches/LineageOS-14.1/android_system_bt/358737.patch 
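Review bot: When `sdpu_build_uuid_seq` runs out of room it logs and `break`s (or returns `p_out` unchanged when `bytes_left < 2`), but both callers, `sdp_snd_service_search_req` and `process_service_search_attr_rsp`, only see the returned pointer, so a truncated UUID sequence is still sent as a normal request. That is memory-safe, which is the purpose of the patch, but it turns an internal buffer-size problem into a silently narrower search; returning a status or an out-parameter so the callers can bail out as they already do for `base_bytes > bytes_left` would make the failure visible. In the `#else` branch of `sdp_snd_service_search_req` the added `/* Build the UID sequence. */` duplicates the comment two lines above it. The bodies of both callers extend outside the hunk.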
@@ -0,0 +1,84 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Tue, 21 Mar 2023 22:39:16 +0000 +Subject: [PATCH] Revert "Revert "Fix wrong BR/EDR link key downgrades + (P_256->P_192)"" + +This reverts commit d733c86cbc06ce0ec72216b9d41e172d1939c46f. + +Function btm_sec_encrypt_change() is called at most places +with argument "encr_enable" treated as bool and not as per +(tHCI_ENCRYPT_MODE = 0/1/2) expected by the function. The +function has special handling for "encr_enable=1" to downgrade +the link key type for BR/EDR case. This gets executed even +when the caller/context did not mean/expect so. It appears +this handling in btm_sec_encrypt_change() is not necessary and +is removed by this commit to prevent accidental execution of it. + +Test: Verified re-pairing with an iPhone works fine now + +Issue Reproduction Steps: +1. Enable Bluetooth Hotspot on Android device (DUT). +2. Pair and connect an iPhone to DUT. +3. Forget this pairing on DUT. +4. On iPhone settings, click on old DUT's paired entry to connect. +5. iPhone notifies to click 'Forget Device' and try fresh pairing. +6. On iPhone, after doing 'Forget Device', discover DUT again. +7. Attempt pairing to DUT by clicking on discovered DUT entry. + Pairing will be unsuccessful. + +Issue Cause: +During re-pairing, DUT is seen to downgrade +BR/EDR link key unexpectedly from link key type 0x8 +(BTM_LKEY_TYPE_AUTH_COMB_P_256) to 0x5 (BTM_LKEY_TYPE_AUTH_COMB). + +Log snippet (re-pairing time): +btm_sec_link_key_notification set new_encr_key_256 to 1 +btif_dm_auth_cmpl_evt: Storing link key. key_type=0x8, bond_type=1 +btm_sec_encrypt_change new_encr_key_256 is 1 +--On DUT, HCI_Encryption_Key_Refresh_Complete event noticed--- +btm_sec_encrypt_change new_encr_key_256 is 0 +updated link key type to 5 +btif_dm_auth_cmpl_evt: Storing link key. 
key_type=0x5, bond_type=1 + +This is a backport of the following patch: aosp/1890096 + +Bug: 258834033 + +Reason for revert: Reinstate original change for QPR +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:56891eedc68c86b40977191dad28d65ebf86a94f) +Merged-In: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6 +Change-Id: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6 +--- + stack/btm/btm_sec.c | 18 ------------------ + 1 file changed, 18 deletions(-) + +diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c +index 175fefeae..f8884b917 100644 +--- a/stack/btm/btm_sec.c ++++ b/stack/btm/btm_sec.c +@@ -4348,24 +4348,6 @@ void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable) + } + } + } +- else +- { +- // BR/EDR is successfully encrypted. Correct LK type if needed +- // (BR/EDR LK derived from LE LTK was used for encryption) +- if ((encr_enable == 1) && /* encryption is ON for SSP */ +- /* LK type is for BR/EDR SC */ +- (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 || +- p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) +- { +- if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) +- p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB; +- else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */ +- p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB; +- +- BTM_TRACE_DEBUG("updated link key type to %d", p_dev_rec->link_key_type); +- btm_send_link_key_notif(p_dev_rec); +- } +- } + } + #else + btm_sec_check_pending_enc_req (p_dev_rec, BT_TRANSPORT_BR_EDR, encr_enable); diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index 30480817..c01e9cde 100644 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh 
@@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2023-05-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-05 #XXX
+sed -i 's/2021-06-05/2023-06-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-06 #XXX
 fi;
 
 if enterAndClear "device/qcom/sepolicy"; then
@@ -142,6 +142,7 @@ if enterAndClear "frameworks/av"; then
 applyPatch "$DOS_PATCHES/android_frameworks_av/212799.patch"; #FLAC extractor CVE-2017-0592. alt: 212827/174106 (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_av/319987.patch"; #n-asb-2021-12 Fix heap-buffer-overflow in MPEG4Extractor
 applyPatch "$DOS_PATCHES/android_frameworks_av/321222.patch"; #n-asb-2022-01 SimpleDecodingSource:Prevent OOB write in heap mem
+applyPatch "$DOS_PATCHES/android_frameworks_av/358729.patch"; #n-asb-2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
 fi;
 
 if enterAndClear "frameworks/base"; then
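Review bot: The bumped line `sed -i 's/2021-06-05/2023-06-05/' core/version_defaults.mk;` silently does nothing if the file no longer contains the literal `2021-06-05`, so the advertised security patch level can lag the patches that were actually applied without the build failing; the `#XXX` marker suggests this is already a known weak spot. Since this is the value users see as the device's patch level, it is worth asserting the substitution took effect, e.g. `grep -q '2023-06-05' core/version_defaults.mk || echo "WARNING: security string not bumped";`. The date and the `#n-asb-2023-06` tag in the comment now also have to be kept in step with the newest `applyPatch` entries further down.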
@@ -195,6 +196,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/353759.patch"; #n-asb-2023-04 E
 applyPatch "$DOS_PATCHES/android_frameworks_base/355865.patch"; #n-asb-2023-05 Uri: check authority and scheme as part of determining URI path
 applyPatch "$DOS_PATCHES/android_frameworks_base/355866.patch"; #n-asb-2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
 #applyPatch "$DOS_PATCHES/android_frameworks_base/355867.patch"; #n-asb-2023-05 Stop managed profile owner granting READ_SMS #XXX: no-op
+applyPatch "$DOS_PATCHES/android_frameworks_base/358732.patch"; #n-asb-2023-06 Prevent RemoteViews crashing SystemUi
+applyPatch "$DOS_PATCHES/android_frameworks_base/358733.patch"; #n-asb-2023-06 Check key intent for selectors and prohibited flags
+applyPatch "$DOS_PATCHES/android_frameworks_base/358734.patch"; #n-asb-2023-06 Handle invalid data during job loading.
 git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
 applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@@ -363,6 +367,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334037.patch"; #n-asb-20
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334874.patch"; #n-asb-2022-08 Verify ringtone from ringtone picker is audio
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334875.patch"; #n-asb-2022-08 Fix Settings crash when setting a null ringtone
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345679.patch"; #n-asb-2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358738.patch"; #n-asb-2023-06 Convert argument to intent in AddAccountSettings.
 git revert --no-edit 2ebe6058c546194a301c1fd22963d6be4adbf961; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/201113.patch"; #wifi: Add world regulatory domain country code (syphyr)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
@@ -378,6 +383,10 @@ if enterAndClear "packages/apps/SetupWizard"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics.patch"; #Remove the rest of CMStats (DivestOS)
 fi;
 
+if enterAndClear "packages/apps/TvSettings"; then
+applyPatch "$DOS_PATCHES/android_packages_apps_TvSettings/358739.patch"; #n-asb-2023-06 Convert argument to intent in addAccount TvSettings.
+fi;
+
 if enterAndClear "packages/apps/Updater"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0001-Server.patch"; #Switch to our server (DivestOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0002-Tor_Support.patch"; #Add Tor support (DivestOS)
@@ -452,6 +461,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/351106.patch"; #n-asb-2023-03 Fix an
 applyPatch "$DOS_PATCHES/android_system_bt/351109.patch"; #n-asb-2023-03 AVRCP: Fix potential buffer overflow
 applyPatch "$DOS_PATCHES/android_system_bt/353754.patch"; #n-asb-2023-04 AVDTP: Fix a potential overflow about the media payload offset
 applyPatch "$DOS_PATCHES/android_system_bt/353755.patch"; #n-asb-2023-04 Fix an OOB bug in register_notification_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/358735.patch"; #n-asb-2023-06 Prevent use-after-free of HID reports
+applyPatch "$DOS_PATCHES/android_system_bt/358736.patch"; #n-asb-2023-06 Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq""
+applyPatch "$DOS_PATCHES/android_system_bt/358737.patch"; #n-asb-2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
 applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)
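Review bot: The comments on the new 358736 and 358737 entries copy the upstream `Revert "Revert "…""` subjects verbatim, so the line tells a reader nothing about what the patch does to the tree until they unwind the double negation; the neighbouring entries state the effect directly (`AVRCP: Fix potential buffer overflow`, `Prevent use-after-free of HID reports`). Suggest `#n-asb-2023-06 Validate buffer length in sdpu_build_uuid_seq` and `#n-asb-2023-06 Fix wrong BR/EDR link key downgrades (P_256->P_192)`, which is also what the nested patch subjects resolve to.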