Pull in n-asb-2023-04

Signed-off-by: Tad <tad@spotco.us>

Patches/LineageOS-14.1/android_external_libnfc-nci/353760.patch

@@ -0,0 +1,30 @@
+From 86e2cbf8227fff2b020ba5ff858d054318044916 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev <alisher@google.com>
+Date: Tue, 31 Jan 2023 19:04:09 -0800
+Subject: [PATCH] OOBW in nci_snd_set_routing_cmd()
+
+Bug: 264879662
+Test: read a tag, nfc on/off
+Change-Id: I408cf611fb35e9467d7484165ce48759970b158a
+(cherry picked from commit 1dd4d2e1b481dd83ca2b222993fdb74ae5306c78)
+Merged-In: I408cf611fb35e9467d7484165ce48759970b158a
+---
+ src/nfc/nci/nci_hmsgs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/nfc/nci/nci_hmsgs.c b/src/nfc/nci/nci_hmsgs.c
+index af6ad5d..d7a96b4 100644
+--- a/src/nfc/nci/nci_hmsgs.c
++++ b/src/nfc/nci/nci_hmsgs.c
+@@ -588,6 +588,11 @@ UINT8 nci_snd_set_routing_cmd (BOOLEAN more, UINT8 num_tlv, UINT8 tlv_size, UINT
+     UINT8 *pp;
+     UINT8 size = tlv_size + 2;
+ 
++    if (size < tlv_size)
++    {
++        return (NCI_STATUS_FAILED);
++    }
++
+     if (tlv_size == 0)
+     {
+         /* just to terminate routing table

Patches/LineageOS-14.1/android_frameworks_base/353756.patch

@@ -0,0 +1,97 @@
+From 6dbd9ee40a5c13e8e4a5b1aca039bb6c00031501 Mon Sep 17 00:00:00 2001
+From: Jing Ji <jji@google.com>
+Date: Thu, 4 Aug 2022 11:36:26 -0700
+Subject: [PATCH] DO NOT MERGE: Context#startInstrumentation could be started
+ from SHELL only now.
+
+Or, if an instrumentation starts another instrumentation and so on,
+and the original instrumentation is started from SHELL, allow all
+Context#startInstrumentation calls in this chain.
+
+Otherwise, it'll throw a SecurityException.
+
+Bug: 237766679
+Test: atest CtsAppTestCases:InstrumentationTest
+Merged-In: Ia08f225c21a3933067d066a578ea4af9c23e7d4c
+Merged-In: I1b76f61c5fd6c9f7e738978592260945a606f40c
+Merged-In: I3ea7aa27bd776fec546908a37f667f680da9c892
+Change-Id: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406
+(cherry picked from commit 8c90891a38ecb5047e115e13baf700a8b486a5d1)
+Merged-In: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406
+---
+ .../server/am/ActivityManagerService.java     | 41 ++++++++++++++++++-
+ 1 file changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 4e48f422a2fe3..73ecd14090c99 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -4306,6 +4306,29 @@ public int getPackageProcessState(String packageName, String callingPackage) {
+         return procState;
+     }
+ 
++    @GuardedBy("this")
++    private boolean hasActiveInstrumentationLocked(int pid) {
++        if (pid == 0) {
++            return false;
++        }
++        synchronized (mPidsSelfLocked) {
++            ProcessRecord process = mPidsSelfLocked.get(pid);
++            return process != null && process.instrumentationClass != null;
++        }
++    }
++
++    private String getPackageNameByPid(int pid) {
++        synchronized (mPidsSelfLocked) {
++            final ProcessRecord app = mPidsSelfLocked.get(pid);
++
++            if (app != null && app.info != null) {
++                return app.info.packageName;
++            }
++
++            return null;
++        }
++    }
++
+     private boolean isCallerShell() {
+         final int callingUid = Binder.getCallingUid();
+         return callingUid == Process.SHELL_UID || callingUid == Process.ROOT_UID;
+@@ -18947,7 +18970,9 @@ public boolean startInstrumentation(ComponentName className,
+             IInstrumentationWatcher watcher, IUiAutomationConnection uiAutomationConnection,
+             int userId, String abiOverride) {
+         enforceNotIsolatedCaller("startInstrumentation");
+-        userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(),
++        final int callingUid = Binder.getCallingUid();
++        final int callingPid = Binder.getCallingPid();
++        userId = mUserController.handleIncomingUser(callingPid, callingUid,
+                 userId, false, ALLOW_FULL_ONLY, "startInstrumentation", null);
+         // Refuse possible leaked file descriptors
+         if (arguments != null && arguments.hasFileDescriptors()) {
+@@ -18987,7 +19012,7 @@ public boolean startInstrumentation(ComponentName className,
+                 String msg = "Permission Denial: starting instrumentation "
+                         + className + " from pid="
+                         + Binder.getCallingPid()
+-                        + ", uid=" + Binder.getCallingPid()
++                        + ", uid=" + Binder.getCallingUid()
+                         + " not allowed because package " + ii.packageName
+                         + " does not have a signature matching the target "
+                         + ii.targetPackage;
+@@ -18995,6 +19020,18 @@ public boolean startInstrumentation(ComponentName className,
+                 throw new SecurityException(msg);
+             }
+ 
++            if (!Build.IS_DEBUGGABLE && callingUid != Process.ROOT_UID && callingUid != Process.SHELL_UID
++                    && callingUid != Process.SYSTEM_UID && !hasActiveInstrumentationLocked(callingPid)) {
++                // If it's not debug build and not called from root/shell/system uid, reject it.
++                final String msg = "Permission Denial: instrumentation test "
++                        + className + " from pid=" + callingPid + ", uid=" + callingUid
++                        + ", pkgName=" + getPackageNameByPid(callingPid)
++                        + " not allowed because it's not started from SHELL";
++                Slog.wtfQuiet(TAG, msg);
++                reportStartInstrumentationFailureLocked(watcher, className, msg);
++                throw new SecurityException(msg);
++            }
++
+             final long origId = Binder.clearCallingIdentity();
+             // Instrumentation can kill and relaunch even persistent processes
+             forceStopPackageLocked(ii.targetPackage, -1, true, false, true, true, false, userId,

Patches/LineageOS-14.1/android_frameworks_base/353757.patch

@@ -0,0 +1,33 @@
+From 1168540ec2ed0fa57c19f5a5033c6fd7cbf74a25 Mon Sep 17 00:00:00 2001
+From: Kunal Malhotra <malhk@google.com>
+Date: Mon, 7 Nov 2022 23:33:55 +0000
+Subject: [PATCH] Checking if package belongs to UID before registering
+ broadcast receiver
+
+Test: manual testing done on device by installing test APK and checking if receiver can register
+Bug: 242040055
+Change-Id: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
+Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
+(cherry picked from commit 790a8d0dd329460bc60456681cb446accf2a27e0)
+(cherry picked from commit 4f0dc37b896e06086391e71ce471e413215e1130)
+Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
+---
+ services/core/java/com/android/server/am/ActiveServices.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/services/core/java/com/android/server/am/ActiveServices.java b/services/core/java/com/android/server/am/ActiveServices.java
+index c38dad9125de5..cb3fb9f5abbe0 100755
+--- a/services/core/java/com/android/server/am/ActiveServices.java
++++ b/services/core/java/com/android/server/am/ActiveServices.java
+@@ -1326,6 +1326,11 @@ private ServiceLookupResult retrieveServiceLocked(Intent service,
+                             throw new SecurityException("BIND_EXTERNAL_SERVICE failed, " + name +
+                                     " is not an isolatedProcess");
+                         }
++                        if (AppGlobals.getPackageManager().getPackageUid(callingPackage,
++                                0, userId) != callingUid) {
++                            throw new SecurityException("BIND_EXTERNAL_SERVICE failed, "
++                                    + "calling package not owned by calling UID ");
++                        }
+                         // Run the service under the calling package's application.
+                         ApplicationInfo aInfo = AppGlobals.getPackageManager().getApplicationInfo(
+                                 callingPackage, ActivityManagerService.STOCK_PM_FLAGS, userId);

Patches/LineageOS-14.1/android_frameworks_base/353758.patch

@@ -0,0 +1,71 @@
+From c7267fd43b5a9aa80f218fb5c09385269925b073 Mon Sep 17 00:00:00 2001
+From: Hao Ke <haok@google.com>
+Date: Mon, 12 Dec 2022 15:49:16 +0000
+Subject: [PATCH] Fix checkKeyIntentParceledCorrectly's bypass
+
+The checkKeyIntentParceledCorrectly method was added in checkKeyIntent, which was originaly  only invoked when AccountManagerService deserializes the KEY_INTENT value as not NULL. However, due to the self-changing bundle technique in Parcel mismatch problems, the Intent value can change after reparceling; hence would bypass the added checkKeyIntentParceledCorrectly call.
+
+This CL did the following:
+
+- Ensure the checkKeyIntent method is also called when result.getParcelable(AccountManager.KEY_INTENT) == null.
+
+Bug: 260567867
+Bug: 262230405
+Test: local test, see b/262230405
+Test: atest CtsAccountManagerTestCases
+Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477
+Change-Id: I7b528f52c41767ae12731838fdd36aa26a8f3477
+(cherry picked from commit 9f623983a8d4ec48d58b0eda56fa461fc6748981)
+Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477
+---
+ .../server/accounts/AccountManagerService.java    | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 1692367c70a1..9aef2cc347d2 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -2936,8 +2936,7 @@ public void onResult(Bundle result) {
+             Bundle.setDefusable(result, true);
+             mNumResults++;
+             Intent intent = null;
+-            if (result != null
+-                    && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
++            if (result != null) {
+                 if (!checkKeyIntent(
+                         Binder.getCallingUid(),
+                         result)) {
+@@ -4215,8 +4214,10 @@ protected boolean checkKeyIntent(int authUid, Bundle bundle) {
+                 EventLog.writeEvent(0x534e4554, "250588548", authUid, "");
+                 return false;
+             }
+-
+             Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
++            if (intent == null) {
++                return true;
++            }
+             // Explicitly set an empty ClipData to ensure that we don't offer to
+             // promote any Uris contained inside for granting purposes
+             if (intent.getClipData() == null) {
+@@ -4265,7 +4266,10 @@ private boolean checkKeyIntentParceledCorrectly(Bundle bundle) {
+             p.recycle();
+             Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
+             Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);
+-            return (intent.filterEquals(simulateIntent));
++            if (intent == null) {
++                return (simulateIntent == null);
++            }
++            return intent.filterEquals(simulateIntent);
+         }
+ 
+         private void close() {
+@@ -4409,8 +4413,7 @@ public void onResult(Bundle result) {
+                     }
+                 }
+             }
+-            if (result != null
+-                    && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
++            if (result != null) {
+                 if (!checkKeyIntent(
+                         Binder.getCallingUid(),
+                         result)) {

Patches/LineageOS-14.1/android_frameworks_base/353759.patch

@@ -0,0 +1,34 @@
+From ff21c932b70b820c32a3a5331128a85e382f9885 Mon Sep 17 00:00:00 2001
+From: Winson Chiu <chiuwinson@google.com>
+Date: Fri, 6 Jan 2023 21:26:24 +0000
+Subject: [PATCH] Encode Intent scheme when serializing to URI string RESTRICT
+ AUTOMERGE
+
+Avoids deserialization error when the scheme contains a
+reserved character.
+
+Bug: 261858325
+
+Test: atest android.content.cts.IntentTest#testEncoding
+
+Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470
+Change-Id: Ic34b3f796b762763db5aa7b5d7c109ae70607470
+(cherry picked from commit 43437b4ee6424933d4e403f0375ef8c1f07986f4)
+Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470
+---
+ core/java/android/content/Intent.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java
+index 2142aae2ec74a..0059f9edb6e15 100644
+--- a/core/java/android/content/Intent.java
++++ b/core/java/android/content/Intent.java
+@@ -8602,7 +8602,7 @@ private void toUriFragment(StringBuilder uri, String scheme, String defAction,
+     private void toUriInner(StringBuilder uri, String scheme, String defAction,
+             String defPackage, int flags) {
+         if (scheme != null) {
+-            uri.append("scheme=").append(scheme).append(';');
++            uri.append("scheme=").append(Uri.encode(scheme)).append(';');
+         }
+         if (mAction != null && !mAction.equals(defAction)) {
+             uri.append("action=").append(Uri.encode(mAction)).append(';');

Patches/LineageOS-14.1/android_system_bt/353754.patch

@@ -0,0 +1,53 @@
+From cb6a14a070dbaf85a8fb0db89531aef3e091711b Mon Sep 17 00:00:00 2001
+From: Cheney Ni <cheneyni@google.com>
+Date: Fri, 1 Oct 2021 20:44:20 +0800
+Subject: [PATCH] AVDTP: Fix a potential overflow about the media payload
+ offset
+
+This variable is uint16, and is possible to overflow when the length of
+header extension is larger. Here we compare with the data length to
+prevent any exceptions.
+
+Bug: 142546355
+Tag: #security
+Test: A2DP sink playback
+Ignore-AOSP-First: security vulnerabilities
+Change-Id: Id13b1ebde8f603123c8b7a49922b2f1378ab788f
+---
+ stack/avdt/avdt_scb_act.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/stack/avdt/avdt_scb_act.c b/stack/avdt/avdt_scb_act.c
+index d7cf791ccf..6b6d708f77 100644
+--- a/stack/avdt/avdt_scb_act.c
++++ b/stack/avdt/avdt_scb_act.c
+@@ -291,19 +291,26 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data)
+         if (offset > len) goto length_error;
+         p += 2;
+         BE_STREAM_TO_UINT16(ex_len, p);
+-        offset += ex_len * 4;
+         p += ex_len * 4;
+     }
+ 
++    if ((p - p_start) > len)
++    {
++        android_errorWriteLog(0x534e4554, "142546355");
++        osi_free_and_reset((void **)&p_data->p_pkt);
++        return;
++    }
++    offset = p - p_start;
++
+     /* adjust length for any padding at end of packet */
+     if (o_p)
+     {
+         /* padding length in last byte of packet */
+-        pad_len =  *(p_start + p_data->p_pkt->len);
++        pad_len = *(p_start + len);
+     }
+ 
+     /* do sanity check */
+-    if ((offset > p_data->p_pkt->len) || ((pad_len + offset) > p_data->p_pkt->len))
++    if (pad_len > (len - offset))
+     {
+         AVDT_TRACE_WARNING("Got bad media packet");
+         osi_free_and_reset((void **)&p_data->p_pkt);

Patches/LineageOS-14.1/android_system_bt/353755.patch

@@ -0,0 +1,36 @@
+From 1f57f8785858f189bf3aa005f4e0cb92388d5d2c Mon Sep 17 00:00:00 2001
+From: Hui Peng <phui@google.com>
+Date: Fri, 20 Jan 2023 19:39:30 +0000
+Subject: [PATCH] Fix an OOB bug in register_notification_rsp
+
+This is a backport of I901d973a736678d7f3cc816ddf0cbbcbbd1fe93f
+to rvc-dev.
+
+Bug: 245916076
+Test: manual
+Ignore-AOSP-First: security
+Change-Id: I37a9f45e707702b2ec52b5a2d572f177f2911765
+(cherry picked from commit 901e34203c6280d414cbfa3978de04fd6515ffdf)
+Merged-In: I37a9f45e707702b2ec52b5a2d572f177f2911765
+---
+ btif/src/btif_rc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/btif/src/btif_rc.c b/btif/src/btif_rc.c
+index 632ec9c33d..b42df67b11 100644
+--- a/btif/src/btif_rc.c
++++ b/btif/src/btif_rc.c
+@@ -3170,6 +3170,13 @@ static bt_status_t register_notification_rsp(btrc_event_id_t event_id,
+         BTIF_TRACE_ERROR("Avrcp Event id not registered: event_id = %x", event_id);
+         return BT_STATUS_NOT_READY;
+     }
++
++    if (event_id > MAX_RC_NOTIFICATIONS)
++    {
++        BTIF_TRACE_ERROR("Invalid event id");
++        return BT_STATUS_PARM_INVALID;
++    }
++
+     memset(&(avrc_rsp.reg_notif), 0, sizeof(tAVRC_REG_NOTIF_RSP));
+     avrc_rsp.reg_notif.event_id = event_id;
+ 

Scripts/LineageOS-14.1/Patch.sh

@@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2023-03-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-03 #XXX
+sed -i 's/2021-06-05/2023-04-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-04 #XXX
 fi;
 
 if enterAndClear "device/qcom/sepolicy"; then
@@ -115,6 +115,7 @@ applyPatch "$DOS_PATCHES/android_external_libnfc-nci/332459.patch"; #n-asb-2022-
 applyPatch "$DOS_PATCHES/android_external_libnfc-nci/332460.patch"; #n-asb-2022-06 Double Free in ce_t4t_data_cback
 applyPatch "$DOS_PATCHES/android_external_libnfc-nci/341071.patch"; #n-asb-2022-10 The length of a packet should be non-zero
 applyPatch "$DOS_PATCHES/android_external_libnfc-nci/343955.patch"; #n-asb-2022-11 OOBW in phNxpNciHal_write_unlocked()
+applyPatch "$DOS_PATCHES/android_external_libnfc-nci/353760.patch"; #n-asb-2023-04 OOBW in nci_snd_set_routing_cmd()
 fi;
 
 if enterAndClear "external/sonivox"; then
@@ -183,6 +184,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/346951.patch"; #n-asb-2023-01 F
 applyPatch "$DOS_PATCHES/android_frameworks_base/348650.patch"; #n-asb-2023-02 Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
 applyPatch "$DOS_PATCHES/android_frameworks_base/348651.patch"; #n-asb-2023-02 Convert argument to intent in ChooseTypeAndAccountActivity
 applyPatch "$DOS_PATCHES/android_frameworks_base/352086.patch"; #n-asb-2023-03 Revoke dev perm if app is upgrading to post 23 and perm has pre23 flag
+applyPatch "$DOS_PATCHES/android_frameworks_base/353756.patch"; #n-asb-2023-04 Context#startInstrumentation could be started from SHELL only now.
+applyPatch "$DOS_PATCHES/android_frameworks_base/353757.patch"; #n-asb-2023-04 Checking if package belongs to UID before registering broadcast receiver
+applyPatch "$DOS_PATCHES/android_frameworks_base/353758.patch"; #n-asb-2023-04 Fix checkKeyIntentParceledCorrectly's bypass
+applyPatch "$DOS_PATCHES/android_frameworks_base/353759.patch"; #n-asb-2023-04 Encode Intent scheme when serializing to URI string
 git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
 applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@@ -435,6 +440,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/348654.patch"; #n-asb-2023-02 Add bou
 applyPatch "$DOS_PATCHES/android_system_bt/351105.patch"; #n-asb-2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
 applyPatch "$DOS_PATCHES/android_system_bt/351106.patch"; #n-asb-2023-03 Fix an OOB write in SDP_AddAttribute
 applyPatch "$DOS_PATCHES/android_system_bt/351109.patch"; #n-asb-2023-03 AVRCP: Fix potential buffer overflow
+applyPatch "$DOS_PATCHES/android_system_bt/353754.patch"; #n-asb-2023-04 AVDTP: Fix a potential overflow about the media payload offset
+applyPatch "$DOS_PATCHES/android_system_bt/353755.patch"; #n-asb-2023-04 Fix an OOB bug in register_notification_rsp
 applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)