mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-24 15:09:34 -05:00
17.1 December ASB work
Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
parent
ba1e29a1b1
commit
f18fb48d8a
@ -0,0 +1,104 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Toni Heidenreich <tonihei@google.com>
|
||||
Date: Wed, 6 Sep 2023 12:49:33 +0000
|
||||
Subject: [PATCH] httplive: fix use-after-free
|
||||
|
||||
Implement a mutex to ensure secure multi-threaded
|
||||
access to the KeyedVector in MetaDataBase.
|
||||
Concurrent access by different threads can lead
|
||||
to accessing the wrong memory location due to
|
||||
potential changes in the vector
|
||||
|
||||
Bug: 298057702
|
||||
Test: HTTP Live Streaming test
|
||||
(cherry picked from https://partner-android-review.googlesource.com/q/commit:a2dfb31957a9d5358d0219a0eda7dcb5b0fff5fe)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90fb4ca425444429ada6ce0de1c13d35829bc196)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c1d9613ef64e01d2e81c4aa44c90dcd8ca958b9)
|
||||
Merged-In: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a
|
||||
Change-Id: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a
|
||||
---
|
||||
media/libstagefright/foundation/MetaDataBase.cpp | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/media/libstagefright/foundation/MetaDataBase.cpp b/media/libstagefright/foundation/MetaDataBase.cpp
|
||||
index bfea6f1537..a3c623e354 100644
|
||||
--- a/media/libstagefright/foundation/MetaDataBase.cpp
|
||||
+++ b/media/libstagefright/foundation/MetaDataBase.cpp
|
||||
@@ -24,6 +24,8 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
+#include <mutex>
|
||||
+
|
||||
#include <media/stagefright/foundation/ADebug.h>
|
||||
#include <media/stagefright/foundation/AString.h>
|
||||
#include <media/stagefright/foundation/hexdump.h>
|
||||
@@ -75,6 +77,7 @@ struct MetaDataBase::Rect {
|
||||
|
||||
|
||||
struct MetaDataBase::MetaDataInternal {
|
||||
+ std::mutex mLock;
|
||||
KeyedVector<uint32_t, MetaDataBase::typed_data> mItems;
|
||||
};
|
||||
|
||||
@@ -99,10 +102,12 @@ MetaDataBase::~MetaDataBase() {
|
||||
}
|
||||
|
||||
void MetaDataBase::clear() {
|
||||
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
||||
mInternalData->mItems.clear();
|
||||
}
|
||||
|
||||
bool MetaDataBase::remove(uint32_t key) {
|
||||
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
||||
ssize_t i = mInternalData->mItems.indexOfKey(key);
|
||||
|
||||
if (i < 0) {
|
||||
@@ -249,6 +254,7 @@ bool MetaDataBase::setData(
|
||||
uint32_t key, uint32_t type, const void *data, size_t size) {
|
||||
bool overwrote_existing = true;
|
||||
|
||||
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
||||
ssize_t i = mInternalData->mItems.indexOfKey(key);
|
||||
if (i < 0) {
|
||||
typed_data item;
|
||||
@@ -266,6 +272,7 @@ bool MetaDataBase::setData(
|
||||
|
||||
bool MetaDataBase::findData(uint32_t key, uint32_t *type,
|
||||
const void **data, size_t *size) const {
|
||||
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
||||
ssize_t i = mInternalData->mItems.indexOfKey(key);
|
||||
|
||||
if (i < 0) {
|
||||
@@ -280,6 +287,7 @@ bool MetaDataBase::findData(uint32_t key, uint32_t *type,
|
||||
}
|
||||
|
||||
bool MetaDataBase::hasData(uint32_t key) const {
|
||||
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
||||
ssize_t i = mInternalData->mItems.indexOfKey(key);
|
||||
|
||||
if (i < 0) {
|
||||
@@ -426,6 +434,7 @@ static void MakeFourCCString(uint32_t x, char *s) {
|
||||
|
||||
String8 MetaDataBase::toString() const {
|
||||
String8 s;
|
||||
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
||||
for (int i = mInternalData->mItems.size(); --i >= 0;) {
|
||||
int32_t key = mInternalData->mItems.keyAt(i);
|
||||
char cc[5];
|
||||
@@ -440,6 +449,7 @@ String8 MetaDataBase::toString() const {
|
||||
}
|
||||
|
||||
void MetaDataBase::dumpToLog() const {
|
||||
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
||||
for (int i = mInternalData->mItems.size(); --i >= 0;) {
|
||||
int32_t key = mInternalData->mItems.keyAt(i);
|
||||
char cc[5];
|
||||
@@ -451,6 +461,7 @@ void MetaDataBase::dumpToLog() const {
|
||||
|
||||
status_t MetaDataBase::writeToParcel(Parcel &parcel) {
|
||||
status_t ret;
|
||||
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
|
||||
size_t numItems = mInternalData->mItems.size();
|
||||
ret = parcel.writeUint32(uint32_t(numItems));
|
||||
if (ret) {
|
@ -10,7 +10,7 @@ requiring the READ_PHONE_STATE permission.
|
||||
1 file changed, 1 insertion(+), 6 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
index 3e99e594a702..409c546ca624 100644
|
||||
index faeb5f348834..120c5c10cb16 100644
|
||||
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
@@ -5026,12 +5026,7 @@ public class ActivityManagerService extends IActivityManager.Stub
|
||||
|
@ -55,7 +55,7 @@ index 55104b4e0ee2..5ed2807922d9 100644
|
||||
<protected-broadcast android:name="com.android.settingslib.action.UNREGISTER_SLICE_RECEIVER" />
|
||||
<protected-broadcast android:name="com.android.settings.flashlight.action.FLASHLIGHT_CHANGED" />
|
||||
diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
index a7d5c64dd3a3..f0bb02d21c8a 100644
|
||||
index 5c343c941454..c838c5680829 100644
|
||||
--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
@@ -152,6 +152,8 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
@ -117,7 +117,7 @@ index a7d5c64dd3a3..f0bb02d21c8a 100644
|
||||
/**
|
||||
* Let's us know when the device is waking up.
|
||||
*/
|
||||
@@ -1380,6 +1404,10 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
@@ -1384,6 +1408,10 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
|
||||
if (DEBUG) Log.d(TAG, "doKeyguard: showing the lock screen");
|
||||
showLocked(options);
|
||||
@ -128,7 +128,7 @@ index a7d5c64dd3a3..f0bb02d21c8a 100644
|
||||
}
|
||||
|
||||
private void lockProfile(int userId) {
|
||||
@@ -1543,6 +1571,12 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
@@ -1547,6 +1575,12 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -141,7 +141,7 @@ index a7d5c64dd3a3..f0bb02d21c8a 100644
|
||||
}
|
||||
}
|
||||
};
|
||||
@@ -1964,6 +1998,7 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
@@ -1968,6 +2002,7 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
mHideAnimationRun = false;
|
||||
adjustStatusBarLocked();
|
||||
sendUserPresentBroadcast();
|
||||
|
95
Patches/LineageOS-17.1/android_frameworks_base/377001.patch
Normal file
95
Patches/LineageOS-17.1/android_frameworks_base/377001.patch
Normal file
@ -0,0 +1,95 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= <matiashe@google.com>
|
||||
Date: Wed, 5 Jul 2023 13:52:21 +0200
|
||||
Subject: [PATCH] Visit Uris added by WearableExtender
|
||||
|
||||
Bug: 283962802
|
||||
Test: atest + manual (POC app now crashes on notify() as expected)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a6f44e911f2d7204cc28c710e54f97c96231abab)
|
||||
Merged-In: I0da18c631eb5e4844a48760c7aaedab715a0bfed
|
||||
Change-Id: I0da18c631eb5e4844a48760c7aaedab715a0bfed
|
||||
---
|
||||
core/java/android/app/Notification.java | 17 +++++++++++++++-
|
||||
.../NotificationManagerServiceTest.java | 20 +++++++++++++++++++
|
||||
2 files changed, 36 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
|
||||
index d8eefc3d3be4..9d0a5e93e2d8 100644
|
||||
--- a/core/java/android/app/Notification.java
|
||||
+++ b/core/java/android/app/Notification.java
|
||||
@@ -1790,6 +1790,10 @@ public class Notification implements Parcelable
|
||||
}
|
||||
}
|
||||
|
||||
+ private void visitUris(@NonNull Consumer<Uri> visitor) {
|
||||
+ visitIconUri(visitor, getIcon());
|
||||
+ }
|
||||
+
|
||||
@Override
|
||||
public Action clone() {
|
||||
return new Action(
|
||||
@@ -2467,7 +2471,7 @@ public class Notification implements Parcelable
|
||||
|
||||
if (actions != null) {
|
||||
for (Action action : actions) {
|
||||
- visitIconUri(visitor, action.getIcon());
|
||||
+ action.visitUris(visitor);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2501,6 +2505,11 @@ public class Notification implements Parcelable
|
||||
if (mBubbleMetadata != null) {
|
||||
visitIconUri(visitor, mBubbleMetadata.getIcon());
|
||||
}
|
||||
+
|
||||
+ if (extras != null && extras.containsKey(WearableExtender.EXTRA_WEARABLE_EXTENSIONS)) {
|
||||
+ WearableExtender extender = new WearableExtender(this);
|
||||
+ extender.visitUris(visitor);
|
||||
+ }
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -9818,6 +9827,12 @@ public class Notification implements Parcelable
|
||||
mFlags &= ~mask;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ private void visitUris(@NonNull Consumer<Uri> visitor) {
|
||||
+ for (Action action : mActions) {
|
||||
+ action.visitUris(visitor);
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
/**
|
||||
diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
|
||||
index 34550bb52a52..61297cf67ee0 100755
|
||||
--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
|
||||
+++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
|
||||
@@ -3528,6 +3528,26 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
|
||||
verify(visitor, times(1)).accept(eq(personIcon3.getUri()));
|
||||
}
|
||||
|
||||
+ @Test
|
||||
+ public void testVisitUris_wearableExtender() {
|
||||
+ Icon actionIcon = Icon.createWithContentUri("content://media/action");
|
||||
+ Icon wearActionIcon = Icon.createWithContentUri("content://media/wearAction");
|
||||
+ PendingIntent intent = PendingIntent.getActivity(mContext, 0, new Intent(),
|
||||
+ PendingIntent.FLAG_IMMUTABLE);
|
||||
+ Notification n = new Notification.Builder(mContext, "a")
|
||||
+ .setSmallIcon(android.R.drawable.sym_def_app_icon)
|
||||
+ .addAction(new Notification.Action.Builder(actionIcon, "Hey!", intent).build())
|
||||
+ .extend(new Notification.WearableExtender().addAction(
|
||||
+ new Notification.Action.Builder(wearActionIcon, "Wear!", intent).build()))
|
||||
+ .build();
|
||||
+
|
||||
+ Consumer<Uri> visitor = (Consumer<Uri>) spy(Consumer.class);
|
||||
+ n.visitUris(visitor);
|
||||
+
|
||||
+ verify(visitor).accept(eq(actionIcon.getUri()));
|
||||
+ verify(visitor).accept(eq(wearActionIcon.getUri()));
|
||||
+ }
|
||||
+
|
||||
@Test
|
||||
public void testSetNotificationPolicy_preP_setOldFields() {
|
||||
ZenModeHelper mZenModeHelper = mock(ZenModeHelper.class);
|
26
Patches/LineageOS-17.1/android_frameworks_base/377002.patch
Normal file
26
Patches/LineageOS-17.1/android_frameworks_base/377002.patch
Normal file
@ -0,0 +1,26 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Lifu Tang <lifu@google.com>
|
||||
Date: Wed, 5 Jul 2023 13:03:00 -0700
|
||||
Subject: [PATCH] Fix bypass BAL via `requestGeofence`
|
||||
|
||||
Bug: 273729172
|
||||
Test: manually
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7f9be7c3c859dc82d37452570d9878b58f6437a9)
|
||||
Merged-In: Ia8094244f908b20d42711b6ea8f58f9b3345b563
|
||||
Change-Id: Ia8094244f908b20d42711b6ea8f58f9b3345b563
|
||||
---
|
||||
services/core/java/com/android/server/PendingIntentUtils.java | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/PendingIntentUtils.java b/services/core/java/com/android/server/PendingIntentUtils.java
|
||||
index 1600101b20f4..a72a4d254a2a 100644
|
||||
--- a/services/core/java/com/android/server/PendingIntentUtils.java
|
||||
+++ b/services/core/java/com/android/server/PendingIntentUtils.java
|
||||
@@ -34,6 +34,7 @@ public class PendingIntentUtils {
|
||||
public static Bundle createDontSendToRestrictedAppsBundle(@Nullable Bundle bundle) {
|
||||
final BroadcastOptions options = BroadcastOptions.makeBasic();
|
||||
options.setDontSendToRestrictedApps(true);
|
||||
+ options.setPendingIntentBackgroundActivityLaunchAllowed(false);
|
||||
if (bundle == null) {
|
||||
return options.toBundle();
|
||||
}
|
@ -0,0 +1,123 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Kweku Adams <kwekua@google.com>
|
||||
Date: Fri, 23 Sep 2022 21:06:53 +0000
|
||||
Subject: [PATCH] RESTRICT AUTOMERGE: Drop invalid data.
|
||||
|
||||
Drop invalid data when writing or reading from XML. PersistableBundle
|
||||
does lazy unparcelling, so checking the values during unparcelling would
|
||||
remove the benefit of the lazy unparcelling. Checking the validity when
|
||||
writing to or reading from XML seems like the best alternative.
|
||||
|
||||
Bug: 246542285
|
||||
Bug: 247513680
|
||||
Test: install test app with invalid job config, start app to schedule job, then check logcat and jobscheduler persisted file
|
||||
(cherry picked from commit 666e8ac60a31e2cc52b335b41004263f28a8db06)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b37ab21ce27746a79a2071deee98c61b23c8d9)
|
||||
Merged-In: Ie817aa0993e9046cb313a750d2323cadc8c1ef15
|
||||
Change-Id: Ie817aa0993e9046cb313a750d2323cadc8c1ef15
|
||||
---
|
||||
core/java/android/os/PersistableBundle.java | 42 +++++++++++++++++----
|
||||
1 file changed, 34 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/os/PersistableBundle.java b/core/java/android/os/PersistableBundle.java
|
||||
index 6f1bf71f187b..3e6312754359 100644
|
||||
--- a/core/java/android/os/PersistableBundle.java
|
||||
+++ b/core/java/android/os/PersistableBundle.java
|
||||
@@ -18,6 +18,7 @@ package android.os;
|
||||
|
||||
import android.annotation.Nullable;
|
||||
import android.util.ArrayMap;
|
||||
+import android.util.Slog;
|
||||
import android.util.proto.ProtoOutputStream;
|
||||
|
||||
import com.android.internal.util.XmlUtils;
|
||||
@@ -38,6 +39,8 @@ import java.util.ArrayList;
|
||||
*/
|
||||
public final class PersistableBundle extends BaseBundle implements Cloneable, Parcelable,
|
||||
XmlUtils.WriteMapCallback {
|
||||
+ private static final String TAG = "PersistableBundle";
|
||||
+
|
||||
private static final String TAG_PERSISTABLEMAP = "pbundle_as_map";
|
||||
public static final PersistableBundle EMPTY;
|
||||
|
||||
@@ -100,7 +103,11 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
|
||||
* @hide
|
||||
*/
|
||||
public PersistableBundle(Bundle b) {
|
||||
- this(b.getMap());
|
||||
+ this(b, true);
|
||||
+ }
|
||||
+
|
||||
+ private PersistableBundle(Bundle b, boolean throwException) {
|
||||
+ this(b.getMap(), throwException);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -109,7 +116,7 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
|
||||
* @param map a Map containing only those items that can be persisted.
|
||||
* @throws IllegalArgumentException if any element of #map cannot be persisted.
|
||||
*/
|
||||
- private PersistableBundle(ArrayMap<String, Object> map) {
|
||||
+ private PersistableBundle(ArrayMap<String, Object> map, boolean throwException) {
|
||||
super();
|
||||
mFlags = FLAG_DEFUSABLE;
|
||||
|
||||
@@ -118,16 +125,23 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
|
||||
|
||||
// Now verify each item throwing an exception if there is a violation.
|
||||
final int N = mMap.size();
|
||||
- for (int i=0; i<N; i++) {
|
||||
+ for (int i = N - 1; i >= 0; --i) {
|
||||
Object value = mMap.valueAt(i);
|
||||
if (value instanceof ArrayMap) {
|
||||
// Fix up any Maps by replacing them with PersistableBundles.
|
||||
- mMap.setValueAt(i, new PersistableBundle((ArrayMap<String, Object>) value));
|
||||
+ mMap.setValueAt(i,
|
||||
+ new PersistableBundle((ArrayMap<String, Object>) value, throwException));
|
||||
} else if (value instanceof Bundle) {
|
||||
- mMap.setValueAt(i, new PersistableBundle(((Bundle) value)));
|
||||
+ mMap.setValueAt(i, new PersistableBundle((Bundle) value, throwException));
|
||||
} else if (!isValidType(value)) {
|
||||
- throw new IllegalArgumentException("Bad value in PersistableBundle key="
|
||||
- + mMap.keyAt(i) + " value=" + value);
|
||||
+ final String errorMsg = "Bad value in PersistableBundle key="
|
||||
+ + mMap.keyAt(i) + " value=" + value;
|
||||
+ if (throwException) {
|
||||
+ throw new IllegalArgumentException(errorMsg);
|
||||
+ } else {
|
||||
+ Slog.wtfStack(TAG, errorMsg);
|
||||
+ mMap.removeAt(i);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -242,6 +256,15 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
|
||||
/** @hide */
|
||||
public void saveToXml(XmlSerializer out) throws IOException, XmlPullParserException {
|
||||
unparcel();
|
||||
+ // Explicitly drop invalid types an attacker may have added before persisting.
|
||||
+ for (int i = mMap.size() - 1; i >= 0; --i) {
|
||||
+ final Object value = mMap.valueAt(i);
|
||||
+ if (!isValidType(value)) {
|
||||
+ Slog.e(TAG, "Dropping bad data before persisting: "
|
||||
+ + mMap.keyAt(i) + "=" + value);
|
||||
+ mMap.removeAt(i);
|
||||
+ }
|
||||
+ }
|
||||
XmlUtils.writeMapXml(mMap, out, this);
|
||||
}
|
||||
|
||||
@@ -290,9 +313,12 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa
|
||||
while (((event = in.next()) != XmlPullParser.END_DOCUMENT) &&
|
||||
(event != XmlPullParser.END_TAG || in.getDepth() < outerDepth)) {
|
||||
if (event == XmlPullParser.START_TAG) {
|
||||
+ // Don't throw an exception when restoring from XML since an attacker could try to
|
||||
+ // input invalid data in the persisted file.
|
||||
return new PersistableBundle((ArrayMap<String, Object>)
|
||||
XmlUtils.readThisArrayMapXml(in, startTag, tagName,
|
||||
- new MyReadMapCallback()));
|
||||
+ new MyReadMapCallback()),
|
||||
+ /* throwException */ false);
|
||||
}
|
||||
}
|
||||
return EMPTY;
|
43
Patches/LineageOS-17.1/android_frameworks_base/377006.patch
Normal file
43
Patches/LineageOS-17.1/android_frameworks_base/377006.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Marzia Favaro <marziana@google.com>
|
||||
Date: Mon, 31 Jul 2023 15:10:34 +0000
|
||||
Subject: [PATCH] Require permission to unlock keyguard
|
||||
|
||||
Bug: 288896339
|
||||
Test: Manual, verify that the app which can be found on the bug can no longer call
|
||||
keyguardGoingAway successfully
|
||||
|
||||
Require permission to unlock keyguard
|
||||
|
||||
Bug: 288896339
|
||||
Test: Manual, verify that the app which can be found on the bug can no longer call
|
||||
keyguardGoingAway successfully
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bd2aa5d309c5bf8e73161975bd5aba7945b25e84)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ef1345d278bd2a8944c6362bf65cff7305ca6fc5)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ad8e7e3b1db22684988a179e23639567a4096ca6)
|
||||
Merged-In: I7ba7e56f954c8e6f1f734311f735215918975bc6
|
||||
Change-Id: I7ba7e56f954c8e6f1f734311f735215918975bc6
|
||||
---
|
||||
.../java/com/android/server/wm/ActivityTaskManagerService.java | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java
|
||||
index d0dad0a23729..5bcc5975604a 100644
|
||||
--- a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java
|
||||
+++ b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java
|
||||
@@ -18,6 +18,7 @@ package com.android.server.wm;
|
||||
|
||||
import static android.Manifest.permission.BIND_VOICE_INTERACTION;
|
||||
import static android.Manifest.permission.CHANGE_CONFIGURATION;
|
||||
+import static android.Manifest.permission.CONTROL_KEYGUARD;
|
||||
import static android.Manifest.permission.CONTROL_REMOTE_APP_TRANSITION_ANIMATIONS;
|
||||
import static android.Manifest.permission.INTERACT_ACROSS_USERS;
|
||||
import static android.Manifest.permission.INTERACT_ACROSS_USERS_FULL;
|
||||
@@ -3890,6 +3891,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub {
|
||||
|
||||
@Override
|
||||
public void keyguardGoingAway(int flags) {
|
||||
+ mAmInternal.enforceCallingPermission(CONTROL_KEYGUARD, "unlock keyguard");
|
||||
enforceNotIsolatedCaller("keyguardGoingAway");
|
||||
final long token = Binder.clearCallingIdentity();
|
||||
try {
|
63
Patches/LineageOS-17.1/android_frameworks_base/377008.patch
Normal file
63
Patches/LineageOS-17.1/android_frameworks_base/377008.patch
Normal file
@ -0,0 +1,63 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pawan Wagh <waghpawan@google.com>
|
||||
Date: Tue, 13 Jun 2023 17:37:26 +0000
|
||||
Subject: [PATCH] Use readUniqueFileDescriptor in incidentd service
|
||||
|
||||
readFileDescriptor doesn't provide ownership of the fds. fdopen
|
||||
needs ownership of the fds. Fds read from parcel should be duped
|
||||
in this scenario and readUniqueFileDescriptor dups fds internally.
|
||||
|
||||
Test: m incidentd_service_fuzzer && adb sync data && adb shell /data/fuzz/x86_64/incidentd_service_fuzzer/incidentd_service_fuzzer
|
||||
Test: atest incidentd_test
|
||||
Bug: 286931110
|
||||
Bug: 283699145
|
||||
(cherry picked from commit ba78ef276951269f7b024baebdf1b8fa40bedb23)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b4aaf180ee8f3e375c7ab411f03cf9c24c1d8055)
|
||||
Merged-In: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e
|
||||
Change-Id: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e
|
||||
---
|
||||
cmds/incidentd/src/IncidentService.cpp | 20 ++++++++++++--------
|
||||
1 file changed, 12 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/cmds/incidentd/src/IncidentService.cpp b/cmds/incidentd/src/IncidentService.cpp
|
||||
index a52726396b53..a4819633efee 100644
|
||||
--- a/cmds/incidentd/src/IncidentService.cpp
|
||||
+++ b/cmds/incidentd/src/IncidentService.cpp
|
||||
@@ -418,9 +418,13 @@ status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel*
|
||||
|
||||
switch (code) {
|
||||
case SHELL_COMMAND_TRANSACTION: {
|
||||
- int in = data.readFileDescriptor();
|
||||
- int out = data.readFileDescriptor();
|
||||
- int err = data.readFileDescriptor();
|
||||
+ unique_fd in, out, err;
|
||||
+ if (status_t status = data.readUniqueFileDescriptor(&in); status != OK) return status;
|
||||
+
|
||||
+ if (status_t status = data.readUniqueFileDescriptor(&out); status != OK) return status;
|
||||
+
|
||||
+ if (status_t status = data.readUniqueFileDescriptor(&err); status != OK) return status;
|
||||
+
|
||||
int argc = data.readInt32();
|
||||
Vector<String8> args;
|
||||
for (int i = 0; i < argc && data.dataAvail() > 0; i++) {
|
||||
@@ -430,15 +434,15 @@ status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel*
|
||||
sp<IResultReceiver> resultReceiver =
|
||||
IResultReceiver::asInterface(data.readStrongBinder());
|
||||
|
||||
- FILE* fin = fdopen(in, "r");
|
||||
- FILE* fout = fdopen(out, "w");
|
||||
- FILE* ferr = fdopen(err, "w");
|
||||
+ FILE* fin = fdopen(in.release(), "r");
|
||||
+ FILE* fout = fdopen(out.release(), "w");
|
||||
+ FILE* ferr = fdopen(err.release(), "w");
|
||||
|
||||
if (fin == NULL || fout == NULL || ferr == NULL) {
|
||||
resultReceiver->send(NO_MEMORY);
|
||||
} else {
|
||||
- err = command(fin, fout, ferr, args);
|
||||
- resultReceiver->send(err);
|
||||
+ status_t result = command(fin, fout, ferr, args);
|
||||
+ resultReceiver->send(result);
|
||||
}
|
||||
|
||||
if (fin != NULL) {
|
29
Patches/LineageOS-17.1/android_frameworks_base/377009.patch
Normal file
29
Patches/LineageOS-17.1/android_frameworks_base/377009.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pinyao Ting <pinyaoting@google.com>
|
||||
Date: Mon, 24 Jul 2023 14:58:56 -0700
|
||||
Subject: [PATCH] Validate userId when publishing shortcuts
|
||||
|
||||
Bug: 288110451
|
||||
Test: manual
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01bfd04ff445db6290ae430d44ea1bf1a115fe3c)
|
||||
Merged-In: Idbde676f871db83825155730e3714f3727e25762
|
||||
Change-Id: Idbde676f871db83825155730e3714f3727e25762
|
||||
---
|
||||
services/core/java/com/android/server/pm/ShortcutService.java | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
|
||||
index d1ee52eef2df..0e887d375924 100644
|
||||
--- a/services/core/java/com/android/server/pm/ShortcutService.java
|
||||
+++ b/services/core/java/com/android/server/pm/ShortcutService.java
|
||||
@@ -1589,6 +1589,10 @@ public class ShortcutService extends IShortcutService.Stub {
|
||||
android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, "");
|
||||
throw new SecurityException("Shortcut package name mismatch");
|
||||
}
|
||||
+ final int callingUid = injectBinderCallingUid();
|
||||
+ if (UserHandle.getUserId(callingUid) != si.getUserId()) {
|
||||
+ throw new SecurityException("User-ID in shortcut doesn't match the caller");
|
||||
+ }
|
||||
}
|
||||
|
||||
private void verifyShortcutInfoPackages(
|
45
Patches/LineageOS-17.1/android_frameworks_base/377010.patch
Normal file
45
Patches/LineageOS-17.1/android_frameworks_base/377010.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Beverly Tai <beverlyt@google.com>
|
||||
Date: Thu, 14 Sep 2023 20:50:28 +0000
|
||||
Subject: [PATCH] Revert "On device lockdown, always show the keyguard"
|
||||
|
||||
This reverts commit b23c2d5fb6630ea0da503b937f62880594b13e94.
|
||||
|
||||
Reason for revert: b/300463732 regression
|
||||
Bug: 300463732
|
||||
Bug: 218495634
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f57217125f2b124c16c463ef4507fb054cc1ba4f)
|
||||
Merged-In: I31485d0d8caa3060e998636b071dbe03f6b4fc82
|
||||
Change-Id: I31485d0d8caa3060e998636b071dbe03f6b4fc82
|
||||
---
|
||||
.../systemui/keyguard/KeyguardViewMediator.java | 10 +---------
|
||||
1 file changed, 1 insertion(+), 9 deletions(-)
|
||||
|
||||
diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
index a7d5c64dd3a3..e21b14dec0b0 100644
|
||||
--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
@@ -556,13 +556,6 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
notifyHasLockscreenWallpaperChanged(hasLockscreenWallpaper);
|
||||
}
|
||||
}
|
||||
-
|
||||
- @Override
|
||||
- public void onStrongAuthStateChanged(int userId) {
|
||||
- if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
|
||||
- doKeyguardLocked(null);
|
||||
- }
|
||||
- }
|
||||
};
|
||||
|
||||
ViewMediatorCallback mViewMediatorCallback = new ViewMediatorCallback() {
|
||||
@@ -1326,8 +1319,7 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
}
|
||||
|
||||
// if another app is disabling us, don't show
|
||||
- if (!mExternallyEnabled
|
||||
- && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
|
||||
+ if (!mExternallyEnabled) {
|
||||
if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled");
|
||||
|
||||
mNeedToReshowWhenReenabled = true;
|
33
Patches/LineageOS-17.1/android_frameworks_base/377011.patch
Normal file
33
Patches/LineageOS-17.1/android_frameworks_base/377011.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Kunal Malhotra <malhk@google.com>
|
||||
Date: Thu, 2 Feb 2023 23:48:27 +0000
|
||||
Subject: [PATCH] Adding in verification of calling UID in onShellCommand
|
||||
|
||||
Test: manual testing on device
|
||||
Bug: b/261709193
|
||||
(cherry picked from commit b651d295b44eb82d664861b77f33dbde1bce9453)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3ef3f18ba3094c4cc4f954ba23d1da421f9ca8b0)
|
||||
Merged-In: I68903ebd6d3d85f4bc820b745e3233a448b62273
|
||||
Change-Id: I68903ebd6d3d85f4bc820b745e3233a448b62273
|
||||
---
|
||||
.../java/com/android/server/am/ActivityManagerService.java | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
index 3e99e594a702..faeb5f348834 100644
|
||||
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
|
||||
@@ -9884,6 +9884,13 @@ public class ActivityManagerService extends IActivityManager.Stub
|
||||
public void onShellCommand(FileDescriptor in, FileDescriptor out,
|
||||
FileDescriptor err, String[] args, ShellCallback callback,
|
||||
ResultReceiver resultReceiver) {
|
||||
+ final int callingUid = Binder.getCallingUid();
|
||||
+ if (callingUid != ROOT_UID && callingUid != Process.SHELL_UID) {
|
||||
+ if (resultReceiver != null) {
|
||||
+ resultReceiver.send(-1, null);
|
||||
+ }
|
||||
+ throw new SecurityException("Shell commands are only callable by root or shell");
|
||||
+ }
|
||||
(new ActivityManagerShellCommand(this, false)).exec(
|
||||
this, in, out, err, args, callback, resultReceiver);
|
||||
}
|
71
Patches/LineageOS-17.1/android_frameworks_base/377012.patch
Normal file
71
Patches/LineageOS-17.1/android_frameworks_base/377012.patch
Normal file
@ -0,0 +1,71 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Beverly Tai <beverlyt@google.com>
|
||||
Date: Tue, 19 Sep 2023 21:01:11 +0000
|
||||
Subject: [PATCH] Updated: always show the keyguard on device lockdown
|
||||
|
||||
Additionally, don't hide keyguard when it's disabled if the user has locked
|
||||
down the device.
|
||||
|
||||
Manual test steps:
|
||||
1. Enable app pinning and disable "Ask for PIN before unpinning" setting
|
||||
2. Pin an app (ie: Settings)
|
||||
3. Lockdown from the power menu
|
||||
4. Observe: user is brought to the keyguard, primary auth is
|
||||
required to enter the device.
|
||||
=> After entering correct credential, the device is still in
|
||||
app pinning mode.
|
||||
=> After entering an incorrect credential, the keyguard remains
|
||||
showing and the user can attempt again up to the limit
|
||||
|
||||
Bug: 300463732
|
||||
Bug: 218495634
|
||||
Test: atest KeyguardViewMediatorTest
|
||||
Test: manual
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:35a6e2f2c952440b1102033b2c3e496438503cff)
|
||||
Merged-In: I70fdae80f717712b3dfc9df54b9649959b4bb8f0
|
||||
Change-Id: I70fdae80f717712b3dfc9df54b9649959b4bb8f0
|
||||
---
|
||||
.../systemui/keyguard/KeyguardViewMediator.java | 16 ++++++++++++++--
|
||||
1 file changed, 14 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
index e21b14dec0b0..5c343c941454 100644
|
||||
--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
|
||||
@@ -541,6 +541,13 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
}
|
||||
}
|
||||
|
||||
+ @Override
|
||||
+ public void onStrongAuthStateChanged(int userId) {
|
||||
+ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
|
||||
+ doKeyguardLocked(null);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
@Override
|
||||
public void onTrustChanged(int userId) {
|
||||
if (userId == KeyguardUpdateMonitor.getCurrentUser()) {
|
||||
@@ -1107,6 +1114,10 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
mExternallyEnabled = enabled;
|
||||
|
||||
if (!enabled && mShowing) {
|
||||
+ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
|
||||
+ Log.d(TAG, "keyguardEnabled(false) overridden by user lockdown");
|
||||
+ return;
|
||||
+ }
|
||||
if (mExitSecureCallback != null) {
|
||||
if (DEBUG) Log.d(TAG, "in process of verifyUnlock request, ignoring");
|
||||
// we're in the process of handling a request to verify the user
|
||||
@@ -1318,8 +1329,9 @@ public class KeyguardViewMediator extends SystemUI {
|
||||
return;
|
||||
}
|
||||
|
||||
- // if another app is disabling us, don't show
|
||||
- if (!mExternallyEnabled) {
|
||||
+ // if another app is disabling us, don't show unless we're in lockdown mode
|
||||
+ if (!mExternallyEnabled
|
||||
+ && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
|
||||
if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled");
|
||||
|
||||
mNeedToReshowWhenReenabled = true;
|
@ -0,0 +1,99 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Beth Thibodeau <ethibodeau@google.com>
|
||||
Date: Tue, 8 Aug 2023 16:19:48 -0500
|
||||
Subject: [PATCH] RESTRICT AUTOMERGE: Check URI permissions for resumable media
|
||||
artwork
|
||||
|
||||
When resumable media is added that has artwork set via URI, check the
|
||||
permissions for the URI before attempting to load it
|
||||
|
||||
Test: atest MediaDataManagerTest UriGrantsManagerServiceTest
|
||||
Test: manual with test app
|
||||
Bug: 284297452
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c13567e39cd906c8544011de537490b70ce29b2f)
|
||||
Merged-In: Ie79915d3d1712f08dc2e8dfbd5bc7fd32bb308a3
|
||||
Change-Id: Ie79915d3d1712f08dc2e8dfbd5bc7fd32bb308a3
|
||||
---
|
||||
core/java/android/app/IUriGrantsManager.aidl | 3 ++
|
||||
.../server/uri/UriGrantsManagerService.java | 42 +++++++++++++++++++
|
||||
2 files changed, 45 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/app/IUriGrantsManager.aidl b/core/java/android/app/IUriGrantsManager.aidl
|
||||
index 9e7f2fecfea0..b630d034dca9 100644
|
||||
--- a/core/java/android/app/IUriGrantsManager.aidl
|
||||
+++ b/core/java/android/app/IUriGrantsManager.aidl
|
||||
@@ -39,4 +39,7 @@ interface IUriGrantsManager {
|
||||
void clearGrantedUriPermissions(in String packageName, int userId);
|
||||
ParceledListSlice getUriPermissions(in String packageName, boolean incoming,
|
||||
boolean persistedOnly);
|
||||
+
|
||||
+ int checkGrantUriPermission_ignoreNonSystem(
|
||||
+ int sourceUid, String targetPkg, in Uri uri, int modeFlags, int userId);
|
||||
}
|
||||
diff --git a/services/core/java/com/android/server/uri/UriGrantsManagerService.java b/services/core/java/com/android/server/uri/UriGrantsManagerService.java
|
||||
index 55f062bca2d1..7cab7b28cfee 100644
|
||||
--- a/services/core/java/com/android/server/uri/UriGrantsManagerService.java
|
||||
+++ b/services/core/java/com/android/server/uri/UriGrantsManagerService.java
|
||||
@@ -43,6 +43,7 @@ import static org.xmlpull.v1.XmlPullParser.END_DOCUMENT;
|
||||
import static org.xmlpull.v1.XmlPullParser.START_TAG;
|
||||
|
||||
import android.annotation.Nullable;
|
||||
+import android.annotation.RequiresPermission;
|
||||
import android.app.ActivityManager;
|
||||
import android.app.ActivityManagerInternal;
|
||||
import android.app.AppGlobals;
|
||||
@@ -65,6 +66,7 @@ import android.os.Handler;
|
||||
import android.os.IBinder;
|
||||
import android.os.Looper;
|
||||
import android.os.Message;
|
||||
+import android.os.Process;
|
||||
import android.os.RemoteException;
|
||||
import android.os.SystemClock;
|
||||
import android.os.UserHandle;
|
||||
@@ -1225,6 +1227,46 @@ public class UriGrantsManagerService extends IUriGrantsManager.Stub {
|
||||
return false;
|
||||
}
|
||||
|
||||
+ /**
|
||||
+ * Check if the targetPkg can be granted permission to access uri by
|
||||
+ * the callingUid using the given modeFlags. See {@link #checkGrantUriPermissionUnlocked}.
|
||||
+ *
|
||||
+ * @param callingUid The uid of the grantor app that has permissions to the uri.
|
||||
+ * @param targetPkg The package name of the granted app that needs permissions to the uri.
|
||||
+ * @param uri The uri for which permissions should be granted.
|
||||
+ * @param modeFlags The modes to grant. See {@link Intent#FLAG_GRANT_READ_URI_PERMISSION}, etc.
|
||||
+ * @param userId The userId in which the uri is to be resolved.
|
||||
+ * @return uid of the target or -1 if permission grant not required. Returns -1 if the caller
|
||||
+ * does not hold INTERACT_ACROSS_USERS_FULL
|
||||
+ * @throws SecurityException if the grant is not allowed.
|
||||
+ */
|
||||
+ @Override
|
||||
+ @RequiresPermission(android.Manifest.permission.INTERACT_ACROSS_USERS_FULL)
|
||||
+ public int checkGrantUriPermission_ignoreNonSystem(int callingUid, String targetPkg, Uri uri,
|
||||
+ int modeFlags, int userId) {
|
||||
+ if (!isCallerIsSystemOrPrivileged()) {
|
||||
+ return Process.INVALID_UID;
|
||||
+ }
|
||||
+ final long origId = Binder.clearCallingIdentity();
|
||||
+ try {
|
||||
+ return checkGrantUriPermissionUnlocked(callingUid, targetPkg, uri, modeFlags,
|
||||
+ userId);
|
||||
+ } finally {
|
||||
+ Binder.restoreCallingIdentity(origId);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ private boolean isCallerIsSystemOrPrivileged() {
|
||||
+ final int uid = Binder.getCallingUid();
|
||||
+ if (uid == Process.SYSTEM_UID || uid == Process.ROOT_UID) {
|
||||
+ return true;
|
||||
+ }
|
||||
+ return ActivityManager.checkComponentPermission(
|
||||
+ android.Manifest.permission.INTERACT_ACROSS_USERS_FULL,
|
||||
+ uid, /* owningUid = */-1, /* exported = */ true)
|
||||
+ == PackageManager.PERMISSION_GRANTED;
|
||||
+ }
|
||||
+
|
||||
private void writeGrantedUriPermissions() {
|
||||
if (DEBUG) Slog.v(TAG, "writeGrantedUriPermissions()");
|
||||
|
@ -72,10 +72,10 @@ index 214feebcb..9bd85aa13 100644
|
||||
{"initNative", "()V", (void*)initNative},
|
||||
{"sendMediaUpdateNative", "(ZZZ)V", (void*)sendMediaUpdateNative},
|
||||
diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
|
||||
index 55b391c56..ea1eeeb73 100644
|
||||
index aa0a13d46..997ac5a29 100644
|
||||
--- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
|
||||
+++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
|
||||
@@ -1238,7 +1238,7 @@ static jbyteArray obfuscateAddressNative(JNIEnv* env, jobject obj,
|
||||
@@ -1239,7 +1239,7 @@ static jbyteArray obfuscateAddressNative(JNIEnv* env, jobject obj,
|
||||
return output_bytes;
|
||||
}
|
||||
|
||||
|
@ -0,0 +1,38 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Brian Delwiche <delwiche@google.com>
|
||||
Date: Thu, 5 Oct 2023 00:01:03 +0000
|
||||
Subject: [PATCH] Fix UAF in ~CallbackEnv
|
||||
|
||||
com_android_bluetooth_btservice_AdapterService does not null its local
|
||||
JNI environment variable after detaching the thread (which frees the
|
||||
environment context), allowing UAF under certain conditions.
|
||||
|
||||
Null the variable in this case.
|
||||
|
||||
Testing here was done through a custom unit test; see patchsets 4-6 for
|
||||
contents. However, unit testing of the JNI layer is problematic in
|
||||
production, so that part of the patch is omitted for final merge.
|
||||
|
||||
Bug: 291500341
|
||||
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
|
||||
Tag: #security
|
||||
Ignore-AOSP-First: Security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f543d919c4067f2f4925580fd8a690ba3440e80)
|
||||
Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030
|
||||
Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
|
||||
---
|
||||
jni/com_android_bluetooth_btservice_AdapterService.cpp | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
|
||||
index 55b391c56..aa0a13d46 100644
|
||||
--- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
|
||||
+++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
|
||||
@@ -404,6 +404,7 @@ static void callback_thread_event(bt_cb_thread_evt event) {
|
||||
return;
|
||||
}
|
||||
vm->DetachCurrentThread();
|
||||
+ callbackEnv = NULL;
|
||||
}
|
||||
}
|
||||
|
@ -0,0 +1,40 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pinyao Ting <pinyaoting@google.com>
|
||||
Date: Tue, 12 Sep 2023 22:37:16 +0000
|
||||
Subject: [PATCH] Fix permission bypass in legacy shortcut
|
||||
|
||||
Intent created for Chooser should not be allowed in legacy shortcuts
|
||||
since it doesn't make sense for user to tap on a shortcut in homescreen
|
||||
to share, the expected share flow started from ShareSheet.
|
||||
|
||||
Bug: 295334906, 295045199
|
||||
Test: manual
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b7b192bd7f24a2aa7d6881ee949657c9760c0305)
|
||||
Merged-In: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
|
||||
Change-Id: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
|
||||
---
|
||||
.../android/launcher3/util/PackageManagerHelper.java | 11 ++---------
|
||||
1 file changed, 2 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java
|
||||
index f263331f8f..1ca28f82dc 100644
|
||||
--- a/src/com/android/launcher3/util/PackageManagerHelper.java
|
||||
+++ b/src/com/android/launcher3/util/PackageManagerHelper.java
|
||||
@@ -114,15 +114,8 @@ public class PackageManagerHelper {
|
||||
public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
|
||||
// b/270152142
|
||||
if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
|
||||
- final Bundle extras = intent.getExtras();
|
||||
- if (extras == null) {
|
||||
- return true;
|
||||
- }
|
||||
- // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
|
||||
- intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
|
||||
- if (intent == null) {
|
||||
- return true;
|
||||
- }
|
||||
+ // Chooser shortcuts is not a valid target
|
||||
+ return false;
|
||||
}
|
||||
ResolveInfo target = mPm.resolveActivity(intent, 0);
|
||||
if (target == null) {
|
@ -0,0 +1,108 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Pranav Madapurmath <pmadapurmath@google.com>
|
||||
Date: Wed, 5 Apr 2023 21:36:12 +0000
|
||||
Subject: [PATCH] Resolve account image icon profile boundary exploit.
|
||||
|
||||
Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit
|
||||
is possible where the user can upload an image icon (belonging to
|
||||
another user) via registering a phone account. This CL provides a
|
||||
lightweight solution for parsing the image URI to detect profile
|
||||
exploitation.
|
||||
|
||||
Fixes: 273502295
|
||||
Fixes: 296915211
|
||||
Test: Unit test to enforce successful/failure path
|
||||
(cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7)
|
||||
(cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42)
|
||||
Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
|
||||
Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5
|
||||
---
|
||||
.../server/telecom/TelecomServiceImpl.java | 22 +++++++++++++++++++
|
||||
.../telecom/tests/TelecomServiceImplTest.java | 21 ++++++++++++++++++
|
||||
2 files changed, 43 insertions(+)
|
||||
|
||||
diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java
|
||||
index 8c498fc55..4472ad837 100644
|
||||
--- a/src/com/android/server/telecom/TelecomServiceImpl.java
|
||||
+++ b/src/com/android/server/telecom/TelecomServiceImpl.java
|
||||
@@ -37,6 +37,7 @@ import android.content.pm.PackageManager;
|
||||
import android.content.res.Resources;
|
||||
import android.content.pm.ParceledListSlice;
|
||||
import android.content.pm.ResolveInfo;
|
||||
+import android.graphics.drawable.Icon;
|
||||
import android.net.Uri;
|
||||
import android.os.Binder;
|
||||
import android.os.Build;
|
||||
@@ -513,6 +514,9 @@ public class TelecomServiceImpl {
|
||||
if (callingUid != Process.SHELL_UID) {
|
||||
enforceUserHandleMatchesCaller(account.getAccountHandle());
|
||||
}
|
||||
+ // Validate the profile boundary of the given image URI.
|
||||
+ validateAccountIconUserBoundary(account.getIcon());
|
||||
+
|
||||
final long token = Binder.clearCallingIdentity();
|
||||
try {
|
||||
mPhoneAccountRegistrar.registerPhoneAccount(account);
|
||||
@@ -2100,4 +2104,22 @@ public class TelecomServiceImpl {
|
||||
mContext.sendBroadcast(intent);
|
||||
}
|
||||
}
|
||||
+
|
||||
+ private void validateAccountIconUserBoundary(Icon icon) {
|
||||
+ // Refer to Icon#getUriString for context. The URI string is invalid for icons of
|
||||
+ // incompatible types.
|
||||
+ if (icon != null && (icon.getType() == Icon.TYPE_URI
|
||||
+ /*|| icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP*/)) {
|
||||
+ String encodedUser = icon.getUri().getEncodedUserInfo();
|
||||
+ // If there is no encoded user, the URI is calling into the calling user space
|
||||
+ if (encodedUser != null) {
|
||||
+ int userId = Integer.parseInt(encodedUser);
|
||||
+ if (userId != UserHandle.getUserId(Binder.getCallingUid())) {
|
||||
+ // If we are transcending the profile boundary, throw an error.
|
||||
+ throw new IllegalArgumentException("Attempting to register a phone account with"
|
||||
+ + " an image icon belonging to another user.");
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
|
||||
index 00d8000e4..6daf516d1 100644
|
||||
--- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
|
||||
+++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java
|
||||
@@ -30,6 +30,7 @@ import android.content.Context;
|
||||
import android.content.Intent;
|
||||
import android.content.pm.ApplicationInfo;
|
||||
import android.content.pm.PackageManager;
|
||||
+import android.graphics.drawable.Icon;
|
||||
import android.net.Uri;
|
||||
import android.os.Binder;
|
||||
import android.os.Bundle;
|
||||
@@ -531,6 +532,26 @@ public class TelecomServiceImplTest extends TelecomTestCase {
|
||||
}
|
||||
}
|
||||
|
||||
+ @SmallTest
|
||||
+ @Test
|
||||
+ public void testRegisterPhoneAccountImageIconCrossUser() throws RemoteException {
|
||||
+ String packageNameToUse = "com.android.officialpackage";
|
||||
+ PhoneAccountHandle phHandle = new PhoneAccountHandle(new ComponentName(
|
||||
+ packageNameToUse, "cs"), "test", Binder.getCallingUserHandle());
|
||||
+ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/");
|
||||
+ PhoneAccount phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build();
|
||||
+ doReturn(PackageManager.PERMISSION_GRANTED)
|
||||
+ .when(mContext).checkCallingOrSelfPermission(MODIFY_PHONE_STATE);
|
||||
+
|
||||
+ // This should fail; security exception will be thrown.
|
||||
+ registerPhoneAccountTestHelper(phoneAccount, false);
|
||||
+
|
||||
+ icon = Icon.createWithContentUri("content://0@media/external/images/media/");
|
||||
+ phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build();
|
||||
+ // This should succeed.
|
||||
+ registerPhoneAccountTestHelper(phoneAccount, true);
|
||||
+ }
|
||||
+
|
||||
@SmallTest
|
||||
@Test
|
||||
public void testUnregisterPhoneAccount() throws RemoteException {
|
99
Patches/LineageOS-17.1/android_system_bt/377017.patch
Normal file
99
Patches/LineageOS-17.1/android_system_bt/377017.patch
Normal file
@ -0,0 +1,99 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Sat, 2 Sep 2023 04:20:10 +0000
|
||||
Subject: [PATCH] Reject access to secure service authenticated from a temp
|
||||
bonding [1]
|
||||
|
||||
Rejecct access to services running on l2cap
|
||||
|
||||
Backport of
|
||||
Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
|
||||
|
||||
Bug: 294854926
|
||||
Test: m com.android.btservices
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d)
|
||||
Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
|
||||
Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
|
||||
---
|
||||
stack/btm/btm_sec.cc | 38 ++++++++++++++++++++++++++++++++++----
|
||||
1 file changed, 34 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
|
||||
index 3ba1a6023..d4377a1fe 100644
|
||||
--- a/stack/btm/btm_sec.cc
|
||||
+++ b/stack/btm/btm_sec.cc
|
||||
@@ -104,7 +104,7 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
|
||||
uint32_t mx_proto_id,
|
||||
uint32_t mx_chan_id);
|
||||
|
||||
-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec);
|
||||
+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec);
|
||||
static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec);
|
||||
static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec);
|
||||
static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
|
||||
@@ -146,7 +146,7 @@ static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = {
|
||||
* Returns bool true or false
|
||||
*
|
||||
******************************************************************************/
|
||||
-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) {
|
||||
+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec) {
|
||||
if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) {
|
||||
return (true);
|
||||
}
|
||||
@@ -220,6 +220,25 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
|
||||
return (false);
|
||||
}
|
||||
|
||||
+/*******************************************************************************
|
||||
+ *
|
||||
+ * Function access_secure_service_from_temp_bond
|
||||
+ *
|
||||
+ * Description a utility function to test whether an access to
|
||||
+ * secure service from temp bonding is happening
|
||||
+ *
|
||||
+ * Returns true if the aforementioned condition holds,
|
||||
+ * false otherwise
|
||||
+ *
|
||||
+ ******************************************************************************/
|
||||
+static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec,
|
||||
+ bool locally_initiated,
|
||||
+ uint16_t security_req) {
|
||||
+ return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
|
||||
+ btm_dev_authenticated(p_dev_rec) &&
|
||||
+ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
|
||||
+}
|
||||
+
|
||||
/*******************************************************************************
|
||||
*
|
||||
* Function BTM_SecRegister
|
||||
@@ -2077,9 +2096,13 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
|
||||
}
|
||||
|
||||
if (rc == BTM_SUCCESS) {
|
||||
+ if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required)) {
|
||||
+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
|
||||
+ rc = BTM_FAILED_ON_SECURITY;
|
||||
+ }
|
||||
if (p_callback)
|
||||
- (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS);
|
||||
- return (BTM_SUCCESS);
|
||||
+ (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc);
|
||||
+ return (rc);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -5138,6 +5161,13 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
|
||||
}
|
||||
}
|
||||
|
||||
+ if (access_secure_service_from_temp_bond(p_dev_rec,
|
||||
+ p_dev_rec->is_originator,
|
||||
+ p_dev_rec->security_required)) {
|
||||
+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
|
||||
+ return (BTM_FAILED_ON_SECURITY);
|
||||
+ }
|
||||
+
|
||||
/* All required security procedures already established */
|
||||
p_dev_rec->security_required &=
|
||||
~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
|
37
Patches/LineageOS-17.1/android_system_bt/377018.patch
Normal file
37
Patches/LineageOS-17.1/android_system_bt/377018.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Sat, 2 Sep 2023 04:27:29 +0000
|
||||
Subject: [PATCH] Reject access to secure services authenticated from temp
|
||||
bonding [2]
|
||||
|
||||
Reject access to service running on rfcomm
|
||||
|
||||
this is a backport of
|
||||
I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
|
||||
|
||||
Bug: 294854926
|
||||
Test: m com.android.btservices
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5e0e907ec4948f06b3a35ecf08725c020d533ccb)
|
||||
Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
|
||||
Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
|
||||
---
|
||||
stack/btm/btm_sec.cc | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
|
||||
index d4377a1fe..6163c3fb7 100644
|
||||
--- a/stack/btm/btm_sec.cc
|
||||
+++ b/stack/btm/btm_sec.cc
|
||||
@@ -2425,6 +2425,11 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
|
||||
mx_chan_id, p_callback, p_ref_data);
|
||||
} else /* rc == BTM_SUCCESS */
|
||||
{
|
||||
+ if (access_secure_service_from_temp_bond(p_dev_rec,
|
||||
+ is_originator, security_required)) {
|
||||
+ LOG_ERROR(LOG_TAG, "Trying to access a secure rfcomm service from a temp bonding, reject");
|
||||
+ rc = BTM_FAILED_ON_SECURITY;
|
||||
+ }
|
||||
/* access granted */
|
||||
if (p_callback) {
|
||||
(*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc);
|
47
Patches/LineageOS-17.1/android_system_bt/377019.patch
Normal file
47
Patches/LineageOS-17.1/android_system_bt/377019.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Tue, 12 Sep 2023 23:47:48 +0000
|
||||
Subject: [PATCH] Reject access to secure service authenticated from a temp
|
||||
bonding [3]
|
||||
|
||||
Allow access to rfcomm PSM by default
|
||||
|
||||
Original bug
|
||||
Bug: 294854926
|
||||
|
||||
Nearby regressions:
|
||||
Bug: 298539299
|
||||
|
||||
Test: m com.android.btservices
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab986fe4165aae74c5915f57ad2e78bf80f1d3ec)
|
||||
Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
|
||||
Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
|
||||
---
|
||||
stack/btm/btm_sec.cc | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
|
||||
index 6163c3fb7..e69fe9b4c 100644
|
||||
--- a/stack/btm/btm_sec.cc
|
||||
+++ b/stack/btm/btm_sec.cc
|
||||
@@ -2119,15 +2119,15 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
|
||||
btm_cb.security_mode == BTM_SEC_MODE_SC) {
|
||||
if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
|
||||
if (is_originator) {
|
||||
- /* SM4 to SM4 -> always authenticate & encrypt */
|
||||
- security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
|
||||
+ /* SM4 to SM4 -> always encrypt */
|
||||
+ security_required |= BTM_SEC_OUT_ENCRYPT;
|
||||
} else /* acceptor */
|
||||
{
|
||||
/* SM4 to SM4: the acceptor needs to make sure the authentication is
|
||||
* already done */
|
||||
chk_acp_auth_done = true;
|
||||
- /* SM4 to SM4 -> always authenticate & encrypt */
|
||||
- security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
|
||||
+ /* SM4 to SM4 -> always encrypt */
|
||||
+ security_required |= BTM_SEC_IN_ENCRYPT;
|
||||
}
|
||||
} else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) {
|
||||
/* the remote features are not known yet */
|
128
Patches/LineageOS-17.1/android_system_bt/377020.patch
Normal file
128
Patches/LineageOS-17.1/android_system_bt/377020.patch
Normal file
@ -0,0 +1,128 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Tue, 12 Sep 2023 23:54:08 +0000
|
||||
Subject: [PATCH] Reorganize the code for checking auth requirement
|
||||
|
||||
Original bug
|
||||
Bug: 294854926
|
||||
|
||||
regressions:
|
||||
Bug: 299570702
|
||||
|
||||
Test: Test: m com.android.btservices
|
||||
Test: QA validation
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0c488b2420befe0f8038957861072a8e63702f91)
|
||||
Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
|
||||
Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
|
||||
---
|
||||
stack/btm/btm_sec.cc | 93 ++++++++++++++++++++++++++------------------
|
||||
1 file changed, 56 insertions(+), 37 deletions(-)
|
||||
|
||||
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
|
||||
index e69fe9b4c..e73cfb363 100644
|
||||
--- a/stack/btm/btm_sec.cc
|
||||
+++ b/stack/btm/btm_sec.cc
|
||||
@@ -5081,46 +5081,65 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
|
||||
|
||||
/* If connection is not authenticated and authentication is required */
|
||||
/* start authentication and return PENDING to the caller */
|
||||
- if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) &&
|
||||
- ((p_dev_rec->is_originator &&
|
||||
- (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) ||
|
||||
- (!p_dev_rec->is_originator &&
|
||||
- (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))) ||
|
||||
- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
|
||||
- (!p_dev_rec->is_originator &&
|
||||
- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) &&
|
||||
- (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) {
|
||||
-/*
|
||||
- * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
|
||||
- * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
|
||||
- * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
|
||||
- * authenticated connections, hence we cannot distinguish here.
|
||||
- */
|
||||
-
|
||||
- BTM_TRACE_EVENT("Security Manager: Start authentication");
|
||||
+ if (p_dev_rec->hci_handle != HCI_INVALID_HANDLE) {
|
||||
+ bool start_auth = false;
|
||||
+
|
||||
+ // Check link status of BR/EDR
|
||||
+ if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
|
||||
+ if (p_dev_rec->is_originator) {
|
||||
+ if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) {
|
||||
+ LOG_DEBUG(LOG_TAG, "Outgoing authentication Required");
|
||||
+ start_auth = true;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) {
|
||||
+ LOG_DEBUG(LOG_TAG, "Incoming authentication Required");
|
||||
+ start_auth = true;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- /*
|
||||
- * If we do have a link-key, but we end up here because we need an
|
||||
- * upgrade, then clear the link-key known and authenticated flag before
|
||||
- * restarting authentication.
|
||||
- * WARNING: If the controller has link-key, it is optional and
|
||||
- * recommended for the controller to send a Link_Key_Request.
|
||||
- * In case we need an upgrade, the only alternative would be to delete
|
||||
- * the existing link-key. That could lead to very bad user experience
|
||||
- * or even IOP issues, if a reconnect causes a new connection that
|
||||
- * requires an upgrade.
|
||||
- */
|
||||
- if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) &&
|
||||
- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
|
||||
- (!p_dev_rec->is_originator &&
|
||||
- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
|
||||
- p_dev_rec->sec_flags &=
|
||||
- ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
|
||||
- BTM_SEC_AUTHENTICATED);
|
||||
+ if (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)) {
|
||||
+ /*
|
||||
+ * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
|
||||
+ * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
|
||||
+ * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
|
||||
+ * authenticated connections, hence we cannot distinguish here.
|
||||
+ */
|
||||
+ if (!p_dev_rec->is_originator) {
|
||||
+ if (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) {
|
||||
+ LOG_DEBUG(LOG_TAG, "BTM_SEC_IN_MIN_16_DIGIT_PIN Required");
|
||||
+ start_auth = true;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
- btm_sec_start_authentication(p_dev_rec);
|
||||
- return (BTM_CMD_STARTED);
|
||||
+ if (start_auth) {
|
||||
+ LOG_DEBUG(LOG_TAG, "Security Manager: Start authentication");
|
||||
+
|
||||
+ /*
|
||||
+ * If we do have a link-key, but we end up here because we need an
|
||||
+ * upgrade, then clear the link-key known and authenticated flag before
|
||||
+ * restarting authentication.
|
||||
+ * WARNING: If the controller has link-key, it is optional and
|
||||
+ * recommended for the controller to send a Link_Key_Request.
|
||||
+ * In case we need an upgrade, the only alternative would be to delete
|
||||
+ * the existing link-key. That could lead to very bad user experience
|
||||
+ * or even IOP issues, if a reconnect causes a new connection that
|
||||
+ * requires an upgrade.
|
||||
+ */
|
||||
+ if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) &&
|
||||
+ (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) &&
|
||||
+ (!p_dev_rec->is_originator &&
|
||||
+ (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
|
||||
+ p_dev_rec->sec_flags &=
|
||||
+ ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
|
||||
+ BTM_SEC_AUTHENTICATED);
|
||||
+ }
|
||||
+
|
||||
+ btm_sec_start_authentication(p_dev_rec);
|
||||
+ return (BTM_CMD_STARTED);
|
||||
+ }
|
||||
}
|
||||
|
||||
/* If connection is not encrypted and encryption is required */
|
46
Patches/LineageOS-17.1/android_system_bt/377021.patch
Normal file
46
Patches/LineageOS-17.1/android_system_bt/377021.patch
Normal file
@ -0,0 +1,46 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Wed, 13 Sep 2023 00:00:44 +0000
|
||||
Subject: [PATCH] Enforce authentication if encryption is required
|
||||
|
||||
Original bug
|
||||
Bug: 294854926
|
||||
|
||||
regressions:
|
||||
Bug: 299570702
|
||||
Bug: 299561281
|
||||
|
||||
Test: Test: m com.android.btservices
|
||||
Test: QA validation
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:778d3fb3fb520e54425ecefe9a28453002053553)
|
||||
Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa
|
||||
Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa
|
||||
---
|
||||
stack/btm/btm_sec.cc | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
|
||||
index e73cfb363..de91023c6 100644
|
||||
--- a/stack/btm/btm_sec.cc
|
||||
+++ b/stack/btm/btm_sec.cc
|
||||
@@ -5087,13 +5087,15 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
|
||||
// Check link status of BR/EDR
|
||||
if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
|
||||
if (p_dev_rec->is_originator) {
|
||||
- if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) {
|
||||
- LOG_DEBUG(LOG_TAG, "Outgoing authentication Required");
|
||||
+ if (p_dev_rec->security_required &
|
||||
+ (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) {
|
||||
+ LOG_DEBUG(LOG_TAG, "Outgoing authentication/encryption Required");
|
||||
start_auth = true;
|
||||
}
|
||||
} else {
|
||||
- if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) {
|
||||
- LOG_DEBUG(LOG_TAG, "Incoming authentication Required");
|
||||
+ if (p_dev_rec->security_required &
|
||||
+ (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) {
|
||||
+ LOG_DEBUG(LOG_TAG, "Incoming authentication/encryption Required");
|
||||
start_auth = true;
|
||||
}
|
||||
}
|
@ -0,0 +1,56 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Brian Delwiche <delwiche@google.com>
|
||||
Date: Tue, 3 Oct 2023 21:27:49 +0000
|
||||
Subject: [PATCH] Fix timing attack in BTM_BleVerifySignature
|
||||
|
||||
BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
|
||||
to be deduced through a side-channel attack.
|
||||
|
||||
Change to CRYPTO_memcmp, which is hardened against this attack, to
|
||||
eliminate this attack.
|
||||
|
||||
Bug: 274478807
|
||||
Test: atest bluetooth_test_gd_unit
|
||||
Tag: #security
|
||||
Ignore-AOSP-First: Security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)
|
||||
Merged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c
|
||||
Change-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c
|
||||
---
|
||||
stack/Android.bp | 1 +
|
||||
stack/btm/btm_ble.cc | 3 ++-
|
||||
2 files changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/stack/Android.bp b/stack/Android.bp
|
||||
index c4684236e..4021d9e51 100644
|
||||
--- a/stack/Android.bp
|
||||
+++ b/stack/Android.bp
|
||||
@@ -178,6 +178,7 @@ cc_library_static {
|
||||
shared_libs: [
|
||||
"libcutils",
|
||||
"liblog",
|
||||
+ "libcrypto",
|
||||
],
|
||||
required: [
|
||||
"libldacBT_enc",
|
||||
diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc
|
||||
index b1f4119d5..f34c6db59 100644
|
||||
--- a/stack/btm/btm_ble.cc
|
||||
+++ b/stack/btm/btm_ble.cc
|
||||
@@ -41,6 +41,7 @@
|
||||
#include "hcimsgs.h"
|
||||
#include "log/log.h"
|
||||
#include "l2c_int.h"
|
||||
+#include "openssl/mem.h"
|
||||
#include "osi/include/log.h"
|
||||
#include "osi/include/osi.h"
|
||||
#include "stack/crypto_toolbox/crypto_toolbox.h"
|
||||
@@ -2110,7 +2111,7 @@ bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,
|
||||
|
||||
crypto_toolbox::aes_cmac(p_rec->ble.keys.pcsrk, p_orig, len,
|
||||
BTM_CMAC_TLEN_SIZE, p_mac);
|
||||
- if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
|
||||
+ if (CRYPTO_memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
|
||||
btm_ble_increment_sign_ctr(bd_addr, false);
|
||||
verified = true;
|
||||
}
|
115
Patches/LineageOS-17.1/android_system_netd/377024-backport.patch
Normal file
115
Patches/LineageOS-17.1/android_system_netd/377024-backport.patch
Normal file
@ -0,0 +1,115 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Lin Lee <linlee@google.com>
|
||||
Date: Mon, 7 Aug 2023 09:34:41 +0000
|
||||
Subject: [PATCH] Fix Heap-use-after-free in MDnsSdListener::Monitor::run
|
||||
|
||||
Use thread join to avoid thread exiting after instance
|
||||
recycled.
|
||||
|
||||
Prior to implementing this patch, fuzzing would lead to a segmentation fault after approximately 500 rounds. With the addition of the patch, the fuzzing process can now be repeated for over 30,000 rounds.
|
||||
|
||||
Test: m, fuzzing
|
||||
Fuzzing: mma mdns_service_fuzzer && adb sync data && adb shell /data/fuzz/arm64/mdns_service_fuzzer/mdns_service_fuzzer
|
||||
|
||||
Bug: 272382770
|
||||
Ignore-AOSP-First: Security Issue
|
||||
(cherry picked from commit 9c0c15f80cffb98b36284dd169a2e62e059dbbe3)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:75e5e2e1faec7aa2812fc6fba30d6fe80558bacd)
|
||||
Merged-In: I5bc85451b4e6539bad45ceb672924a37952cc138
|
||||
Change-Id: I5bc85451b4e6539bad45ceb672924a37952cc138
|
||||
---
|
||||
server/MDnsSdListener.cpp | 35 +++++++++++++++++++++++------------
|
||||
server/MDnsSdListener.h | 4 +++-
|
||||
2 files changed, 26 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
|
||||
index 42dcddf3..d551d37c 100644
|
||||
--- a/server/MDnsSdListener.cpp
|
||||
+++ b/server/MDnsSdListener.cpp
|
||||
@@ -29,6 +29,7 @@
|
||||
#include <sys/poll.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/types.h>
|
||||
+#include <thread>
|
||||
|
||||
#define LOG_TAG "MDnsDS"
|
||||
#define DBG 1
|
||||
@@ -527,12 +528,18 @@ MDnsSdListener::Monitor::Monitor() {
|
||||
mPollSize = 10;
|
||||
socketpair(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, mCtrlSocketPair);
|
||||
|
||||
- const int rval = ::android::netdutils::threadLaunch(this);
|
||||
- if (rval != 0) {
|
||||
- ALOGW("Error spawning monitor thread: %s (%d)", strerror(-rval), -rval);
|
||||
- }
|
||||
+ mRescanThread = new std::thread(&Monitor::run, this);
|
||||
+ if (!mRescanThread->joinable()) ALOGE("Unable to launch thread.");
|
||||
}
|
||||
|
||||
+MDnsSdListener::Monitor::~Monitor() {
|
||||
+ if (VDBG) ALOGD("Monitor recycling");
|
||||
+ close(mCtrlSocketPair[1]); // interrupt poll in MDnsSdListener::Monitor::run() and revent will
|
||||
+ // be 17 = POLLIN | POLLHUP
|
||||
+ mRescanThread->join();
|
||||
+ delete mRescanThread;
|
||||
+ if (VDBG) ALOGD("Monitor recycled");
|
||||
+}
|
||||
#define NAP_TIME 200 // 200 ms between polls
|
||||
static int wait_for_property(const char *name, const char *desired_value, int maxwait)
|
||||
{
|
||||
@@ -611,14 +618,18 @@ void MDnsSdListener::Monitor::run() {
|
||||
}
|
||||
}
|
||||
if (VDBG) ALOGD("controlSocket shows revent= %d", mPollFds[0].revents);
|
||||
- switch (mPollFds[0].revents) {
|
||||
- case POLLIN: {
|
||||
- char readBuf[2];
|
||||
- read(mCtrlSocketPair[0], &readBuf, 1);
|
||||
- if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
|
||||
- if (memcmp(RESCAN, readBuf, 1) == 0) {
|
||||
- pollCount = rescan();
|
||||
- }
|
||||
+ if (mPollFds[0].revents & POLLHUP) {
|
||||
+ free(mPollFds);
|
||||
+ free(mPollRefs);
|
||||
+ if (VDBG) ALOGD("Monitor thread leaving.");
|
||||
+ return;
|
||||
+ }
|
||||
+ if (mPollFds[0].revents == POLLIN) {
|
||||
+ char readBuf[2];
|
||||
+ read(mCtrlSocketPair[0], &readBuf, 1);
|
||||
+ if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
|
||||
+ if (memcmp(RESCAN, readBuf, 1) == 0) {
|
||||
+ pollCount = rescan();
|
||||
}
|
||||
}
|
||||
mPollFds[0].revents = 0;
|
||||
diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h
|
||||
index 47ddc28f..915a3bc8 100644
|
||||
--- a/server/MDnsSdListener.h
|
||||
+++ b/server/MDnsSdListener.h
|
||||
@@ -21,6 +21,7 @@
|
||||
#include <dns_sd.h>
|
||||
#include <sysutils/FrameworkListener.h>
|
||||
#include <mutex>
|
||||
+#include <thread>
|
||||
|
||||
#include "NetdCommand.h"
|
||||
|
||||
@@ -70,7 +71,7 @@ private:
|
||||
class Monitor {
|
||||
public:
|
||||
Monitor();
|
||||
- virtual ~Monitor() {}
|
||||
+ ~Monitor();
|
||||
DNSServiceRef *allocateServiceRef(int id, Context *c);
|
||||
void startMonitoring(int id);
|
||||
DNSServiceRef *lookupServiceRef(int id);
|
||||
@@ -100,6 +101,7 @@ private:
|
||||
int mPollSize;
|
||||
int mCtrlSocketPair[2];
|
||||
std::mutex mMutex;
|
||||
+ std::thread* mRescanThread;
|
||||
};
|
||||
|
||||
class Handler : public NetdCommand {
|
@ -0,0 +1,40 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Brian Delwiche <delwiche@google.com>
|
||||
Date: Thu, 5 Oct 2023 00:01:03 +0000
|
||||
Subject: [PATCH] Fix UAF in ~CallbackEnv
|
||||
|
||||
com_android_bluetooth_btservice_AdapterService does not null its local
|
||||
JNI environment variable after detaching the thread (which frees the
|
||||
environment context), allowing UAF under certain conditions.
|
||||
|
||||
Null the variable in this case.
|
||||
|
||||
Testing here was done through a custom unit test; see patchsets 4-6 for
|
||||
contents. However, unit testing of the JNI layer is problematic in
|
||||
production, so that part of the patch is omitted for final merge.
|
||||
|
||||
Bug: 291500341
|
||||
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
|
||||
Tag: #security
|
||||
Ignore-AOSP-First: Security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f543d919c4067f2f4925580fd8a690ba3440e80)
|
||||
Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030
|
||||
Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
|
||||
|
||||
Change-Id: I6abe916720bcd6dbd8a532c2611c11d3c39f1940
|
||||
---
|
||||
jni/com_android_bluetooth_btservice_AdapterService.cpp | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
|
||||
index fdb7dbf0b..b7e927b56 100644
|
||||
--- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
|
||||
+++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
|
||||
@@ -404,6 +404,7 @@ static void callback_thread_event(bt_cb_thread_evt event) {
|
||||
return;
|
||||
}
|
||||
vm->DetachCurrentThread();
|
||||
+ callbackEnv = NULL;
|
||||
}
|
||||
}
|
||||
|
@ -0,0 +1,101 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Sat, 2 Sep 2023 04:20:10 +0000
|
||||
Subject: [PATCH] Reject access to secure service authenticated from a temp
|
||||
bonding [1]
|
||||
|
||||
Rejecct access to services running on l2cap
|
||||
|
||||
Backport of
|
||||
Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
|
||||
|
||||
Bug: 294854926
|
||||
Test: m com.android.btservices
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d)
|
||||
Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
|
||||
Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
|
||||
|
||||
Change-Id: I0435b4ee14c40213f3dae8abc54143ef7e8f67e0
|
||||
---
|
||||
stack/btm/btm_sec.cc | 38 ++++++++++++++++++++++++++++++++++----
|
||||
1 file changed, 34 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
|
||||
index 40f051c0d..4da0320c5 100644
|
||||
--- a/stack/btm/btm_sec.cc
|
||||
+++ b/stack/btm/btm_sec.cc
|
||||
@@ -102,7 +102,7 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
|
||||
uint32_t mx_proto_id,
|
||||
uint32_t mx_chan_id);
|
||||
|
||||
-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec);
|
||||
+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec);
|
||||
static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec);
|
||||
static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec);
|
||||
static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
|
||||
@@ -144,7 +144,7 @@ static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = {
|
||||
* Returns bool true or false
|
||||
*
|
||||
******************************************************************************/
|
||||
-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) {
|
||||
+static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec) {
|
||||
if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) {
|
||||
return (true);
|
||||
}
|
||||
@@ -220,6 +220,25 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
|
||||
return (false);
|
||||
}
|
||||
|
||||
+/*******************************************************************************
|
||||
+ *
|
||||
+ * Function access_secure_service_from_temp_bond
|
||||
+ *
|
||||
+ * Description a utility function to test whether an access to
|
||||
+ * secure service from temp bonding is happening
|
||||
+ *
|
||||
+ * Returns true if the aforementioned condition holds,
|
||||
+ * false otherwise
|
||||
+ *
|
||||
+ ******************************************************************************/
|
||||
+static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec,
|
||||
+ bool locally_initiated,
|
||||
+ uint16_t security_req) {
|
||||
+ return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
|
||||
+ btm_dev_authenticated(p_dev_rec) &&
|
||||
+ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
|
||||
+}
|
||||
+
|
||||
/*******************************************************************************
|
||||
*
|
||||
* Function BTM_SecRegister
|
||||
@@ -2271,9 +2290,13 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
|
||||
}
|
||||
|
||||
if (rc == BTM_SUCCESS) {
|
||||
+ if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required)) {
|
||||
+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
|
||||
+ rc = BTM_FAILED_ON_SECURITY;
|
||||
+ }
|
||||
if (p_callback)
|
||||
- (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS);
|
||||
- return (BTM_SUCCESS);
|
||||
+ (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc);
|
||||
+ return (rc);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -5486,6 +5509,13 @@ extern tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
|
||||
}
|
||||
}
|
||||
|
||||
+ if (access_secure_service_from_temp_bond(p_dev_rec,
|
||||
+ p_dev_rec->is_originator,
|
||||
+ p_dev_rec->security_required)) {
|
||||
+ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
|
||||
+ return (BTM_FAILED_ON_SECURITY);
|
||||
+ }
|
||||
+
|
||||
/* All required security procedures already established */
|
||||
p_dev_rec->security_required &=
|
||||
~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
|
@ -0,0 +1,37 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Sat, 2 Sep 2023 04:27:29 +0000
|
||||
Subject: [PATCH] Reject access to secure services authenticated from temp
|
||||
bonding [2]
|
||||
|
||||
Reject access to service running on rfcomm
|
||||
|
||||
this is a backport of
|
||||
I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
|
||||
|
||||
Bug: 294854926
|
||||
Test: m com.android.btservices
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5e0e907ec4948f06b3a35ecf08725c020d533ccb)
|
||||
Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
|
||||
Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
|
||||
---
|
||||
stack/btm/btm_sec.cc | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
|
||||
index 4da0320c5..93e8b7a60 100644
|
||||
--- a/stack/btm/btm_sec.cc
|
||||
+++ b/stack/btm/btm_sec.cc
|
||||
@@ -2633,6 +2633,11 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
|
||||
mx_chan_id, p_callback, p_ref_data);
|
||||
} else /* rc == BTM_SUCCESS */
|
||||
{
|
||||
+ if (access_secure_service_from_temp_bond(p_dev_rec,
|
||||
+ is_originator, security_required)) {
|
||||
+ LOG_ERROR(LOG_TAG, "Trying to access a secure rfcomm service from a temp bonding, reject");
|
||||
+ rc = BTM_FAILED_ON_SECURITY;
|
||||
+ }
|
||||
/* access granted */
|
||||
if (p_callback) {
|
||||
(*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc);
|
@ -0,0 +1,47 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Tue, 12 Sep 2023 23:47:48 +0000
|
||||
Subject: [PATCH] Reject access to secure service authenticated from a temp
|
||||
bonding [3]
|
||||
|
||||
Allow access to rfcomm PSM by default
|
||||
|
||||
Original bug
|
||||
Bug: 294854926
|
||||
|
||||
Nearby regressions:
|
||||
Bug: 298539299
|
||||
|
||||
Test: m com.android.btservices
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab986fe4165aae74c5915f57ad2e78bf80f1d3ec)
|
||||
Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
|
||||
Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
|
||||
---
|
||||
stack/btm/btm_sec.cc | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
|
||||
index 93e8b7a60..80f4d3031 100644
|
||||
--- a/stack/btm/btm_sec.cc
|
||||
+++ b/stack/btm/btm_sec.cc
|
||||
@@ -2313,15 +2313,15 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
|
||||
btm_cb.security_mode == BTM_SEC_MODE_SC) {
|
||||
if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
|
||||
if (is_originator) {
|
||||
- /* SM4 to SM4 -> always authenticate & encrypt */
|
||||
- security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
|
||||
+ /* SM4 to SM4 -> always encrypt */
|
||||
+ security_required |= BTM_SEC_OUT_ENCRYPT;
|
||||
} else /* acceptor */
|
||||
{
|
||||
/* SM4 to SM4: the acceptor needs to make sure the authentication is
|
||||
* already done */
|
||||
chk_acp_auth_done = true;
|
||||
- /* SM4 to SM4 -> always authenticate & encrypt */
|
||||
- security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
|
||||
+ /* SM4 to SM4 -> always encrypt */
|
||||
+ security_required |= BTM_SEC_IN_ENCRYPT;
|
||||
}
|
||||
} else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) {
|
||||
/* the remote features are not known yet */
|
@ -0,0 +1,23 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Mon, 11 Dec 2023 13:42:41 -0500
|
||||
Subject: [PATCH] Fixup missing import
|
||||
|
||||
Signed-off-by: Tad <tad@spotco.us>
|
||||
Change-Id: I52177ea7c37da977a133afa791e7319c7fb4843b
|
||||
---
|
||||
stack/Android.bp | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/stack/Android.bp b/stack/Android.bp
|
||||
index 696cd6cd2..7bc03a2c2 100644
|
||||
--- a/stack/Android.bp
|
||||
+++ b/stack/Android.bp
|
||||
@@ -185,6 +185,7 @@ cc_library_static {
|
||||
shared_libs: [
|
||||
"libcutils",
|
||||
"liblog",
|
||||
+ "libcrypto",
|
||||
],
|
||||
required: [
|
||||
"libldacBT_enc",
|
@ -0,0 +1,45 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Brian Delwiche <delwiche@google.com>
|
||||
Date: Tue, 3 Oct 2023 21:27:49 +0000
|
||||
Subject: [PATCH] Fix timing attack in BTM_BleVerifySignature
|
||||
|
||||
BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
|
||||
to be deduced through a side-channel attack.
|
||||
|
||||
Change to CRYPTO_memcmp, which is hardened against this attack, to
|
||||
eliminate this attack.
|
||||
|
||||
Bug: 274478807
|
||||
Test: atest bluetooth_test_gd_unit
|
||||
Tag: #security
|
||||
Ignore-AOSP-First: Security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)
|
||||
Merged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c
|
||||
Change-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c
|
||||
|
||||
Change-Id: Ib7f3fff9f40140978c4dfb2f20ca57127586a05a
|
||||
---
|
||||
stack/btm/btm_ble.cc | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc
|
||||
index 7fd154d2d..56f4fa1cd 100644
|
||||
--- a/stack/btm/btm_ble.cc
|
||||
+++ b/stack/btm/btm_ble.cc
|
||||
@@ -41,6 +41,7 @@
|
||||
#include "hcimsgs.h"
|
||||
#include "log/log.h"
|
||||
#include "l2c_int.h"
|
||||
+#include "openssl/mem.h"
|
||||
#include "osi/include/log.h"
|
||||
#include "osi/include/osi.h"
|
||||
#include "stack/crypto_toolbox/crypto_toolbox.h"
|
||||
@@ -2183,7 +2184,7 @@ bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,
|
||||
|
||||
crypto_toolbox::aes_cmac(p_rec->ble.keys.pcsrk, p_orig, len,
|
||||
BTM_CMAC_TLEN_SIZE, p_mac);
|
||||
- if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
|
||||
+ if (CRYPTO_memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
|
||||
btm_ble_increment_sign_ctr(bd_addr, false);
|
||||
verified = true;
|
||||
}
|
@ -0,0 +1,30 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: balakrishna <quic_kunthumu@quicinc.com>
|
||||
Date: Wed, 24 May 2023 13:28:21 +0530
|
||||
Subject: [PATCH] Fix OOB Write in pin_reply in bluetooth.cc
|
||||
|
||||
Root cause:
|
||||
if the length of "pin_code" is greater than 16,
|
||||
an OOBW will be triggered due to a missing bounds check.
|
||||
|
||||
Fix:
|
||||
Check is added to avoid Out of Bound Write.
|
||||
|
||||
CRs-Fixed: 3507292
|
||||
Change-Id: I15a1eae59b17f633e29180a01676c260189b8353
|
||||
---
|
||||
btif/src/bluetooth.cc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
|
||||
index 47667abd7..584d4c5db 100644
|
||||
--- a/btif/src/bluetooth.cc
|
||||
+++ b/btif/src/bluetooth.cc
|
||||
@@ -316,6 +316,7 @@ static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len,
|
||||
bt_pin_code_t tmp_pin_code;
|
||||
/* sanity check */
|
||||
if (interface_ready() == false) return BT_STATUS_NOT_READY;
|
||||
+ if (pin_code == nullptr || pin_len > PIN_CODE_LEN) return BT_STATUS_FAIL;
|
||||
|
||||
memcpy(&tmp_pin_code, pin_code, pin_len);
|
||||
return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code);
|
@ -0,0 +1,35 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: balakrishna <quic_kunthumu@quicinc.com>
|
||||
Date: Tue, 7 Mar 2023 16:53:46 +0530
|
||||
Subject: [PATCH] BT: Fixing the rfc_slot_id overflow
|
||||
|
||||
Root cause:
|
||||
overflow causing leak in slot fds.
|
||||
As slot id 0 not valid, we are not able to release these fds later.
|
||||
|
||||
Fix:
|
||||
Changes are made to avoid overflow while allocate rfc slots.
|
||||
|
||||
CRs-Fixed: 3417458
|
||||
Change-Id: I5d7efa34bfb97a6dd8e9d68615d29120a0ae51f0
|
||||
---
|
||||
btif/src/btif_sock_rfc.cc | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/btif/src/btif_sock_rfc.cc b/btif/src/btif_sock_rfc.cc
|
||||
index c2a0bc868..bfe549eb7 100644
|
||||
--- a/btif/src/btif_sock_rfc.cc
|
||||
+++ b/btif/src/btif_sock_rfc.cc
|
||||
@@ -215,7 +215,11 @@ static rfc_slot_t* alloc_rfc_slot(const RawAddress* addr, const char* name,
|
||||
}
|
||||
|
||||
// Increment slot id and make sure we don't use id=0.
|
||||
- if (++rfc_slot_id == 0) rfc_slot_id = 1;
|
||||
+ if (UINT32_MAX == rfc_slot_id) {
|
||||
+ rfc_slot_id = 1;
|
||||
+ } else {
|
||||
+ ++rfc_slot_id;
|
||||
+ }
|
||||
|
||||
slot->fd = fds[0];
|
||||
slot->app_fd = fds[1];
|
@ -98,6 +98,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
|
||||
awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
|
||||
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
|
||||
#sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
|
||||
sed -i 's/2023-11-05/2023-12-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-12 #XXX
|
||||
fi;
|
||||
|
||||
if enterAndClear "build/soong"; then
|
||||
@ -149,7 +150,21 @@ if enterAndClear "external/zlib"; then
|
||||
git fetch https://github.com/LineageOS/android_external_zlib refs/changes/70/352570/1 && git cherry-pick FETCH_HEAD; #Q_asb_2023-03
|
||||
fi;
|
||||
|
||||
if enterAndClear "frameworks/av"; then
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_av/376999-backport.patch"; #R_asb_2023-12 httplive: fix use-after-free
|
||||
fi;
|
||||
|
||||
if enterAndClear "frameworks/base"; then
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/377001.patch"; #R_asb_2023-12 Visit Uris added by WearableExtender
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/377002.patch"; #R_asb_2023-12 Fix bypass BAL via `requestGeofence`
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/377004-backport.patch"; #R_asb_2023-12 Drop invalid data.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/377006.patch"; #R_asb_2023-12 Require permission to unlock keyguard
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/377008.patch"; #R_asb_2023-12 Use readUniqueFileDescriptor in incidentd service
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/377009.patch"; #R_asb_2023-12 Validate userId when publishing shortcuts
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/377010.patch"; #R_asb_2023-12 Revert "On device lockdown, always show the keyguard"
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/377011.patch"; #R_asb_2023-12 Adding in verification of calling UID in onShellCommand
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/377012.patch"; #R_asb_2023-12 Updated: always show the keyguard on device lockdown
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/377013-backport.patch"; #R_asb_2023-12 Check URI permissions for resumable media artwork #XXX
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
|
||||
@ -280,6 +295,7 @@ if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/LineageAud
|
||||
fi;
|
||||
|
||||
if enterAndClear "packages/apps/Bluetooth"; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/377014-backport.patch"; #R_asb_2023-12 Fix UAF in ~CallbackEnv
|
||||
#applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/272652.patch"; #ten-bt-sbc-hd-dualchannel: SBC Dual Channel (SBC HD Audio) support (ValdikSS)
|
||||
#applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/272653.patch"; #ten-bt-sbc-hd-dualchannel: Assume optional codecs are supported if were supported previously (ValdikSS)
|
||||
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
|
||||
@ -352,6 +368,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics
|
||||
fi;
|
||||
|
||||
if enterAndClear "packages/apps/Trebuchet"; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/377015.patch"; #R_asb_2023-12 Fix permission bypass in legacy shortcut
|
||||
cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed
|
||||
fi;
|
||||
|
||||
@ -379,11 +396,21 @@ fi;
|
||||
#cp $DOS_PATCHES_COMMON/android_packages_providers_TelephonyProvider/carrier_list.* assets/;
|
||||
#fi;
|
||||
|
||||
if enterAndClear "packages/services/Telecomm"; then
|
||||
applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/377016-backport.patch"; #R_asb_2023-12 Resolve account image icon profile boundary exploit.
|
||||
fi;
|
||||
|
||||
if enterAndClear "prebuilts/abi-dumps/vndk"; then
|
||||
applyPatch "$DOS_PATCHES/android_prebuilts_abi-dumps_vndk/0001-protobuf-avi.patch"; #Work around ABI changes from compiler hardening (GrapheneOS)
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/bt"; then
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377017.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1]
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377018.patch"; #R_asb_2023-12 Reject access to secure services authenticated from temp bonding [2]
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377019.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3]
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377020.patch"; #R_asb_2023-12 Reorganize the code for checking auth requirement
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377021.patch"; #R_asb_2023-12 Enforce authentication if encryption is required
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/377023-backport.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
|
||||
#applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
|
||||
#applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
|
||||
@ -410,6 +437,7 @@ applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/netd"; then
|
||||
applyPatch "$DOS_PATCHES/android_system_netd/377024-backport.patch"; #R_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
|
||||
applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES/android_system_netd/0002-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (DivestOS)
|
||||
fi;
|
||||
@ -461,6 +489,20 @@ if enter "vendor/divested"; then
|
||||
echo "PRODUCT_PACKAGES += vendor.lineage.trust@1.0-service" >> packages.mk; #Add deny usb service, all of our kernels have the necessary patch
|
||||
awk -i inplace '!/speed-profile/' build/target/product/lowram.mk; #breaks compile on some dexpreopt devices
|
||||
fi;
|
||||
|
||||
if enterAndClear "vendor/qcom/opensource/commonsys/system/bt"; then
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377026.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1]
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377027.patch"; #R_asb_2023-12 Reject access to secure services authenticated from temp bonding [2]
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377028.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3]
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377029.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377029-fix.patch"; #R_asb_2023-12 Fix missing import
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377030.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377031.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow
|
||||
fi;
|
||||
|
||||
if enterAndClear "vendor/qcom/opensource/commonsys/packages/apps/Bluetooth"; then
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_packages_apps_Bluetooth/377025.patch"; #R_asb_2023-12 Fix UAF in ~CallbackEnv
|
||||
fi;
|
||||
#
|
||||
#END OF ROM CHANGES
|
||||
#
|
||||
|
@ -468,7 +468,7 @@ awk -i inplace '!/speed-profile/' build/target/product/lowram.mk; #breaks compil
|
||||
fi;
|
||||
|
||||
if enterAndClear "vendor/qcom/opensource/commonsys/system/bt"; then
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/0001-Fixup-missing-import.patch"; #R_asb_2023-12
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377029-fix.patch"; #R_asb_2023-12 Fix missing import
|
||||
fi;
|
||||
#
|
||||
#END OF ROM CHANGES
|
||||
|
Loading…
Reference in New Issue
Block a user