From f18fb48d8a8c3f01571cfa2b87affe1f5b3e740c Mon Sep 17 00:00:00 2001 From: Tad Date: Mon, 11 Dec 2023 19:26:24 -0500 Subject: [PATCH] 17.1 December ASB work 
Signed-off-by: Tad --- .../376999-backport.patch | 104 ++++++++++++++ .../0007-Always_Restict_Serial.patch | 2 +- .../0015-Automatic_Reboot.patch | 8 +- .../android_frameworks_base/377001.patch | 95 +++++++++++++ .../android_frameworks_base/377002.patch | 26 ++++ .../377004-backport.patch | 123 +++++++++++++++++ .../android_frameworks_base/377006.patch | 43 ++++++ .../android_frameworks_base/377008.patch | 63 +++++++++ .../android_frameworks_base/377009.patch | 29 ++++ .../android_frameworks_base/377010.patch | 45 ++++++ .../android_frameworks_base/377011.patch | 33 +++++ .../android_frameworks_base/377012.patch | 71 ++++++++++ .../377013-backport.patch | 99 ++++++++++++++ .../0001-constify_JNINativeMethod.patch | 4 +- .../377014-backport.patch | 38 ++++++ .../377015.patch | 40 ++++++ .../377016-backport.patch | 108 +++++++++++++++ .../android_system_bt/377017.patch | 99 ++++++++++++++ .../android_system_bt/377018.patch | 37 +++++ .../android_system_bt/377019.patch | 47 +++++++ .../android_system_bt/377020.patch | 128 ++++++++++++++++++ .../android_system_bt/377021.patch | 46 +++++++ .../android_system_bt/377023-backport.patch | 56 ++++++++ .../android_system_netd/377024-backport.patch | 115 ++++++++++++++++ .../377025.patch | 40 ++++++ .../377026.patch | 101 ++++++++++++++ .../377027.patch | 37 +++++ .../377028.patch | 47 +++++++ .../377029-fix.patch | 23 ++++ .../377029.patch | 45 ++++++ .../377030.patch | 30 ++++ .../377031.patch | 35 +++++ ...-missing-import.patch => 377029-fix.patch} | 0 Scripts/LineageOS-17.1/Patch.sh | 42 ++++++ Scripts/LineageOS-18.1/Patch.sh | 2 +- 35 files changed, 1853 insertions(+), 8 deletions(-) create mode 100644 Patches/LineageOS-17.1/android_frameworks_av/376999-backport.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/377001.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/377002.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/377004-backport.patch create mode 
100644 Patches/LineageOS-17.1/android_frameworks_base/377006.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/377008.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/377009.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/377010.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/377011.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/377012.patch create mode 100644 Patches/LineageOS-17.1/android_frameworks_base/377013-backport.patch create mode 100644 Patches/LineageOS-17.1/android_packages_apps_Bluetooth/377014-backport.patch create mode 100644 Patches/LineageOS-17.1/android_packages_apps_Trebuchet/377015.patch create mode 100644 Patches/LineageOS-17.1/android_packages_services_Telecomm/377016-backport.patch create mode 100644 Patches/LineageOS-17.1/android_system_bt/377017.patch create mode 100644 Patches/LineageOS-17.1/android_system_bt/377018.patch create mode 100644 Patches/LineageOS-17.1/android_system_bt/377019.patch create mode 100644 Patches/LineageOS-17.1/android_system_bt/377020.patch create mode 100644 Patches/LineageOS-17.1/android_system_bt/377021.patch create mode 100644 Patches/LineageOS-17.1/android_system_bt/377023-backport.patch create mode 100644 Patches/LineageOS-17.1/android_system_netd/377024-backport.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_qcom_opensource_packages_apps_Bluetooth/377025.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377026.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377027.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377028.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029-fix.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029.patch create mode 100644 
Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377030.patch create mode 100644 Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377031.patch rename Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/{0001-Fixup-missing-import.patch => 377029-fix.patch} (100%) diff --git a/Patches/LineageOS-17.1/android_frameworks_av/376999-backport.patch b/Patches/LineageOS-17.1/android_frameworks_av/376999-backport.patch new file mode 100644 index 00000000..727e3214 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_av/376999-backport.patch 
@@ -0,0 +1,104 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Toni Heidenreich +Date: Wed, 6 Sep 2023 12:49:33 +0000 +Subject: [PATCH] httplive: fix use-after-free + +Implement a mutex to ensure secure multi-threaded +access to the KeyedVector in MetaDataBase. +Concurrent access by different threads can lead +to accessing the wrong memory location due to +potential changes in the vector + +Bug: 298057702 +Test: HTTP Live Streaming test +(cherry picked from https://partner-android-review.googlesource.com/q/commit:a2dfb31957a9d5358d0219a0eda7dcb5b0fff5fe) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90fb4ca425444429ada6ce0de1c13d35829bc196) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c1d9613ef64e01d2e81c4aa44c90dcd8ca958b9) +Merged-In: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a +Change-Id: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a +--- + media/libstagefright/foundation/MetaDataBase.cpp | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/media/libstagefright/foundation/MetaDataBase.cpp b/media/libstagefright/foundation/MetaDataBase.cpp +index bfea6f1537..a3c623e354 100644 +--- a/media/libstagefright/foundation/MetaDataBase.cpp ++++ b/media/libstagefright/foundation/MetaDataBase.cpp +@@ -24,6 +24,8 @@ + #include + #include + ++#include ++ + #include + #include + #include +@@ -75,6 +77,7 @@ struct MetaDataBase::Rect { + + + struct MetaDataBase::MetaDataInternal { ++ std::mutex mLock; + KeyedVector mItems; + }; + +@@ -99,10 +102,12 @@ MetaDataBase::~MetaDataBase() { + } + + void MetaDataBase::clear() { ++ std::lock_guard guard(mInternalData->mLock); + mInternalData->mItems.clear(); + } + + bool MetaDataBase::remove(uint32_t key) { ++ std::lock_guard guard(mInternalData->mLock); + ssize_t i = mInternalData->mItems.indexOfKey(key); + + if (i < 0) { +@@ -249,6 +254,7 @@ bool MetaDataBase::setData( + uint32_t key, uint32_t type, const void *data, size_t 
size) { + bool overwrote_existing = true; + ++ std::lock_guard guard(mInternalData->mLock); + ssize_t i = mInternalData->mItems.indexOfKey(key); + if (i < 0) { + typed_data item; +@@ -266,6 +272,7 @@ bool MetaDataBase::setData( + + bool MetaDataBase::findData(uint32_t key, uint32_t *type, + const void **data, size_t *size) const { ++ std::lock_guard guard(mInternalData->mLock); + ssize_t i = mInternalData->mItems.indexOfKey(key); + + if (i < 0) { +@@ -280,6 +287,7 @@ bool MetaDataBase::findData(uint32_t key, uint32_t *type, + } + + bool MetaDataBase::hasData(uint32_t key) const { ++ std::lock_guard guard(mInternalData->mLock); + ssize_t i = mInternalData->mItems.indexOfKey(key); + + if (i < 0) { +@@ -426,6 +434,7 @@ static void MakeFourCCString(uint32_t x, char *s) { + + String8 MetaDataBase::toString() const { + String8 s; ++ std::lock_guard guard(mInternalData->mLock); + for (int i = mInternalData->mItems.size(); --i >= 0;) { + int32_t key = mInternalData->mItems.keyAt(i); + char cc[5]; +@@ -440,6 +449,7 @@ String8 MetaDataBase::toString() const { + } + + void MetaDataBase::dumpToLog() const { ++ std::lock_guard guard(mInternalData->mLock); + for (int i = mInternalData->mItems.size(); --i >= 0;) { + int32_t key = mInternalData->mItems.keyAt(i); + char cc[5]; +@@ -451,6 +461,7 @@ void MetaDataBase::dumpToLog() const { + + status_t MetaDataBase::writeToParcel(Parcel &parcel) { + status_t ret; ++ std::lock_guard guard(mInternalData->mLock); + size_t numItems = mInternalData->mItems.size(); + ret = parcel.writeUint32(uint32_t(numItems)); + if (ret) { diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch b/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch index 02588892..07c1f50f 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0007-Always_Restict_Serial.patch 
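Review bot: Every guard added here is a `std::lock_guard` on a non-recursive `std::mutex`, so any MetaDataBase member that takes mLock and then calls another locked member (for example an updateFromParcel that calls clear() or setData(), outside this hunk) would self-deadlock; confirm against the full MetaDataBase.cpp before this backport ships. The copy constructor and assignment operator of MetaDataBase, also outside the hunk, presumably read mItems too — if they are left unlocked the race this patch closes is still reachable through them. A one-line comment on the new field, `std::mutex mLock; // guards mItems; every accessor below must hold it`, would make the invariant explicit for the next backport.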
@@ -10,7 +10,7 @@ requiring the READ_PHONE_STATE permission. 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java -index 3e99e594a702..409c546ca624 100644 +index faeb5f348834..120c5c10cb16 100644 --- a/services/core/java/com/android/server/am/ActivityManagerService.java +++ b/services/core/java/com/android/server/am/ActivityManagerService.java @@ -5026,12 +5026,7 @@ public class ActivityManagerService extends IActivityManager.Stub diff --git a/Patches/LineageOS-17.1/android_frameworks_base/0015-Automatic_Reboot.patch b/Patches/LineageOS-17.1/android_frameworks_base/0015-Automatic_Reboot.patch index c5968c11..497fb78b 100644 --- a/Patches/LineageOS-17.1/android_frameworks_base/0015-Automatic_Reboot.patch +++ b/Patches/LineageOS-17.1/android_frameworks_base/0015-Automatic_Reboot.patch @@ -55,7 +55,7 @@ index 55104b4e0ee2..5ed2807922d9 100644 diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java -index a7d5c64dd3a3..f0bb02d21c8a 100644 +index 5c343c941454..c838c5680829 100644 --- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java @@ -152,6 +152,8 @@ public class KeyguardViewMediator extends SystemUI { @@ -117,7 +117,7 @@ index a7d5c64dd3a3..f0bb02d21c8a 100644 /** * Let's us know when the device is waking up. */ -@@ -1380,6 +1404,10 @@ public class KeyguardViewMediator extends SystemUI { +@@ -1384,6 +1408,10 @@ public class KeyguardViewMediator extends SystemUI { if (DEBUG) Log.d(TAG, "doKeyguard: showing the lock screen"); showLocked(options); 
@@ -128,7 +128,7 @@ index a7d5c64dd3a3..f0bb02d21c8a 100644 } private void lockProfile(int userId) { -@@ -1543,6 +1571,12 @@ public class KeyguardViewMediator extends SystemUI { +@@ -1547,6 +1575,12 @@ public class KeyguardViewMediator extends SystemUI { } } } @@ -141,7 +141,7 @@ index a7d5c64dd3a3..f0bb02d21c8a 100644 } } }; -@@ -1964,6 +1998,7 @@ public class KeyguardViewMediator extends SystemUI { +@@ -1968,6 +2002,7 @@ public class KeyguardViewMediator extends SystemUI { mHideAnimationRun = false; adjustStatusBarLocked(); sendUserPresentBroadcast(); diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377001.patch b/Patches/LineageOS-17.1/android_frameworks_base/377001.patch new file mode 100644 index 00000000..7375e8ab --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/377001.patch 
@@ -0,0 +1,95 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C3=ADas=20Hern=C3=A1ndez?= +Date: Wed, 5 Jul 2023 13:52:21 +0200 +Subject: [PATCH] Visit Uris added by WearableExtender + +Bug: 283962802 +Test: atest + manual (POC app now crashes on notify() as expected) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a6f44e911f2d7204cc28c710e54f97c96231abab) +Merged-In: I0da18c631eb5e4844a48760c7aaedab715a0bfed +Change-Id: I0da18c631eb5e4844a48760c7aaedab715a0bfed +--- + core/java/android/app/Notification.java | 17 +++++++++++++++- + .../NotificationManagerServiceTest.java | 20 +++++++++++++++++++ + 2 files changed, 36 insertions(+), 1 deletion(-) + +diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java +index d8eefc3d3be4..9d0a5e93e2d8 100644 +--- a/core/java/android/app/Notification.java ++++ b/core/java/android/app/Notification.java +@@ -1790,6 +1790,10 @@ public class Notification implements Parcelable + } + } + ++ private void visitUris(@NonNull Consumer visitor) { ++ visitIconUri(visitor, getIcon()); ++ } ++ + @Override + public Action clone() { + return new Action( +@@ -2467,7 +2471,7 @@ public class Notification implements Parcelable + + if (actions != null) { + for (Action action : actions) { +- visitIconUri(visitor, action.getIcon()); ++ action.visitUris(visitor); + } + } + +@@ -2501,6 +2505,11 @@ public class Notification implements Parcelable + if (mBubbleMetadata != null) { + visitIconUri(visitor, mBubbleMetadata.getIcon()); + } ++ ++ if (extras != null && extras.containsKey(WearableExtender.EXTRA_WEARABLE_EXTENSIONS)) { ++ WearableExtender extender = new WearableExtender(this); ++ extender.visitUris(visitor); ++ } + } + + /** +@@ -9818,6 +9827,12 @@ public class Notification implements Parcelable + mFlags &= ~mask; + } + } ++ ++ private void visitUris(@NonNull Consumer visitor) { ++ for (Action action : mActions) { ++ 
action.visitUris(visitor); ++ } ++ } + } + + /** +diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +index 34550bb52a52..61297cf67ee0 100755 +--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java ++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java +@@ -3528,6 +3528,26 @@ public class NotificationManagerServiceTest extends UiServiceTestCase { + verify(visitor, times(1)).accept(eq(personIcon3.getUri())); + } + ++ @Test ++ public void testVisitUris_wearableExtender() { ++ Icon actionIcon = Icon.createWithContentUri("content://media/action"); ++ Icon wearActionIcon = Icon.createWithContentUri("content://media/wearAction"); ++ PendingIntent intent = PendingIntent.getActivity(mContext, 0, new Intent(), ++ PendingIntent.FLAG_IMMUTABLE); ++ Notification n = new Notification.Builder(mContext, "a") ++ .setSmallIcon(android.R.drawable.sym_def_app_icon) ++ .addAction(new Notification.Action.Builder(actionIcon, "Hey!", intent).build()) ++ .extend(new Notification.WearableExtender().addAction( ++ new Notification.Action.Builder(wearActionIcon, "Wear!", intent).build())) ++ .build(); ++ ++ Consumer visitor = (Consumer) spy(Consumer.class); ++ n.visitUris(visitor); ++ ++ verify(visitor).accept(eq(actionIcon.getUri())); ++ verify(visitor).accept(eq(wearActionIcon.getUri())); ++ } ++ + @Test + public void testSetNotificationPolicy_preP_setOldFields() { + ZenModeHelper mZenModeHelper = mock(ZenModeHelper.class); diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377002.patch b/Patches/LineageOS-17.1/android_frameworks_base/377002.patch new file mode 100644 index 00000000..9a8753df --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/377002.patch 
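Review bot: The two new private `visitUris` helpers on Action and WearableExtender carry no Javadoc, and the Action one visits only its icon, which the name does not convey; add `/** Visits every content URI this Action references - currently only its icon. */` on Action.visitUris and `/** Visits the URIs of the wearable-only actions, which Notification.visitUris otherwise never reaches. */` on the WearableExtender one. The WearableExtender loop iterates `mActions` with no null guard; if an extender can be built from a wearable bundle that lacks the actions list, confirm that field is initialised to an empty list rather than left null. The `extras.containsKey(WearableExtender.EXTRA_WEARABLE_EXTENSIONS)` gate in Notification.visitUris is the only entry point to the new code, which is the right place for it.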
@@ -0,0 +1,26 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Lifu Tang +Date: Wed, 5 Jul 2023 13:03:00 -0700 +Subject: [PATCH] Fix bypass BAL via `requestGeofence` + +Bug: 273729172 +Test: manually +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7f9be7c3c859dc82d37452570d9878b58f6437a9) +Merged-In: Ia8094244f908b20d42711b6ea8f58f9b3345b563 +Change-Id: Ia8094244f908b20d42711b6ea8f58f9b3345b563 +--- + services/core/java/com/android/server/PendingIntentUtils.java | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/services/core/java/com/android/server/PendingIntentUtils.java b/services/core/java/com/android/server/PendingIntentUtils.java +index 1600101b20f4..a72a4d254a2a 100644 +--- a/services/core/java/com/android/server/PendingIntentUtils.java ++++ b/services/core/java/com/android/server/PendingIntentUtils.java +@@ -34,6 +34,7 @@ public class PendingIntentUtils { + public static Bundle createDontSendToRestrictedAppsBundle(@Nullable Bundle bundle) { + final BroadcastOptions options = BroadcastOptions.makeBasic(); + options.setDontSendToRestrictedApps(true); ++ options.setPendingIntentBackgroundActivityLaunchAllowed(false); + if (bundle == null) { + return options.toBundle(); + } diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377004-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/377004-backport.patch new file mode 100644 index 00000000..2c21ab21 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/377004-backport.patch 
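Review bot: The new `options.setPendingIntentBackgroundActivityLaunchAllowed(false)` call assumes BroadcastOptions in the 17.1 tree already exposes that setter; the file is not suffixed `-backport`, so presumably it applied, but in my recollection the BAL opt-out on BroadcastOptions postdates Android 10, so a build of services.core is the check. If the setter is absent the patch fails to compile rather than silently doing nothing, which at least makes the gap visible; in that case the patch header should record that Bug 273729172 is not closed on this branch.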
@@ -0,0 +1,123 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kweku Adams +Date: Fri, 23 Sep 2022 21:06:53 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE: Drop invalid data. + +Drop invalid data when writing or reading from XML. PersistableBundle +does lazy unparcelling, so checking the values during unparcelling would +remove the benefit of the lazy unparcelling. Checking the validity when +writing to or reading from XML seems like the best alternative. + +Bug: 246542285 +Bug: 247513680 +Test: install test app with invalid job config, start app to schedule job, then check logcat and jobscheduler persisted file +(cherry picked from commit 666e8ac60a31e2cc52b335b41004263f28a8db06) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b37ab21ce27746a79a2071deee98c61b23c8d9) +Merged-In: Ie817aa0993e9046cb313a750d2323cadc8c1ef15 +Change-Id: Ie817aa0993e9046cb313a750d2323cadc8c1ef15 +--- + core/java/android/os/PersistableBundle.java | 42 +++++++++++++++++---- + 1 file changed, 34 insertions(+), 8 deletions(-) + +diff --git a/core/java/android/os/PersistableBundle.java b/core/java/android/os/PersistableBundle.java +index 6f1bf71f187b..3e6312754359 100644 +--- a/core/java/android/os/PersistableBundle.java ++++ b/core/java/android/os/PersistableBundle.java +@@ -18,6 +18,7 @@ package android.os; + + import android.annotation.Nullable; + import android.util.ArrayMap; ++import android.util.Slog; + import android.util.proto.ProtoOutputStream; + + import com.android.internal.util.XmlUtils; +@@ -38,6 +39,8 @@ import java.util.ArrayList; + */ + public final class PersistableBundle extends BaseBundle implements Cloneable, Parcelable, + XmlUtils.WriteMapCallback { ++ private static final String TAG = "PersistableBundle"; ++ + private static final String TAG_PERSISTABLEMAP = "pbundle_as_map"; + public static final PersistableBundle EMPTY; + +@@ -100,7 +103,11 @@ public final class PersistableBundle extends BaseBundle 
implements Cloneable, Pa + * @hide + */ + public PersistableBundle(Bundle b) { +- this(b.getMap()); ++ this(b, true); ++ } ++ ++ private PersistableBundle(Bundle b, boolean throwException) { ++ this(b.getMap(), throwException); + } + + /** +@@ -109,7 +116,7 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa + * @param map a Map containing only those items that can be persisted. + * @throws IllegalArgumentException if any element of #map cannot be persisted. + */ +- private PersistableBundle(ArrayMap map) { ++ private PersistableBundle(ArrayMap map, boolean throwException) { + super(); + mFlags = FLAG_DEFUSABLE; + +@@ -118,16 +125,23 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa + + // Now verify each item throwing an exception if there is a violation. + final int N = mMap.size(); +- for (int i=0; i= 0; --i) { + Object value = mMap.valueAt(i); + if (value instanceof ArrayMap) { + // Fix up any Maps by replacing them with PersistableBundles. 
+- mMap.setValueAt(i, new PersistableBundle((ArrayMap) value)); ++ mMap.setValueAt(i, ++ new PersistableBundle((ArrayMap) value, throwException)); + } else if (value instanceof Bundle) { +- mMap.setValueAt(i, new PersistableBundle(((Bundle) value))); ++ mMap.setValueAt(i, new PersistableBundle((Bundle) value, throwException)); + } else if (!isValidType(value)) { +- throw new IllegalArgumentException("Bad value in PersistableBundle key=" +- + mMap.keyAt(i) + " value=" + value); ++ final String errorMsg = "Bad value in PersistableBundle key=" ++ + mMap.keyAt(i) + " value=" + value; ++ if (throwException) { ++ throw new IllegalArgumentException(errorMsg); ++ } else { ++ Slog.wtfStack(TAG, errorMsg); ++ mMap.removeAt(i); ++ } + } + } + } +@@ -242,6 +256,15 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa + /** @hide */ + public void saveToXml(XmlSerializer out) throws IOException, XmlPullParserException { + unparcel(); ++ // Explicitly drop invalid types an attacker may have added before persisting. ++ for (int i = mMap.size() - 1; i >= 0; --i) { ++ final Object value = mMap.valueAt(i); ++ if (!isValidType(value)) { ++ Slog.e(TAG, "Dropping bad data before persisting: " ++ + mMap.keyAt(i) + "=" + value); ++ mMap.removeAt(i); ++ } ++ } + XmlUtils.writeMapXml(mMap, out, this); + } + +@@ -290,9 +313,12 @@ public final class PersistableBundle extends BaseBundle implements Cloneable, Pa + while (((event = in.next()) != XmlPullParser.END_DOCUMENT) && + (event != XmlPullParser.END_TAG || in.getDepth() < outerDepth)) { + if (event == XmlPullParser.START_TAG) { ++ // Don't throw an exception when restoring from XML since an attacker could try to ++ // input invalid data in the persisted file. + return new PersistableBundle((ArrayMap) + XmlUtils.readThisArrayMapXml(in, startTag, tagName, +- new MyReadMapCallback())); ++ new MyReadMapCallback()), ++ /* throwException */ false); + } + } + return EMPTY; 
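Review bot: The non-throwing constructor path reached from `restoreFromXml` logs rejected entries with `Slog.wtfStack`, while the new `saveToXml` loop logs the same condition with `Slog.e`; the added comment says the restore path is exactly where attacker-shaped persisted data arrives, and wtf may be configured to be fatal on debug builds, so the two should agree and `Slog.e(TAG, errorMsg)` is the safer level for the restore path. The switch to reverse iteration (`for (int i = N - 1; i >= 0; --i)`) is what keeps `mMap.removeAt(i)` from skipping the following entry and deserves a comment, e.g. `// Iterate backwards so removeAt() does not shift an unchecked entry into position i.`. The removed line rendered here as `for (int i=0; i= 0; --i)` is an artifact of this listing, not of the patch.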
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377006.patch b/Patches/LineageOS-17.1/android_frameworks_base/377006.patch new file mode 100644 index 00000000..c1b02775 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/377006.patch 
@@ -0,0 +1,43 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Marzia Favaro +Date: Mon, 31 Jul 2023 15:10:34 +0000 +Subject: [PATCH] Require permission to unlock keyguard + +Bug: 288896339 +Test: Manual, verify that the app which can be found on the bug can no longer call +keyguardGoingAway successfully + +Require permission to unlock keyguard + +Bug: 288896339 +Test: Manual, verify that the app which can be found on the bug can no longer call +keyguardGoingAway successfully +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bd2aa5d309c5bf8e73161975bd5aba7945b25e84) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ef1345d278bd2a8944c6362bf65cff7305ca6fc5) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ad8e7e3b1db22684988a179e23639567a4096ca6) +Merged-In: I7ba7e56f954c8e6f1f734311f735215918975bc6 +Change-Id: I7ba7e56f954c8e6f1f734311f735215918975bc6 +--- + .../java/com/android/server/wm/ActivityTaskManagerService.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java +index d0dad0a23729..5bcc5975604a 100644 +--- a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java ++++ b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java +@@ -18,6 +18,7 @@ package com.android.server.wm; + + import static android.Manifest.permission.BIND_VOICE_INTERACTION; + import static android.Manifest.permission.CHANGE_CONFIGURATION; ++import static android.Manifest.permission.CONTROL_KEYGUARD; + import static android.Manifest.permission.CONTROL_REMOTE_APP_TRANSITION_ANIMATIONS; + import static android.Manifest.permission.INTERACT_ACROSS_USERS; + import static android.Manifest.permission.INTERACT_ACROSS_USERS_FULL; +@@ -3890,6 +3891,7 @@ public class 
ActivityTaskManagerService extends IActivityTaskManager.Stub { + + @Override + public void keyguardGoingAway(int flags) { ++ mAmInternal.enforceCallingPermission(CONTROL_KEYGUARD, "unlock keyguard"); + enforceNotIsolatedCaller("keyguardGoingAway"); + final long token = Binder.clearCallingIdentity(); + try { diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377008.patch b/Patches/LineageOS-17.1/android_frameworks_base/377008.patch new file mode 100644 index 00000000..203ee0b5 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/377008.patch 
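Review bot: Placing `mAmInternal.enforceCallingPermission(CONTROL_KEYGUARD, "unlock keyguard")` ahead of `Binder.clearCallingIdentity()` is the correct order, but the check now gates every caller of keyguardGoingAway, so the 17.1 SystemUI build must hold CONTROL_KEYGUARD or lockscreen dismissal regresses; confirm on a device before this lands in a release. The patch header repeats its Subject, Bug and Test lines twice, which is harmless but worth trimming when the file is regenerated.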
@@ -0,0 +1,63 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pawan Wagh +Date: Tue, 13 Jun 2023 17:37:26 +0000 +Subject: [PATCH] Use readUniqueFileDescriptor in incidentd service + +readFileDescriptor doesn't provide ownership of the fds. fdopen +needs ownership of the fds. Fds read from parcel should be duped +in this scenario and readUniqueFileDescriptor dups fds internally. + +Test: m incidentd_service_fuzzer && adb sync data && adb shell /data/fuzz/x86_64/incidentd_service_fuzzer/incidentd_service_fuzzer +Test: atest incidentd_test +Bug: 286931110 +Bug: 283699145 +(cherry picked from commit ba78ef276951269f7b024baebdf1b8fa40bedb23) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b4aaf180ee8f3e375c7ab411f03cf9c24c1d8055) +Merged-In: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e +Change-Id: Ibe03a17dee91ac5bf25d123d4fd9c0bdd3c7d80e +--- + cmds/incidentd/src/IncidentService.cpp | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/cmds/incidentd/src/IncidentService.cpp b/cmds/incidentd/src/IncidentService.cpp +index a52726396b53..a4819633efee 100644 +--- a/cmds/incidentd/src/IncidentService.cpp ++++ b/cmds/incidentd/src/IncidentService.cpp +@@ -418,9 +418,13 @@ status_t IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel* + + switch (code) { + case SHELL_COMMAND_TRANSACTION: { +- int in = data.readFileDescriptor(); +- int out = data.readFileDescriptor(); +- int err = data.readFileDescriptor(); ++ unique_fd in, out, err; ++ if (status_t status = data.readUniqueFileDescriptor(&in); status != OK) return status; ++ ++ if (status_t status = data.readUniqueFileDescriptor(&out); status != OK) return status; ++ ++ if (status_t status = data.readUniqueFileDescriptor(&err); status != OK) return status; ++ + int argc = data.readInt32(); + Vector args; + for (int i = 0; i < argc && data.dataAvail() > 0; i++) { +@@ -430,15 +434,15 @@ status_t 
IncidentService::onTransact(uint32_t code, const Parcel& data, Parcel* + sp resultReceiver = + IResultReceiver::asInterface(data.readStrongBinder()); + +- FILE* fin = fdopen(in, "r"); +- FILE* fout = fdopen(out, "w"); +- FILE* ferr = fdopen(err, "w"); ++ FILE* fin = fdopen(in.release(), "r"); ++ FILE* fout = fdopen(out.release(), "w"); ++ FILE* ferr = fdopen(err.release(), "w"); + + if (fin == NULL || fout == NULL || ferr == NULL) { + resultReceiver->send(NO_MEMORY); + } else { +- err = command(fin, fout, ferr, args); +- resultReceiver->send(err); ++ status_t result = command(fin, fout, ferr, args); ++ resultReceiver->send(result); + } + + if (fin != NULL) { diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377009.patch b/Patches/LineageOS-17.1/android_frameworks_base/377009.patch new file mode 100644 index 00000000..140c7daf --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/377009.patch 
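Review bot: `fdopen(in.release(), "r")` gives up ownership of the descriptor before fdopen is known to succeed, so when fdopen returns NULL for any of the three streams that raw fd is owned by nothing and leaks (the old code leaked the same way, but unique_fd now makes the fix cheap). Release only after success, as below, so a failed fdopen still lets the unique_fd close the fd at scope exit. The enclosing `case SHELL_COMMAND_TRANSACTION` continues past the hunk, where the `fclose` calls for the successfully opened streams presumably live.
```cpp
FILE* fin = fdopen(in.get(), "r");
if (fin != NULL) in.release();
FILE* fout = fdopen(out.get(), "w");
if (fout != NULL) out.release();
FILE* ferr = fdopen(err.get(), "w");
if (ferr != NULL) err.release();
// … unchanged: NULL check, command() call and resultReceiver->send …
```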
@@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pinyao Ting +Date: Mon, 24 Jul 2023 14:58:56 -0700 +Subject: [PATCH] Validate userId when publishing shortcuts + +Bug: 288110451 +Test: manual +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01bfd04ff445db6290ae430d44ea1bf1a115fe3c) +Merged-In: Idbde676f871db83825155730e3714f3727e25762 +Change-Id: Idbde676f871db83825155730e3714f3727e25762 +--- + services/core/java/com/android/server/pm/ShortcutService.java | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java +index d1ee52eef2df..0e887d375924 100644 +--- a/services/core/java/com/android/server/pm/ShortcutService.java ++++ b/services/core/java/com/android/server/pm/ShortcutService.java +@@ -1589,6 +1589,10 @@ public class ShortcutService extends IShortcutService.Stub { + android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, ""); + throw new SecurityException("Shortcut package name mismatch"); + } ++ final int callingUid = injectBinderCallingUid(); ++ if (UserHandle.getUserId(callingUid) != si.getUserId()) { ++ throw new SecurityException("User-ID in shortcut doesn't match the caller"); ++ } + } + + private void verifyShortcutInfoPackages( diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377010.patch b/Patches/LineageOS-17.1/android_frameworks_base/377010.patch new file mode 100644 index 00000000..c1819206 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/377010.patch 
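Review bot: The new user-ID mismatch branch throws without the `EventLog.writeEvent(0x534e4554, …)` safety-net entry that the package-mismatch branch two lines above writes, so an attempt to publish a shortcut under another user's ID leaves no detectable trace in the event log; add `android.util.EventLog.writeEvent(0x534e4554, "288110451", -1, "");` before the throw, mirroring the existing line and using this patch's bug id. The enclosing verification method starts outside the hunk.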
@@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Beverly Tai +Date: Thu, 14 Sep 2023 20:50:28 +0000 +Subject: [PATCH] Revert "On device lockdown, always show the keyguard" + +This reverts commit b23c2d5fb6630ea0da503b937f62880594b13e94. + +Reason for revert: b/300463732 regression +Bug: 300463732 +Bug: 218495634 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f57217125f2b124c16c463ef4507fb054cc1ba4f) +Merged-In: I31485d0d8caa3060e998636b071dbe03f6b4fc82 +Change-Id: I31485d0d8caa3060e998636b071dbe03f6b4fc82 +--- + .../systemui/keyguard/KeyguardViewMediator.java | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +index a7d5c64dd3a3..e21b14dec0b0 100644 +--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java ++++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +@@ -556,13 +556,6 @@ public class KeyguardViewMediator extends SystemUI { + notifyHasLockscreenWallpaperChanged(hasLockscreenWallpaper); + } + } +- +- @Override +- public void onStrongAuthStateChanged(int userId) { +- if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { +- doKeyguardLocked(null); +- } +- } + }; + + ViewMediatorCallback mViewMediatorCallback = new ViewMediatorCallback() { +@@ -1326,8 +1319,7 @@ public class KeyguardViewMediator extends SystemUI { + } + + // if another app is disabling us, don't show +- if (!mExternallyEnabled +- && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { ++ if (!mExternallyEnabled) { + if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled"); + + mNeedToReshowWhenReenabled = true; 
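Review bot: This file reverts the lockdown-keyguard change that 377012.patch immediately re-applies with a fix, so it is only correct when Patch.sh applies 377010 before 377012 and both before 0015-Automatic_Reboot.patch; the index chain a7d5c64dd3a3 → e21b14dec0b0 → 5c343c941454 across the three files encodes that order, and the Patch.sh hunk that should enforce it is not in this chunk, so verify it there. A one-line note at the top of this patch file saying it exists only to be superseded by 377012.patch would stop a future maintainer from dropping it as a security regression.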
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377011.patch b/Patches/LineageOS-17.1/android_frameworks_base/377011.patch new file mode 100644 index 00000000..65ca1618 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/377011.patch @@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kunal Malhotra +Date: Thu, 2 Feb 2023 23:48:27 +0000 +Subject: [PATCH] Adding in verification of calling UID in onShellCommand + +Test: manual testing on device +Bug: b/261709193 +(cherry picked from commit b651d295b44eb82d664861b77f33dbde1bce9453) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3ef3f18ba3094c4cc4f954ba23d1da421f9ca8b0) +Merged-In: I68903ebd6d3d85f4bc820b745e3233a448b62273 +Change-Id: I68903ebd6d3d85f4bc820b745e3233a448b62273 +--- + .../java/com/android/server/am/ActivityManagerService.java | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java +index 3e99e594a702..faeb5f348834 100644 +--- a/services/core/java/com/android/server/am/ActivityManagerService.java ++++ b/services/core/java/com/android/server/am/ActivityManagerService.java +@@ -9884,6 +9884,13 @@ public class ActivityManagerService extends IActivityManager.Stub + public void onShellCommand(FileDescriptor in, FileDescriptor out, + FileDescriptor err, String[] args, ShellCallback callback, + ResultReceiver resultReceiver) { ++ final int callingUid = Binder.getCallingUid(); ++ if (callingUid != ROOT_UID && callingUid != Process.SHELL_UID) { ++ if (resultReceiver != null) { ++ resultReceiver.send(-1, null); ++ } ++ throw new SecurityException("Shell commands are only callable by root or shell"); ++ } + (new ActivityManagerShellCommand(this, false)).exec( + this, in, out, err, args, callback, resultReceiver); + } 
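Review bot: The guard mixes a bare `ROOT_UID` with a qualified `Process.SHELL_UID`; both are Process constants, and since the file is not marked as a backport presumably ROOT_UID is already statically imported in the 17.1 ActivityManagerService — confirm that, and prefer `Process.ROOT_UID` so the two conditions read alike. Sending `-1` to resultReceiver before throwing is the right touch, as a shell client otherwise waits on a result that never arrives.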
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377012.patch b/Patches/LineageOS-17.1/android_frameworks_base/377012.patch new file mode 100644 index 00000000..5f74de49 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/377012.patch 
@@ -0,0 +1,71 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Beverly Tai +Date: Tue, 19 Sep 2023 21:01:11 +0000 +Subject: [PATCH] Updated: always show the keyguard on device lockdown + +Additionally, don't hide keyguard when it's disabled if the user has locked +down the device. + +Manual test steps: + 1. Enable app pinning and disable "Ask for PIN before unpinning" setting + 2. Pin an app (ie: Settings) + 3. Lockdown from the power menu + 4. Observe: user is brought to the keyguard, primary auth is + required to enter the device. + => After entering correct credential, the device is still in + app pinning mode. + => After entering an incorrect credential, the keyguard remains + showing and the user can attempt again up to the limit + +Bug: 300463732 +Bug: 218495634 +Test: atest KeyguardViewMediatorTest +Test: manual +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:35a6e2f2c952440b1102033b2c3e496438503cff) +Merged-In: I70fdae80f717712b3dfc9df54b9649959b4bb8f0 +Change-Id: I70fdae80f717712b3dfc9df54b9649959b4bb8f0 +--- + .../systemui/keyguard/KeyguardViewMediator.java | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +index e21b14dec0b0..5c343c941454 100644 +--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java ++++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java +@@ -541,6 +541,13 @@ public class KeyguardViewMediator extends SystemUI { + } + } + ++ @Override ++ public void onStrongAuthStateChanged(int userId) { ++ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { ++ doKeyguardLocked(null); ++ } ++ } ++ + @Override + public void onTrustChanged(int userId) { + if (userId == KeyguardUpdateMonitor.getCurrentUser()) { 
+@@ -1107,6 +1114,10 @@ public class KeyguardViewMediator extends SystemUI { + mExternallyEnabled = enabled; + + if (!enabled && mShowing) { ++ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { ++ Log.d(TAG, "keyguardEnabled(false) overridden by user lockdown"); ++ return; ++ } + if (mExitSecureCallback != null) { + if (DEBUG) Log.d(TAG, "in process of verifyUnlock request, ignoring"); + // we're in the process of handling a request to verify the user +@@ -1318,8 +1329,9 @@ public class KeyguardViewMediator extends SystemUI { + return; + } + +- // if another app is disabling us, don't show +- if (!mExternallyEnabled) { ++ // if another app is disabling us, don't show unless we're in lockdown mode ++ if (!mExternallyEnabled ++ && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { + if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled"); + + mNeedToReshowWhenReenabled = true; diff --git a/Patches/LineageOS-17.1/android_frameworks_base/377013-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/377013-backport.patch new file mode 100644 index 00000000..192ce059 --- /dev/null +++ b/Patches/LineageOS-17.1/android_frameworks_base/377013-backport.patch 
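Review bot: `onStrongAuthStateChanged(int userId)` ignores its `userId` argument and acts on `KeyguardUpdateMonitor.getCurrentUser()`, whereas the neighbouring `onTrustChanged` first checks `userId == KeyguardUpdateMonitor.getCurrentUser()`; if the callback fires for a background user the current user's keyguard is still forced, which may be intended for lockdown but deserves a comment such as `// Lockdown is evaluated for the current user regardless of which user's auth state changed`. In the `keyguardEnabled` hunk the new `Log.d(TAG, "keyguardEnabled(false) overridden by user lockdown")` is unconditional while the adjacent log line is gated on `DEBUG`; either gate it or note that a lockdown override is a security-relevant event that should always reach the log. The `mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())` expression now appears in three places (`onStrongAuthStateChanged`, `keyguardEnabled`, `doKeyguard`); a small private `isCurrentUserInLockdown()` helper would keep them in sync.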
@@ -0,0 +1,99 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Beth Thibodeau +Date: Tue, 8 Aug 2023 16:19:48 -0500 +Subject: [PATCH] RESTRICT AUTOMERGE: Check URI permissions for resumable media + artwork + +When resumable media is added that has artwork set via URI, check the +permissions for the URI before attempting to load it + +Test: atest MediaDataManagerTest UriGrantsManagerServiceTest +Test: manual with test app +Bug: 284297452 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c13567e39cd906c8544011de537490b70ce29b2f) +Merged-In: Ie79915d3d1712f08dc2e8dfbd5bc7fd32bb308a3 +Change-Id: Ie79915d3d1712f08dc2e8dfbd5bc7fd32bb308a3 +--- + core/java/android/app/IUriGrantsManager.aidl | 3 ++ + .../server/uri/UriGrantsManagerService.java | 42 +++++++++++++++++++ + 2 files changed, 45 insertions(+) + +diff --git a/core/java/android/app/IUriGrantsManager.aidl b/core/java/android/app/IUriGrantsManager.aidl +index 9e7f2fecfea0..b630d034dca9 100644 +--- a/core/java/android/app/IUriGrantsManager.aidl ++++ b/core/java/android/app/IUriGrantsManager.aidl +@@ -39,4 +39,7 @@ interface IUriGrantsManager { + void clearGrantedUriPermissions(in String packageName, int userId); + ParceledListSlice getUriPermissions(in String packageName, boolean incoming, + boolean persistedOnly); ++ ++ int checkGrantUriPermission_ignoreNonSystem( ++ int sourceUid, String targetPkg, in Uri uri, int modeFlags, int userId); + } +diff --git a/services/core/java/com/android/server/uri/UriGrantsManagerService.java b/services/core/java/com/android/server/uri/UriGrantsManagerService.java +index 55f062bca2d1..7cab7b28cfee 100644 +--- a/services/core/java/com/android/server/uri/UriGrantsManagerService.java ++++ b/services/core/java/com/android/server/uri/UriGrantsManagerService.java +@@ -43,6 +43,7 @@ import static org.xmlpull.v1.XmlPullParser.END_DOCUMENT; + import static org.xmlpull.v1.XmlPullParser.START_TAG; + + import 
android.annotation.Nullable; ++import android.annotation.RequiresPermission; + import android.app.ActivityManager; + import android.app.ActivityManagerInternal; + import android.app.AppGlobals; +@@ -65,6 +66,7 @@ import android.os.Handler; + import android.os.IBinder; + import android.os.Looper; + import android.os.Message; ++import android.os.Process; + import android.os.RemoteException; + import android.os.SystemClock; + import android.os.UserHandle; +@@ -1225,6 +1227,46 @@ public class UriGrantsManagerService extends IUriGrantsManager.Stub { + return false; + } + ++ /** ++ * Check if the targetPkg can be granted permission to access uri by ++ * the callingUid using the given modeFlags. See {@link #checkGrantUriPermissionUnlocked}. ++ * ++ * @param callingUid The uid of the grantor app that has permissions to the uri. ++ * @param targetPkg The package name of the granted app that needs permissions to the uri. ++ * @param uri The uri for which permissions should be granted. ++ * @param modeFlags The modes to grant. See {@link Intent#FLAG_GRANT_READ_URI_PERMISSION}, etc. ++ * @param userId The userId in which the uri is to be resolved. ++ * @return uid of the target or -1 if permission grant not required. Returns -1 if the caller ++ * does not hold INTERACT_ACROSS_USERS_FULL ++ * @throws SecurityException if the grant is not allowed. 
++ */ ++ @Override ++ @RequiresPermission(android.Manifest.permission.INTERACT_ACROSS_USERS_FULL) ++ public int checkGrantUriPermission_ignoreNonSystem(int callingUid, String targetPkg, Uri uri, ++ int modeFlags, int userId) { ++ if (!isCallerIsSystemOrPrivileged()) { ++ return Process.INVALID_UID; ++ } ++ final long origId = Binder.clearCallingIdentity(); ++ try { ++ return checkGrantUriPermissionUnlocked(callingUid, targetPkg, uri, modeFlags, ++ userId); ++ } finally { ++ Binder.restoreCallingIdentity(origId); ++ } ++ } ++ ++ private boolean isCallerIsSystemOrPrivileged() { ++ final int uid = Binder.getCallingUid(); ++ if (uid == Process.SYSTEM_UID || uid == Process.ROOT_UID) { ++ return true; ++ } ++ return ActivityManager.checkComponentPermission( ++ android.Manifest.permission.INTERACT_ACROSS_USERS_FULL, ++ uid, /* owningUid = */-1, /* exported = */ true) ++ == PackageManager.PERMISSION_GRANTED; ++ } ++ + private void writeGrantedUriPermissions() { + if (DEBUG) Slog.v(TAG, "writeGrantedUriPermissions()"); + diff --git a/Patches/LineageOS-17.1/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch b/Patches/LineageOS-17.1/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch index f0275a23..a6a19320 100644 --- a/Patches/LineageOS-17.1/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch +++ b/Patches/LineageOS-17.1/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch @@ -72,10 +72,10 @@ index 214feebcb..9bd85aa13 100644 {"initNative", "()V", (void*)initNative}, {"sendMediaUpdateNative", "(ZZZ)V", (void*)sendMediaUpdateNative}, diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp -index 55b391c56..ea1eeeb73 100644 +index aa0a13d46..997ac5a29 100644 --- a/jni/com_android_bluetooth_btservice_AdapterService.cpp 
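Review bot: The helper name `isCallerIsSystemOrPrivileged` has a duplicated verb; `isCallerSystemOrPrivileged` reads as intended. The Javadoc on `checkGrantUriPermission_ignoreNonSystem` documents a `-1` return for callers lacking INTERACT_ACROSS_USERS_FULL while the code returns `Process.INVALID_UID`; writing `@return ... or {@link Process#INVALID_UID} if the caller is not system or privileged` ties the doc to the constant actually used. Note that `callingUid` is supplied by the binder caller and forwarded to `checkGrantUriPermissionUnlocked` after `clearCallingIdentity`, so the system/privileged gate is the only thing stopping a caller from naming another app as grantor — a one-line comment above the gate (`// callingUid is caller-asserted; only system/privileged callers may vouch for another uid`) makes that explicit for the next maintainer.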
+++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp -@@ -1238,7 +1238,7 @@ static jbyteArray obfuscateAddressNative(JNIEnv* env, jobject obj, +@@ -1239,7 +1239,7 @@ static jbyteArray obfuscateAddressNative(JNIEnv* env, jobject obj, return output_bytes; } diff --git a/Patches/LineageOS-17.1/android_packages_apps_Bluetooth/377014-backport.patch b/Patches/LineageOS-17.1/android_packages_apps_Bluetooth/377014-backport.patch new file mode 100644 index 00000000..c73830c0 --- /dev/null +++ b/Patches/LineageOS-17.1/android_packages_apps_Bluetooth/377014-backport.patch 
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Thu, 5 Oct 2023 00:01:03 +0000
+Subject: [PATCH] Fix UAF in ~CallbackEnv
+
+com_android_bluetooth_btservice_AdapterService does not null its local
+JNI environment variable after detaching the thread (which frees the
+environment context), allowing UAF under certain conditions.
+
+Null the variable in this case.
+
+Testing here was done through a custom unit test; see patchsets 4-6 for
+contents. However, unit testing of the JNI layer is problematic in
+production, so that part of the patch is omitted for final merge.
+
+Bug: 291500341
+Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f543d919c4067f2f4925580fd8a690ba3440e80)
+Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030
+Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
+---
+ jni/com_android_bluetooth_btservice_AdapterService.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
+index 55b391c56..aa0a13d46 100644
+--- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
++++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
+@@ -404,6 +404,7 @@ static void callback_thread_event(bt_cb_thread_evt event) {
+ return;
+ }
+ vm->DetachCurrentThread();
++ callbackEnv = NULL;
+ }
+ }
+
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Trebuchet/377015.patch b/Patches/LineageOS-17.1/android_packages_apps_Trebuchet/377015.patch
new file mode 100644
index 00000000..9ba49a68
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_packages_apps_Trebuchet/377015.patch
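Review bot: The new assignment uses `NULL` in a C++ file; `callbackEnv = nullptr;` matches the pointer type and modern C++ style. The `return;` path three lines above leaves `callbackEnv` as it was — whether that path can also follow a detach is not visible here, since `callback_thread_event` starts outside the hunk; confirm it does not need the same reset. A short comment would preserve the rationale from the commit message: `// DetachCurrentThread frees the env; clear the cached pointer so ~CallbackEnv cannot use it`.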
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting
+Date: Tue, 12 Sep 2023 22:37:16 +0000
+Subject: [PATCH] Fix permission bypass in legacy shortcut
+
+Intent created for Chooser should not be allowed in legacy shortcuts
+since it doesn't make sense for user to tap on a shortcut in homescreen
+to share, the expected share flow started from ShareSheet.
+
+Bug: 295334906, 295045199
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b7b192bd7f24a2aa7d6881ee949657c9760c0305)
+Merged-In: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
+Change-Id: I8d0cbccdc31bd4cb927830e5ecf841147400fdfa
+---
+ .../android/launcher3/util/PackageManagerHelper.java | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/src/com/android/launcher3/util/PackageManagerHelper.java b/src/com/android/launcher3/util/PackageManagerHelper.java
+index f263331f8f..1ca28f82dc 100644
+--- a/src/com/android/launcher3/util/PackageManagerHelper.java
++++ b/src/com/android/launcher3/util/PackageManagerHelper.java
+@@ -114,15 +114,8 @@ public class PackageManagerHelper {
+ public boolean hasPermissionForActivity(Intent intent, String srcPackage) {
+ // b/270152142
+ if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
+- final Bundle extras = intent.getExtras();
+- if (extras == null) {
+- return true;
+- }
+- // If given intent is ACTION_CHOOSER, verify srcPackage has permission over EXTRA_INTENT
+- intent = (Intent) extras.getParcelable(Intent.EXTRA_INTENT);
+- if (intent == null) {
+- return true;
+- }
++ // Chooser shortcuts is not a valid target
++ return false;
+ }
+ ResolveInfo target = mPm.resolveActivity(intent, 0);
+ if (target == null) {
diff --git a/Patches/LineageOS-17.1/android_packages_services_Telecomm/377016-backport.patch b/Patches/LineageOS-17.1/android_packages_services_Telecomm/377016-backport.patch
new file mode 100644
index 00000000..868aaa98
--- /dev/null
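Review bot: The new comment `// Chooser shortcuts is not a valid target` has a number-agreement slip and gives no reason; `// ACTION_CHOOSER is never a valid legacy-shortcut target: a share flow must start from the ShareSheet, not from a pinned shortcut (b/295334906)` carries the rationale from the commit message into the code. With the `extras`/`EXTRA_INTENT` handling removed, the `Bundle` import in PackageManagerHelper may now be unused — the import block is outside the hunk, so verify. The stale `// b/270152142` line above the check now refers only to the previous fix; consider folding both bug references into the new comment.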
+++ b/Patches/LineageOS-17.1/android_packages_services_Telecomm/377016-backport.patch 
@@ -0,0 +1,108 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pranav Madapurmath +Date: Wed, 5 Apr 2023 21:36:12 +0000 +Subject: [PATCH] Resolve account image icon profile boundary exploit. + +Because Telecom grants the INTERACT_ACROSS_USERS permission, an exploit +is possible where the user can upload an image icon (belonging to +another user) via registering a phone account. This CL provides a +lightweight solution for parsing the image URI to detect profile +exploitation. + +Fixes: 273502295 +Fixes: 296915211 +Test: Unit test to enforce successful/failure path +(cherry picked from commit d0d1d38e37de54e58a7532a0020582fbd7d476b7) +(cherry picked from commit e7d0ca3fe5be6e393f643f565792ea5e7ed05f48) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a604311f86ea8136ca2ac9f9ff0af7fa57ee3f42) +Merged-In: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5 +Change-Id: I2b6418f019a373ee9f02ba8683e5b694e7ab80a5 +--- + .../server/telecom/TelecomServiceImpl.java | 22 +++++++++++++++++++ + .../telecom/tests/TelecomServiceImplTest.java | 21 ++++++++++++++++++ + 2 files changed, 43 insertions(+) + +diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java +index 8c498fc55..4472ad837 100644 +--- a/src/com/android/server/telecom/TelecomServiceImpl.java ++++ b/src/com/android/server/telecom/TelecomServiceImpl.java +@@ -37,6 +37,7 @@ import android.content.pm.PackageManager; + import android.content.res.Resources; + import android.content.pm.ParceledListSlice; + import android.content.pm.ResolveInfo; ++import android.graphics.drawable.Icon; + import android.net.Uri; + import android.os.Binder; + import android.os.Build; +@@ -513,6 +514,9 @@ public class TelecomServiceImpl { + if (callingUid != Process.SHELL_UID) { + enforceUserHandleMatchesCaller(account.getAccountHandle()); + } ++ // Validate the profile boundary of the given image URI. 
++ validateAccountIconUserBoundary(account.getIcon()); ++ + final long token = Binder.clearCallingIdentity(); + try { + mPhoneAccountRegistrar.registerPhoneAccount(account); +@@ -2100,4 +2104,22 @@ public class TelecomServiceImpl { + mContext.sendBroadcast(intent); + } + } ++ ++ private void validateAccountIconUserBoundary(Icon icon) { ++ // Refer to Icon#getUriString for context. The URI string is invalid for icons of ++ // incompatible types. ++ if (icon != null && (icon.getType() == Icon.TYPE_URI ++ /*|| icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP*/)) { ++ String encodedUser = icon.getUri().getEncodedUserInfo(); ++ // If there is no encoded user, the URI is calling into the calling user space ++ if (encodedUser != null) { ++ int userId = Integer.parseInt(encodedUser); ++ if (userId != UserHandle.getUserId(Binder.getCallingUid())) { ++ // If we are transcending the profile boundary, throw an error. ++ throw new IllegalArgumentException("Attempting to register a phone account with" ++ + " an image icon belonging to another user."); ++ } ++ } ++ } ++ } + } +diff --git a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java +index 00d8000e4..6daf516d1 100644 +--- a/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java ++++ b/tests/src/com/android/server/telecom/tests/TelecomServiceImplTest.java +@@ -30,6 +30,7 @@ import android.content.Context; + import android.content.Intent; + import android.content.pm.ApplicationInfo; + import android.content.pm.PackageManager; ++import android.graphics.drawable.Icon; + import android.net.Uri; + import android.os.Binder; + import android.os.Bundle; +@@ -531,6 +532,26 @@ public class TelecomServiceImplTest extends TelecomTestCase { + } + } + ++ @SmallTest ++ @Test ++ public void testRegisterPhoneAccountImageIconCrossUser() throws RemoteException { ++ String packageNameToUse = "com.android.officialpackage"; ++ 
PhoneAccountHandle phHandle = new PhoneAccountHandle(new ComponentName( ++ packageNameToUse, "cs"), "test", Binder.getCallingUserHandle()); ++ Icon icon = Icon.createWithContentUri("content://10@media/external/images/media/"); ++ PhoneAccount phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build(); ++ doReturn(PackageManager.PERMISSION_GRANTED) ++ .when(mContext).checkCallingOrSelfPermission(MODIFY_PHONE_STATE); ++ ++ // This should fail; security exception will be thrown. ++ registerPhoneAccountTestHelper(phoneAccount, false); ++ ++ icon = Icon.createWithContentUri("content://0@media/external/images/media/"); ++ phoneAccount = makePhoneAccount(phHandle).setIcon(icon).build(); ++ // This should succeed. ++ registerPhoneAccountTestHelper(phoneAccount, true); ++ } ++ + @SmallTest + @Test + public void testUnregisterPhoneAccount() throws RemoteException { diff --git a/Patches/LineageOS-17.1/android_system_bt/377017.patch b/Patches/LineageOS-17.1/android_system_bt/377017.patch new file mode 100644 index 00000000..9b729407 --- /dev/null +++ b/Patches/LineageOS-17.1/android_system_bt/377017.patch 
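Review bot: `Integer.parseInt(encodedUser)` in `validateAccountIconUserBoundary` runs on caller-controlled URI user-info, so a non-numeric value such as `content://abc@media/...` throws `NumberFormatException` rather than the intended `IllegalArgumentException` with the boundary message (it is a subclass, so the binder caller still gets an IllegalArgumentException, but the message is meaningless). Catch `NumberFormatException` and rethrow the same boundary message, or treat unparseable user-info as a rejection outright. The commented-out `Icon.TYPE_URI_ADAPTIVE_BITMAP` condition needs a backport note, e.g. `// TYPE_URI_ADAPTIVE_BITMAP does not exist on this branch; re-add when backporting to a release that has it`, otherwise it reads as an oversight. The new test only covers the numeric cross-user case; a case with non-numeric user-info would pin the behaviour above.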
@@ -0,0 +1,99 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Sat, 2 Sep 2023 04:20:10 +0000 +Subject: [PATCH] Reject access to secure service authenticated from a temp + bonding [1] + +Rejecct access to services running on l2cap + +Backport of +Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 + +Bug: 294854926 +Test: m com.android.btservices +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d) +Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 +Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3 +--- + stack/btm/btm_sec.cc | 38 ++++++++++++++++++++++++++++++++++---- + 1 file changed, 34 insertions(+), 4 deletions(-) + +diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc +index 3ba1a6023..d4377a1fe 100644 +--- a/stack/btm/btm_sec.cc ++++ b/stack/btm/btm_sec.cc +@@ -104,7 +104,7 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type, + uint32_t mx_proto_id, + uint32_t mx_chan_id); + +-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec); ++static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec); + static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec); + static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec); + static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec, +@@ -146,7 +146,7 @@ static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = { + * Returns bool true or false + * + ******************************************************************************/ +-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) { ++static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec) { + if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) { + return (true); + } +@@ -220,6 +220,25 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec, + return (false); + } + ++/******************************************************************************* ++ * ++ 
* Function access_secure_service_from_temp_bond ++ * ++ * Description a utility function to test whether an access to ++ * secure service from temp bonding is happening ++ * ++ * Returns true if the aforementioned condition holds, ++ * false otherwise ++ * ++ ******************************************************************************/ ++static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec, ++ bool locally_initiated, ++ uint16_t security_req) { ++ return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) && ++ btm_dev_authenticated(p_dev_rec) && ++ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY; ++} ++ + /******************************************************************************* + * + * Function BTM_SecRegister +@@ -2077,9 +2096,13 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm, + } + + if (rc == BTM_SUCCESS) { ++ if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required)) { ++ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting"); ++ rc = BTM_FAILED_ON_SECURITY; ++ } + if (p_callback) +- (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS); +- return (BTM_SUCCESS); ++ (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc); ++ return (rc); + } + } + +@@ -5138,6 +5161,13 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) { + } + } + ++ if (access_secure_service_from_temp_bond(p_dev_rec, ++ p_dev_rec->is_originator, ++ p_dev_rec->security_required)) { ++ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting"); ++ return (BTM_FAILED_ON_SECURITY); ++ } ++ + /* All required security procedures already established */ + p_dev_rec->security_required &= + ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE | diff --git a/Patches/LineageOS-17.1/android_system_bt/377018.patch b/Patches/LineageOS-17.1/android_system_bt/377018.patch new file mode 100644 index 00000000..9b91946b 
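Review bot: Both new `LOG_ERROR` lines in `btm_sec_l2cap_access_req` and `btm_sec_execute_procedure`, and the one added for rfcomm in `btm_sec_mx_access_request` by 377018, print the same fixed text, so a rejection seen in a bugreport cannot be attributed to a channel; in the l2cap path `psm` is a parameter, e.g. `LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting psm=%d", psm);` (keep the peer address out of the log). The header comment on `access_secure_service_from_temp_bond` could state that it only considers the incoming direction (`BTM_SEC_IN_AUTHENTICATE` with `!locally_initiated`), since that asymmetry is the whole design and is easy to misread as an omission. In `btm_sec_l2cap_access_req` the callback now receives `rc` instead of the literal `BTM_SUCCESS`, which is the intended change; the rfcomm hunk in 377018 passes `(uint8_t)rc` to its callback, but that function's own return after the callback lies outside that hunk and should be checked to reflect the new `rc` as well.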
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_system_bt/377018.patch
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Sat, 2 Sep 2023 04:27:29 +0000
+Subject: [PATCH] Reject access to secure services authenticated from temp
+ bonding [2]
+
+Reject access to service running on rfcomm
+
+this is a backport of
+I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
+
+Bug: 294854926
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5e0e907ec4948f06b3a35ecf08725c020d533ccb)
+Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
+Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
+---
+ stack/btm/btm_sec.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index d4377a1fe..6163c3fb7 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -2425,6 +2425,11 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
+ mx_chan_id, p_callback, p_ref_data);
+ } else /* rc == BTM_SUCCESS */
+ {
++ if (access_secure_service_from_temp_bond(p_dev_rec,
++ is_originator, security_required)) {
++ LOG_ERROR(LOG_TAG, "Trying to access a secure rfcomm service from a temp bonding, reject");
++ rc = BTM_FAILED_ON_SECURITY;
++ }
+ /* access granted */
+ if (p_callback) {
+ (*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc);
diff --git a/Patches/LineageOS-17.1/android_system_bt/377019.patch b/Patches/LineageOS-17.1/android_system_bt/377019.patch
new file mode 100644
index 00000000..c423d2a8
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_system_bt/377019.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Tue, 12 Sep 2023 23:47:48 +0000
+Subject: [PATCH] Reject access to secure service authenticated from a temp
+ bonding [3]
+
+Allow access to rfcomm PSM by default
+
+Original bug
+Bug: 294854926
+
+Nearby regressions:
+Bug: 298539299
+
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab986fe4165aae74c5915f57ad2e78bf80f1d3ec)
+Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
+Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
+---
+ stack/btm/btm_sec.cc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 6163c3fb7..e69fe9b4c 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -2119,15 +2119,15 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
+ btm_cb.security_mode == BTM_SEC_MODE_SC) {
+ if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
+ if (is_originator) {
+- /* SM4 to SM4 -> always authenticate & encrypt */
+- security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
++ /* SM4 to SM4 -> always encrypt */
++ security_required |= BTM_SEC_OUT_ENCRYPT;
+ } else /* acceptor */
+ {
+ /* SM4 to SM4: the acceptor needs to make sure the authentication is
+ * already done */
+ chk_acp_auth_done = true;
+- /* SM4 to SM4 -> always authenticate & encrypt */
+- security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
++ /* SM4 to SM4 -> always encrypt */
++ security_required |= BTM_SEC_IN_ENCRYPT;
+ }
+ } else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) {
+ /* the remote features are not known yet */
diff --git a/Patches/LineageOS-17.1/android_system_bt/377020.patch b/Patches/LineageOS-17.1/android_system_bt/377020.patch
new file mode 100644
index 00000000..fc711bf6
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_system_bt/377020.patch
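Review bot: Dropping `BTM_SEC_OUT_AUTHENTICATE`/`BTM_SEC_IN_AUTHENTICATE` from the SM4-to-SM4 requirement in `btm_sec_l2cap_access_req` leaves only the encryption bit, so on its own this patch weakens the link requirement; it is only sound together with 377021 ("Enforce authentication if encryption is required"), which makes `btm_sec_execute_procedure` start authentication whenever encryption is required. Keep 377019, 377020 and 377021 applied as one set, and make the dependency visible in the code: `/* SM4 to SM4 -> always encrypt (authentication is implied by the encryption requirement, see btm_sec_execute_procedure) */`. The acceptor branch still sets `chk_acp_auth_done = true`, which per its comment appears to keep the "authentication already done" check in place — confirm that path does not rely on the removed flag.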
@@ -0,0 +1,128 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Tue, 12 Sep 2023 23:54:08 +0000 +Subject: [PATCH] Reorganize the code for checking auth requirement + +Original bug +Bug: 294854926 + +regressions: +Bug: 299570702 + +Test: Test: m com.android.btservices +Test: QA validation +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0c488b2420befe0f8038957861072a8e63702f91) +Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4 +Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4 +--- + stack/btm/btm_sec.cc | 93 ++++++++++++++++++++++++++------------------ + 1 file changed, 56 insertions(+), 37 deletions(-) + +diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc +index e69fe9b4c..e73cfb363 100644 +--- a/stack/btm/btm_sec.cc ++++ b/stack/btm/btm_sec.cc +@@ -5081,46 +5081,65 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) { + + /* If connection is not authenticated and authentication is required */ + /* start authentication and return PENDING to the caller */ +- if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) && +- ((p_dev_rec->is_originator && +- (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) || +- (!p_dev_rec->is_originator && +- (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))) || +- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) && +- (!p_dev_rec->is_originator && +- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) && +- (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) { +-/* +- * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use, +- * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the +- * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM +- * authenticated connections, hence we cannot distinguish here. 
+- */ +- +- BTM_TRACE_EVENT("Security Manager: Start authentication"); ++ if (p_dev_rec->hci_handle != HCI_INVALID_HANDLE) { ++ bool start_auth = false; ++ ++ // Check link status of BR/EDR ++ if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) { ++ if (p_dev_rec->is_originator) { ++ if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) { ++ LOG_DEBUG(LOG_TAG, "Outgoing authentication Required"); ++ start_auth = true; ++ } ++ } else { ++ if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) { ++ LOG_DEBUG(LOG_TAG, "Incoming authentication Required"); ++ start_auth = true; ++ } ++ } ++ } + +- /* +- * If we do have a link-key, but we end up here because we need an +- * upgrade, then clear the link-key known and authenticated flag before +- * restarting authentication. +- * WARNING: If the controller has link-key, it is optional and +- * recommended for the controller to send a Link_Key_Request. +- * In case we need an upgrade, the only alternative would be to delete +- * the existing link-key. That could lead to very bad user experience +- * or even IOP issues, if a reconnect causes a new connection that +- * requires an upgrade. +- */ +- if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) && +- (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) && +- (!p_dev_rec->is_originator && +- (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) { +- p_dev_rec->sec_flags &= +- ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED | +- BTM_SEC_AUTHENTICATED); ++ if (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)) { ++ /* ++ * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use, ++ * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the ++ * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM ++ * authenticated connections, hence we cannot distinguish here. 
++ */ ++ if (!p_dev_rec->is_originator) { ++ if (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) { ++ LOG_DEBUG(LOG_TAG, "BTM_SEC_IN_MIN_16_DIGIT_PIN Required"); ++ start_auth = true; ++ } ++ } + } + +- btm_sec_start_authentication(p_dev_rec); +- return (BTM_CMD_STARTED); ++ if (start_auth) { ++ LOG_DEBUG(LOG_TAG, "Security Manager: Start authentication"); ++ ++ /* ++ * If we do have a link-key, but we end up here because we need an ++ * upgrade, then clear the link-key known and authenticated flag before ++ * restarting authentication. ++ * WARNING: If the controller has link-key, it is optional and ++ * recommended for the controller to send a Link_Key_Request. ++ * In case we need an upgrade, the only alternative would be to delete ++ * the existing link-key. That could lead to very bad user experience ++ * or even IOP issues, if a reconnect causes a new connection that ++ * requires an upgrade. ++ */ ++ if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) && ++ (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) && ++ (!p_dev_rec->is_originator && ++ (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) { ++ p_dev_rec->sec_flags &= ++ ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED | ++ BTM_SEC_AUTHENTICATED); ++ } ++ ++ btm_sec_start_authentication(p_dev_rec); ++ return (BTM_CMD_STARTED); ++ } + } + + /* If connection is not encrypted and encryption is required */ diff --git a/Patches/LineageOS-17.1/android_system_bt/377021.patch b/Patches/LineageOS-17.1/android_system_bt/377021.patch new file mode 100644 index 00000000..cde9c109 --- /dev/null +++ b/Patches/LineageOS-17.1/android_system_bt/377021.patch 
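Review bot: The rewritten guard in `btm_sec_execute_procedure` compares `p_dev_rec->hci_handle` against `HCI_INVALID_HANDLE`, while the removed code used `BTM_SEC_INVALID_HANDLE`; this backport does not touch the headers, so confirm both constants carry the same value in the 17.1 tree, otherwise the whole authentication block is silently skipped or entered for an unconnected record. The 16-digit-PIN branch keeps the `!is_originator` / `BTM_SEC_IN_MIN_16_DIGIT_PIN` conditions and the link-key clearing block is moved unchanged under `if (start_auth)`, which matches the removed logic as far as the hunk shows. `BTM_TRACE_EVENT("Security Manager: Start authentication")` became `LOG_DEBUG(...)`; if this tree routes those two macros to different sinks, an event that existing triage may rely on disappears from the BTM trace — verify before relying on it.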
@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Wed, 13 Sep 2023 00:00:44 +0000
+Subject: [PATCH] Enforce authentication if encryption is required
+
+Original bug
+Bug: 294854926
+
+regressions:
+Bug: 299570702
+Bug: 299561281
+
+Test: Test: m com.android.btservices
+Test: QA validation
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:778d3fb3fb520e54425ecefe9a28453002053553)
+Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa
+Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa
+---
+ stack/btm/btm_sec.cc | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index e73cfb363..de91023c6 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -5087,13 +5087,15 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
+ // Check link status of BR/EDR
+ if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
+ if (p_dev_rec->is_originator) {
+- if (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE) {
+- LOG_DEBUG(LOG_TAG, "Outgoing authentication Required");
++ if (p_dev_rec->security_required &
++ (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) {
++ LOG_DEBUG(LOG_TAG, "Outgoing authentication/encryption Required");
+ start_auth = true;
+ }
+ } else {
+- if (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE) {
+- LOG_DEBUG(LOG_TAG, "Incoming authentication Required");
++ if (p_dev_rec->security_required &
++ (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) {
++ LOG_DEBUG(LOG_TAG, "Incoming authentication/encryption Required");
+ start_auth = true;
+ }
+ }
diff --git a/Patches/LineageOS-17.1/android_system_bt/377023-backport.patch b/Patches/LineageOS-17.1/android_system_bt/377023-backport.patch
new file mode 100644
index 00000000..3893dfb7
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_system_bt/377023-backport.patch
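Review bot: The comment that introduces this block — `/* If connection is not authenticated and authentication is required */`, visible as context in the 377020 hunk just above — is now stale, because `start_auth` is also set when only `BTM_SEC_OUT_ENCRYPT`/`BTM_SEC_IN_ENCRYPT` is required. Update it to `/* If the link is not authenticated and authentication or encryption is required, start authentication and return PENDING */` so the next reader does not "correct" the condition back to authentication only. This is the patch that restores the guarantee 377019 relaxed, so the two should not be applied or reverted independently.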
@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Tue, 3 Oct 2023 21:27:49 +0000
+Subject: [PATCH] Fix timing attack in BTM_BleVerifySignature
+
+BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
+to be deduced through a side-channel attack.
+
+Change to CRYPTO_memcmp, which is hardened against this attack, to
+eliminate this attack.
+
+Bug: 274478807
+Test: atest bluetooth_test_gd_unit
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)
+Merged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c
+Change-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c
+---
+ stack/Android.bp | 1 +
+ stack/btm/btm_ble.cc | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/stack/Android.bp b/stack/Android.bp
+index c4684236e..4021d9e51 100644
+--- a/stack/Android.bp
++++ b/stack/Android.bp
+@@ -178,6 +178,7 @@ cc_library_static {
+ shared_libs: [
+ "libcutils",
+ "liblog",
++ "libcrypto",
+ ],
+ required: [
+ "libldacBT_enc",
+diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc
+index b1f4119d5..f34c6db59 100644
+--- a/stack/btm/btm_ble.cc
++++ b/stack/btm/btm_ble.cc
+@@ -41,6 +41,7 @@
+ #include "hcimsgs.h"
+ #include "log/log.h"
+ #include "l2c_int.h"
++#include "openssl/mem.h"
+ #include "osi/include/log.h"
+ #include "osi/include/osi.h"
+ #include "stack/crypto_toolbox/crypto_toolbox.h"
+@@ -2110,7 +2111,7 @@ bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,
+
+ crypto_toolbox::aes_cmac(p_rec->ble.keys.pcsrk, p_orig, len,
+ BTM_CMAC_TLEN_SIZE, p_mac);
+- if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
++ if (CRYPTO_memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
+ btm_ble_increment_sign_ctr(bd_addr, false);
+ verified = true;
+ }
diff --git a/Patches/LineageOS-17.1/android_system_netd/377024-backport.patch b/Patches/LineageOS-17.1/android_system_netd/377024-backport.patch
new file mode 100644
index 00000000..e3999bc6
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_system_netd/377024-backport.patch
@@ -0,0 +1,115 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Lin Lee
+Date: Mon, 7 Aug 2023 09:34:41 +0000
+Subject: [PATCH] Fix Heap-use-after-free in MDnsSdListener::Monitor::run
+
+Use thread join to avoid thread exiting after instance
+recycled.
+
+Prior to implementing this patch, fuzzing would lead to a segmentation fault after approximately 500 rounds. With the addition of the patch, the fuzzing process can now be repeated for over 30,000 rounds.
+
+Test: m, fuzzing
+Fuzzing: mma mdns_service_fuzzer && adb sync data && adb shell /data/fuzz/arm64/mdns_service_fuzzer/mdns_service_fuzzer
+
+Bug: 272382770
+Ignore-AOSP-First: Security Issue
+(cherry picked from commit 9c0c15f80cffb98b36284dd169a2e62e059dbbe3)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:75e5e2e1faec7aa2812fc6fba30d6fe80558bacd)
+Merged-In: I5bc85451b4e6539bad45ceb672924a37952cc138
+Change-Id: I5bc85451b4e6539bad45ceb672924a37952cc138
+---
+ server/MDnsSdListener.cpp | 35 +++++++++++++++++++++++------------
+ server/MDnsSdListener.h | 4 +++-
+ 2 files changed, 26 insertions(+), 13 deletions(-)
+
+diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
+index 42dcddf3..d551d37c 100644
+--- a/server/MDnsSdListener.cpp
++++ b/server/MDnsSdListener.cpp
+@@ -29,6 +29,7 @@
+ #include
+ #include
+ #include
++ #include
+
+ #define LOG_TAG "MDnsDS"
+ #define DBG 1
+@@ -527,12 +528,18 @@ MDnsSdListener::Monitor::Monitor() {
+ mPollSize = 10;
+ socketpair(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, mCtrlSocketPair);
+
+- const int rval = ::android::netdutils::threadLaunch(this);
+- if (rval != 0) {
+- ALOGW("Error spawning monitor thread: %s (%d)", strerror(-rval), -rval);
+- }
++ mRescanThread = new std::thread(&Monitor::run, this);
++ if (!mRescanThread->joinable()) ALOGE("Unable to launch thread.");
+ }
+
++MDnsSdListener::Monitor::~Monitor() {
++ if (VDBG) ALOGD("Monitor recycling");
++ close(mCtrlSocketPair[1]); // interrupt
poll in MDnsSdListener::Monitor::run() and revent will
++ // be 17 = POLLIN | POLLHUP
++ mRescanThread->join();
++ delete mRescanThread;
++ if (VDBG) ALOGD("Monitor recycled");
++}
+ #define NAP_TIME 200 // 200 ms between polls
+ static int wait_for_property(const char *name, const char *desired_value, int maxwait)
+ {
+@@ -611,14 +618,18 @@ void MDnsSdListener::Monitor::run() {
+ }
+ }
+ if (VDBG) ALOGD("controlSocket shows revent= %d", mPollFds[0].revents);
+- switch (mPollFds[0].revents) {
+- case POLLIN: {
+- char readBuf[2];
+- read(mCtrlSocketPair[0], &readBuf, 1);
+- if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
+- if (memcmp(RESCAN, readBuf, 1) == 0) {
+- pollCount = rescan();
+- }
++ if (mPollFds[0].revents & POLLHUP) {
++ free(mPollFds);
++ free(mPollRefs);
++ if (VDBG) ALOGD("Monitor thread leaving.");
++ return;
++ }
++ if (mPollFds[0].revents == POLLIN) {
++ char readBuf[2];
++ read(mCtrlSocketPair[0], &readBuf, 1);
++ if (DBG) ALOGD("MDnsSdListener::Monitor got %c", readBuf[0]);
++ if (memcmp(RESCAN, readBuf, 1) == 0) {
++ pollCount = rescan();
+ }
+ }
+ mPollFds[0].revents = 0;
+diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h
+index 47ddc28f..915a3bc8 100644
+--- a/server/MDnsSdListener.h
++++ b/server/MDnsSdListener.h
+@@ -21,6 +21,7 @@
+ #include
+ #include
+ #include
++ #include
+
+ #include "NetdCommand.h"
+
+@@ -70,7 +71,7 @@ private:
+ class Monitor {
+ public:
+ Monitor();
+- virtual ~Monitor() {}
++ ~Monitor();
+ DNSServiceRef *allocateServiceRef(int id, Context *c);
+ void startMonitoring(int id);
+ DNSServiceRef *lookupServiceRef(int id);
+@@ -100,6 +101,7 @@ private:
+ int mPollSize;
+ int mCtrlSocketPair[2];
+ std::mutex mMutex;
++ std::thread* mRescanThread;
+ };
+
+ class Handler : public NetdCommand {
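Review bot: The launch check in `Monitor::Monitor()` is effectively dead: `std::thread`'s constructor throws `std::system_error` when it cannot start the thread, so `!mRescanThread->joinable()` on the following line can never be true and a failure surfaces as an unhandled exception rather than the `ALOGE`. Separately, `~Monitor()` closes only `mCtrlSocketPair[1]` before joining; nothing in the hunk closes the read end `mCtrlSocketPair[0]` that `run()` reads from, so each Monitor torn down appears to leak one descriptor (the fuzz harness in the commit message constructs many). After `delete mRescanThread;` add `close(mCtrlSocketPair[0]);`, and either drop the joinable check or wrap the `new std::thread` in a try/catch that logs. The body of `run()` starts outside the hunk, so other exit paths that would skip the `free()` calls cannot be ruled out from here.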
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_packages_apps_Bluetooth/377025.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_packages_apps_Bluetooth/377025.patch
new file mode 100644
index 00000000..82308d74
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_packages_apps_Bluetooth/377025.patch
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Thu, 5 Oct 2023 00:01:03 +0000
+Subject: [PATCH] Fix UAF in ~CallbackEnv
+
+com_android_bluetooth_btservice_AdapterService does not null its local
+JNI environment variable after detaching the thread (which frees the
+environment context), allowing UAF under certain conditions.
+
+Null the variable in this case.
+
+Testing here was done through a custom unit test; see patchsets 4-6 for
+contents. However, unit testing of the JNI layer is problematic in
+production, so that part of the patch is omitted for final merge.
+
+Bug: 291500341
+Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f543d919c4067f2f4925580fd8a690ba3440e80)
+Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030
+Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
+
+Change-Id: I6abe916720bcd6dbd8a532c2611c11d3c39f1940
+---
+ jni/com_android_bluetooth_btservice_AdapterService.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
+index fdb7dbf0b..b7e927b56 100644
+--- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
++++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
+@@ -404,6 +404,7 @@ static void callback_thread_event(bt_cb_thread_evt event) {
+ return;
+ }
+ vm->DetachCurrentThread();
++ callbackEnv = NULL;
+ }
+ }
+
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377026.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377026.patch
new file mode 100644
index 00000000..36593cf0
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377026.patch
@@ -0,0 +1,101 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Sat, 2 Sep 2023 04:20:10 +0000
+Subject: [PATCH] Reject access to secure service authenticated from a temp
+ bonding [1]
+
+Rejecct access to services running on l2cap
+
+Backport of
+Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
+
+Bug: 294854926
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d)
+Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
+Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
+
+Change-Id: I0435b4ee14c40213f3dae8abc54143ef7e8f67e0
+---
+ stack/btm/btm_sec.cc | 38 ++++++++++++++++++++++++++++++++++----
+ 1 file changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 40f051c0d..4da0320c5 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -102,7 +102,7 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
+ uint32_t mx_proto_id,
+ uint32_t mx_chan_id);
+
+-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec);
++static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec);
+ static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec);
+ static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec);
+ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
+@@ -144,7 +144,7 @@ static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = {
+ * Returns bool true or false
+ *
+ ******************************************************************************/
+-static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) {
++static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec) {
+ if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) {
+ return (true);
+ }
+@@ -220,6 +220,25 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
+ return (false);
+ }
+
++/*******************************************************************************
++ *
++ * Function access_secure_service_from_temp_bond
++ *
++ * Description a utility function to test whether an access to
++ * secure service from temp bonding is happening
++ *
++ * Returns true if the aforementioned condition holds,
++ * false otherwise
++ *
++ ******************************************************************************/
++static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec,
++ bool locally_initiated,
++ uint16_t security_req) {
++ return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
++ btm_dev_authenticated(p_dev_rec) &&
++ p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
++}
++
+ /*******************************************************************************
+ *
+ * Function BTM_SecRegister
+@@ -2271,9 +2290,13 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
+ }
+
+ if (rc == BTM_SUCCESS) {
++ if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required)) {
++ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
++ rc = BTM_FAILED_ON_SECURITY;
++ }
+ if (p_callback)
+- (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS);
+- return (BTM_SUCCESS);
++ (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc);
++ return (rc);
+ }
+ }
+
+@@ -5486,6 +5509,13 @@ extern tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) {
+ }
+ }
+
++ if (access_secure_service_from_temp_bond(p_dev_rec,
++ p_dev_rec->is_originator,
++ p_dev_rec->security_required)) {
++ LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
++ return (BTM_FAILED_ON_SECURITY);
++ }
++
+ /* All required security procedures already established */
+ p_dev_rec->security_required &=
+ ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
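Review bot: The header comment on `access_secure_service_from_temp_bond` says less than its body does: the predicate fires only for remotely-initiated requests (`!locally_initiated`), only for services that set `BTM_SEC_IN_AUTHENTICATE`, and only once `btm_dev_authenticated()` already holds, so an outgoing connection to a temp-bonded peer or a service that asks for encryption alone is not rejected by it. Suggest replacing the Description text with a sentence naming those three conditions, e.g. `Description true when a remote (acceptor-side) request for a service requiring BTM_SEC_IN_AUTHENTICATE comes from a peer that is authenticated but only temporarily bonded`, so the next person adjusting the SM4 defaults knows what this gate depends on. The placement inside `rc == BTM_SUCCESS` in `btm_sec_l2cap_access_req` and the second check just before `security_required` is cleared in `btm_sec_execute_procedure` look consistent with each other; both enclosing functions begin outside the hunk.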
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377027.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377027.patch
new file mode 100644
index 00000000..da175a97
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377027.patch
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Sat, 2 Sep 2023 04:27:29 +0000
+Subject: [PATCH] Reject access to secure services authenticated from temp
+ bonding [2]
+
+Reject access to service running on rfcomm
+
+this is a backport of
+I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
+
+Bug: 294854926
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5e0e907ec4948f06b3a35ecf08725c020d533ccb)
+Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
+Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
+---
+ stack/btm/btm_sec.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 4da0320c5..93e8b7a60 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -2633,6 +2633,11 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
+ mx_chan_id, p_callback, p_ref_data);
+ } else /* rc == BTM_SUCCESS */
+ {
++ if (access_secure_service_from_temp_bond(p_dev_rec,
++ is_originator, security_required)) {
++ LOG_ERROR(LOG_TAG, "Trying to access a secure rfcomm service from a temp bonding, reject");
++ rc = BTM_FAILED_ON_SECURITY;
++ }
+ /* access granted */
+ if (p_callback) {
+ (*p_callback)(&bd_addr, transport, p_ref_data, (uint8_t)rc);
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377028.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377028.patch
new file mode 100644
index 00000000..fad1a908
--- /dev/null
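Review bot: Once the inserted block sets `rc = BTM_FAILED_ON_SECURITY`, the pre-existing `/* access granted */` comment and the callback that follows it also run for the rejected case, so the comment now describes only one of the two outcomes that reach that line. Change it to `/* access granted unless rejected above; rc carries the result */`, or move the callback into an explicit `else` so the rejected path is visibly separate. The log text `reject` also differs from the `rejecting` used by the l2cap counterpart in the previous patch; matching the wording makes the two events easier to correlate in logs. The remainder of `btm_sec_mx_access_request`, including its return, is outside the hunk.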
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377028.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Tue, 12 Sep 2023 23:47:48 +0000
+Subject: [PATCH] Reject access to secure service authenticated from a temp
+ bonding [3]
+
+Allow access to rfcomm PSM by default
+
+Original bug
+Bug: 294854926
+
+Nearby regressions:
+Bug: 298539299
+
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ab986fe4165aae74c5915f57ad2e78bf80f1d3ec)
+Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
+Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
+---
+ stack/btm/btm_sec.cc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 93e8b7a60..80f4d3031 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -2313,15 +2313,15 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
+ btm_cb.security_mode == BTM_SEC_MODE_SC) {
+ if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
+ if (is_originator) {
+- /* SM4 to SM4 -> always authenticate & encrypt */
+- security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
++ /* SM4 to SM4 -> always encrypt */
++ security_required |= BTM_SEC_OUT_ENCRYPT;
+ } else /* acceptor */
+ {
+ /* SM4 to SM4: the acceptor needs to make sure the authentication is
+ * already done */
+ chk_acp_auth_done = true;
+- /* SM4 to SM4 -> always authenticate & encrypt */
+- security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
++ /* SM4 to SM4 -> always encrypt */
++ security_required |= BTM_SEC_IN_ENCRYPT;
+ }
+ } else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) {
+ /* the remote features are not known yet */
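Review bot: Dropping `BTM_SEC_IN_AUTHENTICATE` from the SM4-to-SM4 acceptor default interacts with the temp-bond gate introduced two patches earlier, which keys on exactly that flag: a service that relies on the default now carries only `BTM_SEC_IN_ENCRYPT` and is therefore reachable again from a temporary bond, which the commit message presents as intended for the rfcomm PSM but the code does not record. A one-line comment at the changed acceptor line, e.g. `/* IN_AUTHENTICATE deliberately not defaulted: services that need it must request it so temp-bond rejection still applies */`, would keep that dependency visible to whoever next touches either site. Whether `chk_acp_auth_done = true` still forces authentication on the acceptor path, and the 377021 change that starts authentication whenever encryption is required, are both decided outside this hunk.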
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029-fix.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029-fix.patch
new file mode 100644
index 00000000..d4b94b5b
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029-fix.patch
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tad
+Date: Mon, 11 Dec 2023 13:42:41 -0500
+Subject: [PATCH] Fixup missing import
+
+Signed-off-by: Tad
+Change-Id: I52177ea7c37da977a133afa791e7319c7fb4843b
+---
+ stack/Android.bp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/stack/Android.bp b/stack/Android.bp
+index 696cd6cd2..7bc03a2c2 100644
+--- a/stack/Android.bp
++++ b/stack/Android.bp
+@@ -185,6 +185,7 @@ cc_library_static {
+ shared_libs: [
+ "libcutils",
+ "liblog",
++ "libcrypto",
+ ],
+ required: [
+ "libldacBT_enc",
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029.patch
new file mode 100644
index 00000000..200888eb
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377029.patch
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Tue, 3 Oct 2023 21:27:49 +0000
+Subject: [PATCH] Fix timing attack in BTM_BleVerifySignature
+
+BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
+to be deduced through a side-channel attack.
+
+Change to CRYPTO_memcmp, which is hardened against this attack, to
+eliminate this attack.
+
+Bug: 274478807
+Test: atest bluetooth_test_gd_unit
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fcd1c44f7c4bf431dd6a6902d74c045174bd00ce)
+Merged-In: I41a9b586d663d2ad4694222ae451d2d30a428a3c
+Change-Id: I41a9b586d663d2ad4694222ae451d2d30a428a3c
+
+Change-Id: Ib7f3fff9f40140978c4dfb2f20ca57127586a05a
+---
+ stack/btm/btm_ble.cc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/stack/btm/btm_ble.cc b/stack/btm/btm_ble.cc
+index 7fd154d2d..56f4fa1cd 100644
+--- a/stack/btm/btm_ble.cc
++++ b/stack/btm/btm_ble.cc
+@@ -41,6 +41,7 @@
+ #include "hcimsgs.h"
+ #include "log/log.h"
+ #include "l2c_int.h"
++#include "openssl/mem.h"
+ #include "osi/include/log.h"
+ #include "osi/include/osi.h"
+ #include "stack/crypto_toolbox/crypto_toolbox.h"
+@@ -2183,7 +2184,7 @@ bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,
+
+ crypto_toolbox::aes_cmac(p_rec->ble.keys.pcsrk, p_orig, len,
+ BTM_CMAC_TLEN_SIZE, p_mac);
+- if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
++ if (CRYPTO_memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
+ btm_ble_increment_sign_ctr(bd_addr, false);
+ verified = true;
+ }
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377030.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377030.patch
new file mode 100644
index 00000000..bfaad663
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377030.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: balakrishna
+Date: Wed, 24 May 2023 13:28:21 +0530
+Subject: [PATCH] Fix OOB Write in pin_reply in bluetooth.cc
+
+Root cause:
+if the length of "pin_code" is greater than 16,
+an OOBW will be triggered due to a missing bounds check.
+
+Fix:
+Check is added to avoid Out of Bound Write.
+
+CRs-Fixed: 3507292
+Change-Id: I15a1eae59b17f633e29180a01676c260189b8353
+---
+ btif/src/bluetooth.cc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
+index 47667abd7..584d4c5db 100644
+--- a/btif/src/bluetooth.cc
++++ b/btif/src/bluetooth.cc
+@@ -316,6 +316,7 @@ static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len,
+ bt_pin_code_t tmp_pin_code;
+ /* sanity check */
+ if (interface_ready() == false) return BT_STATUS_NOT_READY;
++ if (pin_code == nullptr || pin_len > PIN_CODE_LEN) return BT_STATUS_FAIL;
+
+ memcpy(&tmp_pin_code, pin_code, pin_len);
+ return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code);
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377031.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377031.patch
new file mode 100644
index 00000000..09cc0478
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/377031.patch
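Review bot: The new guard in `pin_reply` bounds `pin_len` by `PIN_CODE_LEN`, but the object the `memcpy` writes into is `tmp_pin_code`, a `bt_pin_code_t`; the check only prevents the overflow for as long as those two sizes happen to agree, and nothing here ties them together. Bound by the destination itself, `if (pin_code == nullptr || pin_len > sizeof(tmp_pin_code)) return BT_STATUS_FAIL;`, so the guard cannot drift from the buffer it protects. Note also that `pin_code == nullptr` now fails a negative reply (`accept == 0`) that supplies no PIN buffer; if any caller does that, `pin_code == nullptr && pin_len > 0` keeps the rejection path working while still blocking the copy from a null pointer. What `btif_dm_pin_reply` does with `pin_len` is outside the hunk.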
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: balakrishna
+Date: Tue, 7 Mar 2023 16:53:46 +0530
+Subject: [PATCH] BT: Fixing the rfc_slot_id overflow
+
+Root cause:
+overflow causing leak in slot fds.
+As slot id 0 not valid, we are not able to release these fds later.
+
+Fix:
+Changes are made to avoid overflow while allocate rfc slots.
+
+CRs-Fixed: 3417458
+Change-Id: I5d7efa34bfb97a6dd8e9d68615d29120a0ae51f0
+---
+ btif/src/btif_sock_rfc.cc | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/btif/src/btif_sock_rfc.cc b/btif/src/btif_sock_rfc.cc
+index c2a0bc868..bfe549eb7 100644
+--- a/btif/src/btif_sock_rfc.cc
++++ b/btif/src/btif_sock_rfc.cc
+@@ -215,7 +215,11 @@ static rfc_slot_t* alloc_rfc_slot(const RawAddress* addr, const char* name,
+ }
+
+ // Increment slot id and make sure we don't use id=0.
+- if (++rfc_slot_id == 0) rfc_slot_id = 1;
++ if (UINT32_MAX == rfc_slot_id) {
++ rfc_slot_id = 1;
++ } else {
++ ++rfc_slot_id;
++ }
+
+ slot->fd = fds[0];
+ slot->app_fd = fds[1];
diff --git a/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/0001-Fixup-missing-import.patch b/Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/377029-fix.patch
similarity index 100%
rename from Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/0001-Fixup-missing-import.patch
rename to Patches/LineageOS-18.1/android_vendor_qcom_opensource_system_bt/377029-fix.patch
diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh
index bcffc831..87096b9c 100644
--- a/Scripts/LineageOS-17.1/Patch.sh
+++ b/Scripts/LineageOS-17.1/Patch.sh
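Review bot: The rewrite only changes behaviour if `rfc_slot_id` is a signed type: for a `uint32_t` counter `++rfc_slot_id` wrapping to 0 is defined and the removed line already reset it to 1, so old and new code produce the same id sequence and the commit message's claim that ids could reach 0 and strand fds is not explained by this hunk. If the variable is signed, the comparison against `UINT32_MAX` does not fire at the point where the signed increment would overflow, so the undefined behaviour would remain. Either way, recording the declared type next to the check, e.g. `// rfc_slot_id is uint32_t; wrap to 1, never 0`, or changing the declaration to `uint32_t` in the same patch, would make the fix self-evident; the declaration is outside the hunk.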
@@ -98,6 +98,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
+sed -i 's/2023-11-05/2023-12-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-12 #XXX
 fi;

 if enterAndClear "build/soong"; then
@@ -149,7 +150,21 @@ if enterAndClear "external/zlib"; then
 git fetch https://github.com/LineageOS/android_external_zlib refs/changes/70/352570/1 && git cherry-pick FETCH_HEAD; #Q_asb_2023-03
 fi;

+if enterAndClear "frameworks/av"; then
+applyPatch "$DOS_PATCHES/android_frameworks_av/376999-backport.patch"; #R_asb_2023-12 httplive: fix use-after-free
+fi;
+
 if enterAndClear "frameworks/base"; then
+applyPatch "$DOS_PATCHES/android_frameworks_base/377001.patch"; #R_asb_2023-12 Visit Uris added by WearableExtender
+applyPatch "$DOS_PATCHES/android_frameworks_base/377002.patch"; #R_asb_2023-12 Fix bypass BAL via `requestGeofence`
+applyPatch "$DOS_PATCHES/android_frameworks_base/377004-backport.patch"; #R_asb_2023-12 Drop invalid data.
+applyPatch "$DOS_PATCHES/android_frameworks_base/377006.patch"; #R_asb_2023-12 Require permission to unlock keyguard
+applyPatch "$DOS_PATCHES/android_frameworks_base/377008.patch"; #R_asb_2023-12 Use readUniqueFileDescriptor in incidentd service
+applyPatch "$DOS_PATCHES/android_frameworks_base/377009.patch"; #R_asb_2023-12 Validate userId when publishing shortcuts
+applyPatch "$DOS_PATCHES/android_frameworks_base/377010.patch"; #R_asb_2023-12 Revert "On device lockdown, always show the keyguard"
+applyPatch "$DOS_PATCHES/android_frameworks_base/377011.patch"; #R_asb_2023-12 Adding in verification of calling UID in onShellCommand
+applyPatch "$DOS_PATCHES/android_frameworks_base/377012.patch"; #R_asb_2023-12 Updated: always show the keyguard on device lockdown
+#applyPatch "$DOS_PATCHES/android_frameworks_base/377013-backport.patch"; #R_asb_2023-12 Check URI permissions for resumable media artwork #XXX
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
@@ -280,6 +295,7 @@ if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then awk -i inplace '!/LineageAud
 fi;

 if enterAndClear "packages/apps/Bluetooth"; then
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/377014-backport.patch"; #R_asb_2023-12 Fix UAF in ~CallbackEnv
 #applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/272652.patch"; #ten-bt-sbc-hd-dualchannel: SBC Dual Channel (SBC HD Audio) support (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/272653.patch"; #ten-bt-sbc-hd-dualchannel: Assume optional codecs are supported if were supported previously (ValdikSS)
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
@@ -352,6 +368,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_SetupWizard/0001-Remove_Analytics
 fi;

 if enterAndClear "packages/apps/Trebuchet"; then
+applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/377015.patch"; #R_asb_2023-12 Fix permission bypass in legacy shortcut
 cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed
 fi;
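Review bot: `377013-backport.patch` (Check URI permissions for resumable media artwork) is left commented out with only `#XXX`, so one of the December bulletin fixes is silently not applied to 17.1 and the reason is not recorded anywhere a later reader can find it. Put the cause in the comment, e.g. `#XXX: does not apply cleanly to 17.1, needs forward-port`, so the gap can be audited against the bulletin instead of rediscovered. The same `#XXX` is appended to the security-string bump in the build hunk earlier in this file, which advertises 2023-12-05 while this fix is missing; the two notes should say the same thing.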
@@ -379,11 +396,21 @@ fi;
 #cp $DOS_PATCHES_COMMON/android_packages_providers_TelephonyProvider/carrier_list.* assets/;
 #fi;

+if enterAndClear "packages/services/Telecomm"; then
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/377016-backport.patch"; #R_asb_2023-12 Resolve account image icon profile boundary exploit.
+fi;
+
 if enterAndClear "prebuilts/abi-dumps/vndk"; then
 applyPatch "$DOS_PATCHES/android_prebuilts_abi-dumps_vndk/0001-protobuf-avi.patch"; #Work around ABI changes from compiler hardening (GrapheneOS)
 fi;

 if enterAndClear "system/bt"; then
+applyPatch "$DOS_PATCHES/android_system_bt/377017.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1]
+applyPatch "$DOS_PATCHES/android_system_bt/377018.patch"; #R_asb_2023-12 Reject access to secure services authenticated from temp bonding [2]
+applyPatch "$DOS_PATCHES/android_system_bt/377019.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3]
+applyPatch "$DOS_PATCHES/android_system_bt/377020.patch"; #R_asb_2023-12 Reorganize the code for checking auth requirement
+applyPatch "$DOS_PATCHES/android_system_bt/377021.patch"; #R_asb_2023-12 Enforce authentication if encryption is required
+applyPatch "$DOS_PATCHES/android_system_bt/377023-backport.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
 applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
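Review bot: The system/bt sequence applies 377017 through 377021 and then jumps to 377023-backport, so 377022 is skipped without a note; if it was judged not applicable to 17.1 or superseded, a commented-out `applyPatch` line carrying the reason (as is done for 377013 in the frameworks/base hunk) would keep bulletin coverage auditable from this script alone. These patches are order-sensitive — 377020 reorganises the authentication check that 377021 then extends — so anyone filling the gap later needs to slot it in by number rather than append it.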
@@ -410,6 +437,7 @@ applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #
 fi;

 if enterAndClear "system/netd"; then
+applyPatch "$DOS_PATCHES/android_system_netd/377024-backport.patch"; #R_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
 applyPatch "$DOS_PATCHES/android_system_netd/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_system_netd/0002-hosts_toggle.patch"; #Add a toggle to disable /etc/hosts lookup (DivestOS)
 fi;
@@ -461,6 +489,20 @@ if enter "vendor/divested"; then
 echo "PRODUCT_PACKAGES += vendor.lineage.trust@1.0-service" >> packages.mk; #Add deny usb service, all of our kernels have the necessary patch
 awk -i inplace '!/speed-profile/' build/target/product/lowram.mk; #breaks compile on some dexpreopt devices
 fi;
+
+if enterAndClear "vendor/qcom/opensource/commonsys/system/bt"; then
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377026.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1]
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377027.patch"; #R_asb_2023-12 Reject access to secure services authenticated from temp bonding [2]
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377028.patch"; #R_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3]
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377029.patch"; #R_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377029-fix.patch"; #R_asb_2023-12 Fix missing import
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377030.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377031.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow
+fi;
+
+if enterAndClear "vendor/qcom/opensource/commonsys/packages/apps/Bluetooth"; then
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_packages_apps_Bluetooth/377025.patch"; #R_asb_2023-12 Fix UAF in ~CallbackEnv
+fi;
 #
 #END OF ROM CHANGES
 #
diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh
index 2231dc10..489708da 100644
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@@ -468,7 +468,7 @@ awk -i inplace '!/speed-profile/' build/target/product/lowram.mk; #breaks compil
 fi;

 if enterAndClear "vendor/qcom/opensource/commonsys/system/bt"; then
-applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/0001-Fixup-missing-import.patch"; #R_asb_2023-12
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/377029-fix.patch"; #R_asb_2023-12 Fix missing import
 fi;
 #
 #END OF ROM CHANGES