Reconcile picks

17.1 gains one patch

Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
Tavi 2024-02-08 19:54:59 -05:00
parent 44e57d0a5a
commit fa044409c0
No known key found for this signature in database
GPG Key ID: E599F62ECBAEAF2E
26 changed files with 2 additions and 1639 deletions

View File

@ -1,31 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Songyue Han <songyueh@google.com>
Date: Tue, 3 Oct 2023 22:40:14 +0000
Subject: [PATCH] Fix convertYUV420Planar16ToY410 overflow issue for
unsupported cropwidth.
Bug: 300476626
Test: color_conversion_fuzzer
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:de2ad0fad97d6d97d1e01f0e8d8309536eb268b4)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:745ab99f7343bc236b88b9d63cd7b06ab192f9e9)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:aa8298ec8eb903e1e3dd915fa24f32e1aea1f76c)
Merged-In: I8631426188af3c5f9b6c1ff6a0039254c252f733
Change-Id: I8631426188af3c5f9b6c1ff6a0039254c252f733
---
media/libstagefright/colorconversion/ColorConverter.cpp | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/media/libstagefright/colorconversion/ColorConverter.cpp b/media/libstagefright/colorconversion/ColorConverter.cpp
index a1873bc5c4..94356b0b0c 100644
--- a/media/libstagefright/colorconversion/ColorConverter.cpp
+++ b/media/libstagefright/colorconversion/ColorConverter.cpp
@@ -592,7 +592,8 @@ status_t ColorConverter::convertYUV420Planar16ToY410(
uint32_t u01, v01, y01, y23, y45, y67, uv0, uv1;
size_t x = 0;
- for (; x < src.cropWidth() - 3; x += 4) {
+ // x % 4 is always 0 so x + 3 will never overflow.
+ for (; x + 3 < src.cropWidth(); x += 4) {
u01 = *((uint32_t*)ptr_u); ptr_u += 2;
v01 = *((uint32_t*)ptr_v); ptr_v += 2;

View File

@ -1,69 +0,0 @@
From a1e8ab5e0dbb34361cbd548abac2f8cf980faab9 Mon Sep 17 00:00:00 2001
From: Jing Ji <jji@google.com>
Date: Thu, 19 Oct 2023 14:22:58 -0700
Subject: [PATCH] DO NOT MERGE: Fix ActivityManager#killBackgroundProcesses
permissions
In the pevious CL, we incorrectly added the permission check in the
killBackgroundProcessesExcept. Now fix this issue.
Bug: 239423414
Bug: 223376078
Test: atest CtsAppTestCases:ActivityManagerTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140fce861944419a375c669010c6c47cd7ff5b37)
Merged-In: I9471a77188ee63ec32cd0c81569193e4ccad885b
Change-Id: I9471a77188ee63ec32cd0c81569193e4ccad885b
---
.../server/am/ActivityManagerService.java | 32 +++++++++----------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 5a12cdaae56c..9a9c05060a4c 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -3690,6 +3690,22 @@ public void killAllBackgroundProcesses() {
throw new SecurityException(msg);
}
+ final int callingUid = Binder.getCallingUid();
+ final int callingPid = Binder.getCallingPid();
+
+ ProcessRecord proc;
+ synchronized (mPidsSelfLocked) {
+ proc = mPidsSelfLocked.get(callingPid);
+ }
+ if (callingUid >= FIRST_APPLICATION_UID
+ && (proc == null || !proc.info.isSystemApp())) {
+ final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
+ + callingPid + ", uid=" + callingUid + " is not allowed";
+ Slog.w(TAG, msg);
+ // Silently return to avoid existing apps from crashing.
+ return;
+ }
+
final long callingId = Binder.clearCallingIdentity();
try {
synchronized (this) {
@@ -3730,22 +3746,6 @@ void killAllBackgroundProcessesExcept(int minTargetSdk, int maxProcState) {
throw new SecurityException(msg);
}
- final int callingUid = Binder.getCallingUid();
- final int callingPid = Binder.getCallingPid();
-
- ProcessRecord proc;
- synchronized (mPidsSelfLocked) {
- proc = mPidsSelfLocked.get(callingPid);
- }
- if (callingUid >= FIRST_APPLICATION_UID
- && (proc == null || !proc.info.isSystemApp())) {
- final String msg = "Permission Denial: killAllBackgroundProcesses() from pid="
- + callingPid + ", uid=" + callingUid + " is not allowed";
- Slog.w(TAG, msg);
- // Silently return to avoid existing apps from crashing.
- return;
- }
-
final long callingId = Binder.clearCallingIdentity();
try {
synchronized (this) {

View File

@ -1,40 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Aaron Liu <aaronjli@google.com>
Date: Tue, 28 Mar 2023 13:15:04 -0700
Subject: [PATCH] DO NOT MERGE Dismiss keyguard when simpin auth'd and...
security method is none. This is mostly to fix the case where we auth
sim pin in the set up wizard and it goes straight to keyguard instead of
the setup wizard activity.
This works with the prevent bypass keyguard flag because the device
should be noe secure in this case.
Fixes: 222446076
Test: turn locked sim on, which opens the sim pin screen. Auth the
screen and observe that keyguard is not shown.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48fa9bef3451e4a358c941af5b230f99881c5cb6)
Cherry-picking this CL as a security fix
Bug: 222446076
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:09f004722284ef6b9790ddf9338a1708b3f0833c)
Merged-In: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
AOSP-Change-Id: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
Change-Id: Id6eb8eff88481f9ec2c9cbcde9d7b0f78a349d98
---
.../src/com/android/keyguard/KeyguardSecurityContainer.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
index 6a71cf84759c..bb205956e932 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
@@ -351,7 +351,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
case SimPuk:
// Shortcut for SIM PIN/PUK to go to directly to user's security screen or home
SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId);
- if (securityMode == SecurityMode.None && mLockPatternUtils.isLockScreenDisabled(
+ if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled(
KeyguardUpdateMonitor.getCurrentUser())) {
finish = true;
} else {

View File

@ -1,64 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Aaron Liu <aaronjli@google.com>
Date: Fri, 11 Aug 2023 11:02:33 -0700
Subject: [PATCH] DO NOT MERGE Ensure finish lockscreen when usersetup
incomplete
Ensure that when the usersetup for the user is not complete, we do not
want to go to lockscreen, even if lockscreen is not disabled.
Bug: 222446076
Test: add Unit test,
Test: Wipe device, auth sim pin in setup, observe that lockscreen is
not there.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01ea2f91df5a1c67da2546d83beeee75c2c1ef94)
Merged-In: I8e33db8eb6e2c917966cab3d6a4f982670473040
Change-Id: I8e33db8eb6e2c917966cab3d6a4f982670473040
---
.../android/keyguard/KeyguardSecurityContainer.java | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
index bb205956e932..a6fa034cb901 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
@@ -32,6 +32,8 @@ import android.widget.FrameLayout;
import com.android.internal.widget.LockPatternUtils;
import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
+import com.android.systemui.statusbar.policy.DeviceProvisionedController;
+import com.android.systemui.Dependency;
public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSecurityView {
private static final boolean DEBUG = KeyguardConstants.DEBUG;
@@ -50,6 +52,8 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
private SecurityCallback mSecurityCallback;
private AlertDialog mAlertDialog;
+ private final DeviceProvisionedController mDeviceProvisionedController;
+
private final KeyguardUpdateMonitor mUpdateMonitor;
// Used to notify the container when something interesting happens.
@@ -81,6 +85,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
mSecurityModel = new KeyguardSecurityModel(context);
mLockPatternUtils = new LockPatternUtils(context);
mUpdateMonitor = KeyguardUpdateMonitor.getInstance(mContext);
+ mDeviceProvisionedController = Dependency.get(DeviceProvisionedController.class);
}
public void setSecurityCallback(SecurityCallback callback) {
@@ -351,8 +356,11 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
case SimPuk:
// Shortcut for SIM PIN/PUK to go to directly to user's security screen or home
SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId);
- if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled(
- KeyguardUpdateMonitor.getCurrentUser())) {
+ boolean isLockscreenDisabled = mLockPatternUtils.isLockScreenDisabled(
+ KeyguardUpdateMonitor.getCurrentUser())
+ || !mDeviceProvisionedController.isUserSetup(targetUserId);
+
+ if (securityMode == SecurityMode.None && isLockscreenDisabled) {
finish = true;
} else {
showSecurityScreen(securityMode);

View File

@ -1,94 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tetiana Meronyk <tetianameronyk@google.com>
Date: Thu, 24 Aug 2023 16:27:30 +0000
Subject: [PATCH] Truncate user data to a limit of 500 characters
Fix vulnerability that allows creating users with no restrictions. This is done by creating an intent to create a user and putting extras that are too long to be serialized. It causes IOException and the restrictions are not written in the file.
By truncating the string values when writing them to the file, we ensure that the exception does not happen and it can be recorded correctly.
Bug: 293602317
Test: install app provided in the bug, open app and click add. Check logcat to see there is no more IOException. Reboot the device by either opening User details page or running adb shell dumpsys user | grep -A12 heen and see that the restrictions are in place.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48d45b507df64708a214a800082b970c8b2bf827)
Merged-In: I633dc10974a64ef2abd07e67ff2d209847129989
Change-Id: I633dc10974a64ef2abd07e67ff2d209847129989
---
.../android/server/pm/UserManagerService.java | 24 ++++++++++++++-----
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index 423b88388809..7b121ba5a0f6 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -216,6 +216,8 @@ public class UserManagerService extends IUserManager.Stub {
private static final int USER_VERSION = 7;
+ private static final int MAX_USER_STRING_LENGTH = 500;
+
private static final long EPOCH_PLUS_30_YEARS = 30L * 365 * 24 * 60 * 60 * 1000L; // ms
// Maximum number of managed profiles permitted per user is 1. This cannot be increased
@@ -2292,15 +2294,17 @@ public class UserManagerService extends IUserManager.Stub {
// Write seed data
if (userData.persistSeedData) {
if (userData.seedAccountName != null) {
- serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME, userData.seedAccountName);
+ serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME,
+ truncateString(userData.seedAccountName));
}
if (userData.seedAccountType != null) {
- serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE, userData.seedAccountType);
+ serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE,
+ truncateString(userData.seedAccountType));
}
}
if (userInfo.name != null) {
serializer.startTag(null, TAG_NAME);
- serializer.text(userInfo.name);
+ serializer.text(truncateString(userInfo.name));
serializer.endTag(null, TAG_NAME);
}
synchronized (mRestrictionsLock) {
@@ -2335,6 +2339,13 @@ public class UserManagerService extends IUserManager.Stub {
serializer.endDocument();
}
+ private String truncateString(String original) {
+ if (original == null || original.length() <= MAX_USER_STRING_LENGTH) {
+ return original;
+ }
+ return original.substring(0, MAX_USER_STRING_LENGTH);
+ }
+
/*
* Writes the user list file in this format:
*
@@ -2632,6 +2643,7 @@ public class UserManagerService extends IUserManager.Stub {
private UserInfo createUserInternalUnchecked(String name, int flags, int parentId,
String[] disallowedPackages) {
+ String truncatedName = truncateString(name);
DeviceStorageMonitorInternal dsm = LocalServices
.getService(DeviceStorageMonitorInternal.class);
if (dsm.isMemoryLow()) {
@@ -2710,7 +2722,7 @@ public class UserManagerService extends IUserManager.Stub {
flags |= UserInfo.FLAG_EPHEMERAL;
}
- userInfo = new UserInfo(userId, name, null, flags);
+ userInfo = new UserInfo(userId, truncatedName, null, flags);
userInfo.serialNumber = mNextSerialNumber++;
long now = System.currentTimeMillis();
userInfo.creationTime = (now > EPOCH_PLUS_30_YEARS) ? now : 0;
@@ -3541,8 +3553,8 @@ public class UserManagerService extends IUserManager.Stub {
Slog.e(LOG_TAG, "No such user for settings seed data u=" + userId);
return;
}
- userData.seedAccountName = accountName;
- userData.seedAccountType = accountType;
+ userData.seedAccountName = truncateString(accountName);
+ userData.seedAccountType = truncateString(accountType);
userData.seedAccountOptions = accountOptions;
userData.persistSeedData = persist;
}

View File

@ -1,38 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Raphael Kim <raphk@google.com>
Date: Mon, 18 Sep 2023 14:07:23 -0700
Subject: [PATCH] Validate component name length before requesting notification
access.
Bug: 295335110
Test: Test app with long component name
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:447216ecbe5f22ea06379d9587dae530b1202fe8)
Merged-In: I7ea5d5c1f78858db9865f3310d1e0aff9c8b5579
Change-Id: I7ea5d5c1f78858db9865f3310d1e0aff9c8b5579
---
.../server/companion/CompanionDeviceManagerService.java | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
index e39652d77b7a..087fe8560fc8 100644
--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
@@ -107,6 +107,8 @@ public class CompanionDeviceManagerService extends SystemService implements Bind
private static final boolean DEBUG = false;
private static final String LOG_TAG = "CompanionDeviceManagerService";
+ private static final int MAX_CN_LENGTH = 500;
+
private static final String XML_TAG_ASSOCIATIONS = "associations";
private static final String XML_TAG_ASSOCIATION = "association";
private static final String XML_ATTR_PACKAGE = "package";
@@ -290,6 +292,9 @@ public class CompanionDeviceManagerService extends SystemService implements Bind
String callingPackage = component.getPackageName();
checkCanCallNotificationApi(callingPackage);
int userId = getCallingUserId();
+ if (component.flattenToString().length() > MAX_CN_LENGTH) {
+ throw new IllegalArgumentException("Component name is too long.");
+ }
final long identity = Binder.clearCallingIdentity();
try {
return PendingIntent.getActivity(getContext(),

View File

@ -1,66 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nan Wu <wnan@google.com>
Date: Fri, 25 Aug 2023 15:02:28 +0000
Subject: [PATCH] RESTRICT AUTOMERGE Log to detect usage of whitelistToken when
sending non-PI target
Log ActivityManagerService.sendIntentSender if the target is not a
PendingIntent and a non-null whitelistToken is sent to the client.
This is simply to detect if there are real cases this would happen
before we decide simply remove whitelistToken in that case.
Do not pass whitelistToken when sending non-PI target
In ActivityManagerService.sendIntentSender, if the target is not a
PendingIntent, do not send whitelistToken to the client.
Bug: 279428283
Test: Manual test
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f12deecd46e79212deba584a1afea97d401dd52)
Merged-In: I017486354a1ab2f14d0472c355583d53c27c4810
Change-Id: I017486354a1ab2f14d0472c355583d53c27c4810
---
.../server/am/ActivityManagerService.java | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 847beb87408d..e1159493fe24 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -8625,12 +8625,12 @@ public class ActivityManagerService extends IActivityManager.Stub
}
@Override
- public int sendIntentSender(IIntentSender target, IBinder whitelistToken, int code,
+ public int sendIntentSender(IIntentSender target, IBinder allowlistToken, int code,
Intent intent, String resolvedType,
IIntentReceiver finishedReceiver, String requiredPermission, Bundle options) {
if (target instanceof PendingIntentRecord) {
return ((PendingIntentRecord)target).sendWithResult(code, intent, resolvedType,
- whitelistToken, finishedReceiver, requiredPermission, options);
+ allowlistToken, finishedReceiver, requiredPermission, options);
} else {
if (intent == null) {
// Weird case: someone has given us their own custom IIntentSender, and now
@@ -8642,7 +8642,20 @@ public class ActivityManagerService extends IActivityManager.Stub
intent = new Intent(Intent.ACTION_MAIN);
}
try {
- target.send(code, intent, resolvedType, whitelistToken, null,
+ if (allowlistToken != null) {
+ final int callingUid = Binder.getCallingUid();
+ final String packageName;
+ final long token = Binder.clearCallingIdentity();
+ try {
+ packageName = AppGlobals.getPackageManager().getNameForUid(callingUid);
+ } finally {
+ Binder.restoreCallingIdentity(token);
+ }
+ Slog.wtf(TAG, "Send a non-null allowlistToken to a non-PI target."
+ + " Calling package: " + packageName + "; intent: " + intent
+ + "; options: " + options);
+ }
+ target.send(code, intent, resolvedType, null, null,
requiredPermission, options);
} catch (RemoteException e) {
}

View File

@ -1,40 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Will Leshner <wleshner@google.com>
Date: Tue, 31 Oct 2023 13:23:08 -0700
Subject: [PATCH] Fix vulnerability that allowed attackers to start arbitary
activities
Test: Flashed device and verified dream settings works as expected
Test: Installed APK from bug and verified the dream didn't allow
launching the inappropriate settings activity.
Fixes: 300090204
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14)
Merged-In: I573040df84bf98a493b39f96c8581e4303206bac
Change-Id: I573040df84bf98a493b39f96c8581e4303206bac
---
.../com/android/settingslib/dream/DreamBackend.java | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
index 3c0f6fe8ccbb..0b771580fff4 100644
--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
@@ -332,7 +332,17 @@ public class DreamBackend {
if (cn != null && cn.indexOf('/') < 0) {
cn = resolveInfo.serviceInfo.packageName + "/" + cn;
}
- return cn == null ? null : ComponentName.unflattenFromString(cn);
+ // Ensure that the component is from the same package as the dream service. If not,
+ // treat the component as invalid and return null instead.
+ final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
+ if (result != null
+ && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
+ Log.w(TAG,
+ "Inconsistent package name in component: " + result.getPackageName()
+ + ", should be: " + resolveInfo.serviceInfo.packageName);
+ return null;
+ }
+ return result;
}
private static void logd(String msg, Object... args) {

View File

@ -1,135 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Tue, 23 May 2023 23:23:11 +0000
Subject: [PATCH] Fix some OOB errors in BTM parsing
Some HCI BLE events are missing bounds checks, leading to possible OOB
access. Add the appropriate bounds checks on the packets.
Bug: 279169188
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)
Merged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
Change-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
---
stack/btm/btm_ble_gap.cc | 50 ++++++++++++++++++++++++++++++----------
stack/btu/btu_hcif.cc | 6 +++++
2 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/stack/btm/btm_ble_gap.cc b/stack/btm/btm_ble_gap.cc
index 4e8471261..8a2c53c30 100644
--- a/stack/btm/btm_ble_gap.cc
+++ b/stack/btm/btm_ble_gap.cc
@@ -1879,19 +1879,27 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
advertising_sid;
int8_t rssi, tx_power;
uint16_t event_type, periodic_adv_int, direct_address_type;
+ size_t bytes_to_process;
/* Only process the results if the inquiry is still active */
if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return;
+ bytes_to_process = 1;
+
+ if (data_len < bytes_to_process) {
+ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
+ "for num reports";
+ return;
+ }
+
/* Extract the number of reports in this event. */
STREAM_TO_UINT8(num_reports, p);
while (num_reports--) {
- if (p > data + data_len) {
- // TODO(jpawlowski): we should crash the stack here
- BTM_TRACE_ERROR(
- "Malformed LE Extended Advertising Report Event from controller - "
- "can't loop the data");
+ bytes_to_process += 24;
+ if (data_len < bytes_to_process) {
+ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
+ "for metadata";
return;
}
@@ -1911,8 +1919,11 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
uint8_t* pkt_data = p;
p += pkt_data_len; /* Advance to the the next packet*/
- if (p > data + data_len) {
- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
+
+ bytes_to_process += pkt_data_len;
+ if (data_len < bytes_to_process) {
+ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
+ "for packet data";
return;
}
@@ -1941,17 +1952,28 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
uint8_t* p = data;
uint8_t legacy_evt_type, addr_type, num_reports, pkt_data_len;
int8_t rssi;
+ size_t bytes_to_process;
/* Only process the results if the inquiry is still active */
if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return;
+ bytes_to_process = 1;
+
+ if (data_len < bytes_to_process) {
+ LOG(ERROR)
+ << "Malformed LE advertising packet: not enough room for num reports";
+ return;
+ }
+
/* Extract the number of reports in this event. */
STREAM_TO_UINT8(num_reports, p);
while (num_reports--) {
- if (p > data + data_len) {
- // TODO(jpawlowski): we should crash the stack here
- BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller");
+ bytes_to_process += 9;
+
+ if (data_len < bytes_to_process) {
+ LOG(ERROR)
+ << "Malformed LE advertising packet: not enough room for metadata";
return;
}
@@ -1963,8 +1985,12 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
uint8_t* pkt_data = p;
p += pkt_data_len; /* Advance to the the rssi byte */
- if (p > data + data_len - sizeof(rssi)) {
- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
+
+ // include rssi for this check
+ bytes_to_process += pkt_data_len + 1;
+ if (data_len < bytes_to_process) {
+ LOG(ERROR) << "Malformed LE advertising packet: not enough room for "
+ "packet data and/or RSSI";
return;
}
diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
index 720bab266..8c83fa10e 100644
--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -1810,6 +1810,12 @@ static void btu_ble_data_length_change_evt(uint8_t* p, uint16_t evt_len) {
return;
}
+ // 2 bytes each for handle, tx_data_len, TxTimer, rx_data_len
+ if (evt_len < 8) {
+ LOG_ERROR(LOG_TAG, "Event packet too short");
+ return;
+ }
+
STREAM_TO_UINT16(handle, p);
STREAM_TO_UINT16(tx_data_len, p);
p += 2; /* Skip the TxTimer */

View File

@ -1,32 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Harish Mahendrakar <harish.mahendrakar@ittiam.com>
Date: Mon, 28 Aug 2023 17:35:56 +0000
Subject: [PATCH] Codec2BufferUtils: Use cropped dimensions in RGB to YUV
conversion
Bug: 283099444
Test: poc in the bug
(cherry picked from https://partner-android-review.googlesource.com/q/commit:3875b858a347e25db94574e6362798a849bf9ebd)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4eba80f6698cb2d7aa48ea4f7728dbdf11f29fd3)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d83225b43057dd25deb5083772e6ebc2f5e5253b)
Merged-In: I42c71616c9d50f61c92f461f6a91f5addb1d724a
Change-Id: I42c71616c9d50f61c92f461f6a91f5addb1d724a
---
media/codec2/sfplugin/utils/Codec2BufferUtils.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/media/codec2/sfplugin/utils/Codec2BufferUtils.cpp b/media/codec2/sfplugin/utils/Codec2BufferUtils.cpp
index bf2a07ee52..9bc8eb9c4c 100644
--- a/media/codec2/sfplugin/utils/Codec2BufferUtils.cpp
+++ b/media/codec2/sfplugin/utils/Codec2BufferUtils.cpp
@@ -361,8 +361,8 @@ status_t ConvertRGBToPlanarYUV(
const uint8_t *pBlue = src.data()[C2PlanarLayout::PLANE_B];
#define CLIP3(x,y,z) (((z) < (x)) ? (x) : (((z) > (y)) ? (y) : (z)))
- for (size_t y = 0; y < src.height(); ++y) {
- for (size_t x = 0; x < src.width(); ++x) {
+ for (size_t y = 0; y < src.crop().height; ++y) {
+ for (size_t x = 0; x < src.crop().width; ++x) {
uint8_t red = *pRed;
uint8_t green = *pGreen;
uint8_t blue = *pBlue;

View File

@ -1,31 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Songyue Han <songyueh@google.com>
Date: Tue, 3 Oct 2023 22:40:14 +0000
Subject: [PATCH] Fix convertYUV420Planar16ToY410 overflow issue for
unsupported cropwidth.
Bug: 300476626
Test: color_conversion_fuzzer
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:de2ad0fad97d6d97d1e01f0e8d8309536eb268b4)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:745ab99f7343bc236b88b9d63cd7b06ab192f9e9)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:aa8298ec8eb903e1e3dd915fa24f32e1aea1f76c)
Merged-In: I8631426188af3c5f9b6c1ff6a0039254c252f733
Change-Id: I8631426188af3c5f9b6c1ff6a0039254c252f733
---
media/libstagefright/colorconversion/ColorConverter.cpp | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/media/libstagefright/colorconversion/ColorConverter.cpp b/media/libstagefright/colorconversion/ColorConverter.cpp
index d685321028..c491d8043b 100644
--- a/media/libstagefright/colorconversion/ColorConverter.cpp
+++ b/media/libstagefright/colorconversion/ColorConverter.cpp
@@ -648,7 +648,8 @@ status_t ColorConverter::convertYUV420Planar16ToY410(
uint32_t u01, v01, y01, y23, y45, y67, uv0, uv1;
size_t x = 0;
- for (; x < src.cropWidth() - 3; x += 4) {
+ // x % 4 is always 0 so x + 3 will never overflow.
+ for (; x + 3 < src.cropWidth(); x += 4) {
u01 = *((uint32_t*)ptr_u); ptr_u += 2;
v01 = *((uint32_t*)ptr_v); ptr_v += 2;

View File

@ -1,62 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Aaron Liu <aaronjli@google.com>
Date: Fri, 11 Aug 2023 11:02:33 -0700
Subject: [PATCH] DO NOT MERGE Ensure finish lockscreen when usersetup
incomplete
Ensure that when the usersetup for the user is not complete, we do not
want to go to lockscreen, even if lockscreen is not disabled.
Bug: 222446076
Test: add Unit test,
Test: Wipe device, auth sim pin in setup, observe that lockscreen is
not there.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01ea2f91df5a1c67da2546d83beeee75c2c1ef94)
Merged-In: I8e33db8eb6e2c917966cab3d6a4f982670473040
Change-Id: I8e33db8eb6e2c917966cab3d6a4f982670473040
---
.../android/keyguard/KeyguardSecurityContainer.java | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
index bd555e7360d8..31cfffee2a68 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
@@ -49,6 +49,7 @@ import com.android.systemui.Dependency;
import com.android.systemui.R;
import com.android.systemui.SystemUIFactory;
import com.android.systemui.statusbar.phone.UnlockMethodCache;
+import com.android.systemui.statusbar.policy.DeviceProvisionedController;
import com.android.systemui.util.InjectionInflationController;
public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSecurityView {
@@ -100,6 +101,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
private int mActivePointerId = -1;
private boolean mIsDragging;
private float mStartTouchY = -1;
+ private final DeviceProvisionedController mDeviceProvisionedController;
// Used to notify the container when something interesting happens.
public interface SecurityCallback {
@@ -136,6 +138,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
SystemUIFactory.getInstance().getRootComponent());
mUnlockMethodCache = UnlockMethodCache.getInstance(context);
mViewConfiguration = ViewConfiguration.get(context);
+ mDeviceProvisionedController = Dependency.get(DeviceProvisionedController.class);
}
public void setSecurityCallback(SecurityCallback callback) {
@@ -529,8 +532,11 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
case SimPuk:
// Shortcut for SIM PIN/PUK to go to directly to user's security screen or home
SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId);
- if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled(
- KeyguardUpdateMonitor.getCurrentUser())) {
+ boolean isLockscreenDisabled = mLockPatternUtils.isLockScreenDisabled(
+ KeyguardUpdateMonitor.getCurrentUser())
+ || !mDeviceProvisionedController.isUserSetup(targetUserId);
+
+ if (securityMode == SecurityMode.None && isLockscreenDisabled) {
finish = true;
eventSubtype = BOUNCER_DISMISS_SIM;
} else {

View File

@ -1,104 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tetiana Meronyk <tetianameronyk@google.com>
Date: Thu, 24 Aug 2023 16:27:30 +0000
Subject: [PATCH] Truncate user data to a limit of 500 characters
Fix vulnerability that allows creating users with no restrictions. This is done by creating an intent to create a user and putting extras that are too long to be serialized. It causes IOException and the restrictions are not written in the file.
By truncating the string values when writing them to the file, we ensure that the exception does not happen and it can be recorded correctly.
Bug: 293602317
Test: install app provided in the bug, open app and click add. Check logcat to see there is no more IOException. Reboot the device by either opening User details page or running adb shell dumpsys user | grep -A12 heen and see that the restrictions are in place.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48d45b507df64708a214a800082b970c8b2bf827)
Merged-In: I633dc10974a64ef2abd07e67ff2d209847129989
Change-Id: I633dc10974a64ef2abd07e67ff2d209847129989
---
.../android/server/pm/UserManagerService.java | 27 +++++++++++++------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index b7e9c7907f2c..318c11141cfe 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -225,6 +225,8 @@ public class UserManagerService extends IUserManager.Stub {
private static final int USER_VERSION = 7;
+ private static final int MAX_USER_STRING_LENGTH = 500;
+
private static final long EPOCH_PLUS_30_YEARS = 30L * 365 * 24 * 60 * 60 * 1000L; // ms
// Maximum number of managed profiles permitted per user is 1. This cannot be increased
@@ -2417,15 +2419,17 @@ public class UserManagerService extends IUserManager.Stub {
// Write seed data
if (userData.persistSeedData) {
if (userData.seedAccountName != null) {
- serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME, userData.seedAccountName);
+ serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME,
+ truncateString(userData.seedAccountName));
}
if (userData.seedAccountType != null) {
- serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE, userData.seedAccountType);
+ serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE,
+ truncateString(userData.seedAccountType));
}
}
if (userInfo.name != null) {
serializer.startTag(null, TAG_NAME);
- serializer.text(userInfo.name);
+ serializer.text(truncateString(userInfo.name));
serializer.endTag(null, TAG_NAME);
}
synchronized (mRestrictionsLock) {
@@ -2466,6 +2470,13 @@ public class UserManagerService extends IUserManager.Stub {
serializer.endDocument();
}
+ private String truncateString(String original) {
+ if (original == null || original.length() <= MAX_USER_STRING_LENGTH) {
+ return original;
+ }
+ return original.substring(0, MAX_USER_STRING_LENGTH);
+ }
+
/*
* Writes the user list file in this format:
*
@@ -2808,7 +2819,7 @@ public class UserManagerService extends IUserManager.Stub {
private UserInfo createUserInternalUncheckedNoTracing(@Nullable String name,
@UserInfoFlag int flags, @UserIdInt int parentId, boolean preCreate,
@Nullable String[] disallowedPackages, @NonNull TimingsTraceLog t) {
-
+ String truncatedName = truncateString(name);
// First try to use a pre-created user (if available).
// NOTE: currently we don't support pre-created managed profiles
if (!preCreate && (parentId < 0 && !UserInfo.isManagedProfile(flags))) {
@@ -2835,7 +2846,7 @@ public class UserManagerService extends IUserManager.Stub {
+ UserInfo.flagsToString(preCreatedUser.flags)
+ " new-user flags: " + UserInfo.flagsToString(flags));
}
- preCreatedUser.name = name;
+ preCreatedUser.name = truncatedName;
preCreatedUser.preCreated = false;
preCreatedUser.creationTime = getCreationTime();
@@ -2934,7 +2945,7 @@ public class UserManagerService extends IUserManager.Stub {
flags |= UserInfo.FLAG_EPHEMERAL;
}
- userInfo = new UserInfo(userId, name, null, flags);
+ userInfo = new UserInfo(userId, truncatedName, null, flags);
userInfo.serialNumber = mNextSerialNumber++;
userInfo.creationTime = getCreationTime();
userInfo.partial = true;
@@ -3866,8 +3877,8 @@ public class UserManagerService extends IUserManager.Stub {
Slog.e(LOG_TAG, "No such user for settings seed data u=" + userId);
return;
}
- userData.seedAccountName = accountName;
- userData.seedAccountType = accountType;
+ userData.seedAccountName = truncateString(accountName);
+ userData.seedAccountType = truncateString(accountType);
userData.seedAccountOptions = accountOptions;
userData.persistSeedData = persist;
}

View File

@ -1,38 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Raphael Kim <raphk@google.com>
Date: Mon, 18 Sep 2023 14:07:23 -0700
Subject: [PATCH] Validate component name length before requesting notification
access.
Bug: 295335110
Test: Test app with long component name
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:447216ecbe5f22ea06379d9587dae530b1202fe8)
Merged-In: I7ea5d5c1f78858db9865f3310d1e0aff9c8b5579
Change-Id: I7ea5d5c1f78858db9865f3310d1e0aff9c8b5579
---
.../server/companion/CompanionDeviceManagerService.java | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
index d8827aafeb69..73b8ff7067ef 100644
--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
@@ -109,6 +109,8 @@ public class CompanionDeviceManagerService extends SystemService implements Bind
private static final boolean DEBUG = false;
private static final String LOG_TAG = "CompanionDeviceManagerService";
+ private static final int MAX_CN_LENGTH = 500;
+
private static final String XML_TAG_ASSOCIATIONS = "associations";
private static final String XML_TAG_ASSOCIATION = "association";
private static final String XML_ATTR_PACKAGE = "package";
@@ -309,6 +311,9 @@ public class CompanionDeviceManagerService extends SystemService implements Bind
String callingPackage = component.getPackageName();
checkCanCallNotificationApi(callingPackage);
int userId = getCallingUserId();
+ if (component.flattenToString().length() > MAX_CN_LENGTH) {
+ throw new IllegalArgumentException("Component name is too long.");
+ }
final long identity = Binder.clearCallingIdentity();
try {
return PendingIntent.getActivityAsUser(getContext(),

View File

@ -1,74 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nan Wu <wnan@google.com>
Date: Fri, 25 Aug 2023 15:02:28 +0000
Subject: [PATCH] RESTRICT AUTOMERGE Log to detect usage of whitelistToken when
sending non-PI target
Log ActivityManagerService.sendIntentSender if the target is not a
PendingIntent and a non-null whitelistToken is sent to the client.
This is simply to detect if there are real cases this would happen
before we decide simply remove whitelistToken in that case.
Do not pass whitelistToken when sending non-PI target
In ActivityManagerService.sendIntentSender, if the target is not a
PendingIntent, do not send whitelistToken to the client.
Bug: 279428283
Test: Manual test
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f12deecd46e79212deba584a1afea97d401dd52)
Merged-In: I017486354a1ab2f14d0472c355583d53c27c4810
Change-Id: I017486354a1ab2f14d0472c355583d53c27c4810
---
.../server/am/ActivityManagerService.java | 20 +++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index faeb5f348834..41b1ddaf887b 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -160,7 +160,6 @@ import android.app.AppOpsManager;
import android.app.AppOpsManagerInternal.CheckOpsDelegate;
import android.app.ApplicationErrorReport;
import android.app.ApplicationThreadConstants;
-import android.app.AppOpsManager;
import android.app.BroadcastOptions;
import android.app.ContentProviderHolder;
import android.app.Dialog;
@@ -5465,12 +5464,12 @@ public class ActivityManagerService extends IActivityManager.Stub
}
@Override
- public int sendIntentSender(IIntentSender target, IBinder whitelistToken, int code,
+ public int sendIntentSender(IIntentSender target, IBinder allowlistToken, int code,
Intent intent, String resolvedType,
IIntentReceiver finishedReceiver, String requiredPermission, Bundle options) {
if (target instanceof PendingIntentRecord) {
return ((PendingIntentRecord)target).sendWithResult(code, intent, resolvedType,
- whitelistToken, finishedReceiver, requiredPermission, options);
+ allowlistToken, finishedReceiver, requiredPermission, options);
} else {
if (intent == null) {
// Weird case: someone has given us their own custom IIntentSender, and now
@@ -5482,7 +5481,20 @@ public class ActivityManagerService extends IActivityManager.Stub
intent = new Intent(Intent.ACTION_MAIN);
}
try {
- target.send(code, intent, resolvedType, whitelistToken, null,
+ if (allowlistToken != null) {
+ final int callingUid = Binder.getCallingUid();
+ final String packageName;
+ final long token = Binder.clearCallingIdentity();
+ try {
+ packageName = AppGlobals.getPackageManager().getNameForUid(callingUid);
+ } finally {
+ Binder.restoreCallingIdentity(token);
+ }
+ Slog.wtf(TAG, "Send a non-null allowlistToken to a non-PI target."
+ + " Calling package: " + packageName + "; intent: " + intent
+ + "; options: " + options);
+ }
+ target.send(code, intent, resolvedType, null, null,
requiredPermission, options);
} catch (RemoteException e) {
}

View File

@ -1,40 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Will Leshner <wleshner@google.com>
Date: Tue, 31 Oct 2023 13:23:08 -0700
Subject: [PATCH] Fix vulnerability that allowed attackers to start arbitary
activities
Test: Flashed device and verified dream settings works as expected
Test: Installed APK from bug and verified the dream didn't allow
launching the inappropriate settings activity.
Fixes: 300090204
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6926fd15fb16c51468dde270bd61ee68772b8c14)
Merged-In: I573040df84bf98a493b39f96c8581e4303206bac
Change-Id: I573040df84bf98a493b39f96c8581e4303206bac
---
.../com/android/settingslib/dream/DreamBackend.java | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
index 3c0f6fe8ccbb..0b771580fff4 100644
--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
@@ -332,7 +332,17 @@ public class DreamBackend {
if (cn != null && cn.indexOf('/') < 0) {
cn = resolveInfo.serviceInfo.packageName + "/" + cn;
}
- return cn == null ? null : ComponentName.unflattenFromString(cn);
+ // Ensure that the component is from the same package as the dream service. If not,
+ // treat the component as invalid and return null instead.
+ final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
+ if (result != null
+ && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
+ Log.w(TAG,
+ "Inconsistent package name in component: " + result.getPackageName()
+ + ", should be: " + resolveInfo.serviceInfo.packageName);
+ return null;
+ }
+ return result;
}
private static void logd(String msg, Object... args) {

View File

@ -1,36 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Shuzhen Wang <shuzhenwang@google.com>
Date: Fri, 27 Oct 2023 16:08:05 -0700
Subject: [PATCH] Camera2: Do not pass location info for startActivity case
If the Camera2 activity is started by startActivity, we shouldn't
unconditionally grant location.
Test: Use Camera2 app both independently and with INTENT
Bug: 285142084
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c097bb0e516b1d071f00ac99a8f29f4a72579ff)
Merged-In: I3b78840f9b0fefeadea44150ea319886f06c1485
Change-Id: I3b78840f9b0fefeadea44150ea319886f06c1485
---
src/com/android/camera/CameraActivity.java | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/com/android/camera/CameraActivity.java b/src/com/android/camera/CameraActivity.java
index af64c1091..026c8397f 100644
--- a/src/com/android/camera/CameraActivity.java
+++ b/src/com/android/camera/CameraActivity.java
@@ -1760,8 +1760,12 @@ public class CameraActivity extends QuickActivity
private boolean shouldUseNoOpLocation () {
String callingPackage = getCallingPackage();
if (callingPackage == null) {
- // Activity not started through startActivityForResult.
- return false;
+ if (isCaptureIntent()) {
+ // Activity not started through startActivityForResult.
+ return true;
+ } else {
+ callingPackage = mAppContext.getPackageName();
+ }
}
PackageInfo packageInfo = null;
try {

View File

@ -1,30 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Tue, 31 Oct 2023 11:13:03 -0700
Subject: [PATCH] Possible deadlock on the NfcService object
Bug: 268038643
Bug: 307489565
Test: CtsVerifier
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2d8ea70c65831313d73784fb3c78f64ff0cbd627)
Merged-In: I683ae425dafa4e209b9517b62ada7d8a694f84a9
Change-Id: I683ae425dafa4e209b9517b62ada7d8a694f84a9
---
src/com/android/nfc/NfcService.java | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/com/android/nfc/NfcService.java b/src/com/android/nfc/NfcService.java
index 0e02cd03..00a0147d 100644
--- a/src/com/android/nfc/NfcService.java
+++ b/src/com/android/nfc/NfcService.java
@@ -852,9 +852,7 @@ public class NfcService implements DeviceHostListener {
}
public boolean isSecureNfcEnabled() {
- synchronized (NfcService.this) {
- return mIsSecureNfcEnabled;
- }
+ return mIsSecureNfcEnabled;
}
final class NfcAdapterService extends INfcAdapter.Stub {

View File

@ -1,280 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Valentin Iftime <valiiftime@google.com>
Date: Tue, 3 Oct 2023 17:28:34 +0200
Subject: [PATCH] Validate ringtone URIs before setting
Add checks URIs for content from other users.
Fail for users that are not profiles of the current user.
Test: atest DefaultRingtonePreferenceTest
Bug: 299614635
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7ba175eaeb6e8f1ea54e2ec13685d1cf1e9aad1c)
Merged-In: Ib266b285a3a1c6c5265ae2321159e61e08e349f6
Change-Id: Ib266b285a3a1c6c5265ae2321159e61e08e349f6
---
.../settings/DefaultRingtonePreference.java | 11 +--
.../android/settings/RingtonePreference.java | 82 +++++++++++++++++++
.../DefaultRingtonePreferenceTest.java | 75 ++++++++++++++++-
3 files changed, 155 insertions(+), 13 deletions(-)
diff --git a/src/com/android/settings/DefaultRingtonePreference.java b/src/com/android/settings/DefaultRingtonePreference.java
index 9bf626c9898..4c654887227 100644
--- a/src/com/android/settings/DefaultRingtonePreference.java
+++ b/src/com/android/settings/DefaultRingtonePreference.java
@@ -51,16 +51,9 @@ public class DefaultRingtonePreference extends RingtonePreference {
return;
}
- String mimeType = mUserContext.getContentResolver().getType(ringtoneUri);
- if (mimeType == null) {
+ if (!isValidRingtoneUri(ringtoneUri)) {
Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri
- + " ignored: failure to find mimeType (no access from this context?)");
- return;
- }
-
- if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) {
- Log.e(TAG, "onSaveRingtone for URI:" + ringtoneUri
- + " ignored: associated mimeType:" + mimeType + " is not an audio type");
+ + " ignored: invalid ringtone Uri");
return;
}
diff --git a/src/com/android/settings/RingtonePreference.java b/src/com/android/settings/RingtonePreference.java
index 8f9c618d5e8..d283e390fc7 100644
--- a/src/com/android/settings/RingtonePreference.java
+++ b/src/com/android/settings/RingtonePreference.java
@@ -16,6 +16,8 @@
package com.android.settings;
+import android.content.ContentProvider;
+import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.content.res.TypedArray;
@@ -23,9 +25,11 @@ import android.media.AudioAttributes;
import android.media.RingtoneManager;
import android.net.Uri;
import android.os.UserHandle;
+import android.os.UserManager;
import android.provider.Settings.System;
import android.text.TextUtils;
import android.util.AttributeSet;
+import android.util.Log;
import androidx.preference.Preference;
import androidx.preference.PreferenceManager;
@@ -239,4 +243,82 @@ public class RingtonePreference extends Preference {
return true;
}
+ public boolean isDefaultRingtone(Uri ringtoneUri) {
+ // null URIs are valid (None/silence)
+ return ringtoneUri == null || RingtoneManager.isDefault(ringtoneUri);
+ }
+
+ protected boolean isValidRingtoneUri(Uri ringtoneUri) {
+ if (isDefaultRingtone(ringtoneUri)) {
+ return true;
+ }
+
+ // Return early for android resource URIs
+ if (ContentResolver.SCHEME_ANDROID_RESOURCE.equals(ringtoneUri.getScheme())) {
+ return true;
+ }
+
+ String mimeType = mUserContext.getContentResolver().getType(ringtoneUri);
+ if (mimeType == null) {
+ Log.e(TAG, "isValidRingtoneUri for URI:" + ringtoneUri
+ + " failed: failure to find mimeType (no access from this context?)");
+ return false;
+ }
+
+ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg")
+ || mimeType.equals("application/x-flac"))) {
+ Log.e(TAG, "isValidRingtoneUri for URI:" + ringtoneUri
+ + " failed: associated mimeType:" + mimeType + " is not an audio type");
+ return false;
+ }
+
+ // Validate userId from URIs: content://{userId}@...
+ final int userIdFromUri = ContentProvider.getUserIdFromUri(ringtoneUri, mUserId);
+ if (userIdFromUri != mUserId) {
+ final UserManager userManager = mUserContext.getSystemService(UserManager.class);
+
+ if (!userManager.isSameProfileGroup(mUserId, userIdFromUri)) {
+ Log.e(TAG,
+ "isValidRingtoneUri for URI:" + ringtoneUri + " failed: user " + userIdFromUri
+ + " and user " + mUserId + " are not in the same profile group");
+ return false;
+ }
+
+ final int parentUserId;
+ final int profileUserId;
+ if (userManager.isProfile()) {
+ profileUserId = mUserId;
+ parentUserId = userIdFromUri;
+ } else {
+ parentUserId = mUserId;
+ profileUserId = userIdFromUri;
+ }
+
+ final UserHandle parent = userManager.getProfileParent(UserHandle.of(profileUserId));
+ if (parent == null || parent.getIdentifier() != parentUserId) {
+ Log.e(TAG,
+ "isValidRingtoneUri for URI:" + ringtoneUri + " failed: user " + profileUserId
+ + " is not a profile of user " + parentUserId);
+ return false;
+ }
+
+ // Allow parent <-> managed profile sharing, unless restricted
+ if (userManager.hasUserRestrictionForUser(
+ UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE, UserHandle.of(parentUserId))) {
+ Log.e(TAG,
+ "isValidRingtoneUri for URI:" + ringtoneUri + " failed: user " + parentUserId
+ + " has restriction: " + UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE);
+ return false;
+ }
+
+ if (!userManager.isManagedProfile(profileUserId)) {
+ Log.e(TAG, "isValidRingtoneUri for URI:" + ringtoneUri
+ + " failed: user " + profileUserId + " is not a managed profile");
+ return false;
+ }
+ }
+
+ return true;
+ }
+
}
diff --git a/tests/unit/src/com/android/settings/DefaultRingtonePreferenceTest.java b/tests/unit/src/com/android/settings/DefaultRingtonePreferenceTest.java
index 7877684dce6..360a8a555b4 100644
--- a/tests/unit/src/com/android/settings/DefaultRingtonePreferenceTest.java
+++ b/tests/unit/src/com/android/settings/DefaultRingtonePreferenceTest.java
@@ -16,16 +16,19 @@
package com.android.settings;
+import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.doReturn;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
+import android.content.ContentInterface;
import android.content.ContentResolver;
import android.content.Context;
-import android.media.RingtoneManager;
import android.net.Uri;
+import android.os.UserHandle;
+import android.os.UserManager;
import androidx.test.core.app.ApplicationProvider;
import androidx.test.ext.junit.runners.AndroidJUnit4;
@@ -34,17 +37,22 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
+import org.mockito.Mockito;
import org.mockito.MockitoAnnotations;
/** Unittest for DefaultRingtonePreference. */
@RunWith(AndroidJUnit4.class)
public class DefaultRingtonePreferenceTest {
+ private static final int OWNER_USER_ID = 1;
+ private static final int OTHER_USER_ID = 10;
+ private static final int INVALID_RINGTONE_TYPE = 0;
private DefaultRingtonePreference mDefaultRingtonePreference;
@Mock
private ContentResolver mContentResolver;
@Mock
+ private UserManager mUserManager;
private Uri mRingtoneUri;
@Before
@@ -52,14 +60,24 @@ public class DefaultRingtonePreferenceTest {
MockitoAnnotations.initMocks(this);
Context context = spy(ApplicationProvider.getApplicationContext());
- doReturn(mContentResolver).when(context).getContentResolver();
+ mContentResolver = ContentResolver.wrap(Mockito.mock(ContentInterface.class));
+ when(context.getContentResolver()).thenReturn(mContentResolver);
mDefaultRingtonePreference = spy(new DefaultRingtonePreference(context, null /* attrs */));
doReturn(context).when(mDefaultRingtonePreference).getContext();
+
+ // Use INVALID_RINGTONE_TYPE to return early in RingtoneManager.setActualDefaultRingtoneUri
when(mDefaultRingtonePreference.getRingtoneType())
- .thenReturn(RingtoneManager.TYPE_RINGTONE);
- mDefaultRingtonePreference.setUserId(1);
+ .thenReturn(INVALID_RINGTONE_TYPE);
+
+ mDefaultRingtonePreference.setUserId(OWNER_USER_ID);
mDefaultRingtonePreference.mUserContext = context;
+ when(mDefaultRingtonePreference.isDefaultRingtone(any(Uri.class))).thenReturn(false);
+
+ when(context.getSystemServiceName(UserManager.class)).thenReturn(Context.USER_SERVICE);
+ when(context.getSystemService(Context.USER_SERVICE)).thenReturn(mUserManager);
+
+ mRingtoneUri = Uri.parse("content://none");
}
@Test
@@ -79,4 +97,53 @@ public class DefaultRingtonePreferenceTest {
verify(mDefaultRingtonePreference, never()).setActualDefaultRingtoneUri(mRingtoneUri);
}
+
+ @Test
+ public void onSaveRingtone_notManagedProfile_shouldNotSetRingtone() {
+ mRingtoneUri = Uri.parse("content://" + OTHER_USER_ID + "@ringtone");
+ when(mContentResolver.getType(mRingtoneUri)).thenReturn("audio/*");
+ when(mUserManager.isSameProfileGroup(OWNER_USER_ID, OTHER_USER_ID)).thenReturn(true);
+ when(mUserManager.getProfileParent(UserHandle.of(OTHER_USER_ID))).thenReturn(
+ UserHandle.of(OWNER_USER_ID));
+ when(mUserManager.isManagedProfile(OTHER_USER_ID)).thenReturn(false);
+
+ mDefaultRingtonePreference.onSaveRingtone(mRingtoneUri);
+
+ verify(mDefaultRingtonePreference, never()).setActualDefaultRingtoneUri(mRingtoneUri);
+ }
+
+ @Test
+ public void onSaveRingtone_notSameUser_shouldNotSetRingtone() {
+ mRingtoneUri = Uri.parse("content://" + OTHER_USER_ID + "@ringtone");
+ when(mContentResolver.getType(mRingtoneUri)).thenReturn("audio/*");
+ when(mUserManager.isSameProfileGroup(OWNER_USER_ID, OTHER_USER_ID)).thenReturn(false);
+
+ mDefaultRingtonePreference.onSaveRingtone(mRingtoneUri);
+
+ verify(mDefaultRingtonePreference, never()).setActualDefaultRingtoneUri(mRingtoneUri);
+ }
+
+ @Test
+ public void onSaveRingtone_isManagedProfile_shouldSetRingtone() {
+ mRingtoneUri = Uri.parse("content://" + OTHER_USER_ID + "@ringtone");
+ when(mContentResolver.getType(mRingtoneUri)).thenReturn("audio/*");
+ when(mUserManager.isSameProfileGroup(OWNER_USER_ID, OTHER_USER_ID)).thenReturn(true);
+ when(mUserManager.getProfileParent(UserHandle.of(OTHER_USER_ID))).thenReturn(
+ UserHandle.of(OWNER_USER_ID));
+ when(mUserManager.isManagedProfile(OTHER_USER_ID)).thenReturn(true);
+
+ mDefaultRingtonePreference.onSaveRingtone(mRingtoneUri);
+
+ verify(mDefaultRingtonePreference).setActualDefaultRingtoneUri(mRingtoneUri);
+ }
+
+ @Test
+ public void onSaveRingtone_defaultUri_shouldSetRingtone() {
+ mRingtoneUri = Uri.parse("default_ringtone");
+ when(mDefaultRingtonePreference.isDefaultRingtone(any(Uri.class))).thenReturn(true);
+
+ mDefaultRingtonePreference.onSaveRingtone(mRingtoneUri);
+
+ verify(mDefaultRingtonePreference).setActualDefaultRingtoneUri(mRingtoneUri);
+ }
}

View File

@ -1,135 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Tue, 23 May 2023 23:23:11 +0000
Subject: [PATCH] Fix some OOB errors in BTM parsing
Some HCI BLE events are missing bounds checks, leading to possible OOB
access. Add the appropriate bounds checks on the packets.
Bug: 279169188
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)
Merged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
Change-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
---
stack/btm/btm_ble_gap.cc | 50 ++++++++++++++++++++++++++++++----------
stack/btu/btu_hcif.cc | 6 +++++
2 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/stack/btm/btm_ble_gap.cc b/stack/btm/btm_ble_gap.cc
index 7f94bb8cb..ff86bd511 100644
--- a/stack/btm/btm_ble_gap.cc
+++ b/stack/btm/btm_ble_gap.cc
@@ -1774,19 +1774,27 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
advertising_sid;
int8_t rssi, tx_power;
uint16_t event_type, periodic_adv_int, direct_address_type;
+ size_t bytes_to_process;
/* Only process the results if the inquiry is still active */
if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return;
+ bytes_to_process = 1;
+
+ if (data_len < bytes_to_process) {
+ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
+ "for num reports";
+ return;
+ }
+
/* Extract the number of reports in this event. */
STREAM_TO_UINT8(num_reports, p);
while (num_reports--) {
- if (p > data + data_len) {
- // TODO(jpawlowski): we should crash the stack here
- BTM_TRACE_ERROR(
- "Malformed LE Extended Advertising Report Event from controller - "
- "can't loop the data");
+ bytes_to_process += 24;
+ if (data_len < bytes_to_process) {
+ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
+ "for metadata";
return;
}
@@ -1806,8 +1814,11 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
uint8_t* pkt_data = p;
p += pkt_data_len; /* Advance to the the next packet*/
- if (p > data + data_len) {
- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
+
+ bytes_to_process += pkt_data_len;
+ if (data_len < bytes_to_process) {
+ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
+ "for packet data";
return;
}
@@ -1836,17 +1847,28 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
uint8_t* p = data;
uint8_t legacy_evt_type, addr_type, num_reports, pkt_data_len;
int8_t rssi;
+ size_t bytes_to_process;
/* Only process the results if the inquiry is still active */
if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return;
+ bytes_to_process = 1;
+
+ if (data_len < bytes_to_process) {
+ LOG(ERROR)
+ << "Malformed LE advertising packet: not enough room for num reports";
+ return;
+ }
+
/* Extract the number of reports in this event. */
STREAM_TO_UINT8(num_reports, p);
while (num_reports--) {
- if (p > data + data_len) {
- // TODO(jpawlowski): we should crash the stack here
- BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller");
+ bytes_to_process += 9;
+
+ if (data_len < bytes_to_process) {
+ LOG(ERROR)
+ << "Malformed LE advertising packet: not enough room for metadata";
return;
}
@@ -1858,8 +1880,12 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
uint8_t* pkt_data = p;
p += pkt_data_len; /* Advance to the the rssi byte */
- if (p > data + data_len - sizeof(rssi)) {
- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
+
+ // include rssi for this check
+ bytes_to_process += pkt_data_len + 1;
+ if (data_len < bytes_to_process) {
+ LOG(ERROR) << "Malformed LE advertising packet: not enough room for "
+ "packet data and/or RSSI";
return;
}
diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
index 52d5d60f8..7bf385ea3 100644
--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -2180,6 +2180,12 @@ static void btu_ble_data_length_change_evt(uint8_t* p, uint16_t evt_len) {
return;
}
+ // 2 bytes each for handle, tx_data_len, TxTimer, rx_data_len
+ if (evt_len < 8) {
+ LOG_ERROR(LOG_TAG, "Event packet too short");
+ return;
+ }
+
STREAM_TO_UINT16(handle, p);
STREAM_TO_UINT16(tx_data_len, p);
p += 2; /* Skip the TxTimer */

View File

@ -1,30 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alisher Alikhodjaev <alisher@google.com>
Date: Tue, 31 Oct 2023 11:13:03 -0700
Subject: [PATCH] Possible deadlock on the NfcService object
Bug: 268038643
Bug: 307489565
Test: CtsVerifier
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2d8ea70c65831313d73784fb3c78f64ff0cbd627)
Merged-In: I683ae425dafa4e209b9517b62ada7d8a694f84a9
Change-Id: I683ae425dafa4e209b9517b62ada7d8a694f84a9
---
src/com/android/nfc/NfcService.java | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/com/android/nfc/NfcService.java b/src/com/android/nfc/NfcService.java
index d41ea4f2..c69c9466 100644
--- a/src/com/android/nfc/NfcService.java
+++ b/src/com/android/nfc/NfcService.java
@@ -1135,9 +1135,7 @@ public class NfcService implements DeviceHostListener {
}
public boolean isSecureNfcEnabled() {
- synchronized (NfcService.this) {
- return mIsSecureNfcEnabled;
- }
+ return mIsSecureNfcEnabled;
}
final class NfcAdapterService extends INfcAdapter.Stub {

View File

@ -1,135 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Tue, 23 May 2023 23:23:11 +0000
Subject: [PATCH] Fix some OOB errors in BTM parsing
Some HCI BLE events are missing bounds checks, leading to possible OOB
access. Add the appropriate bounds checks on the packets.
Bug: 279169188
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)
Merged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
Change-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
---
stack/btm/btm_ble_gap.cc | 50 ++++++++++++++++++++++++++++++----------
stack/btu/btu_hcif.cc | 6 +++++
2 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/stack/btm/btm_ble_gap.cc b/stack/btm/btm_ble_gap.cc
index 1bd5b73c7..84af4eefa 100644
--- a/stack/btm/btm_ble_gap.cc
+++ b/stack/btm/btm_ble_gap.cc
@@ -1877,19 +1877,27 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
advertising_sid;
int8_t rssi, tx_power;
uint16_t event_type, periodic_adv_int, direct_address_type;
+ size_t bytes_to_process;
/* Only process the results if the inquiry is still active */
if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return;
+ bytes_to_process = 1;
+
+ if (data_len < bytes_to_process) {
+ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
+ "for num reports";
+ return;
+ }
+
/* Extract the number of reports in this event. */
STREAM_TO_UINT8(num_reports, p);
while (num_reports--) {
- if (p > data + data_len) {
- // TODO(jpawlowski): we should crash the stack here
- BTM_TRACE_ERROR(
- "Malformed LE Extended Advertising Report Event from controller - "
- "can't loop the data");
+ bytes_to_process += 24;
+ if (data_len < bytes_to_process) {
+ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
+ "for metadata";
return;
}
@@ -1909,8 +1917,11 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
uint8_t* pkt_data = p;
p += pkt_data_len; /* Advance to the the next packet*/
- if (p > data + data_len) {
- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
+
+ bytes_to_process += pkt_data_len;
+ if (data_len < bytes_to_process) {
+ LOG(ERROR) << "Malformed LE extended advertising packet: not enough room "
+ "for packet data";
return;
}
@@ -1942,17 +1953,28 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
uint8_t* p = data;
uint8_t legacy_evt_type, addr_type, num_reports, pkt_data_len;
int8_t rssi;
+ size_t bytes_to_process;
/* Only process the results if the inquiry is still active */
if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity)) return;
+ bytes_to_process = 1;
+
+ if (data_len < bytes_to_process) {
+ LOG(ERROR)
+ << "Malformed LE advertising packet: not enough room for num reports";
+ return;
+ }
+
/* Extract the number of reports in this event. */
STREAM_TO_UINT8(num_reports, p);
while (num_reports--) {
- if (p > data + data_len) {
- // TODO(jpawlowski): we should crash the stack here
- BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller");
+ bytes_to_process += 9;
+
+ if (data_len < bytes_to_process) {
+ LOG(ERROR)
+ << "Malformed LE advertising packet: not enough room for metadata";
return;
}
@@ -1964,8 +1986,12 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
uint8_t* pkt_data = p;
p += pkt_data_len; /* Advance to the the rssi byte */
- if (p > data + data_len - sizeof(rssi)) {
- LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
+
+ // include rssi for this check
+ bytes_to_process += pkt_data_len + 1;
+ if (data_len < bytes_to_process) {
+ LOG(ERROR) << "Malformed LE advertising packet: not enough room for "
+ "packet data and/or RSSI";
return;
}
diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
index 6f16bff83..071aafce3 100644
--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -1923,6 +1923,12 @@ static void btu_ble_data_length_change_evt(uint8_t* p, uint16_t evt_len) {
return;
}
+ // 2 bytes each for handle, tx_data_len, TxTimer, rx_data_len
+ if (evt_len < 8) {
+ LOG_ERROR(LOG_TAG, "Event packet too short");
+ return;
+ }
+
STREAM_TO_UINT16(handle, p);
STREAM_TO_UINT16(tx_data_len, p);
p += 2; /* Skip the TxTimer */

View File

@ -96,6 +96,7 @@ patchWorkspaceReal() {
repopick -fit P_asb_2023-10 -e 370704;
repopick -fit P_asb_2023-11 -e 374916;
repopick -fit P_asb_2023-12;
repopick -fit P_asb_2024-01;
sh "$DOS_SCRIPTS/Patch.sh";
sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";

View File

@ -161,18 +161,10 @@ awk -i inplace '!/deletePackage/' pico/src/com/svox/pico/LangPackUninstaller.jav
fi;
if enterAndClear "frameworks/av"; then
applyPatch "$DOS_PATCHES/android_frameworks_av/379144.patch"; #R_asb_2024-01 Fix convertYUV420Planar16ToY410 overflow issue for unsupported cropwidth.
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_av/0001-HM-No_RLIMIT_AS.patch"; fi; #(GrapheneOS)
fi;
if enterAndClear "frameworks/base"; then
applyPatch "$DOS_PATCHES/android_frameworks_base/379145-backport.patch"; #R_asb_2024-01 Dismiss keyguard when simpin auth'd and...
applyPatch "$DOS_PATCHES/android_frameworks_base/379146-backport.patch"; #R_asb_2024-01 Ensure finish lockscreen when usersetup incomplete
applyPatch "$DOS_PATCHES/android_frameworks_base/379147-backport.patch"; #R_asb_2024-01 Truncate user data to a limit of 500 characters
applyPatch "$DOS_PATCHES/android_frameworks_base/379148-backport.patch"; #R_asb_2024-01 [CDM] Validate component name length before requesting notification access.
applyPatch "$DOS_PATCHES/android_frameworks_base/379149-backport.patch"; #R_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target
applyPatch "$DOS_PATCHES/android_frameworks_base/379150.patch"; #R_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities
applyPatch "$DOS_PATCHES/android_frameworks_base/379136.patch"; #R_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@ -373,7 +365,6 @@ fi;
if enterAndClear "system/bt"; then
applyPatch "$DOS_PATCHES/android_system_bt/377030-backport.patch"; #R_asb_2023-12 Fix OOB Write in pin_reply in bluetooth.cc
applyPatch "$DOS_PATCHES/android_system_bt/377031.patch"; #R_asb_2023-12 BT: Fixing the rfc_slot_id overflow
applyPatch "$DOS_PATCHES/android_system_bt/379154.patch"; #R_asb_2024-01 Fix some OOB errors in BTM parsing
#applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
fi;

View File

@ -92,6 +92,7 @@ patchWorkspaceReal() {
repopick -t Q_asb_2023-10 -e 376554;
repopick -t Q_asb_2023-11 -e 376555,376595,376596,376563,376568;
repopick -t Q_asb_2023-12 -e 377251,378083,378084,378085,378086,378087,378088,378314,378315;
repopick -t Q_asb_2024-01;
sh "$DOS_SCRIPTS/Patch.sh";
sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";

View File

@ -98,7 +98,6 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
#sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
sed -i 's/2023-12-05/2024-01-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-01
fi;
if enterAndClear "build/soong"; then
@ -161,18 +160,8 @@ if enterAndClear "external/zlib"; then
git fetch https://github.com/LineageOS/android_external_zlib refs/changes/70/352570/1 && git cherry-pick FETCH_HEAD; #Q_asb_2023-03
fi;
if enterAndClear "frameworks/av"; then
applyPatch "$DOS_PATCHES/android_frameworks_av/379143.patch"; #R_asb_2024-01 Codec2BufferUtils: Use cropped dimensions in RGB to YUV conversion
applyPatch "$DOS_PATCHES/android_frameworks_av/379144.patch"; #R_asb_2024-01 Fix convertYUV420Planar16ToY410 overflow issue for unsupported cropwidth.
fi;
if enterAndClear "frameworks/base"; then
applyPatch "$DOS_PATCHES/android_frameworks_base/379145.patch"; #R_asb_2024-01 Dismiss keyguard when simpin auth'd and...
applyPatch "$DOS_PATCHES/android_frameworks_base/379146-backport.patch"; #R_asb_2024-01 Ensure finish lockscreen when usersetup incomplete
applyPatch "$DOS_PATCHES/android_frameworks_base/379147-backport.patch"; #R_asb_2024-01 Truncate user data to a limit of 500 characters
applyPatch "$DOS_PATCHES/android_frameworks_base/379148-backport.patch"; #R_asb_2024-01 [CDM] Validate component name length before requesting notification access.
applyPatch "$DOS_PATCHES/android_frameworks_base/379149-backport.patch"; #R_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target
applyPatch "$DOS_PATCHES/android_frameworks_base/379150.patch"; #R_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities
applyPatch "$DOS_PATCHES/android_frameworks_base/379136.patch"; #R_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
#applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
#applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
@ -309,10 +298,6 @@ if enterAndClear "packages/apps/Bluetooth"; then
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
fi;
if enterAndClear "packages/apps/Camera2"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Camera2/379151.patch"; #R_asb_2024-01 Do not pass location info for startActivity case
fi;
#if enterAndClear "packages/apps/CarrierConfig"; then
#rm -rf assets/*.xml;
#cp $DOS_PATCHES_COMMON/android_packages_apps_CarrierConfig/*.xml assets/;
@ -342,7 +327,6 @@ applyPatch "$DOS_PATCHES_COMMON/android_packages_apps_Messaging/0002-missing-cha
fi;
if enterAndClear "packages/apps/Nfc"; then
applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/379152.patch"; #R_asb_2024-01 Possible deadlock on the NfcService object
if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
fi;
@ -355,7 +339,6 @@ fi;
if enterAndClear "packages/apps/Settings"; then
git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/379153-backport.patch"; #R_asb_2024-01 Validate ringtone URIs before setting
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle-gos.patch"; #Add option to disable captive portal checks (GrapheneOS) #FIXME: needs work
@ -414,7 +397,6 @@ applyPatch "$DOS_PATCHES/android_prebuilts_abi-dumps_vndk/0001-protobuf-avi.patc
fi;
if enterAndClear "system/bt"; then
applyPatch "$DOS_PATCHES/android_system_bt/379154.patch"; #R_asb_2024-01 Fix some OOB errors in BTM parsing
applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
#applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
#applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
@ -466,14 +448,6 @@ applyPatch "$DOS_PATCHES/android_tools_apksig/360973-backport-prereq.patch"; #R_
applyPatch "$DOS_PATCHES/android_tools_apksig/360973-backport.patch"; #R_asb_2023-07 Limit the number of supported v1 and v2 signers
fi;
if enterAndClear "vendor/nxp/opensource/commonsys/packages/apps/Nfc"; then
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/379155.patch"; #R_asb_2024-01 Possible deadlock on the NfcService object
fi;
if enterAndClear "vendor/qcom/opensource/commonsys/system/bt/"; then
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/379156.patch"; #R_asb_2024-01 Fix some OOB errors in BTM parsing
fi;
if enterAndClear "vendor/lineage"; then
rm build/target/product/security/lineage.x509.pem; #Remove Lineage keys
rm -rf overlay/common/lineage-sdk/packages/LineageSettingsProvider/res/values/defaults.xml; #Remove analytics