mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-21 05:44:30 -05:00
17.1: Reconcile picks
Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
parent
9d1e208470
commit
fa6d1f7f90
@ -1,35 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Ashish Kumar Gupta <kumarashishg@google.com>
|
||||
Date: Tue, 21 Nov 2023 08:48:43 +0530
|
||||
Subject: [PATCH] Update mtp packet buffer
|
||||
|
||||
Currently, the buffer size is not changed when the packet size is increased. Ideally, the buffer size should be larger than the packet size. In our case, when the packet size is increased, we must reallocate the buffer of MTP packet.
|
||||
|
||||
Bug: 300007708
|
||||
Test: build and flash the device. Check MTP works
|
||||
Test: run fuzzer locally
|
||||
(cherry picked from commit e1494a2d8e7eee25d7ea5469be43740e97294c99)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c0f99beb6fa5ff920caf5b0d06aaebc8e9eab24)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:edf60c63243903b9f27f58f4954c599470d011fd)
|
||||
Merged-In: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
|
||||
Change-Id: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
|
||||
---
|
||||
media/mtp/MtpPacket.cpp | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/media/mtp/MtpPacket.cpp b/media/mtp/MtpPacket.cpp
|
||||
index e4467bbfdc..87c5c0495b 100644
|
||||
--- a/media/mtp/MtpPacket.cpp
|
||||
+++ b/media/mtp/MtpPacket.cpp
|
||||
@@ -168,8 +168,10 @@ void MtpPacket::setParameter(int index, uint32_t value) {
|
||||
return;
|
||||
}
|
||||
int offset = MTP_CONTAINER_PARAMETER_OFFSET + (index - 1) * sizeof(uint32_t);
|
||||
- if (mPacketSize < offset + sizeof(uint32_t))
|
||||
+ if (mPacketSize < offset + sizeof(uint32_t)) {
|
||||
mPacketSize = offset + sizeof(uint32_t);
|
||||
+ allocate(mPacketSize);
|
||||
+ }
|
||||
putUInt32(offset, value);
|
||||
}
|
||||
|
@ -1,240 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Nan Wu <wnan@google.com>
|
||||
Date: Fri, 2 Dec 2022 19:08:54 +0000
|
||||
Subject: [PATCH] DO NOT MERGE Disallow Wallpaper service to launch activity
|
||||
from background.
|
||||
|
||||
Add a flag so that when a foreground client binds to a service,
|
||||
disallow the bound service to launch activity from background.
|
||||
Modify the WallpaperManagerService to take advantage of the new flag.
|
||||
|
||||
Test: atest BackgroundActivityLaunchTest WallpaperManagerServiceTests
|
||||
Bug: 261072174
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4c065abfaf59bdc237f65ceb9704d76bf0819d3a)
|
||||
Merged-In: Id4e4cb6144597cf3638f2aaa34ea455a239fa1a7
|
||||
Change-Id: Id4e4cb6144597cf3638f2aaa34ea455a239fa1a7
|
||||
---
|
||||
core/java/android/content/Context.java | 9 +++++
|
||||
.../server/activitymanagerservice.proto | 1 +
|
||||
.../android/server/am/ConnectionRecord.java | 5 +++
|
||||
.../com/android/server/am/ProcessRecord.java | 20 ++++++-----
|
||||
.../com/android/server/am/ServiceRecord.java | 2 +-
|
||||
.../wallpaper/WallpaperManagerService.java | 3 +-
|
||||
.../server/wm/WindowProcessController.java | 36 ++++++++++++++++---
|
||||
7 files changed, 61 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/content/Context.java b/core/java/android/content/Context.java
|
||||
index 414cc39f5310..6fb10c1c277c 100644
|
||||
--- a/core/java/android/content/Context.java
|
||||
+++ b/core/java/android/content/Context.java
|
||||
@@ -236,6 +236,7 @@ public abstract class Context {
|
||||
BIND_IMPORTANT,
|
||||
BIND_ADJUST_WITH_ACTIVITY,
|
||||
BIND_NOT_PERCEPTIBLE,
|
||||
+ BIND_DENY_ACTIVITY_STARTS,
|
||||
BIND_INCLUDE_CAPABILITIES
|
||||
})
|
||||
@Retention(RetentionPolicy.SOURCE)
|
||||
@@ -349,6 +350,14 @@ public abstract class Context {
|
||||
/*********** Public flags above this line ***********/
|
||||
/*********** Hidden flags below this line ***********/
|
||||
|
||||
+ /**
|
||||
+ * Flag for {@link #bindService}: If binding from an app that is visible, the bound service is
|
||||
+ * allowed to start an activity from background. Add a flag so that this behavior can be opted
|
||||
+ * out.
|
||||
+ * @hide
|
||||
+ */
|
||||
+ public static final int BIND_DENY_ACTIVITY_STARTS = 0X000004000;
|
||||
+
|
||||
/**
|
||||
* Flag for {@link #bindService}: This flag is intended to be used only by the system to adjust
|
||||
* the scheduling policy for IMEs (and any other out-of-process user-visible components that
|
||||
diff --git a/core/proto/android/server/activitymanagerservice.proto b/core/proto/android/server/activitymanagerservice.proto
|
||||
index 7fb6f98ab662..55c5705fe0f6 100644
|
||||
--- a/core/proto/android/server/activitymanagerservice.proto
|
||||
+++ b/core/proto/android/server/activitymanagerservice.proto
|
||||
@@ -593,6 +593,7 @@ message ConnectionRecordProto {
|
||||
DEAD = 15;
|
||||
NOT_PERCEPTIBLE = 16;
|
||||
INCLUDE_CAPABILITIES = 17;
|
||||
+ DENY_ACTIVITY_STARTS = 18;
|
||||
}
|
||||
repeated Flag flags = 3;
|
||||
optional string service_name = 4;
|
||||
diff --git a/services/core/java/com/android/server/am/ConnectionRecord.java b/services/core/java/com/android/server/am/ConnectionRecord.java
|
||||
index 459508486384..0b8b55cfdcc2 100644
|
||||
--- a/services/core/java/com/android/server/am/ConnectionRecord.java
|
||||
+++ b/services/core/java/com/android/server/am/ConnectionRecord.java
|
||||
@@ -67,6 +67,7 @@ final class ConnectionRecord {
|
||||
Context.BIND_NOT_VISIBLE,
|
||||
Context.BIND_NOT_PERCEPTIBLE,
|
||||
Context.BIND_INCLUDE_CAPABILITIES,
|
||||
+ Context.BIND_DENY_ACTIVITY_STARTS,
|
||||
};
|
||||
private static final int[] BIND_PROTO_ENUMS = new int[] {
|
||||
ConnectionRecordProto.AUTO_CREATE,
|
||||
@@ -86,6 +87,7 @@ final class ConnectionRecord {
|
||||
ConnectionRecordProto.NOT_VISIBLE,
|
||||
ConnectionRecordProto.NOT_PERCEPTIBLE,
|
||||
ConnectionRecordProto.INCLUDE_CAPABILITIES,
|
||||
+ ConnectionRecordProto.DENY_ACTIVITY_STARTS,
|
||||
};
|
||||
|
||||
void dump(PrintWriter pw, String prefix) {
|
||||
@@ -219,6 +221,9 @@ final class ConnectionRecord {
|
||||
if ((flags & Context.BIND_NOT_PERCEPTIBLE) != 0) {
|
||||
sb.append("!PRCP ");
|
||||
}
|
||||
+ if ((flags & Context.BIND_DENY_ACTIVITY_STARTS) != 0) {
|
||||
+ sb.append("BALFD ");
|
||||
+ }
|
||||
if ((flags & Context.BIND_INCLUDE_CAPABILITIES) != 0) {
|
||||
sb.append("CAPS ");
|
||||
}
|
||||
diff --git a/services/core/java/com/android/server/am/ProcessRecord.java b/services/core/java/com/android/server/am/ProcessRecord.java
|
||||
index ea3084274ae0..6f8d9a1ef228 100644
|
||||
--- a/services/core/java/com/android/server/am/ProcessRecord.java
|
||||
+++ b/services/core/java/com/android/server/am/ProcessRecord.java
|
||||
@@ -1187,14 +1187,14 @@ class ProcessRecord implements WindowProcessListener {
|
||||
!mAllowBackgroundActivityStartsTokens.isEmpty());
|
||||
}
|
||||
|
||||
- void addBoundClientUid(int clientUid) {
|
||||
+ void addBoundClientUid(int clientUid, String clientPackageName, int bindFlags) {
|
||||
mBoundClientUids.add(clientUid);
|
||||
- mWindowProcessController.setBoundClientUids(mBoundClientUids);
|
||||
+ mWindowProcessController.addBoundClientUid(clientUid, clientPackageName, bindFlags);
|
||||
}
|
||||
|
||||
void updateBoundClientUids() {
|
||||
+ clearBoundClientUids();
|
||||
if (services.isEmpty()) {
|
||||
- clearBoundClientUids();
|
||||
return;
|
||||
}
|
||||
// grab a set of clientUids of all connections of all services
|
||||
@@ -1207,12 +1207,14 @@ class ProcessRecord implements WindowProcessListener {
|
||||
for (int conni = 0; conni < N; conni++) {
|
||||
ArrayList<ConnectionRecord> c = conns.valueAt(conni);
|
||||
for (int i = 0; i < c.size(); i++) {
|
||||
- boundClientUids.add(c.get(i).clientUid);
|
||||
+ ConnectionRecord cr = c.get(i);
|
||||
+ boundClientUids.add(cr.clientUid);
|
||||
+ mWindowProcessController
|
||||
+ .addBoundClientUid(cr.clientUid, cr.clientPackageName, cr.flags);
|
||||
}
|
||||
}
|
||||
}
|
||||
mBoundClientUids = boundClientUids;
|
||||
- mWindowProcessController.setBoundClientUids(mBoundClientUids);
|
||||
}
|
||||
|
||||
void addBoundClientUidsOfNewService(ServiceRecord sr) {
|
||||
@@ -1223,15 +1225,17 @@ class ProcessRecord implements WindowProcessListener {
|
||||
for (int conni = conns.size() - 1; conni >= 0; conni--) {
|
||||
ArrayList<ConnectionRecord> c = conns.valueAt(conni);
|
||||
for (int i = 0; i < c.size(); i++) {
|
||||
- mBoundClientUids.add(c.get(i).clientUid);
|
||||
+ ConnectionRecord cr = c.get(i);
|
||||
+ mBoundClientUids.add(cr.clientUid);
|
||||
+ mWindowProcessController
|
||||
+ .addBoundClientUid(cr.clientUid, cr.clientPackageName, cr.flags);
|
||||
}
|
||||
}
|
||||
- mWindowProcessController.setBoundClientUids(mBoundClientUids);
|
||||
}
|
||||
|
||||
void clearBoundClientUids() {
|
||||
mBoundClientUids.clear();
|
||||
- mWindowProcessController.setBoundClientUids(mBoundClientUids);
|
||||
+ mWindowProcessController.clearBoundClientUids();
|
||||
}
|
||||
|
||||
void setActiveInstrumentation(ActiveInstrumentation instr) {
|
||||
diff --git a/services/core/java/com/android/server/am/ServiceRecord.java b/services/core/java/com/android/server/am/ServiceRecord.java
|
||||
index c408695bcb66..8262b9a334bf 100644
|
||||
--- a/services/core/java/com/android/server/am/ServiceRecord.java
|
||||
+++ b/services/core/java/com/android/server/am/ServiceRecord.java
|
||||
@@ -611,7 +611,7 @@ final class ServiceRecord extends Binder implements ComponentName.WithComponentN
|
||||
|
||||
// if we have a process attached, add bound client uid of this connection to it
|
||||
if (app != null) {
|
||||
- app.addBoundClientUid(c.clientUid);
|
||||
+ app.addBoundClientUid(c.clientUid, c.clientPackageName, c.flags);
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/services/core/java/com/android/server/wallpaper/WallpaperManagerService.java b/services/core/java/com/android/server/wallpaper/WallpaperManagerService.java
|
||||
index 37ae3340d319..ec7414bbf768 100644
|
||||
--- a/services/core/java/com/android/server/wallpaper/WallpaperManagerService.java
|
||||
+++ b/services/core/java/com/android/server/wallpaper/WallpaperManagerService.java
|
||||
@@ -2713,7 +2713,8 @@ public class WallpaperManagerService extends IWallpaperManager.Stub
|
||||
if (!mContext.bindServiceAsUser(intent, newConn,
|
||||
Context.BIND_AUTO_CREATE | Context.BIND_SHOWING_UI
|
||||
| Context.BIND_FOREGROUND_SERVICE_WHILE_AWAKE
|
||||
- | Context.BIND_INCLUDE_CAPABILITIES,
|
||||
+ | Context.BIND_INCLUDE_CAPABILITIES
|
||||
+ | Context.BIND_DENY_ACTIVITY_STARTS,
|
||||
new UserHandle(serviceUserId))) {
|
||||
String msg = "Unable to bind service: "
|
||||
+ componentName;
|
||||
diff --git a/services/core/java/com/android/server/wm/WindowProcessController.java b/services/core/java/com/android/server/wm/WindowProcessController.java
|
||||
index e0a9af543f99..39962216483c 100644
|
||||
--- a/services/core/java/com/android/server/wm/WindowProcessController.java
|
||||
+++ b/services/core/java/com/android/server/wm/WindowProcessController.java
|
||||
@@ -44,6 +44,7 @@ import android.app.ActivityThread;
|
||||
import android.app.IApplicationThread;
|
||||
import android.app.ProfilerInfo;
|
||||
import android.app.servertransaction.ConfigurationChangeItem;
|
||||
+import android.content.Context;
|
||||
import android.content.Intent;
|
||||
import android.content.pm.ActivityInfo;
|
||||
import android.content.pm.ApplicationInfo;
|
||||
@@ -436,16 +437,41 @@ public class WindowProcessController extends ConfigurationContainer<Configuratio
|
||||
}
|
||||
|
||||
private boolean isBoundByForegroundUid() {
|
||||
- for (int i = mBoundClientUids.size() - 1; i >= 0; --i) {
|
||||
- if (mAtm.isUidForeground(mBoundClientUids.valueAt(i))) {
|
||||
- return true;
|
||||
+ synchronized (this) {
|
||||
+ if (mBoundClientUids != null) {
|
||||
+ for (int i = mBoundClientUids.size() - 1; i >= 0; --i) {
|
||||
+ if (mAtm.isUidForeground(mBoundClientUids.valueAt(i))) {
|
||||
+ return true;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
- public void setBoundClientUids(ArraySet<Integer> boundClientUids) {
|
||||
- mBoundClientUids = boundClientUids;
|
||||
+ /**
|
||||
+ * Clear all bound client Uids.
|
||||
+ */
|
||||
+ public void clearBoundClientUids() {
|
||||
+ synchronized (this) {
|
||||
+ if (mBoundClientUids == null) {
|
||||
+ mBoundClientUids = new ArraySet<>();
|
||||
+ } else {
|
||||
+ mBoundClientUids.clear();
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /**
|
||||
+ * Add bound client Uid.
|
||||
+ */
|
||||
+ public void addBoundClientUid(int clientUid, String clientPackageName, int bindFlags) {
|
||||
+ if ((bindFlags & Context.BIND_DENY_ACTIVITY_STARTS) == 0) {
|
||||
+ if (mBoundClientUids == null) {
|
||||
+ mBoundClientUids = new ArraySet<>();
|
||||
+ }
|
||||
+ mBoundClientUids.add(clientUid);
|
||||
+ }
|
||||
}
|
||||
|
||||
public void setInstrumenting(boolean instrumenting,
|
@ -1,110 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabi=C3=A1n=20Kozynski?= <kozynski@google.com>
|
||||
Date: Fri, 13 Oct 2023 16:19:27 -0400
|
||||
Subject: [PATCH] Unbind TileService onNullBinding
|
||||
|
||||
Test: atest TileLifecycleManagerTest
|
||||
Test: manual: adb shell dumpsys activity service
|
||||
Test: sts test
|
||||
Bug: 300903792
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7bf830ca0df71496cd47563e138b8712918e0476)
|
||||
Merged-In: Ia8126ac65432b124683960e3ebf47301ba6172a1
|
||||
Change-Id: Ia8126ac65432b124683960e3ebf47301ba6172a1
|
||||
---
|
||||
.../qs/external/TileLifecycleManager.java | 5 +++
|
||||
.../qs/external/TileLifecycleManagerTest.java | 33 ++++++++++++++++---
|
||||
2 files changed, 34 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
|
||||
index effea6a877b8..270b7dd9d936 100644
|
||||
--- a/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
|
||||
+++ b/packages/SystemUI/src/com/android/systemui/qs/external/TileLifecycleManager.java
|
||||
@@ -194,6 +194,11 @@ public class TileLifecycleManager extends BroadcastReceiver implements
|
||||
handlePendingMessages();
|
||||
}
|
||||
|
||||
+ @Override
|
||||
+ public void onNullBinding(ComponentName name) {
|
||||
+ setBindService(false);
|
||||
+ }
|
||||
+
|
||||
@Override
|
||||
public void onServiceDisconnected(ComponentName name) {
|
||||
if (DEBUG) Log.d(TAG, "onServiceDisconnected " + name);
|
||||
diff --git a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
|
||||
index f35295cf6f99..329af0f1fb57 100644
|
||||
--- a/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
|
||||
+++ b/packages/SystemUI/tests/src/com/android/systemui/qs/external/TileLifecycleManagerTest.java
|
||||
@@ -22,13 +22,16 @@ import static org.junit.Assert.assertEquals;
|
||||
import static org.mockito.Mockito.any;
|
||||
import static org.mockito.Mockito.anyInt;
|
||||
import static org.mockito.Mockito.anyString;
|
||||
+import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.never;
|
||||
import static org.mockito.Mockito.times;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
import android.content.ComponentName;
|
||||
+import android.content.Context;
|
||||
import android.content.Intent;
|
||||
+import android.content.ServiceConnection;
|
||||
import android.content.pm.PackageInfo;
|
||||
import android.content.pm.ServiceInfo;
|
||||
import android.net.Uri;
|
||||
@@ -50,7 +53,7 @@ import org.junit.After;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
-import org.mockito.Mockito;
|
||||
+import org.mockito.ArgumentCaptor;
|
||||
|
||||
@SmallTest
|
||||
@RunWith(AndroidJUnit4.class)
|
||||
@@ -58,8 +61,8 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
|
||||
private static final int TEST_FAIL_TIMEOUT = 5000;
|
||||
|
||||
private final PackageManagerAdapter mMockPackageManagerAdapter =
|
||||
- Mockito.mock(PackageManagerAdapter.class);
|
||||
- private final IQSTileService.Stub mMockTileService = Mockito.mock(IQSTileService.Stub.class);
|
||||
+ mock(PackageManagerAdapter.class);
|
||||
+ private final IQSTileService.Stub mMockTileService = mock(IQSTileService.Stub.class);
|
||||
private ComponentName mTileServiceComponentName;
|
||||
private Intent mTileServiceIntent;
|
||||
private UserHandle mUser;
|
||||
@@ -84,7 +87,7 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
|
||||
mThread.start();
|
||||
mHandler = Handler.createAsync(mThread.getLooper());
|
||||
mStateManager = new TileLifecycleManager(mHandler, mContext,
|
||||
- Mockito.mock(IQSService.class), new Tile(),
|
||||
+ mock(IQSService.class), new Tile(),
|
||||
mTileServiceIntent,
|
||||
mUser,
|
||||
mMockPackageManagerAdapter);
|
||||
@@ -237,4 +240,26 @@ public class TileLifecycleManagerTest extends SysuiTestCase {
|
||||
verifyBind(2);
|
||||
verify(mMockTileService, times(2)).onStartListening();
|
||||
}
|
||||
+
|
||||
+ @Test
|
||||
+ public void testNullBindingCallsUnbind() {
|
||||
+ Context mockContext = mock(Context.class);
|
||||
+ // Binding has to succeed
|
||||
+ when(mockContext.bindServiceAsUser(any(), any(), anyInt(), any())).thenReturn(true);
|
||||
+ TileLifecycleManager manager = new TileLifecycleManager(mHandler, mockContext,
|
||||
+ mock(IQSService.class),
|
||||
+ new Tile(),
|
||||
+ mTileServiceIntent,
|
||||
+ mUser,
|
||||
+ mMockPackageManagerAdapter,
|
||||
+ mMockBroadcastDispatcher);
|
||||
+
|
||||
+ manager.setBindService(true);
|
||||
+
|
||||
+ ArgumentCaptor<ServiceConnection> captor = ArgumentCaptor.forClass(ServiceConnection.class);
|
||||
+ verify(mockContext).bindServiceAsUser(any(), captor.capture(), anyInt(), any());
|
||||
+
|
||||
+ captor.getValue().onNullBinding(mTileServiceComponentName);
|
||||
+ verify(mockContext).unbindService(captor.getValue());
|
||||
+ }
|
||||
}
|
@ -1,78 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Christophe Pinelli <cpinelli@google.com>
|
||||
Date: Tue, 16 May 2023 17:40:02 +0000
|
||||
Subject: [PATCH] Restrict activity launch when caller is running in the
|
||||
background
|
||||
|
||||
Test: test on device + atest-src BackgroundActivityLaunchTest#testBackgroundActivityBlockedInStartNextMatchingActivity
|
||||
Bug: 230492947
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d8368be4f8fb7019ea24b4798f029301c704092c)
|
||||
Merged-In: I7ae88eb62e435b9a77d2a724c5a953fe1f35b838
|
||||
Change-Id: I7ae88eb62e435b9a77d2a724c5a953fe1f35b838
|
||||
---
|
||||
.../server/wm/ActivityTaskManagerService.java | 51 +++++++++++--------
|
||||
1 file changed, 30 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java
|
||||
index 5bcc5975604a..7384ca7173d3 100644
|
||||
--- a/services/core/java/com/android/server/wm/ActivityTaskManagerService.java
|
||||
+++ b/services/core/java/com/android/server/wm/ActivityTaskManagerService.java
|
||||
@@ -1194,28 +1194,37 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub {
|
||||
|
||||
final long origId = Binder.clearCallingIdentity();
|
||||
// TODO(b/64750076): Check if calling pid should really be -1.
|
||||
- final int res = getActivityStartController()
|
||||
- .obtainStarter(intent, "startNextMatchingActivity")
|
||||
- .setCaller(r.app.getThread())
|
||||
- .setResolvedType(r.resolvedType)
|
||||
- .setActivityInfo(aInfo)
|
||||
- .setResultTo(resultTo != null ? resultTo.appToken : null)
|
||||
- .setResultWho(resultWho)
|
||||
- .setRequestCode(requestCode)
|
||||
- .setCallingPid(-1)
|
||||
- .setCallingUid(r.launchedFromUid)
|
||||
- .setCallingPackage(r.launchedFromPackage)
|
||||
- .setRealCallingPid(-1)
|
||||
- .setRealCallingUid(r.launchedFromUid)
|
||||
- .setActivityOptions(options)
|
||||
- .execute();
|
||||
- Binder.restoreCallingIdentity(origId);
|
||||
-
|
||||
- r.finishing = wasFinishing;
|
||||
- if (res != ActivityManager.START_SUCCESS) {
|
||||
- return false;
|
||||
+ try {
|
||||
+ if (options == null) {
|
||||
+ options = new SafeActivityOptions(ActivityOptions.makeBasic());
|
||||
+ }
|
||||
+ // Fixes b/230492947
|
||||
+ // Prevents background activity launch through #startNextMatchingActivity
|
||||
+ // An activity going into the background could still go back to the foreground
|
||||
+ // if the intent used matches both:
|
||||
+ // - the activity in the background
|
||||
+ // - a second activity.
|
||||
+ options.getOptions(r).setAvoidMoveToFront();
|
||||
+ final int res = getActivityStartController()
|
||||
+ .obtainStarter(intent, "startNextMatchingActivity")
|
||||
+ .setCaller(r.app.getThread())
|
||||
+ .setResolvedType(r.resolvedType)
|
||||
+ .setActivityInfo(aInfo)
|
||||
+ .setResultTo(resultTo != null ? resultTo.appToken : null)
|
||||
+ .setResultWho(resultWho)
|
||||
+ .setRequestCode(requestCode)
|
||||
+ .setCallingPid(-1)
|
||||
+ .setCallingUid(r.launchedFromUid)
|
||||
+ .setCallingPackage(r.launchedFromPackage)
|
||||
+ .setRealCallingPid(-1)
|
||||
+ .setRealCallingUid(r.launchedFromUid)
|
||||
+ .setActivityOptions(options)
|
||||
+ .execute();
|
||||
+ r.finishing = wasFinishing;
|
||||
+ return res == ActivityManager.START_SUCCESS;
|
||||
+ } finally {
|
||||
+ Binder.restoreCallingIdentity(origId);
|
||||
}
|
||||
- return true;
|
||||
}
|
||||
}
|
||||
|
@ -1,222 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Valentin Iftime <valiiftime@google.com>
|
||||
Date: Wed, 8 Nov 2023 11:01:32 +0100
|
||||
Subject: [PATCH] Enforce persisted snoozed notifications limits
|
||||
|
||||
Prevent DoS attack that causes boot-looping by serializing a huge amount of snoozed notifications:
|
||||
- Check snooze limits for persisted notifications
|
||||
- Remove persisted group summary notification when in-memory counterpart is removed
|
||||
- Prevent unpriviledged API calls that allow 3P apps to snooze notifications with context/criterion
|
||||
|
||||
Test: atest SnoozeHelperTest
|
||||
Test: atest NotificationManagerServiceTest
|
||||
Bug: 307948424
|
||||
Bug: 308414141
|
||||
|
||||
(cherry picked from commit 965ff2d3c5487f72a77f6153ed8542cb2621d93c)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:87c11b6df3d6ba696a8978a01ef5d66aeab45c8f)
|
||||
Merged-In: I3571fa9207b778def652130d3ca840183a9a8414
|
||||
Change-Id: I3571fa9207b778def652130d3ca840183a9a8414
|
||||
---
|
||||
.../server/notification/SnoozeHelper.java | 22 +++-
|
||||
.../server/notification/SnoozeHelperTest.java | 105 +++++++++++++++++-
|
||||
2 files changed, 124 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/notification/SnoozeHelper.java b/services/core/java/com/android/server/notification/SnoozeHelper.java
|
||||
index 4a6648f74194..2341a055580a 100644
|
||||
--- a/services/core/java/com/android/server/notification/SnoozeHelper.java
|
||||
+++ b/services/core/java/com/android/server/notification/SnoozeHelper.java
|
||||
@@ -94,12 +94,27 @@ public class SnoozeHelper {
|
||||
}
|
||||
|
||||
protected boolean canSnooze(int numberToSnooze) {
|
||||
- if ((mPackages.size() + numberToSnooze) > CONCURRENT_SNOOZE_LIMIT) {
|
||||
+ if ((mPackages.size() + numberToSnooze) > CONCURRENT_SNOOZE_LIMIT
|
||||
+ || (countPersistedNotificationsLocked() + numberToSnooze)
|
||||
+ > CONCURRENT_SNOOZE_LIMIT) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
+ private int countPersistedNotificationsLocked() {
|
||||
+ int numNotifications = 0;
|
||||
+ for (ArrayMap<String, String> persistedWithContext :
|
||||
+ mPersistedSnoozedNotificationsWithContext.values()) {
|
||||
+ numNotifications += persistedWithContext.size();
|
||||
+ }
|
||||
+ for (ArrayMap<String, Long> persistedWithDuration :
|
||||
+ mPersistedSnoozedNotifications.values()) {
|
||||
+ numNotifications += persistedWithDuration.size();
|
||||
+ }
|
||||
+ return numNotifications;
|
||||
+ }
|
||||
+
|
||||
protected boolean isSnoozed(int userId, String pkg, String key) {
|
||||
return mSnoozedNotifications.containsKey(userId)
|
||||
&& mSnoozedNotifications.get(userId).containsKey(pkg)
|
||||
@@ -300,6 +315,11 @@ public class SnoozeHelper {
|
||||
mPackages.remove(groupSummaryKey);
|
||||
mUsers.remove(groupSummaryKey);
|
||||
|
||||
+ final String trimmedKey = getTrimmedString(groupSummaryKey);
|
||||
+ removeRecordLocked(pkg, trimmedKey, userId, mPersistedSnoozedNotifications);
|
||||
+ removeRecordLocked(pkg, trimmedKey, userId,
|
||||
+ mPersistedSnoozedNotificationsWithContext);
|
||||
+
|
||||
if (record != null && !record.isCanceled) {
|
||||
MetricsLogger.action(record.getLogMaker()
|
||||
.setCategory(MetricsProto.MetricsEvent.NOTIFICATION_SNOOZED)
|
||||
diff --git a/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java b/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java
|
||||
index 6772c7df0aa1..0d5e1347a56a 100644
|
||||
--- a/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java
|
||||
+++ b/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java
|
||||
@@ -17,6 +17,8 @@ package com.android.server.notification;
|
||||
|
||||
import static com.android.server.notification.SnoozeHelper.CONCURRENT_SNOOZE_LIMIT;
|
||||
|
||||
+import static com.google.common.truth.Truth.assertThat;
|
||||
+
|
||||
import static junit.framework.Assert.assertEquals;
|
||||
import static junit.framework.Assert.assertFalse;
|
||||
import static junit.framework.Assert.assertTrue;
|
||||
@@ -57,6 +59,16 @@ import org.mockito.MockitoAnnotations;
|
||||
public class SnoozeHelperTest extends UiServiceTestCase {
|
||||
private static final String TEST_CHANNEL_ID = "test_channel_id";
|
||||
|
||||
+ private static final String XML_TAG_NAME = "snoozed-notifications";
|
||||
+ private static final String XML_SNOOZED_NOTIFICATION = "notification";
|
||||
+ private static final String XML_SNOOZED_NOTIFICATION_CONTEXT = "context";
|
||||
+ private static final String XML_SNOOZED_NOTIFICATION_KEY = "key";
|
||||
+ private static final String XML_SNOOZED_NOTIFICATION_TIME = "time";
|
||||
+ private static final String XML_SNOOZED_NOTIFICATION_CONTEXT_ID = "id";
|
||||
+ private static final String XML_SNOOZED_NOTIFICATION_VERSION_LABEL = "version";
|
||||
+ private static final String XML_SNOOZED_NOTIFICATION_PKG = "pkg";
|
||||
+ private static final String XML_SNOOZED_NOTIFICATION_USER_ID = "user-id";
|
||||
+
|
||||
@Mock SnoozeHelper.Callback mCallback;
|
||||
@Mock AlarmManager mAm;
|
||||
@Mock ManagedServices.UserProfiles mUserProfiles;
|
||||
@@ -121,6 +133,57 @@ public class SnoozeHelperTest extends UiServiceTestCase {
|
||||
assertFalse(mSnoozeHelper.canSnooze(1));
|
||||
}
|
||||
|
||||
+ @Test
|
||||
+ public void testSnoozeLimit_maximumPersisted() throws XmlPullParserException, IOException {
|
||||
+ final long snoozeTimeout = 1234;
|
||||
+ final String snoozeContext = "ctx";
|
||||
+ // Serialize & deserialize notifications so that only persisted lists are used
|
||||
+ XmlSerializer serializer = new FastXmlSerializer();
|
||||
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
|
||||
+ serializer.setOutput(new BufferedOutputStream(baos), "utf-8");
|
||||
+ serializer.startDocument(null, true);
|
||||
+ serializer.startTag(null, XML_TAG_NAME);
|
||||
+ // Serialize maximum number of timed + context snoozed notifications, half of each
|
||||
+ for (int i = 0; i < CONCURRENT_SNOOZE_LIMIT; i++) {
|
||||
+ final boolean timedNotification = i % 2 == 0;
|
||||
+ if (timedNotification) {
|
||||
+ serializer.startTag(null, XML_SNOOZED_NOTIFICATION);
|
||||
+ } else {
|
||||
+ serializer.startTag(null, XML_SNOOZED_NOTIFICATION_CONTEXT);
|
||||
+ }
|
||||
+ serializer.attribute(null, XML_SNOOZED_NOTIFICATION_PKG, "pkg");
|
||||
+ serializer.attribute(null, XML_SNOOZED_NOTIFICATION_USER_ID,
|
||||
+ String.valueOf(UserHandle.USER_SYSTEM));
|
||||
+ serializer.attribute(null, XML_SNOOZED_NOTIFICATION_VERSION_LABEL, "1");
|
||||
+ serializer.attribute(null, XML_SNOOZED_NOTIFICATION_KEY, "key" + i);
|
||||
+ if (timedNotification) {
|
||||
+ serializer.attribute(null, XML_SNOOZED_NOTIFICATION_TIME,
|
||||
+ String.valueOf(snoozeTimeout));
|
||||
+ serializer.endTag(null, XML_SNOOZED_NOTIFICATION);
|
||||
+ } else {
|
||||
+ serializer.attribute(null, XML_SNOOZED_NOTIFICATION_CONTEXT_ID, snoozeContext);
|
||||
+ serializer.endTag(null, XML_SNOOZED_NOTIFICATION_CONTEXT);
|
||||
+ }
|
||||
+ }
|
||||
+ serializer.endTag(null, XML_TAG_NAME);
|
||||
+ serializer.endDocument();
|
||||
+ serializer.flush();
|
||||
+
|
||||
+ XmlPullParser parser = Xml.newPullParser();
|
||||
+ parser.setInput(new BufferedInputStream(
|
||||
+ new ByteArrayInputStream(baos.toByteArray())), "utf-8");
|
||||
+ mSnoozeHelper.readXml(parser, 1);
|
||||
+ // Verify that we can't snooze any more notifications
|
||||
+ // and that the limit is caused by persisted notifications
|
||||
+ assertThat(mSnoozeHelper.canSnooze(1)).isFalse();
|
||||
+ assertThat(mSnoozeHelper.isSnoozed(UserHandle.USER_SYSTEM, "pkg", "key0")).isFalse();
|
||||
+ assertThat(mSnoozeHelper.getSnoozeTimeForUnpostedNotification(UserHandle.USER_SYSTEM,
|
||||
+ "pkg", "key0")).isEqualTo(snoozeTimeout);
|
||||
+ assertThat(
|
||||
+ mSnoozeHelper.getSnoozeContextForUnpostedNotification(UserHandle.USER_SYSTEM, "pkg",
|
||||
+ "key1")).isEqualTo(snoozeContext);
|
||||
+ }
|
||||
+
|
||||
@Test
|
||||
public void testCancelByApp() throws Exception {
|
||||
NotificationRecord r = getNotificationRecord("pkg", 1, "one", UserHandle.SYSTEM);
|
||||
@@ -328,6 +391,7 @@ public class SnoozeHelperTest extends UiServiceTestCase {
|
||||
|
||||
@Test
|
||||
public void repostGroupSummary_repostsSummary() throws Exception {
|
||||
+ final int snoozeDuration = 1000;
|
||||
IntArray profileIds = new IntArray();
|
||||
profileIds.add(UserHandle.USER_SYSTEM);
|
||||
when(mUserProfiles.getCurrentProfileIds()).thenReturn(profileIds);
|
||||
@@ -335,10 +399,44 @@ public class SnoozeHelperTest extends UiServiceTestCase {
|
||||
"pkg", 1, "one", UserHandle.SYSTEM, "group1", true);
|
||||
NotificationRecord r2 = getNotificationRecord(
|
||||
"pkg", 2, "two", UserHandle.SYSTEM, "group1", false);
|
||||
- mSnoozeHelper.snooze(r, 1000);
|
||||
- mSnoozeHelper.snooze(r2, 1000);
|
||||
+ final long snoozeTime = System.currentTimeMillis() + snoozeDuration;
|
||||
+ mSnoozeHelper.snooze(r, snoozeDuration);
|
||||
+ mSnoozeHelper.snooze(r2, snoozeDuration);
|
||||
+ assertEquals(2, mSnoozeHelper.getSnoozed().size());
|
||||
+ assertEquals(2, mSnoozeHelper.getSnoozed(UserHandle.USER_SYSTEM, "pkg").size());
|
||||
+ // Verify that summary notification was added to the persisted list
|
||||
+ assertThat(mSnoozeHelper.getSnoozeTimeForUnpostedNotification(UserHandle.USER_SYSTEM, "pkg",
|
||||
+ r.getKey())).isAtLeast(snoozeTime);
|
||||
+
|
||||
+ mSnoozeHelper.repostGroupSummary("pkg", UserHandle.USER_SYSTEM, r.getGroupKey());
|
||||
+
|
||||
+ verify(mCallback, times(1)).repost(UserHandle.USER_SYSTEM, r, false);
|
||||
+ verify(mCallback, never()).repost(UserHandle.USER_SYSTEM, r2, false);
|
||||
+
|
||||
+ assertEquals(1, mSnoozeHelper.getSnoozed().size());
|
||||
+ assertEquals(1, mSnoozeHelper.getSnoozed(UserHandle.USER_SYSTEM, "pkg").size());
|
||||
+ // Verify that summary notification was removed from the persisted list
|
||||
+ assertThat(mSnoozeHelper.getSnoozeTimeForUnpostedNotification(UserHandle.USER_SYSTEM, "pkg",
|
||||
+ r.getKey())).isEqualTo(0);
|
||||
+ }
|
||||
+
|
||||
+ @Test
|
||||
+ public void snoozeWithContext_repostGroupSummary_removesPersisted() throws Exception {
|
||||
+ final String snoozeContext = "zzzzz";
|
||||
+ IntArray profileIds = new IntArray();
|
||||
+ profileIds.add(UserHandle.USER_SYSTEM);
|
||||
+ when(mUserProfiles.getCurrentProfileIds()).thenReturn(profileIds);
|
||||
+ NotificationRecord r = getNotificationRecord(
|
||||
+ "pkg", 1, "one", UserHandle.SYSTEM, "group1", true);
|
||||
+ NotificationRecord r2 = getNotificationRecord(
|
||||
+ "pkg", 2, "two", UserHandle.SYSTEM, "group1", false);
|
||||
+ mSnoozeHelper.snooze(r, snoozeContext);
|
||||
+ mSnoozeHelper.snooze(r2, snoozeContext);
|
||||
assertEquals(2, mSnoozeHelper.getSnoozed().size());
|
||||
assertEquals(2, mSnoozeHelper.getSnoozed(UserHandle.USER_SYSTEM, "pkg").size());
|
||||
+ // Verify that summary notification was added to the persisted list
|
||||
+ assertThat(mSnoozeHelper.getSnoozeContextForUnpostedNotification(UserHandle.USER_SYSTEM,
|
||||
+ "pkg", r.getKey())).isEqualTo(snoozeContext);
|
||||
|
||||
mSnoozeHelper.repostGroupSummary("pkg", UserHandle.USER_SYSTEM, r.getGroupKey());
|
||||
|
||||
@@ -347,6 +445,9 @@ public class SnoozeHelperTest extends UiServiceTestCase {
|
||||
|
||||
assertEquals(1, mSnoozeHelper.getSnoozed().size());
|
||||
assertEquals(1, mSnoozeHelper.getSnoozed(UserHandle.USER_SYSTEM, "pkg").size());
|
||||
+ // Verify that summary notification was removed from the persisted list
|
||||
+ assertThat(mSnoozeHelper.getSnoozeContextForUnpostedNotification(UserHandle.USER_SYSTEM,
|
||||
+ "pkg", r.getKey())).isNull();
|
||||
}
|
||||
|
||||
@Test
|
@ -1,98 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Sergey Nikolaienkov <sergeynv@google.com>
|
||||
Date: Mon, 3 Jul 2023 17:09:28 +0200
|
||||
Subject: [PATCH] DO NOT MERGE: Consolidate queryChildDocumentsXxx()
|
||||
implementations
|
||||
|
||||
Make sure to override the single right variant of the
|
||||
FileSystemProvider#queryChildDocuments() method: the one that takes the
|
||||
"includeHidden" boolean argument.
|
||||
|
||||
Bug: 200034476
|
||||
Bug: 220066255
|
||||
Bug: 283962634
|
||||
Test: make, install and run manually
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e11e4ca6eef7e77042f2b27fce4fdb8a0b3d0371)
|
||||
Merged-In: I4c00693e28f3d50d716350a65e9e6bfd7482b085
|
||||
Change-Id: I4c00693e28f3d50d716350a65e9e6bfd7482b085
|
||||
---
|
||||
.../downloads/DownloadStorageProvider.java | 38 ++++++-------------
|
||||
1 file changed, 12 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/src/com/android/providers/downloads/DownloadStorageProvider.java b/src/com/android/providers/downloads/DownloadStorageProvider.java
|
||||
index 051cf35c..2bacc826 100644
|
||||
--- a/src/com/android/providers/downloads/DownloadStorageProvider.java
|
||||
+++ b/src/com/android/providers/downloads/DownloadStorageProvider.java
|
||||
@@ -304,39 +304,26 @@ public class DownloadStorageProvider extends FileSystemProvider {
|
||||
}
|
||||
|
||||
@Override
|
||||
- public Cursor queryChildDocuments(String parentDocId, String[] projection, String sortOrder)
|
||||
- throws FileNotFoundException {
|
||||
- return queryChildDocuments(parentDocId, projection, sortOrder, false);
|
||||
- }
|
||||
-
|
||||
- @Override
|
||||
- public Cursor queryChildDocumentsForManage(
|
||||
- String parentDocId, String[] projection, String sortOrder)
|
||||
- throws FileNotFoundException {
|
||||
- return queryChildDocuments(parentDocId, projection, sortOrder, true);
|
||||
- }
|
||||
-
|
||||
- private Cursor queryChildDocuments(String parentDocId, String[] projection,
|
||||
- String sortOrder, boolean manage) throws FileNotFoundException {
|
||||
-
|
||||
+ protected Cursor queryChildDocuments(String documentId, String[] projection, String sortOrder,
|
||||
+ boolean includeHidden) throws FileNotFoundException {
|
||||
// Delegate to real provider
|
||||
final long token = Binder.clearCallingIdentity();
|
||||
Cursor cursor = null;
|
||||
try {
|
||||
- if (RawDocumentsHelper.isRawDocId(parentDocId)) {
|
||||
- return super.queryChildDocuments(parentDocId, projection, sortOrder);
|
||||
+ if (RawDocumentsHelper.isRawDocId(documentId)) {
|
||||
+ return super.queryChildDocuments(documentId, projection, sortOrder, includeHidden);
|
||||
}
|
||||
|
||||
final DownloadsCursor result = new DownloadsCursor(projection,
|
||||
getContext().getContentResolver());
|
||||
final ArrayList<Uri> notificationUris = new ArrayList<>();
|
||||
- if (isMediaStoreDownloadDir(parentDocId)) {
|
||||
+ if (isMediaStoreDownloadDir(documentId)) {
|
||||
includeDownloadsFromMediaStore(result, null /* queryArgs */,
|
||||
null /* filePaths */, notificationUris,
|
||||
- getMediaStoreIdString(parentDocId), NO_LIMIT, manage);
|
||||
+ getMediaStoreIdString(documentId), NO_LIMIT, includeHidden);
|
||||
} else {
|
||||
- assert (DOC_ID_ROOT.equals(parentDocId));
|
||||
- if (manage) {
|
||||
+ assert (DOC_ID_ROOT.equals(documentId));
|
||||
+ if (includeHidden) {
|
||||
cursor = mDm.query(
|
||||
new DownloadManager.Query().setOnlyIncludeVisibleInDownloadsUi(true));
|
||||
} else {
|
||||
@@ -351,7 +338,7 @@ public class DownloadStorageProvider extends FileSystemProvider {
|
||||
notificationUris.add(cursor.getNotificationUri());
|
||||
includeDownloadsFromMediaStore(result, null /* queryArgs */,
|
||||
filePaths, notificationUris,
|
||||
- null /* parentId */, NO_LIMIT, manage);
|
||||
+ null /* parentId */, NO_LIMIT, includeHidden);
|
||||
includeFilesFromSharedStorage(result, filePaths, null);
|
||||
}
|
||||
result.setNotificationUris(getContext().getContentResolver(), notificationUris);
|
||||
@@ -472,12 +459,11 @@ public class DownloadStorageProvider extends FileSystemProvider {
|
||||
return result;
|
||||
}
|
||||
|
||||
- private void includeSearchFilesFromSharedStorage(DownloadsCursor result,
|
||||
- String[] projection, Set<String> filePaths,
|
||||
- Bundle queryArgs) throws FileNotFoundException {
|
||||
+ private void includeSearchFilesFromSharedStorage(DownloadsCursor result, String[] projection,
|
||||
+ Set<String> filePaths, Bundle queryArgs) throws FileNotFoundException {
|
||||
final File downloadDir = getPublicDownloadsDirectory();
|
||||
try (Cursor rawFilesCursor = super.querySearchDocuments(downloadDir,
|
||||
- projection, filePaths, queryArgs)) {
|
||||
+ projection, /* exclusion */ filePaths, queryArgs)) {
|
||||
|
||||
final boolean shouldExcludeMedia = queryArgs.getBoolean(
|
||||
DocumentsContract.QUERY_ARG_EXCLUDE_MEDIA, false /* defaultValue */);
|
@ -1,44 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Wed, 29 Nov 2023 00:53:33 +0000
|
||||
Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and
|
||||
attp_build_value_cmd
|
||||
|
||||
this is a backport of Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
|
||||
|
||||
Bug: 276898739
|
||||
Test: manual
|
||||
Tag: #security
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e)
|
||||
Merged-In: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
|
||||
Change-Id: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
|
||||
---
|
||||
btif/src/btif_gatt_util.cc | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/btif/src/btif_gatt_util.cc b/btif/src/btif_gatt_util.cc
|
||||
index 16f227511..a0798df15 100644
|
||||
--- a/btif/src/btif_gatt_util.cc
|
||||
+++ b/btif/src/btif_gatt_util.cc
|
||||
@@ -18,6 +18,8 @@
|
||||
|
||||
#define LOG_TAG "bt_btif_gatt"
|
||||
|
||||
+#include <algorithm>
|
||||
+
|
||||
#include "btif_gatt_util.h"
|
||||
|
||||
#include <errno.h>
|
||||
@@ -48,9 +50,9 @@ using bluetooth::Uuid;
|
||||
void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) {
|
||||
p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
|
||||
p_dest->attr_value.handle = p_src->attr_value.handle;
|
||||
- p_dest->attr_value.len = p_src->attr_value.len;
|
||||
+ p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
|
||||
p_dest->attr_value.offset = p_src->attr_value.offset;
|
||||
- memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
|
||||
+ memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
|
||||
}
|
||||
|
||||
/*******************************************************************************
|
@ -1,38 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Wed, 29 Nov 2023 18:23:53 +0000
|
||||
Subject: [PATCH] Fix an OOB write bug in attp_build_read_by_type_value_cmd
|
||||
|
||||
This is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e
|
||||
|
||||
Bug: 297524203
|
||||
Test: m com.android.btservices
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)
|
||||
Merged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181
|
||||
Change-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181
|
||||
---
|
||||
stack/gatt/att_protocol.cc | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
|
||||
index 5d3d4a818..cdf472e40 100644
|
||||
--- a/stack/gatt/att_protocol.cc
|
||||
+++ b/stack/gatt/att_protocol.cc
|
||||
@@ -157,8 +157,14 @@ BT_HDR* attp_build_read_by_type_value_cmd(uint16_t payload_size,
|
||||
tGATT_FIND_TYPE_VALUE* p_value_type) {
|
||||
uint8_t* p;
|
||||
uint16_t len = p_value_type->value_len;
|
||||
- BT_HDR* p_buf =
|
||||
- (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
|
||||
+ BT_HDR* p_buf = nullptr;
|
||||
+
|
||||
+ if (payload_size < 5) {
|
||||
+ return nullptr;
|
||||
+ }
|
||||
+
|
||||
+ p_buf =
|
||||
+ (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
|
||||
|
||||
p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
|
||||
p_buf->offset = L2CAP_MIN_OFFSET;
|
@ -1,71 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Keith Mok <keithmok@google.com>
|
||||
Date: Thu, 31 Aug 2023 00:31:35 +0000
|
||||
Subject: [PATCH] Add seal if ashmem-dev is backed by memfd
|
||||
|
||||
Need to seal the buffer size in align with ashmem if set to PROT_READ
|
||||
only to prevent untrusted remote process to shrink the buffer size and
|
||||
crash it.
|
||||
|
||||
Bug: 294609150
|
||||
Test: build
|
||||
Ignore-AOSP-First: Security
|
||||
(cherry picked from commit f83c5c8fecf89d9315945368aa20350c2f235cc0)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:61a2897733e15a12b7aa2dfd99957e83cbe59351)
|
||||
Merged-In: I9288cf30b41e84ad8d3247c204e20482912bff69
|
||||
Change-Id: I9288cf30b41e84ad8d3247c204e20482912bff69
|
||||
---
|
||||
libcutils/ashmem-dev.cpp | 29 +++++++++++++++++++++++++----
|
||||
1 file changed, 25 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libcutils/ashmem-dev.cpp b/libcutils/ashmem-dev.cpp
|
||||
index e67b45808..a081837e5 100644
|
||||
--- a/libcutils/ashmem-dev.cpp
|
||||
+++ b/libcutils/ashmem-dev.cpp
|
||||
@@ -360,6 +360,12 @@ static int memfd_create_region(const char* name, size_t size) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ // forbid size changes to match ashmem behaviour
|
||||
+ if (fcntl(fd, F_ADD_SEALS, F_SEAL_GROW | F_SEAL_SHRINK) == -1) {
|
||||
+ ALOGE("memfd_create(%s, %zd) F_ADD_SEALS failed: %m", name, size);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
if (debug_log) {
|
||||
ALOGE("memfd_create(%s, %zd) success. fd=%d\n", name, size, fd.get());
|
||||
}
|
||||
@@ -411,14 +417,29 @@ error:
|
||||
}
|
||||
|
||||
static int memfd_set_prot_region(int fd, int prot) {
|
||||
- /* Only proceed if an fd needs to be write-protected */
|
||||
+ int seals = fcntl(fd, F_GET_SEALS);
|
||||
+ if (seals == -1) {
|
||||
+ ALOGE("memfd_set_prot_region(%d, %d): F_GET_SEALS failed: %s\n", fd, prot, strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
if (prot & PROT_WRITE) {
|
||||
+ /* Now we want the buffer to be read-write, let's check if the buffer
|
||||
+ * has been previously marked as read-only before, if so return error
|
||||
+ */
|
||||
+ if (seals & F_SEAL_FUTURE_WRITE) {
|
||||
+ ALOGE("memfd_set_prot_region(%d, %d): region is write protected\n", fd, prot);
|
||||
+ errno = EINVAL; // inline with ashmem error code, if already in
|
||||
+ // read-only mode
|
||||
+ return -1;
|
||||
+ }
|
||||
return 0;
|
||||
}
|
||||
|
||||
- if (fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE) == -1) {
|
||||
- ALOGE("memfd_set_prot_region(%d, %d): F_SEAL_FUTURE_WRITE seal failed: %s\n", fd, prot,
|
||||
- strerror(errno));
|
||||
+ /* We would only allow read-only for any future file operations */
|
||||
+ if (fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE | F_SEAL_SEAL) == -1) {
|
||||
+ ALOGE("memfd_set_prot_region(%d, %d): F_SEAL_FUTURE_WRITE | F_SEAL_SEAL seal failed: %s\n",
|
||||
+ fd, prot, strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
|
@ -1,44 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Wed, 29 Nov 2023 00:53:33 +0000
|
||||
Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and
|
||||
attp_build_value_cmd
|
||||
|
||||
this is a backport of Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
|
||||
|
||||
Bug: 276898739
|
||||
Test: manual
|
||||
Tag: #security
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e)
|
||||
Merged-In: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
|
||||
Change-Id: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
|
||||
---
|
||||
btif/src/btif_gatt_util.cc | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/btif/src/btif_gatt_util.cc b/btif/src/btif_gatt_util.cc
|
||||
index 6be1cb238..5b101450d 100644
|
||||
--- a/btif/src/btif_gatt_util.cc
|
||||
+++ b/btif/src/btif_gatt_util.cc
|
||||
@@ -18,6 +18,8 @@
|
||||
|
||||
#define LOG_TAG "bt_btif_gatt"
|
||||
|
||||
+#include <algorithm>
|
||||
+
|
||||
#include "btif_gatt_util.h"
|
||||
|
||||
#include <errno.h>
|
||||
@@ -48,9 +50,9 @@ using bluetooth::Uuid;
|
||||
void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) {
|
||||
p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
|
||||
p_dest->attr_value.handle = p_src->attr_value.handle;
|
||||
- p_dest->attr_value.len = p_src->attr_value.len;
|
||||
+ p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
|
||||
p_dest->attr_value.offset = p_src->attr_value.offset;
|
||||
- memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
|
||||
+ memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
|
||||
}
|
||||
|
||||
/*******************************************************************************
|
@ -1,38 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hui Peng <phui@google.com>
|
||||
Date: Wed, 29 Nov 2023 18:23:53 +0000
|
||||
Subject: [PATCH] Fix an OOB write bug in attp_build_read_by_type_value_cmd
|
||||
|
||||
This is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e
|
||||
|
||||
Bug: 297524203
|
||||
Test: m com.android.btservices
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)
|
||||
Merged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181
|
||||
Change-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181
|
||||
---
|
||||
stack/gatt/att_protocol.cc | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
|
||||
index 2b800b716..d1e0ece59 100644
|
||||
--- a/stack/gatt/att_protocol.cc
|
||||
+++ b/stack/gatt/att_protocol.cc
|
||||
@@ -157,8 +157,14 @@ BT_HDR* attp_build_read_by_type_value_cmd(uint16_t payload_size,
|
||||
tGATT_FIND_TYPE_VALUE* p_value_type) {
|
||||
uint8_t* p;
|
||||
uint16_t len = p_value_type->value_len;
|
||||
- BT_HDR* p_buf =
|
||||
- (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
|
||||
+ BT_HDR* p_buf = nullptr;
|
||||
+
|
||||
+ if (payload_size < 5) {
|
||||
+ return nullptr;
|
||||
+ }
|
||||
+
|
||||
+ p_buf =
|
||||
+ (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
|
||||
|
||||
p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
|
||||
p_buf->offset = L2CAP_MIN_OFFSET;
|
@ -93,6 +93,7 @@ patchWorkspaceReal() {
|
||||
repopick -t Q_asb_2023-11 -e 376555,376595,376596,376563,376568;
|
||||
repopick -t Q_asb_2023-12 -e 377251,378083,378084,378085,378086,378087,378088,378314,378315;
|
||||
repopick -t Q_asb_2024-01;
|
||||
repopick -t Q_asb_2024-02;
|
||||
|
||||
sh "$DOS_SCRIPTS/Patch.sh";
|
||||
sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
|
||||
|
@ -98,8 +98,6 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
|
||||
awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
|
||||
sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
|
||||
#sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
|
||||
sed -i 's/2024-01-05/2024-02-05/' core/version_defaults.mk; #Bump Security String #R_asb_2024-02
|
||||
|
||||
fi;
|
||||
|
||||
if enterAndClear "build/soong"; then
|
||||
@ -162,17 +160,12 @@ if enterAndClear "external/zlib"; then
|
||||
git fetch https://github.com/LineageOS/android_external_zlib refs/changes/70/352570/1 && git cherry-pick FETCH_HEAD; #Q_asb_2023-03
|
||||
fi;
|
||||
|
||||
if enterAndClear "frameworks/av"; then
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_av/381886.patch"; #R_asb_2024-02 Update mtp packet buffer
|
||||
fi;
|
||||
#if enterAndClear "frameworks/av"; then
|
||||
#fi;
|
||||
|
||||
if enterAndClear "frameworks/base"; then
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/379145.patch"; #R_asb_2024-01 Dismiss keyguard when simpin auth'd and...
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/379136.patch"; #R_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/381887-backport.patch"; #R_asb_2024-02 Disallow Wallpaper service to launch activity from background.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/381889-backport.patch"; #R_asb_2024-02 Unbind TileService onNullBinding
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/381890-backport.patch"; #R_asb_2024-02 Restrict activity launch when caller is running in the background
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/381892-backport.patch"; #R_asb_2024-02 Enforce persisted snoozed notifications limits #XXX: error: cannot find symbol
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
|
||||
#applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
|
||||
@ -395,7 +388,6 @@ fi;
|
||||
#fi;
|
||||
|
||||
if enterAndClear "packages/providers/DownloadProvider"; then
|
||||
#applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/381893.patch"; #R_asb_2024-02 Consolidate queryChildDocumentsXxx() implementations #XXX: DownloadStorageProvider.java:306: error: method does not override or implement a method from a supertype
|
||||
applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/0001-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS)
|
||||
fi;
|
||||
|
||||
@ -408,8 +400,6 @@ applyPatch "$DOS_PATCHES/android_prebuilts_abi-dumps_vndk/0001-protobuf-avi.patc
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/bt"; then
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/381894.patch"; #R_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/381895.patch"; #R_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
|
||||
#applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
|
||||
#applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
|
||||
@ -425,7 +415,6 @@ if enterAndClear "system/core"; then
|
||||
if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
|
||||
git revert --no-edit 3032c7aa5ce90c0ae9c08fe271052c6e0304a1e7 01266f589e6deaef30b782531ae14435cdd2f18e; #insanity
|
||||
git revert --no-edit bd4142eab8b3cead0c25a2e660b4b048d1315d3c; #Always update recovery
|
||||
applyPatch "$DOS_PATCHES/android_system_core/381896.patch"; #R_asb_2024-02 Add seal if ashmem-dev is backed by memfd
|
||||
applyPatch "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysctl changes (GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0002-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_BIONIC" = true ]; then applyPatch "$DOS_PATCHES/android_system_core/0003-Zero_Sensitive_Info.patch"; fi; #Zero sensitive information with explicit_bzero (GrapheneOS)
|
||||
@ -462,10 +451,8 @@ applyPatch "$DOS_PATCHES/android_tools_apksig/360973-backport-prereq.patch"; #R_
|
||||
applyPatch "$DOS_PATCHES/android_tools_apksig/360973-backport.patch"; #R_asb_2023-07 Limit the number of supported v1 and v2 signers
|
||||
fi;
|
||||
|
||||
if enterAndClear "vendor/qcom/opensource/commonsys/system/bt/"; then
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/381897.patch"; #R_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
|
||||
applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/381898.patch"; #R_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
|
||||
fi;
|
||||
#if enterAndClear "vendor/qcom/opensource/commonsys/system/bt/"; then
|
||||
#fi;
|
||||
|
||||
if enterAndClear "vendor/lineage"; then
|
||||
rm build/target/product/security/lineage.x509.pem; #Remove Lineage keys
|
||||
|
Loading…
Reference in New Issue
Block a user