From c1be661b6b2aec96215a29b86c958f13954a2921 Mon Sep 17 00:00:00 2001 From: AlamIntel Date: Mon, 18 Nov 2024 13:56:26 +0530 Subject: [PATCH] ASB DEC 2024 Security Patches integration Integrating Google Android Security Bulletin Patches Test done: STS r33 TCs Passed. Tracked-On: OAM-127578 
Signed-off-by: AlamIntel --- ...9-Update-security_patch_level-string.patch | 2 +- ...ds-check-in-skia_alloc_func.bulletin.patch | 51 +++++++ ...erflow-before-allocating-Sk.bulletin.patch | 38 +++++ ...wing-an-SkRegion-s-RunArray.bulletin.patch | 38 +++++ ...more-URIs-in-notifications.bulletin.patch} | 0 ...pp-provided-shortcut-icons.bulletin.patch} | 0 ...rd-UI-when-device-is-locked.bulletin.patch | 130 ++++++++++++++++++ ...nding-in-appwidget-service-.bulletin.patch | 63 +++++++++ ...hen-not-used-for-management.bulletin.patch | 80 +++++++++++ ...p-reading-component-name-from-call-e.patch | 63 +++++++++ ...an-authentication-bypass-bug-in-SMP.patch} | 0 ...ead_multi_rsp-of-gatt_sr-cc.bulletin.patch | 59 ++++++++ ...e-Variable-Response-builder.bulletin.patch | 40 ++++++ ...immediately-on-reconnection.bulletin.patch | 46 +++++++ ...ix-OOB-writes-in-gatt_sr-cc.bulletin.patch | 86 ++++++++++++ 15 files changed, 695 insertions(+), 1 deletion(-) create mode 100644 aosp_diff/preliminary/external/skia/02_0002--pdf-Bounds-check-in-skia_alloc_func.bulletin.patch create mode 100644 aosp_diff/preliminary/external/skia/03_0003-RESTRICT-AUTOMERGE-Check-for-size-overflow-before-allocating-Sk.bulletin.patch create mode 100644 aosp_diff/preliminary/external/skia/04_0004-Prevent-overflow-when-growing-an-SkRegion-s-RunArray.bulletin.patch rename aosp_diff/preliminary/frameworks/base/{74_0074-Check-more-URIs-in-notifications.patch => 74_0074-Check-more-URIs-in-notifications.bulletin.patch} (100%) rename aosp_diff/preliminary/frameworks/base/{77_0077-RESTRICT-AUTOMERGE-Clear-app-provided-shortcut-icons.patch => 77_0077-RESTRICT-AUTOMERGE-Clear-app-provided-shortcut-icons.bulletin.patch} (100%) create mode 100644 aosp_diff/preliminary/frameworks/base/79_0079-Block-clipboard-UI-when-device-is-locked.bulletin.patch create mode 100644 aosp_diff/preliminary/frameworks/base/80_0080-Properly-handle-onNullBinding-in-appwidget-service-.bulletin.patch create mode 100644 
aosp_diff/preliminary/frameworks/base/81_0081-Allow-uninstalling-DMRH-when-not-used-for-management.bulletin.patch create mode 100644 aosp_diff/preliminary/packages/apps/Car/Launcher/0001-DO-NOT-MERGE-Stop-reading-component-name-from-call-e.patch rename aosp_diff/preliminary/packages/modules/Bluetooth/{0010-Fix-an-authentication-bypass-bug-in-SMP.bulletin.patch => 0010-Fix-an-authentication-bypass-bug-in-SMP.patch} (100%) create mode 100644 aosp_diff/preliminary/packages/modules/Bluetooth/0013-Fix-OOB-write-in-build_read_multi_rsp-of-gatt_sr-cc.bulletin.patch create mode 100644 aosp_diff/preliminary/packages/modules/Bluetooth/0014-Fix-GATT-Read-Multiple-Variable-Response-builder.bulletin.patch create mode 100644 aosp_diff/preliminary/packages/modules/Bluetooth/0015-Encrypt-LE-link-immediately-on-reconnection.bulletin.patch create mode 100644 aosp_diff/preliminary/packages/modules/Bluetooth/0016-Fix-OOB-writes-in-gatt_sr-cc.bulletin.patch diff --git a/aosp_diff/preliminary/build/make/0009-Update-security_patch_level-string.patch b/aosp_diff/preliminary/build/make/0009-Update-security_patch_level-string.patch index dc9b086ec0..a5f79ebed7 100644 --- a/aosp_diff/preliminary/build/make/0009-Update-security_patch_level-string.patch +++ b/aosp_diff/preliminary/build/make/0009-Update-security_patch_level-string.patch @@ -21,7 +21,7 @@ index dba897a9c3..a2dae42533 100644 # It must match one of the Android Security Patch Level strings of the Public Security Bulletins. # If there is no $PLATFORM_SECURITY_PATCH set, keep it empty. - PLATFORM_SECURITY_PATCH := 2024-02-05 -+ PLATFORM_SECURITY_PATCH := 2024-11-01 ++ PLATFORM_SECURITY_PATCH := 2024-12-01 endif include $(BUILD_SYSTEM)/version_util.mk diff --git a/aosp_diff/preliminary/external/skia/02_0002--pdf-Bounds-check-in-skia_alloc_func.bulletin.patch b/aosp_diff/preliminary/external/skia/02_0002--pdf-Bounds-check-in-skia_alloc_func.bulletin.patch new file mode 100644 index 0000000000..4be4f79e46 --- /dev/null 
+++ b/aosp_diff/preliminary/external/skia/02_0002--pdf-Bounds-check-in-skia_alloc_func.bulletin.patch
@@ -0,0 +1,51 @@
+From b5543cb8c6b95623743016055220378efe73eb93 Mon Sep 17 00:00:00 2001
+From: Ben Wagner
+Date: Mon, 12 Aug 2024 15:00:08 -0400
+Subject: [PATCH] [pdf] Bounds check in skia_alloc_func
+
+The allocator callback for zlib needs to check that items * size will
+fit in size_t and return nullptr if not.
+
+Conflicts:
+- src/pdf/SkDeflate.cpp: just in header includes
+
+Bug: 349678452
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/888996
+Commit-Queue: Ben Wagner
+Reviewed-by: Brian Osman
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ac6d5834d4d701232e98745a58815fb2ac9cd75)
+Merged-In: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+Change-Id: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+---
+ src/pdf/SkDeflate.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/pdf/SkDeflate.cpp b/src/pdf/SkDeflate.cpp
+index f044c140fa..157f5164ee 100644
+--- a/src/pdf/SkDeflate.cpp
++++ b/src/pdf/SkDeflate.cpp
+@@ -9,6 +9,7 @@
+ 
+ #include "include/core/SkData.h"
+ #include "include/private/base/SkMalloc.h"
++#include "include/private/base/SkTFitsIn.h"
+ #include "include/private/base/SkTo.h"
+ #include "src/core/SkTraceEvent.h"
+ 
+@@ -21,6 +22,13 @@ namespace {
+ // Different zlib implementations use different T.
+ // We've seen size_t and unsigned.
+ template void* skia_alloc_func(void*, T items, T size) {
++ if (!SkTFitsIn(size)) {
++ return nullptr;
++ }
++ const size_t maxItems = SIZE_MAX / size;
++ if (maxItems < items) {
++ return nullptr;
++ }
+ return sk_calloc_throw(SkToSizeT(items) * SkToSizeT(size));
+ }
+ 
+--
+2.46.1.824.gd892dcdcdd-goog
+ 
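Review bot: `const size_t maxItems = SIZE_MAX / size;` divides by zero when `size` is 0, because the only check before it is the SkTFitsIn test and nothing rejects a zero element size; fold it into the guard, `if (size == 0 || !SkTFitsIn<size_t>(size)) { return nullptr; }`. The existing comment above the template notes that zlib implementations pass size_t or unsigned for T, so a zero size is unlikely in practice, but the guard is one comparison and removes an undefined operation from an allocator that is fed by the deflate stream. The comparison `maxItems < items` mixes size_t with T, which for an unsigned T also covers an `items` value that does not fit in size_t; a one-line comment, `// also rejects an items value that does not fit in size_t`, would make that double duty explicit. The template parameter list and the SkTFitsIn type argument look to have been stripped by the page rendering rather than by the patch, so that should be confirmed against the file itself.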
diff --git a/aosp_diff/preliminary/external/skia/03_0003-RESTRICT-AUTOMERGE-Check-for-size-overflow-before-allocating-Sk.bulletin.patch b/aosp_diff/preliminary/external/skia/03_0003-RESTRICT-AUTOMERGE-Check-for-size-overflow-before-allocating-Sk.bulletin.patch
new file mode 100644
index 0000000000..d2836c9683
--- /dev/null
+++ b/aosp_diff/preliminary/external/skia/03_0003-RESTRICT-AUTOMERGE-Check-for-size-overflow-before-allocating-Sk.bulletin.patch
@@ -0,0 +1,38 @@
+From 796c2040f641bb287dba66c9823ce45e9f8b5807 Mon Sep 17 00:00:00 2001
+From: Brian Osman
+Date: Thu, 29 Aug 2024 12:47:48 -0400
+Subject: [PATCH] RESTRICT AUTOMERGE: Check for size overflow before allocating
+ SkMask data
+
+Bug: 352631932
+Test: N/A -- not reproducible / speculative fix
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894478
+Commit-Queue: Ben Wagner
+Reviewed-by: Ben Wagner
+Auto-Submit: Brian Osman
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fa94ff39bee75fe3a4abf061c09b972e2ffd0fa)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbf6a5953623cdb0ef200bcba00bc43986b16c91)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a96bda269af74d90cf3993c4429ce9e673a5fc36)
+Merged-In: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+Change-Id: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+---
+ src/core/SkBlurMF.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/core/SkBlurMF.cpp b/src/core/SkBlurMF.cpp
+index cd3cd5f3d9..7de3653779 100644
+--- a/src/core/SkBlurMF.cpp
++++ b/src/core/SkBlurMF.cpp
+@@ -181,6 +181,9 @@ static bool prepare_to_draw_into_mask(const SkRect& bounds, SkMask* mask) {
+ mask->fRowBytes = SkAlign4(mask->fBounds.width());
+ mask->fFormat = SkMask::kA8_Format;
+ const size_t size = mask->computeImageSize();
++ if (size == 0) {
++ return false;
++ }
+ mask->fImage = SkMask::AllocImage(size, SkMask::kZeroInit_Alloc);
+ if (nullptr == mask->fImage) {
+ return false;
+--
+2.46.1.824.gd892dcdcdd-goog
+ 
diff --git a/aosp_diff/preliminary/external/skia/04_0004-Prevent-overflow-when-growing-an-SkRegion-s-RunArray.bulletin.patch b/aosp_diff/preliminary/external/skia/04_0004-Prevent-overflow-when-growing-an-SkRegion-s-RunArray.bulletin.patch
new file mode 100644
index 0000000000..14159996ec
--- /dev/null
+++ b/aosp_diff/preliminary/external/skia/04_0004-Prevent-overflow-when-growing-an-SkRegion-s-RunArray.bulletin.patch
@@ -0,0 +1,38 @@
+From 8d355fe1d0795fc30b84194b87563f75c6f8f2a7 Mon Sep 17 00:00:00 2001
+From: Brian Osman
+Date: Thu, 29 Aug 2024 11:52:35 -0400
+Subject: [PATCH] Prevent overflow when growing an SkRegion's RunArray
+
+Bug: 350118416
+Test: N/A -- speculative issue without repro case
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894836
+Reviewed-by: Robert Phillips
+Commit-Queue: Brian Osman
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85802e6d648a7831a26cc856fa5e33da94ed23f0)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:521332e28acde551bb63dbd6829e7089d73533d8)
+Merged-In: Iea27fe62ef97deb8a75e8dae276657d809223b57
+Change-Id: Iea27fe62ef97deb8a75e8dae276657d809223b57
+---
+ src/core/SkRegion.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
+index 780a71c9ba..c46ffa44fe 100644
+--- a/src/core/SkRegion.cpp
++++ b/src/core/SkRegion.cpp
+@@ -55,8 +55,10 @@ public:
+ /** Resize the array to a size greater-than-or-equal-to count. */
+ void resizeToAtLeast(int count) {
+ if (count > fCount) {
+- // leave at least 50% extra space for future growth.
+- count += count >> 1;
++ // leave at least 50% extra space for future growth (unless adding would overflow)
++ SkSafeMath safe;
++ int newCount = safe.addInt(count, count >> 1);
++ count = safe ? newCount : SK_MaxS32;
+ fMalloc.realloc(count);
+ if (fPtr == fStack) {
+ memcpy(fMalloc.get(), fStack, fCount * sizeof(SkRegionPriv::RunType));
+--
+2.46.1.824.gd892dcdcdd-goog
+ 
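Review bot: The new `if (size == 0) { return false; }` relies on `computeImageSize()` reporting an overflowed width×height by returning 0, and nothing at the call site says so; a comment such as `// computeImageSize() yields 0 when the dimensions overflow; fail instead of allocating from a wrapped size` would record why a zero size is an error rather than an empty mask. If an empty bounds can legitimately reach this point it is now also rejected, which is presumably acceptable for a blur mask but is worth confirming against the callers. prepare_to_draw_into_mask begins and ends outside the hunk.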
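Review bot: When `safe.addInt` overflows, the fallback `count = safe ? newCount : SK_MaxS32;` requests SK_MaxS32 run entries from `fMalloc.realloc`, although the caller only needs `count`, which already fits in an int and already satisfies the documented contract "greater-than-or-equal-to count"; `count = safe ? newCount : count;` keeps the postcondition without asking for the largest possible array on the overflow path. The updated comment should then say what the fallback does, e.g. `// grow by 50% for amortised growth; if that overflows, take exactly what was asked for`. Whether SkRegion.cpp already includes the header that declares SkSafeMath is not visible in this hunk and should be confirmed. resizeToAtLeast continues past the end of the hunk.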
diff --git a/aosp_diff/preliminary/frameworks/base/74_0074-Check-more-URIs-in-notifications.patch b/aosp_diff/preliminary/frameworks/base/74_0074-Check-more-URIs-in-notifications.bulletin.patch similarity index 100% rename from aosp_diff/preliminary/frameworks/base/74_0074-Check-more-URIs-in-notifications.patch rename to aosp_diff/preliminary/frameworks/base/74_0074-Check-more-URIs-in-notifications.bulletin.patch diff --git a/aosp_diff/preliminary/frameworks/base/77_0077-RESTRICT-AUTOMERGE-Clear-app-provided-shortcut-icons.patch b/aosp_diff/preliminary/frameworks/base/77_0077-RESTRICT-AUTOMERGE-Clear-app-provided-shortcut-icons.bulletin.patch similarity index 100% rename from aosp_diff/preliminary/frameworks/base/77_0077-RESTRICT-AUTOMERGE-Clear-app-provided-shortcut-icons.patch rename to aosp_diff/preliminary/frameworks/base/77_0077-RESTRICT-AUTOMERGE-Clear-app-provided-shortcut-icons.bulletin.patch diff --git a/aosp_diff/preliminary/frameworks/base/79_0079-Block-clipboard-UI-when-device-is-locked.bulletin.patch b/aosp_diff/preliminary/frameworks/base/79_0079-Block-clipboard-UI-when-device-is-locked.bulletin.patch new file mode 100644 index 0000000000..a992be7099 --- /dev/null +++ b/aosp_diff/preliminary/frameworks/base/79_0079-Block-clipboard-UI-when-device-is-locked.bulletin.patch 
@@ -0,0 +1,130 @@
+From 70eb75df7d342429c3ee225feb7c011df727442f Mon Sep 17 00:00:00 2001
+From: Miranda Kephart
+Date: Fri, 16 Feb 2024 10:14:15 -0500
+Subject: [PATCH] Block clipboard UI when device is locked
+
+In some situations (see bug for details) it's possible to enter the
+clipboard even while the device is locked, and from there access the
+provided intents. Users should not be able to access intents from this
+state; this change adds an additional check before showing the interactive UI.
+
+The behavior is identical to what we do when user setup is not complete
+(b/251778420): we show a toast to note that content has been copied, but no interactive UI.
+
+Interactive UI is only blocked when device is locked (i.e. requiring pin
+entry/password/biometric/etc), not if the keyguard is up but trivially
+dismissable.
+
+Bug: 317048495
+Test: atest ClipboardListenerTest; verification using steps in linked
+bug as well as forcing text content to appear client-side, to verify
+that even if text content is received in the ClipboardListener, no
+interactive UI appears.
+
+(cherry picked from commit 2976ca86d5c5be558191a1fe706d4cd0d7ccdecb)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c9adc41c71a604da29fe01be79f4172473dfe1c6)
+Merged-In: I1a48cbe64852dce3fba69915ca11dad8878f66eb
+Change-Id: I1a48cbe64852dce3fba69915ca11dad8878f66eb
+---
+ .../clipboardoverlay/ClipboardListener.java | 8 +++++++-
+ .../ClipboardListenerTest.java | 18 +++++++++++++++++-
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java b/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java
+index 63b4288ce055..f0a980e0a30c 100644
+--- a/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java
++++ b/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java
+@@ -24,6 +24,7 @@ import static com.android.systemui.clipboardoverlay.ClipboardOverlayEvent.CLIPBO
+ 
+ import static com.google.android.setupcompat.util.WizardManagerHelper.SETTINGS_SECURE_USER_SETUP_COMPLETE;
+ 
++import android.app.KeyguardManager;
+ import android.content.ClipData;
+ import android.content.ClipboardManager;
+ import android.content.Context;
+@@ -57,6 +58,7 @@ public class ClipboardListener implements
+ private final Provider mOverlayProvider;
+ private final ClipboardToast mClipboardToast;
+ private final ClipboardManager mClipboardManager;
++ private final KeyguardManager mKeyguardManager;
+ private final UiEventLogger mUiEventLogger;
+ private ClipboardOverlay mClipboardOverlay;
+ 
+@@ -65,11 +67,13 @@ public class ClipboardListener implements
+ Provider clipboardOverlayControllerProvider,
+ ClipboardToast clipboardToast,
+ ClipboardManager clipboardManager,
++ KeyguardManager keyguardManager,
+ UiEventLogger uiEventLogger) {
+ mContext = context;
+ mOverlayProvider = clipboardOverlayControllerProvider;
+ mClipboardToast = clipboardToast;
+ mClipboardManager = clipboardManager;
++ mKeyguardManager = keyguardManager;
+ mUiEventLogger = uiEventLogger;
+ }
+ 
+@@ -92,7 +96,9 @@ public class ClipboardListener implements
+ return;
+ }
+ 
+- if (!isUserSetupComplete() // user should not access intents from this state
++ // user should not access intents before setup or while device is locked
++ if (mKeyguardManager.isDeviceLocked()
++ || !isUserSetupComplete()
+ || clipData == null // shouldn't happen, but just in case
+ || clipData.getItemCount() == 0) {
+ if (shouldShowToast(clipData)) {
+diff --git a/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java b/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java
+index 18515825967f..9d02c86cfa7a 100644
+--- a/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java
++++ b/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java
+@@ -27,6 +27,7 @@ import static org.mockito.Mockito.verify;
+ import static org.mockito.Mockito.verifyZeroInteractions;
+ import static org.mockito.Mockito.when;
+ 
++import android.app.KeyguardManager;
+ import android.content.ClipData;
+ import android.content.ClipDescription;
+ import android.content.ClipboardManager;
+@@ -59,6 +60,8 @@ public class ClipboardListenerTest extends SysuiTestCase {
+ @Mock
+ private ClipboardManager mClipboardManager;
+ @Mock
++ private KeyguardManager mKeyguardManager;
++ @Mock
+ private ClipboardOverlayController mOverlayController;
+ @Mock
+ private ClipboardToast mClipboardToast;
+@@ -96,7 +99,7 @@ public class ClipboardListenerTest extends SysuiTestCase {
+ when(mClipboardManager.getPrimaryClipSource()).thenReturn(mSampleSource);
+ 
+ mClipboardListener = new ClipboardListener(getContext(), mOverlayControllerProvider,
+- mClipboardToast, mClipboardManager, mUiEventLogger);
++ mClipboardToast, mClipboardManager, mKeyguardManager, mUiEventLogger);
+ }
+ 
+ 
+@@ -190,6 +193,19 @@ public class ClipboardListenerTest extends SysuiTestCase {
+ verifyZeroInteractions(mOverlayControllerProvider);
+ }
+ 
++ @Test
++ public void test_deviceLocked_showsToast() {
++ when(mKeyguardManager.isDeviceLocked()).thenReturn(true);
++
++ mClipboardListener.start();
++ mClipboardListener.onPrimaryClipChanged();
++
++ verify(mUiEventLogger, times(1)).log(
++ ClipboardOverlayEvent.CLIPBOARD_TOAST_SHOWN, 0, mSampleSource);
++ verify(mClipboardToast, times(1)).showCopiedToast();
++ verifyZeroInteractions(mOverlayControllerProvider);
++ }
++
+ @Test
+ public void test_nullClipData_showsNothing() {
+ when(mClipboardManager.getPrimaryClip()).thenReturn(null);
+--
+2.46.1.824.gd892dcdcdd-goog
+ 
diff --git a/aosp_diff/preliminary/frameworks/base/80_0080-Properly-handle-onNullBinding-in-appwidget-service-.bulletin.patch b/aosp_diff/preliminary/frameworks/base/80_0080-Properly-handle-onNullBinding-in-appwidget-service-.bulletin.patch
new file mode 100644
index 0000000000..8e73325acb
--- /dev/null
+++ b/aosp_diff/preliminary/frameworks/base/80_0080-Properly-handle-onNullBinding-in-appwidget-service-.bulletin.patch
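Review bot: The new comment `// user should not access intents before setup or while device is locked` loses the distinction the commit message draws: `isDeviceLocked()` is true only while a secure keyguard (PIN, password, biometric) is engaged, so a keyguard that is up but trivially dismissable still gets the interactive overlay, and a reader of the condition alone cannot tell that this is intended. Suggest `// isDeviceLocked(): secure keyguard engaged; a dismissable keyguard still allows the overlay` next to the new check. The new test pins the locked case; the unlocked case is covered only implicitly by the existing tests, where the mock's default false applies, so a small explicit test that stubs isDeviceLocked() to false and expects the overlay would protect the boundary the message describes. The method around the changed condition continues outside the hunk.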
@@ -0,0 +1,63 @@
+From ae43ac7f3d3d5112b0f54b5315a15b08208acf9c Mon Sep 17 00:00:00 2001
+From: Pinyao Ting
+Date: Thu, 29 Aug 2024 17:01:55 +0000
+Subject: [PATCH] Properly handle onNullBinding() in appwidget service.
+
+Bug: 340239088
+Test: manually verified with the PoC app
+Flag: EXEMPT CVE
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d406f4708e39d0da285da6cc11cc7aff30f75357)
+Merged-In: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+Change-Id: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+---
+ core/java/android/widget/RemoteViewsAdapter.java | 5 +++++
+ .../android/server/appwidget/AppWidgetServiceImpl.java | 10 ++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/core/java/android/widget/RemoteViewsAdapter.java b/core/java/android/widget/RemoteViewsAdapter.java
+index 61a7599e8f73..26c146c46917 100644
+--- a/core/java/android/widget/RemoteViewsAdapter.java
++++ b/core/java/android/widget/RemoteViewsAdapter.java
+@@ -240,6 +240,11 @@ public class RemoteViewsAdapter extends BaseAdapter implements Handler.Callback
+ }
+ }
+ 
++ @Override
++ public void onNullBinding(ComponentName name) {
++ enqueueDeferredUnbindServiceMessage();
++ }
++
+ @Override
+ public void handleMessage(Message msg) {
+ RemoteViewsAdapter adapter = mAdapter.get();
+diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+index 2d60716104c1..4283d909e864 100644
+--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
++++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+@@ -1874,6 +1874,11 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+ mContext.unbindService(this);
+ }
+ 
++ @Override
++ public void onNullBinding(ComponentName name) {
++ mContext.unbindService(this);
++ }
++
+ @Override
+ public void onServiceDisconnected(ComponentName name) {
+ // Do nothing
+@@ -2014,6 +2019,11 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+ mContext.unbindService(this);
+ }
+ 
++ @Override
++ public void onNullBinding(ComponentName name) {
++ mContext.unbindService(this);
++ }
++
+ @Override
+ public void onServiceDisconnected(android.content.ComponentName name) {
+ // Do nothing
+--
+2.46.1.824.gd892dcdcdd-goog
+ 
diff --git a/aosp_diff/preliminary/frameworks/base/81_0081-Allow-uninstalling-DMRH-when-not-used-for-management.bulletin.patch b/aosp_diff/preliminary/frameworks/base/81_0081-Allow-uninstalling-DMRH-when-not-used-for-management.bulletin.patch
new file mode 100644
index 0000000000..a2bdbafc2c
--- /dev/null
+++ b/aosp_diff/preliminary/frameworks/base/81_0081-Allow-uninstalling-DMRH-when-not-used-for-management.bulletin.patch
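Review bot: None of the three new `onNullBinding` overrides says why a null binding is handled like a completed connection, and the three bodies differ (one defers through `enqueueDeferredUnbindServiceMessage()`, two call `mContext.unbindService(this)` directly); a one-line comment on each, e.g. `// onBind() returned null: nothing to talk to, so release the binding instead of keeping the service bound`, would make the intent survive the next refactor. In AppWidgetServiceImpl the second new override's neighbour is declared as `onServiceDisconnected(android.content.ComponentName name)` while the new method uses the short `ComponentName`; use one form within the class. The enclosing ServiceConnection implementations begin and end outside the hunks.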
@@ -0,0 +1,80 @@
+From 619ffc299bf33566ba6daee8301ee0fc96e015f4 Mon Sep 17 00:00:00 2001
+From: Pavel Grafov
+Date: Fri, 4 Oct 2024 17:05:01 +0100
+Subject: [PATCH] Allow uninstalling DMRH when not used for management
+
+Bug: 360807442
+Test: btest a.d.c.DevicePolicyManagementRoleHolderTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:da522df80568c158fe30896f9a571d05556ee51a)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:085f90a604ac24e45f44301257ae8a12da0054c1)
+Merged-In: I023f78cef11fb7e8e9a92e2896cf94c9fcd1113b
+Change-Id: I023f78cef11fb7e8e9a92e2896cf94c9fcd1113b
+---
+ .../server/pm/PackageManagerService.java | 31 ++++++++++++++-----
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index cac96e544432..84f0057757dd 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -60,6 +60,7 @@ import android.app.ApplicationExitInfo;
+ import android.app.ApplicationPackageManager;
+ import android.app.BroadcastOptions;
+ import android.app.IActivityManager;
++import android.app.admin.DevicePolicyManagerInternal;
+ import android.app.admin.IDevicePolicyManager;
+ import android.app.admin.SecurityLog;
+ import android.app.backup.IBackupManager;
+@@ -3371,8 +3372,10 @@ public class PackageManagerService implements PackageSender, TestUtilityService
+ // TODO(b/261957226): centralise this logic in DPM
+ boolean isPackageDeviceAdmin(String packageName, int userId) {
+ final IDevicePolicyManager dpm = getDevicePolicyManager();
++ final DevicePolicyManagerInternal dpmi =
++ mInjector.getLocalService(DevicePolicyManagerInternal.class);
+ try {
+- if (dpm != null) {
++ if (dpm != null && dpmi != null) {
+ final ComponentName deviceOwnerComponentName = dpm.getDeviceOwnerComponent(
+ /* callingUserOnly =*/ false);
+ final String deviceOwnerPackageName = deviceOwnerComponentName == null ? null
+@@ -3385,17 +3388,31 @@ public class PackageManagerService implements PackageSender, TestUtilityService
+ return true;
+ }
+ // Does it contain a device admin for any user?
+- int[] users;
++ int[] allUsers = mUserManager.getUserIds();
++ int[] targetUsers;
+ if (userId == UserHandle.USER_ALL) {
+- users = mUserManager.getUserIds();
++ targetUsers = allUsers;
+ } else {
+- users = new int[]{userId};
++ targetUsers = new int[]{userId};
+ }
+- for (int i = 0; i < users.length; ++i) {
+- if (dpm.packageHasActiveAdmins(packageName, users[i])) {
++
++ for (int i = 0; i < targetUsers.length; ++i) {
++ if (dpm.packageHasActiveAdmins(packageName, targetUsers[i])) {
+ return true;
+ }
+- if (isDeviceManagementRoleHolder(packageName, users[i])) {
++ }
++
++ // If a package is DMRH on a managed user, it should also be treated as an admin on
++ // that user. If that package is also a system package, it should also be protected
++ // on other users otherwise "uninstall updates" on an unmanaged user may break
++ // management on other users because apk version is shared between all users.
++ var packageState = snapshotComputer().getPackageStateInternal(packageName);
++ if (packageState == null) {
++ return false;
++ }
++ for (int user : packageState.isSystem() ? allUsers : targetUsers) {
++ if (isDeviceManagementRoleHolder(packageName, user)
++ && dpmi.isUserOrganizationManaged(user)) {
+ return true;
+ }
+ }
+--
+2.46.1.824.gd892dcdcdd-goog
+ 
diff --git a/aosp_diff/preliminary/packages/apps/Car/Launcher/0001-DO-NOT-MERGE-Stop-reading-component-name-from-call-e.patch b/aosp_diff/preliminary/packages/apps/Car/Launcher/0001-DO-NOT-MERGE-Stop-reading-component-name-from-call-e.patch
new file mode 100644
index 0000000000..33f324eae7
--- /dev/null
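Review bot: Changing the outer test to `if (dpm != null && dpmi != null)` widens the effect of a missing DevicePolicyManagerInternal: when only `dpmi` is null the whole block is skipped, so the device-owner comparison and the `packageHasActiveAdmins` loop, which previously needed only `dpm`, no longer run and the package is reported as not an admin at all. Keep the outer condition as `if (dpm != null) {` and test the local service where it is consumed: `if (isDeviceManagementRoleHolder(packageName, user) && dpmi != null && dpmi.isUserOrganizationManaged(user)) {`. The `return false` for a null packageState sits inside the try block and short-circuits the remaining checks, so a comment such as `// not installed at all: nothing to protect` would make that deliberate. `var packageState` is the only inferred-type local in a method that otherwise spells its types out. isPackageDeviceAdmin continues past the end of the hunk.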
+++ b/aosp_diff/preliminary/packages/apps/Car/Launcher/0001-DO-NOT-MERGE-Stop-reading-component-name-from-call-e.patch 
@@ -0,0 +1,63 @@
+From f7b7923052dd93458e66a75da7576c57482df823 Mon Sep 17 00:00:00 2001
+From: Yiqun Wu
+Date: Mon, 24 Jun 2024 19:50:11 +0000
+Subject: [PATCH] DO NOT MERGE: Stop reading component name from call extras
+
+Bug: 335585728
+Test: mma
+Change-Id: I3f500a35a4615843601a1d6284d5de6d32b3d300
+Merged-In: I3f500a35a4615843601a1d6284d5de6d32b3d300
+---
+ .../homescreen/audio/InCallModel.java | 29 +++++++------------
+ 1 file changed, 10 insertions(+), 19 deletions(-)
+
+diff --git a/src/com/android/car/carlauncher/homescreen/audio/InCallModel.java b/src/com/android/car/carlauncher/homescreen/audio/InCallModel.java
+index a36c0409..bbd5da37 100644
+--- a/src/com/android/car/carlauncher/homescreen/audio/InCallModel.java
++++ b/src/com/android/car/carlauncher/homescreen/audio/InCallModel.java
+@@ -26,7 +26,6 @@ import android.content.Intent;
+ import android.content.pm.ApplicationInfo;
+ import android.content.pm.PackageManager;
+ import android.graphics.drawable.Drawable;
+-import android.os.Bundle;
+ import android.telecom.Call;
+ import android.telecom.CallAudioState;
+ import android.telecom.PhoneAccountHandle;
+@@ -169,24 +168,16 @@ public class InCallModel implements AudioModel, InCallServiceImpl.InCallListener
+ public Intent getIntent() {
+ Intent intent = null;
+ if (isSelfManagedCall()) {
+- Bundle extras = mCurrentCall.getDetails().getExtras();
+- ComponentName componentName = extras == null ? null : extras.getParcelable(
+- Intent.EXTRA_COMPONENT_NAME, ComponentName.class);
+- if (componentName != null) {
+- intent = new Intent();
+- intent.setComponent(componentName);
+- } else {
+- String callingAppPackageName = getCallingAppPackageName();
+- if (!TextUtils.isEmpty(callingAppPackageName)) {
+- if (isCarAppCallingService(callingAppPackageName)) {
+- intent = new Intent();
+- intent.setComponent(
+- new ComponentName(
+- callingAppPackageName, CAR_APP_ACTIVITY_INTERFACE));
+- intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+- } else {
+- intent = mPackageManager.getLaunchIntentForPackage(callingAppPackageName);
+- }
++ String callingAppPackageName = getCallingAppPackageName();
++ if (!TextUtils.isEmpty(callingAppPackageName)) {
++ if (isCarAppCallingService(callingAppPackageName)) {
++ intent = new Intent();
++ intent.setComponent(
++ new ComponentName(
++ callingAppPackageName, CAR_APP_ACTIVITY_INTERFACE));
++ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
++ } else {
++ intent = mPackageManager.getLaunchIntentForPackage(callingAppPackageName);
+ }
+ }
+ } else {
+--
+2.34.1
+ 
diff --git a/aosp_diff/preliminary/packages/modules/Bluetooth/0010-Fix-an-authentication-bypass-bug-in-SMP.bulletin.patch b/aosp_diff/preliminary/packages/modules/Bluetooth/0010-Fix-an-authentication-bypass-bug-in-SMP.patch
similarity index 100%
rename from aosp_diff/preliminary/packages/modules/Bluetooth/0010-Fix-an-authentication-bypass-bug-in-SMP.bulletin.patch
rename to aosp_diff/preliminary/packages/modules/Bluetooth/0010-Fix-an-authentication-bypass-bug-in-SMP.patch
diff --git a/aosp_diff/preliminary/packages/modules/Bluetooth/0013-Fix-OOB-write-in-build_read_multi_rsp-of-gatt_sr-cc.bulletin.patch b/aosp_diff/preliminary/packages/modules/Bluetooth/0013-Fix-OOB-write-in-build_read_multi_rsp-of-gatt_sr-cc.bulletin.patch
new file mode 100644
index 0000000000..3f83ace6f4
--- /dev/null
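Review bot: The rewritten `if (isSelfManagedCall())` branch of getIntent() no longer records why the component-name-from-extras path was dropped, and nothing stops a later change from reintroducing it; a comment at the top of the branch, e.g. `// The launch target is derived only from the calling app's package; call extras are populated by the remote app and are not a trusted source for a ComponentName`, would preserve the reason. The two remaining branches still differ in that only the car-app path sets `Intent.FLAG_ACTIVITY_NEW_TASK`, which predates this change but now stands out more. getIntent() continues past the end of the hunk.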
+++ b/aosp_diff/preliminary/packages/modules/Bluetooth/0013-Fix-OOB-write-in-build_read_multi_rsp-of-gatt_sr-cc.bulletin.patch 
@@ -0,0 +1,59 @@
+From bfe316cf9f026d5b48bcfb2f457685b537baa9a3 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Thu, 16 May 2024 20:47:44 +0000
+Subject: [PATCH] Fix OOB write in build_read_multi_rsp of gatt_sr.cc
+
+build_read_multi_rsp is missing a bounds check, which can lead to an
+OOB write when the mtu parameter is set to zero.
+
+Add that bounds check.
+
+Bug: 323850943
+Test: atest GattSrTest
+Test: researcher POC
+Tag: #security
+Flag: EXEMPT trivial validity checks
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cad927034a371b82a4a07a16ec442eb261f6153f)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e5ab6c617683a00c4e2996f1bc15c4c6e7f70f48)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d5c170681e728ec3b72f6f0799207b2f7e5ea1d)
+Merged-In: I18e4325dbc9d6814220332288c85b114d0415c2f
+Change-Id: I18e4325dbc9d6814220332288c85b114d0415c2f
+---
+ system/stack/eatt/eatt.h | 1 +
+ system/stack/gatt/gatt_sr.cc | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/system/stack/eatt/eatt.h b/system/stack/eatt/eatt.h
+index a029395a6f..ba1d47a627 100644
+--- a/system/stack/eatt/eatt.h
++++ b/system/stack/eatt/eatt.h
+@@ -99,6 +99,7 @@ class EattChannel {
+ 
+ void EattChannelSetTxMTU(uint16_t tx_mtu) {
+ this->tx_mtu_ = std::min(tx_mtu, EATT_MAX_TX_MTU);
++ this->tx_mtu_ = std::max(this->tx_mtu_, EATT_MIN_MTU_MPS);
+ }
+ };
+ 
+diff --git a/system/stack/gatt/gatt_sr.cc b/system/stack/gatt/gatt_sr.cc
+index ad8f254054..8fc378703c 100644
+--- a/system/stack/gatt/gatt_sr.cc
++++ b/system/stack/gatt/gatt_sr.cc
+@@ -149,6 +149,13 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
+ uint8_t* p;
+ bool is_overflow = false;
+ 
++ // We need at least one extra byte for the opcode
++ if (mtu == 0) {
++ LOG(ERROR) << "Invalid MTU";
++ p_cmd->status = GATT_ILLEGAL_PARAMETER;
++ return;
++ }
++
+ len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
+ BT_HDR* p_buf = (BT_HDR*)osi_calloc(len);
+ p_buf->offset = L2CAP_MIN_OFFSET;
+--
+2.46.1.824.gd892dcdcdd-goog
+ 
diff --git a/aosp_diff/preliminary/packages/modules/Bluetooth/0014-Fix-GATT-Read-Multiple-Variable-Response-builder.bulletin.patch b/aosp_diff/preliminary/packages/modules/Bluetooth/0014-Fix-GATT-Read-Multiple-Variable-Response-builder.bulletin.patch
new file mode 100644
index 0000000000..61dcb41c2c
--- /dev/null
+++ b/aosp_diff/preliminary/packages/modules/Bluetooth/0014-Fix-GATT-Read-Multiple-Variable-Response-builder.bulletin.patch
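Review bot: The new comment `// We need at least one extra byte for the opcode` describes a stronger requirement than the guard beneath it enforces, since `if (mtu == 0)` still lets an MTU of 1 through with room for the opcode and nothing else, which is presumably handled by the length arithmetic further down, outside the hunk; the comment should state what is actually rejected, e.g. `// mtu == 0 leaves no room even for the opcode; refuse rather than build a response into an undersized buffer`. The early return sets `p_cmd->status = GATT_ILLEGAL_PARAMETER` without allocating a response buffer, so the caller must be prepared for a status-only outcome, which is not visible here and worth confirming. In eatt.h the two-step min/max on `tx_mtu_` reads more directly as one clamp, `this->tx_mtu_ = std::clamp(tx_mtu, EATT_MIN_MTU_MPS, EATT_MAX_TX_MTU);`, provided both constants share tx_mtu's type as the existing std::min call already requires. build_read_multi_rsp continues past the end of the hunk.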
@@ -0,0 +1,40 @@
+From ec76dc86a8e9a7c084abde140356d024c94109d3 Mon Sep 17 00:00:00 2001
+From: Jakub Pawlowski
+Date: Thu, 1 Aug 2024 00:18:25 +0200
+Subject: [PATCH] Fix "GATT Read Multiple Variable Response" builder
+
+0 length value is perfectly fine, and should result in just length
+added into the packet.
+Currently, for 0 length value we just break out of loop, and don't add
+any value.
+This means, that if first characetristic in response had 0 length, we
+would return empty packet.
+
+Ignore-AOSP-First: security fix
+Test: mma -j32;
+Bug: 352696105
+Bug: 356886209
+Flag: exempt, obvious logic fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ba907afffe1fdc00570f935ce3563d28ea45f5cd)
+Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+---
+ system/stack/gatt/gatt_sr.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/system/stack/gatt/gatt_sr.cc b/system/stack/gatt/gatt_sr.cc
+index 8fc378703c..3b3fb342a7 100644
+--- a/system/stack/gatt/gatt_sr.cc
++++ b/system/stack/gatt/gatt_sr.cc
+@@ -199,7 +199,7 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
+ 
+ len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
+ 
+- if (len == 0) {
++ if (total_len == mtu && p_rsp->attr_value.len > 0) {
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
+ break;
+ }
+--
+2.46.1.824.gd892dcdcdd-goog
+ 
diff --git a/aosp_diff/preliminary/packages/modules/Bluetooth/0015-Encrypt-LE-link-immediately-on-reconnection.bulletin.patch b/aosp_diff/preliminary/packages/modules/Bluetooth/0015-Encrypt-LE-link-immediately-on-reconnection.bulletin.patch
new file mode 100644
index 0000000000..f5d8534580
--- /dev/null
+++ b/aosp_diff/preliminary/packages/modules/Bluetooth/0015-Encrypt-LE-link-immediately-on-reconnection.bulletin.patch
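Review bot: The new condition `total_len == mtu && p_rsp->attr_value.len > 0` restates, in terms of `total_len`, what the line just above has already folded into `len`, so the skip now reads as an unrelated rule; `if (len == 0 && p_rsp->attr_value.len > 0) {` says the same thing ("there is a value but no room for it") directly, assuming the earlier check above the hunk guarantees total_len never exceeds mtu. A comment would also record the behaviour the commit message describes: `// a zero-length value is legal and still gets its length field; only skip when a non-empty value has no room`. The enclosing loop and build_read_multi_rsp itself lie outside the hunk.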
@@ -0,0 +1,46 @@ +From 796182896347292a3cd2757d2074c792117539c5 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Wed, 4 Sep 2024 21:54:22 +0000 +Subject: [PATCH] Encrypt LE link immediately on reconnection + +LE link must be encrypted immediately on connection if device are +already bonded. + +This is a backport of ag/29056565, but the code needs to go in a +different location because that patch relies on recent feature work. + +Ignore-AOSP-First: security +Test: mmm packages/modules/Bluetooth +Bug: 288144143 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0064c0b351fc0902ebbf7bff2e84ce888abb396e) +Merged-In: I7147c837ecab6c67943fc6fd78a9949f3381df62 +Change-Id: I7147c837ecab6c67943fc6fd78a9949f3381df62 +--- + system/stack/acl/btm_acl.cc | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/system/stack/acl/btm_acl.cc b/system/stack/acl/btm_acl.cc +index 75e3fcda89..33515d6ced 100644 +--- a/system/stack/acl/btm_acl.cc ++++ b/system/stack/acl/btm_acl.cc +@@ -1140,6 +1140,17 @@ void StackAclBtmAcl::btm_establish_continue(tACL_CONN* p_acl) { + ADDRESS_TO_LOGGABLE_CSTR(p_acl->RemoteAddress())); + } + btm_set_link_policy(p_acl, btm_cb.acl_cb_.DefaultLinkPolicy()); ++ } else if (p_acl->is_transport_ble()) { ++ tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_acl->remote_addr); ++ ++ if (p_dev_rec == nullptr) { ++ LOG_WARN("No security record for %s", ++ ADDRESS_TO_LOGGABLE_CSTR(p_acl->RemoteAddress())); ++ } else if (p_dev_rec->is_le_link_key_known()) { ++ btm_ble_set_encryption( ++ p_acl->remote_addr, BTM_BLE_SEC_ENCRYPT, ++ p_dev_rec->role_central ? HCI_ROLE_CENTRAL : HCI_ROLE_PERIPHERAL); ++ } + } + NotifyAclLinkUp(*p_acl); + } +-- +2.46.1.824.gd892dcdcdd-goog + diff --git a/aosp_diff/preliminary/packages/modules/Bluetooth/0016-Fix-OOB-writes-in-gatt_sr-cc.bulletin.patch b/aosp_diff/preliminary/packages/modules/Bluetooth/0016-Fix-OOB-writes-in-gatt_sr-cc.bulletin.patch new file mode 100644 index 0000000000..f00bd55472 
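Review bot: The return status of `btm_ble_set_encryption(...)` in the new `else if (p_acl->is_transport_ble())` branch is discarded, so a rejected or failed encryption request leaves a bonded LE link unencrypted with no trace in the log, which defeats the purpose of the patch exactly when it matters. Capture it and warn on anything other than success or pending, e.g. `tBTM_STATUS status = btm_ble_set_encryption(...); if (status != BTM_SUCCESS && status != BTM_CMD_STARTED) LOG_WARN("LE encryption request failed for %s: %d", ADDRESS_TO_LOGGABLE_CSTR(p_acl->RemoteAddress()), status);` (confirm the exact status values this function returns). The lookup uses `p_acl->remote_addr` while the log line beside it uses `p_acl->RemoteAddress()`; pick one accessor for the new branch. btm_establish_continue starts and ends outside the hunk.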
--- /dev/null
+++ b/aosp_diff/preliminary/packages/modules/Bluetooth/0016-Fix-OOB-writes-in-gatt_sr-cc.bulletin.patch
@@ -0,0 +1,86 @@ +From c7468e64bb5e821563a910ccd8e5693c179c9da4 Mon Sep 17 00:00:00 2001 +From: Brian Delwiche +Date: Thu, 12 Sep 2024 17:26:55 +0000 +Subject: [PATCH] Fix OOB writes in gatt_sr.cc + +At various points in gatt_sr.cc, the output of the +gatt_tcb_get_payload_size function is used without checking for a +positive length. However, in exceptional cases it is possible for the +channel to be closed at the time the function is called, which will lead +to a zero length and cause an OOB write in subsequent processing. + +Fix all of these. + +Bug: 364026473 +Bug: 364027038 +Bug: 364027949 +Bug: 364025411 +Test: m libbluetooth +Test: researcher POC +Flag: EXEMPT trivial validity checks +Tag: #security +Ignore-AOSP-First: Security +(cherry picked from commit 7de5617f7d5266fe57c990c428621b5d4e92728a) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:130861eadc3d9eda593df949666e561dd1f020fc) +Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404 +Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404 +--- + system/stack/gatt/gatt_sr.cc | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/system/stack/gatt/gatt_sr.cc b/system/stack/gatt/gatt_sr.cc +index 3b3fb342a7..46aa4bb469 100644 +--- a/system/stack/gatt/gatt_sr.cc ++++ b/system/stack/gatt/gatt_sr.cc +@@ -734,6 +734,11 @@ void gatts_process_primary_service_req(tGATT_TCB& tcb, uint16_t cid, + + uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, cid); + ++ // This can happen if the channel is already closed. ++ if (payload_size == 0) { ++ return; ++ } ++ + uint16_t msg_len = + (uint16_t)(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET); + BT_HDR* p_msg = (BT_HDR*)osi_calloc(msg_len); +@@ -769,6 +774,12 @@ static void gatts_process_find_info(tGATT_TCB& tcb, uint16_t cid, + } + + uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, cid); ++ ++ // This can happen if the channel is already closed. 
++ if (payload_size == 0) { ++ return; ++ } ++ + uint16_t buf_len = + (uint16_t)(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET); + +@@ -909,6 +920,11 @@ static void gatts_process_read_by_type_req(tGATT_TCB& tcb, uint16_t cid, + + uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, cid); + ++ // This can happen if the channel is already closed. ++ if (payload_size == 0) { ++ return; ++ } ++ + size_t msg_len = sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET; + BT_HDR* p_msg = (BT_HDR*)osi_calloc(msg_len); + uint8_t* p = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET; +@@ -1056,6 +1072,11 @@ static void gatts_process_read_req(tGATT_TCB& tcb, uint16_t cid, + uint8_t* p_data) { + uint16_t payload_size = gatt_tcb_get_payload_size_tx(tcb, cid); + ++ // This can happen if the channel is already closed. ++ if (payload_size == 0) { ++ return; ++ } ++ + size_t buf_len = sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET; + uint16_t offset = 0; + +-- +2.46.1.824.gd892dcdcdd-goog +
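Review bot: The four new `if (payload_size == 0) { return; }` guards drop the request silently, so a request racing a channel close leaves no trace in the log, unlike the VLOG/LOG_WARN style used elsewhere in this file; add a line such as `LOG_WARN("Zero payload size on cid %d; channel closed?", cid);` before each return (`cid` is visible in each handler's signature). The guard also rejects exactly zero only; if the code after it subtracts the opcode byte or other header bytes from `payload_size` before using it as a buffer bound, a value of 1 or 2 would still underflow, so comparing against the minimum size each handler needs would be a tighter check — worth verifying against each handler's body, which lies outside the hunk. The same three-line block is repeated verbatim four times; a small helper or a single check in the dispatcher before these handlers are invoked would keep the fix in one place. All four enclosing functions start and end outside the hunk.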