projectceladon · AlamIntel · Nov 18, 2024
diff --git a/aosp_diff/preliminary/build/make/0009-Update-security_patch_level-string.patch b/aosp_diff/preliminary/build/make/0009-Update-security_patch_level-string.patch
@@ -21,7 +21,7 @@ index dba897a9c3..a2dae42533 100644
      #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
      #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
 -    PLATFORM_SECURITY_PATCH := 2024-02-05
-+    PLATFORM_SECURITY_PATCH := 2024-11-01
++    PLATFORM_SECURITY_PATCH := 2024-12-01
  endif
 
  include $(BUILD_SYSTEM)/version_util.mk

diff --git a/...iff/preliminary/external/skia/02_0002--pdf-Bounds-check-in-skia_alloc_func.bulletin.patch b/...iff/preliminary/external/skia/02_0002--pdf-Bounds-check-in-skia_alloc_func.bulletin.patch
@@ -0,0 +1,51 @@
+From b5543cb8c6b95623743016055220378efe73eb93 Mon Sep 17 00:00:00 2001
+From: Ben Wagner <[email protected]>
+Date: Mon, 12 Aug 2024 15:00:08 -0400
+Subject: [PATCH] [pdf] Bounds check in skia_alloc_func
+
+The allocator callback for zlib needs to check that items * size will
+fit in size_t and return nullptr if not.
+
+Conflicts:
+- src/pdf/SkDeflate.cpp: just in header includes
+
+Bug: 349678452
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/888996
+Commit-Queue: Ben Wagner <[email protected]>
+Reviewed-by: Brian Osman <[email protected]>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ac6d5834d4d701232e98745a58815fb2ac9cd75)
+Merged-In: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+Change-Id: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+---
+ src/pdf/SkDeflate.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/pdf/SkDeflate.cpp b/src/pdf/SkDeflate.cpp
+index f044c140fa..157f5164ee 100644
+--- a/src/pdf/SkDeflate.cpp
++++ b/src/pdf/SkDeflate.cpp
+@@ -9,6 +9,7 @@
+
+ #include "include/core/SkData.h"
+ #include "include/private/base/SkMalloc.h"
++#include "include/private/base/SkTFitsIn.h"
+ #include "include/private/base/SkTo.h"
+ #include "src/core/SkTraceEvent.h"
+
+@@ -21,6 +22,13 @@ namespace {
+ // Different zlib implementations use different T.
+ // We've seen size_t and unsigned.
+ template <typename T> void* skia_alloc_func(void*, T items, T size) {
++    if (!SkTFitsIn<size_t>(size)) {
++        return nullptr;
++    }
++    const size_t maxItems = SIZE_MAX / size;
++    if (maxItems < items) {
++        return nullptr;
++    }
+     return sk_calloc_throw(SkToSizeT(items) * SkToSizeT(size));
+ }
+
+-- 
+2.46.1.824.gd892dcdcdd-goog
+
diff --git a/...ia/03_0003-RESTRICT-AUTOMERGE-Check-for-size-overflow-before-allocating-Sk.bulletin.patch b/...ia/03_0003-RESTRICT-AUTOMERGE-Check-for-size-overflow-before-allocating-Sk.bulletin.patch
@@ -0,0 +1,38 @@
+From 796c2040f641bb287dba66c9823ce45e9f8b5807 Mon Sep 17 00:00:00 2001
+From: Brian Osman <[email protected]>
+Date: Thu, 29 Aug 2024 12:47:48 -0400
+Subject: [PATCH] RESTRICT AUTOMERGE: Check for size overflow before allocating
+ SkMask data
+
+Bug: 352631932
+Test: N/A -- not reproducible / speculative fix
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894478
+Commit-Queue: Ben Wagner <[email protected]>
+Reviewed-by: Ben Wagner <[email protected]>
+Auto-Submit: Brian Osman <[email protected]>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fa94ff39bee75fe3a4abf061c09b972e2ffd0fa)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbf6a5953623cdb0ef200bcba00bc43986b16c91)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a96bda269af74d90cf3993c4429ce9e673a5fc36)
+Merged-In: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+Change-Id: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+---
+ src/core/SkBlurMF.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/core/SkBlurMF.cpp b/src/core/SkBlurMF.cpp
+index cd3cd5f3d9..7de3653779 100644
+--- a/src/core/SkBlurMF.cpp
++++ b/src/core/SkBlurMF.cpp
+@@ -181,6 +181,9 @@ static bool prepare_to_draw_into_mask(const SkRect& bounds, SkMask* mask) {
+     mask->fRowBytes = SkAlign4(mask->fBounds.width());
+     mask->fFormat = SkMask::kA8_Format;
+     const size_t size = mask->computeImageSize();
++    if (size == 0) {
++        return false;
++    }
+     mask->fImage = SkMask::AllocImage(size, SkMask::kZeroInit_Alloc);
+     if (nullptr == mask->fImage) {
+         return false;
+-- 
+2.46.1.824.gd892dcdcdd-goog
+
diff --git a/...external/skia/04_0004-Prevent-overflow-when-growing-an-SkRegion-s-RunArray.bulletin.patch b/...external/skia/04_0004-Prevent-overflow-when-growing-an-SkRegion-s-RunArray.bulletin.patch
@@ -0,0 +1,38 @@
+From 8d355fe1d0795fc30b84194b87563f75c6f8f2a7 Mon Sep 17 00:00:00 2001
+From: Brian Osman <[email protected]>
+Date: Thu, 29 Aug 2024 11:52:35 -0400
+Subject: [PATCH] Prevent overflow when growing an SkRegion's RunArray
+
+Bug: 350118416
+Test: N/A -- speculative issue without repro case
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894836
+Reviewed-by: Robert Phillips <[email protected]>
+Commit-Queue: Brian Osman <[email protected]>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85802e6d648a7831a26cc856fa5e33da94ed23f0)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:521332e28acde551bb63dbd6829e7089d73533d8)
+Merged-In: Iea27fe62ef97deb8a75e8dae276657d809223b57
+Change-Id: Iea27fe62ef97deb8a75e8dae276657d809223b57
+---
+ src/core/SkRegion.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
+index 780a71c9ba..c46ffa44fe 100644
+--- a/src/core/SkRegion.cpp
++++ b/src/core/SkRegion.cpp
+@@ -55,8 +55,10 @@ public:
+     /** Resize the array to a size greater-than-or-equal-to count. */
+     void resizeToAtLeast(int count) {
+         if (count > fCount) {
+-            // leave at least 50% extra space for future growth.
+-            count += count >> 1;
++            // leave at least 50% extra space for future growth (unless adding would overflow)
++            SkSafeMath safe;
++            int newCount = safe.addInt(count, count >> 1);
++            count = safe ? newCount : SK_MaxS32;
+             fMalloc.realloc(count);
+             if (fPtr == fStack) {
+                 memcpy(fMalloc.get(), fStack, fCount * sizeof(SkRegionPriv::RunType));
+-- 
+2.46.1.824.gd892dcdcdd-goog
+
diff --git a/...74-Check-more-URIs-in-notifications.patch → ...more-URIs-in-notifications.bulletin.patch b/...74-Check-more-URIs-in-notifications.patch → ...more-URIs-in-notifications.bulletin.patch
diff --git a/...E-Clear-app-provided-shortcut-icons.patch → ...pp-provided-shortcut-icons.bulletin.patch b/...E-Clear-app-provided-shortcut-icons.patch → ...pp-provided-shortcut-icons.bulletin.patch
diff --git a/...eliminary/frameworks/base/79_0079-Block-clipboard-UI-when-device-is-locked.bulletin.patch b/...eliminary/frameworks/base/79_0079-Block-clipboard-UI-when-device-is-locked.bulletin.patch
@@ -0,0 +1,130 @@
+From 70eb75df7d342429c3ee225feb7c011df727442f Mon Sep 17 00:00:00 2001
+From: Miranda Kephart <[email protected]>
+Date: Fri, 16 Feb 2024 10:14:15 -0500
+Subject: [PATCH] Block clipboard UI when device is locked
+
+In some situations (see bug for details) it's possible to enter the
+clipboard even while the device is locked, and from there access the
+provided intents. Users should not be able to access intents from this
+state; this change adds an additional check before showing the interactive UI.
+
+The behavior is identical to what we do when user setup is not complete
+(b/251778420): we show a toast to note that content has been copied, but no interactive UI.
+
+Interactive UI is only blocked when device is locked (i.e. requiring pin
+entry/password/biometric/etc), not if the keyguard is up but trivially
+dismissable.
+
+Bug: 317048495
+Test: atest ClipboardListenerTest; verification using steps in linked
+bug as well as forcing text content to appear client-side, to verify
+that even if text content is received in the ClipboardListener, no
+interactive UI appears.
+
+(cherry picked from commit 2976ca86d5c5be558191a1fe706d4cd0d7ccdecb)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c9adc41c71a604da29fe01be79f4172473dfe1c6)
+Merged-In: I1a48cbe64852dce3fba69915ca11dad8878f66eb
+Change-Id: I1a48cbe64852dce3fba69915ca11dad8878f66eb
+---
+ .../clipboardoverlay/ClipboardListener.java    |  8 +++++++-
+ .../ClipboardListenerTest.java                 | 18 +++++++++++++++++-
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java b/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java
+index 63b4288ce055..f0a980e0a30c 100644
+--- a/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java
++++ b/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java
+@@ -24,6 +24,7 @@ import static com.android.systemui.clipboardoverlay.ClipboardOverlayEvent.CLIPBO
+
+ import static com.google.android.setupcompat.util.WizardManagerHelper.SETTINGS_SECURE_USER_SETUP_COMPLETE;
+
++import android.app.KeyguardManager;
+ import android.content.ClipData;
+ import android.content.ClipboardManager;
+ import android.content.Context;
+@@ -57,6 +58,7 @@ public class ClipboardListener implements
+     private final Provider<ClipboardOverlayController> mOverlayProvider;
+     private final ClipboardToast mClipboardToast;
+     private final ClipboardManager mClipboardManager;
++    private final KeyguardManager mKeyguardManager;
+     private final UiEventLogger mUiEventLogger;
+     private ClipboardOverlay mClipboardOverlay;
+
+@@ -65,11 +67,13 @@ public class ClipboardListener implements
+             Provider<ClipboardOverlayController> clipboardOverlayControllerProvider,
+             ClipboardToast clipboardToast,
+             ClipboardManager clipboardManager,
++            KeyguardManager keyguardManager,
+             UiEventLogger uiEventLogger) {
+         mContext = context;
+         mOverlayProvider = clipboardOverlayControllerProvider;
+         mClipboardToast = clipboardToast;
+         mClipboardManager = clipboardManager;
++        mKeyguardManager = keyguardManager;
+         mUiEventLogger = uiEventLogger;
+     }
+
+@@ -92,7 +96,9 @@ public class ClipboardListener implements
+             return;
+         }
+
+-        if (!isUserSetupComplete() // user should not access intents from this state
++        // user should not access intents before setup or while device is locked
++        if (mKeyguardManager.isDeviceLocked()
++                || !isUserSetupComplete()
+                 || clipData == null // shouldn't happen, but just in case
+                 || clipData.getItemCount() == 0) {
+             if (shouldShowToast(clipData)) {
+diff --git a/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java b/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java
+index 18515825967f..9d02c86cfa7a 100644
+--- a/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java
++++ b/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java
+@@ -27,6 +27,7 @@ import static org.mockito.Mockito.verify;
+ import static org.mockito.Mockito.verifyZeroInteractions;
+ import static org.mockito.Mockito.when;
+
++import android.app.KeyguardManager;
+ import android.content.ClipData;
+ import android.content.ClipDescription;
+ import android.content.ClipboardManager;
+@@ -59,6 +60,8 @@ public class ClipboardListenerTest extends SysuiTestCase {
+     @Mock
+     private ClipboardManager mClipboardManager;
+     @Mock
++    private KeyguardManager mKeyguardManager;
++    @Mock
+     private ClipboardOverlayController mOverlayController;
+     @Mock
+     private ClipboardToast mClipboardToast;
+@@ -96,7 +99,7 @@ public class ClipboardListenerTest extends SysuiTestCase {
+         when(mClipboardManager.getPrimaryClipSource()).thenReturn(mSampleSource);
+
+         mClipboardListener = new ClipboardListener(getContext(), mOverlayControllerProvider,
+-                mClipboardToast, mClipboardManager, mUiEventLogger);
++                mClipboardToast, mClipboardManager, mKeyguardManager, mUiEventLogger);
+     }
+
+
+@@ -190,6 +193,19 @@ public class ClipboardListenerTest extends SysuiTestCase {
+         verifyZeroInteractions(mOverlayControllerProvider);
+     }
+
++    @Test
++    public void test_deviceLocked_showsToast() {
++        when(mKeyguardManager.isDeviceLocked()).thenReturn(true);
++
++        mClipboardListener.start();
++        mClipboardListener.onPrimaryClipChanged();
++
++        verify(mUiEventLogger, times(1)).log(
++                ClipboardOverlayEvent.CLIPBOARD_TOAST_SHOWN, 0, mSampleSource);
++        verify(mClipboardToast, times(1)).showCopiedToast();
++        verifyZeroInteractions(mOverlayControllerProvider);
++    }
++
+     @Test
+     public void test_nullClipData_showsNothing() {
+         when(mClipboardManager.getPrimaryClip()).thenReturn(null);
+-- 
+2.46.1.824.gd892dcdcdd-goog
+
diff --git a/...rameworks/base/80_0080-Properly-handle-onNullBinding-in-appwidget-service-.bulletin.patch b/...rameworks/base/80_0080-Properly-handle-onNullBinding-in-appwidget-service-.bulletin.patch
@@ -0,0 +1,63 @@
+From ae43ac7f3d3d5112b0f54b5315a15b08208acf9c Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <[email protected]>
+Date: Thu, 29 Aug 2024 17:01:55 +0000
+Subject: [PATCH] Properly handle onNullBinding() in appwidget service.
+
+Bug: 340239088
+Test: manually verified with the PoC app
+Flag: EXEMPT CVE
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d406f4708e39d0da285da6cc11cc7aff30f75357)
+Merged-In: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+Change-Id: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+---
+ core/java/android/widget/RemoteViewsAdapter.java       |  5 +++++
+ .../android/server/appwidget/AppWidgetServiceImpl.java | 10 ++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/core/java/android/widget/RemoteViewsAdapter.java b/core/java/android/widget/RemoteViewsAdapter.java
+index 61a7599e8f73..26c146c46917 100644
+--- a/core/java/android/widget/RemoteViewsAdapter.java
++++ b/core/java/android/widget/RemoteViewsAdapter.java
+@@ -240,6 +240,11 @@ public class RemoteViewsAdapter extends BaseAdapter implements Handler.Callback
+             }
+         }
+
++        @Override
++        public void onNullBinding(ComponentName name) {
++            enqueueDeferredUnbindServiceMessage();
++        }
++
+         @Override
+         public void handleMessage(Message msg) {
+             RemoteViewsAdapter adapter = mAdapter.get();
+diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+index 2d60716104c1..4283d909e864 100644
+--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
++++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+@@ -1874,6 +1874,11 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+                 mContext.unbindService(this);
+             }
+
++            @Override
++            public void onNullBinding(ComponentName name) {
++                mContext.unbindService(this);
++            }
++
+             @Override
+             public void onServiceDisconnected(ComponentName name) {
+                 // Do nothing
+@@ -2014,6 +2019,11 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+                                 mContext.unbindService(this);
+                             }
+
++                            @Override
++                            public void onNullBinding(ComponentName name) {
++                                mContext.unbindService(this);
++                            }
++
+                             @Override
+                             public void onServiceDisconnected(android.content.ComponentName name) {
+                                 // Do nothing
+-- 
+2.46.1.824.gd892dcdcdd-goog
+