diff --git a/Patches/LineageOS-14.1/android_external_expat/348649.patch b/Patches/LineageOS-14.1/android_external_expat/348649.patch
new file mode 100644
index 00000000..5016aa8b
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_external_expat/348649.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi
+Date: Wed, 16 Nov 2022 16:31:05 +0000
+Subject: [PATCH] Fix overeager DTD destruction (fixes #649)
+
+Bug: http://b/255449293
+Test: TreeHugger
+Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
+(cherry picked from commit eb8f10fb1f4eb13c5a2ba1edbfd64b5f2a50ff4a)
+Merged-In: I15ba529c07a6b868484bd5972be154c07cd97cc6
+---
+ lib/xmlparse.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 956c2677..57c93e05 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -855,6 +855,14 @@ parserCreate(const XML_Char *encodingName,
+ parserInit(parser, encodingName);
+
+ if (encodingName && !protocolEncodingName) {
++ if (dtd) {
++ // We need to stop the upcoming call to XML_ParserFree from happily
++ // destroying parser->m_dtd because the DTD is shared with the parent
++ // parser and the only guard that keeps XML_ParserFree from destroying
++ // parser->m_dtd is parser->m_isParamEntity but it will be set to
++ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
++ _dtd = NULL;
++ }
+ XML_ParserFree(parser);
+ return NULL;
+ }
diff --git a/Patches/LineageOS-14.1/android_frameworks_base/348650.patch b/Patches/LineageOS-14.1/android_frameworks_base/348650.patch
new file mode 100644
index 00000000..7354bd80
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_base/348650.patch
@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jackal Guo
+Date: Tue, 25 Oct 2022 15:03:55 +0800
+Subject: [PATCH] Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
+
+This action should be only broadcasted when the user data is cleared
+successfully. Broadcasting this action when failed case may result in
+unexpected result.
+
+Bug: 240267890
+Test: manually using the PoC in the buganizer to ensure the symptom
+ no longer exists.
+Change-Id: I0bb612627c81a2f2d7e3dbf53ea891ee49cf734b
+(cherry picked from commit 8b2e092146c7ab5c2952818dab6dcb6af9c417ce)
+Merged-In: I0bb612627c81a2f2d7e3dbf53ea891ee49cf734b
+---
+ .../android/server/am/ActivityManagerService.java | 14 ++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 4e48f422a2fe..4b7cb9bac5af 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -5746,12 +5746,14 @@ public final class ActivityManagerService extends ActivityManagerNative
+ finishForceStopPackageLocked(packageName, pkgUidF);
+ }
+
+- final Intent intent = new Intent(Intent.ACTION_PACKAGE_DATA_CLEARED,
+- Uri.fromParts("package", packageName, null));
+- intent.putExtra(Intent.EXTRA_UID, pkgUidF);
+- intent.putExtra(Intent.EXTRA_USER_HANDLE, UserHandle.getUserId(pkgUidF));
+- broadcastIntentInPackage("android", Process.SYSTEM_UID, intent,
+- null, null, 0, null, null, null, null, false, false, userIdF);
++ if (succeeded) {
++ final Intent intent = new Intent(Intent.ACTION_PACKAGE_DATA_CLEARED,
++ Uri.fromParts("package", packageName, null));
++ intent.putExtra(Intent.EXTRA_UID, pkgUidF);
++ intent.putExtra(Intent.EXTRA_USER_HANDLE, UserHandle.getUserId(pkgUidF));
++ broadcastIntentInPackage("android", Process.SYSTEM_UID, 
intent,
++ null, null, 0, null, null, null, null, false, false, userIdF);
++ }
+
+ if (observer != null) {
+ observer.onRemoveCompleted(packageName, succeeded);
diff --git a/Patches/LineageOS-14.1/android_frameworks_base/348651.patch b/Patches/LineageOS-14.1/android_frameworks_base/348651.patch
new file mode 100644
index 00000000..1e22754f
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_frameworks_base/348651.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev
+Date: Tue, 22 Nov 2022 22:54:01 +0000
+Subject: [PATCH] Convert argument to intent in ChooseTypeAndAccountActivity
+
+Bug: 244154558
+Test: manual
+Change-Id: I5a86639cd571e14e9a9f5d5ded631b5a7c08db7e
+(cherry picked from commit ede0a767c26f144e38b4a0c1c2f530b05ffd29a8)
+Merged-In: I5a86639cd571e14e9a9f5d5ded631b5a7c08db7e
+---
+ core/java/android/accounts/ChooseTypeAndAccountActivity.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/java/android/accounts/ChooseTypeAndAccountActivity.java b/core/java/android/accounts/ChooseTypeAndAccountActivity.java
+index ca4a60e980b8..79cb17231525 100644
+--- a/core/java/android/accounts/ChooseTypeAndAccountActivity.java
++++ b/core/java/android/accounts/ChooseTypeAndAccountActivity.java
+@@ -378,7 +378,7 @@ public class ChooseTypeAndAccountActivity extends Activity
+ mExistingAccounts = AccountManager.get(this).getAccountsForPackage(mCallingPackage,
+ mCallingUid);
+ intent.setFlags(intent.getFlags() & ~Intent.FLAG_ACTIVITY_NEW_TASK);
+- startActivityForResult(intent, REQUEST_ADD_ACCOUNT);
++ startActivityForResult(new Intent(intent), REQUEST_ADD_ACCOUNT);
+ return;
+ }
+ } catch (OperationCanceledException e) {
diff --git a/Patches/LineageOS-14.1/android_packages_apps_Bluetooth/348652.patch b/Patches/LineageOS-14.1/android_packages_apps_Bluetooth/348652.patch
new file mode 100644
index 00000000..63224cc5
--- /dev/null
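Review bot: The new `if (succeeded)` guard around the ACTION_PACKAGE_DATA_CLEARED broadcast carries no comment, so a later reader only sees that the failure path stopped announcing and has to dig up the commit message to learn why. Suggest placing `// Only announce ACTION_PACKAGE_DATA_CLEARED when the wipe actually succeeded; receivers may act on it as if the data were gone.` directly above the guard. `succeeded`, `observer` and the enclosing method's start and end are all outside the hunk.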
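Review bot: `new Intent(intent)` on the replaced line reads like a pointless copy, and nothing in the hunk says why it is there, so the next cleanup is likely to revert it. Suggest `// Re-wrap as a plain Intent so the concrete Intent object we were handed is not the one passed to startActivityForResult.` on the line above the call; where `intent` comes from is above the hunk, so confirm the comment's wording against its origin. The copy constructor carries the flags across, so the preceding `setFlags` line still takes effect on the copy; the enclosing method starts and ends outside the hunk.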
+++ b/Patches/LineageOS-14.1/android_packages_apps_Bluetooth/348652.patch 
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Tue, 8 Nov 2022 23:32:46 +0000
+Subject: [PATCH] Fix OPP comparison
+
+isBluetoothShareUri_correctlyCheckUri (under
+com.android.bluetooth.opp.BluetoothOppUtilityTest) is failing
+on null input due to an incorrect comparison in
+isBluetoothShareUri. Change the comparison to one which can
+cope with null input.
+
+Bug: 257190999
+Test: atest: BluetoothOppUtilityTest
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: Ia6a08e7092c2084e1816b782317c13254e78719b
+(cherry picked from commit 90dc6fcdcba6c0c2b0f9bdaad28457a81c9af4ba)
+Merged-In: Ia6a08e7092c2084e1816b782317c13254e78719b
+---
+ src/com/android/bluetooth/opp/BluetoothOppUtility.java | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+index 3a4959fcd..365dfcc81 100644
+--- a/src/com/android/bluetooth/opp/BluetoothOppUtility.java
++++ b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+@@ -56,6 +56,7 @@ import java.io.File;
+ import java.io.IOException;
+ import java.util.ArrayList;
+ import java.util.List;
++import java.util.Objects;
+ import java.util.concurrent.ConcurrentHashMap;
+
+ import android.support.v4.content.FileProvider;
+@@ -72,10 +73,10 @@ public class BluetoothOppUtility {
+
+ public static boolean isBluetoothShareUri(Uri uri) {
+ if (uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString())
+- && !uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority())) {
++ && !Objects.equals(uri.getAuthority(), BluetoothShare.CONTENT_URI.getAuthority())) {
+ EventLog.writeEvent(0x534e4554, "225880741", -1, "");
+ }
+- return uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority());
++ return Objects.equals(uri.getAuthority(), BluetoothShare.CONTENT_URI.getAuthority());
+ }
+
+ public static BluetoothOppTransferInfo 
queryRecord(Context context, Uri uri) {
diff --git a/Patches/LineageOS-14.1/android_packages_apps_Nfc/348653.patch b/Patches/LineageOS-14.1/android_packages_apps_Nfc/348653.patch
new file mode 100644
index 00000000..8d9b555f
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_packages_apps_Nfc/348653.patch
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Tue, 22 Nov 2022 15:49:11 -0800
+Subject: [PATCH] DO NOT MERGE OOBW in phNciNfc_MfCreateXchgDataHdr
+
+Bug: 246932269
+Test: Build ok
+Change-Id: I4dcd18da8b5145e218d070414da8997aff181364
+(cherry picked from commit 2e4dfa6c92de30907851914add6485f8b7920968)
+Merged-In: I4dcd18da8b5145e218d070414da8997aff181364
+---
+ nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+index 6c24bf83..91aec55c 100755
+--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
++++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+@@ -1528,6 +1528,12 @@ phNciNfc_MfCreateXchgDataHdr(phNciNfc_TransceiveInfo_t tTranscvInfo,
+ NFCSTATUS status = NFCSTATUS_SUCCESS;
+ uint8_t i = 0;
+
++ if (tTranscvInfo.tSendData.wLen > (MAX_BUFF_SIZE - 1))
++ {
++ android_errorWriteLog(0x534e4554, "246932269");
++ return NFCSTATUS_FAILED;
++ }
++
+ buff[i++] = phNciNfc_e_MfRawDataXchgHdr;
+ memcpy(&buff[i],tTranscvInfo.tSendData.pBuff,tTranscvInfo.tSendData.wLen);
+ *buffSz = i + tTranscvInfo.tSendData.wLen;
diff --git a/Patches/LineageOS-14.1/android_system_bt/348654.patch b/Patches/LineageOS-14.1/android_system_bt/348654.patch
new file mode 100644
index 00000000..df69e85a
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_system_bt/348654.patch
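Review bot: The switch to `Objects.equals` only makes the `getAuthority()` comparison null-safe; the first statement of `isBluetoothShareUri`, `uri.toString()`, still dereferences `uri`, so if the "null input" in the subject is the Uri itself the method throws before it reaches either new line. If a null Uri is a legal argument, add `if (uri == null) { return false; }` as the first statement; if it is not, state that in a `@param uri must be non-null` Javadoc line so the contract and the test expectation agree. The prefix-match-but-authority-mismatch branch still only logs and then falls through to the authority comparison, which is the behaviour the commit keeps.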
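Review bot: The new guard `wLen > (MAX_BUFF_SIZE - 1)` hard-codes the one header byte that `buff[i++]` writes below as a literal `- 1`, so the two will drift apart silently if the header ever grows; a comment on the check, `/* leave room for the one-byte Xchg header stored at buff[0] below */`, at least makes the coupling visible. The check also presumes `buff` is exactly MAX_BUFF_SIZE bytes and that `wLen` and MAX_BUFF_SIZE compare without a signed/unsigned promotion surprise — both declarations are outside the hunk, so confirm. The enclosing function starts before and ends after the hunk.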
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Tue, 27 Sep 2022 22:05:08 +0000
+Subject: [PATCH] Add bounds check in avdt_scb_act.cc
+
+Bug: 242535997
+Test: BT unit tests, validated against researcher POC
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4
+(cherry picked from commit eca4a3cdb0da240496341f546a57397434ec85dd)
+Merged-In: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4
+---
+ stack/avdt/avdt_scb_act.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/stack/avdt/avdt_scb_act.c b/stack/avdt/avdt_scb_act.c
+index f61abd626..5537c3d1d 100644
+--- a/stack/avdt/avdt_scb_act.c
++++ b/stack/avdt/avdt_scb_act.c
+@@ -1295,6 +1295,12 @@ void avdt_scb_hdl_write_req_no_frag(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data)
+ /* Add RTP header if required */
+ if ( !(p_data->apiwrite.opt & AVDT_DATA_OPT_NO_RTP) )
+ {
++ if (p_data->apiwrite.p_buf->offset < AVDT_MEDIA_HDR_SIZE)
++ {
++ android_errorWriteWithInfoLog(0x534e4554, "242535997", -1, NULL, 0);
++ return;
++ }
++
+ ssrc = avdt_scb_gen_ssrc(p_scb);
+
+ p_data->apiwrite.p_buf->len += AVDT_MEDIA_HDR_SIZE;
diff --git a/PrebuiltApps b/PrebuiltApps
index bf86ff13..f0d83f62 160000
--- a/PrebuiltApps
+++ b/PrebuiltApps
@@ -1 +1 @@
-Subproject commit bf86ff13f9f4e487bf3a38198589fc83ab7bc7f8
+Subproject commit f0d83f62a1485644e2d3967916171c1552612977
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index 80892e89..4c425b46 100644
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
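Review bot: The early `return` added after `android_errorWriteWithInfoLog` drops `p_data->apiwrite.p_buf` without releasing it, while the normal path visibly hands the buffer on (`len += AVDT_MEDIA_HDR_SIZE` and whatever follows); unless the caller frees the buffer on this path — the rest of `avdt_scb_hdl_write_req_no_frag` is outside the hunk, so confirm ownership — the rejected packet now leaks instead of overflowing. If this function owns the buffer, free it before returning, e.g. `osi_free(p_data->apiwrite.p_buf);` ahead of the `return;`, and add `/* not enough headroom to prepend the RTP media header */` on the guard so the reason for the rejection is visible. The enclosing function starts before and ends after the hunk.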
@@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2023-01-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-01 #XXX
+sed -i 's/2021-06-05/2023-02-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-02 #XXX
 fi;
 if enterAndClear "device/qcom/sepolicy"; then
@@ -93,6 +93,7 @@ if enterAndClear "external/expat"; then
 applyPatch "$DOS_PATCHES/android_external_expat/337987-backport.patch"; #n-asb-2022-09 Prevent XML_GetBuffer signed integer overflow
 applyPatch "$DOS_PATCHES/android_external_expat/337988-backport.patch"; #n-asb-2022-09 Prevent integer overflow in function doProlog
 applyPatch "$DOS_PATCHES/android_external_expat/337989-backport.patch"; #n-asb-2022-09 Prevent more integer overflows
+applyPatch "$DOS_PATCHES/android_external_expat/348649.patch"; #n-asb-2023-02 Fix overeager DTD destruction (fixes #649)
 fi;
 if enterAndClear "external/libavc"; then
@@ -175,6 +176,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/346948.patch"; #n-asb-2023-01 L
 applyPatch "$DOS_PATCHES/android_frameworks_base/346949.patch"; #n-asb-2023-01 Disable all A11yServices from an uninstalled package.
 applyPatch "$DOS_PATCHES/android_frameworks_base/346950.patch"; #n-asb-2023-01 Trim any long string inputs that come in to AutomaticZenRule
 applyPatch "$DOS_PATCHES/android_frameworks_base/346951.patch"; #n-asb-2023-01 Fix conditionId string trimming in AutomaticZenRule
+applyPatch "$DOS_PATCHES/android_frameworks_base/348650.patch"; #n-asb-2023-02 Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
+applyPatch "$DOS_PATCHES/android_frameworks_base/348651.patch"; #n-asb-2023-02 Convert argument to intent in ChooseTypeAndAccountActivity
 git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
 applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@@ -289,6 +292,7 @@ if enterAndClear "packages/apps/Bluetooth"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332451.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332452.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345525.patch"; #n-asb-2022-12 Fix URI check in BluetoothOppUtility.java
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/348652.patch"; #n-asb-2023-02 Fix OPP comparison
 fi;
 if enterAndClear "packages/apps/Contacts"; then
@@ -319,6 +323,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/315715.patch"; #n-asb-2021-09
 applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/328308.patch"; #n-asb-2022-04 Do not set default contactless application without user interaction
 applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332455.patch"; #n-asb-2022-06 OOB read in phNciNfc_RecvMfResp()
 applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/346953.patch"; #n-asb-2023-01 OOBW in Mfc_Transceive()
+applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/348653.patch"; #n-asb-2023-02 DO NOT MERGE OOBW in phNciNfc_MfCreateXchgDataHdr
 fi;
 if enterAndClear "packages/apps/PackageInstaller"; then
@@ -421,6 +426,7 @@ applyPatch "$DOS_PATCHES/android_system_bt/345529.patch"; #n-asb-2022-12 Add mis
 applyPatch "$DOS_PATCHES/android_system_bt/345530.patch"; #n-asb-2022-12 Add length check when copy AVDT and AVCT packet
 applyPatch "$DOS_PATCHES/android_system_bt/345531.patch"; #n-asb-2022-12 Fix integer overflow when parsing avrc response
 applyPatch "$DOS_PATCHES/android_system_bt/346952.patch"; #n-asb-2023-01 Once AT command is retrieved, return from method.
+applyPatch "$DOS_PATCHES/android_system_bt/348654.patch"; #n-asb-2023-02 Add bounds check in avdt_scb_act.cc
 applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)