From 7005ff0073d227fc455f54a052c755e600a89266 Mon Sep 17 00:00:00 2001 From: Tad Date: Mon, 11 Jun 2018 20:33:16 -0400 Subject: [PATCH] 15.1: Update CVE patchers + build fixes --- Scripts/Common/Functions.sh | 2 +- Scripts/LineageOS-14.1/Functions.sh | 3 +-- Scripts/LineageOS-14.1/Patch.sh | 2 +- .../CVE_Patchers/android_kernel_google_marlin.sh | 5 +---- .../CVE_Patchers/android_kernel_huawei_angler.sh | 3 +-- .../CVE_Patchers/android_kernel_lge_bullhead.sh | 3 +-- .../CVE_Patchers/android_kernel_moto_shamu.sh | 3 +-- Scripts/LineageOS-15.1/Functions.sh | 6 +++--- Scripts/LineageOS-15.1/Patch.sh | 1 + Scripts/LineageOS-15.1/Rebrand.sh | 1 + 10 files changed, 12 insertions(+), 17 deletions(-) diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh index abe8e351..833a5caa 100644 --- a/Scripts/Common/Functions.sh +++ b/Scripts/Common/Functions.sh @@ -190,7 +190,7 @@ hardenDefconfig() { #Enable supported options #Disabled: CONFIG_DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981) - declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_FORTIFY_SOURCE" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_HARDENED_USERCOPY" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_KAISER" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "CONFIG_PARTIALRESUME" "CONFIG_CRYPTO_DEV_QCRYPTO" "CONFIG_CRYPTO_PCRYPT") + declare -a optionsYes=("CONFIG_ARM64_SW_TTBR0_PAN" "CONFIG_BUG" "CONFIG_BUG_ON_DATA_CORRUPTION" "CONFIG_CC_STACKPROTECTOR" "CONFIG_CC_STACKPROTECTOR_STRONG" "CONFIG_CPU_SW_DOMAIN_PAN" "CONFIG_DEBUG_CREDENTIALS" "CONFIG_DEBUG_KERNEL" "CONFIG_DEBUG_LIST" "CONFIG_DEBUG_NOTIFIERS" "CONFIG_DEBUG_RODATA" "CONFIG_DEBUG_WX" "CONFIG_FORTIFY_SOURCE" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_HARDENED_USERCOPY" "CONFIG_IO_STRICT_DEVMEM" "CONFIG_KAISER" "CONFIG_LEGACY_VSYSCALL_NONE" "CONFIG_PAGE_POISONING" "CONFIG_PAGE_POISONING_NO_SANITY" "CONFIG_PAGE_POISONING_ZERO" "CONFIG_PAGE_TABLE_ISOLATION" "CONFIG_PANIC_ON_OOPS" "CONFIG_RANDOMIZE_BASE" "CONFIG_REFCOUNT_FULL" "CONFIG_RETPOLINE" "CONFIG_SCHED_STACK_END_CHECK" "CONFIG_SECCOMP" "CONFIG_SECCOMP_FILTER" "CONFIG_SECURITY" "CONFIG_SECURITY_PERF_EVENTS_RESTRICT" "CONFIG_SECURITY_YAMA" "CONFIG_SECURITY_YAMA_STACKED" "CONFIG_SLAB_FREELIST_RANDOM" "CONFIG_SLAB_HARDENED" "CONFIG_SLUB_DEBUG" "CONFIG_STRICT_DEVMEM" "CONFIG_STRICT_KERNEL_RWX" "CONFIG_STRICT_MEMORY_RWX" "CONFIG_SYN_COOKIES" "CONFIG_UNMAP_KERNEL_AT_EL0" "CONFIG_VMAP_STACK" "CONFIG_SECURITY_DMESG_RESTRICT" "CONFIG_SLAB_FREELIST_HARDENED" "CONFIG_GCC_PLUGINS" "CONFIG_GCC_PLUGIN_LATENT_ENTROPY" "CONFIG_GCC_PLUGIN_STRUCTLEAK" "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" "CONFIG_GCC_PLUGIN_RANDSTRUCT" "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "CONFIG_WLAN_FEATURE_MEMDUMP" "CONFIG_PARTIALRESUME" "CONFIG_CRYPTO_DEV_QCRYPTO" "CONFIG_CRYPTO_PCRYPT") for option in "${optionsYes[@]}" do sed -i 's/# '$option' is not set/'$option'=y/' $defconfigPath &>/dev/null || true; diff --git a/Scripts/LineageOS-14.1/Functions.sh b/Scripts/LineageOS-14.1/Functions.sh index 243c3f65..7c95f8a5 100644 --- a/Scripts/LineageOS-14.1/Functions.sh +++ b/Scripts/LineageOS-14.1/Functions.sh @@ -71,8 +71,7 @@ export -f buildAll; patchWorkspace() { if [ "$MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$prebuiltApps $base/build $base/device $base/vendor/cm"; fi; - source build/envsetup.sh; - repopick -t n_asb_06-2018; + #source build/envsetup.sh; source $scripts/Patch.sh; source $scripts/Defaults.sh; diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index 41277d54..90747373 100755 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh @@ -234,8 +234,8 @@ cd $base; #Fixes #Fix broken options enabled by hardenDefconfig() -sed -i "s/CONFIG_PARTIALRESUME=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/motorola/msm8992/arch/arm64/configs/*defconfig; #Breaks on compile sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/lge/msm8996/arch/arm64/configs/lineageos_*_defconfig; #Breaks on compile +sed -i "s/CONFIG_PARTIALRESUME=y/# CONFIG_PARTIALRESUME is not set/" kernel/motorola/msm8992/arch/arm64/configs/*defconfig; #Breaks on compile # #END OF DEVICE CHANGES # diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_marlin.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_marlin.sh index f1119bf7..e9a07e31 100644 --- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_marlin.sh +++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_marlin.sh @@ -90,8 +90,6 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0003.patch git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0005.patch git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0009.patch -git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-17806/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-18150/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-18161/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-18165/ANY/0001.patch @@ -101,7 +99,6 @@ git apply $cvePatchesLinux/CVE-2017-6348/^4.9/0001.patch git apply $cvePatchesLinux/CVE-2017-7371/3.18/0001.patch git apply $cvePatchesLinux/CVE-2017-7372/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-9707/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2018-5831/ANY/0001.patch git apply $cvePatchesLinux/Untracked/ANY/0002-ozwpan-Use-unsigned-ints-to-prevent-heap-overflow.patch git apply $cvePatchesLinux/Untracked/ANY/0005-tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch git apply $cvePatchesLinux/CVE-2016-5853/3.18/0002.patch @@ -110,5 +107,5 @@ git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0610/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-14883/ANY/0001.patch -editKernelLocalversion "-dos.p110" +editKernelLocalversion "-dos.p107" cd $base diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_huawei_angler.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_huawei_angler.sh index f59caca1..d90a454c 100644 --- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_huawei_angler.sh +++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_huawei_angler.sh @@ -90,7 +90,6 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0005.patch git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-17806/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-18161/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-18165/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-2618/3.10/0001.patch @@ -113,5 +112,5 @@ git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-15845/ANY/0001.patch -editKernelLocalversion "-dos.p113" +editKernelLocalversion "-dos.p112" cd $base diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_bullhead.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_bullhead.sh index 97b9c2fd..d9819b27 100644 --- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_bullhead.sh +++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_bullhead.sh @@ -83,7 +83,6 @@ git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0005.patch git apply $cvePatchesLinux/CVE-2017-16USB/ANY/0006.patch git apply $cvePatchesLinux/CVE-2017-17558/ANY/0001.patch -git apply $cvePatchesLinux/CVE-2017-17806/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-18161/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-18165/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-2618/3.10/0001.patch @@ -102,5 +101,5 @@ git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch git apply $cvePatchesLinux/Untracked/ANY/0008-nfsd-check-for-oversized-NFSv2-v3-arguments.patch git apply $cvePatchesLinux/CVE-2016-6693/ANY/0001.patch git apply $cvePatchesLinux/CVE-2016-6696/ANY/0001.patch -editKernelLocalversion "-dos.p102" +editKernelLocalversion "-dos.p101" cd $base diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_moto_shamu.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_moto_shamu.sh index 9a2bf64c..dd28f501 100644 --- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_moto_shamu.sh +++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_moto_shamu.sh @@ -13,7 +13,6 @@ git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0015.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0016.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0017.patch git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/3.10/0018.patch -git apply $cvePatchesLinux/0007-Copperhead-Kernel_Hardening/ANY/0003.patch git apply $cvePatchesLinux/CVE-2015-1420/3.2-^3.19/0001.patch git apply $cvePatchesLinux/CVE-2015-7515/^4.4/0002.patch git apply $cvePatchesLinux/CVE-2015-8215/ANY/0001.patch @@ -63,5 +62,5 @@ git apply $cvePatchesLinux/CVE-2018-3584/ANY/0001.patch git apply $cvePatchesLinux/LVT-2017-0003/3.10/0001.patch git apply $cvePatchesLinux/CVE-2016-2475/ANY/0001.patch git apply $cvePatchesLinux/CVE-2017-0750/ANY/0001.patch -editKernelLocalversion "-dos.p63" +editKernelLocalversion "-dos.p62" cd $base diff --git a/Scripts/LineageOS-15.1/Functions.sh b/Scripts/LineageOS-15.1/Functions.sh index b1f12505..92442f3f 100644 --- a/Scripts/LineageOS-15.1/Functions.sh +++ b/Scripts/LineageOS-15.1/Functions.sh @@ -56,14 +56,14 @@ buildAll() { #brunch lineage_clark-user; #requires blobs from https://androidfilehost.com/?w=files&flid=244563 and permissive and broken brunch lineage_angler-user; brunch lineage_bullhead-user; - brunch lineage_d802-user; - brunch lineage_d855-user; + brunch lineage_d802-user; #broken upstream - error: 'vendor/lge/g2-common/proprietary/vendor/etc/acdbdata/Bluetooth_cal.acdb' + brunch lineage_d855-user; #broken upstream - recovery updater brunch lineage_ether-user; brunch lineage_flo-user; brunch lineage_flounder-user; brunch lineage_griffin-user; #brunch lineage_h850-userdebug; - brunch lineage_hammerhead-user; + brunch lineage_hammerhead-user; #broken upstream - fatal error: 'linux/msm_audio_calibration.h' file not found brunch lineage_marlin-user; brunch lineage_m8-user; brunch lineage_sailfish-user; diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index 46b09d85..66138b96 100755 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -236,6 +236,7 @@ cd $base; #Fix broken options enabled by hardenDefconfig() sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile +sed -i "s/CONFIG_CRYPTO_DEV_QCRYPTO=y/# CONFIG_CRYPTO_DEV_QCRYPTO is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/lge/msm8996/arch/arm64/configs/lineageos_*_defconfig; #Breaks on compile sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/motorola/msm8996/arch/arm64/configs/*_defconfig; #Breaks on compile # diff --git a/Scripts/LineageOS-15.1/Rebrand.sh b/Scripts/LineageOS-15.1/Rebrand.sh index 1b6e3c53..56ee7915 100644 --- a/Scripts/LineageOS-15.1/Rebrand.sh +++ b/Scripts/LineageOS-15.1/Rebrand.sh @@ -21,6 +21,7 @@ echo "Rebranding..."; enter "bootable/recovery"; +git revert 6ac3bb48f9d10e604d4b2d6c4152be9d35d17ea0; patch -p1 < $patches"android_bootable_recovery/0001-Remove_Logo.patch"; #Remove logo rendering code rm res*/images/logo_image.png; #Remove logo images sed -i 's|Android Recovery|DivestOS Recovery|' *_ui.cpp;