From a56e3a30169e5aaa74aecdd682a64adda41a9b58 Mon Sep 17 00:00:00 2001 From: Tad Date: Sat, 19 Mar 2022 15:46:00 -0400 Subject: [PATCH] Disable the bionic hardening patchset to fix boot issues 10+4 devices tested working with bionic hardening patches enabled but hammerhead and shamu do not boot... 2 of the patches were already found to have issues and disabled 3 other patches were ruled out: - Stop implicitly marking mappings as mergeable - Make __stack_chk_guard read-only at runtime - On 64-bit, zero the leading stack canary byte Leaves 11+1 patches remaining that need to be tested But I don't have either of the two known impacted devices. Signed-off-by: Tad --- Patches/Linux | 2 +- .../CVE_Patchers/android_kernel_samsung_universal8890.sh | 3 +-- .../CVE_Patchers/android_kernel_google_dragon.sh | 3 +-- .../CVE_Patchers/android_kernel_lge_msm8996.sh | 3 +-- .../CVE_Patchers/android_kernel_zte_msm8996.sh | 3 +-- .../CVE_Patchers/android_kernel_asus_msm8953.sh | 3 +-- .../CVE_Patchers/android_kernel_xiaomi_msm8937.sh | 3 +-- Scripts/LineageOS-16.0/Patch.sh | 4 ++-- .../CVE_Patchers/android_kernel_motorola_msm8996.sh | 3 +-- Scripts/LineageOS-17.1/Patch.sh | 4 ++-- .../CVE_Patchers/android_kernel_google_marlin.sh | 3 +-- .../CVE_Patchers/android_kernel_lge_msm8996.sh | 3 +-- .../CVE_Patchers/android_kernel_oneplus_msm8996.sh | 3 +-- Scripts/LineageOS-18.1/Patch.sh | 5 ++--- Scripts/init.sh | 2 +- 15 files changed, 18 insertions(+), 29 deletions(-) diff --git a/Patches/Linux b/Patches/Linux index e62615b4..9a960526 160000 --- a/Patches/Linux +++ b/Patches/Linux @@ -1 +1 @@ -Subproject commit e62615b4a06b1fc7b16a49e50a292553176d9ee8 +Subproject commit 9a960526a5d73ec6b619d4fca0d4073829916a82 diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_universal8890.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_universal8890.sh index 76ae094a..34ee1393 100644 --- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_universal8890.sh +++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_universal8890.sh @@ -25,7 +25,6 @@ git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/00 git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0036.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0041.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0043.patch -git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0045.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0046.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0050.patch git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0018.patch @@ -699,5 +698,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-14283/3.18/0004.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-0466/3.18/0003.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-29660/3.18/0007.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-37159/4.4/0006.patch -editKernelLocalversion "-dos.p699" +editKernelLocalversion "-dos.p698" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_dragon.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_dragon.sh index 5a67a35a..6f4445d8 100644 --- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_dragon.sh +++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_google_dragon.sh @@ -21,7 +21,6 @@ git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/00 git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0036.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0037.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0041.patch -git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0045.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0050.patch git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0018.patch git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.9/0041.patch @@ -662,5 +661,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-14283/3.18/0004.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-0466/3.18/0003.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-29660/3.18/0007.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-37159/4.4/0006.patch -editKernelLocalversion "-dos.p662" +editKernelLocalversion "-dos.p661" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8996.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8996.sh index f62f60c8..ccac347e 100644 --- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8996.sh +++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_lge_msm8996.sh @@ -23,7 +23,6 @@ git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/00 git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0041.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0042.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0043.patch -git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0045.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0046.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0050.patch git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0002.patch @@ -551,5 +550,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-14283/3.18/0004.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-0466/3.18/0003.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-29660/3.18/0007.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-37159/4.4/0006.patch -editKernelLocalversion "-dos.p551" +editKernelLocalversion "-dos.p550" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_zte_msm8996.sh b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_zte_msm8996.sh index 03a7eecf..f5d402df 100644 --- a/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_zte_msm8996.sh +++ b/Scripts/LineageOS-15.1/CVE_Patchers/android_kernel_zte_msm8996.sh @@ -24,7 +24,6 @@ git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/00 git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0041.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0042.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0043.patch -git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0045.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0046.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0050.patch git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0002.patch @@ -641,5 +640,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-0466/3.18/0003.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-26145/qcacld-2.0/0008.patch --directory=drivers/staging/qcacld-2.0 git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-29660/3.18/0007.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-37159/4.4/0006.patch -editKernelLocalversion "-dos.p641" +editKernelLocalversion "-dos.p640" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_asus_msm8953.sh b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_asus_msm8953.sh index 7e93fb93..7ae26670 100644 --- a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_asus_msm8953.sh +++ b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_asus_msm8953.sh @@ -21,7 +21,6 @@ git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/00 git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0041.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0042.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0043.patch -git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0045.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0046.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0050.patch git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0002.patch @@ -410,5 +409,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-0466/3.18/0003.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-26145/qcacld-2.0/0008.patch --directory=drivers/staging/qcacld-2.0 git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-29660/3.18/0007.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-37159/4.4/0006.patch -editKernelLocalversion "-dos.p410" +editKernelLocalversion "-dos.p409" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_xiaomi_msm8937.sh b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_xiaomi_msm8937.sh index 77800541..c406518c 100644 --- a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_xiaomi_msm8937.sh +++ b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_xiaomi_msm8937.sh @@ -21,7 +21,6 @@ git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/00 git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0041.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0042.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0043.patch -git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0045.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0046.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0050.patch git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0002.patch @@ -410,5 +409,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-0466/3.18/0003.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-26145/qcacld-2.0/0008.patch --directory=drivers/staging/qcacld-2.0 git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-29660/3.18/0007.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-37159/4.4/0006.patch -editKernelLocalversion "-dos.p410" +editKernelLocalversion "-dos.p409" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh index 4694cc6e..ea50a2e7 100644 --- a/Scripts/LineageOS-16.0/Patch.sh +++ b/Scripts/LineageOS-16.0/Patch.sh @@ -63,8 +63,8 @@ if enterAndClear "bionic"; then if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_bionic/0001-HM-Use_HM.patch"; fi; #(GrapheneOS) if [ "$DOS_GRAPHENE_BIONIC" = true ]; then applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-1.patch"; #Add a real explicit_bzero implementation (GrapheneOS) -applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-2.patch"; #Replace brk and sbrk with stubs (GrapheneOS) -#applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-3.patch"; #Use blocking getrandom and avoid urandom fallback (GrapheneOS) #XXX: boot issues +#applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-2.patch"; #Replace brk and sbrk with stubs (GrapheneOS) #XXX: some vendor blobs use sbrk +#applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-3.patch"; #Use blocking getrandom and avoid urandom fallback (GrapheneOS) #XXX: some kernels do not have (working) getrandom applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-4.patch"; #Fix undefined out-of-bounds accesses in sched.h (GrapheneOS) applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-5.patch"; #Stop implicitly marking mappings as mergeable (GrapheneOS) applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-6.patch"; #Replace VLA formatting buffer with dprintf (GrapheneOS) diff --git a/Scripts/LineageOS-17.1/CVE_Patchers/android_kernel_motorola_msm8996.sh b/Scripts/LineageOS-17.1/CVE_Patchers/android_kernel_motorola_msm8996.sh index caca53b5..9fe6051e 100644 --- a/Scripts/LineageOS-17.1/CVE_Patchers/android_kernel_motorola_msm8996.sh +++ b/Scripts/LineageOS-17.1/CVE_Patchers/android_kernel_motorola_msm8996.sh @@ -22,7 +22,6 @@ git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/00 git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0041.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0042.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0043.patch -git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0045.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0046.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0050.patch git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0002.patch @@ -559,5 +558,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-14283/3.18/0004.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-0466/3.18/0003.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-29660/3.18/0007.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-37159/4.4/0006.patch -editKernelLocalversion "-dos.p559" +editKernelLocalversion "-dos.p558" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh index fe382d8c..567f3687 100644 --- a/Scripts/LineageOS-17.1/Patch.sh +++ b/Scripts/LineageOS-17.1/Patch.sh @@ -68,8 +68,8 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_bion if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_bionic/0002-Symbol_Ordering.patch"; fi; #(GrapheneOS) if [ "$DOS_GRAPHENE_BIONIC" = true ]; then applyPatch "$DOS_PATCHES/android_bionic/0003-Graphene_Bionic_Hardening-1.patch"; #Add a real explicit_bzero implementation (GrapheneOS) -applyPatch "$DOS_PATCHES/android_bionic/0003-Graphene_Bionic_Hardening-2.patch"; #Replace brk and sbrk with stubs (GrapheneOS) -#applyPatch "$DOS_PATCHES/android_bionic/0003-Graphene_Bionic_Hardening-3.patch"; #Use blocking getrandom and avoid urandom fallback (GrapheneOS) #XXX: boot issues +#applyPatch "$DOS_PATCHES/android_bionic/0003-Graphene_Bionic_Hardening-2.patch"; #Replace brk and sbrk with stubs (GrapheneOS) #XXX: some vendor blobs use sbrk +#applyPatch "$DOS_PATCHES/android_bionic/0003-Graphene_Bionic_Hardening-3.patch"; #Use blocking getrandom and avoid urandom fallback (GrapheneOS) #XXX: some kernels do not have (working) getrandom applyPatch "$DOS_PATCHES/android_bionic/0003-Graphene_Bionic_Hardening-4.patch"; #Fix undefined out-of-bounds accesses in sched.h (GrapheneOS) applyPatch "$DOS_PATCHES/android_bionic/0003-Graphene_Bionic_Hardening-5.patch"; #Stop implicitly marking mappings as mergeable (GrapheneOS) applyPatch "$DOS_PATCHES/android_bionic/0003-Graphene_Bionic_Hardening-6.patch"; #Replace VLA formatting buffer with dprintf (GrapheneOS) diff --git a/Scripts/LineageOS-18.1/CVE_Patchers/android_kernel_google_marlin.sh b/Scripts/LineageOS-18.1/CVE_Patchers/android_kernel_google_marlin.sh index 305543b7..ca9165f8 100644 --- a/Scripts/LineageOS-18.1/CVE_Patchers/android_kernel_google_marlin.sh +++ b/Scripts/LineageOS-18.1/CVE_Patchers/android_kernel_google_marlin.sh @@ -24,7 +24,6 @@ git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/00 git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0042.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0043.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0044.patch -git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0045.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0046.patch #git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0048.patch #git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0049.patch @@ -456,5 +455,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-14283/3.18/0004.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-0466/3.18/0003.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-29660/3.18/0007.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-37159/4.4/0006.patch -editKernelLocalversion "-dos.p456" +editKernelLocalversion "-dos.p455" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-18.1/CVE_Patchers/android_kernel_lge_msm8996.sh b/Scripts/LineageOS-18.1/CVE_Patchers/android_kernel_lge_msm8996.sh index 72cdd6b5..2b8b5145 100644 --- a/Scripts/LineageOS-18.1/CVE_Patchers/android_kernel_lge_msm8996.sh +++ b/Scripts/LineageOS-18.1/CVE_Patchers/android_kernel_lge_msm8996.sh @@ -23,7 +23,6 @@ git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/00 git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0041.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0042.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0043.patch -git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0045.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0046.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0050.patch git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0002.patch @@ -538,5 +537,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-14283/3.18/0004.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-0466/3.18/0003.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-29660/3.18/0007.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-37159/4.4/0006.patch -editKernelLocalversion "-dos.p538" +editKernelLocalversion "-dos.p537" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-18.1/CVE_Patchers/android_kernel_oneplus_msm8996.sh b/Scripts/LineageOS-18.1/CVE_Patchers/android_kernel_oneplus_msm8996.sh index 1b6f35e1..9bc2e027 100644 --- a/Scripts/LineageOS-18.1/CVE_Patchers/android_kernel_oneplus_msm8996.sh +++ b/Scripts/LineageOS-18.1/CVE_Patchers/android_kernel_oneplus_msm8996.sh @@ -21,7 +21,6 @@ git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/00 git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0041.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0042.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0043.patch -git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0045.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0046.patch git apply $DOS_PATCHES_LINUX_CVES/0006-AndroidHardening-Kernel_Hardening/3.18/0050.patch git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/4.4/0002.patch @@ -455,5 +454,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-0466/3.18/0003.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-26145/qcacld-2.0/0008.patch --directory=drivers/staging/qcacld-2.0 git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-29660/3.18/0007.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2021-37159/4.4/0006.patch -editKernelLocalversion "-dos.p455" +editKernelLocalversion "-dos.p454" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh index 55b12ecc..581bfb36 100644 --- a/Scripts/LineageOS-18.1/Patch.sh +++ b/Scripts/LineageOS-18.1/Patch.sh @@ -63,8 +63,8 @@ if enterAndClear "bionic"; then if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_bionic/0001-HM-Use_HM.patch"; fi; #(GrapheneOS) if [ "$DOS_GRAPHENE_BIONIC" = true ]; then applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-1.patch"; #Add a real explicit_bzero implementation (GrapheneOS) -applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-2.patch"; #Replace brk and sbrk with stubs (GrapheneOS) -#applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-3.patch"; #Use blocking getrandom and avoid urandom fallback (GrapheneOS) #XXX: boot issues +#applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-2.patch"; #Replace brk and sbrk with stubs (GrapheneOS) #XXX: some vendor blobs use sbrk +#applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-3.patch"; #Use blocking getrandom and avoid urandom fallback (GrapheneOS) #XXX: some kernels do not have (working) getrandom applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-4.patch"; #Fix undefined out-of-bounds accesses in sched.h (GrapheneOS) applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-5.patch"; #Stop implicitly marking mappings as mergeable (GrapheneOS) applyPatch "$DOS_PATCHES/android_bionic/0002-Graphene_Bionic_Hardening-6.patch"; #Replace VLA formatting with dprintf-like function (GrapheneOS) @@ -450,7 +450,6 @@ fi; if enterAndClear "device/htc/msm8974-common"; then applyPatch "$DOS_PATCHES/android_device_htc_msm8974-common/295147.patch"; #Enable ZRAM -echo "MALLOC_SVELTE_FOR_LIBC32 := true" >> BoardConfigCommon.mk; #Fix video recording fi; if enterAndClear "device/lge/g2-common"; then diff --git a/Scripts/init.sh b/Scripts/init.sh index bc0a15be..4fea7f5c 100644 --- a/Scripts/init.sh +++ b/Scripts/init.sh @@ -57,7 +57,7 @@ export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Serv #Features export DOS_GPS_GLONASS_FORCED=false; #Enables GLONASS on all devices -export DOS_GRAPHENE_BIONIC=true; #Enables the bionic hardening patchset on 16.0+17.1+18.1 +export DOS_GRAPHENE_BIONIC=false; #Enables the bionic hardening patchset on 16.0+17.1+18.1 export DOS_GRAPHENE_CONSTIFY=true; #Enables 'Constify JNINativeMethod tables' patchset on 16.0+17.1+18.1 export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms on 16.0+17.1+18.1 export DOS_GRAPHENE_EXEC=false; #Enables use of GrapheneOS' exec spawning feature on 16.0+17.1+18.1 XXX: breaks things like VoLTE