-
Notifications
You must be signed in to change notification settings - Fork 245
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ASB - December 2023 Security Patches integration
Integrating Security Patches Test done: STS r21 TCs Passed Tracked-On: OAM-113582 Signed-off-by: Alam, SahibeX <[email protected]>
- Loading branch information
Showing
33 changed files
with
3,209 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
107 changes: 107 additions & 0 deletions
107
aosp_diff/preliminary/frameworks/av/29_0029-httplive-fix-use-after-free.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| From cfd4960f97e80809c0ae14b04547c18be6cd4b31 Mon Sep 17 00:00:00 2001 | ||
| From: Toni Heidenreich <[email protected]> | ||
| Date: Wed, 6 Sep 2023 12:49:33 +0000 | ||
| Subject: [PATCH] httplive: fix use-after-free | ||
|
|
||
| Implement a mutex to ensure secure multi-threaded | ||
| access to the KeyedVector in MetaDataBase. | ||
| Concurrent access by different threads can lead | ||
| to accessing the wrong memory location due to | ||
| potential changes in the vector | ||
|
|
||
| Bug: 298057702 | ||
| Test: HTTP Live Streaming test | ||
| (cherry picked from https://partner-android-review.googlesource.com/q/commit:a2dfb31957a9d5358d0219a0eda7dcb5b0fff5fe) | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90fb4ca425444429ada6ce0de1c13d35829bc196) | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c1d9613ef64e01d2e81c4aa44c90dcd8ca958b9) | ||
| Merged-In: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a | ||
| Change-Id: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a | ||
| --- | ||
| media/libstagefright/foundation/MetaDataBase.cpp | 11 +++++++++++ | ||
| 1 file changed, 11 insertions(+) | ||
|
|
||
| diff --git a/media/libstagefright/foundation/MetaDataBase.cpp b/media/libstagefright/foundation/MetaDataBase.cpp | ||
| index 3f050ea6aa..aa6ca10967 100644 | ||
| --- a/media/libstagefright/foundation/MetaDataBase.cpp | ||
| +++ b/media/libstagefright/foundation/MetaDataBase.cpp | ||
| @@ -23,6 +23,8 @@ | ||
| #include <stdlib.h> | ||
| #include <string.h> | ||
|
|
||
| +#include <mutex> | ||
| + | ||
| #include <media/stagefright/foundation/ADebug.h> | ||
| #include <media/stagefright/foundation/AString.h> | ||
| #include <media/stagefright/foundation/hexdump.h> | ||
| @@ -78,6 +80,7 @@ struct MetaDataBase::Rect { | ||
|
|
||
|
|
||
| struct MetaDataBase::MetaDataInternal { | ||
| + std::mutex mLock; | ||
| KeyedVector<uint32_t, MetaDataBase::typed_data> mItems; | ||
| }; | ||
|
|
||
| @@ -102,10 +105,12 @@ MetaDataBase::~MetaDataBase() { | ||
| } | ||
|
|
||
| void MetaDataBase::clear() { | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| mInternalData->mItems.clear(); | ||
| } | ||
|
|
||
| bool MetaDataBase::remove(uint32_t key) { | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| ssize_t i = mInternalData->mItems.indexOfKey(key); | ||
|
|
||
| if (i < 0) { | ||
| @@ -252,6 +257,7 @@ bool MetaDataBase::setData( | ||
| uint32_t key, uint32_t type, const void *data, size_t size) { | ||
| bool overwrote_existing = true; | ||
|
|
||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| ssize_t i = mInternalData->mItems.indexOfKey(key); | ||
| if (i < 0) { | ||
| typed_data item; | ||
| @@ -269,6 +275,7 @@ bool MetaDataBase::setData( | ||
|
|
||
| bool MetaDataBase::findData(uint32_t key, uint32_t *type, | ||
| const void **data, size_t *size) const { | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| ssize_t i = mInternalData->mItems.indexOfKey(key); | ||
|
|
||
| if (i < 0) { | ||
| @@ -283,6 +290,7 @@ bool MetaDataBase::findData(uint32_t key, uint32_t *type, | ||
| } | ||
|
|
||
| bool MetaDataBase::hasData(uint32_t key) const { | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| ssize_t i = mInternalData->mItems.indexOfKey(key); | ||
|
|
||
| if (i < 0) { | ||
| @@ -429,6 +437,7 @@ static void MakeFourCCString(uint32_t x, char *s) { | ||
|
|
||
| String8 MetaDataBase::toString() const { | ||
| String8 s; | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| for (int i = mInternalData->mItems.size(); --i >= 0;) { | ||
| int32_t key = mInternalData->mItems.keyAt(i); | ||
| char cc[5]; | ||
| @@ -443,6 +452,7 @@ String8 MetaDataBase::toString() const { | ||
| } | ||
|
|
||
| void MetaDataBase::dumpToLog() const { | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| for (int i = mInternalData->mItems.size(); --i >= 0;) { | ||
| int32_t key = mInternalData->mItems.keyAt(i); | ||
| char cc[5]; | ||
| @@ -455,6 +465,7 @@ void MetaDataBase::dumpToLog() const { | ||
| #if !defined(__ANDROID_VNDK__) && !defined(__ANDROID_APEX__) | ||
| status_t MetaDataBase::writeToParcel(Parcel &parcel) { | ||
| status_t ret; | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| size_t numItems = mInternalData->mItems.size(); | ||
| ret = parcel.writeUint32(uint32_t(numItems)); | ||
| if (ret) { | ||
| -- | ||
| 2.42.0.820.g83a721a137-goog | ||
|
|
54 changes: 54 additions & 0 deletions
54
...eliminary/frameworks/av/30_0030-Correct-attribution-source-for-MMAP-thread.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| From b4910062d576833cf0c99b3fb2f0e685faafc9d0 Mon Sep 17 00:00:00 2001 | ||
| From: Atneya Nair <[email protected]> | ||
| Date: Wed, 10 May 2023 21:37:41 -0700 | ||
| Subject: [PATCH] Correct attribution source for MMAP thread | ||
|
|
||
| Ensure that the package name, which is used for listening for appops | ||
| below getInputForAttr, is corrected for MMAP threads. | ||
|
|
||
| Bug: 268724205 | ||
| Test: AudioRecordTest | ||
| Test: Oboetester MMAP record silenced when backgrounded - 6s | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f59db5cb1be38abce4c3c4f553090e527a6d4513) | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5be19e855d2a9b772d43aacf0af2848d862a1b90) | ||
| Merged-In: Ia6fc1bff815bbbb2fee8bc1a60569a663a713e4b | ||
| Change-Id: Ia6fc1bff815bbbb2fee8bc1a60569a663a713e4b | ||
| --- | ||
| services/audioflinger/Threads.cpp | 7 +++++-- | ||
| 1 file changed, 5 insertions(+), 2 deletions(-) | ||
|
|
||
| diff --git a/services/audioflinger/Threads.cpp b/services/audioflinger/Threads.cpp | ||
| index 7f2680014d..0c0c618e99 100644 | ||
| --- a/services/audioflinger/Threads.cpp | ||
| +++ b/services/audioflinger/Threads.cpp | ||
| @@ -9188,6 +9188,9 @@ status_t AudioFlinger::MmapThread::start(const AudioClient& client, | ||
| audio_port_handle_t portId = AUDIO_PORT_HANDLE_NONE; | ||
|
|
||
| audio_io_handle_t io = mId; | ||
| + AttributionSourceState adjAttributionSource = AudioFlinger::checkAttributionSourcePackage( | ||
| + client.attributionSource); | ||
| + | ||
| if (isOutput()) { | ||
| audio_config_t config = AUDIO_CONFIG_INITIALIZER; | ||
| config.sample_rate = mSampleRate; | ||
| @@ -9201,7 +9204,7 @@ status_t AudioFlinger::MmapThread::start(const AudioClient& client, | ||
| ret = AudioSystem::getOutputForAttr(&mAttr, &io, | ||
| mSessionId, | ||
| &stream, | ||
| - client.attributionSource, | ||
| + adjAttributionSource, | ||
| &config, | ||
| flags, | ||
| &deviceId, | ||
| @@ -9218,7 +9221,7 @@ status_t AudioFlinger::MmapThread::start(const AudioClient& client, | ||
| ret = AudioSystem::getInputForAttr(&mAttr, &io, | ||
| RECORD_RIID_INVALID, | ||
| mSessionId, | ||
| - client.attributionSource, | ||
| + adjAttributionSource, | ||
| &config, | ||
| AUDIO_INPUT_FLAG_MMAP_NOIRQ, | ||
| &deviceId, | ||
| -- | ||
| 2.42.0.820.g83a721a137-goog | ||
|
|
78 changes: 78 additions & 0 deletions
78
...inary/frameworks/av/31_0031-Condition-background-record-restriction-on-Sdk.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| From 302959a3f62dd7f4dcc5fac20d44ede9d09ff567 Mon Sep 17 00:00:00 2001 | ||
| From: Atneya Nair <[email protected]> | ||
| Date: Wed, 9 Aug 2023 16:21:48 -0700 | ||
| Subject: [PATCH] Condition background record restriction on Sdk | ||
|
|
||
| To prevent breaking existing apps, modify the checks around when | ||
| an app should have its recording silenced to retain prior behavior | ||
| unless an app has targetSdk U or greater. | ||
|
|
||
| Test: oboetester conditionally restricted based on targetSdk level | ||
| Bug: 268724205 | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc4f375d570965775634d90856719b812aee9865) | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a5ed2002773feb3dd371cc473fc0a6ff2dfd21b6) | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:382a9eaf46cf53b986494a694c9a87b8be8a28e4) | ||
| Merged-In: I42b6cbca60db6ce1a073254239b48e9104c4ebfb | ||
| Change-Id: I42b6cbca60db6ce1a073254239b48e9104c4ebfb | ||
| --- | ||
| .../service/AudioPolicyService.cpp | 26 +++++++++++++++++++ | ||
| 1 file changed, 26 insertions(+) | ||
|
|
||
| diff --git a/services/audiopolicy/service/AudioPolicyService.cpp b/services/audiopolicy/service/AudioPolicyService.cpp | ||
| index 4d0e1f12a6..eb6666165d 100644 | ||
| --- a/services/audiopolicy/service/AudioPolicyService.cpp | ||
| +++ b/services/audiopolicy/service/AudioPolicyService.cpp | ||
| @@ -25,6 +25,7 @@ | ||
| #include <sys/time.h> | ||
| #include <dlfcn.h> | ||
|
|
||
| +#include <android/content/pm/IPackageManagerNative.h> | ||
| #include <audio_utils/clock.h> | ||
| #include <binder/IServiceManager.h> | ||
| #include <utils/Log.h> | ||
| @@ -77,6 +78,27 @@ static void destroyAudioPolicyManager(AudioPolicyInterface *interface) | ||
| { | ||
| delete interface; | ||
| } | ||
| + | ||
| +namespace { | ||
| +int getTargetSdkForPackageName(std::string_view packageName) { | ||
| + const auto binder = defaultServiceManager()->checkService(String16{"package_native"}); | ||
| + int targetSdk = -1; | ||
| + if (binder != nullptr) { | ||
| + const auto pm = interface_cast<content::pm::IPackageManagerNative>(binder); | ||
| + if (pm != nullptr) { | ||
| + const auto status = pm->getTargetSdkVersionForPackage( | ||
| + String16{packageName.data(), packageName.size()}, &targetSdk); | ||
| + return status.isOk() ? targetSdk : -1; | ||
| + } | ||
| + } | ||
| + return targetSdk; | ||
| +} | ||
| + | ||
| +bool doesPackageTargetAtLeastU(std::string_view packageName) { | ||
| + constexpr int ANDROID_API_U = 34; | ||
| + return getTargetSdkForPackageName(packageName) >= ANDROID_API_U; | ||
| +} | ||
| +} // anonymous | ||
| // ---------------------------------------------------------------------------- | ||
|
|
||
| AudioPolicyService::AudioPolicyService() | ||
| @@ -1482,10 +1504,14 @@ void AudioPolicyService::OpRecordAudioMonitor::onFirstRef() | ||
| checkOp(); | ||
| mOpCallback = new RecordAudioOpCallback(this); | ||
| ALOGV("start watching op %d for %s", mAppOp, mAttributionSource.toString().c_str()); | ||
| + int flags = doesPackageTargetAtLeastU( | ||
| + mAttributionSource.packageName.value_or("")) ? | ||
| + AppOpsManager::WATCH_FOREGROUND_CHANGES : 0; | ||
| // TODO: We need to always watch AppOpsManager::OP_RECORD_AUDIO too | ||
| // since it controls the mic permission for legacy apps. | ||
| mAppOpsManager.startWatchingMode(mAppOp, VALUE_OR_FATAL(aidl2legacy_string_view_String16( | ||
| mAttributionSource.packageName.value_or(""))), | ||
| + flags, | ||
| mOpCallback); | ||
| } | ||
|
|
||
| -- | ||
| 2.42.0.820.g83a721a137-goog | ||
|
|
54 changes: 54 additions & 0 deletions
54
...minary/frameworks/base/99_0209-On-device-lockdown-always-show-the-keyguard.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| From f88afd13d35ee1d105ae538f990319de704d2741 Mon Sep 17 00:00:00 2001 | ||
| From: Beverly <[email protected]> | ||
| Date: Mon, 8 May 2023 16:33:12 +0000 | ||
| Subject: [PATCH] On device lockdown, always show the keyguard | ||
|
|
||
| Manual test steps: | ||
| 1. Enable app pinning and disable "Ask for PIN before unpinning" setting | ||
| 2. Pin an app (ie: Settings) | ||
| 3. Lockdown from the power menu | ||
| Observe: user is brought to the keyguard, primary auth is required | ||
| to enter the device. After entering credential, the device is still in | ||
| app pinning mode. | ||
|
|
||
| Test: atest KeyguardViewMediatorTest | ||
| Test: manual steps outlined above | ||
| Bug: 218495634 | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b23c2d5fb6630ea0da503b937f62880594b13e94) | ||
| Merged-In: I9a7c5e1acadabd4484e58573331f98dba895f2a2 | ||
| Change-Id: I9a7c5e1acadabd4484e58573331f98dba895f2a2 | ||
| --- | ||
| .../systemui/keyguard/KeyguardViewMediator.java | 10 +++++++++- | ||
| 1 file changed, 9 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java | ||
| index 37c26187176c..6cfd5e0ec5f8 100644 | ||
| --- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java | ||
| +++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java | ||
| @@ -678,6 +678,13 @@ public class KeyguardViewMediator extends SystemUI implements Dumpable, | ||
| notifyHasLockscreenWallpaperChanged(hasLockscreenWallpaper); | ||
| } | ||
| } | ||
| + | ||
| + @Override | ||
| + public void onStrongAuthStateChanged(int userId) { | ||
| + if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { | ||
| + doKeyguardLocked(null); | ||
| + } | ||
| + } | ||
| }; | ||
|
|
||
| ViewMediatorCallback mViewMediatorCallback = new ViewMediatorCallback() { | ||
| @@ -1524,7 +1531,8 @@ public class KeyguardViewMediator extends SystemUI implements Dumpable, | ||
| } | ||
|
|
||
| // if another app is disabling us, don't show | ||
| - if (!mExternallyEnabled) { | ||
| + if (!mExternallyEnabled | ||
| + && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { | ||
| if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled"); | ||
|
|
||
| mNeedToReshowWhenReenabled = true; | ||
| -- | ||
| 2.42.0.820.g83a721a137-goog | ||
|
|
Oops, something went wrong.