-
Notifications
You must be signed in to change notification settings - Fork 246
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ASB - December 2023 Security Patches integration
Integrating Security Patches Test done: STS r21 TCs Passed Tracked-On: OAM-113582 Signed-off-by: Alam, SahibeX <[email protected]>
- Loading branch information
Showing
33 changed files
with
3,200 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
107 changes: 107 additions & 0 deletions
107
aosp_diff/preliminary/frameworks/av/29_0029-httplive-fix-use-after-free.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| From 76225338a8be623cb7db32213192fbbc7c73895e Mon Sep 17 00:00:00 2001 | ||
| From: Toni Heidenreich <[email protected]> | ||
| Date: Wed, 6 Sep 2023 12:49:33 +0000 | ||
| Subject: [PATCH] httplive: fix use-after-free | ||
|
|
||
| Implement a mutex to ensure secure multi-threaded | ||
| access to the KeyedVector in MetaDataBase. | ||
| Concurrent access by different threads can lead | ||
| to accessing the wrong memory location due to | ||
| potential changes in the vector | ||
|
|
||
| Bug: 298057702 | ||
| Test: HTTP Live Streaming test | ||
| (cherry picked from https://partner-android-review.googlesource.com/q/commit:a2dfb31957a9d5358d0219a0eda7dcb5b0fff5fe) | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90fb4ca425444429ada6ce0de1c13d35829bc196) | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c1d9613ef64e01d2e81c4aa44c90dcd8ca958b9) | ||
| Merged-In: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a | ||
| Change-Id: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a | ||
| --- | ||
| media/libstagefright/foundation/MetaDataBase.cpp | 11 +++++++++++ | ||
| 1 file changed, 11 insertions(+) | ||
|
|
||
| diff --git a/media/libstagefright/foundation/MetaDataBase.cpp b/media/libstagefright/foundation/MetaDataBase.cpp | ||
| index 3f050ea6aa..aa6ca10967 100644 | ||
| --- a/media/libstagefright/foundation/MetaDataBase.cpp | ||
| +++ b/media/libstagefright/foundation/MetaDataBase.cpp | ||
| @@ -23,6 +23,8 @@ | ||
| #include <stdlib.h> | ||
| #include <string.h> | ||
|
|
||
| +#include <mutex> | ||
| + | ||
| #include <media/stagefright/foundation/ADebug.h> | ||
| #include <media/stagefright/foundation/AString.h> | ||
| #include <media/stagefright/foundation/hexdump.h> | ||
| @@ -78,6 +80,7 @@ struct MetaDataBase::Rect { | ||
|
|
||
|
|
||
| struct MetaDataBase::MetaDataInternal { | ||
| + std::mutex mLock; | ||
| KeyedVector<uint32_t, MetaDataBase::typed_data> mItems; | ||
| }; | ||
|
|
||
| @@ -102,10 +105,12 @@ MetaDataBase::~MetaDataBase() { | ||
| } | ||
|
|
||
| void MetaDataBase::clear() { | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| mInternalData->mItems.clear(); | ||
| } | ||
|
|
||
| bool MetaDataBase::remove(uint32_t key) { | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| ssize_t i = mInternalData->mItems.indexOfKey(key); | ||
|
|
||
| if (i < 0) { | ||
| @@ -252,6 +257,7 @@ bool MetaDataBase::setData( | ||
| uint32_t key, uint32_t type, const void *data, size_t size) { | ||
| bool overwrote_existing = true; | ||
|
|
||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| ssize_t i = mInternalData->mItems.indexOfKey(key); | ||
| if (i < 0) { | ||
| typed_data item; | ||
| @@ -269,6 +275,7 @@ bool MetaDataBase::setData( | ||
|
|
||
| bool MetaDataBase::findData(uint32_t key, uint32_t *type, | ||
| const void **data, size_t *size) const { | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| ssize_t i = mInternalData->mItems.indexOfKey(key); | ||
|
|
||
| if (i < 0) { | ||
| @@ -283,6 +290,7 @@ bool MetaDataBase::findData(uint32_t key, uint32_t *type, | ||
| } | ||
|
|
||
| bool MetaDataBase::hasData(uint32_t key) const { | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| ssize_t i = mInternalData->mItems.indexOfKey(key); | ||
|
|
||
| if (i < 0) { | ||
| @@ -429,6 +437,7 @@ static void MakeFourCCString(uint32_t x, char *s) { | ||
|
|
||
| String8 MetaDataBase::toString() const { | ||
| String8 s; | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| for (int i = mInternalData->mItems.size(); --i >= 0;) { | ||
| int32_t key = mInternalData->mItems.keyAt(i); | ||
| char cc[5]; | ||
| @@ -443,6 +452,7 @@ String8 MetaDataBase::toString() const { | ||
| } | ||
|
|
||
| void MetaDataBase::dumpToLog() const { | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| for (int i = mInternalData->mItems.size(); --i >= 0;) { | ||
| int32_t key = mInternalData->mItems.keyAt(i); | ||
| char cc[5]; | ||
| @@ -455,6 +465,7 @@ void MetaDataBase::dumpToLog() const { | ||
| #if !defined(__ANDROID_VNDK__) && !defined(__ANDROID_APEX__) | ||
| status_t MetaDataBase::writeToParcel(Parcel &parcel) { | ||
| status_t ret; | ||
| + std::lock_guard<std::mutex> guard(mInternalData->mLock); | ||
| size_t numItems = mInternalData->mItems.size(); | ||
| ret = parcel.writeUint32(uint32_t(numItems)); | ||
| if (ret) { | ||
| -- | ||
| 2.42.0.820.g83a721a137-goog | ||
|
|
54 changes: 54 additions & 0 deletions
54
...eliminary/frameworks/av/30_0030-Correct-attribution-source-for-MMAP-thread.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| From f7b5a2f8c3fb7daa1213fce472df3cd2c05e535f Mon Sep 17 00:00:00 2001 | ||
| From: Atneya Nair <[email protected]> | ||
| Date: Wed, 10 May 2023 21:37:41 -0700 | ||
| Subject: [PATCH] Correct attribution source for MMAP thread | ||
|
|
||
| Ensure that the package name, which is used for listening for appops | ||
| below getInputForAttr, is corrected for MMAP threads. | ||
|
|
||
| Bug: 268724205 | ||
| Test: AudioRecordTest | ||
| Test: Oboetester MMAP record silenced when backgrounded - 6s | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f59db5cb1be38abce4c3c4f553090e527a6d4513) | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5be19e855d2a9b772d43aacf0af2848d862a1b90) | ||
| Merged-In: Ia6fc1bff815bbbb2fee8bc1a60569a663a713e4b | ||
| Change-Id: Ia6fc1bff815bbbb2fee8bc1a60569a663a713e4b | ||
| --- | ||
| services/audioflinger/Threads.cpp | 7 +++++-- | ||
| 1 file changed, 5 insertions(+), 2 deletions(-) | ||
|
|
||
| diff --git a/services/audioflinger/Threads.cpp b/services/audioflinger/Threads.cpp | ||
| index 6dfaf7e068..670f1a09a9 100644 | ||
| --- a/services/audioflinger/Threads.cpp | ||
| +++ b/services/audioflinger/Threads.cpp | ||
| @@ -9504,6 +9504,9 @@ status_t AudioFlinger::MmapThread::start(const AudioClient& client, | ||
| audio_port_handle_t portId = AUDIO_PORT_HANDLE_NONE; | ||
|
|
||
| audio_io_handle_t io = mId; | ||
| + AttributionSourceState adjAttributionSource = AudioFlinger::checkAttributionSourcePackage( | ||
| + client.attributionSource); | ||
| + | ||
| if (isOutput()) { | ||
| audio_config_t config = AUDIO_CONFIG_INITIALIZER; | ||
| config.sample_rate = mSampleRate; | ||
| @@ -9517,7 +9520,7 @@ status_t AudioFlinger::MmapThread::start(const AudioClient& client, | ||
| ret = AudioSystem::getOutputForAttr(&mAttr, &io, | ||
| mSessionId, | ||
| &stream, | ||
| - client.attributionSource, | ||
| + adjAttributionSource, | ||
| &config, | ||
| flags, | ||
| &deviceId, | ||
| @@ -9534,7 +9537,7 @@ status_t AudioFlinger::MmapThread::start(const AudioClient& client, | ||
| ret = AudioSystem::getInputForAttr(&mAttr, &io, | ||
| RECORD_RIID_INVALID, | ||
| mSessionId, | ||
| - client.attributionSource, | ||
| + adjAttributionSource, | ||
| &config, | ||
| AUDIO_INPUT_FLAG_MMAP_NOIRQ, | ||
| &deviceId, | ||
| -- | ||
| 2.42.0.820.g83a721a137-goog | ||
|
|
78 changes: 78 additions & 0 deletions
78
...inary/frameworks/av/31_0031-Condition-background-record-restriction-on-Sdk.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| From 3c28a81aa632b38329c824e6eb500c3940834d8b Mon Sep 17 00:00:00 2001 | ||
| From: Atneya Nair <[email protected]> | ||
| Date: Wed, 9 Aug 2023 16:21:48 -0700 | ||
| Subject: [PATCH] Condition background record restriction on Sdk | ||
|
|
||
| To prevent breaking existing apps, modify the checks around when | ||
| an app should have its recording silenced to retain prior behavior | ||
| unless an app has targetSdk U or greater. | ||
|
|
||
| Test: oboetester conditionally restricted based on targetSdk level | ||
| Bug: 268724205 | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc4f375d570965775634d90856719b812aee9865) | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a5ed2002773feb3dd371cc473fc0a6ff2dfd21b6) | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:382a9eaf46cf53b986494a694c9a87b8be8a28e4) | ||
| Merged-In: I42b6cbca60db6ce1a073254239b48e9104c4ebfb | ||
| Change-Id: I42b6cbca60db6ce1a073254239b48e9104c4ebfb | ||
| --- | ||
| .../service/AudioPolicyService.cpp | 26 +++++++++++++++++++ | ||
| 1 file changed, 26 insertions(+) | ||
|
|
||
| diff --git a/services/audiopolicy/service/AudioPolicyService.cpp b/services/audiopolicy/service/AudioPolicyService.cpp | ||
| index 102b376ded..d74c3546ec 100644 | ||
| --- a/services/audiopolicy/service/AudioPolicyService.cpp | ||
| +++ b/services/audiopolicy/service/AudioPolicyService.cpp | ||
| @@ -25,6 +25,7 @@ | ||
| #include <sys/time.h> | ||
| #include <dlfcn.h> | ||
|
|
||
| +#include <android/content/pm/IPackageManagerNative.h> | ||
| #include <audio_utils/clock.h> | ||
| #include <binder/IServiceManager.h> | ||
| #include <utils/Log.h> | ||
| @@ -77,6 +78,27 @@ static void destroyAudioPolicyManager(AudioPolicyInterface *interface) | ||
| { | ||
| delete interface; | ||
| } | ||
| + | ||
| +namespace { | ||
| +int getTargetSdkForPackageName(std::string_view packageName) { | ||
| + const auto binder = defaultServiceManager()->checkService(String16{"package_native"}); | ||
| + int targetSdk = -1; | ||
| + if (binder != nullptr) { | ||
| + const auto pm = interface_cast<content::pm::IPackageManagerNative>(binder); | ||
| + if (pm != nullptr) { | ||
| + const auto status = pm->getTargetSdkVersionForPackage( | ||
| + String16{packageName.data(), packageName.size()}, &targetSdk); | ||
| + return status.isOk() ? targetSdk : -1; | ||
| + } | ||
| + } | ||
| + return targetSdk; | ||
| +} | ||
| + | ||
| +bool doesPackageTargetAtLeastU(std::string_view packageName) { | ||
| + constexpr int ANDROID_API_U = 34; | ||
| + return getTargetSdkForPackageName(packageName) >= ANDROID_API_U; | ||
| +} | ||
| +} // anonymous | ||
| // ---------------------------------------------------------------------------- | ||
|
|
||
| AudioPolicyService::AudioPolicyService() | ||
| @@ -1550,10 +1572,14 @@ void AudioPolicyService::OpRecordAudioMonitor::onFirstRef() | ||
| checkOp(); | ||
| mOpCallback = new RecordAudioOpCallback(this); | ||
| ALOGV("start watching op %d for %s", mAppOp, mAttributionSource.toString().c_str()); | ||
| + int flags = doesPackageTargetAtLeastU( | ||
| + mAttributionSource.packageName.value_or("")) ? | ||
| + AppOpsManager::WATCH_FOREGROUND_CHANGES : 0; | ||
| // TODO: We need to always watch AppOpsManager::OP_RECORD_AUDIO too | ||
| // since it controls the mic permission for legacy apps. | ||
| mAppOpsManager.startWatchingMode(mAppOp, VALUE_OR_FATAL(aidl2legacy_string_view_String16( | ||
| mAttributionSource.packageName.value_or(""))), | ||
| + flags, | ||
| mOpCallback); | ||
| } | ||
|
|
||
| -- | ||
| 2.42.0.820.g83a721a137-goog | ||
|
|
54 changes: 54 additions & 0 deletions
54
...iff/preliminary/frameworks/base/99_0209-On-device-lockdown-always-show-the-keyguard.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| From 65f3760253722d932ce9cf99497748332b49c219 Mon Sep 17 00:00:00 2001 | ||
| From: Beverly <[email protected]> | ||
| Date: Mon, 8 May 2023 16:33:12 +0000 | ||
| Subject: [PATCH] On device lockdown, always show the keyguard | ||
|
|
||
| Manual test steps: | ||
| 1. Enable app pinning and disable "Ask for PIN before unpinning" setting | ||
| 2. Pin an app (ie: Settings) | ||
| 3. Lockdown from the power menu | ||
| Observe: user is brought to the keyguard, primary auth is required | ||
| to enter the device. After entering credential, the device is still in | ||
| app pinning mode. | ||
|
|
||
| Test: atest KeyguardViewMediatorTest | ||
| Test: manual steps outlined above | ||
| Bug: 218495634 | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:100ae42365d7fc8ba7d241e8c9a7ef6aa0cdb961) | ||
| Merged-In: I9a7c5e1acadabd4484e58573331f98dba895f2a2 | ||
| Change-Id: I9a7c5e1acadabd4484e58573331f98dba895f2a2 | ||
| --- | ||
| .../systemui/keyguard/KeyguardViewMediator.java | 10 +++++++++- | ||
| 1 file changed, 9 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java | ||
| index 2c596d1b97e8..9c7d9f9f13c5 100644 | ||
| --- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java | ||
| +++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java | ||
| @@ -678,6 +678,13 @@ public class KeyguardViewMediator extends SystemUI implements Dumpable, | ||
| notifyHasLockscreenWallpaperChanged(hasLockscreenWallpaper); | ||
| } | ||
| } | ||
| + | ||
| + @Override | ||
| + public void onStrongAuthStateChanged(int userId) { | ||
| + if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { | ||
| + doKeyguardLocked(null); | ||
| + } | ||
| + } | ||
| }; | ||
|
|
||
| ViewMediatorCallback mViewMediatorCallback = new ViewMediatorCallback() { | ||
| @@ -1525,7 +1532,8 @@ public class KeyguardViewMediator extends SystemUI implements Dumpable, | ||
| } | ||
|
|
||
| // if another app is disabling us, don't show | ||
| - if (!mExternallyEnabled) { | ||
| + if (!mExternallyEnabled | ||
| + && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) { | ||
| if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled"); | ||
|
|
||
| mNeedToReshowWhenReenabled = true; | ||
| -- | ||
| 2.17.1 | ||
|
|
Oops, something went wrong.