-
Notifications
You must be signed in to change notification settings - Fork 245
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ASB-SEP 2024 Security Patches integration
Integrating Google Android Security Bulletin Patches Test done: STS r30 TCs Passed. Tracked-On: OAM-124429 Signed-off-by: AlamIntel <[email protected]>
- Loading branch information
Showing
10 changed files
with
611 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
37 changes: 37 additions & 0 deletions
37
aosp_diff/preliminary/frameworks/av/0009-omx-check-HDR10-info-param-size.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| From 6d23fa05a40e5462d4b9bad28afa932e6e12a4f3 Mon Sep 17 00:00:00 2001 | ||
| From: Wonsik Kim <[email protected]> | ||
| Date: Fri, 28 Jun 2024 00:33:51 +0000 | ||
| Subject: [PATCH] omx: check HDR10+ info param size | ||
|
|
||
| Bug: 329641908 | ||
| Test: presubmit | ||
| Flag: EXEMPT security fix | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:53298956ba6bb8f147a632d7aaed8566dfc203ee) | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f816148a719d2a3bbf432f11da98b3d5fa7de74f) | ||
| Merged-In: I72523e1de61e5f947174272b732e170e1c2964df | ||
| Change-Id: I72523e1de61e5f947174272b732e170e1c2964df | ||
| --- | ||
| media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp | 7 +++++++ | ||
| 1 file changed, 7 insertions(+) | ||
|
|
||
| diff --git a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp | ||
| index 418302389d..4ab5d10609 100644 | ||
| --- a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp | ||
| +++ b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp | ||
| @@ -619,6 +619,13 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::getConfig( | ||
| if (!isValidOMXParam(outParams)) { | ||
| return OMX_ErrorBadParameter; | ||
| } | ||
| + if (offsetof(DescribeHDR10PlusInfoParams, nValue) + outParams->nParamSize > | ||
| + outParams->nSize) { | ||
| + ALOGE("b/329641908: too large param size; nParamSize=%u nSize=%u", | ||
| + outParams->nParamSize, outParams->nSize); | ||
| + android_errorWriteLog(0x534e4554, "329641908"); | ||
| + return OMX_ErrorBadParameter; | ||
| + } | ||
|
|
||
| outParams->nParamSizeUsed = info->size(); | ||
|
|
||
| -- | ||
| 2.46.0.rc2.264.g509ed76dc8-goog | ||
|
|
85 changes: 85 additions & 0 deletions
85
...minary/frameworks/base/67_0067-DO-NOT-MERGE-Ignore-Sanitized-uri-scheme-by-removing.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| From f81e43dee0dc6c77ea4a05a3cf946b1b2612c96a Mon Sep 17 00:00:00 2001 | ||
| From: Kiran Ramachandra <[email protected]> | ||
| Date: Thu, 30 May 2024 21:21:12 +0000 | ||
| Subject: [PATCH] DO NOT MERGE Ignore - Sanitized uri scheme by removing scheme | ||
| delimiter | ||
|
|
||
| Initially considered removing unsupported characters as per IANA guidelines, but this could break applications that use custom schemes with asterisks. Instead, opted to remove only the "://" to minimize disruption | ||
|
|
||
| Bug: 261721900 | ||
| Test: atest FrameworksCoreTests:android.net.UriTest | ||
|
|
||
| No-Typo-Check: The unit test is specifically written to test few cases, string "http://https://" is not a typo | ||
|
|
||
| NOTE FOR REVIEWERS - original patch and result patch are not identical. | ||
| PLEASE REVIEW CAREFULLY. | ||
| Diffs between the patches: | ||
| @AsbSecurityTest(cveBugId = 261721900) | ||
| > + @SmallTest | ||
| > + public void testSchemeSanitization() { | ||
| > + Uri uri = new Uri.Builder() | ||
| > + .scheme("http://https://evil.com:/te:st/") | ||
| > + .authority("google.com").path("one/way").build(); | ||
| > + assertEquals("httphttpsevil.com:/te:st/", uri.getScheme()); | ||
| > + assertEquals("httphttpsevil.com:/te:st/://google.com/one/way", uri.toString()); | ||
| > + } | ||
| > + | ||
|
|
||
| Original patch: | ||
| diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java | ||
| old mode 100644 | ||
| new mode 100644 | ||
| --- | ||
| core/java/android/net/Uri.java | 6 +++++- | ||
| core/tests/coretests/src/android/net/UriTest.java | 11 +++++++++++ | ||
| 2 files changed, 16 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java | ||
| index 3da696ad0bc7..f0262e9f7566 100644 | ||
| --- a/core/java/android/net/Uri.java | ||
| +++ b/core/java/android/net/Uri.java | ||
| @@ -1388,7 +1388,11 @@ public abstract class Uri implements Parcelable, Comparable<Uri> { | ||
| * @param scheme name or {@code null} if this is a relative Uri | ||
| */ | ||
| public Builder scheme(String scheme) { | ||
| - this.scheme = scheme; | ||
| + if (scheme != null) { | ||
| + this.scheme = scheme.replace("://", ""); | ||
| + } else { | ||
| + this.scheme = null; | ||
| + } | ||
| return this; | ||
| } | ||
|
|
||
| diff --git a/core/tests/coretests/src/android/net/UriTest.java b/core/tests/coretests/src/android/net/UriTest.java | ||
| index 89632a46267e..fd12e519e8f8 100644 | ||
| --- a/core/tests/coretests/src/android/net/UriTest.java | ||
| +++ b/core/tests/coretests/src/android/net/UriTest.java | ||
| @@ -18,6 +18,7 @@ package android.net; | ||
|
|
||
| import android.content.ContentUris; | ||
| import android.os.Parcel; | ||
| +import android.platform.test.annotations.AsbSecurityTest; | ||
|
|
||
| import androidx.test.filters.SmallTest; | ||
|
|
||
| @@ -88,6 +89,16 @@ public class UriTest extends TestCase { | ||
| assertNull(u.getHost()); | ||
| } | ||
|
|
||
| + @AsbSecurityTest(cveBugId = 261721900) | ||
| + @SmallTest | ||
| + public void testSchemeSanitization() { | ||
| + Uri uri = new Uri.Builder() | ||
| + .scheme("http://https://evil.com:/te:st/") | ||
| + .authority("google.com").path("one/way").build(); | ||
| + assertEquals("httphttpsevil.com:/te:st/", uri.getScheme()); | ||
| + assertEquals("httphttpsevil.com:/te:st/://google.com/one/way", uri.toString()); | ||
| + } | ||
| + | ||
| @SmallTest | ||
| public void testStringUri() { | ||
| assertEquals("bob lee", | ||
| -- | ||
| 2.34.1 | ||
|
|
140 changes: 140 additions & 0 deletions
140
...e/68_0068-Delete-keystore-keys-from-RecoveryService-rebootRecoveryWithComm.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,140 @@ | ||
| From 8b7b2c66ca96d711fb364cbcc9d655197d9743e0 Mon Sep 17 00:00:00 2001 | ||
| From: Nikolay Elenkov <[email protected]> | ||
| Date: Wed, 26 Jun 2024 07:16:29 +0000 | ||
| Subject: [PATCH] Delete keystore keys from | ||
| RecoveryService.rebootRecoveryWithCommand() | ||
|
|
||
| Adds deleteSecrets() to RecoverySystemService. This method is called | ||
| from rebootRecoveryWithCommand () before the --wipe_data command is | ||
| passed to recovery and the device is force-rebooted. | ||
|
|
||
| deleteSecerts() calls IKeystoreMaintenance.deleteAllKeys() in order to | ||
| quickly destroy the keys protecting the synthetic password blobs | ||
| used to derive FBE encryption keys. | ||
|
|
||
| The intent is to make FBE-encrypted data unrecoverable even if the full | ||
| data wipe in recovery is interrupted or skipped. | ||
|
|
||
| Bug: 324321147 | ||
| Test: Manual - System -> Reset options -> Erase all data. | ||
| Test: Hold VolDown key to interrupt reboot and stop at bootloader | ||
| screen. | ||
| Test: fastboot oem bcd wipe command && fastboot oem bcd wipe recovery | ||
| Test: fastboot reboot | ||
| Test: Device reboots into recovery and prompts to factory reset: | ||
| Test: 'Cannot load Android system. Your data may be corrupt. ...' | ||
| (cherry picked from https://android-review.googlesource.com/q/commit:0d00031851e9f5d8ef93947205a7e8b5257f0d8d) | ||
| Ignore-AOSP-First: Security fix backport | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c85d5febdc186f7fa1af2d0a6bdf705683437a98) | ||
| Merged-In: I5eb8e97f3ae1a18d5e7e7c2c7eca048ebff3440a | ||
| Change-Id: I5eb8e97f3ae1a18d5e7e7c2c7eca048ebff3440a | ||
| --- | ||
| .../security/AndroidKeyStoreMaintenance.java | 22 +++++++++++++++++++ | ||
| .../recoverysystem/RecoverySystemService.java | 19 ++++++++++++++++ | ||
| 2 files changed, 41 insertions(+) | ||
|
|
||
| diff --git a/keystore/java/android/security/AndroidKeyStoreMaintenance.java b/keystore/java/android/security/AndroidKeyStoreMaintenance.java | ||
| index 919a93b8f107..b2d1755bb860 100644 | ||
| --- a/keystore/java/android/security/AndroidKeyStoreMaintenance.java | ||
| +++ b/keystore/java/android/security/AndroidKeyStoreMaintenance.java | ||
| @@ -18,8 +18,10 @@ package android.security; | ||
|
|
||
| import android.annotation.NonNull; | ||
| import android.annotation.Nullable; | ||
| +import android.os.RemoteException; | ||
| import android.os.ServiceManager; | ||
| import android.os.ServiceSpecificException; | ||
| +import android.os.StrictMode; | ||
| import android.security.maintenance.IKeystoreMaintenance; | ||
| import android.system.keystore2.Domain; | ||
| import android.system.keystore2.KeyDescriptor; | ||
| @@ -183,4 +185,24 @@ public class AndroidKeyStoreMaintenance { | ||
| return SYSTEM_ERROR; | ||
| } | ||
| } | ||
| + | ||
| + /** | ||
| + * Deletes all keys in all KeyMint devices. | ||
| + * Called by RecoverySystem before rebooting to recovery in order to delete all KeyMint keys, | ||
| + * including synthetic password protector keys (used by LockSettingsService), as well as keys | ||
| + * protecting DE and metadata encryption keys (used by vold). This ensures that FBE-encrypted | ||
| + * data is unrecoverable even if the data wipe in recovery is interrupted or skipped. | ||
| + */ | ||
| + public static void deleteAllKeys() throws KeyStoreException { | ||
| + StrictMode.noteDiskWrite(); | ||
| + try { | ||
| + getService().deleteAllKeys(); | ||
| + } catch (RemoteException | NullPointerException e) { | ||
| + throw new KeyStoreException(SYSTEM_ERROR, | ||
| + "Failure to connect to Keystore while trying to delete all keys."); | ||
| + } catch (ServiceSpecificException e) { | ||
| + throw new KeyStoreException(e.errorCode, | ||
| + "Keystore error while trying to delete all keys."); | ||
| + } | ||
| + } | ||
| } | ||
| diff --git a/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java b/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java | ||
| index 9d5173a8da09..91e2803427a8 100644 | ||
| --- a/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java | ||
| +++ b/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java | ||
| @@ -53,6 +53,7 @@ import android.os.ShellCallback; | ||
| import android.os.SystemProperties; | ||
| import android.provider.DeviceConfig; | ||
| import android.sysprop.ApexProperties; | ||
| +import android.security.AndroidKeyStoreMaintenance; | ||
| import android.util.ArrayMap; | ||
| import android.util.ArraySet; | ||
| import android.util.FastImmutableArraySet; | ||
| @@ -68,6 +69,7 @@ import com.android.server.LocalServices; | ||
| import com.android.server.SystemService; | ||
| import com.android.server.pm.ApexManager; | ||
| import com.android.server.recoverysystem.hal.BootControlHIDL; | ||
| +import com.android.server.utils.Slogf; | ||
|
|
||
| import libcore.io.IoUtils; | ||
|
|
||
| @@ -119,6 +121,8 @@ public class RecoverySystemService extends IRecoverySystem.Stub implements Reboo | ||
| static final String LSKF_CAPTURED_TIMESTAMP_PREF = "lskf_captured_timestamp"; | ||
| static final String LSKF_CAPTURED_COUNT_PREF = "lskf_captured_count"; | ||
|
|
||
| + static final String RECOVERY_WIPE_DATA_COMMAND = "--wipe_data"; | ||
| + | ||
| private final Injector mInjector; | ||
| private final Context mContext; | ||
|
|
||
| @@ -522,17 +526,32 @@ public class RecoverySystemService extends IRecoverySystem.Stub implements Reboo | ||
| @Override // Binder call | ||
| public void rebootRecoveryWithCommand(String command) { | ||
| if (DEBUG) Slog.d(TAG, "rebootRecoveryWithCommand: [" + command + "]"); | ||
| + | ||
| + boolean isForcedWipe = command != null && command.contains(RECOVERY_WIPE_DATA_COMMAND); | ||
| synchronized (sRequestLock) { | ||
| if (!setupOrClearBcb(true, command)) { | ||
| return; | ||
| } | ||
|
|
||
| + if (isForcedWipe) { | ||
| + deleteSecrets(); | ||
| + } | ||
| + | ||
| // Having set up the BCB, go ahead and reboot. | ||
| PowerManager pm = mInjector.getPowerManager(); | ||
| pm.reboot(PowerManager.REBOOT_RECOVERY); | ||
| } | ||
| } | ||
|
|
||
| + private static void deleteSecrets() { | ||
| + Slogf.w(TAG, "deleteSecrets"); | ||
| + try { | ||
| + AndroidKeyStoreMaintenance.deleteAllKeys(); | ||
| + } catch (android.security.KeyStoreException e) { | ||
| + Log.wtf(TAG, "Failed to delete all keys from keystore.", e); | ||
| + } | ||
| + } | ||
| + | ||
| private void enforcePermissionForResumeOnReboot() { | ||
| if (mContext.checkCallingOrSelfPermission(android.Manifest.permission.RECOVERY) | ||
| != PackageManager.PERMISSION_GRANTED | ||
| -- | ||
| 2.46.0.rc2.264.g509ed76dc8-goog | ||
|
|
31 changes: 31 additions & 0 deletions
31
...ges/apps/Settings/14_0014-Limit-wifi-item-edit-content-s-max-length-to-500.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| From 2968ccc911956fa5813a9a6a5e5c8970e383a60f Mon Sep 17 00:00:00 2001 | ||
| From: Chaohui Wang <[email protected]> | ||
| Date: Thu, 2 Nov 2023 11:43:00 +0800 | ||
| Subject: [PATCH] Limit wifi item edit content's max length to 500 | ||
|
|
||
| Bug: 293199910 | ||
| Test: manual - on "Add network" | ||
|
|
||
| (cherry picked from commit 855053ca4124f2d515b21c469096f8c18bd4829d) | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:092668676af741719d50ac0f121a8f8461aa21ad) | ||
| Merged-In: I303b8c6e0f3c3a1174a047ba98f302042e5db9ae | ||
| Change-Id: I303b8c6e0f3c3a1174a047ba98f302042e5db9ae | ||
| --- | ||
| res/values/styles.xml | 1 + | ||
| 1 file changed, 1 insertion(+) | ||
|
|
||
| diff --git a/res/values/styles.xml b/res/values/styles.xml | ||
| index fe152266f9..2696d9b475 100644 | ||
| --- a/res/values/styles.xml | ||
| +++ b/res/values/styles.xml | ||
| @@ -121,6 +121,7 @@ | ||
| <item name="android:textAppearance">@android:style/TextAppearance.DeviceDefault.Medium</item> | ||
| <item name="android:textColorHint">?android:attr/textColorSecondary</item> | ||
| <item name="android:minHeight">@dimen/min_tap_target_size</item> | ||
| + <item name="android:maxLength">500</item> | ||
| </style> | ||
|
|
||
| <style name="wifi_section"> | ||
| -- | ||
| 2.46.0.rc2.264.g509ed76dc8-goog | ||
|
|
Oops, something went wrong.