ASB-May 2024 Security Patches integration
Integrating Google Android Security Bulletin Patches

Test done: STS r26 TCs Passed.

Tracked-On: OAM-117886
Signed-off-by: Alam, Sahibex <[email protected]>
AlamIntel authored and sysopenci committed May 6, 2024
1 parent 971dd01 commit 77f2438
Showing 8 changed files with 947 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ index 0daae6bdcb..d14bd65167 100644
# It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
# If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
- PLATFORM_SECURITY_PATCH := 2022-07-05
+ PLATFORM_SECURITY_PATCH := 2024-04-01
+ PLATFORM_SECURITY_PATCH := 2024-05-01
endif
.KATI_READONLY := PLATFORM_SECURITY_PATCH

Original file line number Diff line number Diff line change
@@ -0,0 +1,124 @@
From f596b65cf404f01c5e33dcc9d69e329054b9912b Mon Sep 17 00:00:00 2001
From: Ray Essick <[email protected]>
Date: Wed, 14 Feb 2024 11:10:41 -0600
Subject: [PATCH] fix buffer overrun in eas_wtengine

avoid a buffer overrun in eas_wtengine.
Check buffer limits during application of gain
Clip calculated length in eas_wtsynth

Bug: 317780080
Test: POC with bug
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6b66e7665dbcd891ff23081c13ab0b1637bb1dda)
backporting fix from main
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fbd27460e1d58eca351a331ce7347fec2323d068)
Merged-In: I3609d6a36d89b26ae7eb3ae84cbe7772f6c3bee0
Change-Id: I3609d6a36d89b26ae7eb3ae84cbe7772f6c3bee0
---
arm-wt-22k/lib_src/eas_wtengine.c | 24 ++++++++++++++++++++++++
arm-wt-22k/lib_src/eas_wtsynth.c | 12 +++++++++++-
2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/arm-wt-22k/lib_src/eas_wtengine.c b/arm-wt-22k/lib_src/eas_wtengine.c
index b1ee749..dc8d864 100644
--- a/arm-wt-22k/lib_src/eas_wtengine.c
+++ b/arm-wt-22k/lib_src/eas_wtengine.c
@@ -99,6 +99,10 @@ void WT_VoiceGain (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
ALOGE("b/26366256");
android_errorWriteLog(0x534e4554, "26366256");
return;
+ } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+ android_errorWriteLog(0x534e4554, "317780080");
+ numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
}
pMixBuffer = pWTIntFrame->pMixBuffer;
pInputBuffer = pWTIntFrame->pAudioBuffer;
@@ -196,6 +200,10 @@ void WT_Interpolate (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
ALOGE("b/26366256");
android_errorWriteLog(0x534e4554, "26366256");
return;
+ } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+ android_errorWriteLog(0x534e4554, "317780080");
+ numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
}
pOutputBuffer = pWTIntFrame->pAudioBuffer;

@@ -297,6 +305,10 @@ void WT_InterpolateNoLoop (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
ALOGE("b/26366256");
android_errorWriteLog(0x534e4554, "26366256");
return;
+ } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+ android_errorWriteLog(0x534e4554, "317780080");
+ numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
}
pOutputBuffer = pWTIntFrame->pAudioBuffer;

@@ -397,6 +409,10 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame)
ALOGE("b/26366256");
android_errorWriteLog(0x534e4554, "26366256");
return;
+ } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+ android_errorWriteLog(0x534e4554, "317780080");
+ numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
}
pAudioBuffer = pWTIntFrame->pAudioBuffer;

@@ -465,6 +481,10 @@ void WT_VoiceFilter (S_FILTER_CONTROL *pFilter, S_WT_INT_FRAME *pWTIntFrame)
ALOGE("b/26366256");
android_errorWriteLog(0x534e4554, "26366256");
return;
+ } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+ android_errorWriteLog(0x534e4554, "317780080");
+ numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
}
pOutputBuffer = pWTIntFrame->pAudioBuffer;
phaseInc = pWTIntFrame->frame.phaseIncrement;
@@ -613,6 +633,10 @@ void WT_InterpolateMono (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame)
ALOGE("b/26366256");
android_errorWriteLog(0x534e4554, "26366256");
return;
+ } else if (numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ ALOGE("b/317780080 clip numSamples %ld -> %d", numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+ android_errorWriteLog(0x534e4554, "317780080");
+ numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
}
pMixBuffer = pWTIntFrame->pMixBuffer;

diff --git a/arm-wt-22k/lib_src/eas_wtsynth.c b/arm-wt-22k/lib_src/eas_wtsynth.c
index 74f78f5..ea1fe78 100644
--- a/arm-wt-22k/lib_src/eas_wtsynth.c
+++ b/arm-wt-22k/lib_src/eas_wtsynth.c
@@ -484,7 +484,12 @@ EAS_BOOL WT_CheckSampleEnd (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame, E
/*lint -e{703} use shift for performance */
numSamples = (numSamples << NUM_PHASE_FRAC_BITS) - (EAS_I32) pWTVoice->phaseFrac;
if (pWTIntFrame->frame.phaseIncrement) {
- pWTIntFrame->numSamples = 1 + (numSamples / pWTIntFrame->frame.phaseIncrement);
+ EAS_I32 oldMethod = 1 + (numSamples / pWTIntFrame->frame.phaseIncrement);
+ pWTIntFrame->numSamples =
+ (numSamples + pWTIntFrame->frame.phaseIncrement - 1) / pWTIntFrame->frame.phaseIncrement;
+ if (oldMethod != pWTIntFrame->numSamples) {
+ ALOGE("b/317780080 old %ld new %ld", oldMethod, pWTIntFrame->numSamples);
+ }
} else {
pWTIntFrame->numSamples = numSamples;
}
@@ -492,6 +497,11 @@ EAS_BOOL WT_CheckSampleEnd (S_WT_VOICE *pWTVoice, S_WT_INT_FRAME *pWTIntFrame, E
ALOGE("b/26366256");
android_errorWriteLog(0x534e4554, "26366256");
pWTIntFrame->numSamples = 0;
+ } else if (pWTIntFrame->numSamples > BUFFER_SIZE_IN_MONO_SAMPLES) {
+ ALOGE("b/317780080 clip numSamples %ld -> %d",
+ pWTIntFrame->numSamples, BUFFER_SIZE_IN_MONO_SAMPLES);
+ android_errorWriteLog(0x534e4554, "317780080");
+ pWTIntFrame->numSamples = BUFFER_SIZE_IN_MONO_SAMPLES;
}

/* sound will be done this frame */
--
2.44.0.396.g6e790dbe36-goog
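Review bot: The `oldMethod` comparison added to WT_CheckSampleEnd logs at error level every time the two formulas disagree, and from the two expressions shown they disagree exactly when `numSamples` is a multiple of `phaseIncrement` (old gives `n/p + 1`, new gives `n/p`), so this is a routine per-frame ALOGE in the synthesis path rather than a rare-event diagnostic. If the integration keeps the diagnostic, demote it to ALOGV; otherwise drop the `oldMethod` temporary and the `if` and keep only the ceiling-division assignment. The six clip guards in eas_wtengine.c mirror the clip added in eas_wtsynth.c but appear to assign only a local `numSamples` (its initialisation is outside the hunks), leaving any oversized `pWTIntFrame->numSamples` in place for later stages; each stage re-checks, so a one-line comment such as `/* clips the local copy only; every stage validates pWTIntFrame->numSamples itself */` would make that intent explicit. All the affected functions start and end outside their hunks.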

Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
From da9dd005ceaf2cd681411ff646efd17e1ac75230 Mon Sep 17 00:00:00 2001
From: Songchun Fan <[email protected]>
Date: Mon, 14 Aug 2023 15:24:11 -0700
Subject: [PATCH] [SettingsProvider] verify ringtone URI before setting

Similar to ag/24422287, but the same URI verification should be done in
SettingsProvider as well, which can be called by apps via
Settings.System API or ContentProvider APIs without using
RingtoneManager.

BUG: 227201030
Test: manual with a test app. Will add a CTS test.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1b234678ec122994ccbfc52ac48aafdad7fdb1ed)
Merged-In: Ic0ffa1db14b5660d02880b632a7f2ad9e6e5d84b
Change-Id: Ic0ffa1db14b5660d02880b632a7f2ad9e6e5d84b
---
.../providers/settings/SettingsProvider.java | 31 +++++++++++++++++++
1 file changed, 31 insertions(+)

diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
index 8dd77a675d6e..4df565045e82 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
@@ -1906,6 +1906,9 @@ public class SettingsProvider extends ContentProvider {
cacheName = Settings.System.ALARM_ALERT_CACHE;
}
if (cacheName != null) {
+ if (!isValidAudioUri(name, value)) {
+ return false;
+ }
final File cacheFile = new File(
getRingtoneCacheDir(owningUserId), cacheName);
cacheFile.delete();
@@ -1938,6 +1941,34 @@ public class SettingsProvider extends ContentProvider {
}
}

+ private boolean isValidAudioUri(String name, String uri) {
+ if (uri != null) {
+ Uri audioUri = Uri.parse(uri);
+ if (Settings.AUTHORITY.equals(
+ ContentProvider.getAuthorityWithoutUserId(audioUri.getAuthority()))) {
+ // Don't accept setting the default uri to self-referential URIs like
+ // Settings.System.DEFAULT_RINGTONE_URI, which is an alias to the value of this
+ // setting.
+ return false;
+ }
+ final String mimeType = getContext().getContentResolver().getType(audioUri);
+ if (mimeType == null) {
+ Slog.e(LOG_TAG,
+ "mutateSystemSetting for setting: " + name + " URI: " + audioUri
+ + " ignored: failure to find mimeType (no access from this context?)");
+ return false;
+ }
+ if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg")
+ || mimeType.equals("application/x-flac"))) {
+ Slog.e(LOG_TAG,
+ "mutateSystemSetting for setting: " + name + " URI: " + audioUri
+ + " ignored: associated mimeType: " + mimeType + " is not an audio type");
+ return false;
+ }
+ }
+ return true;
+ }
+
private boolean hasWriteSecureSettingsPermission() {
// Write secure settings is a more protected permission. If caller has it we are good.
return getContext().checkCallingOrSelfPermission(Manifest.permission.WRITE_SECURE_SETTINGS)
--
2.44.0.396.g6e790dbe36-goog
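Review bot: `isValidAudioUri` treats only `null` as "no URI"; an empty string falls through to `Uri.parse("")`, has no authority and no resolvable MIME type, and is rejected with an error-level log, so if any caller clears a ringtone by writing `""` instead of `null` that write now fails (inferred from the null-only guard; confirm against the Settings.System callers named in the commit message). If empty is a legitimate "no ringtone", handle it explicitly up front: `if (uri == null || uri.isEmpty()) { return true; }`. Separately, both `Slog.e` messages print the caller-supplied URI verbatim, and the description says any app can reach this path through Settings.System, so a short comment on the helper noting that the logged URI is app-controlled would help later readers. The method containing the first hunk starts and ends outside it.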

Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
From 049d942fe683630f97c650a1dbc8f5e8d99e1ffd Mon Sep 17 00:00:00 2001
From: Tetiana Meronyk <[email protected]>
Date: Thu, 24 Aug 2023 16:27:30 +0000
Subject: [PATCH] Truncate user data to a limit of 500 characters

Fix vulnerability that allows creating users with no restrictions. This is done by creating an intent to create a user and putting extras that are too long to be serialized. It causes IOException and the restrictions are not written in the file.

By truncating the string values when writing them to the file, we ensure that the exception does not happen and it can be recorded correctly.

Bug: 293602317
Test: install app provided in the bug, open app and click add. Check logcat to see there is no more IOException. Reboot the device by either opening User details page or running adb shell dumpsys user | grep -A12 heen and see that the restrictions are in place.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59042a32c7e192d160c295ecb6477a09bb5da0bb)
Merged-In: I633dc10974a64ef2abd07e67ff2d209847129989
Change-Id: I633dc10974a64ef2abd07e67ff2d209847129989
---
.../android/server/pm/UserManagerService.java | 29 ++++++++++++++-----
1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index 92abc486386a..3b6bcc052726 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -248,6 +248,8 @@ public class UserManagerService extends IUserManager.Stub {

private static final int USER_VERSION = 9;

+ private static final int MAX_USER_STRING_LENGTH = 500;
+
private static final long EPOCH_PLUS_30_YEARS = 30L * 365 * 24 * 60 * 60 * 1000L; // ms

static final int WRITE_USER_MSG = 1;
@@ -3157,15 +3159,17 @@ public class UserManagerService extends IUserManager.Stub {
// Write seed data
if (userData.persistSeedData) {
if (userData.seedAccountName != null) {
- serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME, userData.seedAccountName);
+ serializer.attribute(null, ATTR_SEED_ACCOUNT_NAME,
+ truncateString(userData.seedAccountName));
}
if (userData.seedAccountType != null) {
- serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE, userData.seedAccountType);
+ serializer.attribute(null, ATTR_SEED_ACCOUNT_TYPE,
+ truncateString(userData.seedAccountType));
}
}
if (userInfo.name != null) {
serializer.startTag(null, TAG_NAME);
- serializer.text(userInfo.name);
+ serializer.text(truncateString(userInfo.name));
serializer.endTag(null, TAG_NAME);
}
synchronized (mRestrictionsLock) {
@@ -3205,6 +3209,13 @@ public class UserManagerService extends IUserManager.Stub {
serializer.endDocument();
}

+ private String truncateString(String original) {
+ if (original == null || original.length() <= MAX_USER_STRING_LENGTH) {
+ return original;
+ }
+ return original.substring(0, MAX_USER_STRING_LENGTH);
+ }
+
/*
* Writes the user list file in this format:
*
@@ -3565,6 +3576,8 @@ public class UserManagerService extends IUserManager.Stub {
boolean preCreate, @Nullable String[] disallowedPackages,
@NonNull TimingsTraceAndSlog t, @Nullable Object token)
throws UserManager.CheckedUserOperationException {
+
+ String truncatedName = truncateString(name);
final UserTypeDetails userTypeDetails = mUserTypes.get(userType);
if (userTypeDetails == null) {
Slog.e(LOG_TAG, "Cannot create user of invalid user type: " + userType);
@@ -3590,8 +3603,8 @@ public class UserManagerService extends IUserManager.Stub {

// Try to use a pre-created user (if available).
if (!preCreate && parentId < 0 && isUserTypeEligibleForPreCreation(userTypeDetails)) {
- final UserInfo preCreatedUser = convertPreCreatedUserIfPossible(userType, flags, name,
- token);
+ final UserInfo preCreatedUser = convertPreCreatedUserIfPossible(userType, flags,
+ truncatedName, token);
if (preCreatedUser != null) {
return preCreatedUser;
}
@@ -3684,7 +3697,7 @@ public class UserManagerService extends IUserManager.Stub {
flags &= ~UserInfo.FLAG_EPHEMERAL;
}

- userInfo = new UserInfo(userId, name, null, flags, userType);
+ userInfo = new UserInfo(userId, truncatedName, null, flags, userType);
userInfo.serialNumber = mNextSerialNumber++;
userInfo.creationTime = getCreationTime();
userInfo.partial = true;
@@ -4981,8 +4994,8 @@ public class UserManagerService extends IUserManager.Stub {
Slog.e(LOG_TAG, "No such user for settings seed data u=" + userId);
return;
}
- userData.seedAccountName = accountName;
- userData.seedAccountType = accountType;
+ userData.seedAccountName = truncateString(accountName);
+ userData.seedAccountType = truncateString(accountType);
userData.seedAccountOptions = accountOptions;
userData.persistSeedData = persist;
}
--
2.44.0.396.g6e790dbe36-goog
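Review bot: `truncateString` cuts at a UTF-16 code-unit index, so when units 500 and 501 of `original` form a surrogate pair `substring(0, MAX_USER_STRING_LENGTH)` returns a value ending in a lone high surrogate; depending on the serializer, writing that malformed text may still fail, which is the failure mode the patch is meant to remove. Back off one unit in that case: `int end = MAX_USER_STRING_LENGTH; if (Character.isHighSurrogate(original.charAt(end - 1))) { end--; }` followed by `return original.substring(0, end);`. The helper touches no instance state and could be `static`. The write method and the user-creation method whose bodies the other hunks change start and end outside those hunks.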

Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
From eb4aa8717dcfe02d984225ea06063dd781062480 Mon Sep 17 00:00:00 2001
From: Nan Wu <[email protected]>
Date: Fri, 25 Aug 2023 15:02:28 +0000
Subject: [PATCH] RESTRICT AUTOMERGE Log to detect usage of whitelistToken when
sending non-PI target

Log ActivityManagerService.sendIntentSender if the target is not a
PendingIntent and a non-null whitelistToken is sent to the client.
This is simply to detect if there are real cases this would happen
before we decide simply remove whitelistToken in that case.

Do not pass whitelistToken when sending non-PI target

In ActivityManagerService.sendIntentSender, if the target is not a
PendingIntent, do not send whitelistToken to the client.

Bug: 279428283
Test: Manual test
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7a76717b61d8cb90a4987454f34e88417d68608b)
Merged-In: I017486354a1ab2f14d0472c355583d53c27c4810
Change-Id: I017486354a1ab2f14d0472c355583d53c27c4810
---
.../android/server/am/ActivityManagerService.java | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 322ffd551da3..97343b87480d 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -5034,7 +5034,20 @@ public class ActivityManagerService extends IActivityManager.Stub
intent = new Intent(Intent.ACTION_MAIN);
}
try {
- target.send(code, intent, resolvedType, allowlistToken, null,
+ if (allowlistToken != null) {
+ final int callingUid = Binder.getCallingUid();
+ final String packageName;
+ final long token = Binder.clearCallingIdentity();
+ try {
+ packageName = AppGlobals.getPackageManager().getNameForUid(callingUid);
+ } finally {
+ Binder.restoreCallingIdentity(token);
+ }
+ Slog.wtf(TAG, "Send a non-null allowlistToken to a non-PI target."
+ + " Calling package: " + packageName + "; intent: " + intent
+ + "; options: " + options);
+ }
+ target.send(code, intent, resolvedType, null, null,
requiredPermission, options);
} catch (RemoteException e) {
}
--
2.44.0.396.g6e790dbe36-goog
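Review bot: The `Slog.wtf` in this hunk fires on a condition the caller controls — `sendIntentSender` with a non-PendingIntent target and a non-null `allowlistToken` — and the description says the log exists only to measure whether such cases occur, while the `target.send` line now drops the token regardless. A wtf report produces a stack dump and a DropBox entry each time and, depending on build configuration, may be treated as fatal, so a caller looping on this call can generate an unbounded number of reports; since the token is already discarded, `Slog.w` or a rate-limited log carries the same telemetry with less exposure. The identity is correctly cleared only around the `getNameForUid` lookup; that call may return null, which simply prints as "null" in the message. The enclosing method starts and ends outside the hunk.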
