ASB-OCT 2024 Security Patches integration

Integrating Google Android Security Bulletin Patches Test done: STS r31 TCs Passed. Tracked-On: OAM-125586 Signed-off-by: AlamIntel <[email protected]>
projectceladon · Sep 25, 2024 · ed75a94 · ed75a94
1 parent df75202
commit ed75a94
Show file tree

Hide file tree

Showing 7 changed files with 264 additions and 1 deletion.
diff --git a/aosp_diff/base_aaos/build/make/0004-Update-security_patch_level-string.patch b/aosp_diff/base_aaos/build/make/0004-Update-security_patch_level-string.patch
@@ -20,7 +20,7 @@ index 0daae6bdcb..d14bd65167 100644
      #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
      #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
 -    PLATFORM_SECURITY_PATCH := 2022-06-05
-+    PLATFORM_SECURITY_PATCH := 2024-09-01
++    PLATFORM_SECURITY_PATCH := 2024-10-01
  endif
  .KATI_READONLY := PLATFORM_SECURITY_PATCH
 

diff --git a/aosp_diff/base_aaos/frameworks/base/99_0291-Fail-parseUri-if-end-is-missing.bulletin.patch b/aosp_diff/base_aaos/frameworks/base/99_0291-Fail-parseUri-if-end-is-missing.bulletin.patch
@@ -0,0 +1,33 @@
+From ffaac4a576939731de7dc13429ec961aec1ae0e0 Mon Sep 17 00:00:00 2001
+From: William Loh <[email protected]>
+Date: Mon, 3 Jun 2024 12:56:47 -0700
+Subject: [PATCH] Fail parseUri if end is missing
+
+Bug: 318683126
+Test: atest IntentTest
+Flag: EXEMPT bugfix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b85bee508793e31d6fe37fc9cd4e8fa3787113cc)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d754ed6dd1fd321746f5ec4742831ffd97a9967)
+Merged-In: I5f619ced684ff505ce2b7408cd35dd3e9be89dea
+Change-Id: I5f619ced684ff505ce2b7408cd35dd3e9be89dea
+---
+ core/java/android/content/Intent.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java
+index 6224758ce71a..ec67c7239df2 100644
+--- a/core/java/android/content/Intent.java
++++ b/core/java/android/content/Intent.java
+@@ -7322,6 +7322,9 @@ public class Intent implements Parcelable, Cloneable {
+                 int eq = uri.indexOf('=', i);
+                 if (eq < 0) eq = i-1;
+                 int semi = uri.indexOf(';', i);
++                if (semi < 0) {
++                    throw new URISyntaxException(uri, "uri end not found");
++                }
+                 String value = eq < semi ? Uri.decode(uri.substring(eq + 1, semi)) : "";
+
+                 // action
+-- 
+2.46.0.469.g59c65b2a67-goog
+
diff --git a/..._aaos/frameworks/base/99_0292-Update-AccountManagerService-checkKeyIntent-.bulletin.patch b/..._aaos/frameworks/base/99_0292-Update-AccountManagerService-checkKeyIntent-.bulletin.patch
@@ -0,0 +1,35 @@
+From 638ddfbcdc68bb9a103927d447e2b7a12a9e4a7d Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <[email protected]>
+Date: Thu, 11 Jul 2024 12:39:22 -0700
+Subject: [PATCH] Update AccountManagerService checkKeyIntent.
+
+Block intents with "content" data scheme.
+
+Bug: 349780950
+Test: manual
+Flag: EXEMPT bugfix
+(cherry picked from commit c1e79495a49bd4d3e380136fe4bca7ac1a9ed763)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59b2cc4447fbbdea58840f5b9d885d83241ac5f5)
+Merged-In: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c
+Change-Id: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c
+---
+ .../com/android/server/accounts/AccountManagerService.java     | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 43944b050de4..d55be44f62cd 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -4895,6 +4895,9 @@ public class AccountManagerService
+                 if (resolveInfo == null) {
+                     return false;
+                 }
++                if ("content".equals(intent.getScheme())) {
++                    return false;
++                }
+                 ActivityInfo targetActivityInfo = resolveInfo.activityInfo;
+                 int targetUid = targetActivityInfo.applicationInfo.uid;
+                 PackageManagerInternal pmi = LocalServices.getService(PackageManagerInternal.class);
+-- 
+2.46.0.469.g59c65b2a67-goog
+
diff --git a/.../frameworks/base/99_0293-Prevent-Sharing-when-FRP-enforcement-is-in-effect.bulletin.patch b/.../frameworks/base/99_0293-Prevent-Sharing-when-FRP-enforcement-is-in-effect.bulletin.patch
@@ -0,0 +1,42 @@
+From edd911388ced1d5d8783f0f91068a01970e01ed7 Mon Sep 17 00:00:00 2001
+From: Mark Renouf <[email protected]>
+Date: Thu, 20 Jun 2024 16:37:42 -0400
+Subject: [PATCH] Prevent Sharing when FRP enforcement is in effect
+
+ADB command to trigger sharing:
+
+```
+adb shell 'am start -a android.intent.action.CHOOSER --eu android.intent.extra.INTENT "intent:#Intent;action=android.intent.action.SEND;type=text/plain;S.android.intent.extra.TEXT=Shared%20text;end"'
+```
+
+Bug: 327645387
+Test: manual; trigger FRP; attempt to open share sheet using adb
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5080af26387a18d5638d5a42eadfb8d4d700518c)
+Merged-In: I1db78ab74babe71b516f601be35cf476b5e43271
+Change-Id: I1db78ab74babe71b516f601be35cf476b5e43271
+---
+ core/java/com/android/internal/app/ChooserActivity.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/core/java/com/android/internal/app/ChooserActivity.java b/core/java/com/android/internal/app/ChooserActivity.java
+index a204dc0112c9..2fa16ffd94e9 100644
+--- a/core/java/com/android/internal/app/ChooserActivity.java
++++ b/core/java/com/android/internal/app/ChooserActivity.java
+@@ -600,6 +600,14 @@ public class ChooserActivity extends ResolverActivity implements
+
+     @Override
+     protected void onCreate(Bundle savedInstanceState) {
++        if (Settings.Secure.getIntForUser(getContentResolver(),
++                Settings.Secure.SECURE_FRP_MODE, 0,
++                getUserId()) == 1) {
++            Log.e(TAG, "Sharing disabled due to active FRP lock.");
++            super.onCreate(savedInstanceState);
++            finish();
++            return;
++        }
+         final long intentReceivedTime = System.currentTimeMillis();
+         getChooserActivityLogger().logSharesheetTriggered();
+         // This is the only place this value is being set. Effectively final.
+-- 
+2.46.0.469.g59c65b2a67-goog
+
diff --git a/...ase/99_0294-RESTRICT-AUTOMERGE-Check-whether-installerPackageName-contains.bulletin.patch b/...ase/99_0294-RESTRICT-AUTOMERGE-Check-whether-installerPackageName-contains.bulletin.patch
@@ -0,0 +1,42 @@
+From 601929fb8d236a7e60cb65d2a53409447e62a923 Mon Sep 17 00:00:00 2001
+From: Sumedh Sen <[email protected]>
+Date: Wed, 17 Jul 2024 01:00:55 +0000
+Subject: [PATCH] [RESTRICT AUTOMERGE] Check whether installerPackageName
+ contains only valid characters
+
+Bug: 341256391
+Bug: 307532206
+Test: sts-tradefed run sts-dynamic-develop -m CtsSecurityTestCases -t android.security.cts.CVE_2024_0044
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9b850b6f68e63288f240439601723412324381bb)
+Merged-In: I74a172c617d6f5b13f0708092156b657b73b5891
+Change-Id: I74a172c617d6f5b13f0708092156b657b73b5891
+---
+ .../com/android/server/pm/PackageInstallerService.java     | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/pm/PackageInstallerService.java b/services/core/java/com/android/server/pm/PackageInstallerService.java
+index 02515cfdc16a..310c56ef1260 100644
+--- a/services/core/java/com/android/server/pm/PackageInstallerService.java
++++ b/services/core/java/com/android/server/pm/PackageInstallerService.java
+@@ -609,12 +609,17 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements
+         params.appLabel = TextUtils.trimToSize(params.appLabel,
+                 PackageItemInfo.MAX_SAFE_LABEL_LENGTH);
+
+-        // Validate installer package name.
++        // Validate requested installer package name.
+         if (params.installerPackageName != null && !isValidPackageName(
+                 params.installerPackageName)) {
+             params.installerPackageName = null;
+         }
+
++        // Validate installer package name.
++        if (installerPackageName != null && !isValidPackageName(installerPackageName)) {
++            installerPackageName = null;
++        }
++
+         String requestedInstallerPackageName =
+                 params.installerPackageName != null ? params.installerPackageName
+                         : installerPackageName;
+-- 
+2.46.0.469.g59c65b2a67-goog
+
diff --git a/...ff/base_aaos/libcore/02_0002-Do-not-accept-zip-files-with-invalid-headers-.bulletin.patch b/...ff/base_aaos/libcore/02_0002-Do-not-accept-zip-files-with-invalid-headers-.bulletin.patch
@@ -0,0 +1,56 @@
+From 9649db56157cafe575f997d9c207498eda987775 Mon Sep 17 00:00:00 2001
+From: Almaz Mingaleev <[email protected]>
+Date: Wed, 10 Jul 2024 13:38:35 +0100
+Subject: [PATCH] Do not accept zip files with invalid headers.
+
+According to Section 4.3.6 in [1] non-empty zip file starts with
+local file header. 4.3.1 allows empty files, and in such case
+file starts with "end of central directory record".
+
+This aligns ZipFile with libziparchive modulo empty zip files -
+libziparchive rejects them.
+
+Tests are skipped because sc-dev branch uses ART module
+prebuilts, but builds tests from sources which leads to presubmit
+failures.
+
+Ignore-AOSP-First: b/309938635#comment1
+
+[1] https://pkwaredownloads.blob.core.windows.net/pem/APPNOTE.txt
+
+Bug: 309938635
+Test: CtsLibcoreTestCases
+Test: CtsLibcoreOjTestCases
+(cherry picked from commit 288a44a1817707110cdf5a3a6ef8377c6e10cce2)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:43e428a99aa89a9dfbe93000171721ecbfc31b88)
+Merged-In: I545cdd49ec3cc138331145f4716c8148662a478b
+Change-Id: I545cdd49ec3cc138331145f4716c8148662a478b
+---
+ ojluni/src/main/native/zip_util.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/ojluni/src/main/native/zip_util.c b/ojluni/src/main/native/zip_util.c
+index aa9c5cede9e..16951a78ede 100644
+--- a/ojluni/src/main/native/zip_util.c
++++ b/ojluni/src/main/native/zip_util.c
+@@ -878,6 +878,17 @@ ZIP_Put_In_Cache0(const char *name, ZFILE zfd, char **pmsg, jlong lastModified,
+             zip->locsig = JNI_TRUE;
+         else
+             zip->locsig = JNI_FALSE;
++
++        // BEGIN Android-changed: do not accept files with invalid header.
++        if (GETSIG(errbuf) != LOCSIG && GETSIG(errbuf) != ENDSIG) {
++            if (pmsg) {
++                *pmsg = strdup("Entry at offset zero has invalid LFH signature.");
++            }
++            ZFILE_Close(zfd);
++            freeZip(zip);
++            return NULL;
++        }
++        // END Android-changed: do not accept files with invalid header.
+     }
+
+     // This lseek is safe because it happens during construction of the ZipFile
+-- 
+2.46.0.469.g59c65b2a67-goog
+
diff --git a/...gs/42_0042-RESTRICT-AUTOMERGE-FRP-bypass-defense-in-App-battery-usage-page.bulletin.patch b/...gs/42_0042-RESTRICT-AUTOMERGE-FRP-bypass-defense-in-App-battery-usage-page.bulletin.patch
@@ -0,0 +1,55 @@
+From 375a30ad50053aa5edae357c8ee127fb759fe3bb Mon Sep 17 00:00:00 2001
+From: Yiling Chuang <[email protected]>
+Date: Mon, 8 Jul 2024 03:09:50 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE FRP bypass defense in App battery usage
+ page
+
+Before the setup flow completion, don't allow the app info page in App battery usage to be launched.
+
+Bug: 327748846
+Test: atest SettingsRoboTests + manual test
+- factory reset + launch app battery usage app info via ADB during Setup -> verify app closes
+Flag : EXEMPT bugfix
+
+(cherry picked from commit 419a6a907902a12a0f565c808fa70092004d6686)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b0014ed6e69b0abc48a5c18b740f95bc5dc429)
+Merged-In: I486820ca2afecc02729a56a3c531fb931c1907d0
+Change-Id: I486820ca2afecc02729a56a3c531fb931c1907d0
+---
+ .../android/settings/fuelgauge/AdvancedPowerUsageDetail.java | 5 +++++
+ .../settings/fuelgauge/AdvancedPowerUsageDetailTest.java     | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java
+index 3741bfe804..d89286d4e4 100644
+--- a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java
++++ b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java
+@@ -283,6 +283,11 @@ public class AdvancedPowerUsageDetail extends DashboardFragment implements
+         }
+     }
+
++    @Override
++    protected boolean shouldSkipForInitialSUW() {
++        return true;
++    }
++
+     @Override
+     public void onPause() {
+         super.onPause();
+diff --git a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java
+index 0a48cd1b12..212ac21cd0 100644
+--- a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java
++++ b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java
+@@ -859,4 +859,9 @@ public class AdvancedPowerUsageDetailTest {
+
+         verifyZeroInteractions(mBackupManager);
+     }
++
++    @Test
++    public void shouldSkipForInitialSUW_returnTrue() {
++        assertThat(mFragment.shouldSkipForInitialSUW()).isTrue();
++    }
+ }
+-- 
+2.46.0.469.g59c65b2a67-goog
+