diff --git a/aosp_diff/base_aaos/build/make/0004-Update-security_patch_level-string.patch b/aosp_diff/base_aaos/build/make/0004-Update-security_patch_level-string.patch index 5688ae882b..041c7da27e 100644 --- a/aosp_diff/base_aaos/build/make/0004-Update-security_patch_level-string.patch +++ b/aosp_diff/base_aaos/build/make/0004-Update-security_patch_level-string.patch @@ -20,7 +20,7 @@ index 0daae6bdcb..d14bd65167 100644 # It must match one of the Android Security Patch Level strings of the Public Security Bulletins. # If there is no $PLATFORM_SECURITY_PATCH set, keep it empty. - PLATFORM_SECURITY_PATCH := 2022-06-05 -+ PLATFORM_SECURITY_PATCH := 2024-09-01 ++ PLATFORM_SECURITY_PATCH := 2024-10-01 endif .KATI_READONLY := PLATFORM_SECURITY_PATCH diff --git a/aosp_diff/base_aaos/frameworks/base/99_0291-Fail-parseUri-if-end-is-missing.bulletin.patch b/aosp_diff/base_aaos/frameworks/base/99_0291-Fail-parseUri-if-end-is-missing.bulletin.patch new file mode 100644 index 0000000000..6d4141a631 --- /dev/null +++ b/aosp_diff/base_aaos/frameworks/base/99_0291-Fail-parseUri-if-end-is-missing.bulletin.patch @@ -0,0 +1,33 @@ +From ffaac4a576939731de7dc13429ec961aec1ae0e0 Mon Sep 17 00:00:00 2001 +From: William Loh +Date: Mon, 3 Jun 2024 12:56:47 -0700 +Subject: [PATCH] Fail parseUri if end is missing + +Bug: 318683126 +Test: atest IntentTest +Flag: EXEMPT bugfix +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b85bee508793e31d6fe37fc9cd4e8fa3787113cc) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d754ed6dd1fd321746f5ec4742831ffd97a9967) +Merged-In: I5f619ced684ff505ce2b7408cd35dd3e9be89dea +Change-Id: I5f619ced684ff505ce2b7408cd35dd3e9be89dea +--- + core/java/android/content/Intent.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java +index 6224758ce71a..ec67c7239df2 100644 +--- a/core/java/android/content/Intent.java ++++ b/core/java/android/content/Intent.java +@@ -7322,6 +7322,9 @@ public class Intent implements Parcelable, Cloneable { + int eq = uri.indexOf('=', i); + if (eq < 0) eq = i-1; + int semi = uri.indexOf(';', i); ++ if (semi < 0) { ++ throw new URISyntaxException(uri, "uri end not found"); ++ } + String value = eq < semi ? Uri.decode(uri.substring(eq + 1, semi)) : ""; + + // action +-- +2.46.0.469.g59c65b2a67-goog + diff --git a/aosp_diff/base_aaos/frameworks/base/99_0292-Update-AccountManagerService-checkKeyIntent-.bulletin.patch b/aosp_diff/base_aaos/frameworks/base/99_0292-Update-AccountManagerService-checkKeyIntent-.bulletin.patch new file mode 100644 index 0000000000..408eeee032 --- /dev/null +++ b/aosp_diff/base_aaos/frameworks/base/99_0292-Update-AccountManagerService-checkKeyIntent-.bulletin.patch @@ -0,0 +1,35 @@ +From 638ddfbcdc68bb9a103927d447e2b7a12a9e4a7d Mon Sep 17 00:00:00 2001 +From: Dmitry Dementyev +Date: Thu, 11 Jul 2024 12:39:22 -0700 +Subject: [PATCH] Update AccountManagerService checkKeyIntent. + +Block intents with "content" data scheme. + +Bug: 349780950 +Test: manual +Flag: EXEMPT bugfix +(cherry picked from commit c1e79495a49bd4d3e380136fe4bca7ac1a9ed763) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59b2cc4447fbbdea58840f5b9d885d83241ac5f5) +Merged-In: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c +Change-Id: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c +--- + .../com/android/server/accounts/AccountManagerService.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index 43944b050de4..d55be44f62cd 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -4895,6 +4895,9 @@ public class AccountManagerService + if (resolveInfo == null) { + return false; + } ++ if ("content".equals(intent.getScheme())) { ++ return false; ++ } + ActivityInfo targetActivityInfo = resolveInfo.activityInfo; + int targetUid = targetActivityInfo.applicationInfo.uid; + PackageManagerInternal pmi = LocalServices.getService(PackageManagerInternal.class); +-- +2.46.0.469.g59c65b2a67-goog + diff --git a/aosp_diff/base_aaos/frameworks/base/99_0293-Prevent-Sharing-when-FRP-enforcement-is-in-effect.bulletin.patch b/aosp_diff/base_aaos/frameworks/base/99_0293-Prevent-Sharing-when-FRP-enforcement-is-in-effect.bulletin.patch new file mode 100644 index 0000000000..c305aaffe1 --- /dev/null +++ b/aosp_diff/base_aaos/frameworks/base/99_0293-Prevent-Sharing-when-FRP-enforcement-is-in-effect.bulletin.patch @@ -0,0 +1,42 @@ +From edd911388ced1d5d8783f0f91068a01970e01ed7 Mon Sep 17 00:00:00 2001 +From: Mark Renouf +Date: Thu, 20 Jun 2024 16:37:42 -0400 +Subject: [PATCH] Prevent Sharing when FRP enforcement is in effect + +ADB command to trigger sharing: + +``` +adb shell 'am start -a android.intent.action.CHOOSER --eu android.intent.extra.INTENT "intent:#Intent;action=android.intent.action.SEND;type=text/plain;S.android.intent.extra.TEXT=Shared%20text;end"' +``` + +Bug: 327645387 +Test: manual; trigger FRP; attempt to open share sheet using adb +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5080af26387a18d5638d5a42eadfb8d4d700518c) +Merged-In: I1db78ab74babe71b516f601be35cf476b5e43271 +Change-Id: I1db78ab74babe71b516f601be35cf476b5e43271 +--- + core/java/com/android/internal/app/ChooserActivity.java | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/core/java/com/android/internal/app/ChooserActivity.java b/core/java/com/android/internal/app/ChooserActivity.java +index a204dc0112c9..2fa16ffd94e9 100644 +--- a/core/java/com/android/internal/app/ChooserActivity.java ++++ b/core/java/com/android/internal/app/ChooserActivity.java +@@ -600,6 +600,14 @@ public class ChooserActivity extends ResolverActivity implements + + @Override + protected void onCreate(Bundle savedInstanceState) { ++ if (Settings.Secure.getIntForUser(getContentResolver(), ++ Settings.Secure.SECURE_FRP_MODE, 0, ++ getUserId()) == 1) { ++ Log.e(TAG, "Sharing disabled due to active FRP lock."); ++ super.onCreate(savedInstanceState); ++ finish(); ++ return; ++ } + final long intentReceivedTime = System.currentTimeMillis(); + getChooserActivityLogger().logSharesheetTriggered(); + // This is the only place this value is being set. Effectively final. +-- +2.46.0.469.g59c65b2a67-goog + diff --git a/aosp_diff/base_aaos/frameworks/base/99_0294-RESTRICT-AUTOMERGE-Check-whether-installerPackageName-contains.bulletin.patch b/aosp_diff/base_aaos/frameworks/base/99_0294-RESTRICT-AUTOMERGE-Check-whether-installerPackageName-contains.bulletin.patch new file mode 100644 index 0000000000..693d428537 --- /dev/null +++ b/aosp_diff/base_aaos/frameworks/base/99_0294-RESTRICT-AUTOMERGE-Check-whether-installerPackageName-contains.bulletin.patch @@ -0,0 +1,42 @@ +From 601929fb8d236a7e60cb65d2a53409447e62a923 Mon Sep 17 00:00:00 2001 +From: Sumedh Sen +Date: Wed, 17 Jul 2024 01:00:55 +0000 +Subject: [PATCH] [RESTRICT AUTOMERGE] Check whether installerPackageName + contains only valid characters + +Bug: 341256391 +Bug: 307532206 +Test: sts-tradefed run sts-dynamic-develop -m CtsSecurityTestCases -t android.security.cts.CVE_2024_0044 +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9b850b6f68e63288f240439601723412324381bb) +Merged-In: I74a172c617d6f5b13f0708092156b657b73b5891 +Change-Id: I74a172c617d6f5b13f0708092156b657b73b5891 +--- + .../com/android/server/pm/PackageInstallerService.java | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/services/core/java/com/android/server/pm/PackageInstallerService.java b/services/core/java/com/android/server/pm/PackageInstallerService.java +index 02515cfdc16a..310c56ef1260 100644 +--- a/services/core/java/com/android/server/pm/PackageInstallerService.java ++++ b/services/core/java/com/android/server/pm/PackageInstallerService.java +@@ -609,12 +609,17 @@ public class PackageInstallerService extends IPackageInstaller.Stub implements + params.appLabel = TextUtils.trimToSize(params.appLabel, + PackageItemInfo.MAX_SAFE_LABEL_LENGTH); + +- // Validate installer package name. ++ // Validate requested installer package name. + if (params.installerPackageName != null && !isValidPackageName( + params.installerPackageName)) { + params.installerPackageName = null; + } + ++ // Validate installer package name. ++ if (installerPackageName != null && !isValidPackageName(installerPackageName)) { ++ installerPackageName = null; ++ } ++ + String requestedInstallerPackageName = + params.installerPackageName != null ? params.installerPackageName + : installerPackageName; +-- +2.46.0.469.g59c65b2a67-goog + diff --git a/aosp_diff/base_aaos/libcore/02_0002-Do-not-accept-zip-files-with-invalid-headers-.bulletin.patch b/aosp_diff/base_aaos/libcore/02_0002-Do-not-accept-zip-files-with-invalid-headers-.bulletin.patch new file mode 100644 index 0000000000..bb497fcab5 --- /dev/null +++ b/aosp_diff/base_aaos/libcore/02_0002-Do-not-accept-zip-files-with-invalid-headers-.bulletin.patch @@ -0,0 +1,56 @@ +From 9649db56157cafe575f997d9c207498eda987775 Mon Sep 17 00:00:00 2001 +From: Almaz Mingaleev +Date: Wed, 10 Jul 2024 13:38:35 +0100 +Subject: [PATCH] Do not accept zip files with invalid headers. + +According to Section 4.3.6 in [1] non-empty zip file starts with +local file header. 4.3.1 allows empty files, and in such case +file starts with "end of central directory record". + +This aligns ZipFile with libziparchive modulo empty zip files - +libziparchive rejects them. + +Tests are skipped because sc-dev branch uses ART module +prebuilts, but builds tests from sources which leads to presubmit +failures. + +Ignore-AOSP-First: b/309938635#comment1 + +[1] https://pkwaredownloads.blob.core.windows.net/pem/APPNOTE.txt + +Bug: 309938635 +Test: CtsLibcoreTestCases +Test: CtsLibcoreOjTestCases +(cherry picked from commit 288a44a1817707110cdf5a3a6ef8377c6e10cce2) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:43e428a99aa89a9dfbe93000171721ecbfc31b88) +Merged-In: I545cdd49ec3cc138331145f4716c8148662a478b +Change-Id: I545cdd49ec3cc138331145f4716c8148662a478b +--- + ojluni/src/main/native/zip_util.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/ojluni/src/main/native/zip_util.c b/ojluni/src/main/native/zip_util.c +index aa9c5cede9e..16951a78ede 100644 +--- a/ojluni/src/main/native/zip_util.c ++++ b/ojluni/src/main/native/zip_util.c +@@ -878,6 +878,17 @@ ZIP_Put_In_Cache0(const char *name, ZFILE zfd, char **pmsg, jlong lastModified, + zip->locsig = JNI_TRUE; + else + zip->locsig = JNI_FALSE; ++ ++ // BEGIN Android-changed: do not accept files with invalid header. ++ if (GETSIG(errbuf) != LOCSIG && GETSIG(errbuf) != ENDSIG) { ++ if (pmsg) { ++ *pmsg = strdup("Entry at offset zero has invalid LFH signature."); ++ } ++ ZFILE_Close(zfd); ++ freeZip(zip); ++ return NULL; ++ } ++ // END Android-changed: do not accept files with invalid header. + } + + // This lseek is safe because it happens during construction of the ZipFile +-- +2.46.0.469.g59c65b2a67-goog + diff --git a/aosp_diff/base_aaos/packages/apps/Settings/42_0042-RESTRICT-AUTOMERGE-FRP-bypass-defense-in-App-battery-usage-page.bulletin.patch b/aosp_diff/base_aaos/packages/apps/Settings/42_0042-RESTRICT-AUTOMERGE-FRP-bypass-defense-in-App-battery-usage-page.bulletin.patch new file mode 100644 index 0000000000..21e0aee4e2 --- /dev/null +++ b/aosp_diff/base_aaos/packages/apps/Settings/42_0042-RESTRICT-AUTOMERGE-FRP-bypass-defense-in-App-battery-usage-page.bulletin.patch @@ -0,0 +1,55 @@ +From 375a30ad50053aa5edae357c8ee127fb759fe3bb Mon Sep 17 00:00:00 2001 +From: Yiling Chuang +Date: Mon, 8 Jul 2024 03:09:50 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE FRP bypass defense in App battery usage + page + +Before the setup flow completion, don't allow the app info page in App battery usage to be launched. + +Bug: 327748846 +Test: atest SettingsRoboTests + manual test +- factory reset + launch app battery usage app info via ADB during Setup -> verify app closes +Flag : EXEMPT bugfix + +(cherry picked from commit 419a6a907902a12a0f565c808fa70092004d6686) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b0014ed6e69b0abc48a5c18b740f95bc5dc429) +Merged-In: I486820ca2afecc02729a56a3c531fb931c1907d0 +Change-Id: I486820ca2afecc02729a56a3c531fb931c1907d0 +--- + .../android/settings/fuelgauge/AdvancedPowerUsageDetail.java | 5 +++++ + .../settings/fuelgauge/AdvancedPowerUsageDetailTest.java | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java +index 3741bfe804..d89286d4e4 100644 +--- a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java ++++ b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java +@@ -283,6 +283,11 @@ public class AdvancedPowerUsageDetail extends DashboardFragment implements + } + } + ++ @Override ++ protected boolean shouldSkipForInitialSUW() { ++ return true; ++ } ++ + @Override + public void onPause() { + super.onPause(); +diff --git a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java +index 0a48cd1b12..212ac21cd0 100644 +--- a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java ++++ b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java +@@ -859,4 +859,9 @@ public class AdvancedPowerUsageDetailTest { + + verifyZeroInteractions(mBackupManager); + } ++ ++ @Test ++ public void shouldSkipForInitialSUW_returnTrue() { ++ assertThat(mFragment.shouldSkipForInitialSUW()).isTrue(); ++ } + } +-- +2.46.0.469.g59c65b2a67-goog +