diff --git a/aosp_diff/preliminary/build/make/0004-Update-security_patch_level-string.patch b/aosp_diff/preliminary/build/make/0004-Update-security_patch_level-string.patch index d0d90b9f44..4658511c7c 100644 --- a/aosp_diff/preliminary/build/make/0004-Update-security_patch_level-string.patch +++ b/aosp_diff/preliminary/build/make/0004-Update-security_patch_level-string.patch @@ -20,7 +20,7 @@ index 13b85c0663..084f400e67 100644 # It must match one of the Android Security Patch Level strings of the Public Security Bulletins. # If there is no $PLATFORM_SECURITY_PATCH set, keep it empty. - PLATFORM_SECURITY_PATCH := 2021-07-05 -+ PLATFORM_SECURITY_PATCH := 2021-11-01 ++ PLATFORM_SECURITY_PATCH := 2021-12-01 endif .KATI_READONLY := PLATFORM_SECURITY_PATCH diff --git a/aosp_diff/preliminary/external/tremolo/0001-handle-cases-where-order-isn-t-a-multiple-of-dimensi.patch b/aosp_diff/preliminary/external/tremolo/0001-handle-cases-where-order-isn-t-a-multiple-of-dimensi.patch new file mode 100644 index 0000000000..c01731c2c6 --- /dev/null +++ b/aosp_diff/preliminary/external/tremolo/0001-handle-cases-where-order-isn-t-a-multiple-of-dimensi.patch 
@@ -0,0 +1,81 @@ +From e5988a8dac6a20fc61d610f5ebe1f85fc12820f6 Mon Sep 17 00:00:00 2001 +From: Harish Mahendrakar +Date: Wed, 15 Sep 2021 18:40:53 -0700 +Subject: [PATCH] handle cases where order isn't a multiple of dimension + +loop around vorbis_book_decodev_set() didn't support a case where +info->order wasn't an integer multple of dimension. + +vorbis_book_decodev_set() is now updated to handle the loop inside +with appropriate checks added. + +Other functions vorbis_book_decode_*() have appropriate checks where +they are called. So added a comment for those. + +This fix is similar to the one in Xiph tremor project's +commit 80661a13c93a01f25b8df4e89fecad0eee69ddcc + +Bug: 199065614 +Test: clusterfuzz generated poc in bug +Test: atest VorbisDecoderTest -- --enable-module-dynamic-download=true +Test: atest VtsHalMediaC2V1_0TargetAudioDecTest +Test: atest CtsMediaV2TestCases -- --module-arg CtsMediaV2TestCases:\ + instrumentation-arg:codec-prefix:=c2.android.vorbis.decoder + +Change-Id: Ibb94e7fc361e843caad7f7620229377dc1f8dd73 +(cherry picked from commit 42aa2b936a078e2f69725e95009affcc93cb0f98) +--- + Tremolo/codebook.c | 5 +++++ + Tremolo/floor0.c | 5 ++--- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/Tremolo/codebook.c b/Tremolo/codebook.c +index 43c4917..326a9bc 100644 +--- a/Tremolo/codebook.c ++++ b/Tremolo/codebook.c +@@ -848,6 +848,7 @@ static int decode_map(codebook *s, oggpack_buffer *b, ogg_int32_t *v, int point) + #endif + + /* returns 0 on OK or -1 on eof *************************************/ ++/* decode vector / dim granularity gaurding is done in the upper layer */ + long vorbis_book_decodevs_add(codebook *book,ogg_int32_t *a, + oggpack_buffer *b,int n,int point){ + if(book->used_entries>0){ +@@ -865,6 +866,7 @@ long vorbis_book_decodevs_add(codebook *book,ogg_int32_t *a, + return 0; + } + ++/* decode vector / dim granularity gaurding is done in the upper layer */ + long vorbis_book_decodev_add(codebook *book,ogg_int32_t 
*a, + oggpack_buffer *b,int n,int point){ + if(book->used_entries>0){ +@@ -881,6 +883,9 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a, + return 0; + } + ++/* unlike the others, we guard against n not being an integer number ++ of internally rather than in the upper layer (called only by ++ floor0) */ + long vorbis_book_decodev_set(codebook *book,ogg_int32_t *a, + oggpack_buffer *b,int n,int point){ + if(book->used_entries>0){ +diff --git a/Tremolo/floor0.c b/Tremolo/floor0.c +index 7e74d1e..ea814e5 100644 +--- a/Tremolo/floor0.c ++++ b/Tremolo/floor0.c +@@ -426,10 +426,9 @@ ogg_int32_t *floor0_inverse1(vorbis_dsp_state *vd,vorbis_info_floor *i, + } + ogg_int32_t last=0; + +- for(j=0;jorder;j+=b->dim) +- if(vorbis_book_decodev_set(b,lsp+j,&vd->opb,b->dim,-24)==-1)goto eop; ++ if(vorbis_book_decodev_set(b,lsp,&vd->opb,info->order,-24)==-1)goto eop; + for(j=0;jorder;){ +- for(k=0;kdim;k++,j++)lsp[j]+=last; ++ for(k=0;kdim && jorder;k++,j++)lsp[j]+=last; + last=lsp[j-1]; + } + +-- +2.17.1 + diff --git a/aosp_diff/preliminary/frameworks/av/08_0008-Fix-heap-buffer-overflow-in-MPEG4Extractor-am-d13a4e.patch b/aosp_diff/preliminary/frameworks/av/08_0008-Fix-heap-buffer-overflow-in-MPEG4Extractor-am-d13a4e.patch new file mode 100644 index 0000000000..723eb8df62 --- /dev/null +++ b/aosp_diff/preliminary/frameworks/av/08_0008-Fix-heap-buffer-overflow-in-MPEG4Extractor-am-d13a4e.patch 
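Review bot: The comment added above `vorbis_book_decodev_set()` in Tremolo/codebook.c is missing a word ("an integer number of internally"), and the two sibling comments misspell "guarding". Suggested wording, assuming the missing term is the codebook dimension: `/* unlike the others, we guard against n not being an integer multiple of dim internally rather than in the upper layer (called only by floor0) */` and `/* decode vector / dim granularity guarding is done in the upper layer */`. The codebook.c hunks add only comments, so the bounds behaviour that floor0.c now relies on (a single call with `info->order` as n instead of a per-`dim` loop) lives in a function body outside these hunks. It is worth confirming that body stops writing at n when n is not a multiple of `book->dim`.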
@@ -0,0 +1,81 @@
+From d9dfa6429696c6ae18804b0326e582335cff3723 Mon Sep 17 00:00:00 2001
+From: Santiago Seifert
+Date: Thu, 30 Sep 2021 13:15:21 +0000
+Subject: [PATCH] Fix heap-buffer-overflow in MPEG4Extractor am: d13a4efc7a
+
+Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/15747591
+
+Bug: 201632451
+Bug: 188893559
+Change-Id: Ie775311a46cb1ddddd30e8cfa882d549b9ddfd05
+Merged-In: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
+(cherry picked from commit 3c5de138ed3b697e0119e7526ae7f6ed09f357cc)
+---
+ media/extractors/mp4/MPEG4Extractor.cpp | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+ mode change 100755 => 100644 media/extractors/mp4/MPEG4Extractor.cpp
+
+diff --git a/media/extractors/mp4/MPEG4Extractor.cpp b/media/extractors/mp4/MPEG4Extractor.cpp
+old mode 100755
+new mode 100644
+index a976a2b12a..f157d359b2
+--- a/media/extractors/mp4/MPEG4Extractor.cpp
++++ b/media/extractors/mp4/MPEG4Extractor.cpp
+@@ -146,6 +146,7 @@ private:
+
+ MediaBufferHelper *mBuffer;
+
++ size_t mSrcBufferSize;
+ uint8_t *mSrcBuffer;
+
+ bool mIsHeif;
+@@ -4882,6 +4883,7 @@ MPEG4Source::MPEG4Source(
+ mNALLengthSize(0),
+ mStarted(false),
+ mBuffer(NULL),
++ mSrcBufferSize(0),
+ mSrcBuffer(NULL),
+ mIsHeif(itemTable != NULL),
+ mItemTable(itemTable),
+@@ -5060,6 +5062,7 @@ media_status_t MPEG4Source::start() {
+ // file probably specified a bad max size
+ return AMEDIA_ERROR_MALFORMED;
+ }
++ mSrcBufferSize = max_size;
+
+ mStarted = true;
+
+@@ -5076,6 +5079,7 @@ media_status_t MPEG4Source::stop() {
+ mBuffer = NULL;
+ }
+
++ mSrcBufferSize = 0;
+ delete[] mSrcBuffer;
+ mSrcBuffer = NULL;
+
+@@ -6242,13 +6246,20 @@ media_status_t MPEG4Source::read(
+ // Whole NAL units are returned but each fragment is prefixed by
+ // the start code (0x00 00 00 01).
+ ssize_t num_bytes_read = 0;
+- num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
++ bool mSrcBufferFitsDataToRead = size <= mSrcBufferSize;
++ if (mSrcBufferFitsDataToRead) {
++ num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
++ } else {
++ // We are trying to read a sample larger than the expected max sample size.
++ // Fall through and let the failure be handled by the following if.
++ android_errorWriteLog(0x534e4554, "188893559");
++ }
+
+ if (num_bytes_read < (ssize_t)size) {
+ mBuffer->release();
+ mBuffer = NULL;
+
+- return AMEDIA_ERROR_IO;
++ return mSrcBufferFitsDataToRead ? AMEDIA_ERROR_IO : AMEDIA_ERROR_MALFORMED;
+ }
+
+ uint8_t *dstData = (uint8_t *)mBuffer->data();
+--
+2.17.1
+
diff --git a/aosp_diff/preliminary/frameworks/av/09_0009-C2SoftMp3Dec-fix-OOB-write-in-output-buffer.patch b/aosp_diff/preliminary/frameworks/av/09_0009-C2SoftMp3Dec-fix-OOB-write-in-output-buffer.patch
new file mode 100644
index 0000000000..c3c42ec001
--- /dev/null
+++ b/aosp_diff/preliminary/frameworks/av/09_0009-C2SoftMp3Dec-fix-OOB-write-in-output-buffer.patch
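Review bot: In the `MPEG4Source::read()` hunk the oversize case is rejected only indirectly: `num_bytes_read` stays 0 and the code relies on `num_bytes_read < (ssize_t)size` being true, which depends on the signed cast of `size`. Returning `AMEDIA_ERROR_MALFORMED` directly in the oversize branch removes that dependency and the second use of the flag in the return statement. The local `mSrcBufferFitsDataToRead` also carries the `m` member prefix although it is not a member. The guard covers this one `readAt` into `mSrcBuffer`; any other read into the same buffer elsewhere in the file (not visible here) needs the same check. `read()` starts and continues outside the hunk.

```cpp
ssize_t num_bytes_read = 0;
if (size > mSrcBufferSize) {
    // Sample is larger than the buffer sized in start(); reject it here
    // rather than relying on the short-read check below.
    android_errorWriteLog(0x534e4554, "188893559");
    mBuffer->release();
    mBuffer = NULL;
    return AMEDIA_ERROR_MALFORMED;
}
num_bytes_read = mDataSource->readAt(offset, mSrcBuffer, size);
// … unchanged: short-read check, which can return plain AMEDIA_ERROR_IO again …
```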
@@ -0,0 +1,38 @@
+From eb39860fd06575aab3a9d2ba11f4a44acabddc21 Mon Sep 17 00:00:00 2001
+From: Manisha Jajoo
+Date: Fri, 23 Jul 2021 23:03:50 +0530
+Subject: [PATCH] C2SoftMp3Dec: fix OOB write in output buffer
+
+outputFrameSize, calOutSize and outSize are calculated at 8bit level
+However, the library expects outputFrameSize in int16 samples.
+One of the initialization of outputFrameSize was in bytes.
+This is now corrected.
+
+Test: clusterfuzz generated poc in bug
+Test: atest android.mediav2.cts.CodecDecoderTest
+Test: atest VtsHalMediaC2V1_0TargetAudioDecTest
+
+Bug: 193363621
+
+Change-Id: Iac62c4e9d77e7f95f2c692f5ea236e7a5c536dcb
+(cherry picked from commit dc32721e28e79df4dd2f5bb896bcf586ebeda5e9)
+---
+ media/codec2/components/mp3/C2SoftMp3Dec.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/media/codec2/components/mp3/C2SoftMp3Dec.cpp b/media/codec2/components/mp3/C2SoftMp3Dec.cpp
+index 5ba7e3d78f..3984f62278 100644
+--- a/media/codec2/components/mp3/C2SoftMp3Dec.cpp
++++ b/media/codec2/components/mp3/C2SoftMp3Dec.cpp
+@@ -405,7 +405,7 @@ void C2SoftMP3::process(
+ mConfig->inputBufferCurrentLength = (inSize - inPos);
+ mConfig->inputBufferMaxLength = 0;
+ mConfig->inputBufferUsedLength = 0;
+- mConfig->outputFrameSize = (calOutSize - outSize);
++ mConfig->outputFrameSize = (calOutSize - outSize) / sizeof(int16_t);
+ mConfig->pOutputBuffer = reinterpret_cast (wView.data() + outSize);
+
+ ERROR_CODE decoderErr;
+--
+2.17.1
+
diff --git a/aosp_diff/preliminary/frameworks/base/40_0040-Change-ownership-of-the-account-request-notification.patch b/aosp_diff/preliminary/frameworks/base/40_0040-Change-ownership-of-the-account-request-notification.patch
new file mode 100644
index 0000000000..6ab9deb4a7
--- /dev/null
+++ b/aosp_diff/preliminary/frameworks/base/40_0040-Change-ownership-of-the-account-request-notification.patch
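Review bot: The corrected assignment `mConfig->outputFrameSize = (calOutSize - outSize) / sizeof(int16_t);` carries no comment stating the unit, which is exactly the confusion this commit fixes. A line such as `// outputFrameSize is counted in int16_t samples, not bytes` above it would keep a later edit from reintroducing the byte count. The commit message says this was one of several initialisations; the others are outside the hunk and should be checked for the same unit. The subtraction also assumes `outSize <= calOutSize`, which the visible lines do not establish.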
@@ -0,0 +1,105 @@ +From 77e678b8aa1278058537f3df10347535ffeaf8bd Mon Sep 17 00:00:00 2001 +From: Dmitry Dementyev +Date: Thu, 17 Jun 2021 13:16:38 -0700 +Subject: [PATCH] Change ownership of the account request notification. + +Add "Permission requested by Application..." string. +Test: manual +Bug: 179338675 + +Change-Id: Ib66ccc1b39bd1f3f8fa3b1efc38a9d413b72a321 +(cherry picked from commit 26de0c231ffb9fd8d22e80ca120c766c26276779) +--- + core/res/res/values/strings.xml | 2 ++ + core/res/res/values/symbols.xml | 1 + + .../accounts/AccountManagerService.java | 21 +++++++++++++------ + 3 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml +index d6ee28b93f92..5c659123b027 100644 +--- a/core/res/res/values/strings.xml ++++ b/core/res/res/values/strings.xml +@@ -3780,6 +3780,8 @@ + Deny + Permission requested + Permission requested\nfor account %s. ++ ++ Permission requested by %1$s\nfor account %2$s. + + + You\'re using this app outside of your work profile +diff --git a/core/res/res/values/symbols.xml b/core/res/res/values/symbols.xml +index 3ef0a8dc9daa..3c2aa621864b 100644 +--- a/core/res/res/values/symbols.xml ++++ b/core/res/res/values/symbols.xml +@@ -548,6 +548,7 @@ + + + ++ + + + +diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java +index 2e04f9c2bcd1..db3c25a7e43a 100644 +--- a/services/core/java/com/android/server/accounts/AccountManagerService.java ++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java +@@ -449,7 +449,7 @@ public class AccountManagerService + if (!checkAccess || hasAccountAccess(account, packageName, + UserHandle.getUserHandleForUid(uid))) { + cancelNotification(getCredentialPermissionNotificationId(account, +- AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid), packageName, ++ AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid), + 
UserHandle.getUserHandleForUid(uid)); + } + } +@@ -3051,8 +3051,8 @@ public class AccountManagerService + String authTokenType = intent.getStringExtra( + GrantCredentialsPermissionActivity.EXTRAS_AUTH_TOKEN_TYPE); + final String titleAndSubtitle = +- mContext.getString(R.string.permission_request_notification_with_subtitle, +- account.name); ++ mContext.getString(R.string.permission_request_notification_for_app_with_subtitle, ++ getApplicationLabel(packageName), account.name); + final int index = titleAndSubtitle.indexOf('\n'); + String title = titleAndSubtitle; + String subtitle = ""; +@@ -3075,7 +3075,16 @@ public class AccountManagerService + null, user)) + .build(); + installNotification(getCredentialPermissionNotificationId( +- account, authTokenType, uid), n, packageName, user.getIdentifier()); ++ account, authTokenType, uid), n, "android", user.getIdentifier()); ++ } ++ ++ private String getApplicationLabel(String packageName) { ++ try { ++ return mPackageManager.getApplicationLabel( ++ mPackageManager.getApplicationInfo(packageName, 0)).toString(); ++ } catch (PackageManager.NameNotFoundException e) { ++ return packageName; ++ } + } + + private Intent newGrantCredentialsPermissionIntent(Account account, String packageName, +@@ -3111,7 +3120,7 @@ public class AccountManagerService + nId = accounts.credentialsPermissionNotificationIds.get(key); + if (nId == null) { + String tag = TAG + ":" + SystemMessage.NOTE_ACCOUNT_CREDENTIAL_PERMISSION +- + ":" + account.hashCode() + ":" + authTokenType.hashCode(); ++ + ":" + account.hashCode() + ":" + authTokenType.hashCode() + ":" + uid; + int id = SystemMessage.NOTE_ACCOUNT_CREDENTIAL_PERMISSION; + nId = new NotificationId(tag, id); + accounts.credentialsPermissionNotificationIds.put(key, nId); +@@ -4064,7 +4073,7 @@ public class AccountManagerService + + private void handleAuthenticatorResponse(boolean accessGranted) throws RemoteException { + cancelNotification(getCredentialPermissionNotificationId(account, +- 
AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid), packageName, ++ AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE, uid), + UserHandle.getUserHandleForUid(uid)); + if (callback != null) { + Bundle result = new Bundle(); +-- +2.17.1 + diff --git a/aosp_diff/preliminary/frameworks/base/41_0041-Fix-NPE-on-getTitle.patch b/aosp_diff/preliminary/frameworks/base/41_0041-Fix-NPE-on-getTitle.patch new file mode 100644 index 0000000000..0f87104823 --- /dev/null +++ b/aosp_diff/preliminary/frameworks/base/41_0041-Fix-NPE-on-getTitle.patch 
@@ -0,0 +1,66 @@
+From 07acc39b7b1eb19fd7522c9764e5174cf22c86b5 Mon Sep 17 00:00:00 2001
+From: cnchen
+Date: Mon, 6 Jul 2020 19:58:44 +0800
+Subject: [PATCH] Fix NPE on getTitle()
+
+Bug: 199922685
+Test: make RunSettingsLibRoboTests -j40
+Change-Id: I35bf6f5911dc0ee56e43af7faddaceb479362863
+(cherry picked from commit f00f2203b578e919e56f21f3a4119a974b942243)
+Merged-In: I35bf6f5911dc0ee56e43af7faddaceb479362863
+(cherry picked from commit c006ad915aea348043446a45cc019f522c83928c)
+---
+ .../src/com/android/settingslib/wifi/AccessPoint.java | 10 ++++++----
+ .../com/android/settingslib/wifi/AccessPointTest.java | 11 +++++++++++
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/packages/SettingsLib/src/com/android/settingslib/wifi/AccessPoint.java b/packages/SettingsLib/src/com/android/settingslib/wifi/AccessPoint.java
+index 8968340b65f4..c5e66bef9653 100644
+--- a/packages/SettingsLib/src/com/android/settingslib/wifi/AccessPoint.java
++++ b/packages/SettingsLib/src/com/android/settingslib/wifi/AccessPoint.java
+@@ -1117,14 +1117,16 @@ public class AccessPoint implements Comparable {
+ * Returns the display title for the AccessPoint, such as for an AccessPointPreference's title.
+ */
+ public String getTitle() {
+- if (isPasspoint()) {
++ if (isPasspoint() && !TextUtils.isEmpty(mConfig.providerFriendlyName)) {
+ return mConfig.providerFriendlyName;
+- } else if (isPasspointConfig()) {
++ } else if (isPasspointConfig() && !TextUtils.isEmpty(mProviderFriendlyName)) {
+ return mProviderFriendlyName;
+- } else if (isOsuProvider()) {
++ } else if (isOsuProvider() && !TextUtils.isEmpty(mOsuProvider.getFriendlyName())) {
+ return mOsuProvider.getFriendlyName();
+- } else {
++ } else if (!TextUtils.isEmpty(getSsidStr())) {
+ return getSsidStr();
++ } else {
++ return "";
+ }
+ }
+
+diff --git a/packages/SettingsLib/tests/integ/src/com/android/settingslib/wifi/AccessPointTest.java b/packages/SettingsLib/tests/integ/src/com/android/settingslib/wifi/AccessPointTest.java
+index bcabec858487..46ecbd45a860 100644
+--- a/packages/SettingsLib/tests/integ/src/com/android/settingslib/wifi/AccessPointTest.java
++++ b/packages/SettingsLib/tests/integ/src/com/android/settingslib/wifi/AccessPointTest.java
+@@ -147,6 +147,17 @@ public class AccessPointTest {
+ assertThat(ssid instanceof SpannableString).isFalse();
+ }
+
++ @Test
++ public void testCompareTo_GivesNull() {
++ WifiConfiguration spyConfig = spy(new WifiConfiguration());
++
++ when(spyConfig.isPasspoint()).thenReturn(true);
++ spyConfig.providerFriendlyName = null;
++ AccessPoint passpointAp = new AccessPoint(mContext, spyConfig);
++
++ assertThat(passpointAp.getTitle()).isEqualTo("");
++ }
++
+ @Test
+ public void testCompareTo_GivesActiveBeforeInactive() {
+ AccessPoint activeAp = new TestAccessPointBuilder(mContext).setActive(true).build();
+--
+2.17.1
+
diff --git a/aosp_diff/preliminary/frameworks/base/42_0042-Fix-serialization-bug-in-GpsNavigationMessage.patch b/aosp_diff/preliminary/frameworks/base/42_0042-Fix-serialization-bug-in-GpsNavigationMessage.patch
new file mode 100644
index 0000000000..35366fc0c8
--- /dev/null
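Review bot: The new test is named `testCompareTo_GivesNull`, but it exercises `getTitle()` and expects an empty string; a name such as `testGetTitle_passpointWithNullFriendlyName_returnsEmptyString` would match what it checks. Only the `isPasspoint()` branch is covered, so the `isPasspointConfig()`, `isOsuProvider()` and empty-SSID fallbacks added in the same hunk have no test here. `getTitle()` now calls `mOsuProvider.getFriendlyName()` and `getSsidStr()` twice each, which is harmless if they are plain getters but could be avoided with a local.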
+++ b/aosp_diff/preliminary/frameworks/base/42_0042-Fix-serialization-bug-in-GpsNavigationMessage.patch
@@ -0,0 +1,35 @@
+From 37e819c0ff223c200ea5605e2d2490ed45805a20 Mon Sep 17 00:00:00 2001
+From: Yu-Han Yang
+Date: Tue, 21 Sep 2021 12:29:34 -0700
+Subject: [PATCH] Fix serialization bug in GpsNavigationMessage
+
+Bug: 196970023
+Test: presubmits passing.
+Change-Id: I69f51eb2faac0cf2ee9f7a5f94f7100925f7221c
+(cherry picked from commit 1903539154df194722ce5f0dbbd38e18f8c1fc12)
+---
+ location/java/android/location/GpsNavigationMessage.java | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/location/java/android/location/GpsNavigationMessage.java b/location/java/android/location/GpsNavigationMessage.java
+index dc1e99fd6a4f..2b978f759a13 100644
+--- a/location/java/android/location/GpsNavigationMessage.java
++++ b/location/java/android/location/GpsNavigationMessage.java
+@@ -262,12 +262,8 @@ public class GpsNavigationMessage implements Parcelable {
+ parcel.readByteArray(data);
+ navigationMessage.setData(data);
+
+- if (parcel.dataAvail() >= Integer.SIZE) {
+- int status = parcel.readInt();
+- navigationMessage.setStatus((short) status);
+- } else {
+- navigationMessage.setStatus(STATUS_UNKNOWN);
+- }
++ int status = parcel.readInt();
++ navigationMessage.setStatus((short) status);
+
+ return navigationMessage;
+ }
+--
+2.17.1
+
diff --git a/aosp_diff/preliminary/frameworks/base/43_0043-Do-not-show-the-notification-footer-until-the-user-i.patch b/aosp_diff/preliminary/frameworks/base/43_0043-Do-not-show-the-notification-footer-until-the-user-i.patch
new file mode 100644
index 0000000000..cf29d16a01
--- /dev/null
+++ b/aosp_diff/preliminary/frameworks/base/43_0043-Do-not-show-the-notification-footer-until-the-user-i.patch
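Review bot: The unconditional `parcel.readInt()` has no comment explaining why the `dataAvail()` guard was removed. Something like `// Always read status: the reader must consume exactly the fields writeToParcel() writes.` would record the intent. `writeToParcel()` is outside the hunk, so confirm it writes the status int unconditionally. The `(short) status` cast silently truncates out-of-range values, and whether `setStatus()` validates them is not visible here.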
@@ -0,0 +1,172 @@ +From 583ecb1a78e7a2fecf1933b1ac1acf2d2d3cb1f1 Mon Sep 17 00:00:00 2001 +From: Jeff DeCew +Date: Fri, 17 Sep 2021 16:32:58 -0400 +Subject: [PATCH] Do not show the notification footer until the user is set up. + +Bug: 193149550 +Test: follow repro steps +Merged-In: I49e2b8bcec7b2ce0a9776ff30a64c07f24949da7 +Change-Id: I49e2b8bcec7b2ce0a9776ff30a64c07f24949da7 +(cherry picked from commit 73c3c0a7d649b725da0459cc55c6418e0f2ba175) +--- + .../stack/NotificationStackScrollLayout.java | 39 +++++++++++++++++++ + .../NotificationStackScrollLayoutTest.java | 27 +++++++++++++ + 2 files changed, 66 insertions(+) + +diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/notification/stack/NotificationStackScrollLayout.java b/packages/SystemUI/src/com/android/systemui/statusbar/notification/stack/NotificationStackScrollLayout.java +index a4a58194a46b..6986ad754596 100644 +--- a/packages/SystemUI/src/com/android/systemui/statusbar/notification/stack/NotificationStackScrollLayout.java ++++ b/packages/SystemUI/src/com/android/systemui/statusbar/notification/stack/NotificationStackScrollLayout.java +@@ -157,6 +157,8 @@ import com.android.systemui.statusbar.phone.ShadeController; + import com.android.systemui.statusbar.phone.StatusBar; + import com.android.systemui.statusbar.policy.ConfigurationController; + import com.android.systemui.statusbar.policy.ConfigurationController.ConfigurationListener; ++import com.android.systemui.statusbar.policy.DeviceProvisionedController; ++import com.android.systemui.statusbar.policy.DeviceProvisionedController.DeviceProvisionedListener; + import com.android.systemui.statusbar.policy.HeadsUpUtil; + import com.android.systemui.statusbar.policy.ScrollAdapter; + import com.android.systemui.statusbar.policy.ZenModeController; +@@ -300,6 +302,7 @@ public class NotificationStackScrollLayout extends ViewGroup implements ScrollAd + private boolean mExpandedInThisMotion; + private boolean mShouldShowShelfOnly; + protected 
boolean mScrollingEnabled; ++ private boolean mIsCurrentUserSetup; + protected FooterView mFooterView; + protected EmptyShadeView mEmptyShadeView; + private boolean mDismissAllInProgress; +@@ -508,6 +511,8 @@ public class NotificationStackScrollLayout extends ViewGroup implements ScrollAd + private final NotifPipeline mNotifPipeline; + private final NotifCollection mNotifCollection; + private final NotificationEntryManager mEntryManager; ++ private final DeviceProvisionedController mDeviceProvisionedController = ++ Dependency.get(DeviceProvisionedController.class); + private final IStatusBarService mBarService = IStatusBarService.Stub.asInterface( + ServiceManager.getService(Context.STATUS_BAR_SERVICE)); + @VisibleForTesting +@@ -648,6 +653,29 @@ public class NotificationStackScrollLayout extends ViewGroup implements ScrollAd + }, HIGH_PRIORITY, Settings.Secure.NOTIFICATION_DISMISS_RTL, + Settings.Secure.NOTIFICATION_HISTORY_ENABLED); + ++ mDeviceProvisionedController.addCallback( ++ new DeviceProvisionedListener() { ++ @Override ++ public void onDeviceProvisionedChanged() { ++ updateCurrentUserIsSetup(); ++ } ++ ++ @Override ++ public void onUserSwitched() { ++ updateCurrentUserIsSetup(); ++ } ++ ++ @Override ++ public void onUserSetupChanged() { ++ updateCurrentUserIsSetup(); ++ } ++ ++ private void updateCurrentUserIsSetup() { ++ setCurrentUserSetup(mDeviceProvisionedController.isCurrentUserSetup()); ++ } ++ }); ++ ++ + mFeatureFlags = featureFlags; + mNotifPipeline = notifPipeline; + mEntryManager = entryManager; +@@ -772,6 +800,7 @@ public class NotificationStackScrollLayout extends ViewGroup implements ScrollAd + } + boolean showDismissView = mClearAllEnabled && hasActiveClearableNotifications(ROWS_ALL); + boolean showFooterView = (showDismissView || hasActiveNotifications()) ++ && mIsCurrentUserSetup // see: b/193149550 + && mStatusBarState != StatusBarState.KEYGUARD + && !mRemoteInputManager.getController().isRemoteInputActive(); + boolean showHistory = 
Settings.Secure.getIntForUser(mContext.getContentResolver(), +@@ -5923,6 +5952,16 @@ public class NotificationStackScrollLayout extends ViewGroup implements ScrollAd + return MathUtils.smoothStep(0, totalDistance, dragDownAmount); + } + ++ /** ++ * Sets whether the current user is set up, which is required to show the footer (b/193149550) ++ */ ++ public void setCurrentUserSetup(boolean isCurrentUserSetup) { ++ if (mIsCurrentUserSetup != isCurrentUserSetup) { ++ mIsCurrentUserSetup = isCurrentUserSetup; ++ updateFooter(); ++ } ++ } ++ + /** + * A listener that is notified when the empty space below the notifications is clicked on + */ +diff --git a/packages/SystemUI/tests/src/com/android/systemui/statusbar/notification/stack/NotificationStackScrollLayoutTest.java b/packages/SystemUI/tests/src/com/android/systemui/statusbar/notification/stack/NotificationStackScrollLayoutTest.java +index 2ae4caeca963..ba3d95f9b178 100644 +--- a/packages/SystemUI/tests/src/com/android/systemui/statusbar/notification/stack/NotificationStackScrollLayoutTest.java ++++ b/packages/SystemUI/tests/src/com/android/systemui/statusbar/notification/stack/NotificationStackScrollLayoutTest.java +@@ -354,6 +354,7 @@ public class NotificationStackScrollLayoutTest extends SysuiTestCase { + @Test + public void testUpdateFooter_noNotifications() { + setBarStateForTest(StatusBarState.SHADE); ++ mStackScroller.setCurrentUserSetup(true); + assertEquals(0, mEntryManager.getActiveNotificationsCount()); + + FooterView view = mock(FooterView.class); +@@ -365,6 +366,8 @@ public class NotificationStackScrollLayoutTest extends SysuiTestCase { + @Test + public void testUpdateFooter_remoteInput() { + setBarStateForTest(StatusBarState.SHADE); ++ mStackScroller.setCurrentUserSetup(true); ++ + ArrayList entries = new ArrayList<>(); + entries.add(new NotificationEntryBuilder().build()); + addEntriesToEntryManager(entries); +@@ -384,6 +387,7 @@ public class NotificationStackScrollLayoutTest extends SysuiTestCase { + 
@Test + public void testUpdateFooter_oneClearableNotification() { + setBarStateForTest(StatusBarState.SHADE); ++ mStackScroller.setCurrentUserSetup(true); + + ArrayList entries = new ArrayList<>(); + entries.add(new NotificationEntryBuilder().build()); +@@ -400,9 +404,30 @@ public class NotificationStackScrollLayoutTest extends SysuiTestCase { + verify(mStackScroller).updateFooterView(true, true, true); + } + ++ @Test ++ public void testUpdateFooter_oneClearableNotification_beforeUserSetup() { ++ setBarStateForTest(StatusBarState.SHADE); ++ mStackScroller.setCurrentUserSetup(false); ++ ++ ArrayList entries = new ArrayList<>(); ++ entries.add(new NotificationEntryBuilder().build()); ++ addEntriesToEntryManager(entries); ++ ++ ExpandableNotificationRow row = mock(ExpandableNotificationRow.class); ++ when(row.canViewBeDismissed()).thenReturn(true); ++ when(mStackScroller.getChildCount()).thenReturn(1); ++ when(mStackScroller.getChildAt(anyInt())).thenReturn(row); ++ ++ FooterView view = mock(FooterView.class); ++ mStackScroller.setFooterView(view); ++ mStackScroller.updateFooter(); ++ verify(mStackScroller).updateFooterView(false, true, true); ++ } ++ + @Test + public void testUpdateFooter_oneNonClearableNotification() { + setBarStateForTest(StatusBarState.SHADE); ++ mStackScroller.setCurrentUserSetup(true); + + ArrayList entries = new ArrayList<>(); + entries.add(new NotificationEntryBuilder().build()); +@@ -416,6 +441,8 @@ public class NotificationStackScrollLayoutTest extends SysuiTestCase { + + @Test + public void testUpdateFooter_atEnd() { ++ mStackScroller.setCurrentUserSetup(true); ++ + // add footer + mStackScroller.inflateFooterView(); + +-- +2.17.1 + diff --git a/aosp_diff/preliminary/frameworks/base/45_0045-Disallow-overlays-for-ResolverActivity.patch b/aosp_diff/preliminary/frameworks/base/45_0045-Disallow-overlays-for-ResolverActivity.patch new file mode 100644 index 0000000000..be4b91e4a7 --- /dev/null 
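Review bot: `mIsCurrentUserSetup` starts as `false` and is only updated from the three `DeviceProvisionedListener` callbacks, so the footer stays hidden until one of them fires. Hiding by default is the safe direction, but unless `addCallback()` delivers the current state on registration (not visible in this hunk), an already set-up user would get no footer until the next change event. Calling `setCurrentUserSetup(mDeviceProvisionedController.isCurrentUserSetup());` once after registration would seed it. That call would run inside the constructor, so `updateFooter()` must tolerate fields assigned after the registration in the same hunk (`mFeatureFlags`, `mNotifPipeline`, `mEntryManager`). The anonymous listener is also never removed in the visible lines.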
+++ b/aosp_diff/preliminary/frameworks/base/45_0045-Disallow-overlays-for-ResolverActivity.patch 
@@ -0,0 +1,73 @@ +From 46ea0415431abd565d9ae0c02728e319c1d923c7 Mon Sep 17 00:00:00 2001 +From: Collin Fijalkovich +Date: Mon, 5 Oct 2020 13:10:33 -0700 +Subject: [PATCH] Disallow overlays for ResolverActivity + +Prevents non-system apps from placing a window over the app selection +screen. + +Bug: 143559931 +Test: Installed test app and attempted to overlay +Change-Id: Ied05088a5007e0f10cd3e1abd8d7da8ffeb3b674 +Merged-In: Ied05088a5007e0f10cd3e1abd8d7da8ffeb3b674 +(cherry picked from commit 34534e1fd2057ea6d858ce82f8505cbdb1026d9a) +(cherry picked from commit 978809e428bf44be1f9a86d1284aa61103b6f1cf) +--- + .../com/android/internal/app/ResolverActivity.java | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/core/java/com/android/internal/app/ResolverActivity.java b/core/java/com/android/internal/app/ResolverActivity.java +index fadc15912dc1..24bbe749aaef 100644 +--- a/core/java/com/android/internal/app/ResolverActivity.java ++++ b/core/java/com/android/internal/app/ResolverActivity.java +@@ -19,6 +19,7 @@ package com.android.internal.app; + import static android.Manifest.permission.INTERACT_ACROSS_PROFILES; + import static android.content.Intent.FLAG_ACTIVITY_NEW_TASK; + import static android.content.PermissionChecker.PID_UNKNOWN; ++import static android.view.WindowManager.LayoutParams.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS; + + import android.annotation.Nullable; + import android.annotation.StringRes; +@@ -69,7 +70,9 @@ import android.view.LayoutInflater; + import android.view.View; + import android.view.ViewGroup; + import android.view.ViewGroup.LayoutParams; ++import android.view.Window; + import android.view.WindowInsets; ++import android.view.WindowManager; + import android.widget.AbsListView; + import android.widget.AdapterView; + import android.widget.Button; +@@ -101,7 +104,6 @@ import java.util.List; + import java.util.Objects; + import java.util.Set; + +- + /** + * This activity is displayed when the system attempts 
to start an Intent for + * which there is more than one matching activity, allowing the user to decide +@@ -822,6 +824,8 @@ public class ResolverActivity extends Activity implements + @Override + protected void onStart() { + super.onStart(); ++ ++ this.getWindow().addSystemFlags(SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS); + if (shouldShowTabs()) { + mWorkProfileStateReceiver = createWorkProfileStateReceiver(); + registerWorkProfileStateReceiver(); +@@ -849,6 +853,12 @@ public class ResolverActivity extends Activity implements + @Override + protected void onStop() { + super.onStop(); ++ ++ final Window window = this.getWindow(); ++ final WindowManager.LayoutParams attrs = window.getAttributes(); ++ attrs.privateFlags &= ~SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS; ++ window.setAttributes(attrs); ++ + if (mRegistered) { + mPersonalPackageMonitor.unregister(); + if (mWorkPackageMonitor != null) { +-- +2.17.1 + diff --git a/aosp_diff/preliminary/packages/apps/Contacts/03_0003-Address-photo-editing-security-bug.patch b/aosp_diff/preliminary/packages/apps/Contacts/03_0003-Address-photo-editing-security-bug.patch new file mode 100644 index 0000000000..6ffc7798de --- /dev/null +++ b/aosp_diff/preliminary/packages/apps/Contacts/03_0003-Address-photo-editing-security-bug.patch 
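Review bot: The flag is set with `addSystemFlags(SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS)` in `onStart()` but cleared in `onStop()` by editing `attrs.privateFlags` by hand, and neither place says why. A short comment in `onStart()`, for example `// Keep non-system overlay windows off the resolver so the entry the user taps is the one shown.`, would document the intent. A small private helper for the clear would keep the two paths symmetric. Subclasses that override `onStart()`/`onStop()` inherit the protection only if they call through to `super`; those are outside this diff.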
@@ -0,0 +1,98 @@ +From b6477d54f4aacea0c9cc5351f827018805744ee2 Mon Sep 17 00:00:00 2001 +From: Gary Mai +Date: Wed, 15 Sep 2021 16:20:01 -0700 +Subject: [PATCH] Address photo editing security bug + +Filter to only system apps that can handle cropping. +Otherwise, save the photo as is. + +Bug: 195748381 +Test: Manual test with the PoC. Verified only the system installed app +was able to crop the photo and no crop was offered when it was disabled + +Change-Id: Id1527f589064aa278715afcb060647ec6841e6da +(cherry picked from commit 8b19ca470847f5f77d5b2e5dd086aae9ad4ea389) +--- + .../contacts/activities/AttachPhotoActivity.java | 13 ++++++++----- + .../contacts/detail/PhotoSelectionHandler.java | 13 ++++++++----- + 2 files changed, 16 insertions(+), 10 deletions(-) + +diff --git a/src/com/android/contacts/activities/AttachPhotoActivity.java b/src/com/android/contacts/activities/AttachPhotoActivity.java +index b25c306c3..bfa25e6ba 100644 +--- a/src/com/android/contacts/activities/AttachPhotoActivity.java ++++ b/src/com/android/contacts/activities/AttachPhotoActivity.java +@@ -197,7 +197,8 @@ public class AttachPhotoActivity extends ContactsActivity { + } + ContactPhotoUtils.addPhotoPickerExtras(intent, mCroppedPhotoUri); + ContactPhotoUtils.addCropExtras(intent, mPhotoDim != 0 ? mPhotoDim : mDefaultPhotoDim); +- if (!hasIntentHandler(intent)) { ++ final ResolveInfo intentHandler = getIntentHandler(intent); ++ if (intentHandler == null) { + // No activity supports the crop action. So skip cropping and set the photo + // without performing any cropping. 
+ mCroppedPhotoUri = mTempPhotoUri; +@@ -211,6 +212,7 @@ public class AttachPhotoActivity extends ContactsActivity { + return; + } + ++ intent.setPackage(intentHandler.activityInfo.packageName); + try { + startActivityForResult(intent, REQUEST_CROP_PHOTO); + } catch (ActivityNotFoundException ex) { +@@ -237,10 +239,11 @@ public class AttachPhotoActivity extends ContactsActivity { + } + } + +- private boolean hasIntentHandler(Intent intent) { +- final List resolveInfo = getPackageManager() +- .queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY); +- return resolveInfo != null && resolveInfo.size() > 0; ++ private ResolveInfo getIntentHandler(Intent intent) { ++ final List resolveInfos = getPackageManager() ++ .queryIntentActivities(intent, ++ PackageManager.MATCH_DEFAULT_ONLY | PackageManager.MATCH_SYSTEM_ONLY); ++ return (resolveInfos != null && resolveInfos.size() > 0) ? resolveInfos.get(0) : null; + } + + // TODO: consider moving this to ContactLoader, especially if we keep adding similar +diff --git a/src/com/android/contacts/detail/PhotoSelectionHandler.java b/src/com/android/contacts/detail/PhotoSelectionHandler.java +index 053ee2216..1567116d4 100644 +--- a/src/com/android/contacts/detail/PhotoSelectionHandler.java ++++ b/src/com/android/contacts/detail/PhotoSelectionHandler.java +@@ -242,7 +242,8 @@ public abstract class PhotoSelectionHandler implements OnClickListener { + */ + private void doCropPhoto(Uri inputUri, Uri outputUri) { + final Intent intent = getCropImageIntent(inputUri, outputUri); +- if (!hasIntentHandler(intent)) { ++ final ResolveInfo intentHandler = getIntentHandler(intent); ++ if (intentHandler == null) { + try { + getListener().onPhotoSelected(inputUri); + } catch (FileNotFoundException e) { +@@ -252,6 +253,7 @@ public abstract class PhotoSelectionHandler implements OnClickListener { + } + return; + } ++ intent.setPackage(intentHandler.activityInfo.packageName); + try { + // Launch gallery to crop the photo + 
startPhotoActivity(intent, REQUEST_CROP_PHOTO, inputUri); +@@ -322,10 +324,11 @@ public abstract class PhotoSelectionHandler implements OnClickListener { + return intent; + } + +- private boolean hasIntentHandler(Intent intent) { +- final List resolveInfo = mContext.getPackageManager() +- .queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY); +- return resolveInfo != null && resolveInfo.size() > 0; ++ private ResolveInfo getIntentHandler(Intent intent) { ++ final List resolveInfos = mContext.getPackageManager() ++ .queryIntentActivities(intent, ++ PackageManager.MATCH_DEFAULT_ONLY | PackageManager.MATCH_SYSTEM_ONLY); ++ return (resolveInfos != null && resolveInfos.size() > 0) ? resolveInfos.get(0) : null; + } + + /** +-- +2.17.1 + diff --git a/aosp_diff/preliminary/packages/apps/KeyChain/01_0001-DO-NOT-MERGE-Hide-overlay-on-KeyChainActivity.patch b/aosp_diff/preliminary/packages/apps/KeyChain/01_0001-DO-NOT-MERGE-Hide-overlay-on-KeyChainActivity.patch new file mode 100644 index 0000000000..0a2fd3d8bf --- /dev/null +++ b/aosp_diff/preliminary/packages/apps/KeyChain/01_0001-DO-NOT-MERGE-Hide-overlay-on-KeyChainActivity.patch 
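Review bot: `getIntentHandler()` returns `resolveInfos.get(0)` and the caller then pins only the package with `intent.setPackage(intentHandler.activityInfo.packageName)`, so the activity that finally handles the crop is resolved a second time at launch. Pinning the resolved component, `intent.setComponent(new ComponentName(intentHandler.activityInfo.packageName, intentHandler.activityInfo.name));`, makes the launched activity exactly the system one that was checked. This applies to both AttachPhotoActivity and PhotoSelectionHandler, which now carry identical copies of the helper. A shared utility would keep the `MATCH_SYSTEM_ONLY` filter in one place.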
@@ -0,0 +1,67 @@ +From 8cb98881a4d369ddf390e5ef35ea398d1e0baa43 Mon Sep 17 00:00:00 2001 +From: Tianyi Hu +Date: Wed, 15 Sep 2021 21:43:18 +0800 +Subject: [PATCH] DO NOT MERGE Hide overlay on KeyChainActivity + +Hide non system overlay to improve security. + +Test: N/A +Bug: 199754277 +Merged-In: Ia0e97f40d79a7f89035572e0175990694870938f +Change-Id: Ia0e97f40d79a7f89035572e0175990694870938f +(cherry picked from commit 3de513868e45f022fce83d738032fc69b8c6b0f5) +--- + AndroidManifest.xml | 1 + + src/com/android/keychain/KeyChainActivity.java | 10 ++++++++++ + 2 files changed, 11 insertions(+) + +diff --git a/AndroidManifest.xml b/AndroidManifest.xml +index 9d1601f..44f5463 100755 +--- a/AndroidManifest.xml ++++ b/AndroidManifest.xml +@@ -6,6 +6,7 @@ + + ++ + + +Date: Wed, 15 Sep 2021 21:43:18 +0800 +Subject: [PATCH] DO NOT MERGE KeyChain protect against overlays. + +Set setFilterTouchesWhenObsucred on positive confirmation button. + +Test: N/A +Bug: 199754277 +Change-Id: I096afafb74b69e86e82f89f6121ba52d65c99564 +(cherry picked from commit 90c6182ef5933ec69383115e2703a177a0c5929b) +--- + src/com/android/keychain/KeyChainActivity.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/com/android/keychain/KeyChainActivity.java b/src/com/android/keychain/KeyChainActivity.java +index 1279ab2..7165a09 100644 +--- a/src/com/android/keychain/KeyChainActivity.java ++++ b/src/com/android/keychain/KeyChainActivity.java +@@ -438,6 +438,9 @@ public class KeyChainActivity extends Activity { + finish(null); + } + }); ++ dialog.create(); ++ // Prevents screen overlay attack. ++ dialog.getButton(DialogInterface.BUTTON_POSITIVE).setFilterTouchesWhenObscured(true); + dialog.show(); + } + +-- +2.17.1 + diff --git a/aosp_diff/preliminary/packages/apps/Nfc/05_0005-OOBW-due-to-incorrect-error-handling.patch b/aosp_diff/preliminary/packages/apps/Nfc/05_0005-OOBW-due-to-incorrect-error-handling.patch new file mode 100644 index 0000000000..4423a96f24 --- /dev/null 
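Review bot: In the `KeyChainActivity.java` hunk at `@@ -438,6 +438,9 @@`, the result of `dialog.getButton(DialogInterface.BUTTON_POSITIVE)` is dereferenced without a null check, and `getButton` returns null when the dialog has no such button; the code that configures the buttons is outside the hunk. If any path can build this dialog without a positive button, guard the call: `final Button positive = dialog.getButton(DialogInterface.BUTTON_POSITIVE);` followed by `if (positive != null) positive.setFilterTouchesWhenObscured(true);` (this may need an `android.widget.Button` import). The filter also protects only this one view, so any other tappable content in the dialog still accepts touches while obscured. The comment could state that scope, e.g. `// Drop taps on the confirm button while another window covers it; other views are not filtered.`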
+++ b/aosp_diff/preliminary/packages/apps/Nfc/05_0005-OOBW-due-to-incorrect-error-handling.patch
@@ -0,0 +1,48 @@
+From deab0216ba66bfee6dce55289eb53d681c66f285 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev
+Date: Tue, 5 Oct 2021 19:54:01 -0700
+Subject: [PATCH] OOBW due to incorrect error handling
+
+Out-Of-Bounds Write due to increase mNumTechList without bounds checking
+
+Bug: 189942532
+Test: build ok
+Change-Id: I26e3c84bc572b6341692794d1bee2bc9be1b1160
+(cherry picked from commit 7d90cc6e0556057571f9fde9785dd0658c1a3eb0)
+---
+ nci/jni/NfcTag.cpp | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/nci/jni/NfcTag.cpp b/nci/jni/NfcTag.cpp
+index b9d8d555..5af2b79e 100755
+--- a/nci/jni/NfcTag.cpp
++++ b/nci/jni/NfcTag.cpp
+@@ -289,6 +289,10 @@ void NfcTag::discoverTechnologies(tNFA_ACTIVATED& activationData) {
+
+ if (mTechListTail < (MAX_NUM_TECHNOLOGY - 1)) {
+ mNumTechList = mTechListTail;
++ } else {
++ LOG(ERROR) << StringPrintf("%s: exceed max=%d", fn, MAX_NUM_TECHNOLOGY);
++ android_errorWriteLog(0x534e4554, "189942532");
++ goto TheEnd;
+ }
+ mTechHandles[mNumTechList] = rfDetail.rf_disc_id;
+ mTechLibNfcTypes[mNumTechList] = rfDetail.protocol;
+@@ -413,6 +417,7 @@ void NfcTag::discoverTechnologies(tNFA_ACTIVATED& activationData) {
+ << StringPrintf("%s: index=%d; tech=%d; handle=%d; nfc type=%d", fn, i,
+ mTechList[i], mTechHandles[i], mTechLibNfcTypes[i]);
+ }
++TheEnd:
+ DLOG_IF(INFO, nfc_debug_enabled) << StringPrintf("%s: exit", fn);
+ }
+
+@@ -1624,4 +1629,4 @@ void NfcTag::setNumDiscNtf(int numDiscNtfValue) {
+ ** Returns: number of discovery notifications received from NFCC
+ **
+ *******************************************************************************/
+-int NfcTag::getNumDiscNtf() { return mNumDiscNtf; }
+\ No newline at end of file
++int NfcTag::getNumDiscNtf() { return mNumDiscNtf; }
+--
+2.17.1
+
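Review bot: The new `else` branch in `NfcTag::discoverTechnologies` leaves through `goto TheEnd` without touching `mNumTechList` or the technology arrays, so after a rejected activation the object appears to keep whatever an earlier call stored and the `void` function gives the caller no sign of failure. The function body continues outside this hunk, so whether stale entries can be read afterwards is not visible here. Please either reset the state on this path or add a comment that the previous list is deliberately kept, e.g. `// Over the limit: keep the existing tech list untouched and bail out.` The bound also needs a line of explanation, since `MAX_NUM_TECHNOLOGY - 1` rather than `MAX_NUM_TECHNOLOGY` is only the right limit if code further down can append more than one entry per call. A short comment next to `android_errorWriteLog(0x534e4554, "189942532")` would help too, as the constant is the ASCII tag "SNET".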
diff --git a/aosp_diff/preliminary/packages/apps/QuickSearchBox/01_0001-Secure-the-pendingIntent-in-SearchWidgetProvider.patch b/aosp_diff/preliminary/packages/apps/QuickSearchBox/01_0001-Secure-the-pendingIntent-in-SearchWidgetProvider.patch
new file mode 100644
index 0000000000..726b2f6840
--- /dev/null
+++ b/aosp_diff/preliminary/packages/apps/QuickSearchBox/01_0001-Secure-the-pendingIntent-in-SearchWidgetProvider.patch
@@ -0,0 +1,84 @@
+From e77772c4186474cf0a9b1b39ea970a4432ee330d Mon Sep 17 00:00:00 2001
+From: Raman Tenneti
+Date: Fri, 10 Sep 2021 21:40:57 +0000
+Subject: [PATCH] Secure the pendingIntent in SearchWidgetProvider.
+
+Fixes - "PendingIntent in QuickSearchBox Widget ..." security bug.
+
+This change is similar to the fix to Settings changes.
+
++ Assign the package name for pending intent, so that the intent
+ only can launch the QuicSearchBox app.
+
+https://googleplex-android-review.git.corp.google.com/c/platform/packages/apps/Settings/+/10526147/2/src/com/android/settings/slices/SettingsSliceProvider.java
+
+git_qt-dev:
+ https://android-build.googleplex.com/builds/abtd/run/L35800000951088353
+
+git_rvc-dev:
+ https://android-build.googleplex.com/builds/abtd/run/L61000000951079598
+
+git_sc-dev:
+ https://android-build.googleplex.com/builds/abtd/run/L60400000951091431
+
++ Assign the package name for pending intent, so that the intent
+ only can launch the QuicSearchBox app.
+
+Original aosp-master cl: aosp/1818517
+
+Fix: 184046278
+Test: manual
++ Verified the above bug is fixes the above bug,
++ Installed the app and verified search is working.
+
+$ m
+$ ls -l ./out/target/product/bonito/product/app/QuickSearchBox/QuickSearchBox.apk-rw-r--r-- 1 rtenneti primarygroup 701136 Sep 3 14:52 ./out/target/product/bonito/product/app/QuickSearchBox/QuickSearchBox.apk
+
+$ adb install -t ./out/target/product/bonito/product/app/QuickSearchBox/QuickSearchBox.apk
+Performing Streamed Install
+Success
+
+$ make QuickSearchBoxTests
+$ ls -l out/target/product/bonito/testcases/QuickSearchBoxTests/arm64/QuickSearchBox*
+-rw-r--r-- 1 rtenneti primarygroup 33175 Sep 3 16:40 out/target/product/bonito/testcases/QuickSearchBoxTests/arm64/QuickSearchBoxTests.apk
+
+$ adb shell am instrument -w com.android.quicksearchbox.tests
+
+com.android.quicksearchbox.CachingIconLoaderTest:.
+com.android.quicksearchbox.LevenshteinFormatterTest:.........................
+com.android.quicksearchbox.PackageIconLoaderTest:..
+com.android.quicksearchbox.SuggestionUtilsTest:......
+com.android.quicksearchbox.util.CachedLaterTest:......
+com.android.quicksearchbox.util.LevenshteinDistanceTest:.....
+com.android.quicksearchbox.util.PerNameExecutorTest:...
+com.android.quicksearchbox.util.PriorityThreadFactoryTest:.
+com.android.quicksearchbox.util.SingleThreadNamedTaskExecutorTest:.
+Test results for InstrumentationTestRunner=.........................................
+.........
+Time: 0.277
+
+OK (50 tests)
+
+Bug: 184046278
+
+Change-Id: Idf5592b14967c6567e898b0b23a5e18f8209f639
+(cherry picked from commit ae2c873754cd8c54ce8a76aacbc0e1a0bf827188)
+---
+ src/com/android/quicksearchbox/SearchWidgetProvider.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/com/android/quicksearchbox/SearchWidgetProvider.java b/src/com/android/quicksearchbox/SearchWidgetProvider.java
+index 205e7cc..fdd8cf3 100644
+--- a/src/com/android/quicksearchbox/SearchWidgetProvider.java
++++ b/src/com/android/quicksearchbox/SearchWidgetProvider.java
+@@ -178,6 +178,7 @@ public class SearchWidgetProvider extends BroadcastReceiver {
+
+ private void setOnClickActivityIntent(Context context, RemoteViews views, int viewId,
+ Intent intent) {
++ intent.setPackage(context.getPackageName());
+ PendingIntent pendingIntent = PendingIntent.getActivity(context, 0, intent, 0);
+ views.setOnClickPendingIntent(viewId, pendingIntent);
+ }
+--
+2.17.1
+
diff --git a/aosp_diff/preliminary/packages/apps/Settings/11_0011-BluetoothSecurity-Add-BLUETOOTH_PRIVILEGED-permissio.patch b/aosp_diff/preliminary/packages/apps/Settings/11_0011-BluetoothSecurity-Add-BLUETOOTH_PRIVILEGED-permissio.patch
new file mode 100644
index 0000000000..b3dbbaa121
--- /dev/null
+++ b/aosp_diff/preliminary/packages/apps/Settings/11_0011-BluetoothSecurity-Add-BLUETOOTH_PRIVILEGED-permissio.patch
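Review bot: In `SearchWidgetProvider.setOnClickActivityIntent`, `PendingIntent.getActivity(context, 0, intent, 0)` still creates a mutable PendingIntent, so whoever holds it can fill in any Intent field the template leaves unset; pinning the package limits where it can land but not what it carries. The widget only needs the intent fired as built, so pass the immutable flag: `PendingIntent.getActivity(context, 0, intent, PendingIntent.FLAG_IMMUTABLE)`. Confirm first that no caller relies on fill-in, which is not visible in this hunk. `intent.setPackage(...)` also modifies the caller's Intent object in place. A short comment such as `// Explicit package: this PendingIntent must only resolve inside our own app.` would record why the line exists.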
@@ -0,0 +1,30 @@ +From ad3ebac3837861dc07e713a9aee2978e0eb35c39 Mon Sep 17 00:00:00 2001 +From: Chen Chen +Date: Tue, 5 Oct 2021 17:46:02 -0700 +Subject: [PATCH] BluetoothSecurity: Add BLUETOOTH_PRIVILEGED permission for + pairing dialog + +Bug: 194300867 +Test: Build + +Change-Id: I5a496df50550ea7ee6986c960e28ae3e4a056b4b +(cherry picked from commit e5ccfba9962f22d05cbf9cc6097ef7b74938ecf0) +--- + AndroidManifest.xml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/AndroidManifest.xml b/AndroidManifest.xml +index 4e0f9155b0..c6341767fe 100644 +--- a/AndroidManifest.xml ++++ b/AndroidManifest.xml +@@ -2035,6 +2035,7 @@ + + + +Date: Tue, 25 May 2021 16:43:23 -0700 +Subject: [PATCH] Fix issue with call log last modified not being updated. + +In the past a security update was done which replaced usage of the +DbModifierWithNotification class with SQLiteQueryBuilders. +This solved the security issue but caused all the code in the +DbModifierWithNotification update and delete methods to no longer run. +This includes notifying of new written voicemails, updating the last +modified date for rows, and notifying content observers. +We cleaned up the content observer issue in QPR, so it was time to swing +back and clean the rest up. + +In the end it just makes more sense to use SQLiteQueryBuilder instances +in DbModifierWithNotification for the user-provided queries; this lets +the rest of the update code which resided in that class still operate +in the same manner as it used to. + +Test: Run unit tests +Test: Run CTS tests +Test: Add new CTS test to verify call log last modified gets updated. 
+Fixes: 177421643 +Change-Id: Idc73df91cb1a0f4e77a4c5d2a288ab6ff2f6fc77 +Merged-In: I3cddf913dec54f40358de095659673d4623518db +(cherry picked from commit 7f70b88e9759b2cdbe3c18a8321df569bbb8d509) +(cherry picked from commit 0ac4a3c0f45e31469898a22a283cc2dc1b44ee6d) +--- + .../providers/contacts/CallLogProvider.java | 52 +++++-------------- + .../contacts/DbModifierWithNotification.java | 32 ++++++++++-- + 2 files changed, 41 insertions(+), 43 deletions(-) + +diff --git a/src/com/android/providers/contacts/CallLogProvider.java b/src/com/android/providers/contacts/CallLogProvider.java +index 7a610151..3ee4ae9f 100644 +--- a/src/com/android/providers/contacts/CallLogProvider.java ++++ b/src/com/android/providers/contacts/CallLogProvider.java +@@ -121,7 +121,7 @@ public class CallLogProvider extends ContentProvider { + sURIMatcher.addURI(CallLog.SHADOW_AUTHORITY, "calls", CALLS); + } + +- private static final ArrayMap sCallsProjectionMap; ++ public static final ArrayMap sCallsProjectionMap; + static { + + // Calls projection map +@@ -536,19 +536,8 @@ public class CallLogProvider extends ContentProvider { + + SelectionBuilder selectionBuilder = new SelectionBuilder(selection); + checkVoicemailPermissionAndAddRestriction(uri, selectionBuilder, false /*isQuery*/); +- +- final SQLiteQueryBuilder qb = new SQLiteQueryBuilder(); +- qb.setTables(Tables.CALLS); +- qb.setProjectionMap(sCallsProjectionMap); +- qb.setStrict(true); +- // If the caller doesn't have READ_VOICEMAIL, make sure they can't +- // do any SQL shenanigans to get access to the voicemails. If the caller does have the +- // READ_VOICEMAIL permission, then they have sufficient permissions to access any data in +- // the database, so the strict check is unnecessary. 
+- if (!mVoicemailPermissions.callerHasReadAccess(getCallingPackage())) { +- qb.setStrictGrammar(true); +- } +- ++ boolean hasReadVoicemailPermission = mVoicemailPermissions.callerHasReadAccess( ++ getCallingPackage()); + final SQLiteDatabase db = mDbHelper.getWritableDatabase(); + final int matchedUriId = sURIMatcher.match(uri); + switch (matchedUriId) { +@@ -563,11 +552,8 @@ public class CallLogProvider extends ContentProvider { + throw new UnsupportedOperationException("Cannot update URL: " + uri); + } + +- int rowsUpdated = qb.update(db, values, selectionBuilder.build(), selectionArgs); +- if (rowsUpdated > 0) { +- DbModifierWithNotification.notifyCallLogChange(getContext()); +- } +- return rowsUpdated; ++ return createDatabaseModifier(db, hasReadVoicemailPermission).update(uri, Tables.CALLS, ++ values, selectionBuilder.build(), selectionArgs); + } + + private int deleteInternal(Uri uri, String selection, String[] selectionArgs) { +@@ -582,29 +568,14 @@ public class CallLogProvider extends ContentProvider { + SelectionBuilder selectionBuilder = new SelectionBuilder(selection); + checkVoicemailPermissionAndAddRestriction(uri, selectionBuilder, false /*isQuery*/); + +- final SQLiteQueryBuilder qb = new SQLiteQueryBuilder(); +- qb.setTables(Tables.CALLS); +- qb.setProjectionMap(sCallsProjectionMap); +- qb.setStrict(true); +- // If the caller doesn't have READ_VOICEMAIL, make sure they can't +- // do any SQL shenanigans to get access to the voicemails. If the caller does have the +- // READ_VOICEMAIL permission, then they have sufficient permissions to access any data in +- // the database, so the strict check is unnecessary. 
+- if (!mVoicemailPermissions.callerHasReadAccess(getCallingPackage())) { +- qb.setStrictGrammar(true); +- } +- ++ boolean hasReadVoicemailPermission = ++ mVoicemailPermissions.callerHasReadAccess(getCallingPackage()); + final SQLiteDatabase db = mDbHelper.getWritableDatabase(); + final int matchedUriId = sURIMatcher.match(uri); + switch (matchedUriId) { + case CALLS: +- // TODO: Special case - We may want to forward the delete request on user 0 to the +- // shadow provider too. +- int deletedCount = qb.delete(db, selectionBuilder.build(), selectionArgs); +- if (deletedCount > 0) { +- DbModifierWithNotification.notifyCallLogChange(getContext()); +- } +- return deletedCount; ++ return createDatabaseModifier(db, hasReadVoicemailPermission).delete(Tables.CALLS, ++ selectionBuilder.build(), selectionArgs); + default: + throw new UnsupportedOperationException("Cannot delete that URL: " + uri); + } +@@ -618,8 +589,9 @@ public class CallLogProvider extends ContentProvider { + * Returns a {@link DatabaseModifier} that takes care of sending necessary notifications + * after the operation is performed. 
+ */ +- private DatabaseModifier createDatabaseModifier(SQLiteDatabase db) { +- return new DbModifierWithNotification(Tables.CALLS, db, getContext()); ++ private DatabaseModifier createDatabaseModifier(SQLiteDatabase db, boolean hasReadVoicemail) { ++ return new DbModifierWithNotification(Tables.CALLS, db, null, hasReadVoicemail, ++ getContext()); + } + + /** +diff --git a/src/com/android/providers/contacts/DbModifierWithNotification.java b/src/com/android/providers/contacts/DbModifierWithNotification.java +index 03ebd1f1..dc74c0ab 100644 +--- a/src/com/android/providers/contacts/DbModifierWithNotification.java ++++ b/src/com/android/providers/contacts/DbModifierWithNotification.java +@@ -27,6 +27,7 @@ import android.content.Intent; + import android.database.Cursor; + import android.database.DatabaseUtils.InsertHelper; + import android.database.sqlite.SQLiteDatabase; ++import android.database.sqlite.SQLiteQueryBuilder; + import android.net.Uri; + import android.os.Binder; + import android.provider.CallLog.Calls; +@@ -65,6 +66,7 @@ public class DbModifierWithNotification implements DatabaseModifier { + Voicemails.DELETED + " == 0"; + private final String mTableName; + private final SQLiteDatabase mDb; ++ private final boolean mHasReadVoicemailPermission; + private final InsertHelper mInsertHelper; + private final Context mContext; + private final Uri mBaseUri; +@@ -86,8 +88,14 @@ public class DbModifierWithNotification implements DatabaseModifier { + + private DbModifierWithNotification(String tableName, SQLiteDatabase db, + InsertHelper insertHelper, Context context) { ++ this(tableName, db, insertHelper, true /* hasReadVoicemail */, context); ++ } ++ ++ public DbModifierWithNotification(String tableName, SQLiteDatabase db, ++ InsertHelper insertHelper, boolean hasReadVoicemailPermission, Context context) { + mTableName = tableName; + mDb = db; ++ mHasReadVoicemailPermission = hasReadVoicemailPermission; + mInsertHelper = insertHelper; + mContext = context; + 
mBaseUri = mTableName.equals(Tables.VOICEMAIL_STATUS) ? +@@ -196,7 +204,16 @@ public class DbModifierWithNotification implements DatabaseModifier { + if (values.isEmpty()) { + return 0; + } +- int count = mDb.update(table, values, whereClause, whereArgs); ++ ++ final SQLiteQueryBuilder qb = new SQLiteQueryBuilder(); ++ qb.setTables(mTableName); ++ qb.setProjectionMap(CallLogProvider.sCallsProjectionMap); ++ qb.setStrict(true); ++ if (!mHasReadVoicemailPermission) { ++ qb.setStrictGrammar(true); ++ } ++ int count = qb.update(mDb, values, whereClause, whereArgs); ++ + if (count > 0 && isVoicemailContent || Tables.VOICEMAIL_STATUS.equals(table)) { + notifyVoicemailChange(mBaseUri, packagesModified); + } +@@ -269,14 +286,23 @@ public class DbModifierWithNotification implements DatabaseModifier { + // If the deletion is being made by the package that inserted the voicemail or by + // CP2 (cleanup after uninstall), then we don't need to wait for sync, so just delete it. + final int count; ++ ++ final SQLiteQueryBuilder qb = new SQLiteQueryBuilder(); ++ qb.setTables(mTableName); ++ qb.setProjectionMap(CallLogProvider.sCallsProjectionMap); ++ qb.setStrict(true); ++ if (!mHasReadVoicemailPermission) { ++ qb.setStrictGrammar(true); ++ } ++ + if (mIsCallsTable && isVoicemail && !isSelfModifyingOrInternal(packagesModified)) { + ContentValues values = new ContentValues(); + values.put(VoicemailContract.Voicemails.DIRTY, 1); + values.put(VoicemailContract.Voicemails.DELETED, 1); + values.put(VoicemailContract.Voicemails.LAST_MODIFIED, getTimeMillis()); +- count = mDb.update(table, values, whereClause, whereArgs); ++ count = qb.update(mDb, values, whereClause, whereArgs); + } else { +- count = mDb.delete(table, whereClause, whereArgs); ++ count = qb.delete(mDb, whereClause, whereArgs); + } + + if (count > 0 && isVoicemail) { +-- +2.17.1 + 
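Review bot: In `DbModifierWithNotification.java`, the existing private constructor now delegates with `true /* hasReadVoicemail */`, so every caller that does not come through `CallLogProvider.createDatabaseModifier` gets a query builder without `setStrictGrammar(true)`. A permission flag is safer defaulting to the restrictive value, so either default to `false` or confirm that each of those callers (outside this diff) has already verified the voicemail read permission. Separately, `update()` and `delete()` always install `CallLogProvider.sCallsProjectionMap` while `setTables(mTableName)` may name another table, as the constructor visibly handles `Tables.VOICEMAIL_STATUS`. Strict mode would then validate against the call-log column set for a different table, which deserves a test. Changing `sCallsProjectionMap` to `public static` for this also exposes a mutable map outside `CallLogProvider`; a package-private accessor would be narrower.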
diff --git a/aosp_diff/preliminary/packages/providers/MediaProvider/01_0001-Fix-use-after-free-bug-in-FuseDaemon.patch b/aosp_diff/preliminary/packages/providers/MediaProvider/01_0001-Fix-use-after-free-bug-in-FuseDaemon.patch
new file mode 100644
index 0000000000..b081e79e33
--- /dev/null
+++ b/aosp_diff/preliminary/packages/providers/MediaProvider/01_0001-Fix-use-after-free-bug-in-FuseDaemon.patch
@@ -0,0 +1,44 @@
+From 02eb80205fb74df18d619ccef9aac4812132eb8a Mon Sep 17 00:00:00 2001
+From: Zim
+Date: Thu, 5 Aug 2021 15:29:02 +0100
+Subject: [PATCH] Fix use-after-free bug in FuseDaemon
+
+The FuseDaemon periodically runs fadvise on the lower file system to
+avoid double caching. As part of 'recording' the write for the fadvise
+queue we sometimes raced and had the following ordering of events:
+
+T1: fuse_reply_write
+T2: pf_release (destroy handle)
+T1: Record (using already destroyed handle)
+
+Now we, call Record before fuse_reply_write
+
+Test: Manual
+Bug: 192085766
+Bug: 195615818
+Change-Id: Iba7598d40aa03d082af10935552ac7db7e28c5b6
+(cherry picked from commit f38de0b09885b8766de2b351d90cc86ce7d9240c)
+(cherry picked from commit 9b7488a6ab3f4c8f5cfc30ff7d04a972643c1ff9)
+---
+ jni/FuseDaemon.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/jni/FuseDaemon.cpp b/jni/FuseDaemon.cpp
+index ecb7092e..52ac5f79 100644
+--- a/jni/FuseDaemon.cpp
++++ b/jni/FuseDaemon.cpp
+@@ -1189,8 +1189,10 @@ static void pf_write_buf(fuse_req_t req,
+ if (size < 0)
+ fuse_reply_err(req, -size);
+ else {
+- fuse_reply_write(req, size);
++ // Execute Record *before* fuse_reply_write to avoid the following ordering:
++ // fuse_reply_write -> pf_release (destroy handle) -> Record (use handle after free)
+ fuse->fadviser.Record(h->fd, size);
++ fuse_reply_write(req, size);
+ }
+ }
+ // Haven't tested this one. Not sure what calls it.
+--
+2.17.1
+
diff --git a/aosp_diff/preliminary/system/bt/04_0004-osi-Prevent-memory-allocations-with-MSB-set.patch b/aosp_diff/preliminary/system/bt/04_0004-osi-Prevent-memory-allocations-with-MSB-set.patch
new file mode 100644
index 0000000000..6aec30061d
--- /dev/null
+++ b/aosp_diff/preliminary/system/bt/04_0004-osi-Prevent-memory-allocations-with-MSB-set.patch
@@ -0,0 +1,41 @@
+From 471ffd949d4b0dad44cf206f9c66fad0895e19d3 Mon Sep 17 00:00:00 2001
+From: Chris Manton
+Date: Wed, 29 Sep 2021 17:49:25 -0700
+Subject: [PATCH] osi: Prevent memory allocations with MSB set
+
+Limit allocations on 32bit to 2 GB
+Limit allocations on 64bit to 8 Exabyte
+
+Bug: 197868577
+Tag: #refactor
+Test: gd/cert/run
+Ignore-AOSP-First: Security
+Change-Id: I1c347084d7617b1e364a3241f1b37b398a2a6c6a
+(cherry picked from commit e435404a7d2afa6b4cb9a59319667bf72af4df1f)
+---
+ osi/src/allocator.cc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/osi/src/allocator.cc b/osi/src/allocator.cc
+index 1c0449e14..e2c356dd3 100644
+--- a/osi/src/allocator.cc
++++ b/osi/src/allocator.cc
+@@ -56,6 +56,7 @@ char* osi_strndup(const char* str, size_t len) {
+ }
+
+ void* osi_malloc(size_t size) {
++ CHECK(static_cast(size) >= 0);
+ size_t real_size = allocation_tracker_resize_for_canary(size);
+ void* ptr = malloc(real_size);
+ CHECK(ptr);
+@@ -63,6 +64,7 @@ void* osi_malloc(size_t size) {
+ }
+
+ void* osi_calloc(size_t size) {
++ CHECK(static_cast(size) >= 0);
+ size_t real_size = allocation_tracker_resize_for_canary(size);
+ void* ptr = calloc(1, real_size);
+ CHECK(ptr);
+--
+2.17.1
+
diff --git a/aosp_diff/preliminary/system/tools/aidl/01_0001-An-enum-is-initialized-as-zero-if-it-doesn-t-have-de.patch b/aosp_diff/preliminary/system/tools/aidl/01_0001-An-enum-is-initialized-as-zero-if-it-doesn-t-have-de.patch
new file mode 100644
index 0000000000..cd6e2c6969
--- /dev/null
+++ b/aosp_diff/preliminary/system/tools/aidl/01_0001-An-enum-is-initialized-as-zero-if-it-doesn-t-have-de.patch
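Review bot: In `osi/src/allocator.cc`, the new `CHECK` in `osi_malloc` and `osi_calloc` tests `size`, but the value actually handed to `malloc`/`calloc` is `real_size` returned by `allocation_tracker_resize_for_canary(size)`. If that helper adds canary bytes (its body is not in this hunk), a `size` just under the limit passes the check while `real_size` can exceed the limit or wrap around. Checking the adjusted value closes the gap: add `CHECK(real_size >= size);` directly after the resize call in both functions. The hunk header shows `osi_strndup` in the same file; whether it and the other allocation helpers route through these two functions is not visible here and is worth confirming.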
@@ -0,0 +1,61 @@
+From 80782db98bfe2bc316764209c2c65cfa7423c4a1 Mon Sep 17 00:00:00 2001
+From: Jeongik Cha
+Date: Sat, 25 Sep 2021 01:19:56 +0900
+Subject: [PATCH] An enum is initialized as zero if it doesn't have default
+ value
+
+In C++, NDK backend, an enum value hasn't been initialized if it doesn't
+have default value. In that case, initialize an enum with zero for the
+backends.
+
+Bug: 198346478
+Test: check golden output and m
+Ignore-AOSP-First: security patch
+Change-Id: I6cb67258cc4aacc41ae80c46ccee10a3cfe723f6
+Merged-In: I6cb67258cc4aacc41ae80c46ccee10a3cfe723f6
+(cherry picked from commit f39b16442ad832f2921ad0eec298b7c333936dc1)
+(cherry picked from commit f2e752316b0d9d2708bc56d20c1649e704bca030)
+---
+ generate_cpp.cpp | 7 +++++++
+ generate_ndk.cpp | 7 +++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/generate_cpp.cpp b/generate_cpp.cpp
+index cc256573..bbee9b3a 100644
+--- a/generate_cpp.cpp
++++ b/generate_cpp.cpp
+@@ -1111,6 +1111,13 @@ std::unique_ptr BuildParcelHeader(const AidlTypenames& typenames,
+ if (variable->GetDefaultValue()) {
+ out << " = " << cppType.c_str() << "(" << variable->ValueString(ConstantValueDecorator)
+ << ")";
++ } else if (auto type = typenames.TryGetDefinedType(variable->GetType().GetName()); type) {
++ if (auto enum_type = type->AsEnumDeclaration(); enum_type) {
++ if (!variable->GetType().IsArray()) {
++ // if an enum doesn't have explicit default value, do zero-initialization
++ out << " = " << cppType << "(0)";
++ }
++ }
+ }
+ out << ";\n";
+
+diff --git a/generate_ndk.cpp b/generate_ndk.cpp
+index 274d283f..0efd7eb7 100644
+--- a/generate_ndk.cpp
++++ b/generate_ndk.cpp
+@@ -879,6 +879,13 @@ void GenerateParcelHeader(CodeWriter& out, const AidlTypenames& types,
+ out << NdkNameOf(types, variable->GetType(), StorageMode::STACK) << " " << variable->GetName();
+ if (variable->GetDefaultValue()) {
+ out << " = " << variable->ValueString(ConstantValueDecorator);
++ } else if (auto type = types.TryGetDefinedType(variable->GetType().GetName()); type) {
++ if (auto enum_type = type->AsEnumDeclaration(); enum_type) {
++ if (!variable->GetType().IsArray()) {
++ // if an enum doesn't have explicit default value, do zero-initialization
++ out << " = " << NdkNameOf(types, variable->GetType(), StorageMode::STACK) << "(0)";
++ }
++ }
+ }
+ out << ";\n";
+ }
+--
+2.17.1
+
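Review bot: The initializer emitted for enum fields in `generate_cpp.cpp` and `generate_ndk.cpp` casts `0` to the enum type without checking that the enum declares an enumerator with value 0, so a generated parcelable can start out holding a value that is not one of its declared enumerators. That is still an improvement over an indeterminate value, but the in-code comment should say so, e.g. `// 0 may not be a declared enumerator; this only guarantees a defined initial value.` On style, the three nested `if`s can be folded into one condition, and the cpp branch uses `cppType.c_str()` on one line and plain `cppType` on the next. The ndk branch calls `NdkNameOf(...)` a second time for the same type, and hoisting it into a local would keep the declaration and initializer in sync. Both functions continue outside the hunks.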