Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ASB - December 2023 Security Patches integration #2228

Merged
merged 1 commit into from
Dec 4, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ index 47bb92c142..2d0ac256a4 100644
# It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
# If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
- PLATFORM_SECURITY_PATCH := 2022-02-05
+ PLATFORM_SECURITY_PATCH := 2023-11-01
+ PLATFORM_SECURITY_PATCH := 2023-12-01
endif
.KATI_READONLY := PLATFORM_SECURITY_PATCH

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
From cfd4960f97e80809c0ae14b04547c18be6cd4b31 Mon Sep 17 00:00:00 2001
From: Toni Heidenreich <[email protected]>
Date: Wed, 6 Sep 2023 12:49:33 +0000
Subject: [PATCH] httplive: fix use-after-free

Implement a mutex to ensure secure multi-threaded
access to the KeyedVector in MetaDataBase.
Concurrent access by different threads can lead
to accessing the wrong memory location due to
potential changes in the vector

Bug: 298057702
Test: HTTP Live Streaming test
(cherry picked from https://partner-android-review.googlesource.com/q/commit:a2dfb31957a9d5358d0219a0eda7dcb5b0fff5fe)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90fb4ca425444429ada6ce0de1c13d35829bc196)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c1d9613ef64e01d2e81c4aa44c90dcd8ca958b9)
Merged-In: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a
Change-Id: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a
---
media/libstagefright/foundation/MetaDataBase.cpp | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/media/libstagefright/foundation/MetaDataBase.cpp b/media/libstagefright/foundation/MetaDataBase.cpp
index 3f050ea6aa..aa6ca10967 100644
--- a/media/libstagefright/foundation/MetaDataBase.cpp
+++ b/media/libstagefright/foundation/MetaDataBase.cpp
@@ -23,6 +23,8 @@
#include <stdlib.h>
#include <string.h>

+#include <mutex>
+
#include <media/stagefright/foundation/ADebug.h>
#include <media/stagefright/foundation/AString.h>
#include <media/stagefright/foundation/hexdump.h>
@@ -78,6 +80,7 @@ struct MetaDataBase::Rect {


struct MetaDataBase::MetaDataInternal {
+ std::mutex mLock;
KeyedVector<uint32_t, MetaDataBase::typed_data> mItems;
};

@@ -102,10 +105,12 @@ MetaDataBase::~MetaDataBase() {
}

void MetaDataBase::clear() {
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
mInternalData->mItems.clear();
}

bool MetaDataBase::remove(uint32_t key) {
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
ssize_t i = mInternalData->mItems.indexOfKey(key);

if (i < 0) {
@@ -252,6 +257,7 @@ bool MetaDataBase::setData(
uint32_t key, uint32_t type, const void *data, size_t size) {
bool overwrote_existing = true;

+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
ssize_t i = mInternalData->mItems.indexOfKey(key);
if (i < 0) {
typed_data item;
@@ -269,6 +275,7 @@ bool MetaDataBase::setData(

bool MetaDataBase::findData(uint32_t key, uint32_t *type,
const void **data, size_t *size) const {
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
ssize_t i = mInternalData->mItems.indexOfKey(key);

if (i < 0) {
@@ -283,6 +290,7 @@ bool MetaDataBase::findData(uint32_t key, uint32_t *type,
}

bool MetaDataBase::hasData(uint32_t key) const {
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
ssize_t i = mInternalData->mItems.indexOfKey(key);

if (i < 0) {
@@ -429,6 +437,7 @@ static void MakeFourCCString(uint32_t x, char *s) {

String8 MetaDataBase::toString() const {
String8 s;
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
for (int i = mInternalData->mItems.size(); --i >= 0;) {
int32_t key = mInternalData->mItems.keyAt(i);
char cc[5];
@@ -443,6 +452,7 @@ String8 MetaDataBase::toString() const {
}

void MetaDataBase::dumpToLog() const {
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
for (int i = mInternalData->mItems.size(); --i >= 0;) {
int32_t key = mInternalData->mItems.keyAt(i);
char cc[5];
@@ -455,6 +465,7 @@ void MetaDataBase::dumpToLog() const {
#if !defined(__ANDROID_VNDK__) && !defined(__ANDROID_APEX__)
status_t MetaDataBase::writeToParcel(Parcel &parcel) {
status_t ret;
+ std::lock_guard<std::mutex> guard(mInternalData->mLock);
size_t numItems = mInternalData->mItems.size();
ret = parcel.writeUint32(uint32_t(numItems));
if (ret) {
--
2.42.0.820.g83a721a137-goog

Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
From b4910062d576833cf0c99b3fb2f0e685faafc9d0 Mon Sep 17 00:00:00 2001
From: Atneya Nair <[email protected]>
Date: Wed, 10 May 2023 21:37:41 -0700
Subject: [PATCH] Correct attribution source for MMAP thread

Ensure that the package name, which is used for listening for appops
below getInputForAttr, is corrected for MMAP threads.

Bug: 268724205
Test: AudioRecordTest
Test: Oboetester MMAP record silenced when backgrounded - 6s
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f59db5cb1be38abce4c3c4f553090e527a6d4513)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5be19e855d2a9b772d43aacf0af2848d862a1b90)
Merged-In: Ia6fc1bff815bbbb2fee8bc1a60569a663a713e4b
Change-Id: Ia6fc1bff815bbbb2fee8bc1a60569a663a713e4b
---
services/audioflinger/Threads.cpp | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/services/audioflinger/Threads.cpp b/services/audioflinger/Threads.cpp
index 7f2680014d..0c0c618e99 100644
--- a/services/audioflinger/Threads.cpp
+++ b/services/audioflinger/Threads.cpp
@@ -9188,6 +9188,9 @@ status_t AudioFlinger::MmapThread::start(const AudioClient& client,
audio_port_handle_t portId = AUDIO_PORT_HANDLE_NONE;

audio_io_handle_t io = mId;
+ AttributionSourceState adjAttributionSource = AudioFlinger::checkAttributionSourcePackage(
+ client.attributionSource);
+
if (isOutput()) {
audio_config_t config = AUDIO_CONFIG_INITIALIZER;
config.sample_rate = mSampleRate;
@@ -9201,7 +9204,7 @@ status_t AudioFlinger::MmapThread::start(const AudioClient& client,
ret = AudioSystem::getOutputForAttr(&mAttr, &io,
mSessionId,
&stream,
- client.attributionSource,
+ adjAttributionSource,
&config,
flags,
&deviceId,
@@ -9218,7 +9221,7 @@ status_t AudioFlinger::MmapThread::start(const AudioClient& client,
ret = AudioSystem::getInputForAttr(&mAttr, &io,
RECORD_RIID_INVALID,
mSessionId,
- client.attributionSource,
+ adjAttributionSource,
&config,
AUDIO_INPUT_FLAG_MMAP_NOIRQ,
&deviceId,
--
2.42.0.820.g83a721a137-goog

Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
From 302959a3f62dd7f4dcc5fac20d44ede9d09ff567 Mon Sep 17 00:00:00 2001
From: Atneya Nair <[email protected]>
Date: Wed, 9 Aug 2023 16:21:48 -0700
Subject: [PATCH] Condition background record restriction on Sdk

To prevent breaking existing apps, modify the checks around when
an app should have its recording silenced to retain prior behavior
unless an app has targetSdk U or greater.

Test: oboetester conditionally restricted based on targetSdk level
Bug: 268724205
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc4f375d570965775634d90856719b812aee9865)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a5ed2002773feb3dd371cc473fc0a6ff2dfd21b6)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:382a9eaf46cf53b986494a694c9a87b8be8a28e4)
Merged-In: I42b6cbca60db6ce1a073254239b48e9104c4ebfb
Change-Id: I42b6cbca60db6ce1a073254239b48e9104c4ebfb
---
.../service/AudioPolicyService.cpp | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)

diff --git a/services/audiopolicy/service/AudioPolicyService.cpp b/services/audiopolicy/service/AudioPolicyService.cpp
index 4d0e1f12a6..eb6666165d 100644
--- a/services/audiopolicy/service/AudioPolicyService.cpp
+++ b/services/audiopolicy/service/AudioPolicyService.cpp
@@ -25,6 +25,7 @@
#include <sys/time.h>
#include <dlfcn.h>

+#include <android/content/pm/IPackageManagerNative.h>
#include <audio_utils/clock.h>
#include <binder/IServiceManager.h>
#include <utils/Log.h>
@@ -77,6 +78,27 @@ static void destroyAudioPolicyManager(AudioPolicyInterface *interface)
{
delete interface;
}
+
+namespace {
+int getTargetSdkForPackageName(std::string_view packageName) {
+ const auto binder = defaultServiceManager()->checkService(String16{"package_native"});
+ int targetSdk = -1;
+ if (binder != nullptr) {
+ const auto pm = interface_cast<content::pm::IPackageManagerNative>(binder);
+ if (pm != nullptr) {
+ const auto status = pm->getTargetSdkVersionForPackage(
+ String16{packageName.data(), packageName.size()}, &targetSdk);
+ return status.isOk() ? targetSdk : -1;
+ }
+ }
+ return targetSdk;
+}
+
+bool doesPackageTargetAtLeastU(std::string_view packageName) {
+ constexpr int ANDROID_API_U = 34;
+ return getTargetSdkForPackageName(packageName) >= ANDROID_API_U;
+}
+} // anonymous
// ----------------------------------------------------------------------------

AudioPolicyService::AudioPolicyService()
@@ -1482,10 +1504,14 @@ void AudioPolicyService::OpRecordAudioMonitor::onFirstRef()
checkOp();
mOpCallback = new RecordAudioOpCallback(this);
ALOGV("start watching op %d for %s", mAppOp, mAttributionSource.toString().c_str());
+ int flags = doesPackageTargetAtLeastU(
+ mAttributionSource.packageName.value_or("")) ?
+ AppOpsManager::WATCH_FOREGROUND_CHANGES : 0;
// TODO: We need to always watch AppOpsManager::OP_RECORD_AUDIO too
// since it controls the mic permission for legacy apps.
mAppOpsManager.startWatchingMode(mAppOp, VALUE_OR_FATAL(aidl2legacy_string_view_String16(
mAttributionSource.packageName.value_or(""))),
+ flags,
mOpCallback);
}

--
2.42.0.820.g83a721a137-goog

Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
From f88afd13d35ee1d105ae538f990319de704d2741 Mon Sep 17 00:00:00 2001
From: Beverly <[email protected]>
Date: Mon, 8 May 2023 16:33:12 +0000
Subject: [PATCH] On device lockdown, always show the keyguard

Manual test steps:
1. Enable app pinning and disable "Ask for PIN before unpinning" setting
2. Pin an app (ie: Settings)
3. Lockdown from the power menu
Observe: user is brought to the keyguard, primary auth is required
to enter the device. After entering credential, the device is still in
app pinning mode.

Test: atest KeyguardViewMediatorTest
Test: manual steps outlined above
Bug: 218495634
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b23c2d5fb6630ea0da503b937f62880594b13e94)
Merged-In: I9a7c5e1acadabd4484e58573331f98dba895f2a2
Change-Id: I9a7c5e1acadabd4484e58573331f98dba895f2a2
---
.../systemui/keyguard/KeyguardViewMediator.java | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
index 37c26187176c..6cfd5e0ec5f8 100644
--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
@@ -678,6 +678,13 @@ public class KeyguardViewMediator extends SystemUI implements Dumpable,
notifyHasLockscreenWallpaperChanged(hasLockscreenWallpaper);
}
}
+
+ @Override
+ public void onStrongAuthStateChanged(int userId) {
+ if (mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
+ doKeyguardLocked(null);
+ }
+ }
};

ViewMediatorCallback mViewMediatorCallback = new ViewMediatorCallback() {
@@ -1524,7 +1531,8 @@ public class KeyguardViewMediator extends SystemUI implements Dumpable,
}

// if another app is disabling us, don't show
- if (!mExternallyEnabled) {
+ if (!mExternallyEnabled
+ && !mLockPatternUtils.isUserInLockdown(KeyguardUpdateMonitor.getCurrentUser())) {
if (DEBUG) Log.d(TAG, "doKeyguard: not showing because externally disabled");

mNeedToReshowWhenReenabled = true;
--
2.42.0.820.g83a721a137-goog

Loading
Loading