ASB DEC 2024 Security Patches integration

Integrating Google Android Security Bulletin Patches Test done: STS r33 TCs Passed. Tracked-On: OAM-127592 Signed-off-by: AlamIntel <[email protected]>
projectceladon · Dec 3, 2024 · 21e59d4 · 21e59d4
1 parent 7cfc412
commit 21e59d4
Show file tree

Hide file tree

Showing 9 changed files with 433 additions and 1 deletion.
diff --git a/aosp_diff/base_aaos/build/make/0004-Update-security_patch_level-string.patch b/aosp_diff/base_aaos/build/make/0004-Update-security_patch_level-string.patch
@@ -20,7 +20,7 @@ index 0daae6bdcb..d14bd65167 100644
      #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
      #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
 -    PLATFORM_SECURITY_PATCH := 2022-07-05
-+    PLATFORM_SECURITY_PATCH := 2024-11-01
++    PLATFORM_SECURITY_PATCH := 2024-12-01
  endif
  .KATI_READONLY := PLATFORM_SECURITY_PATCH
 

diff --git a/aosp_diff/base_aaos/external/skia/0002-pdf-Bounds-check-in-skia_alloc_func.bulletin.patch b/aosp_diff/base_aaos/external/skia/0002-pdf-Bounds-check-in-skia_alloc_func.bulletin.patch
@@ -0,0 +1,51 @@
+From fa512f8749e5aaee06a7d6bcedcbbcf8c98bd673 Mon Sep 17 00:00:00 2001
+From: Ben Wagner <[email protected]>
+Date: Mon, 12 Aug 2024 15:00:08 -0400
+Subject: [PATCH] [pdf] Bounds check in skia_alloc_func
+
+The allocator callback for zlib needs to check that items * size will
+fit in size_t and return nullptr if not.
+
+Conflicts:
+- src/pdf/SkDeflate.cpp: just in header includes
+
+Bug: 349678452
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/888996
+Commit-Queue: Ben Wagner <[email protected]>
+Reviewed-by: Brian Osman <[email protected]>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:94b46e52960ec84a69304ea058fd928e3de6fa56)
+Merged-In: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+Change-Id: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+---
+ src/pdf/SkDeflate.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/pdf/SkDeflate.cpp b/src/pdf/SkDeflate.cpp
+index a8bd667cc0..f243f94b40 100644
+--- a/src/pdf/SkDeflate.cpp
++++ b/src/pdf/SkDeflate.cpp
+@@ -9,6 +9,7 @@
+
+ #include "include/core/SkData.h"
+ #include "include/private/SkMalloc.h"
++#include "include/private/SkTFitsIn.h"
+ #include "include/private/SkTo.h"
+ #include "src/core/SkTraceEvent.h"
+
+@@ -21,6 +22,13 @@ namespace {
+ // Different zlib implementations use different T.
+ // We've seen size_t and unsigned.
+ template <typename T> void* skia_alloc_func(void*, T items, T size) {
++    if (!SkTFitsIn<size_t>(size)) {
++        return nullptr;
++    }
++    const size_t maxItems = SIZE_MAX / size;
++    if (maxItems < items) {
++        return nullptr;
++    }
+     return sk_calloc_throw(SkToSizeT(items) * SkToSizeT(size));
+ }
+
+-- 
+2.46.1.824.gd892dcdcdd-goog
+
diff --git a/.../skia/0003-RESTRICT-AUTOMERGE-Check-for-size-overflow-before-allocating-Sk.bulletin.patch b/.../skia/0003-RESTRICT-AUTOMERGE-Check-for-size-overflow-before-allocating-Sk.bulletin.patch
@@ -0,0 +1,38 @@
+From 18bcdb2f95a266c285ad47e6830dd4e5ebe93edd Mon Sep 17 00:00:00 2001
+From: Brian Osman <[email protected]>
+Date: Thu, 29 Aug 2024 12:47:48 -0400
+Subject: [PATCH] RESTRICT AUTOMERGE: Check for size overflow before allocating
+ SkMask data
+
+Bug: 352631932
+Test: N/A -- not reproducible / speculative fix
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894478
+Commit-Queue: Ben Wagner <[email protected]>
+Reviewed-by: Ben Wagner <[email protected]>
+Auto-Submit: Brian Osman <[email protected]>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fa94ff39bee75fe3a4abf061c09b972e2ffd0fa)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbf6a5953623cdb0ef200bcba00bc43986b16c91)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:767ef0ae44902bb84ef0bf6f6beb601c283ade01)
+Merged-In: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+Change-Id: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+---
+ src/core/SkBlurMF.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/core/SkBlurMF.cpp b/src/core/SkBlurMF.cpp
+index 0b8486a587..6e951f7c82 100644
+--- a/src/core/SkBlurMF.cpp
++++ b/src/core/SkBlurMF.cpp
+@@ -175,6 +175,9 @@ static bool prepare_to_draw_into_mask(const SkRect& bounds, SkMask* mask) {
+     mask->fRowBytes = SkAlign4(mask->fBounds.width());
+     mask->fFormat = SkMask::kA8_Format;
+     const size_t size = mask->computeImageSize();
++    if (size == 0) {
++        return false;
++    }
+     mask->fImage = SkMask::AllocImage(size, SkMask::kZeroInit_Alloc);
+     if (nullptr == mask->fImage) {
+         return false;
+-- 
+2.46.1.824.gd892dcdcdd-goog
+
diff --git a/...os/external/skia/0004-Prevent-overflow-when-growing-an-SkRegion-s-RunArray.bulletin.patch b/...os/external/skia/0004-Prevent-overflow-when-growing-an-SkRegion-s-RunArray.bulletin.patch
@@ -0,0 +1,38 @@
+From ad726e1562b54e08f991dd08e3afadec7f3b9e3a Mon Sep 17 00:00:00 2001
+From: Brian Osman <[email protected]>
+Date: Thu, 29 Aug 2024 11:52:35 -0400
+Subject: [PATCH] Prevent overflow when growing an SkRegion's RunArray
+
+Bug: 350118416
+Test: N/A -- speculative issue without repro case
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894836
+Reviewed-by: Robert Phillips <[email protected]>
+Commit-Queue: Brian Osman <[email protected]>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85802e6d648a7831a26cc856fa5e33da94ed23f0)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6ed907c5f18a646c9150e41b74ef45ca08518830)
+Merged-In: Iea27fe62ef97deb8a75e8dae276657d809223b57
+Change-Id: Iea27fe62ef97deb8a75e8dae276657d809223b57
+---
+ src/core/SkRegion.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
+index 86c38bd5d9..b1ec9f4df8 100644
+--- a/src/core/SkRegion.cpp
++++ b/src/core/SkRegion.cpp
+@@ -52,8 +52,10 @@ public:
+     /** Resize the array to a size greater-than-or-equal-to count. */
+     void resizeToAtLeast(int count) {
+         if (count > fCount) {
+-            // leave at least 50% extra space for future growth.
+-            count += count >> 1;
++            // leave at least 50% extra space for future growth (unless adding would overflow)
++            SkSafeMath safe;
++            int newCount = safe.addInt(count, count >> 1);
++            count = safe ? newCount : SK_MaxS32;
+             fMalloc.realloc(count);
+             if (fPtr == fStack) {
+                 memcpy(fMalloc.get(), fStack, fCount * sizeof(SkRegionPriv::RunType));
+-- 
+2.46.1.824.gd892dcdcdd-goog
+
diff --git a/...rameworks/base/99_0306-Properly-handle-onNullBinding-in-appwidget-service-.bulletin.patch b/...rameworks/base/99_0306-Properly-handle-onNullBinding-in-appwidget-service-.bulletin.patch
@@ -0,0 +1,63 @@
+From 1b4fee70bd6c7f836f91002ba722c5c88d38491c Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <[email protected]>
+Date: Thu, 29 Aug 2024 17:01:55 +0000
+Subject: [PATCH] Properly handle onNullBinding() in appwidget service.
+
+Bug: 340239088
+Test: manually verified with the PoC app
+Flag: EXEMPT CVE
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5b076641fc517b37f1689697130de3cbc22a4c92)
+Merged-In: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+Change-Id: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+---
+ core/java/android/widget/RemoteViewsAdapter.java       |  5 +++++
+ .../android/server/appwidget/AppWidgetServiceImpl.java | 10 ++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/core/java/android/widget/RemoteViewsAdapter.java b/core/java/android/widget/RemoteViewsAdapter.java
+index 8e293f4b356d..f8bffa7a842e 100644
+--- a/core/java/android/widget/RemoteViewsAdapter.java
++++ b/core/java/android/widget/RemoteViewsAdapter.java
+@@ -240,6 +240,11 @@ public class RemoteViewsAdapter extends BaseAdapter implements Handler.Callback
+             }
+         }
+
++        @Override
++        public void onNullBinding(ComponentName name) {
++            enqueueDeferredUnbindServiceMessage();
++        }
++
+         @Override
+         public void handleMessage(Message msg) {
+             RemoteViewsAdapter adapter = mAdapter.get();
+diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+index f5063ac4a023..61a86560178a 100644
+--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
++++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+@@ -1776,6 +1776,11 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+                 mContext.unbindService(this);
+             }
+
++            @Override
++            public void onNullBinding(ComponentName name) {
++                mContext.unbindService(this);
++            }
++
+             @Override
+             public void onServiceDisconnected(ComponentName name) {
+                 // Do nothing
+@@ -1916,6 +1921,11 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+                                 mContext.unbindService(this);
+                             }
+
++                            @Override
++                            public void onNullBinding(ComponentName name) {
++                                mContext.unbindService(this);
++                            }
++
+                             @Override
+                             public void onServiceDisconnected(android.content.ComponentName name) {
+                                 // Do nothing
+-- 
+2.46.1.824.gd892dcdcdd-goog
+
diff --git a/...aaos/system/bt/64_0064-Fix-OOB-write-in-build_read_multi_rsp-of-gatt_sr-cc.bulletin.patch b/...aaos/system/bt/64_0064-Fix-OOB-write-in-build_read_multi_rsp-of-gatt_sr-cc.bulletin.patch
@@ -0,0 +1,71 @@
+From 1f638883d45c8da80154e6e6a32d2f408784f54b Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <[email protected]>
+Date: Mon, 8 Jul 2024 22:42:18 +0000
+Subject: [PATCH] Fix OOB write in build_read_multi_rsp of gatt_sr.cc
+
+build_read_multi_rsp is missing a bounds check, which can lead to an
+OOB write when the mtu parameter is set to zero.
+
+Add that bounds check.
+
+Bug: 323850943
+Test: atest GattSrTest
+Test: researcher POC
+Tag: #security
+Flag: EXEMPT trivial validity checks
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c177fdbd6189a114239e11e2713740b5a50624e1)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f7171d31e247e3367b302374a3a0cf671f50ffcd)
+Merged-In: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
+Change-Id: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
+---
+ stack/eatt/eatt.h     | 7 ++++++-
+ stack/gatt/gatt_sr.cc | 7 +++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/stack/eatt/eatt.h b/stack/eatt/eatt.h
+index 0af2fe3de..31af5cb32 100644
+--- a/stack/eatt/eatt.h
++++ b/stack/eatt/eatt.h
+@@ -23,6 +23,7 @@
+
+ #define EATT_MIN_MTU_MPS (64)
+ #define EATT_DEFAULT_MTU (256)
++#define EATT_MAX_TX_MTU (1024)
+
+ namespace bluetooth {
+ namespace eatt {
+@@ -91,7 +92,11 @@ class EattChannel {
+     }
+     state_ = state;
+   }
+-  void EattChannelSetTxMTU(uint16_t tx_mtu) { this->tx_mtu_ = tx_mtu; }
++
++  void EattChannelSetTxMTU(uint16_t tx_mtu) {
++    this->tx_mtu_ = std::min<uint16_t>(tx_mtu, EATT_MAX_TX_MTU);
++    this->tx_mtu_ = std::max<uint16_t>(this->tx_mtu_, EATT_MIN_MTU_MPS);
++  }
+ };
+
+ /* Interface class */
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index d689acf16..b08995493 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -143,6 +143,13 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
+   uint8_t* p;
+   bool is_overflow = false;
+
++  // We need at least one extra byte for the opcode
++  if (mtu == 0) {
++    LOG(ERROR) << "Invalid MTU";
++    p_cmd->status = GATT_ILLEGAL_PARAMETER;
++    return;
++  }
++
+   len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
+   BT_HDR* p_buf = (BT_HDR*)osi_calloc(len);
+   p_buf->offset = L2CAP_MIN_OFFSET;
+-- 
+2.46.1.824.gd892dcdcdd-goog
+
diff --git a/...se_aaos/system/bt/65_0065-Fix-GATT-Read-Multiple-Variable-Response-builder.bulletin.patch b/...se_aaos/system/bt/65_0065-Fix-GATT-Read-Multiple-Variable-Response-builder.bulletin.patch
@@ -0,0 +1,40 @@
+From b07754a16f7241ff2c9b626602584416e19150b3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jakub=20Paw=C5=82owski?= <[email protected]>
+Date: Thu, 1 Aug 2024 14:12:58 +0000
+Subject: [PATCH] Fix "GATT Read Multiple Variable Response" builder
+
+0 length value is perfectly fine, and should result in just length
+added into the packet.
+Currently, for 0 length value we just break out of loop, and don't add
+any value.
+This means, that if first characetristic in response had 0 length, we
+would return empty packet.
+
+Ignore-AOSP-First: security fix
+Test: mma -j32;
+Bug: 352696105
+Bug: 356886209
+Flag: exempt, obvious logic fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:167573989a2a11a71af1289615692c360c14bddf)
+Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+---
+ stack/gatt/gatt_sr.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index b08995493..96cbb646c 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -193,7 +193,7 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
+
+       len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
+
+-      if (len == 0) {
++      if (total_len == mtu && p_rsp->attr_value.len > 0) {
+         VLOG(1) << "Buffer space not enough for this data item, skipping";
+         break;
+       }
+-- 
+2.46.1.824.gd892dcdcdd-goog
+
diff --git a/...ff/base_aaos/system/bt/66_0066-Encrypt-LE-link-immediately-on-reconnection.bulletin.patch b/...ff/base_aaos/system/bt/66_0066-Encrypt-LE-link-immediately-on-reconnection.bulletin.patch
@@ -0,0 +1,46 @@
+From ba29e132822c8d23a9567495f47f949cd3942a17 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <[email protected]>
+Date: Wed, 4 Sep 2024 22:01:58 +0000
+Subject: [PATCH] Encrypt LE link immediately on reconnection
+
+LE link must be encrypted immediately on connection if device are
+already bonded.
+
+This is a backport of ag/29056565, but the code needs to go in a
+different location because that patch relies on recent feature work.
+
+Ignore-AOSP-First: security
+Test: mmm packages/modules/Bluetooth
+Bug: 288144143
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1cb2dc039d5d084a4a44e8ce283c1b21b9868354)
+Merged-In: Ibb6d651fe53835260ecc6d08215b2a3bd235bced
+Change-Id: Ibb6d651fe53835260ecc6d08215b2a3bd235bced
+---
+ stack/acl/btm_acl.cc | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/stack/acl/btm_acl.cc b/stack/acl/btm_acl.cc
+index 4c7e06696..80eed2aef 100644
+--- a/stack/acl/btm_acl.cc
++++ b/stack/acl/btm_acl.cc
+@@ -1112,6 +1112,17 @@ void StackAclBtmAcl::btm_establish_continue(tACL_CONN* p_acl) {
+                 PRIVATE_ADDRESS(p_acl->RemoteAddress()));
+     }
+     btm_set_link_policy(p_acl, btm_cb.acl_cb_.DefaultLinkPolicy());
++  } else if (p_acl->is_transport_ble()) {
++    tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_acl->remote_addr);
++
++    if (p_dev_rec == nullptr) {
++      LOG_WARN("No security record for %s",
++               PRIVATE_ADDRESS(p_acl->RemoteAddress()));
++    } else if (p_dev_rec->is_le_link_key_known()) {
++      btm_ble_set_encryption(
++          p_acl->remote_addr, BTM_BLE_SEC_ENCRYPT,
++          p_dev_rec->role_central ? HCI_ROLE_CENTRAL : HCI_ROLE_PERIPHERAL);
++    }
+   }
+   NotifyAclLinkUp(*p_acl);
+ }
+-- 
+2.46.1.824.gd892dcdcdd-goog
+