14.1: December ASB picks

Signed-off-by: Tad <[email protected]>

Author: SkewedZeppelin

Patches/LineageOS-14.1/android_frameworks_base/376458.patch

@@ -0,0 +1,123 @@
+From 0d5107c9fa5780919b18cd15c1a4a073ac6ed7cd Mon Sep 17 00:00:00 2001
+From: Kweku Adams <[email protected]>
+Date: Fri, 23 Sep 2022 21:06:53 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE: Drop invalid data.
+
+Drop invalid data when writing or reading from XML. PersistableBundle
+does lazy unparcelling, so checking the values during unparcelling would
+remove the benefit of the lazy unparcelling. Checking the validity when
+writing to or reading from XML seems like the best alternative.
+
+Bug: 246542285
+Bug: 247513680
+Test: install test app with invalid job config, start app to schedule job, then check logcat and jobscheduler persisted file
+(cherry picked from commit 666e8ac60a31e2cc52b335b41004263f28a8db06)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b37ab21ce27746a79a2071deee98c61b23c8d9)
+Merged-In: Ie817aa0993e9046cb313a750d2323cadc8c1ef15
+Change-Id: Ie817aa0993e9046cb313a750d2323cadc8c1ef15
+---
+ core/java/android/os/PersistableBundle.java | 42 +++++++++++++++++----
+ 1 file changed, 34 insertions(+), 8 deletions(-)
+
+diff --git a/core/java/android/os/PersistableBundle.java b/core/java/android/os/PersistableBundle.java
+index db9f4b14a345e..c3e4b759b103c 100644
+--- a/core/java/android/os/PersistableBundle.java
++++ b/core/java/android/os/PersistableBundle.java
+@@ -18,6 +18,7 @@
+ 
+ import android.annotation.Nullable;
+ import android.util.ArrayMap;
++import android.util.Slog;
+ 
+ import com.android.internal.util.XmlUtils;
+ 
+@@ -36,6 +37,8 @@
+  */
+ public final class PersistableBundle extends BaseBundle implements Cloneable, Parcelable,
+         XmlUtils.WriteMapCallback {
++    private static final String TAG = "PersistableBundle";
++
+     private static final String TAG_PERSISTABLEMAP = "pbundle_as_map";
+     public static final PersistableBundle EMPTY;
+ 
+@@ -95,7 +98,11 @@ public PersistableBundle(PersistableBundle b) {
+      * @hide
+      */
+     public PersistableBundle(Bundle b) {
+-        this(b.getMap());
++        this(b, true);
++    }
++
++    private PersistableBundle(Bundle b, boolean throwException) {
++        this(b.getMap(), throwException);
+     }
+ 
+     /**
+@@ -104,7 +111,7 @@ public PersistableBundle(Bundle b) {
+      * @param map a Map containing only those items that can be persisted.
+      * @throws IllegalArgumentException if any element of #map cannot be persisted.
+      */
+-    private PersistableBundle(ArrayMap<String, Object> map) {
++    private PersistableBundle(ArrayMap<String, Object> map, boolean throwException) {
+         super();
+         mFlags = FLAG_DEFUSABLE;
+ 
+@@ -113,16 +120,23 @@ private PersistableBundle(ArrayMap<String, Object> map) {
+ 
+         // Now verify each item throwing an exception if there is a violation.
+         final int N = mMap.size();
+-        for (int i=0; i<N; i++) {
++        for (int i = N - 1; i >= 0; --i) {
+             Object value = mMap.valueAt(i);
+             if (value instanceof ArrayMap) {
+                 // Fix up any Maps by replacing them with PersistableBundles.
+-                mMap.setValueAt(i, new PersistableBundle((ArrayMap<String, Object>) value));
++                mMap.setValueAt(i,
++                        new PersistableBundle((ArrayMap<String, Object>) value, throwException));
+             } else if (value instanceof Bundle) {
+-                mMap.setValueAt(i, new PersistableBundle(((Bundle) value)));
++                mMap.setValueAt(i, new PersistableBundle((Bundle) value, throwException));
+             } else if (!isValidType(value)) {
+-                throw new IllegalArgumentException("Bad value in PersistableBundle key="
+-                        + mMap.keyAt(i) + " value=" + value);
++                final String errorMsg = "Bad value in PersistableBundle key="
++                        + mMap.keyAt(i) + " value=" + value;
++                if (throwException) {
++                    throw new IllegalArgumentException(errorMsg);
++                } else {
++                    Slog.wtfStack(TAG, errorMsg);
++                    mMap.removeAt(i);
++                }
+             }
+         }
+     }
+@@ -217,6 +231,15 @@ public void writeUnknownObject(Object v, String name, XmlSerializer out)
+     /** @hide */
+     public void saveToXml(XmlSerializer out) throws IOException, XmlPullParserException {
+         unparcel();
++        // Explicitly drop invalid types an attacker may have added before persisting.
++        for (int i = mMap.size() - 1; i >= 0; --i) {
++            final Object value = mMap.valueAt(i);
++            if (!isValidType(value)) {
++                Slog.e(TAG, "Dropping bad data before persisting: "
++                        + mMap.keyAt(i) + "=" + value);
++                mMap.removeAt(i);
++            }
++        }
+         XmlUtils.writeMapXml(mMap, out, this);
+     }
+ 
+@@ -265,9 +288,12 @@ public static PersistableBundle restoreFromXml(XmlPullParser in) throws IOExcept
+         while (((event = in.next()) != XmlPullParser.END_DOCUMENT) &&
+                 (event != XmlPullParser.END_TAG || in.getDepth() < outerDepth)) {
+             if (event == XmlPullParser.START_TAG) {
++                // Don't throw an exception when restoring from XML since an attacker could try to
++                // input invalid data in the persisted file.
+                 return new PersistableBundle((ArrayMap<String, Object>)
+                         XmlUtils.readThisArrayMapXml(in, startTag, tagName,
+-                        new MyReadMapCallback()));
++                        new MyReadMapCallback()),
++                        /* throwException */ false);
+             }
+         }
+         return EMPTY;

Patches/LineageOS-14.1/android_frameworks_base/376459.patch

@@ -0,0 +1,29 @@
+From a341bc7b7ae161f4a87e996d8a5e8b1ad005fb6b Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <[email protected]>
+Date: Mon, 24 Jul 2023 14:58:56 -0700
+Subject: [PATCH] Validate userId when publishing shortcuts
+
+Bug: 288110451
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01bfd04ff445db6290ae430d44ea1bf1a115fe3c)
+Merged-In: Idbde676f871db83825155730e3714f3727e25762
+Change-Id: Idbde676f871db83825155730e3714f3727e25762
+---
+ services/core/java/com/android/server/pm/ShortcutService.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutService.java b/services/core/java/com/android/server/pm/ShortcutService.java
+index 944f75345df6f..2cfc3461c6977 100644
+--- a/services/core/java/com/android/server/pm/ShortcutService.java
++++ b/services/core/java/com/android/server/pm/ShortcutService.java
+@@ -1528,6 +1528,10 @@ private void verifyShortcutInfoPackage(String callerPackage, ShortcutInfo si) {
+             android.util.EventLog.writeEvent(0x534e4554, "109824443", -1, "");
+             throw new SecurityException("Shortcut package name mismatch");
+         }
++        final int callingUid = injectBinderCallingUid();
++        if (UserHandle.getUserId(callingUid) != si.getUserId()) {
++            throw new SecurityException("User-ID in shortcut doesn't match the caller");
++        }
+     }
+ 
+     private void verifyShortcutInfoPackages(

Patches/LineageOS-14.1/android_frameworks_base/376460.patch

@@ -0,0 +1,33 @@
+From cb95e01ba40c3b8c70f5810efb7abfd85bfd0b1f Mon Sep 17 00:00:00 2001
+From: Kunal Malhotra <[email protected]>
+Date: Thu, 2 Feb 2023 23:48:27 +0000
+Subject: [PATCH] Adding in verification of calling UID in onShellCommand
+
+Test: manual testing on device
+Bug: b/261709193
+(cherry picked from commit b651d295b44eb82d664861b77f33dbde1bce9453)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3ef3f18ba3094c4cc4f954ba23d1da421f9ca8b0)
+Merged-In: I68903ebd6d3d85f4bc820b745e3233a448b62273
+Change-Id: I68903ebd6d3d85f4bc820b745e3233a448b62273
+---
+ .../java/com/android/server/am/ActivityManagerService.java | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 4e48f422a2fe3..7cda7571df70d 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -14349,6 +14349,13 @@ public int getMemoryTrimLevel() {
+     @Override
+     public void onShellCommand(FileDescriptor in, FileDescriptor out,
+             FileDescriptor err, String[] args, ResultReceiver resultReceiver) {
++        final int callingUid = Binder.getCallingUid();
++        if (callingUid != Process.ROOT_UID && callingUid != Process.SHELL_UID) {
++            if (resultReceiver != null) {
++                resultReceiver.send(-1, null);
++            }
++            throw new SecurityException("Shell commands are only callable by root or shell");
++        }
+         (new ActivityManagerShellCommand(this, false)).exec(
+                 this, in, out, err, args, resultReceiver);
+     }

Patches/LineageOS-14.1/android_packages_apps_Bluetooth/376469.patch

@@ -0,0 +1,38 @@
+From fd90a5342af9b9ead4026a70a694d3f31908d5ea Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <[email protected]>
+Date: Thu, 5 Oct 2023 00:01:03 +0000
+Subject: [PATCH] Fix UAF in ~CallbackEnv
+
+com_android_bluetooth_btservice_AdapterService does not null its local
+JNI environment variable after detaching the thread (which frees the
+environment context), allowing UAF under certain conditions.
+
+Null the variable in this case.
+
+Testing here was done through a custom unit test; see patchsets 4-6 for
+contents.  However, unit testing of the JNI layer is problematic in
+production, so that part of the patch is omitted for final merge.
+
+Bug: 291500341
+Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5f543d919c4067f2f4925580fd8a690ba3440e80)
+Merged-In: I3e5e3c51412640aa19f0981caaa809313d6ad030
+Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030
+---
+ jni/com_android_bluetooth_btservice_AdapterService.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/jni/com_android_bluetooth_btservice_AdapterService.cpp b/jni/com_android_bluetooth_btservice_AdapterService.cpp
+index 1768ef51b..4a579e0ca 100644
+--- a/jni/com_android_bluetooth_btservice_AdapterService.cpp
++++ b/jni/com_android_bluetooth_btservice_AdapterService.cpp
+@@ -465,6 +465,7 @@ static void callback_thread_event(bt_cb_thread_evt event) {
+             return;
+         }
+         vm->DetachCurrentThread();
++        callbackEnv = NULL;
+     }
+ }
+ 

Patches/LineageOS-14.1/android_system_bt/376461.patch

@@ -0,0 +1,35 @@
+From e54bad92576d31fc959342e4c35d73abaf29d926 Mon Sep 17 00:00:00 2001
+From: balakrishna <[email protected]>
+Date: Tue, 7 Mar 2023 16:53:46 +0530
+Subject: [PATCH] BT: Fixing the rfc_slot_id overflow
+
+Root cause:
+overflow causing leak in slot fds.
+As slot id 0 not valid, we are not able to release these fds later.
+
+Fix:
+Changes are made to avoid overflow while allocate rfc slots.
+
+CRs-Fixed: 3417458
+Change-Id: I5d7efa34bfb97a6dd8e9d68615d29120a0ae51f0
+---
+ btif/src/btif_sock_rfc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/btif/src/btif_sock_rfc.c b/btif/src/btif_sock_rfc.c
+index d5522b739eb..d77c3f44253 100644
+--- a/btif/src/btif_sock_rfc.c
++++ b/btif/src/btif_sock_rfc.c
+@@ -225,8 +225,11 @@ static rfc_slot_t *alloc_rfc_slot(const bt_bdaddr_t *addr, const char *name, con
+   }
+ 
+   // Increment slot id and make sure we don't use id=0.
+-  if (++rfc_slot_id == 0)
++  if (UINT32_MAX == rfc_slot_id) {
+     rfc_slot_id = 1;
++  } else {
++    ++rfc_slot_id;
++  }
+ 
+   slot->fd = fds[0];
+   slot->app_fd = fds[1];

Patches/LineageOS-14.1/android_system_bt/376462.patch

@@ -0,0 +1,31 @@
+From e446be9bf42b2559add74d48b91bae52b828e24f Mon Sep 17 00:00:00 2001
+From: balakrishna <[email protected]>
+Date: Wed, 24 May 2023 13:28:21 +0530
+Subject: [PATCH] Fix OOB Write in pin_reply in bluetooth.cc
+
+Root cause:
+if the length of "pin_code" is greater than 16,
+an OOBW will be triggered due to a missing bounds check.
+
+Fix:
+Check is added to avoid Out of Bound Write.
+
+CRs-Fixed: 3507292
+Change-Id: I15a1eae59b17f633e29180a01676c260189b8353
+---
+ btif/src/bluetooth.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/btif/src/bluetooth.c b/btif/src/bluetooth.c
+index d2f81733da4..5fc6c880db0 100644
+--- a/btif/src/bluetooth.c
++++ b/btif/src/bluetooth.c
+@@ -345,6 +345,8 @@ static int pin_reply(const bt_bdaddr_t *bd_addr, uint8_t accept,
+     /* sanity check */
+     if (interface_ready() == FALSE)
+         return BT_STATUS_NOT_READY;
++    if (pin_code == NULL || pin_len > PIN_CODE_LEN)
++        return BT_STATUS_FAIL;
+ 
+     return btif_dm_pin_reply(bd_addr, accept, pin_len, pin_code);
+ }

Patches/LineageOS-14.1/android_system_bt/376463.patch

@@ -0,0 +1,103 @@
+From 277464e315d43f3d66e2444744dfa9e42977c64c Mon Sep 17 00:00:00 2001
+From: Hui Peng <[email protected]>
+Date: Sat, 2 Sep 2023 04:20:10 +0000
+Subject: [PATCH] Reject access to secure service authenticated from a temp
+ bonding [1]
+
+Rejecct access to services running on l2cap
+
+Backport of
+Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
+
+Bug: 294854926
+Test: m com.android.btservices
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d)
+Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
+Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
+---
+ stack/btm/btm_sec.c | 41 +++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c
+index b27b7e071c7..23b334ce27f 100644
+--- a/stack/btm/btm_sec.c
++++ b/stack/btm/btm_sec.c
+@@ -106,7 +106,7 @@ static BOOLEAN  btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_
+                                             UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
+                                             UINT32 mx_chan_id);
+ 
+-static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);
++static BOOLEAN btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec);
+ static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);
+ static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);
+ static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec);
+@@ -145,7 +145,7 @@ static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
+ ** Returns          BOOLEAN TRUE or FALSE
+ **
+ *******************************************************************************/
+-static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)
++static BOOLEAN btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec)
+ {
+     if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)
+     {
+@@ -229,6 +229,26 @@ static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *
+     return(FALSE);
+ }
+ 
++/*******************************************************************************
++**
++** Function         access_secure_service_from_temp_bond
++**
++** Description      a utility function to test whether an access to
++**                  secure service from temp bonding is happening
++**
++** Returns          true if the aforementioned condition holds,
++**                  false otherwise
++**
++*******************************************************************************/
++static BOOLEAN access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec,
++                                                    bool locally_initiated,
++                                                    uint16_t security_req)
++{
++    return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) &&
++    btm_dev_authenticated(p_dev_rec) &&
++     p_dev_rec->bond_type == BOND_TYPE_TEMPORARY;
++}
++
+ /*******************************************************************************
+ **
+ ** Function         BTM_SecRegister
+@@ -2215,10 +2235,15 @@ tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle
+ 
+         if (rc == BTM_SUCCESS)
+         {
++            if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required))
++            {
++                LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
++                rc = BTM_FAILED_ON_SECURITY;
++            }
+             if (p_callback)
+-                (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
++                (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc);
+ 
+-            return(BTM_SUCCESS);
++            return (rc);
+         }
+     }
+     else
+@@ -5587,6 +5612,14 @@ extern tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
+         }
+     }
+ 
++    if (access_secure_service_from_temp_bond(p_dev_rec,
++                                             p_dev_rec->is_originator,
++                                             p_dev_rec->security_required))
++    {
++        LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting");
++        return (BTM_FAILED_ON_SECURITY);
++    }
++
+     /* All required  security procedures already established */
+     p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
+                                       BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |