-
Notifications
You must be signed in to change notification settings - Fork 250
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ASB DEC 2024 Security Patches integration
Integrating Google Android Security Bulletin Patches Test done: STS r34 TCs Passed. Tracked-On: OAM-129116 Signed-off-by: Alam, Sahibex <[email protected]>
- Loading branch information
Showing
15 changed files
with
861 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
51 changes: 51 additions & 0 deletions
51
...iff/preliminary/external/skia/02_0002--pdf-Bounds-check-in-skia_alloc_func.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
From b5543cb8c6b95623743016055220378efe73eb93 Mon Sep 17 00:00:00 2001 | ||
From: Ben Wagner <[email protected]> | ||
Date: Mon, 12 Aug 2024 15:00:08 -0400 | ||
Subject: [PATCH] [pdf] Bounds check in skia_alloc_func | ||
|
||
The allocator callback for zlib needs to check that items * size will | ||
fit in size_t and return nullptr if not. | ||
|
||
Conflicts: | ||
- src/pdf/SkDeflate.cpp: just in header includes | ||
|
||
Bug: 349678452 | ||
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/888996 | ||
Commit-Queue: Ben Wagner <[email protected]> | ||
Reviewed-by: Brian Osman <[email protected]> | ||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ac6d5834d4d701232e98745a58815fb2ac9cd75) | ||
Merged-In: Id1a30592d435bd0de4630e7047f26b0dc17654fc | ||
Change-Id: Id1a30592d435bd0de4630e7047f26b0dc17654fc | ||
--- | ||
src/pdf/SkDeflate.cpp | 8 ++++++++ | ||
1 file changed, 8 insertions(+) | ||
|
||
diff --git a/src/pdf/SkDeflate.cpp b/src/pdf/SkDeflate.cpp | ||
index f044c140fa..157f5164ee 100644 | ||
--- a/src/pdf/SkDeflate.cpp | ||
+++ b/src/pdf/SkDeflate.cpp | ||
@@ -9,6 +9,7 @@ | ||
|
||
#include "include/core/SkData.h" | ||
#include "include/private/base/SkMalloc.h" | ||
+#include "include/private/base/SkTFitsIn.h" | ||
#include "include/private/base/SkTo.h" | ||
#include "src/core/SkTraceEvent.h" | ||
|
||
@@ -21,6 +22,13 @@ namespace { | ||
// Different zlib implementations use different T. | ||
// We've seen size_t and unsigned. | ||
template <typename T> void* skia_alloc_func(void*, T items, T size) { | ||
+ if (!SkTFitsIn<size_t>(size)) { | ||
+ return nullptr; | ||
+ } | ||
+ const size_t maxItems = SIZE_MAX / size; | ||
+ if (maxItems < items) { | ||
+ return nullptr; | ||
+ } | ||
return sk_calloc_throw(SkToSizeT(items) * SkToSizeT(size)); | ||
} | ||
|
||
-- | ||
2.46.1.824.gd892dcdcdd-goog | ||
|
38 changes: 38 additions & 0 deletions
38
...ia/03_0003-RESTRICT-AUTOMERGE-Check-for-size-overflow-before-allocating-Sk.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
From 796c2040f641bb287dba66c9823ce45e9f8b5807 Mon Sep 17 00:00:00 2001 | ||
From: Brian Osman <[email protected]> | ||
Date: Thu, 29 Aug 2024 12:47:48 -0400 | ||
Subject: [PATCH] RESTRICT AUTOMERGE: Check for size overflow before allocating | ||
SkMask data | ||
|
||
Bug: 352631932 | ||
Test: N/A -- not reproducible / speculative fix | ||
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894478 | ||
Commit-Queue: Ben Wagner <[email protected]> | ||
Reviewed-by: Ben Wagner <[email protected]> | ||
Auto-Submit: Brian Osman <[email protected]> | ||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fa94ff39bee75fe3a4abf061c09b972e2ffd0fa) | ||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbf6a5953623cdb0ef200bcba00bc43986b16c91) | ||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a96bda269af74d90cf3993c4429ce9e673a5fc36) | ||
Merged-In: I74c081a7b849f13194ec7807b7a748d1919c1bb2 | ||
Change-Id: I74c081a7b849f13194ec7807b7a748d1919c1bb2 | ||
--- | ||
src/core/SkBlurMF.cpp | 3 +++ | ||
1 file changed, 3 insertions(+) | ||
|
||
diff --git a/src/core/SkBlurMF.cpp b/src/core/SkBlurMF.cpp | ||
index cd3cd5f3d9..7de3653779 100644 | ||
--- a/src/core/SkBlurMF.cpp | ||
+++ b/src/core/SkBlurMF.cpp | ||
@@ -181,6 +181,9 @@ static bool prepare_to_draw_into_mask(const SkRect& bounds, SkMask* mask) { | ||
mask->fRowBytes = SkAlign4(mask->fBounds.width()); | ||
mask->fFormat = SkMask::kA8_Format; | ||
const size_t size = mask->computeImageSize(); | ||
+ if (size == 0) { | ||
+ return false; | ||
+ } | ||
mask->fImage = SkMask::AllocImage(size, SkMask::kZeroInit_Alloc); | ||
if (nullptr == mask->fImage) { | ||
return false; | ||
-- | ||
2.46.1.824.gd892dcdcdd-goog | ||
|
38 changes: 38 additions & 0 deletions
38
...external/skia/04_0004-Prevent-overflow-when-growing-an-SkRegion-s-RunArray.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
From 8d355fe1d0795fc30b84194b87563f75c6f8f2a7 Mon Sep 17 00:00:00 2001 | ||
From: Brian Osman <[email protected]> | ||
Date: Thu, 29 Aug 2024 11:52:35 -0400 | ||
Subject: [PATCH] Prevent overflow when growing an SkRegion's RunArray | ||
|
||
Bug: 350118416 | ||
Test: N/A -- speculative issue without repro case | ||
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894836 | ||
Reviewed-by: Robert Phillips <[email protected]> | ||
Commit-Queue: Brian Osman <[email protected]> | ||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85802e6d648a7831a26cc856fa5e33da94ed23f0) | ||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:521332e28acde551bb63dbd6829e7089d73533d8) | ||
Merged-In: Iea27fe62ef97deb8a75e8dae276657d809223b57 | ||
Change-Id: Iea27fe62ef97deb8a75e8dae276657d809223b57 | ||
--- | ||
src/core/SkRegion.cpp | 6 ++++-- | ||
1 file changed, 4 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp | ||
index 780a71c9ba..c46ffa44fe 100644 | ||
--- a/src/core/SkRegion.cpp | ||
+++ b/src/core/SkRegion.cpp | ||
@@ -55,8 +55,10 @@ public: | ||
/** Resize the array to a size greater-than-or-equal-to count. */ | ||
void resizeToAtLeast(int count) { | ||
if (count > fCount) { | ||
- // leave at least 50% extra space for future growth. | ||
- count += count >> 1; | ||
+ // leave at least 50% extra space for future growth (unless adding would overflow) | ||
+ SkSafeMath safe; | ||
+ int newCount = safe.addInt(count, count >> 1); | ||
+ count = safe ? newCount : SK_MaxS32; | ||
fMalloc.realloc(count); | ||
if (fPtr == fStack) { | ||
memcpy(fMalloc.get(), fStack, fCount * sizeof(SkRegionPriv::RunType)); | ||
-- | ||
2.46.1.824.gd892dcdcdd-goog | ||
|
85 changes: 85 additions & 0 deletions
85
aosp_diff/preliminary/frameworks/base/74_0074-Check-more-URIs-in-notifications.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
From 26c99b6c7f20f9eae943358e09732441341d166b Mon Sep 17 00:00:00 2001 | ||
From: Ioana Alexandru <[email protected]> | ||
Date: Wed, 31 Jul 2024 13:46:30 +0000 | ||
Subject: [PATCH] Check more URIs in notifications | ||
|
||
Bug: 281044385 | ||
Test: presubmit + tested in current release | ||
|
||
(cherry picked from commit f47b41a138ebd60f7b518fb6a9d8aa8230488422, | ||
includes changes from commit 57bf60dd7b6a0a0e9785231f8ec25a458fedde64 | ||
and commit 47fa2f79584b0a4e9ca7e9c6b237c4e5cf699032) | ||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b50af4f855899a63a6b85c5cbfbde8e8236a933e) | ||
Merged-In: I1ce6bebd9452466d005505dc5b99a0fdc0e05e80 | ||
Change-Id: I1ce6bebd9452466d005505dc5b99a0fdc0e05e80 | ||
--- | ||
core/java/android/app/Person.java | 3 +++ | ||
core/java/android/widget/RemoteViews.java | 24 +++++++++++++++++++++++ | ||
2 files changed, 27 insertions(+) | ||
|
||
diff --git a/core/java/android/app/Person.java b/core/java/android/app/Person.java | ||
index 18fc0ce6af15..c7432c571e43 100644 | ||
--- a/core/java/android/app/Person.java | ||
+++ b/core/java/android/app/Person.java | ||
@@ -189,6 +189,9 @@ public final class Person implements Parcelable { | ||
*/ | ||
public void visitUris(@NonNull Consumer<Uri> visitor) { | ||
visitor.accept(getIconUri()); | ||
+ if (mUri != null && !mUri.isEmpty()) { | ||
+ visitor.accept(Uri.parse(mUri)); | ||
+ } | ||
} | ||
|
||
/** Builder for the immutable {@link Person} class. */ | ||
diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java | ||
index a740b651142d..6ba08f4f1b97 100644 | ||
--- a/core/java/android/widget/RemoteViews.java | ||
+++ b/core/java/android/widget/RemoteViews.java | ||
@@ -1084,6 +1084,13 @@ public class RemoteViews implements Parcelable, Filter { | ||
return SET_REMOTE_VIEW_ADAPTER_LIST_TAG; | ||
} | ||
|
||
+ @Override | ||
+ public void visitUris(@NonNull Consumer<Uri> visitor) { | ||
+ for (RemoteViews remoteViews : list) { | ||
+ remoteViews.visitUris(visitor); | ||
+ } | ||
+ } | ||
+ | ||
@Override | ||
public String getUniqueKey() { | ||
return (SET_REMOTE_ADAPTER_TAG + "_" + viewId); | ||
@@ -1287,6 +1294,14 @@ public class RemoteViews implements Parcelable, Filter { | ||
return SET_REMOTE_COLLECTION_ITEMS_ADAPTER_TAG; | ||
} | ||
|
||
+ @Override | ||
+ public void visitUris(@NonNull Consumer<Uri> visitor) { | ||
+ RemoteCollectionItems items = getCollectionItemsFromFuture(mItemsFuture); | ||
+ if (items != null) { | ||
+ items.visitUris(visitor); | ||
+ } | ||
+ } | ||
+ | ||
@Override | ||
public String getUniqueKey() { | ||
return (SET_REMOTE_ADAPTER_TAG + "_" + viewId); | ||
@@ -7275,6 +7290,15 @@ public class RemoteViews implements Parcelable, Filter { | ||
Math.max(mViewTypeCount, 1)); | ||
} | ||
} | ||
+ | ||
+ /** | ||
+ * See {@link RemoteViews#visitUris(Consumer)}. | ||
+ */ | ||
+ private void visitUris(@NonNull Consumer<Uri> visitor) { | ||
+ for (RemoteViews view : mViews) { | ||
+ view.visitUris(visitor); | ||
+ } | ||
+ } | ||
} | ||
|
||
/** | ||
-- | ||
2.34.1 | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
From 0e6a688eace12df1a8d890c541bd35aa15715025 Mon Sep 17 00:00:00 2001 | ||
From a35198900d41c23431195758b25623a21c1c24c5 Mon Sep 17 00:00:00 2001 | ||
From: Ben Murdoch <[email protected]> | ||
Date: Fri, 30 Aug 2024 17:22:59 +0000 | ||
Subject: [PATCH] RESTRICT AUTOMERGE Clear app-provided shortcut icons | ||
|
@@ -14,8 +14,9 @@ Merged-In: If7e291eb2254c3cbec23673c65e7477e6ad45b09 | |
Change-Id: If7e291eb2254c3cbec23673c65e7477e6ad45b09 | ||
--- | ||
core/java/android/view/KeyboardShortcutInfo.java | 13 +++++++++++-- | ||
.../statusbar/KeyboardShortcutListSearch.java | 1 + | ||
.../systemui/statusbar/KeyboardShortcuts.java | 8 ++++++++ | ||
2 files changed, 19 insertions(+), 2 deletions(-) | ||
3 files changed, 20 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/core/java/android/view/KeyboardShortcutInfo.java b/core/java/android/view/KeyboardShortcutInfo.java | ||
index 118b03ce5504..3a79e5b13a8b 100644 | ||
|
@@ -53,6 +54,18 @@ index 118b03ce5504..3a79e5b13a8b 100644 | |
-} | ||
\ No newline at end of file | ||
+} | ||
diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcutListSearch.java b/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcutListSearch.java | ||
index ec66e994b58a..e82cd93c8c18 100644 | ||
--- a/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcutListSearch.java | ||
+++ b/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcutListSearch.java | ||
@@ -429,6 +429,7 @@ public final class KeyboardShortcutListSearch { | ||
if (result.isEmpty()) { | ||
mKeySearchResultMap.put(SHORTCUT_SPECIFICAPP_INDEX, false); | ||
} else { | ||
+ KeyboardShortcuts.sanitiseShortcuts(result); | ||
mSpecificAppGroup.addAll(reMapToKeyboardShortcutMultiMappingGroup(result)); | ||
mKeySearchResultMap.put(SHORTCUT_SPECIFICAPP_INDEX, true); | ||
} | ||
diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java b/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java | ||
index a3fd82e9b140..d4b8c0f228b9 100644 | ||
--- a/packages/SystemUI/src/com/android/systemui/statusbar/KeyboardShortcuts.java | ||
|
130 changes: 130 additions & 0 deletions
130
...eliminary/frameworks/base/79_0079-Block-clipboard-UI-when-device-is-locked.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,130 @@ | ||
From 70eb75df7d342429c3ee225feb7c011df727442f Mon Sep 17 00:00:00 2001 | ||
From: Miranda Kephart <[email protected]> | ||
Date: Fri, 16 Feb 2024 10:14:15 -0500 | ||
Subject: [PATCH] Block clipboard UI when device is locked | ||
|
||
In some situations (see bug for details) it's possible to enter the | ||
clipboard even while the device is locked, and from there access the | ||
provided intents. Users should not be able to access intents from this | ||
state; this change adds an additional check before showing the interactive UI. | ||
|
||
The behavior is identical to what we do when user setup is not complete | ||
(b/251778420): we show a toast to note that content has been copied, but no interactive UI. | ||
|
||
Interactive UI is only blocked when device is locked (i.e. requiring pin | ||
entry/password/biometric/etc), not if the keyguard is up but trivially | ||
dismissable. | ||
|
||
Bug: 317048495 | ||
Test: atest ClipboardListenerTest; verification using steps in linked | ||
bug as well as forcing text content to appear client-side, to verify | ||
that even if text content is received in the ClipboardListener, no | ||
interactive UI appears. | ||
|
||
(cherry picked from commit 2976ca86d5c5be558191a1fe706d4cd0d7ccdecb) | ||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c9adc41c71a604da29fe01be79f4172473dfe1c6) | ||
Merged-In: I1a48cbe64852dce3fba69915ca11dad8878f66eb | ||
Change-Id: I1a48cbe64852dce3fba69915ca11dad8878f66eb | ||
--- | ||
.../clipboardoverlay/ClipboardListener.java | 8 +++++++- | ||
.../ClipboardListenerTest.java | 18 +++++++++++++++++- | ||
2 files changed, 24 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java b/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java | ||
index 63b4288ce055..f0a980e0a30c 100644 | ||
--- a/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java | ||
+++ b/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java | ||
@@ -24,6 +24,7 @@ import static com.android.systemui.clipboardoverlay.ClipboardOverlayEvent.CLIPBO | ||
|
||
import static com.google.android.setupcompat.util.WizardManagerHelper.SETTINGS_SECURE_USER_SETUP_COMPLETE; | ||
|
||
+import android.app.KeyguardManager; | ||
import android.content.ClipData; | ||
import android.content.ClipboardManager; | ||
import android.content.Context; | ||
@@ -57,6 +58,7 @@ public class ClipboardListener implements | ||
private final Provider<ClipboardOverlayController> mOverlayProvider; | ||
private final ClipboardToast mClipboardToast; | ||
private final ClipboardManager mClipboardManager; | ||
+ private final KeyguardManager mKeyguardManager; | ||
private final UiEventLogger mUiEventLogger; | ||
private ClipboardOverlay mClipboardOverlay; | ||
|
||
@@ -65,11 +67,13 @@ public class ClipboardListener implements | ||
Provider<ClipboardOverlayController> clipboardOverlayControllerProvider, | ||
ClipboardToast clipboardToast, | ||
ClipboardManager clipboardManager, | ||
+ KeyguardManager keyguardManager, | ||
UiEventLogger uiEventLogger) { | ||
mContext = context; | ||
mOverlayProvider = clipboardOverlayControllerProvider; | ||
mClipboardToast = clipboardToast; | ||
mClipboardManager = clipboardManager; | ||
+ mKeyguardManager = keyguardManager; | ||
mUiEventLogger = uiEventLogger; | ||
} | ||
|
||
@@ -92,7 +96,9 @@ public class ClipboardListener implements | ||
return; | ||
} | ||
|
||
- if (!isUserSetupComplete() // user should not access intents from this state | ||
+ // user should not access intents before setup or while device is locked | ||
+ if (mKeyguardManager.isDeviceLocked() | ||
+ || !isUserSetupComplete() | ||
|| clipData == null // shouldn't happen, but just in case | ||
|| clipData.getItemCount() == 0) { | ||
if (shouldShowToast(clipData)) { | ||
diff --git a/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java b/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java | ||
index 18515825967f..9d02c86cfa7a 100644 | ||
--- a/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java | ||
+++ b/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java | ||
@@ -27,6 +27,7 @@ import static org.mockito.Mockito.verify; | ||
import static org.mockito.Mockito.verifyZeroInteractions; | ||
import static org.mockito.Mockito.when; | ||
|
||
+import android.app.KeyguardManager; | ||
import android.content.ClipData; | ||
import android.content.ClipDescription; | ||
import android.content.ClipboardManager; | ||
@@ -59,6 +60,8 @@ public class ClipboardListenerTest extends SysuiTestCase { | ||
@Mock | ||
private ClipboardManager mClipboardManager; | ||
@Mock | ||
+ private KeyguardManager mKeyguardManager; | ||
+ @Mock | ||
private ClipboardOverlayController mOverlayController; | ||
@Mock | ||
private ClipboardToast mClipboardToast; | ||
@@ -96,7 +99,7 @@ public class ClipboardListenerTest extends SysuiTestCase { | ||
when(mClipboardManager.getPrimaryClipSource()).thenReturn(mSampleSource); | ||
|
||
mClipboardListener = new ClipboardListener(getContext(), mOverlayControllerProvider, | ||
- mClipboardToast, mClipboardManager, mUiEventLogger); | ||
+ mClipboardToast, mClipboardManager, mKeyguardManager, mUiEventLogger); | ||
} | ||
|
||
|
||
@@ -190,6 +193,19 @@ public class ClipboardListenerTest extends SysuiTestCase { | ||
verifyZeroInteractions(mOverlayControllerProvider); | ||
} | ||
|
||
+ @Test | ||
+ public void test_deviceLocked_showsToast() { | ||
+ when(mKeyguardManager.isDeviceLocked()).thenReturn(true); | ||
+ | ||
+ mClipboardListener.start(); | ||
+ mClipboardListener.onPrimaryClipChanged(); | ||
+ | ||
+ verify(mUiEventLogger, times(1)).log( | ||
+ ClipboardOverlayEvent.CLIPBOARD_TOAST_SHOWN, 0, mSampleSource); | ||
+ verify(mClipboardToast, times(1)).showCopiedToast(); | ||
+ verifyZeroInteractions(mOverlayControllerProvider); | ||
+ } | ||
+ | ||
@Test | ||
public void test_nullClipData_showsNothing() { | ||
when(mClipboardManager.getPrimaryClip()).thenReturn(null); | ||
-- | ||
2.46.1.824.gd892dcdcdd-goog | ||
|
Oops, something went wrong.