ASB DEC 2024 Security Patches integration

Integrating Google Android Security Bulletin Patches Test done: STS r33 TCs Passed. Tracked-On: OAM-127559 Signed-off-by: Alam, Sahibex <[email protected]>
projectceladon · Dec 3, 2024 · a0cdf61 · a0cdf61
1 parent 327b1d4
commit a0cdf61
Show file tree

Hide file tree

Showing 11 changed files with 631 additions and 1 deletion.
diff --git a/aosp_diff/preliminary/build/make/0004-Update-security_patch_level-string.patch b/aosp_diff/preliminary/build/make/0004-Update-security_patch_level-string.patch
@@ -20,7 +20,7 @@ index 419ff1aadc..fbbe777754 100644
      #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
      #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
 -    PLATFORM_SECURITY_PATCH := 2023-05-05
-+    PLATFORM_SECURITY_PATCH := 2024-11-01
++    PLATFORM_SECURITY_PATCH := 2024-12-01
  endif
 
  include $(BUILD_SYSTEM)/version_util.mk

diff --git a/aosp_diff/preliminary/external/skia/0003-pdf-Bounds-check-in-skia_alloc_func.bulletin.patch b/aosp_diff/preliminary/external/skia/0003-pdf-Bounds-check-in-skia_alloc_func.bulletin.patch
@@ -0,0 +1,51 @@
+From b4074e64320ec578fc4dd9b77e7337956a536499 Mon Sep 17 00:00:00 2001
+From: Ben Wagner <[email protected]>
+Date: Mon, 12 Aug 2024 15:00:08 -0400
+Subject: [PATCH] [pdf] Bounds check in skia_alloc_func
+
+The allocator callback for zlib needs to check that items * size will
+fit in size_t and return nullptr if not.
+
+Conflicts:
+- src/pdf/SkDeflate.cpp: just in header includes
+
+Bug: 349678452
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/888996
+Commit-Queue: Ben Wagner <[email protected]>
+Reviewed-by: Brian Osman <[email protected]>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df6f7f55b7865e54979f6f272082deafbb344e9d)
+Merged-In: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+Change-Id: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+---
+ src/pdf/SkDeflate.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/pdf/SkDeflate.cpp b/src/pdf/SkDeflate.cpp
+index a8bd667cc0..f243f94b40 100644
+--- a/src/pdf/SkDeflate.cpp
++++ b/src/pdf/SkDeflate.cpp
+@@ -9,6 +9,7 @@
+
+ #include "include/core/SkData.h"
+ #include "include/private/SkMalloc.h"
++#include "include/private/SkTFitsIn.h"
+ #include "include/private/SkTo.h"
+ #include "src/core/SkTraceEvent.h"
+
+@@ -21,6 +22,13 @@ namespace {
+ // Different zlib implementations use different T.
+ // We've seen size_t and unsigned.
+ template <typename T> void* skia_alloc_func(void*, T items, T size) {
++    if (!SkTFitsIn<size_t>(size)) {
++        return nullptr;
++    }
++    const size_t maxItems = SIZE_MAX / size;
++    if (maxItems < items) {
++        return nullptr;
++    }
+     return sk_calloc_throw(SkToSizeT(items) * SkToSizeT(size));
+ }
+
+-- 
+2.46.1.824.gd892dcdcdd-goog
+
diff --git a/.../skia/0004-RESTRICT-AUTOMERGE-Check-for-size-overflow-before-allocating-Sk.bulletin.patch b/.../skia/0004-RESTRICT-AUTOMERGE-Check-for-size-overflow-before-allocating-Sk.bulletin.patch
@@ -0,0 +1,38 @@
+From bd07426afd00013a3b250e77d1d159f1a3c359f1 Mon Sep 17 00:00:00 2001
+From: Brian Osman <[email protected]>
+Date: Thu, 29 Aug 2024 12:47:48 -0400
+Subject: [PATCH] RESTRICT AUTOMERGE: Check for size overflow before allocating
+ SkMask data
+
+Bug: 352631932
+Test: N/A -- not reproducible / speculative fix
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894478
+Commit-Queue: Ben Wagner <[email protected]>
+Reviewed-by: Ben Wagner <[email protected]>
+Auto-Submit: Brian Osman <[email protected]>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fa94ff39bee75fe3a4abf061c09b972e2ffd0fa)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbf6a5953623cdb0ef200bcba00bc43986b16c91)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a2379d6b603277bf735fd111e86bfdafcb40702a)
+Merged-In: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+Change-Id: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+---
+ src/core/SkBlurMF.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/core/SkBlurMF.cpp b/src/core/SkBlurMF.cpp
+index 54216973bb..5c3b94b4af 100644
+--- a/src/core/SkBlurMF.cpp
++++ b/src/core/SkBlurMF.cpp
+@@ -178,6 +178,9 @@ static bool prepare_to_draw_into_mask(const SkRect& bounds, SkMask* mask) {
+     mask->fRowBytes = SkAlign4(mask->fBounds.width());
+     mask->fFormat = SkMask::kA8_Format;
+     const size_t size = mask->computeImageSize();
++    if (size == 0) {
++        return false;
++    }
+     mask->fImage = SkMask::AllocImage(size, SkMask::kZeroInit_Alloc);
+     if (nullptr == mask->fImage) {
+         return false;
+-- 
+2.46.1.824.gd892dcdcdd-goog
+
diff --git a/...ry/external/skia/0005-Prevent-overflow-when-growing-an-SkRegion-s-RunArray.bulletin.patch b/...ry/external/skia/0005-Prevent-overflow-when-growing-an-SkRegion-s-RunArray.bulletin.patch
@@ -0,0 +1,38 @@
+From bd7fc111d3cd10e3af122276e6669019753afbe9 Mon Sep 17 00:00:00 2001
+From: Brian Osman <[email protected]>
+Date: Thu, 29 Aug 2024 11:52:35 -0400
+Subject: [PATCH] Prevent overflow when growing an SkRegion's RunArray
+
+Bug: 350118416
+Test: N/A -- speculative issue without repro case
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894836
+Reviewed-by: Robert Phillips <[email protected]>
+Commit-Queue: Brian Osman <[email protected]>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85802e6d648a7831a26cc856fa5e33da94ed23f0)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3300434c1b9b172c7ba370dbee98f58f0d5d8ee3)
+Merged-In: Iea27fe62ef97deb8a75e8dae276657d809223b57
+Change-Id: Iea27fe62ef97deb8a75e8dae276657d809223b57
+---
+ src/core/SkRegion.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
+index 86c38bd5d9..b1ec9f4df8 100644
+--- a/src/core/SkRegion.cpp
++++ b/src/core/SkRegion.cpp
+@@ -52,8 +52,10 @@ public:
+     /** Resize the array to a size greater-than-or-equal-to count. */
+     void resizeToAtLeast(int count) {
+         if (count > fCount) {
+-            // leave at least 50% extra space for future growth.
+-            count += count >> 1;
++            // leave at least 50% extra space for future growth (unless adding would overflow)
++            SkSafeMath safe;
++            int newCount = safe.addInt(count, count >> 1);
++            count = safe ? newCount : SK_MaxS32;
+             fMalloc.realloc(count);
+             if (fPtr == fStack) {
+                 memcpy(fMalloc.get(), fStack, fCount * sizeof(SkRegionPriv::RunType));
+-- 
+2.46.1.824.gd892dcdcdd-goog
+
diff --git a/aosp_diff/preliminary/frameworks/base/99_0224-Block-clipboard-UI-when-device-is-locked.patch b/aosp_diff/preliminary/frameworks/base/99_0224-Block-clipboard-UI-when-device-is-locked.patch
@@ -0,0 +1,160 @@
+From f04947dde53d7b7c0022cfa69f10282ca5275ac1 Mon Sep 17 00:00:00 2001
+From: Miranda Kephart <[email protected]>
+Date: Fri, 16 Feb 2024 10:14:15 -0500
+Subject: [PATCH] Block clipboard UI when device is locked
+
+In some situations (see bug for details) it's possible to enter the
+clipboard even while the device is locked, and from there access the
+provided intents. Users should not be able to access intents from this
+state; this change adds an additional check before showing the interactive UI.
+
+The behavior is identical to what we do when user setup is not complete
+(b/251778420): we show a toast to note that content has been copied, but no interactive UI.
+
+Interactive UI is only blocked when device is locked (i.e. requiring pin
+entry/password/biometric/etc), not if the keyguard is up but trivially
+dismissable.
+
+Bug: 317048495
+Test: atest ClipboardListenerTest; verification using steps in linked
+bug as well as forcing text content to appear client-side, to verify
+that even if text content is received in the ClipboardListener, no
+interactive UI appears.
+
+(cherry picked from commit 2976ca86d5c5be558191a1fe706d4cd0d7ccdecb)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b9ffec803b31f1b57756105c9fbfd0cb672fcfde)
+Merged-In: I1a48cbe64852dce3fba69915ca11dad8878f66eb
+Change-Id: I1a48cbe64852dce3fba69915ca11dad8878f66eb
+---
+ .../clipboardoverlay/ClipboardListener.java   | 11 ++++-
+ .../ClipboardListenerTest.java                | 45 ++++++++++++++++++-
+ 2 files changed, 53 insertions(+), 3 deletions(-)
+
+diff --git a/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java b/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java
+index 805a20a6d965..0a6f9554e059 100644
+--- a/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java
++++ b/packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java
+@@ -25,6 +25,7 @@ import static com.android.systemui.clipboardoverlay.ClipboardOverlayEvent.CLIPBO
+
+ import static com.google.android.setupcompat.util.WizardManagerHelper.SETTINGS_SECURE_USER_SETUP_COMPLETE;
+
++import android.app.KeyguardManager;
+ import android.content.ClipData;
+ import android.content.ClipboardManager;
+ import android.content.Context;
+@@ -64,6 +65,7 @@ public class ClipboardListener implements
+     private final ClipboardOverlayControllerLegacyFactory mOverlayFactory;
+     private final ClipboardToast mClipboardToast;
+     private final ClipboardManager mClipboardManager;
++    private final KeyguardManager mKeyguardManager;
+     private final UiEventLogger mUiEventLogger;
+     private final FeatureFlags mFeatureFlags;
+     private boolean mUsingNewOverlay;
+@@ -75,6 +77,7 @@ public class ClipboardListener implements
+             ClipboardOverlayControllerLegacyFactory overlayFactory,
+             ClipboardToast clipboardToast,
+             ClipboardManager clipboardManager,
++	    KeyguardManager keyguardManager,
+             UiEventLogger uiEventLogger,
+             FeatureFlags featureFlags) {
+         mContext = context;
+@@ -83,6 +86,7 @@ public class ClipboardListener implements
+         mOverlayFactory = overlayFactory;
+         mClipboardToast = clipboardToast;
+         mClipboardManager = clipboardManager;
++	mKeyguardManager = keyguardManager;
+         mUiEventLogger = uiEventLogger;
+         mFeatureFlags = featureFlags;
+
+@@ -111,8 +115,11 @@ public class ClipboardListener implements
+             return;
+         }
+
+-        if (!isUserSetupComplete()) {
+-            // just show a toast, user should not access intents from this state
++        // user should not access intents before setup or while device is locked
++        if (mKeyguardManager.isDeviceLocked()
++                || !isUserSetupComplete()
++                || clipData == null // shouldn't happen, but just in case
++                || clipData.getItemCount() == 0) {
+             if (shouldShowToast(clipData)) {
+                 mUiEventLogger.log(CLIPBOARD_TOAST_SHOWN, 0, clipSource);
+                 mClipboardToast.showCopiedToast();
+diff --git a/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java b/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java
+index bdd496ec219b..7f625e66b57c 100644
+--- a/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java
++++ b/packages/SystemUI/tests/src/com/android/systemui/clipboardoverlay/ClipboardListenerTest.java
+@@ -29,6 +29,7 @@ import static org.mockito.Mockito.verify;
+ import static org.mockito.Mockito.verifyZeroInteractions;
+ import static org.mockito.Mockito.when;
+
++import android.app.KeyguardManager;
+ import android.content.ClipData;
+ import android.content.ClipDescription;
+ import android.content.ClipboardManager;
+@@ -67,6 +68,8 @@ public class ClipboardListenerTest extends SysuiTestCase {
+     @Mock
+     private ClipboardOverlayControllerLegacy mOverlayControllerLegacy;
+     @Mock
++    private KeyguardManager mKeyguardManager;
++    @Mock
+     private ClipboardOverlayController mOverlayController;
+     @Mock
+     private ClipboardToast mClipboardToast;
+@@ -112,7 +115,7 @@ public class ClipboardListenerTest extends SysuiTestCase {
+
+         mClipboardListener = new ClipboardListener(getContext(), mDeviceConfigProxy,
+                 mOverlayControllerProvider, mClipboardOverlayControllerLegacyFactory,
+-                mClipboardToast, mClipboardManager, mUiEventLogger, mFeatureFlags);
++                mClipboardToast, mClipboardManager, mKeyguardManager, mUiEventLogger, mFeatureFlags);
+     }
+
+     @Test
+@@ -273,4 +276,44 @@ public class ClipboardListenerTest extends SysuiTestCase {
+         verifyZeroInteractions(mOverlayControllerProvider);
+         verifyZeroInteractions(mClipboardOverlayControllerLegacyFactory);
+     }
++
++    @Test
++    public void test_deviceLocked_showsToast() {
++        when(mKeyguardManager.isDeviceLocked()).thenReturn(true);
++
++        mClipboardListener.start();
++        mClipboardListener.onPrimaryClipChanged();
++
++        verify(mUiEventLogger, times(1)).log(
++                ClipboardOverlayEvent.CLIPBOARD_TOAST_SHOWN, 0, mSampleSource);
++        verify(mClipboardToast, times(1)).showCopiedToast();
++        verifyZeroInteractions(mClipboardOverlayControllerFactory);
++    }
++
++    @Test
++    public void test_nullClipData_showsNothing() {
++        when(mClipboardManager.getPrimaryClip()).thenReturn(null);
++
++        mClipboardListener.start();
++        mClipboardListener.onPrimaryClipChanged();
++
++        verifyZeroInteractions(mUiEventLogger);
++        verifyZeroInteractions(mClipboardToast);
++        verifyZeroInteractions(mClipboardOverlayControllerFactory);
++    }
++
++    @Test
++    public void test_emptyClipData_showsToast() {
++        ClipDescription description = new ClipDescription("Test", new String[0]);
++        ClipData noItems = new ClipData(description, new ArrayList<>());
++        when(mClipboardManager.getPrimaryClip()).thenReturn(noItems);
++
++        mClipboardListener.start();
++        mClipboardListener.onPrimaryClipChanged();
++
++        verify(mUiEventLogger, times(1)).log(
++                ClipboardOverlayEvent.CLIPBOARD_TOAST_SHOWN, 0, mSampleSource);
++        verify(mClipboardToast, times(1)).showCopiedToast();
++        verifyZeroInteractions(mClipboardOverlayControllerFactory);
++    }
+ }
+-- 
+2.34.1
+
diff --git a/...rameworks/base/99_0225-Properly-handle-onNullBinding-in-appwidget-service-.bulletin.patch b/...rameworks/base/99_0225-Properly-handle-onNullBinding-in-appwidget-service-.bulletin.patch
@@ -0,0 +1,63 @@
+From 20209e9c324fd8498273eee074217eb239d3aae8 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <[email protected]>
+Date: Thu, 29 Aug 2024 17:01:55 +0000
+Subject: [PATCH] Properly handle onNullBinding() in appwidget service.
+
+Bug: 340239088
+Test: manually verified with the PoC app
+Flag: EXEMPT CVE
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9e1c31ba46178a8cfc68a2dd9984b8223f694c81)
+Merged-In: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+Change-Id: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+---
+ core/java/android/widget/RemoteViewsAdapter.java       |  5 +++++
+ .../android/server/appwidget/AppWidgetServiceImpl.java | 10 ++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/core/java/android/widget/RemoteViewsAdapter.java b/core/java/android/widget/RemoteViewsAdapter.java
+index 8e293f4b356d..f8bffa7a842e 100644
+--- a/core/java/android/widget/RemoteViewsAdapter.java
++++ b/core/java/android/widget/RemoteViewsAdapter.java
+@@ -240,6 +240,11 @@ public class RemoteViewsAdapter extends BaseAdapter implements Handler.Callback
+             }
+         }
+
++        @Override
++        public void onNullBinding(ComponentName name) {
++            enqueueDeferredUnbindServiceMessage();
++        }
++
+         @Override
+         public void handleMessage(Message msg) {
+             RemoteViewsAdapter adapter = mAdapter.get();
+diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+index 7ad4e0ad59de..4a7f378b2f43 100644
+--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
++++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+@@ -1798,6 +1798,11 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+                 mContext.unbindService(this);
+             }
+
++            @Override
++            public void onNullBinding(ComponentName name) {
++                mContext.unbindService(this);
++            }
++
+             @Override
+             public void onServiceDisconnected(ComponentName name) {
+                 // Do nothing
+@@ -1938,6 +1943,11 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+                                 mContext.unbindService(this);
+                             }
+
++                            @Override
++                            public void onNullBinding(ComponentName name) {
++                                mContext.unbindService(this);
++                            }
++
+                             @Override
+                             public void onServiceDisconnected(android.content.ComponentName name) {
+                                 // Do nothing
+-- 
+2.46.1.824.gd892dcdcdd-goog
+