November patches #16

Status: Open; wants to merge 42 commits into base: 12.1

OhMyVenyx: No description provided.

Aseem Kumar and others added 30 commits November 13, 2022 14:00
Move accountname and typeName length check from Account.java to AccountManagerService.

Bug: 169762606
Test: atest AccountManagerServiceTest
Change-Id: I80fabf3a64c55837db98ff316e7e5420129c001b
(cherry picked from commit 0adcadb)
(cherry picked from commit c48f540)
Merged-In: I80fabf3a64c55837db98ff316e7e5420129c001b
It was shown that given large phoneAccountHandles that are
over 1 mb, a TransactionTooLarge exception can be silently thrown
causing an empty list to be returned.

In order to prevent this behavior, all Lists that return a
PhoneAccountHandle or PhoneAccount have been switched to
ParceledListSlice.

bug: 236263294
Test: atest android.telecom.cts.PhoneAccountRegistrarTest
             #testRegisterPhoneAccountHandleWithFieldOverLimit
Change-Id: I025245b2a6f8cfaca86f268851a9d8f0817e07dd
Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd
(cherry picked from commit d54a48f)
Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd
…when navigateUpTo

The new Intent was delivered to a non-exported activity while
#navigateUpTo was called from an Activity of a different uid.

Bug: 238605611
Test: atest StartActivityTests
Change-Id: I854dd825bfd9a2c08851980d480d1f3a177af6cf
Merged-In: I854dd825bfd9a2c08851980d480d1f3a177af6cf
(cherry picked from commit 89ebc8c)
Merged-In: I854dd825bfd9a2c08851980d480d1f3a177af6cf
Bug: 237540408
Test: BuzzBeepBlinkTest#testA11yCrossUserEventNotSent
Change-Id: I62a875e26e214847ec72ce3c41b4f2fa8e597e07
(cherry picked from commit a367c0a)
Merged-In: I62a875e26e214847ec72ce3c41b4f2fa8e597e07
…rading from pre-Q

Test: Manually install app apks targeting Q and verifying that AR permission is not auto-granted
Test: atest ActivityRecognitionPermissionTest
Bug: 210065877
Change-Id: I5b2f25218fcbb34a940dfa2ff722cc6595732cfa
(cherry picked from commit 23aac9c)
Merged-In: I5b2f25218fcbb34a940dfa2ff722cc6595732cfa
instead of checking that of the configuration activity, which is potentially spoofable. The package name is verified to be the same app as the caller by NMS.

This change removes isSystemRule (called only once) in favor of checking the provided package name directly.

Bug: 242537431
Test: ZenModeHelperTest, manual by verifying via provided exploit apk
Change-Id: Ic7f350618c26a613df455a4128c9195f4b424a4d
(cherry picked from commit 59732d6)
Merged-In: Ic7f350618c26a613df455a4128c9195f4b424a4d
This change both prevents any rules from being unable to be written to disk and also avoids risk of running out of memory while handling all the zen rules.

Bug: 242703460
Bug: 242703505
Bug: 242703780
Bug: 242704043
Bug: 243794204
Test: cts AutomaticZenRuleTest; atest android.app.AutomaticZenRuleTest; manually confirmed each exploit example either saves the rule successfully with a truncated string (in the case of name & conditionId) or may fail to save the rule at all (if the owner/configactivity is invalid). Additionally ran the memory-exhausting PoC without device crashes.

Change-Id: I110172a43f28528dd274b3b346eb29c3796ff2c6
Merged-In: I110172a43f28528dd274b3b346eb29c3796ff2c6
(cherry picked from commit de172ba)
(cherry picked from commit 19bc2c3)
Merged-In: I110172a43f28528dd274b3b346eb29c3796ff2c6
Previously were unable to add new zen rules because rules added via the settings pages were getting registered under package "com.android.settings", which then were not considered "system rules". These rules should have package android, so when we can trust the caller (via checking that the caller is system) we should be taking the package name from the owner of the rule.

Bug: 245236706
Bug: 242537431
Test: NMSTest; manual

Change-Id: Id69b671592396ac3304862dadbe73de328a8e27a
Merged-In: Id69b671592396ac3304862dadbe73de328a8e27a
(cherry picked from commit 7824556)
Merged-In: Id69b671592396ac3304862dadbe73de328a8e27a
Bug: 211029161
Bug: 210118427
Test: atest android.content.cts.ContextWrapperTest#testSendBroadcastRequireNoneOfPermissions_receiverHasExcludedPermissions
Merged-In: Ib4fafe2423c7ded1daf1b763f8103601c0e2c852
Change-Id: Ib4fafe2423c7ded1daf1b763f8103601c0e2c852
(cherry picked from commit 0eee4fa)
Merged-In: Ib4fafe2423c7ded1daf1b763f8103601c0e2c852
Test: atest FrameworksUiServicesTests
Bug: 234441463
Change-Id: I005b43979d1c708fd505c8b33ae0c8cb03ddbb35
Merged-In: I005b43979d1c708fd505c8b33ae0c8cb03ddbb35
(cherry picked from commit 7c38394)
(cherry picked from commit bc808de)
Merged-In: I005b43979d1c708fd505c8b33ae0c8cb03ddbb35
This reverts commit 6c870e1.

Reason for revert: Regression, DELETE_SYSTEM_APP flag no longer works

Change-Id: Id3eb9e08a5404e88c39235d0d47337ed41bc6139
Merged-In: I4e959e296cca9bbdfc8fccc5e5e0e654ca524165
(cherry picked from commit d9089fb)
Merged-In: Id3eb9e08a5404e88c39235d0d47337ed41bc6139
This reverts commit bfb1cd5.

Reason for revert: regression if multiple system crop handlers are present

Change-Id: I570c736ffbd55891bcb2e08110ee4111c5e88d59
Merged-In: Idf1ab60878d619ee30505d71e8afe31d8b0c0ebe
(cherry picked from commit 3cfba99)
Merged-In: I570c736ffbd55891bcb2e08110ee4111c5e88d59
This addresses a security issue where the guest user can remove updates
for system apps.

With this CL, attempts to uninstall/downgrade system apps will fail if
attempted by a non-admin user, unless the DELETE_SYSTEM_APP flag is
specified.

This is a fixed version of ag/17408864, to address b/236578018.

Bug: 170646036
Test: manual, try uninstalling system app update as guest
Merged-In: I4e959e296cca9bbdfc8fccc5e5e0e654ca524165
Change-Id: I6ecfef50294c9000a6ce539bdec6f372c872a40b
(cherry picked from commit fbfa268)
Merged-In: I6ecfef50294c9000a6ce539bdec6f372c872a40b
Test: android.app.NotificationChannelGroupTest
Test: android.app.NotificationChannelTest
Test: cts NotificationChannelTest
Test: cts NotificationChannelGroupTest
Bug: 241764350
Bug: 241764340
Bug: 241764135
Bug: 242702935
Bug: 242703118
Bug: 242703202
Bug: 242702851
Bug: 242703217
Bug: 242703556
Change-Id: I0925583ab54d6c81c415859618f6b907ab7baada
(cherry picked from commit 3850857)
(cherry picked from commit b664159)
Merged-In: I0925583ab54d6c81c415859618f6b907ab7baada
Bug: 243849844
Test: m sts;
      sts-tradefed run sts-dynamic-develop -m CtsAccessibilityTestCases
Change-Id: I4f93e06d1066085bd64e8f09882de2f4a72a0633
(cherry picked from commit 2bc4d49)
Merged-In: I4f93e06d1066085bd64e8f09882de2f4a72a0633
BUG: 242996180
Test: adb shell pm uninstall --user 0 com.google.android.apps.work.oobconfig
Test: Verified with the command above. Before this CL, the package can
be deleted. After this CL, the deletion will fail.

Change-Id: Iba408e536b340ea5d66ab499442c0c4f828fa36f
(cherry picked from commit 15f85c7)
Merged-In: Iba408e536b340ea5d66ab499442c0c4f828fa36f
(cherry picked from commit dba7ceb)
Merged-In: Iba408e536b340ea5d66ab499442c0c4f828fa36f
This app-generated input needs to not be too long to avoid errors in the process of writing to disk.

Bug: 242846316
Test: cts ConditionTest; atest ConditionTest; manually verified exploit apk is OK

Change-Id: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
Merged-In: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
(cherry picked from commit 81352c3)
(cherry picked from commit 7059638)
Merged-In: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
Test: NotificationChannelGroupTest
Test: view notification settings for an app that doesn't use groups
Fixes: 244574602
Bug: 241764350
Bug: 241764340
Bug: 241764135
Bug: 242702935
Bug: 242703118
Bug: 242703202
Bug: 242702851
Bug: 242703217
Bug: 242703556
Change-Id: I9c681106f6d645e62b0e44903d40aa523fee0e95
(cherry picked from commit 6f02c07)
Merged-In: I9c681106f6d645e62b0e44903d40aa523fee0e95
(cherry picked from commit e51c402)
Merged-In: I9c681106f6d645e62b0e44903d40aa523fee0e95
Bug: 234013191
Test: atest RemoteViewsAdapterTest
Change-Id: Icd2eccb7a90124aca18a3dd463c3f79e3a595c20
Merged-In: Icd2eccb7a90124aca18a3dd463c3f79e3a595c20
(cherry picked from commit 263d7d0)
(cherry picked from commit 0ee21ef)
Merged-In: Icd2eccb7a90124aca18a3dd463c3f79e3a595c20
…arenting is applied

Any malicious application could hijack tasks by
android:allowTaskReparenting. This vulnerability can perform UI
spoofing or spying on user’s activities.

This CL only allows activities to be reparented while
android:allowTaskReparenting is applied and the affinity of the activity
is the same as that of the target task.

Bug: 240663194
Test: atest IntentTests
Change-Id: I73abb9ec05af95bc14f887ae825a9ada9600f771
(cherry picked from commit 7af50c4)
Merged-In: I73abb9ec05af95bc14f887ae825a9ada9600f771
This will prevent bouncer interactions from showing up in
screenrecords or screenshots.

Fixes: 215005011
Test: atest NotificationShadeWindowControllerImpl && take screenshot
with bouncer up

Change-Id: I3f59df865dc2dd13d4b9ac54bb2dacb7b23f0aa1
Merged-In: I3f59df865dc2dd13d4b9ac54bb2dacb7b23f0aa1
(cherry picked from commit 6888543)
(cherry picked from commit 18ddad1)
Merged-In: I3f59df865dc2dd13d4b9ac54bb2dacb7b23f0aa1
This adds mitigations to prevent system files being exfiltrated
via the settings content provider when a content URI is provided
as a chosen user image.

The mitigations are:

1) Copy the image to a new URI rather than the existing takePictureUri
prior to cropping.

2) Only allow a system handler to respond to the CROP intent.

This is a fixed version of ag/17071224, to address b/239513606.

Bug: 187702830
Test: build and check functionality
Change-Id: Ie352d07bbcfc7e0b0a1db1dbe3fd43085e0ecbb6
Merged-In: Idf1ab60878d619ee30505d71e8afe31d8b0c0ebe
(cherry picked from commit 1b48ca6)
Merged-In: Ie352d07bbcfc7e0b0a1db1dbe3fd43085e0ecbb6
After an app publishes a shortcut that contains malformed intent, the
system can be stuck in boot-loop due to uncaught exception caused by
parsing the malformed intent.

This CL ignores that particular malformed entry. Since shortcuts are
constantly written back into the xml from system memory, the malformed
entry will be removed from the xml the next time the system persists
shortcuts from memory to the file system.

Bug: 246540168
Change-Id: Ibbfd0891eabdce72f76571798382fe949d8f453d
Test: manual
(cherry picked from commit 36338a3)
Merged-In: Ibbfd0891eabdce72f76571798382fe949d8f453d
Test: PreferencesHelperTest
Bug: 240422263
Change-Id: I8c12e3fc73e4a88842af275feaf2acffcced0402
(cherry picked from commit f528b33)
Merged-In: I8c12e3fc73e4a88842af275feaf2acffcced0402
(cherry picked from commit 36acdd6)
Merged-In: I8c12e3fc73e4a88842af275feaf2acffcced0402
…dSetting

Do not update invalid component enabled settings to prevent the
malicious apps from exhausting system server memory.

Bug: 240936919
Test: atest android.security.cts.PackageManagerTest
Change-Id: I08165337895e89f13a2b9fcce1201cba9ad13d7d
(cherry picked from commit 2447359)
Merged-In: I08165337895e89f13a2b9fcce1201cba9ad13d7d
For many years, Parcel mismatch typed exploits have been using the
AccountManagerService's passing of KEY_INTENT workflow as a foothold for
launching arbitrary intents. We are adding an extra check on the service
side to simulate the final deserialization of the KEY_INTENT value, to
make sure the client side won't get a mismatched KEY_INTENT value.

Bug: 250588548
Bug: 240138294
Test: atest CtsAccountManagerTestCases
Test: local test, also see b/250588548
Change-Id: I433e34f6e21ce15c89825044a15b1dec46bb25cc
(cherry picked from commit eb9a056)
Merged-In: I433e34f6e21ce15c89825044a15b1dec46bb25cc
This adds validation that the package name passed to
setApplicationRestrictions is in the correct format. This will avoid
an issue where a path could be entered resulting in a file being
written to an unexpected place.

Bug: 239701237
Test: atest UserManagerServiceTest
Change-Id: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
(cherry picked from commit 31a5824)
Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
(cherry picked from commit cfcfe6c)
(cherry picked from commit 91a821d2e4d80558cf39a6d728213d3df0826908)
Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
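
The package-name validation described in the commit message above, as an added Java example that is not part of the commit or of the AOSP source. The class name, the `res_` file prefix and the exact name pattern are assumptions; the pattern follows the manifest naming rule of dot-separated segments that start with a letter.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

/** Hypothetical helper: derives a per-package restrictions file name. */
public class RestrictionsFileName {
    // Assumed format: at least two dot-separated segments, each starting with a
    // letter and containing only letters, digits or underscores.
    private static final Pattern PACKAGE_NAME =
            Pattern.compile("[A-Za-z][A-Za-z0-9_]*(\\.[A-Za-z][A-Za-z0-9_]*)+");

    static boolean isValidPackageName(String name) {
        // matches() must consume the whole string, so '/', '\\' and ".." never pass.
        return name != null && PACKAGE_NAME.matcher(name).matches();
    }

    static File restrictionsFile(File baseDir, String packageName) throws IOException {
        // Validate before the name is ever joined into a path.
        if (!isValidPackageName(packageName)) {
            throw new IllegalArgumentException("Invalid package name");
        }
        File target = new File(baseDir, "res_" + packageName + ".xml");
        // Second check: the resolved file must sit directly inside baseDir.
        File parent = target.getCanonicalFile().getParentFile();
        if (!baseDir.getCanonicalFile().equals(parent)) {
            throw new SecurityException("Resolved path escapes " + baseDir);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"), "restrictions-demo");
        // Constructed sample inputs: one well-formed name, four malformed ones.
        String[] samples = {
            "com.example.app", "../../escape", "com.example/../x", "com..example", ""
        };
        for (String name : samples) {
            try {
                System.out.println("accepted: " + restrictionsFile(base, name).getName());
            } catch (IllegalArgumentException | SecurityException e) {
                System.out.println("rejected: \"" + name + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```
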
…me if caller is system"

This reverts commit 7824556.

Reason for revert: broke DND schedules in multi-user mode b/257477671

Change-Id: I8a244a6ad0457ef2679b5216f48611d4025b9983
(cherry picked from commit 7deb6e4)
Merged-In: I8a244a6ad0457ef2679b5216f48611d4025b9983
…tomaticRule"

This reverts commit 59732d6.

Reason for revert: broke DND schedules in multi-user mode b/257477671

Change-Id: I33dd64f8686e60db332361b6cde2955c33cff8d0
(cherry picked from commit 3bba7fb)
Merged-In: I33dd64f8686e60db332361b6cde2955c33cff8d0
Limit character length of MIME types to 255. If this length is exceeded
then an IllegalArgumentException is thrown. The number of MIME types that
can be set is also limited to 500 per MIME group with the number of
total MIME Groups also limited to 500. An IllegalStateException is thrown
if this number is exceeded.

Bug: 237291548
Test: Installed and ran POC app from b/237291548
Change-Id: I1d57e674f778cfacdc89225ac3273c432a39af63
Merged-In: I1d57e674f778cfacdc89225ac3273c432a39af63
(cherry picked from commit 3ae3406)
Merged-In: I1d57e674f778cfacdc89225ac3273c432a39af63
Daniel-Norman and others added 12 commits January 19, 2023 16:43
Previous logic would exit the loop after removing the first service
matching the uninstalled package.

Bug: 243378132
Test: atest AccessibilityEndToEndTest
Test: m sts;
      sts-tradefed run sts-dynamic-develop -m \
        CtsAccessibilityServiceTestCases
Change-Id: I4ba30345d8600674ee8a9ea3ff411aecbf3655a3
(cherry picked from commit e1f343a)
Merged-In: I4ba30345d8600674ee8a9ea3ff411aecbf3655a3
This change only applies to S branches and earlier.

Bug: 253085433
Bug: 242703460
Bug: 242703505
Bug: 242703780
Bug: 242704043
Bug: 243794204
Test: AutomaticZenRuleTest
Change-Id: Iae423d93b777df8946ecf1c3baf640fcf74990ec
Merged-In: Iae423d93b777df8946ecf1c3baf640fcf74990ec
(cherry picked from commit 7533d04)
Merged-In: Iae423d93b777df8946ecf1c3baf640fcf74990ec
…efore settings are updated

Previously, a setting is updated before the memory usage limit
check, which can be exploited by malicious apps and cause OoM DoS.

This CL changes the logic to checkMemLimit -> update -> updateMemUsage.

BUG: 239415861
Test: atest com.android.providers.settings.SettingsStateTest

(cherry picked from commit 8eeb929)
Merged-In: I20551a2dba9aa79efa0c064824f349f551c2c2e4
Change-Id: I20551a2dba9aa79efa0c064824f349f551c2c2e4
(cherry picked from commit 966b597)
Merged-In: I20551a2dba9aa79efa0c064824f349f551c2c2e4
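
The ordering change described in the commit message above (checkMemLimit -> update -> updateMemUsage), as an added Java example that is not the SettingsState code. The class, its methods and the 64-character budget are assumptions; it shows that with the old ordering a rejected value is still held in memory.

```java
import java.util.HashMap;
import java.util.Map;

/** Hypothetical per-package settings store (not the AOSP SettingsState class). */
public class QuotaStore {
    // Constructed demo budget, in characters per package (an assumption).
    static final int MAX_CHARS_PER_PACKAGE = 64;

    private final Map<String, String> values = new HashMap<>(); // "pkg/key" -> value
    private final Map<String, Integer> usage = new HashMap<>(); // pkg -> chars charged

    /** Usage the package would have if key were set to value. */
    private int projectedUsage(String pkg, String key, String value) {
        String old = values.get(pkg + "/" + key);
        int oldSize = (old == null) ? 0 : key.length() + old.length();
        return usage.getOrDefault(pkg, 0) - oldSize + key.length() + value.length();
    }

    /** Old ordering: update -> check. The rejected value is already stored. */
    public void putUpdateThenCheck(String pkg, String key, String value) {
        int projected = projectedUsage(pkg, key, value);
        values.put(pkg + "/" + key, value);
        if (projected > MAX_CHARS_PER_PACKAGE) {
            throw new IllegalStateException("over budget: " + pkg);
        }
        usage.put(pkg, projected);
    }

    /** Fixed ordering: checkMemLimit -> update -> updateMemUsage. */
    public void putCheckThenUpdate(String pkg, String key, String value) {
        int projected = projectedUsage(pkg, key, value);
        if (projected > MAX_CHARS_PER_PACKAGE) {
            throw new IllegalStateException("over budget: " + pkg);
        }
        values.put(pkg + "/" + key, value);
        usage.put(pkg, projected);
    }

    /** Characters actually held in memory, regardless of what was charged. */
    public int retainedChars() {
        int total = 0;
        for (String v : values.values()) total += v.length();
        return total;
    }

    public static void main(String[] args) {
        String oversized = "x".repeat(1000); // constructed input, needs Java 11+
        QuotaStore before = new QuotaStore();
        QuotaStore after = new QuotaStore();
        try { before.putUpdateThenCheck("com.example.app", "k", oversized); }
        catch (IllegalStateException e) { /* caller sees a rejection */ }
        try { after.putCheckThenUpdate("com.example.app", "k", oversized); }
        catch (IllegalStateException e) { /* caller sees a rejection */ }
        System.out.println("update-then-check retained " + before.retainedChars());
        System.out.println("check-then-update retained " + after.retainedChars());
    }
}
```
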
- This was fixed in T in ag/16820166, but the original code was
  submitted in S.  This ensures that the caller of this method
  is either holding the ACCESS_SHORTCUTS permission or is the
  default launcher.

Bug: 229256049
Test: atest WMShellUnitTests

Change-Id: Ib233ad754a6c6e3c4e0d0e10ed788ab8e055cccc
Merged-In: Ib233ad754a6c6e3c4e0d0e10ed788ab8e055cccc
(cherry picked from commit f4ed441)
(cherry picked from commit b319280)
Merged-In: Ib233ad754a6c6e3c4e0d0e10ed788ab8e055cccc
Bug: 242537498
Test: manual
Change-Id: I15343e84c1802d6b89249106263319a6539fa73b
(cherry picked from commit 1d86c8b)
Merged-In: I15343e84c1802d6b89249106263319a6539fa73b
…ttings

Prior to targetSdk 22, apps could add random system settings keys which
opens an opportunity for OOM attacks. This CL adds a key size limit.

BUG: 239415997
Test: manual; will add cts test
Merged-In: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc
Change-Id: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc
(cherry picked from commit 783bcba)
(cherry picked from commit 0123e87)
Merged-In: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc
…ilege

The activity info could be from another uid which is different
from the app that hosts the task. The information should be
trimmed if the caller app doesn't have the privilege.

Bug: 243130512
Test: verified locally
Test: atest RecentTasksTest
Change-Id: Ia343ac70e5bb9aeae718fca6674e1ca491a14512
Merged-In: Ia343ac70e5bb9aeae718fca6674e1ca491a14512
(cherry picked from commit fa8d636)
Merged-In: Ia343ac70e5bb9aeae718fca6674e1ca491a14512
Bug: 221040577
Test: atest PermissionTest23#testPre23AppsWithSystemAlertWindowGetDeniedOnUpgrade
Change-Id: I4b4605aaae107875811070dea6d031c5d9f25c96
(cherry picked from commit 5e80fcf)
Merged-In: I4b4605aaae107875811070dea6d031c5d9f25c96
…DeviceConnection is closed.

Bug: 204584366
Test: CTS Verifier: USB Accessory Test & USB Device Test
Test: No HWASan use-after-free reports with a test app
Change-Id: Ia3a9b10349efc0236b1539c81465f479cb32e02b
(cherry picked from commit 1691b54)
Merged-In: Ia3a9b10349efc0236b1539c81465f479cb32e02b
Moves the fixUris call from onTargetSelected directly to the intent
launch to ensure the intent which is actually started is updated with
userId specific URIs.

This is a backport of ag/19657256 and ag/20063949.

Bug: 242165528
Bug: 244876518
Bug: 242605257
Test: manually share image from personal profile to work gmail,
first with chat target then backing up and selecting the main target
Test: manually share image from work Photos app to personal WhatsApp's
frequent contact target.

Change-Id: Id815984e691bf962e19e30a54f7247d16060b3b8
Merged-In: Id815984e691bf962e19e30a54f7247d16060b3b8
Merged-In: Ib41c8a3c46afcc2d62a4c1a924212bcd98bcfbe4
Merged-In: Iabf5dcf2612fe718f2f0886e2e5e9b76f37af1e1
(cherry picked from commit f50ced5)
Merged-In: Id815984e691bf962e19e30a54f7247d16060b3b8
- Originally added in ag/5139951, this method ensured that activities
  launched from widgets are always started in a new task (if the
  activity is launched in the home task, the task is not brought forward
  with the recents transition).  We can restrict this to only recents
  callers since this only applies to 1p launchers in gesture nav
  (both the gesture with 3p launchers and button nav in general will
  always start the home intent directly, which makes adding the
  NEW_TASK flag unnecessary).

Bug: 243794108
Test: Ensure that the original bug b/112508020 still works (with the
      test app in the bug, swipe up still works after launching an
      activity from the widget, and fails without applying the
      override flags)
Change-Id: Id53c6a2aa6da5933d488ca06a0bfc4ef89a4c343
(cherry picked from commit c4d3106)
Merged-In: Id53c6a2aa6da5933d488ca06a0bfc4ef89a4c343
OhMyVenyx force-pushed the 12.1 branch 2 times, most recently from 7fa74c6 to 02a4ef7 (January 19, 2023 21:19)