20.0: July 2024 ASB picks

GrapheneOS/platform_packages_providers_MediaProvider@ce7b9fd
GrapheneOS/platform_packages_modules_Bluetooth@d39bbaa
GrapheneOS/platform_packages_apps_Settings@df49ae6
GrapheneOS/platform_frameworks_base@a0afe17
GrapheneOS/platform_frameworks_base@cb2db12
GrapheneOS/platform_frameworks_base@93a2c9a
GrapheneOS/platform_frameworks_base@ed52683
GrapheneOS/platform_packages_modules_StatsD@09e6330

Signed-off-by: Tavi <[email protected]>

Author: SkewedZeppelin

Patches/LineageOS-20.0/ASB-2024-07/bluetooth-01.patch

@@ -0,0 +1,63 @@
+From d39bbaa57ea3e636aa581478ae27ef9829b75718 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <[email protected]>
+Date: Mon, 22 Apr 2024 21:10:09 +0000
+Subject: [PATCH] Fix an authentication bypass bug in SMP
+
+When pairing with BLE legacy pairing initiated
+from remote, authentication can be bypassed.
+This change fixes it.
+
+Bug: 251514170
+Test: m com.android.btservices
+Test: manual run against PoC
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:25a3fcd487c799d5d9029b8646159a0b10143d97)
+Merged-In: I369a8fdd675eca731a7a488ed6a2be645058b795
+Change-Id: I369a8fdd675eca731a7a488ed6a2be645058b795
+---
+ system/stack/smp/smp_act.cc | 12 ++++++++++++
+ system/stack/smp/smp_int.h  |  1 +
+ 2 files changed, 13 insertions(+)
+
+diff --git a/system/stack/smp/smp_act.cc b/system/stack/smp/smp_act.cc
+index 868c7b53118..d6021bbecd2 100644
+--- a/system/stack/smp/smp_act.cc
++++ b/system/stack/smp/smp_act.cc
+@@ -291,6 +291,7 @@ void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+ void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+   SMP_TRACE_DEBUG("%s", __func__);
+   smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
++  p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
+ }
+ 
+ /*******************************************************************************
+@@ -665,6 +666,17 @@ void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
+     return;
+   }
+ 
++  if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
++        (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
++      !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {
++    // in legacy pairing, the peer should send its rand after
++    // we send our confirm
++    tSMP_INT_DATA smp_int_data{};
++    smp_int_data.status = SMP_INVALID_PARAMETERS;
++    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
++    return;
++  }
++
+   /* save the SRand for comparison */
+   STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);
+ }
+diff --git a/system/stack/smp/smp_int.h b/system/stack/smp/smp_int.h
+index 5e731806de7..b2ab4776421 100644
+--- a/system/stack/smp/smp_int.h
++++ b/system/stack/smp/smp_int.h
+@@ -222,6 +222,7 @@ typedef union {
+   (1 << 7) /* used to resolve race condition */
+ #define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY \
+   (1 << 8) /* used on peripheral to resolve race condition */
++#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9)
+ 
+ /* check if authentication requirement need MITM protection */
+ #define SMP_NO_MITM_REQUIRED(x) (((x)&SMP_AUTH_YN_BIT) == 0)

Patches/LineageOS-20.0/ASB-2024-07/fwb-01.patch

@@ -0,0 +1,51 @@
+From a0afe17e817eb39f3de3251f7b040a5f6eebc577 Mon Sep 17 00:00:00 2001
+From: Ivan Chiang <[email protected]>
+Date: Mon, 18 Mar 2024 02:46:56 +0000
+Subject: [PATCH] [PM] Send ACTION_PACKAGE_CHANGED when mimeGroups are changed
+
+Test: atest CtsPackageManagerTestCases:PackageManagerShellCommandMultiUserTest
+Test: atest CtsPackageManagerTestCases:PackageManagerTest
+Bug: 297517712
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:81eb9f8294645684ce1fad39d5d4a00ef11736e4)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c160424ef22bffd25a9cc9bc7b901ae1b9721a72)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6d9520bb9be2e31fd43bb08f0017838bbd389883)
+Merged-In: I271a3526ea4555249e3a2797605269257330e0e9
+Change-Id: I271a3526ea4555249e3a2797605269257330e0e9
+---
+ .../server/pm/PackageManagerService.java      | 23 ++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index f41b9fc540f6..a34693b7cb12 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -5869,9 +5869,26 @@ public void setMimeGroup(String packageName, String mimeGroup, List<String> mime
+                 packageStateWrite.setMimeGroup(mimeGroup, mimeTypesSet);
+             });
+             if (mComponentResolver.updateMimeGroup(snapshotComputer(), packageName, mimeGroup)) {
+-                Binder.withCleanCallingIdentity(() ->
+-                        mPreferredActivityHelper.clearPackagePreferredActivities(packageName,
+-                                UserHandle.USER_ALL));
++                Binder.withCleanCallingIdentity(() -> {
++                    mPreferredActivityHelper.clearPackagePreferredActivities(packageName,
++                            UserHandle.USER_ALL);
++                    // Send the ACTION_PACKAGE_CHANGED when the mimeGroup has changes
++                    final Computer snapShot = snapshotComputer();
++                    final ArrayList<String> components = new ArrayList<>(
++                            Collections.singletonList(packageName));
++                    final int appId = packageState.getAppId();
++                    final int[] userIds = resolveUserIds(UserHandle.USER_ALL);
++                    final String reason = "The mimeGroup is changed";
++                    for (int i = 0; i < userIds.length; i++) {
++                        final PackageUserStateInternal pkgUserState =
++                                packageState.getUserStates().get(userIds[i]);
++                        if (pkgUserState != null && pkgUserState.isInstalled()) {
++                            final int packageUid = UserHandle.getUid(userIds[i], appId);
++                            sendPackageChangedBroadcast(snapShot, packageName,
++                                    true /* dontKillApp */, components, packageUid, reason);
++                        }
++                    }
++                });
+             }
+ 
+             scheduleWriteSettings();

Patches/LineageOS-20.0/ASB-2024-07/fwb-02.patch

@@ -0,0 +1,82 @@
+From cb2db1244c4668fe8b3d6cf36d0078190fa8f0af Mon Sep 17 00:00:00 2001
+From: Bishoy Gendy <[email protected]>
+Date: Thu, 11 Apr 2024 16:37:10 +0000
+Subject: [PATCH] Fix security vulnerability allowing apps to start from
+ background
+
+Bug: 317048338
+Test: Using the steps in b/317048338#comment12
+(cherry picked from commit c5fc8ea92c0aabbb2fdccc23b743c18a8bf62e64)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df3584bb93ab89d7e174f7d39e42d4b22cb92fe0)
+Merged-In: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759
+Change-Id: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759
+---
+ .../media/session/ParcelableListBinder.java        | 13 +++++++++++--
+ .../android/server/media/MediaSessionRecord.java   | 14 ++++++++------
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/media/java/android/media/session/ParcelableListBinder.java b/media/java/android/media/session/ParcelableListBinder.java
+index bbf1e0889b68..d78828462b1e 100644
+--- a/media/java/android/media/session/ParcelableListBinder.java
++++ b/media/java/android/media/session/ParcelableListBinder.java
+@@ -45,6 +45,7 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder {
+     private static final int END_OF_PARCEL = 0;
+     private static final int ITEM_CONTINUED = 1;
+ 
++    private final Class<T> mListElementsClass;
+     private final Consumer<List<T>> mConsumer;
+ 
+     private final Object mLock = new Object();
+@@ -61,9 +62,11 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder {
+     /**
+      * Creates an instance.
+      *
++     * @param listElementsClass the class of the list elements.
+      * @param consumer a consumer that consumes the list received
+      */
+-    public ParcelableListBinder(@NonNull Consumer<List<T>> consumer) {
++    public ParcelableListBinder(Class<T> listElementsClass, @NonNull Consumer<List<T>> consumer) {
++        mListElementsClass = listElementsClass;
+         mConsumer = consumer;
+     }
+ 
+@@ -83,7 +86,13 @@ protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
+                 mCount = data.readInt();
+             }
+             while (i < mCount && data.readInt() != END_OF_PARCEL) {
+-                mList.add(data.readParcelable(null));
++                Object object = data.readParcelable(null);
++                if (mListElementsClass.isAssignableFrom(object.getClass())) {
++                    // Checking list items are of compaitible types to validate against malicious
++                    // apps calling it directly via reflection with non compilable items.
++                    // See b/317048338 for more details
++                    mList.add((T) object);
++                }
+                 i++;
+             }
+             if (i >= mCount) {
+diff --git a/services/core/java/com/android/server/media/MediaSessionRecord.java b/services/core/java/com/android/server/media/MediaSessionRecord.java
+index b459cfe6b44e..8f07b3924da0 100644
+--- a/services/core/java/com/android/server/media/MediaSessionRecord.java
++++ b/services/core/java/com/android/server/media/MediaSessionRecord.java
+@@ -1100,12 +1100,14 @@ public void resetQueue() throws RemoteException {
+ 
+         @Override
+         public IBinder getBinderForSetQueue() throws RemoteException {
+-            return new ParcelableListBinder<QueueItem>((list) -> {
+-                synchronized (mLock) {
+-                    mQueue = list;
+-                }
+-                mHandler.post(MessageHandler.MSG_UPDATE_QUEUE);
+-            });
++            return new ParcelableListBinder<QueueItem>(
++                    QueueItem.class,
++                    (list) -> {
++                        synchronized (mLock) {
++                            mQueue = list;
++                        }
++                        mHandler.post(MessageHandler.MSG_UPDATE_QUEUE);
++                    });
+         }
+ 
+         @Override

Patches/LineageOS-20.0/ASB-2024-07/fwb-03.patch

@@ -0,0 +1,37 @@
+From 93a2c9a876b978db4109a5360479e793eba5bf95 Mon Sep 17 00:00:00 2001
+From: Yi-an Chen <[email protected]>
+Date: Tue, 23 Apr 2024 21:17:44 +0000
+Subject: [PATCH] Fix security vulnerability of non-dynamic permission removal
+
+The original removePermission() code in PermissionManagerServiceImpl
+missed a logical negation operator when handling non-dynamic
+permissions, causing both
+testPermissionPermission_nonDynamicPermission_permissionUnchanged and
+testRemovePermission_dynamicPermission_permissionRemoved tests in
+DynamicPermissionsTest to fail.
+
+The corresponding test DynamicPermissionsTest is also updated in the
+other CL: ag/27073864
+
+Bug: 321711213
+Test: DynamicPermissionsTest on sc-dev and tm-dev locally
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0ead58f69f5de82b00406316b333366d556239f1)
+Merged-In: Ia146d4098643d9c473f8c83d33a8a125a53101fc
+Change-Id: Ia146d4098643d9c473f8c83d33a8a125a53101fc
+---
+ .../server/pm/permission/PermissionManagerServiceImpl.java      | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
+index 1ec3403a9d46..3e06df908858 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerServiceImpl.java
+@@ -677,7 +677,7 @@ public void removePermission(String permName) {
+             if (bp == null) {
+                 return;
+             }
+-            if (bp.isDynamic()) {
++            if (!bp.isDynamic()) {
+                 // TODO: switch this back to SecurityException
+                 Slog.wtf(TAG, "Not allowed to modify non-dynamic permission "
+                         + permName);