[STS] Fixing STS failures

Including fixes for CVE_2025_22429 and CVE_2025_26436

Tracked-On: OAM-134642
Signed-off-by: kancharx <kancharlax.suresh@intel.com>

Author: kancharx

aosp_diff/caas/frameworks/base/0029-BaseBundle-fix-unparcel-error-logic.patch

@@ -0,0 +1,102 @@
+From 019112a98cf17e98911f4d2fed080b237bdedce7 Mon Sep 17 00:00:00 2001
+From: kancharx <kancharlax.suresh@intel.com>
+Date: Wed, 3 Dec 2025 12:29:49 +0000
+Subject: [PATCH] [CVE_2025_22429]BaseBundle: fix unparcel error logic
+
+Tracked-On: OAM-134642
+Signed-off-by: kancharx <kancharlax.suresh@intel.com>
+
+This code considered a success case to be an unsuccessful
+case.
+
+Bug: 373357090
+Test: repro in bug no longer works
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6063eb2b1eb076fb3d73e1403ca81fcb6e0d04ee)
+Merged-In: Id423936872cbb0e0265ccf2855092357cb175d47
+Change-Id: Id423936872cbb0e0265ccf2855092357cb175d47
+---
+ core/java/android/os/BaseBundle.java | 10 +++++-----
+ core/java/android/os/Parcel.java     | 12 +++++-------
+ 2 files changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/core/java/android/os/BaseBundle.java b/core/java/android/os/BaseBundle.java
+index 50121278f0e6..e2315d52e6b4 100644
+--- a/core/java/android/os/BaseBundle.java
++++ b/core/java/android/os/BaseBundle.java
+@@ -475,10 +475,10 @@ public class BaseBundle {
+             map.erase();
+             map.ensureCapacity(count);
+         }
+-        int numLazyValues = 0;
++        int[] numLazyValues = new int[]{0};
+         try {
+-            numLazyValues = parcelledData.readArrayMap(map, count, !parcelledByNative,
+-                    /* lazy */ ownsParcel, mClassLoader);
++            parcelledData.readArrayMap(map, count, !parcelledByNative,
++                    /* lazy */ ownsParcel, mClassLoader, numLazyValues);
+         } catch (BadParcelableException e) {
+             if (sShouldDefuse) {
+                 Log.w(TAG, "Failed to parse Bundle, but defusing quietly", e);
+@@ -489,14 +489,14 @@ public class BaseBundle {
+         } finally {
+             mWeakParcelledData = null;
+             if (ownsParcel) {
+-                if (numLazyValues == 0) {
++                if (numLazyValues[0] == 0) {
+                     recycleParcel(parcelledData);
+                 } else {
+                     mWeakParcelledData = new WeakReference<>(parcelledData);
+                 }
+             }
+ 
+-            mLazyValues = numLazyValues;
++            mLazyValues = numLazyValues[0];
+             mParcelledByNative = false;
+             mMap = map;
+             // Set field last as it is volatile
+diff --git a/core/java/android/os/Parcel.java b/core/java/android/os/Parcel.java
+index cf473ec9c3ea..26f768cc49f7 100644
+--- a/core/java/android/os/Parcel.java
++++ b/core/java/android/os/Parcel.java
+@@ -5538,7 +5538,7 @@ public final class Parcel {
+ 
+     private void readArrayMapInternal(@NonNull ArrayMap<? super String, Object> outVal,
+             int size, @Nullable ClassLoader loader) {
+-        readArrayMap(outVal, size, /* sorted */ true, /* lazy */ false, loader);
++        readArrayMap(outVal, size, /* sorted */ true, /* lazy */ false, loader, null);
+     }
+ 
+     /**
+@@ -5548,17 +5548,16 @@ public final class Parcel {
+      * @param lazy   Whether to populate the map with lazy {@link Function} objects for
+      *               length-prefixed values. See {@link Parcel#readLazyValue(ClassLoader)} for more
+      *               details.
+-     * @return a count of the lazy values in the map
++     * @param lazyValueCount number of lazy values added here
+      * @hide
+      */
+-    int readArrayMap(ArrayMap<? super String, Object> map, int size, boolean sorted,
+-            boolean lazy, @Nullable ClassLoader loader) {
+-        int lazyValues = 0;
++    void readArrayMap(ArrayMap<? super String, Object> map, int size, boolean sorted,
++            boolean lazy, @Nullable ClassLoader loader, int[] lazyValueCount) {
+         while (size > 0) {
+             String key = readString();
+             Object value = (lazy) ? readLazyValue(loader) : readValue(loader);
+             if (value instanceof LazyValue) {
+-                lazyValues++;
++                lazyValueCount[0]++;
+             }
+             if (sorted) {
+                 map.append(key, value);
+@@ -5570,7 +5569,6 @@ public final class Parcel {
+         if (sorted) {
+             map.validate();
+         }
+-        return lazyValues;
+     }
+ 
+     /**
+-- 
+2.34.1
+

aosp_diff/caas/frameworks/base/0030-Add-equals-method.patch

@@ -0,0 +1,88 @@
+From 13cf3cecd295087912ffd380c7c97a3e41495133 Mon Sep 17 00:00:00 2001
+From: kancharx <kancharlax.suresh@intel.com>
+Date: Wed, 3 Dec 2025 13:30:39 +0000
+Subject: [PATCH] [CVE_2025_26436]Add equals method
+
+Tracked-On: OAM-134642
+Signed-off-by: kancharx <kancharlax.suresh@intel.com>
+
+This adds an equals method which will for now only be used in tests.
+
+Test: atest BackgroundStartPrivilegesTest
+Flag: EXEMPT test only
+Bug: 322159724
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8aef21b72dca756458d25a42599779997d199f09)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f6f2d41ffcd246afb758042b8fdbca9b5775c579)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:815cca137f84295c6037fd04e9de8011392a0ca6)
+Merged-In: Ia726fa205b73a693fee775e4a08950ecd4b5f882
+Change-Id: Ia726fa205b73a693fee775e4a08950ecd4b5f882
+---
+ .../app/BackgroundStartPrivileges.java        | 21 ++++++++++++++++++-
+ .../app/BackgroundStartPrivilegesTest.java    | 11 ++++++++++
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/core/java/android/app/BackgroundStartPrivileges.java b/core/java/android/app/BackgroundStartPrivileges.java
+index 20278eaee3b2..adea0a8a0702 100644
+--- a/core/java/android/app/BackgroundStartPrivileges.java
++++ b/core/java/android/app/BackgroundStartPrivileges.java
+@@ -23,12 +23,13 @@ import android.os.IBinder;
+ import com.android.internal.util.Preconditions;
+ 
+ import java.util.List;
++import java.util.Objects;
+ 
+ /**
+  * Privileges granted to a Process that allows it to execute starts from the background.
+  * @hide
+  */
+-public class BackgroundStartPrivileges {
++public final class BackgroundStartPrivileges {
+     /** No privileges. */
+     public static final BackgroundStartPrivileges NONE = new BackgroundStartPrivileges(
+             false, false, null);
+@@ -190,4 +191,22 @@ public class BackgroundStartPrivileges {
+                 + ", originatingToken=" + mOriginatingToken
+                 + ']';
+     }
++
++    @Override
++    public boolean equals(Object o) {
++        if (this == o) return true;
++        if (o == null || getClass() != o.getClass()) return false;
++        BackgroundStartPrivileges that = (BackgroundStartPrivileges) o;
++        return mAllowsBackgroundActivityStarts == that.mAllowsBackgroundActivityStarts
++                && mAllowsBackgroundForegroundServiceStarts
++                == that.mAllowsBackgroundForegroundServiceStarts
++                && Objects.equals(mOriginatingToken, that.mOriginatingToken);
++    }
++
++    @Override
++    public int hashCode() {
++        return Objects.hash(mAllowsBackgroundActivityStarts,
++                mAllowsBackgroundForegroundServiceStarts,
++                mOriginatingToken);
++    }
+ }
+diff --git a/core/tests/coretests/src/android/app/BackgroundStartPrivilegesTest.java b/core/tests/coretests/src/android/app/BackgroundStartPrivilegesTest.java
+index cf6266c756ce..931d64640ea2 100644
+--- a/core/tests/coretests/src/android/app/BackgroundStartPrivilegesTest.java
++++ b/core/tests/coretests/src/android/app/BackgroundStartPrivilegesTest.java
+@@ -119,4 +119,15 @@ public class BackgroundStartPrivilegesTest {
+                 Arrays.asList(BSP_ALLOW_A, BSP_ALLOW_A, BSP_ALLOW_A, BSP_ALLOW_A)))
+                 .isEqualTo(BSP_ALLOW_A);
+     }
++
++    @Test
++    public void backgroundStartPrivilege_equals_works() {
++        assertThat(NONE).isEqualTo(NONE);
++        assertThat(ALLOW_BAL).isEqualTo(ALLOW_BAL);
++        assertThat(ALLOW_FGS).isEqualTo(ALLOW_FGS);
++        assertThat(BSP_ALLOW_A).isEqualTo(BSP_ALLOW_A);
++        assertThat(NONE).isNotEqualTo(ALLOW_BAL);
++        assertThat(ALLOW_FGS).isNotEqualTo(ALLOW_BAL);
++        assertThat(BSP_ALLOW_A).isNotEqualTo(BSP_ALLOW_B);
++    }
+ }
+-- 
+2.34.1
+

aosp_diff/caas/frameworks/base/0031-RESTRICT-AUTOMERGE-Clear-the-BAL-allowlist-durat.patch

@@ -0,0 +1,156 @@
+From a1e39f150a5ab95a7c251bf7c88ed3aa5e2443db Mon Sep 17 00:00:00 2001
+From: kancharx <kancharlax.suresh@intel.com>
+Date: Wed, 3 Dec 2025 13:36:13 +0000
+Subject: [PATCH] [CVE_2025_26436]RESTRICT AUTOMERGE Clear the BAL allowlist
+ duration
+
+Tracked-On: OAM-134642
+Signed-off-by: kancharx <kancharlax.suresh@intel.com>
+
+Clearing BAL privileges of a PendingIntent only cleared the tokens,
+but kept the duration based entries. `clearAllowBgActivityStarts` is exclusively used by SystemUI (in NotificationManagerService) and fixing this is part of fixing a security vulnerability (therefore and because this is a low risk change it is not flag guarded).
+
+BYPASS_INCLUSIVE_LANGUAGE_REASON=Using an existing API
+
+Bug: 322159724
+Flag: EXEMPT bugfix
+Test: atest PendingIntentControllerTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5782703d0f7c913477f1dd59b11e6e6e879199d9)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:014d574afb413850c300f07af43148bf8ff684b6)
+Merged-In: I88e4df8fe4989fbc26aaa0e672626f3a1042678e
+Change-Id: I88e4df8fe4989fbc26aaa0e672626f3a1042678e
+---
+ .../server/am/PendingIntentRecord.java        | 14 ++++++-
+ .../am/PendingIntentControllerTest.java       | 41 +++++++++++++++++++
+ 2 files changed, 54 insertions(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/am/PendingIntentRecord.java b/services/core/java/com/android/server/am/PendingIntentRecord.java
+index 3817ba1a28b9..91501701e815 100644
+--- a/services/core/java/com/android/server/am/PendingIntentRecord.java
++++ b/services/core/java/com/android/server/am/PendingIntentRecord.java
+@@ -18,6 +18,8 @@ package com.android.server.am;
+ 
+ import static android.app.ActivityManager.PROCESS_STATE_TOP;
+ import static android.app.ActivityManager.START_SUCCESS;
++import static android.os.PowerWhitelistManager.TEMPORARY_ALLOWLIST_TYPE_FOREGROUND_SERVICE_ALLOWED;
++import static android.os.PowerWhitelistManager.TEMPORARY_ALLOWLIST_TYPE_FOREGROUND_SERVICE_NOT_ALLOWED;
+ import static android.app.ActivityOptions.MODE_BACKGROUND_ACTIVITY_START_ALLOWED;
+ import static android.app.ActivityOptions.MODE_BACKGROUND_ACTIVITY_START_ALLOW_ALWAYS;
+ import static android.app.ActivityOptions.MODE_BACKGROUND_ACTIVITY_START_COMPAT;
+@@ -304,6 +306,9 @@ public final class PendingIntentRecord extends IIntentSender.Stub {
+         }
+         this.stringName = null;
+     }
++    @VisibleForTesting TempAllowListDuration getAllowlistDurationLocked(IBinder allowlistToken) {
++        return mAllowlistDuration.get(allowlistToken);
++    }
+ 
+     void setAllowBgActivityStarts(IBinder token, int flags) {
+         if (token == null) return;
+@@ -323,6 +328,13 @@ public final class PendingIntentRecord extends IIntentSender.Stub {
+         mAllowBgActivityStartsForActivitySender.remove(token);
+         mAllowBgActivityStartsForBroadcastSender.remove(token);
+         mAllowBgActivityStartsForServiceSender.remove(token);
++	if (mAllowlistDuration != null) {
++            TempAllowListDuration duration = mAllowlistDuration.get(token);
++            if (duration != null
++                    && duration.type == TEMPORARY_ALLOWLIST_TYPE_FOREGROUND_SERVICE_ALLOWED) {
++                duration.type = TEMPORARY_ALLOWLIST_TYPE_FOREGROUND_SERVICE_NOT_ALLOWED;
++            }
++        }
+     }
+ 
+     public void registerCancelListenerLocked(IResultReceiver receiver) {
+@@ -703,7 +715,7 @@ public final class PendingIntentRecord extends IIntentSender.Stub {
+         return res;
+     }
+ 
+-    private BackgroundStartPrivileges getBackgroundStartPrivilegesForActivitySender(
++    @VisibleForTesting BackgroundStartPrivileges getBackgroundStartPrivilegesForActivitySender(
+             IBinder allowlistToken) {
+         return mAllowBgActivityStartsForActivitySender.contains(allowlistToken)
+                 ? BackgroundStartPrivileges.allowBackgroundActivityStarts(allowlistToken)
+diff --git a/services/tests/mockingservicestests/src/com/android/server/am/PendingIntentControllerTest.java b/services/tests/mockingservicestests/src/com/android/server/am/PendingIntentControllerTest.java
+index 89b48bad2358..d3727ed5e988 100644
+--- a/services/tests/mockingservicestests/src/com/android/server/am/PendingIntentControllerTest.java
++++ b/services/tests/mockingservicestests/src/com/android/server/am/PendingIntentControllerTest.java
+@@ -16,11 +16,16 @@
+ 
+ package com.android.server.am;
+ 
++import static android.os.PowerWhitelistManager.REASON_NOTIFICATION_SERVICE;
++import static android.os.PowerWhitelistManager.TEMPORARY_ALLOWLIST_TYPE_FOREGROUND_SERVICE_ALLOWED;
++import static android.os.PowerWhitelistManager.TEMPORARY_ALLOWLIST_TYPE_FOREGROUND_SERVICE_NOT_ALLOWED;
++
+ import static android.os.Process.INVALID_UID;
+ 
+ import static com.android.dx.mockito.inline.extended.ExtendedMockito.doReturn;
+ import static com.android.dx.mockito.inline.extended.ExtendedMockito.mockitoSession;
+ import static com.android.dx.mockito.inline.extended.ExtendedMockito.verify;
++import static com.android.server.am.PendingIntentRecord.FLAG_ACTIVITY_SENDER;
+ import static com.android.server.am.PendingIntentRecord.CANCEL_REASON_NULL;
+ import static com.android.server.am.PendingIntentRecord.CANCEL_REASON_ONE_SHOT_SENT;
+ import static com.android.server.am.PendingIntentRecord.CANCEL_REASON_OWNER_CANCELED;
+@@ -30,6 +35,7 @@ import static com.android.server.am.PendingIntentRecord.CANCEL_REASON_USER_STOPP
+ import static com.android.server.am.PendingIntentRecord.cancelReasonToString;
+ 
+ import static org.junit.Assert.assertEquals;
++import static org.junit.Assert.assertNotNull;
+ import static org.mockito.ArgumentMatchers.anyInt;
+ import static org.mockito.ArgumentMatchers.anyLong;
+ import static org.mockito.ArgumentMatchers.eq;
+@@ -39,9 +45,11 @@ import static org.mockito.Mockito.when;
+ import android.app.ActivityManager;
+ import android.app.ActivityManagerInternal;
+ import android.app.AppGlobals;
++import android.app.BackgroundStartPrivileges;
+ import android.app.PendingIntent;
+ import android.content.Intent;
+ import android.content.pm.IPackageManager;
++import android.os.Binder;
+ import android.os.Looper;
+ import android.os.UserHandle;
+ 
+@@ -185,6 +193,39 @@ public class PendingIntentControllerTest {
+         assertEquals(errMsg, expectedReason, actualReason);
+     }
+ 
++    @Test
++    public void testClearAllowBgActivityStartsClearsToken() {
++        final PendingIntentRecord pir = createPendingIntentRecord(0);
++        Binder token = new Binder();
++        pir.setAllowBgActivityStarts(token, FLAG_ACTIVITY_SENDER);
++        assertEquals(BackgroundStartPrivileges.allowBackgroundActivityStarts(token),
++                pir.getBackgroundStartPrivilegesForActivitySender(token));
++        pir.clearAllowBgActivityStarts(token);
++        assertEquals(BackgroundStartPrivileges.NONE,
++                pir.getBackgroundStartPrivilegesForActivitySender(token));
++    }
++
++    @Test
++    public void testClearAllowBgActivityStartsClearsDuration() {
++        final PendingIntentRecord pir = createPendingIntentRecord(0);
++        Binder token = new Binder();
++        pir.setAllowlistDurationLocked(token, 1000,
++                TEMPORARY_ALLOWLIST_TYPE_FOREGROUND_SERVICE_ALLOWED, REASON_NOTIFICATION_SERVICE,
++                "NotificationManagerService");
++        PendingIntentRecord.TempAllowListDuration allowlistDurationLocked =
++                pir.getAllowlistDurationLocked(token);
++        assertEquals(1000, allowlistDurationLocked.duration);
++        assertEquals(TEMPORARY_ALLOWLIST_TYPE_FOREGROUND_SERVICE_ALLOWED,
++                allowlistDurationLocked.type);
++        pir.clearAllowBgActivityStarts(token);
++        PendingIntentRecord.TempAllowListDuration allowlistDurationLockedAfterClear =
++                pir.getAllowlistDurationLocked(token);
++        assertNotNull(allowlistDurationLockedAfterClear);
++        assertEquals(1000, allowlistDurationLockedAfterClear.duration);
++        assertEquals(TEMPORARY_ALLOWLIST_TYPE_FOREGROUND_SERVICE_NOT_ALLOWED,
++                allowlistDurationLocked.type);
++    }
++
+     @After
+     public void tearDown() {
+         if (mMockingSession != null) {
+-- 
+2.34.1
+